php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #69072 bug when serializing classes that internally calls serialize
Submitted: 2015-02-18 11:18 UTC Modified: 2015-07-14 20:45 UTC
From: quamis+php at gmail dot com Assigned: cmb (profile)
Status: Duplicate Package: Scripting Engine problem
PHP Version: 5.6.5 OS: Linux
Private report: No CVE-ID: None
 [2015-02-18 11:18 UTC] quamis+php at gmail dot com
Description:
------------
Consider the following example:
class A implements Serializable, defines serialize() as a serialized stdClass
class B extends A, adds 1 public member

index.php instantiates B and serializes it to be able to cache it/store it for future reference.

function serialize fails in this case, returns an invalid string. It should at least issue an exception/warning.

If class A defines serialize() as a serialized array it will work as expected.


Test script:
---------------
Testcase: http://pastebin.com/6Hc60VbD , http://3v4l.org/SggeU 

Working testcase (class A returns serialized array): http://pastebin.com/itzZY1En , http://3v4l.org/hIJE9

Expected result:
----------------
no exception should be thrown, and an actual representation of the class should be generated.

According to http://3v4l.org, this woked ok in PHP 5.3, and its broken since PHP 5.4


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-02-18 14:38 UTC] danack@php.net
-Summary: bug when serializing classes that implements Serializable interface +Summary: bug when serializing classes that internally calls serialize
 [2015-02-18 14:38 UTC] danack@php.net
This appears to be an issue when calling serialize within serialize.

The first and second \stdClass's created have the same ObjectHash. It appears that the second internal call to serialize attempts to return a reference for the second stdclass to the first stdclass. But that is not valid as the first serialization of stdclass is actually in a different serialization call, and it's not meant to be a reference.

There is a simpler code example below; the class extending is not required to show the behaviour. The output is:

loop 0: ObjectHash 00000000169f9afe0000000054338336 Received: O:8:"stdClass":0:{}
loop 0: Returning 'O:8:"stdClass":0:{}'
loop 1: ObjectHash 00000000169f9afe0000000054338336 Received: r:3; //This is wrong - it is not a reference.
Object hash already exists - serialize is going to be sad.
borked, serialize of stdClass::__set_state(array(
)) returned r:3; which could not be unserialized.


<?php

class testClass_forSerialize implements Serializable {
    public function serialize() {
        static $count = 0;
        static $objectHashes = [];
        $ret = new \stdClass();
        $serializedData = serialize($ret);

        $objectHash = spl_object_hash($ret);
        echo "loop $count: ObjectHash $objectHash Received: ".$serializedData."\n";
        if (array_key_exists($objectHash, $objectHashes) == true) {
            echo "Object hash already exists - serialize is going to be sad.\n";
        }

        $objectHashes[$objectHash] = $count;

        if (@unserialize($serializedData) === false) {
            printf(
                "borked, serialize of %s returned %s which could not be unserialized.\n",
                var_export($ret, true),
                $serializedData
            );
            exit(0);
        }

        echo "loop $count: Returning '$serializedData'\n";
        $count++;
        return $serializedData;
    }

    public function unserialize($data) {
        throw new \Exception("not relevant");
    }
}


$list = [];
for ($i=0; $i<2; $i++) {
    $list[] = new \testClass_forSerialize();
}

$ser = serialize($list);
 [2015-02-18 15:08 UTC] danack@php.net
-Package: Class/Object related +Package: Scripting Engine problem
 [2015-02-18 15:08 UTC] danack@php.net
Probably duplicate of https://bugs.php.net/bug.php?id=66052
 [2015-07-14 20:45 UTC] cmb@php.net
-Status: Open +Status: Duplicate -Assigned To: +Assigned To: cmb
 [2015-07-14 20:45 UTC] cmb@php.net
Actually, this is a duplicate of bug #64146 (as it has the same
cause), but not of #66052.

See also <http://3v4l.org/SggeU> and <http://3v4l.org/9ttkq>.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Oct 03 23:01:27 2024 UTC