|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #69072 bug when serializing classes that internally calls serialize
Submitted: 2015-02-18 11:18 UTC Modified: 2015-07-14 20:45 UTC
From: quamis+php at gmail dot com Assigned: cmb (profile)
Status: Duplicate Package: Scripting Engine problem
PHP Version: 5.6.5 OS: Linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: quamis+php at gmail dot com
New email:
PHP Version: OS:


 [2015-02-18 11:18 UTC] quamis+php at gmail dot com
Consider the following example:
class A implements Serializable, defines serialize() as a serialized stdClass
class B extends A, adds 1 public member

index.php instantiates B and serializes it to be able to cache it/store it for future reference.

function serialize fails in this case, returns an invalid string. It should at least issue an exception/warning.

If class A defines serialize() as a serialized array it will work as expected.

Test script:
Testcase: , 

Working testcase (class A returns serialized array): ,

Expected result:
no exception should be thrown, and an actual representation of the class should be generated.

According to, this woked ok in PHP 5.3, and its broken since PHP 5.4


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2015-02-18 14:38 UTC]
-Summary: bug when serializing classes that implements Serializable interface +Summary: bug when serializing classes that internally calls serialize
 [2015-02-18 14:38 UTC]
This appears to be an issue when calling serialize within serialize.

The first and second \stdClass's created have the same ObjectHash. It appears that the second internal call to serialize attempts to return a reference for the second stdclass to the first stdclass. But that is not valid as the first serialization of stdclass is actually in a different serialization call, and it's not meant to be a reference.

There is a simpler code example below; the class extending is not required to show the behaviour. The output is:

loop 0: ObjectHash 00000000169f9afe0000000054338336 Received: O:8:"stdClass":0:{}
loop 0: Returning 'O:8:"stdClass":0:{}'
loop 1: ObjectHash 00000000169f9afe0000000054338336 Received: r:3; //This is wrong - it is not a reference.
Object hash already exists - serialize is going to be sad.
borked, serialize of stdClass::__set_state(array(
)) returned r:3; which could not be unserialized.


class testClass_forSerialize implements Serializable {
    public function serialize() {
        static $count = 0;
        static $objectHashes = [];
        $ret = new \stdClass();
        $serializedData = serialize($ret);

        $objectHash = spl_object_hash($ret);
        echo "loop $count: ObjectHash $objectHash Received: ".$serializedData."\n";
        if (array_key_exists($objectHash, $objectHashes) == true) {
            echo "Object hash already exists - serialize is going to be sad.\n";

        $objectHashes[$objectHash] = $count;

        if (@unserialize($serializedData) === false) {
                "borked, serialize of %s returned %s which could not be unserialized.\n",
                var_export($ret, true),

        echo "loop $count: Returning '$serializedData'\n";
        return $serializedData;

    public function unserialize($data) {
        throw new \Exception("not relevant");

$list = [];
for ($i=0; $i<2; $i++) {
    $list[] = new \testClass_forSerialize();

$ser = serialize($list);
 [2015-02-18 15:08 UTC]
-Package: Class/Object related +Package: Scripting Engine problem
 [2015-02-18 15:08 UTC]
Probably duplicate of
 [2015-07-14 20:45 UTC]
-Status: Open +Status: Duplicate -Assigned To: +Assigned To: cmb
 [2015-07-14 20:45 UTC]
Actually, this is a duplicate of bug #64146 (as it has the same
cause), but not of #66052.

See also <> and <>.
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Wed May 29 18:01:34 2024 UTC