Bug #76631 Nested serialize() with shared references yields wrong result
Submitted: 2018-07-16 12:30 UTC Modified: 2018-07-16 12:39 UTC
From: niklas dot correnz at hcom dot de Assigned:
Status: Closed Package: *General Issues
PHP Version: 7.1.19 OS: Ubuntu 16.04
Private report: No CVE-ID: None

 [2018-07-16 12:30 UTC] niklas dot correnz at hcom dot de
When implementing \Serializable a nested serialize() call will cause the end result to be messed up.

Nested serialize() calls often occur when extending classes and overwriting serialize with additional fields, so this is not unusual. Our test script simulates this by nesting serialize().

The result still breaks if the array with the referenced objects is not inside the nested serialize(), but instead any additional property is serialized with a nested call (not in the test script).

Test script:
<?php
// Two role objects that both groups will reference (shared references).
$role1 = new \stdClass();
$role1->name = 'role1';
$role2 = new \stdClass();
$role2->name = 'role2';
class group implements \Serializable {
  private $roles;
  public function __construct(array $roles) {
    $this->roles = $roles;
  }
  // Nested serialize(): the roles are serialized, then wrapped and serialized again.
  public function serialize() {
    return serialize([serialize($this->roles)]);
  }
  // Mirror of serialize(): unwrap the outer array, then unserialize the roles.
  public function unserialize($serialized) {
    $this->roles = unserialize(unserialize($serialized)[0]);
  }
}
$group1 = new \group([$role1, $role2]);
$group2 = new \group([$role1, $role2]);
$serialized = serialize([$group1, $group2]);
echo "$serialized\n";

Expected result:

Actual result:


 [2018-07-16 12:39 UTC] niklas dot correnz at hcom dot de
-Status: Open +Status: Closed
 [2018-07-16 12:39 UTC] niklas dot correnz at hcom dot de
Bad report, the unserialize is the problem.
Last updated: Sat Aug 24 22:01:26 2019 UTC