|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #79447 Serializing uninitialized typed properties with __sleep should not throw
Submitted: 2020-04-03 15:06 UTC Modified: 2020-04-07 13:00 UTC
Avg. Score:5.0 ± 0.0
Reproduced:7 of 7 (100.0%)
Same Version:7 (100.0%)
Same OS:4 (57.1%)
From: Assigned:
Status: Closed Package: Scripting Engine problem
PHP Version: 7.4.4 OS:
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Bug Type:
New email:
PHP Version: OS:


 [2020-04-03 15:06 UTC]
This is a follow up of

The Symfony+Doctrine community is learning to use uninitialized properties, and we're having a bad time with __sleep().
The behavior implemented in forbids serializing arbitrary objects (e.g.for hashing purpose). This forces us to catch and ignore "Throwable", which in turn might hide legit errors that ppl do need to see during development.

Here is an example issue where this is discussed, originating from, which in turns generates PRs like

All this activity would disappear and things would work seamlessly if the engine would just ignore uninitialized properties returned by __sleep().

On unserialize(), such properties should be unserialized back to the "uninitialized" state. This would respect the semantics of serialize/unserialize and would solve all this complexity we don't know how to deal with.


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2020-04-07 13:00 UTC]
I have a bit of a hard time following these threads. In the end I didn't understand a) where __sleep is actually defined/generated in the first place and b) why the __sleep returns uninitialized properties. (As a bonus question, can this usage of __sleep be migrated to __serialize?)
 [2020-04-07 13:21 UTC]
We (Doctrine) could return only the initialized properties in `__sleep`.

The only reason `__sleep` exists in proxies is to avoid serializing the whole ORM and proxy initializer closures (and transitively `PDO` too), but we could use reflection in `__sleep` to determine which properties are initialized. The performance impact is acceptable, since we're well out the 80/20 scenario.

Overall, the behavior of PHP-SRC makes sense to me, and the added strictness is welcome, so the engine throwing when `serialize($somethingWithBrokenSleep)` seems correct, although it is indeed a BC break.
 [2020-04-23 08:31 UTC]
Automatic comment on behalf of
Log: Fix bug #79447
 [2020-04-23 08:31 UTC]
-Status: Open +Status: Closed
PHP Copyright © 2001-2023 The PHP Group
All rights reserved.
Last updated: Mon Mar 20 12:03:39 2023 UTC