|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #81142 PHP 7.3+ memory leak when unserialize() is used on an associative array
Submitted: 2021-06-15 17:27 UTC Modified: 2021-09-14 16:16 UTC
Avg. Score:3.5 ± 1.7
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: jnelson at archive dot org Assigned:
Status: Closed Package: Arrays related
PHP Version: 7.3.28 OS:
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Bug Type:
From: jnelson at archive dot org
New email:
PHP Version: OS:


 [2021-06-15 17:27 UTC] jnelson at archive dot org
As seen here:

This program loops thousands of times calling serialize() and unserialize() on associative arrays with a string key and an integer value without holding long-term references to any of the data.

Prior to 7.3, this program would peak at a few hundred KB.  With 7.3.0 forward, this program consumes megabytes.

The two flags at the top of the program can be used to confirm (a) the memory leak only occurs with associative arrays, and (b) it's caused by unserialize() and not serialize().

Test script:
The core of the linked program to repro the problem:

function load($str) {
    $php = serialize([ $str => 1 ]);

for ($ctr = 0; $ctr < 50000; $ctr++)

echo memory_get_peak_usage();

Expected result:
Prior to 7.3.0, my linked program produces this output (or similar numbers):

Usage: 377.99 K
Peak:  414.33 K

Actual result:
With 7.3.0 to 8.0.3, the numbers look like this:

Usage: 4.73 M
Peak:  5.34 M


Add a Patch

Pull Requests

Pull requests:

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2021-06-16 12:11 UTC]
First, I suggest to use something like

    $mem0 = memory_get_usage();
    for ($ctr = 0; $ctr < 50000; $ctr++)
    $mem1 = memory_get_usage();
    var_dump($mem1 - $mem0);

to see the *relative* memory usage.

Anyhow, as of PHP 7.3.0, unserialized string keys are interned[1].
If OPcache is enabled, there is actually only one copy for all
50.000 keys.  If OPcache is disabled, these strings are allocated
permanently in process memory.

[1] <>
 [2021-06-16 13:40 UTC]
-Assigned To: +Assigned To: cmb
 [2021-06-16 13:40 UTC]
-Status: Assigned +Status: Open
 [2021-06-16 14:31 UTC]
The following pull request has been associated:

Patch Name: Fix #81142: memory leak when unserialize()ing associative array
On GitHub:
 [2021-06-16 14:32 UTC]
Note that PHP-7.3 is no longer actively supported, so a patch can
target PHP-7.4 at most.
 [2021-07-15 13:59 UTC]
-Assigned To: cmb +Assigned To:
 [2021-08-12 09:58 UTC]
Automatic comment on behalf of nikic
Log: Fix bug #81142 by adding zend_string_init_existing_interned()
 [2021-08-12 09:58 UTC]
-Status: Open +Status: Closed
 [2021-09-13 18:47 UTC] amfriedman at gmail dot com
FYI -- I also reproduced this memory leak on PHP 7.2. Change the bug title?
 [2021-09-14 16:16 UTC] jnelson at archive dot org
The link I included in the initial report tests all versions of PHP from 5.4.0 to 8.0.7, and the leak is only seen in 7.3.0 and above.  Perhaps you're seeing a different type of leak?
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Jul 18 02:01:29 2024 UTC