Introduce a way to (de)serialize subclasses of un(de)serializable classes if the appropriate methods are present

nielsdos · nielsdos · commit 41804ad59c87 · 2023-01-19T20:49:41.000+01:00
This introduces the class flag ZEND_ACC_SUBCLASS_SERIALIZABLE, which allows classes which are not serializable / deserializable to become that if a subclass implements the appropriate methods. Setting this flag through the stubs can be done using @subclass-serializable. Introducing this through behaviour a new flag allows for opt-in behaviour, which is backwards compatible. Fixes GH-8996
diff --git a/Zend/zend_compile.h b/Zend/zend_compile.h
@@ -240,7 +240,7 @@ typedef struct _zend_oparray_context {
 /* or IS_CONSTANT_VISITED_MARK                            |     |     |     */
 #define ZEND_CLASS_CONST_IS_CASE         (1 << 6)  /*     |     |     |  X  */
 /*                                                        |     |     |     */
-/* Class Flags (unused: 21,30,31)                         |     |     |     */
+/* Class Flags (unused: 21,31)                            |     |     |     */
 /* ===========                                            |     |     |     */
 /*                                                        |     |     |     */
 /* Special class types                                    |     |     |     */
@@ -304,6 +304,11 @@ typedef struct _zend_oparray_context {
 /* Class cannot be serialized or unserialized             |     |     |     */
 #define ZEND_ACC_NOT_SERIALIZABLE        (1 << 29) /*  X  |     |     |     */
 /*                                                        |     |     |     */
+/* Subclass can be serialized or unserialized even if     |     |     |     */
+/* the parent cannot be, on the condition that the        |     |     |     */
+/* subclass implements the appropriate methods.           |     |     |     */
+#define ZEND_ACC_SUBCLASS_SERIALIZABLE   (1 << 30) /*  X  |     |     |     */
+/*                                                        |     |     |     */
 /* Function Flags (unused: 28-30)                         |     |     |     */
 /* ==============                                         |     |     |     */
 /*                                                        |     |     |     */
diff --git a/Zend/zend_inheritance.c b/Zend/zend_inheritance.c
@@ -1629,7 +1629,16 @@ ZEND_API void zend_do_inheritance_ex(zend_class_entry *ce, zend_class_entry *par
 			ce->ce_flags |= ZEND_ACC_EXPLICIT_ABSTRACT_CLASS;
 		}
 	}
-	ce->ce_flags |= parent_ce->ce_flags & (ZEND_HAS_STATIC_IN_METHODS | ZEND_ACC_HAS_TYPE_HINTS | ZEND_ACC_USE_GUARDS | ZEND_ACC_NOT_SERIALIZABLE | ZEND_ACC_ALLOW_DYNAMIC_PROPERTIES);
+	ce->ce_flags |= parent_ce->ce_flags & (ZEND_HAS_STATIC_IN_METHODS | ZEND_ACC_HAS_TYPE_HINTS | ZEND_ACC_USE_GUARDS | ZEND_ACC_NOT_SERIALIZABLE | ZEND_ACC_ALLOW_DYNAMIC_PROPERTIES | ZEND_ACC_SUBCLASS_SERIALIZABLE);
+
+	if ((parent_ce->ce_flags & (ZEND_ACC_NOT_SERIALIZABLE | ZEND_ACC_SUBCLASS_SERIALIZABLE)) == (ZEND_ACC_NOT_SERIALIZABLE | ZEND_ACC_SUBCLASS_SERIALIZABLE)) {
+		if (ce->__serialize || ce->__unserialize
+			|| ce->serialize || ce->unserialize
+			|| zend_hash_find_known_hash(&ce->function_table, ZSTR_KNOWN(ZEND_STR_SLEEP))
+			|| zend_hash_find_known_hash(&ce->function_table, ZSTR_KNOWN(ZEND_STR_WAKEUP))) {
+			ce->ce_flags &= ~(ZEND_ACC_NOT_SERIALIZABLE | ZEND_ACC_SUBCLASS_SERIALIZABLE);
+		}
+	}
 }
 /* }}} */
 
diff --git a/build/gen_stub.php b/build/gen_stub.php
@@ -21,7 +21,8 @@
 const PHP_80_VERSION_ID = 80000;
 const PHP_81_VERSION_ID = 80100;
 const PHP_82_VERSION_ID = 80200;
-const ALL_PHP_VERSION_IDS = [PHP_70_VERSION_ID, PHP_80_VERSION_ID, PHP_81_VERSION_ID, PHP_82_VERSION_ID];
+const PHP_83_VERSION_ID = 80300;
+const ALL_PHP_VERSION_IDS = [PHP_70_VERSION_ID, PHP_80_VERSION_ID, PHP_81_VERSION_ID, PHP_82_VERSION_ID, PHP_83_VERSION_ID];
 
 /**
  * @return FileInfo[]
@@ -1754,6 +1755,7 @@ protected function getFlagsByPhpVersion(): array
             PHP_80_VERSION_ID => [$flags],
             PHP_81_VERSION_ID => [$flags],
             PHP_82_VERSION_ID => [$flags],
+            PHP_83_VERSION_ID => [$flags],
         ];
     }
 
@@ -2372,6 +2374,7 @@ class ClassInfo {
     /** @var AttributeInfo[] */
     public array $attributes;
     public bool $isNotSerializable;
+    public bool $isSubclassSerializable;
     /** @var Name[] */
     public array $extends;
     /** @var Name[] */
@@ -2407,6 +2410,7 @@ public function __construct(
         bool $isStrictProperties,
         array $attributes,
         bool $isNotSerializable,
+        bool $isSubclassSerializable,
         array $extends,
         array $implements,
         array $constInfos,
@@ -2426,6 +2430,7 @@ public function __construct(
         $this->isStrictProperties = $isStrictProperties;
         $this->attributes = $attributes;
         $this->isNotSerializable = $isNotSerializable;
+        $this->isSubclassSerializable = $isSubclassSerializable;
         $this->extends = $extends;
         $this->implements = $implements;
         $this->constInfos = $constInfos;
@@ -2610,11 +2615,18 @@ private function getFlagsByPhpVersion(): array
             }
         }
 
+        $php83Flags = $php82Flags;
+
+        if ($this->isSubclassSerializable) {
+            $php83Flags[] = "ZEND_ACC_SUBCLASS_SERIALIZABLE";
+        }
+
         return [
             PHP_70_VERSION_ID => $php70Flags,
             PHP_80_VERSION_ID => $php80Flags,
             PHP_81_VERSION_ID => $php81Flags,
             PHP_82_VERSION_ID => $php82Flags,
+            PHP_83_VERSION_ID => $php83Flags,
         ];
     }
 
@@ -3482,6 +3494,7 @@ function parseClass(
     $isDeprecated = false;
     $isStrictProperties = false;
     $isNotSerializable = false;
+    $isSubclassSerializable = false;
     $allowsDynamicProperties = false;
     $attributes = [];
 
@@ -3498,6 +3511,8 @@ function parseClass(
                 $isNotSerializable = true;
             } else if ($tag->name === 'undocumentable') {
                 $isUndocumentable = true;
+            } else if ($tag->name == 'subclass-serializable') {
+                $isSubclassSerializable = true;
             }
         }
     }
@@ -3517,6 +3532,10 @@ function parseClass(
         throw new Exception("A class may not have '@strict-properties' and '#[\\AllowDynamicProperties]' at the same time.");
     }
 
+    if (!$isNotSerializable && $isSubclassSerializable) {
+        throw new Exception("@subclass-serializable without @not-serializable is a no-op");
+    }
+
     $extends = [];
     $implements = [];
 
@@ -3555,6 +3574,7 @@ function parseClass(
         $isStrictProperties,
         $attributes,
         $isNotSerializable,
+        $isSubclassSerializable,
         $extends,
         $implements,
         $consts,
diff --git a/ext/dom/php_dom.stub.php b/ext/dom/php_dom.stub.php
@@ -291,7 +291,10 @@ public function after(...$nodes): void;
     public function replaceWith(...$nodes): void;
 }
 
-/** @not-serializable */
+/**
+ * @not-serializable
+ * @subclass-serializable
+ */
 class DOMNode
 {
     /** @readonly */
@@ -391,7 +394,10 @@ public function removeChild(DOMNode $child) {}
     public function replaceChild(DOMNode $node, DOMNode $child) {}
 }
 
-/** @not-serializable */
+/**
+ * @not-serializable
+ * @subclass-serializable
+ */
 class DOMNameSpaceNode
 {
     /** @readonly */
@@ -901,7 +907,10 @@ public function __construct(string $name, string $value = "") {}
 }
 
 #ifdef LIBXML_XPATH_ENABLED
-/** @not-serializable */
+/**
+ * @not-serializable
+ * @subclass-serializable
+ */
 class DOMXPath
 {
     /** @readonly */
diff --git a/ext/dom/php_dom_arginfo.h b/ext/dom/php_dom_arginfo.h
diff --git a/ext/dom/tests/not_serializable.phpt b/ext/dom/tests/not_serializable.phpt
@@ -36,7 +36,7 @@ try {
 
 ?>
 --EXPECT--
-Serialization of 'DOMDocument' is not allowed
-Serialization of 'DOMElement' is not allowed
-Serialization of 'DOMXPath' is not allowed
-Serialization of 'DOMNameSpaceNode' is not allowed
+Serialization of 'DOMDocument' is not allowed, unless you extend the class and provide a serialisation method
+Serialization of 'DOMElement' is not allowed, unless you extend the class and provide a serialisation method
+Serialization of 'DOMXPath' is not allowed, unless you extend the class and provide a serialisation method
+Serialization of 'DOMNameSpaceNode' is not allowed, unless you extend the class and provide a serialisation method
diff --git a/ext/intl/formatter/formatter.stub.php b/ext/intl/formatter/formatter.stub.php
@@ -2,7 +2,10 @@
 
 /** @generate-class-entries */
 
-/** @not-serializable */
+/**
+ * @not-serializable
+ * @subclass-serializable
+ */
 class NumberFormatter
 {
     /* UNumberFormatStyle constants */
diff --git a/ext/intl/formatter/formatter_arginfo.h b/ext/intl/formatter/formatter_arginfo.h
diff --git a/ext/intl/tests/bug74063.phpt b/ext/intl/tests/bug74063.phpt
@@ -12,4 +12,4 @@ try {
 }
 ?>
 --EXPECT--
-Serialization of 'NumberFormatter' is not allowed
+Serialization of 'NumberFormatter' is not allowed, unless you extend the class and provide a serialisation method
diff --git a/ext/simplexml/simplexml.stub.php b/ext/simplexml/simplexml.stub.php
@@ -8,7 +8,10 @@ function simplexml_load_string(string $data, ?string $class_name = SimpleXMLElem
 
 function simplexml_import_dom(SimpleXMLElement|DOMNode $node, ?string $class_name = SimpleXMLElement::class): ?SimpleXMLElement {}
 
-/** @not-serializable */
+/**
+ * @not-serializable
+ * @subclass-serializable
+ */
 class SimpleXMLElement implements Stringable, Countable, RecursiveIterator
 {
     /** @tentative-return-type */
diff --git a/ext/simplexml/simplexml_arginfo.h b/ext/simplexml/simplexml_arginfo.h
diff --git a/ext/standard/var.c b/ext/standard/var.c
@@ -1057,8 +1057,13 @@ static void php_var_serialize_intern(smart_str *buf, zval *struc, php_serialize_
 				uint32_t count;
 
 				if (ce->ce_flags & ZEND_ACC_NOT_SERIALIZABLE) {
-					zend_throw_exception_ex(NULL, 0, "Serialization of '%s' is not allowed",
-						ZSTR_VAL(ce->name));
+					if (ce->ce_flags & ZEND_ACC_SUBCLASS_SERIALIZABLE) {
+						zend_throw_exception_ex(NULL, 0, "Serialization of '%s' is not allowed, unless you extend the class and provide a serialisation method",
+							ZSTR_VAL(ce->name));
+					} else {
+						zend_throw_exception_ex(NULL, 0, "Serialization of '%s' is not allowed",
+							ZSTR_VAL(ce->name));
+					}
 					return;
 				}
 
diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re
@@ -1277,8 +1277,13 @@ object ":" uiv ":" ["]	{
 	*p = YYCURSOR;
 
 	if (ce->ce_flags & ZEND_ACC_NOT_SERIALIZABLE) {
-		zend_throw_exception_ex(NULL, 0, "Unserialization of '%s' is not allowed",
-			ZSTR_VAL(ce->name));
+		if (ce->ce_flags & ZEND_ACC_SUBCLASS_SERIALIZABLE) {
+			zend_throw_exception_ex(NULL, 0, "Unserialization of '%s' is not allowed, unless you extend the class and provide a unserialisation method",
+				ZSTR_VAL(ce->name));
+		} else {
+			zend_throw_exception_ex(NULL, 0, "Unserialization of '%s' is not allowed",
+				ZSTR_VAL(ce->name));
+		}
 		zend_string_release_ex(class_name, 0);
 		return 0;
 	}

Original file line number	Diff line number	Diff line change
`@@ -1629,7 +1629,16 @@ ZEND_API void zend_do_inheritance_ex(zend_class_entry ce, zend_class_entry par`
`1629`	`1629`	`ce->ce_flags \|= ZEND_ACC_EXPLICIT_ABSTRACT_CLASS;`
`1630`	`1630`	`}`
`1631`	`1631`	`}`
`1632`		`- ce->ce_flags \|= parent_ce->ce_flags & (ZEND_HAS_STATIC_IN_METHODS \| ZEND_ACC_HAS_TYPE_HINTS \| ZEND_ACC_USE_GUARDS \| ZEND_ACC_NOT_SERIALIZABLE \| ZEND_ACC_ALLOW_DYNAMIC_PROPERTIES);`
	`1632`	`+ ce->ce_flags \|= parent_ce->ce_flags & (ZEND_HAS_STATIC_IN_METHODS \| ZEND_ACC_HAS_TYPE_HINTS \| ZEND_ACC_USE_GUARDS \| ZEND_ACC_NOT_SERIALIZABLE \| ZEND_ACC_ALLOW_DYNAMIC_PROPERTIES \| ZEND_ACC_SUBCLASS_SERIALIZABLE);`
	`1633`	`+`
	`1634`	`+ if ((parent_ce->ce_flags & (ZEND_ACC_NOT_SERIALIZABLE \| ZEND_ACC_SUBCLASS_SERIALIZABLE)) == (ZEND_ACC_NOT_SERIALIZABLE \| ZEND_ACC_SUBCLASS_SERIALIZABLE)) {`
	`1635`	`+ if (ce->__serialize \|\| ce->__unserialize`
	`1636`	`+ \|\| ce->serialize \|\| ce->unserialize`
	`1637`	`+ \|\| zend_hash_find_known_hash(&ce->function_table, ZSTR_KNOWN(ZEND_STR_SLEEP))`
	`1638`	`+ \|\| zend_hash_find_known_hash(&ce->function_table, ZSTR_KNOWN(ZEND_STR_WAKEUP))) {`
	`1639`	`+ ce->ce_flags &= ~(ZEND_ACC_NOT_SERIALIZABLE \| ZEND_ACC_SUBCLASS_SERIALIZABLE);`
	`1640`	`+ }`
	`1641`	`+ }`
`1633`	`1642`	`}`
`1634`	`1643`	`/* }}} */`
`1635`	`1644`
Original file line number	Diff line number	Diff line change
`@@ -291,7 +291,10 @@ public function after(...$nodes): void;`
`291`	`291`	`public function replaceWith(...$nodes): void;`
`292`	`292`	`}`
`293`	`293`
`294`		`-/** @not-serializable */`
	`294`	`+/**`
	`295`	`+ * @not-serializable`
	`296`	`+ * @subclass-serializable`
	`297`	`+ */`
`295`	`298`	`class DOMNode`
`296`	`299`	`{`
`297`	`300`	`/** @readonly */`
`@@ -391,7 +394,10 @@ public function removeChild(DOMNode $child) {}`
`391`	`394`	`public function replaceChild(DOMNode $node, DOMNode $child) {}`
`392`	`395`	`}`
`393`	`396`
`394`		`-/** @not-serializable */`
	`397`	`+/**`
	`398`	`+ * @not-serializable`
	`399`	`+ * @subclass-serializable`
	`400`	`+ */`
`395`	`401`	`class DOMNameSpaceNode`
`396`	`402`	`{`
`397`	`403`	`/** @readonly */`
`@@ -901,7 +907,10 @@ public function __construct(string $name, string $value = "") {}`
`901`	`907`	`}`
`902`	`908`
`903`	`909`	`#ifdef LIBXML_XPATH_ENABLED`
`904`		`-/** @not-serializable */`
	`910`	`+/**`
	`911`	`+ * @not-serializable`
	`912`	`+ * @subclass-serializable`
	`913`	`+ */`
`905`	`914`	`class DOMXPath`
`906`	`915`	`{`
`907`	`916`	`/** @readonly */`
Original file line number	Diff line number	Diff line change
`@@ -12,4 +12,4 @@ try {`
`12`	`12`	`}`
`13`	`13`	`?>`
`14`	`14`	`--EXPECT--`
`15`		`-Serialization of 'NumberFormatter' is not allowed`
	`15`	`+Serialization of 'NumberFormatter' is not allowed, unless you extend the class and provide a serialisation method`