Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:128998 X-Original-To: internals@lists.php.net Delivered-To: internals@lists.php.net Received: from php-smtp4.php.net (php-smtp4.php.net [45.112.84.5]) by lists.php.net (Postfix) with ESMTPS id 653871A00BC for ; Wed, 29 Oct 2025 15:34:57 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=php.net; s=mail; t=1761752101; bh=NDjndccoiFWNFMqUtTz5RR/stuPcGqD/4QTYezSe9dU=; h=Date:From:To:Cc:Subject:In-Reply-To:References:From; b=c9WtZ3ev1Ovl7bUyaMSgxpWZ3tpZ53B0aUtqTJrvEFzePqshUgfQ5sX5DTBkOGWGT Y4E4UqgDb+mwi+nTJ+1M0zvLyNsoWD6VmZELWjMPbxQja2kJmZKdgXXWZ2xRAzUd/h bXcNUbYDOxLGRBVAcXtfImbLOZlmVc9LInY4MunF2d7PC+vzuBL7dtYjAAiqTBqXE/ z83aQoZ9L77n49nFEMtGymNTkqW6heG+9i1c6FnzUD7/zrM6S8BQ+AXT+uSHaAf84y hOvMG8vauJnG9Eh/B3eOea4LX4XUSUMdtVfAf6c2cridatqen8QOrYselwGGXUKsbz FS2vRygWPu+eQ== Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id D22B21801E3 for ; Wed, 29 Oct 2025 15:35:00 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-25) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=0.6 required=5.0 tests=BAYES_50,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,DMARC_PASS,SPF_HELO_NONE, SPF_PASS autolearn=no autolearn_force=no version=4.0.1 X-Spam-Virus: No X-Envelope-From: Received: from chrono.xqk7.com (chrono.xqk7.com [176.9.45.72]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Wed, 29 Oct 2025 15:35:00 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bastelstu.be; s=mail20171119; t=1761752093; bh=3wKOnLzvNSqPJZN3PX8ApvmHE/75HVIefkQZKRqQcXk=; h=MIME-Version:Date:From:To:Cc:Subject:In-Reply-To:References: Message-ID:Content-Type:from:to:cc:subject:message-id; b=X4NXgbDGH1jCCxb0GAefuqujc3pHLy5EXLdd6BVCDq63Ad8hTDz+FyOxmw8PRxOjH 5bjnFvql4rdKYZCa2yPPXg9b1FQyvpVBnwhnFHbBPK553NetNapfMHz4OaxzALR0CK 3krmDTh9VmH9WxCOvdbOmYz+d7cYaut0KNoUYWyNci10jU6+AX77PWwI4Lybt3v28C WHACPSjjr7925OBxRqxOITb/iekVYovnlGW+VbkmU2LMImnnFoIc458tSk+A2CLEuU Optf6hu0LgPsYSh3wMt+l/jrD7NU7Q5klbtjWz+PJBZQ9H0hT0nSnXPL2tOeLz+DtL hI1CgjgOU2Cjg== Precedence: list list-help: list-unsubscribe: list-post: List-Id: x-ms-reactions: disallow MIME-Version: 1.0 Date: Wed, 29 Oct 2025 16:34:53 +0100 To: Dmytro Kulyk Cc: Ilija Tovilo , PHP internals Subject: Re: [PHP-DEV] [RFC][Discussion] Add #[NoSerialize] attribute for excluding properties or classes from serialization In-Reply-To: References: Message-ID: <4b6abc36d8ab6cd306e95141869db3b0@bastelstu.be> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit From: tim@bastelstu.be (=?UTF-8?Q?Tim_D=C3=BCsterhus?=) Hi Thank you for your RFC. It is really well-written and nicely explains the various (edge) cases. I've only read through the `#[\NoSerialize]` one, since it is the topic of this RFC discussion. I agree with Ilija on all points. Am 2025-10-29 15:35, schrieb Dmytro Kulyk: > #[NoSerialize], on the other hand, would apply to wrappers, > containers, or domain objects where serialization of the rest of the > structure should continue even if one field or nested object cannot be > meaningfully serialized. But even for wrappers you can't guarantee that the wrapper is stored in a nullable property. When applying the attribute to a field, omitting the field makes sense, since the author of the property is the same person who is capable of adding the attribute and thus is in full control. This is different for classes where the author of the class doesn't know how and where the class is being used. I thus agree with Ilija that this should throw to clearly indicate that the user of the class is doing something incorrect and to not silently corrupt data. If an author of a class needs more fine-grained control, they can either add the attribute to individual properties themselves - or implement `__serialize()`. >> > Class-level #[NoSerialize] is inherited by child classes unless explicitly overridden. >> >> Can you clarify how this would work? How can you override this >> attribute by omission? >> >> #[NoSerialize] >> class Foo {} >> >> /* What do I add here to remove #[NoSerialize]? */ >> class Bar extends Foo {} > > Class-level #[NoSerialize] is transparently inherited by child classes. > There’s currently no way to override or cancel this behavior in > descendants; the attribute remains effective throughout the > inheritance chain. Indeed, however the “unless explicitly overridden” bit in the RFC text implies that this is possible. > As an alternative, #[NotSerializable] could be extended to > #[NotSerializable(bool $soft = false)], which would provide the same > behavior while keeping it in a separate, more consistent attribute — > avoiding the double semantics currently implied by #[NoSerialize]. I don't think that sub classes should be able to make a non-serializable parent class serializable, since they clearly won't be able to correctly restore the state of the parent class. In fact I would consider this an improvement over the existing serialization hooks where the child class can simply skip calling the parent's serializer and thus create a situation that the parent class does not expect to occur. > Initially, the idea was to make all of these cases emit warnings, but > I didn’t figure out how to implement that consistently within the > attribute validators. > At this point, I don’t see any practical reason to allow the attribute > on unsupported targets, so all such cases will be changed to > compile-time errors instead of warnings. Yes, every clear error that is detectable at compile-time should be a hard error to make it easy for users to detect the mistake. Best regards Tim Düsterhus