Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:74947 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 3129 invoked from network); 17 Jun 2014 13:49:31 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 17 Jun 2014 13:49:31 -0000 Authentication-Results: pb1.pair.com smtp.mail=tyra3l@gmail.com; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=tyra3l@gmail.com; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.216.45 as permitted sender) X-PHP-List-Original-Sender: tyra3l@gmail.com X-Host-Fingerprint: 209.85.216.45 mail-qa0-f45.google.com Received: from [209.85.216.45] ([209.85.216.45:41024] helo=mail-qa0-f45.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 92/70-00242-A6740A35 for ; Tue, 17 Jun 2014 09:49:31 -0400 Received: by mail-qa0-f45.google.com with SMTP id v10so9318415qac.32 for ; Tue, 17 Jun 2014 06:49:28 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=FL41IMn597pxjNZagAcqhDPV43+nRtJFJDQl2Xzuhnw=; b=WYYCaidS20LVDBAF/MiHRlZnehE9PM6arbqyswvm9byHsrC7dWJsu1LCRASgHQ/HoI +GIkwotHvFnAFxyN/X+mNQ7p5jcINLsXczVeNmMJEMKMiC+EV0pXJePrVB6nZaWmuguc 42BBsJGrf5YL1rf4REqa9PVeZSc4colPzoF7Lb9sK8gLctd5mtmfDb3p4KpVhOytOxyl RCJsw2LOoXCSrMOahMhttnfnCuDWXpaDUQhYhIhOZcYQqI+GI76+02+43BM4qEyLLmga f3A8Z8lMruOTgdbzaBkbgnPtUTU4SDcLthT/4JGu0IKMx5bWaLnz05mpuVk8reCsXkHQ gR7g== MIME-Version: 1.0 X-Received: by 10.140.90.69 with SMTP id w63mr34672822qgd.52.1403012968354; Tue, 17 Jun 2014 06:49:28 -0700 (PDT) Received: by 10.140.17.77 with HTTP; Tue, 17 Jun 2014 06:49:28 -0700 (PDT) In-Reply-To: References: <53886F73.70402@php.net> <1401810913.2282.81.camel@guybrush> <538DFEB1.7030207@fedoraproject.org> <538EAD75.5020402@fedoraproject.org> <539B0888.9040208@fedoraproject.org> Date: Tue, 17 Jun 2014 15:49:28 +0200 Message-ID: To: Rafael Dohms Cc: Marco Pivetta , Remi Collet , internals Content-Type: multipart/alternative; boundary=001a11c139ba981b7504fc086916 Subject: Re: [PHP-DEV] BC break in 5.4.29 and 5.5.13 From: tyra3l@gmail.com (Ferenc Kovacs) --001a11c139ba981b7504fc086916 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Hi, My replies are inline and the tl;dr is that I don't think that it is a good idea to release the current "fix" to the problem as-is: On Tue, Jun 17, 2014 at 11:01 AM, Rafael Dohms wrote: > On Fri, Jun 13, 2014 at 4:25 PM, Marco Pivetta wrote= : > > > On 13 June 2014 16:19, Remi Collet wrote: > > > > > See my proposal > > > http://marc.info/?l=3Dphp-internals&m=3D140257374715698&w=3D2 > > > > > > Not designed as a fix, but rather a small improvement to make this ha= ck > > > possible for Internal and Serializable classes > > > > > > > Thanks Remi, that looks indeed like what we'd want :-) > > > > Marco Pivetta > > > > http://twitter.com/Ocramius > > > > http://ocramius.github.com/ > > > > > Its a BC break people. > It does not matter if we think A or B are correct, a point release CANNOT > break BC. > generally BC breaks are not allowed in micro versions, but this doesn't mean that we can't change existing behavior in micro versions. currently there are 3 cases where we have precedence changing behavior in micro versions: - bugfix - changing (explicitly) undefined behavior - introducing a new class/function/method/constant (I don't like this, but it seems that it is the consensus seems to be that this is okay). In this particular case the BC was caused by a bugfix ( https://bugs.php.net/bug.php?id=3D67072) and changed the unserialize behavi= or regarding of the usage of the Serializable interface to prevent such issues while keeping the implementation in-line with the docs (see http://markmail.org/message/u6r6rzj6tzejlaaf for the details). Even though that we noticed that it would affect some userland code and Stas argued for not introducing the BC break, Anatol's argument seemed to be reasonable enough to keep the change, and nobody else complained. After the release, we get a some more complaints and Anatol decided to make a compromise and change the fix to allow userland classes to be instanitated via this trick, but still preventing the constructorless instanitation of the internal classes via the crafted unserialize string method. While this will solve like 99.X% of the cases for the userland, this still a BC break, as previously it was possible to instaniate internal classes implementing the Serializable interface with the unserialize trick without calling the constructor and we don't allow that anymore, and on a second look, this also brings back the original problem this change was trying to prevent but with a bit more effort: [tyrael@ferencs-mbp-135 php-src.git (PHP-5.5 =E2=9C=97)]$ ./sapi/cli/php -v PHP 5.5.15-dev (cli) (built: Jun 17 2014 15:33:34) (DEBUG) Copyright (c) 1997-2014 The PHP Group Zend Engine v2.5.0, Copyright (c) 1998-2014 Zend Technologies [tyrael@ferencs-mbp-135 php-src.git (PHP-5.5 =E2=9C=97)]$ ./sapi/cli/php -r= 'class Foo extends SplFileObject{};$foo =3D unserialize("O:".strlen("Foo").":\"Foo\":0:{}");echo $foo;' [1] 72973 segmentation fault ./sapi/cli/php -r So the current "fix" still breaks BC compared to the original buggy behavior, but still not completely fixes the problem... I think that the original change was warranted here and even though that we introduced a BC break, we shouldn't allow instanitation of incomplete/unstable objects because that opens up more serious problems for the users, and I'm somehow glad that we didn't rushed with the release of this "fix", as I'm not entirely convinced, that this is the proper way for handling this issue. > It has been 18 days without a 5.5.14 release or a rollback of 5.5.13. > This is highly unacceptable and irresponsible of a core language. > > I cannot understand why we are discussing this and leaving userland broke= n, > this affect a lot more the phpunit/doctrine. > Rollback the release, or release a 5.5.14 release that fixes it, THEN you > discuss what the proper thing should be and worry about it in 5.5.15. > I think that this is a bit blown out of proportion, even thought that this change affected some really popular tools, but this was still caused by a warranted fix in the internal unserialization behavior which was documented to work the way as Anatol changed to behave in the first place. I think it is a pretty good thing that we haven't rushed out another release without making sure we have a fix we are satisfied with. --=20 Ferenc Kov=C3=A1cs @Tyr43l - http://tyrael.hu --001a11c139ba981b7504fc086916--