Don't throw an error when serializing uninitialized typed properties with __sleep()

Attached is a debdiff which fixes this bug on Focal.

I did some minor sanity checks before uploading, considering that this could affect a high number of users and reverse-deps:

- upstream has no further "fixes:" or patches touching this specific serialization behavior
- regression potential seems to be focused on users relying on undefined behavior or uninitialized objects, which is less likely to occur in official packages
- autopkgtests look good, as well as minor tests with some important reverse-deps (wordpress, pandoc, mediawiki)

In general, it looks good. Uploaded to focal, thanks Matthew!

Hi Heitor, Matthew (and SRU team).

Note that the NEW queue for focal [1] has a pending upload for php7.4. This is a minor fix for LP: #1989196, which I intended to let sit in blocked in proposed (staged SRU). That upload's version was already overriden once (by a security upload).

Would you like to merge both changes in a single upload?

[1] https://launchpad.net/ubuntu/focal/+queue?queue_state=1

Hi Athos,

Sorry, I didn't notice your upload, but yes, they should be merged for sure. This bug is perfect for yours to piggyback on without being marked as blocked-proposed.

Do you want me to make a new debdiff with both, or Heitor, can you merge them?

I can merge them and upload if you don't mind if I do it :)

Hi Matthew,

Bryce raised an interesting concern regarding the test case proposed in this bug [1]. The test case here requires downloading external software and is far from a minimal test. Would you be willing to provide a shorter test case? One option would be to just verify the upstream test case covers the issue, explain how it does so and use that test as the test case here.

[1] https://code.launchpad.net/~athos-ribeiro/ubuntu/+source/php7.4/+git/php7.4/+merge/434796

Hi Athos,

As mentioned in the merge request, the minimal testcase is the php testcase ext/standard/tests/serialize/sleep_uninitialized_typed_prop.phpt found in the patch itself, and when you build the package, it is executed and passes:

...
TEST 12251/13940 [ext/standard/tests/serialize/sleep_uninitialized_typed_prop.phpt]
PASS Referencing an uninitialized typed property in __sleep() should be skipped [ext/standard/tests/serialize/sleep_uninitialized_typed_prop.phpt]
...

I left the external testcase in the bug report since it is closer to what the customer sees on their systems during deployment, and the linked source repo has minimal additional dependencies and reproduces the problem nicely.

I uploaded the SRUs combined. Thanks!

Hello Matthew, or anyone else affected,

Accepted php7.4 into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/php7.4/7.4.3-4ubuntu2.16 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

All autopkgtests for the newly accepted php7.4 (7.4.3-4ubuntu2.16) for focal have finished running.
The following regressions have been reported in tests triggered by the package:

php-excimer/1.0.0~git20190913.d82eaf7-1build1 (amd64)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/focal/update_excuses.html#php7.4

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Performing verification for Focal

I started a fresh new Focal VM and followed the testcase to get symfony installed and configured, as well as docker. The VM is running php7.4 7.4.3-4ubuntu2.15 from -updates.

Upon running the cloned project that reproduces the issue, I see:

$ curl http://127.0.0.1:8000
...
Error:
Typed property Proxies\__CG__\App\Entity\Store::$ must not be accessed before initialization (in __sleep)

  at vendor/symfony/serializer/Normalizer/AbstractObjectNormalizer.php:626
  at serialize()
     (vendor/symfony/serializer/Normalizer/AbstractObjectNormalizer.php:626)
  at Symfony\Component\Serializer\Normalizer\AbstractObjectNormalizer->getCacheKey()
     (vendor/symfony/serializer/Normalizer/AbstractObjectNormalizer.php:327)
  at Symfony\Component\Serializer\Normalizer\AbstractObjectNormalizer->denormalize()
     (vendor/symfony/serializer/Serializer.php:191)
  at Symfony\Component\Serializer\Serializer->denormalize()
     (src/Controller/DefaultController.php:47)
  at App\Controller\DefaultController->index()
     (vendor/symfony/http-kernel/HttpKernel.php:146)
  at Symfony\Component\HttpKernel\HttpKernel->handleRaw()
     (vendor/symfony/http-kernel/HttpKernel.php:68)
  at Symfony\Component\HttpKernel\HttpKernel->handle()
     (vendor/symfony/http-kernel/Kernel.php:201)
  at Symfony\Component\HttpKernel\Kernel->handle()
     (public/index.php:25)
...

I then went and enabled -proposed and upgraded php7.4 to 7.4.3-4ubuntu2.16, and restarted the reproducer.

We now see:

$ curl -I http://127.0.0.1:8000
HTTP/1.1 200 OK

The issue no longer reproduces.

Additionally, looking at the php testcase added to the source tarball, we see during build of 7.4.3-4ubuntu2.16 the test passes:

TEST 12251/13940 [ext/standard/tests/serialize/sleep_uninitialized_typed_prop.phpt]
PASS Referencing an uninitialized typed property in __sleep() should be skipped [ext/standard/tests/serialize/sleep_uninitialized_typed_prop.phpt]

The package in -proposed fixes the issue, happy to mark verified for Focal.

This bug was fixed in the package php7.4 - 7.4.3-4ubuntu2.16

---------------
php7.4 (7.4.3-4ubuntu2.16) focal; urgency=medium

  [ Athos Ribeiro ]
  * d/rules: fix PHP_EXTRA_VERSION setting. (LP: #1989196)
  * Test PHP_EXTRA_VERSION setting with autopkgtest.

  [ Matthew Ruffell ]
  * No longer throw an error when serializing uninitialized typed
    properties with __sleep(), which makes serializing objects with
    __sleep() behave the same as serializing objects without
    __sleep(). (LP: #1999598)
    - d/p/lp-1999598-Fix-bug-79447.patch

 -- Athos Ribeiro <email address hidden> Thu, 15 Sep 2022 19:53:21 -0300

The verification of the Stable Release Update for php7.4 has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.