Multiple closures on the same line all resolve to the first one

[JoshSalway]

Description

When multiple closures are defined on the same source line with identical signatures, they all resolve to the first closure after a serialize/unserialize roundtrip. No error is thrown; the wrong closure silently executes.

Reproduction

<?php
require 'vendor/autoload.php';

use Opis\Closure\SerializableClosure;

$closures = [fn() => 'a', fn() => 'b', fn() => 'c'];

$serialized = array_map(function($c) {
    return serialize(new SerializableClosure($c));
}, $closures);

$results = array_map(function($s) {
    return unserialize($s)();
}, $serialized);

var_dump($results);
// Expected: ['a', 'b', 'c']
// Actual:   ['a', 'a', 'a']

Root cause

Two places contribute:

1. AbstractParser::resolve() uses a cache key of {prefix}/{fileKey}/{startLine}/{endLine}. Multiple closures sharing the same line hit the same cache entry, so the second closure returns the first one's parsed info.

2. ClosureParser::findFunctionIndex() scans from getStartLine() and returns the first T_FN/T_FUNCTION token it finds. There is no mechanism to distinguish which closure on that line corresponds to which \Closure object.

Impact

This affects any code that serializes arrays of inline closures, e.g. job chains, pipeline stages, callback arrays. The same bug exists in laravel/serializable-closure (issue laravel/serializable-closure#131) and a fix is in progress there.

Multi-line closures (each on their own line) are not affected.

Environment

• opis/closure: 4.5.0
• PHP: 8.4.19
• OS: Windows 11

[sorinsarca]

This is already documented https://opis.io/closure/4.x/caveats.html

It would have been great if php reflection included column number, but I'm afraid it only provides the line number for a closure.

[sorinsarca]

This cannot be solved without extra information, and PHP doesn't provide that extra bit of information.

Here is a more complex PHP 8.5 example:

<?php

#[Attribute]
class ExampleAttribute {
    public $callback;
    public function __construct(callable $callback) {
        $this->callback = $callback;
    }
}

$f = fn() => #[ExampleAttribute(static function () {return "B";})] fn() => static function() {return "A";};

// $a = static function() {return "A";}
$a = $f()(); 


// $b = static function () {return "B";}
$b = new ReflectionFunction($f())->getAttributes(ExampleAttribute::class)[0]->newInstance()->callback;


// here you will see that both closures have the same name
// so we cannot tell them apart by name
foreach (["a" => $a, "b" => $b] as $k => $g) {
    echo "\${$k}() = ", $g(), PHP_EOL;
    echo "name of \${$k} = ", (new ReflectionFunction($g))->getName(), PHP_EOL;
}

// Output:
// $a() = A
// name of $a = {closure:{closure:{closure:/path/to/file.php:11}:11}:11}
// $b() = B
// name of $b = {closure:{closure:{closure:/path/to/file.php:11}:11}:11}

[JoshSalway]

@sorinsarca Thanks for your feedback, as mentioned earlier cant find people running into this issue in the wild so will have to stay as a known caveat.