Updating to 8.6.8 or 8.6.9 with Drush 8 causes data loss via update_fix_compatibility()

This patch does avoid the problem on the status report screen initially, but after a cache rebuild, the behavior I described in #3031128-67: Update from 8.6.7 to 8.6.8 warnings - Drupal\Core\Extension\Extension has no unserializer still occurs. I get the two notices from system_requirements() and the line on the status report that lists the active installation profile shows the machine name of the profile with the details missing.

I'm digging into this a little deeper, so I'll report more details soon. This sounds like the same behavior reported by @John Pitcairn in #3031128-76: Update from 8.6.7 to 8.6.8 warnings - Drupal\Core\Extension\Extension has no unserializer.

Thanks, @alexpott. Confirmed the patch in #5 fixes all of the problems I've experienced. I caught the condition on dev and never updated anything permanent yet, so it's not an issue for me. But I agree that anyone who did update already and had the extension removed from the list has a potentially bad situation on their hands.

I don't know enough about the inner workings here to offer any specifics about how to proceed. But I noticed in my tests that when the profile was missing from core.extension, the status report screen still listed the proper profile's machine name. That was because drupal_get_profile() returned the proper extension, but system_get_info('module', $profile) returned an empty array. At least in my case, nothing was removed from the filesystem, so there shouldn't actually be anything missing. Not sure why drupal_get_profile() has it, but perhaps that could be used to rebuild whatever is missing.

I'm out of time for the day, but I can dig around there more tomorrow. If there are any additional specs from my setup that would be helpful to you, let me know.

#7 corrects the problem as I experience it when updating without the patch from #5. And updating with the patch from #5 avoids the problem entirely. I tested both the patch and the script against a clean install and against a real project and both appear to be effective resolutions of the problem.

Happy with #16, but let's get more eyes on this since it'll be our second hotfix release in two weeks.

Tagging this because it's tied to the ongoing saga of fixing SA-CORE-2019-002.

#16 works for me. I don't have any input on your concerns from #14, but your evaluation seems reasonable.

@DamienMcKenna: This has nothing to do with SA-CORE-2019-002, it is a problem that was introduced in 8.6.8, a regular non-security update. SA-CORE-2019-002 was 8.6.6.

Bumping to RTBC, could still do with an extra set of eyes since it's not clear whether #20-22 reviewed the patch.

Sorry, I should have elaborated. My comments in #21 were made after testing patch #16. I agree, though it wouldn't hurt for others to review it.

Here are the details of my setup and tests. I'm using composer for the code, drush 8.1.18 for database updates, my test environment uses a lando drupal8 recipe with php 7.2.

First pass: Update without the patch to produce the corruption in the profile, then test that hook_update_n fixes it.

1. Clean install using custom profile at 8.6.7
2. Log in as user 1, view status report screen
3. Update to 8.6.9
4. drush updb
5. Observe error on status report screen ("TypeError: Argument 1 ... ")
6. drush cr
7. Status report screen loads, but with notices ("Undefined index: ... in system_requirements() ... ") and missing installation profile
8. Apply patch from #16
9. drush updb
10. Observe successful execution of system_update_8601
11. Status report screen loads without problems and installation profile is restored

Second pass: Direct upgrade with patch to test that it avoids the problem

1. Clean install using custom profile at 8.6.7
2. Log in as user 1, view status report screen
3. Update to 8.6.9 + patch from #16
4. drush updb
5. Observe successful execution of system_update_8601
6. Status report screen loads normally, including the proper installation profile

Upgraded to 8.6.9 from 8.6.7 with Drush 8.1.17 and received warnings and errors mentioned in this thread.

Applied the patch from #16 and drush updb ran successfully.

I will note that I did receive Warning: Invalid argument supplied for foreach() in Drupal\Component\Plugin\Discovery\DerivativeDiscoveryDecorator->getDerivatives() when viewing the status report screen immediately after database update but I believe this to be related to a different issue not caused here.

Thanks for the additional reviews. Committed and pushed 9340bf9755 to 8.7.x and 5e2c514e63 to 8.6.x. Thanks!

So was commit 5e2c514 included in the 8.6.9 release? or did it get applied only to the 8.6.x dev branch? Wondering if I should wait for an 8.6.10 release to update my sites...

Thanks to all for resolving this.

#16 worked for me as well.

Should have probably waited a bit before applying update since we are still on Drush 8 ourselves. Glad to know there will be a fix in 8.6.10

I have tried to update to 8.6.9 from 8.6.7 twice today. Both times after replacing the files and running update.php, I get:
Error: Call to undefined method Drupal\Core\Update\UpdateKernel::fixSerializedExtensionObjects() in <site directory>\core\includes\update.inc

The first time I tried from 8.6.7 direct to 8.6.9. Then, thinking there was something in 8.6.8 that might have fixed the issue, I restored to 8.6.7 and did 8.6.8, all good, then 8.6.9 again and it failed.

I cannot use Drush.

My environment (which is somewhat unique):

• Windows 10
• Apache 2.4.33 (Win64)
• PHP 7.2.5
• MS SQL Server 2012

I have had no issues with this configuration until 8.6.9. We started with Drupal 7 in 2015.

@alexpott, sounds about right. Thank you.

After restoring the database and 8.6.7 code, I was able to 'fix' the problem by doing a fresh cache clear just before updating the code and executing update.php.

That appears to have resolved the problem.

Sometimes cache clearing fixes a problem and sometimes, when something strange happens, running update.php (even if you haven't updated anything) clears up issues.

So, I was able to update all 7 non-production sites to Drupal 8.6.9 and am ready for the production one with a slick script to do it all quickly.

This has been temporarily reverted from 8.6.x only but will be recommitted before the next bugfix release.

Hmmh, this is very confusing ;)

This has been temporarily reverted from 8.6.x only but will be recommitted before the next bugfix release.

Wonder what this does mean for todays security release? We are on 8.6.7 waiting for 8.6.10 because of @alexpotts note in #30:

... if you are using Drush 8 definitely wait for 8.6.10

So will we be able to run the security update coming from 8.6.7 or will there be patches avail?

Thanks!

It would be really good to know if today's security update is still compatible with drush8, because switching is a bigger task than just applying the update.

Same questions as #39 and #40.

edit for clarity and to avoid confusion
For those concerned on how to get a security release as a patch without upgrading:

Asked in the #security-team in slack and got the suggestion to get a patch from https://cgit.drupalcode.org/drupal/log/ -> pick specific commit -> click *patch*.
Thanks @pingwin4eg.

As per @catch's comment below we shouldn't need to do this.

The revert was just to make the release process smoother, drush 8 users shouldn't need to take any additional steps to update.

To clarify, this was reverted so that the fix can be included in today's release (because of specifics of how core releases are tagged). The security release today will include this fix and that it why we had to remove it from 8.6.x HEAD for a few hours.

This is included as part of the commit for https://www.drupal.org/sa-core-2019-003 to ensure that sites can update to 8.6.10 safely. Marking back to fixed. (Issue credit is still granted.)