Edit report at https://bugs.php.net/bug.php?id=61165&edit=1
ID: 61165
Patch added by: larue...@php.net
Reported by: tomas dot liska at actumg2 dot cz
Summary: Segfault - strip_tags()
Status: Assigned
Type: Bug
Package: Reproducible crash
Operating System: Linux
PHP Version: Irrelevant
Assigned To: dmitry
Block user comment: N
Private report: N

New Comment:

The following patch has been added/updated:

Patch Name: bug61165.phpt
Revision: 1330102962
URL: https://bugs.php.net/patch-display.php?bug=61165&patch=bug61165.phpt&revision=1330102962

Previous Comments:
------------------------------------------------------------------------
[2012-02-24 16:58:16] larue...@php.net

This seems to have been introduced by #43450. So if you stash $this in __toString, $this will be released, so an undefined error occurred (in this case, I guess, the next return_value suddenly points to the previous $this, which was released just before, due to the zend mm cache).

I have made a patch, but it causes the 43450 test to fail again, although I am not sure whether the test itself is right or not. Will keep digging.
------------------------------------------------------------------------
[2012-02-24 09:22:28] me at ktamura dot com

I am fairly certain it is some kind of pointer dereferencing here on L446 of Zend/zend_execution_API.c (php-5.3.10). I am not sure what the exact cause is yet, though.

    434 ZEND_API void _zval_ptr_dtor(zval **zval_ptr ZEND_FILE_LINE_DC) /* {{{ */
    435 {
    436     zval *zv = *zval_ptr;
    437
    438 #if DEBUG_ZEND>=2
    439     printf("Reducing refcount for %x (%x): %d->%d\n", *zval_ptr, zval_ptr, Z_REFCOUNT_PP(zval_ptr), Z_REFCOUNT_PP(zval_ptr) - 1);
    440 #endif
    441     Z_DELREF_P(zv);
    442     if (Z_REFCOUNT_P(zv) == 0) {
    443         TSRMLS_FETCH();
    444
    445         if (zv != &EG(uninitialized_zval)) {
    446             GC_REMOVE_ZVAL_FROM_BUFFER(zv);
    447             zval_dtor(zv);
    448             efree_rel(zv);
------------------------------------------------------------------------
[2012-02-24 08:32:29] tomas dot liska at actumg2 dot cz

I might have the cause of this.

This code produces $cnt - 1 leaks:

    <?php
    error_reporting(E_ALL | E_NOTICE | E_STRICT);

    class T {
        private $params = array();
        private $_this;

        public function __toString() {
            //$this->params['this'] = $this; // <-- uncomment this
            //$this->_this = $this;          // <-- or this (both cause the leak)
            return 'A';
        }
    }

    $t = new T;
    $cnt = 2;
    for ($i = 0; $i < $cnt; $i++) {
        strip_tags($t);
        echo "$i\n";
    }

Output:

    0
    1
    [Fri Feb 24 09:27:16 2012]  Script:  'go_own_own.php'
    /home/users/tliska/wd/php/php-5.4.0RC8/ext/standard/string.c(4087) :  Freeing 0x2B9B23ADC678 (2 bytes), script=go_own_own.php
------------------------------------------------------------------------
[2012-02-24 04:56:31] larue...@php.net

This is not strip_tags's issue. Every internal function expecting an 's' will act the same way (segfault). So the problem should be in the __toString of that object... I will keep digging. Thanks.
------------------------------------------------------------------------
[2012-02-23 05:41:30] larue...@php.net

I can confirm this issue exists, but still cannot figure out the reason. dmitry, could you please look at this? Thanks.
------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at https://bugs.php.net/bug.php?id=61165
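The following script is an added example, not code from the bug report or from the PHP project. It generalises the reporter's repro along the two axes the thread discusses: the two ways of stashing $this inside __toString (array element vs. property), and laruence's remark that the problem is not specific to strip_tags() but shows up with any internal function that takes a string parameter. The class name Stash, the mode switch and the list of internal functions are choices made here; the control mode 'none' keeps no extra reference and is expected to be clean everywhere.

```php
<?php
// Added example (not from the bug report). On the builds named in the report
// (PHP 5.3.10 / 5.4.0RC8) the 'array' and 'property' modes are the ones the
// thread says leak or segfault; on builds carrying the fix the whole matrix
// should run through and print "ok" for every combination.
error_reporting(E_ALL);

class Stash
{
    private $params = array();
    private $self;
    private $mode;

    public function __construct($mode)
    {
        $this->mode = $mode;
    }

    public function __toString()
    {
        // Each stashing mode keeps an extra reference to $this alive after
        // the implicit string conversion returns; that is the trigger the
        // reporter identified with the two commented-out lines.
        if ($this->mode === 'array') {
            $this->params['this'] = $this;
        } elseif ($this->mode === 'property') {
            $this->self = $this;
        }
        return '<b>A</b>';
    }
}

// Internal functions that take a string argument and therefore go through
// __toString when handed an object. Chosen here for illustration; any other
// string-taking internal can be added to the list.
$internals = array('strip_tags', 'strlen', 'strtoupper', 'md5');

foreach (array('none', 'array', 'property') as $mode) {
    foreach ($internals as $fn) {
        $obj = new Stash($mode);
        // Several calls on the same object, as in the reporter's loop: the
        // reported failure needs more than one conversion to show up.
        for ($i = 0; $i < 3; $i++) {
            $fn($obj);
        }
        unset($obj);
        echo "$mode/$fn ok\n";
    }
}
```

The "Freeing 0x... (2 bytes)" lines in the reporter's output are the Zend memory manager's end-of-request leak report, which is only emitted by a debug build (configured with --enable-debug); on a release build the leak is silent and only the segfault variant is visible, so run this against a debug build when checking whether a given PHP version is affected.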