Edit report at https://bugs.php.net/bug.php?id=61165&edit=1
ID: 61165
Updated by: larue...@php.net
Reported by: tomas dot liska at actumg2 dot cz
Summary: Segfault - strip_tags()
Status: Assigned
Type: Bug
Package: Reproducible crash
Operating System: Linux
PHP Version: Irrelevant
-Assigned To: dmitry
+Assigned To: laruence
Block user comment: N
Private report: N

New Comment:

fixed in trunk and 5.3, will close this after merge to 5.4

Previous Comments:
------------------------------------------------------------------------
[2012-02-25 04:36:03] larue...@php.net

Automatic comment from SVN on behalf of laruence
Revision: http://svn.php.net/viewvc/?view=revision&revision=323489
Log: Fixed bug #61165 (Segfault - strip_tags())

------------------------------------------------------------------------
[2012-02-25 03:12:49] larue...@php.net

Automatic comment from SVN on behalf of laruence
Revision: http://svn.php.net/viewvc/?view=revision&revision=323485
Log: Tests for bug #61165

------------------------------------------------------------------------
[2012-02-24 17:02:42] larue...@php.net

The following patch has been added/updated:

Patch Name: bug61165.phpt
Revision: 1330102962
URL: https://bugs.php.net/patch-display.php?bug=61165&patch=bug61165.phpt&revision=1330102962

------------------------------------------------------------------------
[2012-02-24 16:58:16] larue...@php.net

This seems to be introduced by #43450. So if you stash the $this in __toString, $this will be released, so an undefined error occurred (in this case, I guess, the next return_value suddenly points to the previous $this which was released just before, due to the Zend MM cache). I have made a patch, but it causes the 43450 test to fail again, although I am not sure whether the test itself is right or not; will keep digging.
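The following script is an added illustration of the pattern laruence describes in the comment above (a __toString() that stashes $this while the engine is converting the object for strip_tags()). It is not the project's bug61165.phpt test and is not taken from the report; the class and property names are made up for the example. Per the comment, on an unfixed 5.3.10 build this is the situation in which the engine ends up dereferencing a freed zval; on a build carrying revision 323489 the object survives and the script completes normally.

```php
<?php
// Added example, not the project's own test: reproduces the "stash $this in
// __toString()" pattern from the comment above. Class/property names are
// assumptions made for illustration.
class Stash
{
    /** @var Stash|null Where __toString() parks a reference to the object. */
    public static $keep = null;

    public function __toString()
    {
        // The "stash": keep $this alive somewhere the caller does not see.
        // The temporary object passed to strip_tags() has no other holder,
        // so its lifetime now depends entirely on how the engine handles
        // this extra reference when it releases its own.
        self::$keep = $this;
        return '<b>tags</b> to strip';
    }
}

// Pass a temporary object, not a variable, so the only reference outside
// the engine's conversion path is the one __toString() just stashed.
$result = strip_tags(new Stash());

// On a fixed build both of these hold; the comment above describes what
// happened on 5.3.10 before the fix when the stashed object was released.
var_dump($result);                            // string(14) "tags to strip"
var_dump(Stash::$keep instanceof Stash);      // bool(true)
```

The point of passing `new Stash()` directly rather than a variable is that the object's refcount is held only by the call site and by whatever __toString() does with $this; that is the condition under which the comment says the release order goes wrong.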
------------------------------------------------------------------------
[2012-02-24 09:22:28] me at ktamura dot com

I am fairly certain it is some kind of pointer dereferencing here on L446 of Zend/zend_execution_API.c (php-5.3.10). I am not sure what the exact cause is yet, though.

    434 ZEND_API void _zval_ptr_dtor(zval **zval_ptr ZEND_FILE_LINE_DC) /* {{{ */
    435 {
    436     zval *zv = *zval_ptr;
    437
    438 #if DEBUG_ZEND>=2
    439     printf("Reducing refcount for %x (%x): %d->%d\n", *zval_ptr, zval_ptr, Z_REFCOUNT_PP(zval_ptr), Z_REFCOUNT_PP(zval_ptr) - 1);
    440 #endif
    441     Z_DELREF_P(zv);
    442     if (Z_REFCOUNT_P(zv) == 0) {
    443         TSRMLS_FETCH();
    444
    445         if (zv != &EG(uninitialized_zval)) {
    446             GC_REMOVE_ZVAL_FROM_BUFFER(zv);
    447             zval_dtor(zv);
    448             efree_rel(zv);

------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at https://bugs.php.net/bug.php?id=61165