From:             
Operating system: Linux
PHP version:      Irrelevant
Package:          Reproducible crash
Bug Type:         Bug
Bug description:  Segfault - strip_tags()

Description:
------------
Running the attached script causes heap corruption resulting in a segfault or
other similar results in all tested PHP versions: 5.3.2, 5.3.8, 5.3.9,
5.3.10, 5.4.0-RC*

Passing an object with __toString() causes a segfault in a random script
iteration. When cast to string beforehand, it runs OK.



Test script:
---------------
http://dl.dropbox.com/u/63573745/test.tar.gz

Since I'm not sure what causes the problem, I was unable to create a
smaller test case.

Expected result:
----------------
Range of numbers from 0 to 9999 (included).

Actual result:
--------------
php-5.3.8:
$ php go.php
0
1
Segmentation fault

php-5.3.9:
0
1
...
739
740
Segmentation fault

Core dump:
Program terminated with signal 11, Segmentation fault.
#0  0x0000000000795ad1 in _zval_dtor_func (zvalue=0x7fff3f7421a0, __zend_filename=0xb00838 "/home/users/tliska/wd/php/php-5.3.9/Zend/zend_execute.c", __zend_lineno=690) at /home/users/tliska/wd/php/php-5.3.9/Zend/zend_variables.c:52
52                                      Z_OBJ_HT_P(zvalue)->del_ref(zvalue TSRMLS_CC);
(gdb) bt
#0  0x0000000000795ad1 in _zval_dtor_func (zvalue=0x7fff3f7421a0, __zend_filename=0xb00838 "/home/users/tliska/wd/php/php-5.3.9/Zend/zend_execute.c", __zend_lineno=690) at /home/users/tliska/wd/php/php-5.3.9/Zend/zend_variables.c:52
#1  0x00000000007c9ac1 in _zval_dtor (zvalue=0x7fff3f7421a0, __zend_filename=0xb00838 "/home/users/tliska/wd/php/php-5.3.9/Zend/zend_execute.c", __zend_lineno=690) at /home/users/tliska/wd/php/php-5.3.9/Zend/zend_variables.h:35
#2  0x0000000000802714 in zend_assign_to_variable (variable_ptr_ptr=0xf3810f8, value=0xf389130, is_tmp_var=0) at /home/users/tliska/wd/php/php-5.3.9/Zend/zend_execute.c:690
#3  0x000000000080218e in ZEND_ASSIGN_DIM_SPEC_VAR_CONST_HANDLER (execute_data=0x2b3bb0b002f8) at /home/users/tliska/wd/php/php-5.3.9/Zend/zend_vm_execute.h:10382
#4  0x00000000007cc29e in execute (op_array=0xf3313f8) at /home/users/tliska/wd/php/php-5.3.9/Zend/zend_vm_execute.h:107
#5  0x0000000000787822 in zend_call_function (fci=0x7fff3f742860, fci_cache=0x7fff3f7427f0) at /home/users/tliska/wd/php/php-5.3.9/Zend/zend_execute_API.c:969
#6  0x00000000007b6c75 in zend_call_method (object_pp=0x7fff3f742918, obj_ce=0xf355c60, fn_proxy=0xf355e50, function_name=0xb005be "__tostring", function_name_len=10, retval_ptr_ptr=0x7fff3f742928, param_count=0, arg1=0x0, arg2=0x0) at /home/users/tliska/wd/php/php-5.3.9/Zend/zend_interfaces.c:97
#7  0x00000000007c84f7 in zend_std_cast_object_tostring (readobj=0xf389130, writeobj=0xf389130, type=6) at /home/users/tliska/wd/php/php-5.3.9/Zend/zend_object_handlers.c:1269
#8  0x0000000000799d68 in parse_arg_object_to_string (arg=0x2b3bb0aff4f8) at /home/users/tliska/wd/php/php-5.3.9/Zend/zend_API.c:258
#9  0x000000000079c608 in zend_parse_va_args (num_args=1, type_spec=0xadeffc "s|Z", va=0x7fff3f742c00, flags=0) at /home/users/tliska/wd/php/php-5.3.9/Zend/zend_API.c:692
#10 0x000000000079d022 in zend_parse_parameters (num_args=1, type_spec=0xadeffc "s|Z") at /home/users/tliska/wd/php/php-5.3.9/Zend/zend_API.c:871
#11 0x00000000006b6d87 in zif_strip_tags (ht=1, return_value=0xf388750, return_value_ptr=0x0, this_ptr=0x0, return_value_used=0) at /home/users/tliska/wd/php/php-5.3.9/ext/standard/string.c:4056
#12 0x00000000007cd2bb in zend_do_fcall_common_helper_SPEC (execute_data=0x2b3bb0aff090) at /home/users/tliska/wd/php/php-5.3.9/Zend/zend_vm_execute.h:320
#13 0x00000000007d3185 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x2b3bb0aff090) at /home/users/tliska/wd/php/php-5.3.9/Zend/zend_vm_execute.h:1640
#14 0x00000000007cc29e in execute (op_array=0xf3569f0) at /home/users/tliska/wd/php/php-5.3.9/Zend/zend_vm_execute.h:107
#15 0x0000000000798f1a in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/users/tliska/wd/php/php-5.3.9/Zend/zend.c:1236
#16 0x0000000000717a8e in php_execute_script (primary_file=0x7fff3f745560) at /home/users/tliska/wd/php/php-5.3.9/main/main.c:2308
#17 0x000000000088c464 in main (argc=2, argv=0x7fff3f7457e8) at /home/users/tliska/wd/php/php-5.3.9/sapi/cli/php_cli.c:1184


php-5.4.0RC8:
0
1
...
689
/php-5.4.0RC8/Zend/zend_hash.c(551) : ht=0x2ada805a4960 is being destroyed

No core dump produced here.


-- 
Edit bug report at https://bugs.php.net/bug.php?id=61165&edit=1
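
Added example (not part of the original report, and not PHP project code): a small triage helper that rejoins a mail-wrapped gdb backtrace like the one above and reports whether the crash frame sits in PHP code that ran underneath a __toString callback made while a builtin was parsing its arguments. The names unwrap_frames, triage and WRAPPED_BT are hypothetical, and the sample is a constructed abridgement of the frames posted in the report.

```python
import re

# Constructed sample: six frames abridged from the report's mail-wrapped trace
# (paths shortened, some arguments dropped; names and pointer values as posted).
WRAPPED_BT = """\
#0  0x0000000000795ad1 in _zval_dtor_func (zvalue=0x7fff3f7421a0,
__zend_lineno=690) at
Zend/zend_variables.c:52
#4  0x00000000007cc29e in execute (op_array=0xf3313f8) at
Zend/zend_vm_execute.h:107
#6  0x00000000007b6c75 in zend_call_method (object_pp=0x7fff3f742918,
function_name=0xb005be "__tostring", function_name_len=10)
    at Zend/zend_interfaces.c:97
#7  0x00000000007c84f7 in zend_std_cast_object_tostring (readobj=0xf389130,
writeobj=0xf389130, type=6) at
Zend/zend_object_handlers.c:1269
#10 0x000000000079d022 in zend_parse_parameters (num_args=1,
type_spec=0xadeffc "s|Z") at
Zend/zend_API.c:871
#11 0x00000000006b6d87 in zif_strip_tags (ht=1, return_value=0xf388750) at
ext/standard/string.c:4056
"""

FRAME = re.compile(r"^#(\d+)\s+(?:0x[0-9a-f]+ in )?(\w+)\s*\((.*)\)\s+at\s+(\S+):(\d+)$")

def unwrap_frames(text):
    """Rejoin wrapped frames; return (num, func, args, file, line) tuples."""
    joined = []
    for line in text.splitlines():
        if re.match(r"#\d+\s", line):
            joined.append(line.strip())          # a new frame starts at "#<n>"
        elif joined and line.strip():
            joined[-1] += " " + line.strip()     # continuation of the previous frame
    return [m.groups() for m in map(FRAME.match, joined) if m]

def triage(frames):
    """Report how the crash frame relates to a __toString callback in the stack."""
    names = [f[1] for f in frames]
    cb = next((i for i, f in enumerate(frames) if '"__tostring"' in f[2]), None)
    cast_args = next((f[2] for f in frames if f[1] == "zend_std_cast_object_tostring"), "")
    cast = dict(kv.split("=", 1) for kv in cast_args.split(", ") if "=" in kv)
    return {
        "crash_in": names[0],
        "builtin": next((n[4:] for n in names if n.startswith("zif_")), None),
        # PHP code ran between the callback and the crash (frames nearer #0)
        "userland_under_tostring": cb is not None and "execute" in names[:cb],
        # the cast reads from and writes to the same zval pointer
        "cast_in_place": bool(cast) and cast.get("readobj") == cast.get("writeobj"),
    }

if __name__ == "__main__": print(triage(unwrap_frames(WRAPPED_BT)))
```

The result only restates what the frames show; it does not identify the root cause, which the report leaves open.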