From eca84946a4e7269d59ea2d79b5f42117de89ae74 Mon Sep 17 00:00:00 2001
From: Xinchen Hui <laruence@gmail.com>
Date: Sat, 22 Oct 2016 14:50:21 +0800
Subject: Fixed bug #73350 (Exception::__toString() cause circular references)

---
 NEWS                     |  2 ++
 Zend/tests/bug73156.phpt |  2 +-
 Zend/tests/bug73350.phpt | 27 +++++++++++++++++++++++++++
 Zend/zend_exceptions.c   |  5 +++--
 4 files changed, 33 insertions(+), 3 deletions(-)
 create mode 100644 Zend/tests/bug73350.phpt

diff --git a/NEWS b/NEWS
index f5a2424753..c1f142af81 100644
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,8 @@ PHP                                                                        NEWS
 ?? ??? 2016 PHP 7.0.13
 
 - Core:
+  . Fixed bug #73350 (Exception::__toString() cause circular references).
+    (Laruence)
   . Fixed bug #73181 (parse_str() without a second argument leads to crash).
     (Nikita)
   . Fixed bug #66773 (Autoload with Opcache allows importing conflicting class
diff --git a/Zend/tests/bug73156.phpt b/Zend/tests/bug73156.phpt
index b5092514a0..327ad9e431 100644
--- a/Zend/tests/bug73156.phpt
+++ b/Zend/tests/bug73156.phpt
@@ -1,5 +1,5 @@
 --TEST--
-iBug #73156 (segfault on undefined function)
+Bug #73156 (segfault on undefined function)
 --FILE--
 <?php
 class A {
diff --git a/Zend/tests/bug73350.phpt b/Zend/tests/bug73350.phpt
new file mode 100644
index 0000000000..7505884efb
--- /dev/null
+++ b/Zend/tests/bug73350.phpt
@@ -0,0 +1,27 @@
+--TEST--
+Bug #73350 (Exception::__toString() cause circular references)
+--FILE--
+<?php
+$e = new Exception();
+
+// This line cause problem :(
+// Comment it to see the difference.
+(string) $e;
+
+// This line show the clue (PHP Warning: ...).
+var_export($e);
+?>
+--EXPECTF--
+Exception::__set_state(array(
+   'message' => '',
+   'string' => 'Exception in %sbug73350.php:%d
+Stack trace:
+#0 {main}',
+   'code' => 0,
+   'file' => '%sbug73350.php',
+   'line' => %d,
+   'trace' => 
+  array (
+  ),
+   'previous' => NULL,
+))
diff --git a/Zend/zend_exceptions.c b/Zend/zend_exceptions.c
index 89c94eb56f..e0aa370bfe 100644
--- a/Zend/zend_exceptions.c
+++ b/Zend/zend_exceptions.c
@@ -776,14 +776,15 @@ ZEND_METHOD(exception, __toString)
 		Z_OBJPROP_P(exception)->u.v.nApplyCount++;
 		exception = GET_PROPERTY(exception, "previous");
 		if (exception && Z_TYPE_P(exception) == IS_OBJECT && Z_OBJPROP_P(exception)->u.v.nApplyCount > 0) {
-			exception = NULL;
+			break;
 		}
 	}
 	zval_dtor(&fname);
 
+	exception = getThis();
 	/* Reset apply counts */
 	while (exception && Z_TYPE_P(exception) == IS_OBJECT && (base_ce = i_get_exception_base(exception)) && instanceof_function(Z_OBJCE_P(exception), base_ce)) {
-		if(Z_OBJPROP_P(exception)->u.v.nApplyCount) {
+		if (Z_OBJPROP_P(exception)->u.v.nApplyCount) {
 			Z_OBJPROP_P(exception)->u.v.nApplyCount--;
 		} else {
 			break;
-- 
cgit v1.2.1