Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.

Here is the reproduce script:
<?php
class strtoupper_filter extends php_user_filter {
  function filter($in, $out, &$consumed, $closing)
    {
      while ($bucket = stream_bucket_make_writeable($in)) {}
    }
}
stream_filter_register("strtoupper", "strtoupper_filter");
$fp = fopen("foo-bar.txt", "w");
stream_filter_append($fp, "strtoupper");
fwrite($fp, "Line1\n");

Note:
1. This bug can not be reproduced on Linux platform. My distro is SuSE 10.1. I can reproduce the bug on one certain UNIX platform.

2.The above script is for testing purpose and is deliberated written like that. It is not following the stream filter coding way.

3. Here is some debugger info. "php_stream_bucket_unlink" was called twice I guess the second call is to clean the system resource and "brigade" is "0x0" at this moment.
**** ****
[1] stopped in php_stream_bucket_unlink at line 235 in file "filter.c"  ($t2)
  235           if (bucket->prev) {
(/tmp/dbx) print *bucket
(next = 0x0, prev = 0x0, brigade = 0x220C70E8, buf = "Line1.", buflen = 6, own_buf = 0, is_persistent = 0, refcount = 1)
(/tmp/dbx) print *bucket->brigade
(head = 0x2223D000, tail = 0x2223D000)
(/tmp/dbx) print *bucket->brigade->head
(next = 0x0, prev = 0x0, brigade = 0x220C70E8, buf = "Line1.", buflen = 6, own_buf = 0, is_persistent = 0, refcount = 1)
(/tmp/dbx) next
stopped in php_stream_bucket_unlink.$b156 at line 238 in file "filter.c"  ($t2)
  238                   bucket->brigade->head = bucket->next;
(/tmp/dbx) list
  239           }
  240           if (bucket->next) {
  241                   bucket->next->prev = bucket->prev;
  242           } else if (bucket->brigade) {
  243                   bucket->brigade->tail = bucket->prev;
  244           }
  245           bucket->brigade = NULL;
  246           bucket->next = bucket->prev = NULL;
  247   }
(/tmp/dbx) cont
[1] stopped in php_stream_bucket_unlink at line 235 in file "filter.c"  ($t2)
  235           if (bucket->prev) {
(/tmp/dbx) print *bucket
(next = 0x0, prev = 0x0, brigade = 0x0, buf = "", buflen = 0, own_buf = 0, is_persistent = 0, refcount = 0)
(/tmp/dbx) next
stopped in php_stream_bucket_unlink at line 240 in file "filter.c"  ($t2)
  240           if (bucket->next) {
(/tmp/dbx) next
stopped in php_stream_bucket_unlink at line 245 in file "filter.c"  ($t2)
  245           bucket->brigade = NULL;
(/tmp/dbx) next
stopped in php_stream_bucket_unlink at line 246 in file "filter.c"  ($t2)
  246           bucket->next = bucket->prev = NULL;
(/tmp/dbx) next
stopped in php_stream_bucket_unlink at line 247 in file "filter.c"  ($t2)
  247   }
(/tmp/dbx) cont
program exited
**** ****

Assigned to the maintainer.

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

Fix will appear in 5.2.0RC6

Changing status for record keeping purposes.

Not actually bogus, but it is a duplicate of Bug#36515 which wins because it was reported first.

For the record though, your report and analysis was much better :)