segfault and apparent memory corruption in tsrm_virtual_cwd.c

Bug #1385050 reported by Jeff Waugh
Affects         Status   Importance   Assigned to   Milestone
php5 (Ubuntu)   New      Undecided    Unassigned

Bug Description

I have an utterly reproducible segfault with php5-fpm 5.5.9+dfsg-1ubuntu4.4.

Here are the top 4 backtrace frames. It looks to these relatively naive eyes like there's memory corruption in cwd, resolved_path, trypath, and actual_path.

This trace was generated with realpath cache disabled, opcache disabled, etc. I've attached a full gdb bt, and will attach a core file next.

#0 virtual_file_ex (state=state@entry=0x7fffe6661630, path=path@entry=0x774d240 "/home/deploy/jep/app/sites/all/modules/contrib/dfp/dfp.adtest.inc", verify_path=verify_path@entry=0x0, use_realpath=use_realpath@entry=2) at /build/buildd/php5-5.5.9+dfsg/TSRM/tsrm_virtual_cwd.c:1153
        path_length = <optimized out>
        resolved_path = <error reading variable resolved_path (Cannot access memory at address 0x7fffe66605e0)>
        start = <optimized out>
        ll = <error reading variable ll (Cannot access memory at address 0x7fffe66605d4)>
        t = <error reading variable t (Cannot access memory at address 0x7fffe66605d8)>
        ret = <optimized out>
        add_slash = <optimized out>
        tmp = <optimized out>
#1 0x000000000068b3a4 in tsrm_realpath (path=path@entry=0x774d240 "/home/deploy/jep/app/sites/all/modules/contrib/dfp/dfp.adtest.inc", real_path=real_path@entry=0x7fffe6662750 "") at /build/buildd/php5-5.5.9+dfsg/TSRM/tsrm_virtual_cwd.c:1954
        new_state = {cwd = 0x356fed0 "", cwd_length = 0}
        cwd = '\000' <repeats 40 times>, "p\334IT\000\000\000\000/home/deploy/jep/app/sites/all/modules/contrib/dfp/dfp.adtest.inc", '\000' <repeats 3351 times>...
#2 0x0000000000692e50 in php_resolve_path (filename=0x774d240 "/home/deploy/jep/app/sites/all/modules/contrib/dfp/dfp.adtest.inc", filename_length=65, path=0xb65a20 ".:/usr/share/php:/usr/share/pear") at /build/buildd/php5-5.5.9+dfsg/main/fopen_wrappers.c:503
        resolved_path = '\000' <repeats 3336 times>...
        trypath = "\260\375V\003\000\000\000\000A", '\000' <repeats 47 times>, "p\334IT\000\000\000\000/home/deploy/jep/app/sites/all/modules/contrib/dfp/dfp.adtest.inc", '\000' <repeats 15 times>, "/home/deploy/jep/app/sites/all/modules/contrib/dfp/dfp.a"...
        ptr = <optimized out>
        end = <optimized out>
        p = <optimized out>
        actual_path = 0x68b3e9 <tsrm_realpath+281> "H\211\330H\213\214$\030\020"
        wrapper = <optimized out>
#3 0x000000000054c6e5 in phar_find_in_include_path (filename=0x774d240 "/home/deploy/jep/app/sites/all/modules/contrib/dfp/dfp.adtest.inc", filename_len=65, pphar=<optimized out>) at /build/buildd/php5-5.5.9+dfsg/ext/phar/util.c:290
        try_len = 13289150
        path = 0xcac6be <php_execute.entry_semaphore> ""
        fname = <optimized out>
        arch = 0x7f77c6f5dc48 " \334y"
        entry = 0xcac6ba <php_function.entry_semaphore> ""
        ret = 0x0
        test = <optimized out>
        arch_len = 0
        entry_len = 0
        fname_len = <optimized out>
        ret_len = <optimized out>
        phar = 0xcac6bc <php_execute.return_semaphore>
#4 0x000000000079bb96 in ZEND_INCLUDE_OR_EVAL_SPEC_CV_HANDLER (execute_data=0x779e378) at /build/buildd/php5-5.5.9+dfsg/Zend/zend_vm_execute.h:30889
        file_handle = {type = 25021472, filename = 0xcc91a0 <executor_globals> "", opened_path = 0x779e1f8 "", handle = {fd = 7984485, fp = 0x79d565 <zend_do_fcall_common_helper_SPEC+1109>, stream = {handle = 0x79d565 <zend_do_fcall_common_helper_SPEC+1109>, isatty = 125428784, mmap = {len = 140152415837928, pos = 125428280, map = 0x779e430, buf = 0x775a000 "P\240u\a", old_handle = 0x775a000, old_closer = 0x779e378}, reader = 0x7f77c6f5df78, fsizer = 0x1, closer = 0x724aa9 <ZEND_JMPZ_SPEC_VAR_HANDLER+185>}}, free_filename = 120 'x'}
        resolved_path = <optimized out>
        opline = 0x7f77c6f5dfa8
        new_op_array = 0x0
        inc_filename = 0x7759fa0
        tmp_inc_filename = 0x0
        failure_retval = 0 '\000'

Jeff Waugh (jdub) wrote :

This is the core dump.

Jeff Waugh (jdub) wrote :

I have a test system on which I can reproduce the issue and do additional investigation. Given the memory corruption, this may well be a security issue.

Jeff Waugh (jdub)
information type: Public → Public Security
Robie Basak (racb) wrote :

Can you provide steps to reproduce, please? Does it occur on Utopic or on the latest upstream PHP release? If there has been an upstream fix, identifying it so that we can cherry-pick it would be great.

> Given the memory corruption, this may well be a security issue.

Please note that php5-fpm is in universe, so not directly supported by Canonical's security team.

Jeff Waugh (jdub) wrote :

Steps to reproduce would depend on a private (Drupal-based) codebase and database. I'll go upstream, and report back.

Jeff Waugh (jdub) wrote :

It's beginning to look like a stack overflow segfault caused by recursion or infinite loop. I'll turn off the security switch for now.

information type: Public Security → Public
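
The open question in this thread is whether the crash is memory corruption or stack exhaustion. The backtrace gives a hint: frames #1 and #2 each carry MAXPATHLEN-sized stack buffers (cwd, resolved_path, trypath), and gdb can print frame #1's locals but not frame #0's, which is the pattern one sees when the stack pointer has just crossed the bottom of the mapped stack rather than when a buffer has been overwritten. The C program below is an added example for testing that hypothesis; it is not code from the bug report or from PHP. classify_fault() applies a simple address heuristic (is the faulting address next to the deepest stack pointer seen, and is that pointer already at the floor that RLIMIT_STACK allows?), and provoke_and_classify() checks the heuristic live by forking a child that installs a SIGSEGV handler on an alternate stack, recurses with a 4 KiB frame until the kernel refuses to grow the stack, and reports the verdict through its exit status. Linux/glibc is assumed; the 64 KiB slack, the 8 MiB cap, the stack-top estimate taken from the environment strings, and the sample stack pointer and stack top in main() (combined with the unreadable address 0x7fffe66605e0 from frame #0 of the trace) are assumptions, not values from the page.

```c
/* Added example, not from the bug report or from PHP (Linux/glibc assumed):
 * tell stack exhaustion (runaway recursion) apart from other bad accesses. */
#define _XOPEN_SOURCE 700
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

enum fault_kind { FAULT_OTHER = 0, FAULT_STACK_EXHAUSTION = 1 };

/* Heuristic usable on numbers pulled from a core: the faulting address must lie
 * within `slack` of the deepest stack pointer seen (a frame being pushed or
 * written) and that pointer must already be at the floor RLIMIT_STACK allows.
 * Heap/NULL-derived addresses fail the first test, deep but legal stack
 * accesses the second. The 64 KiB slack (> any one frame) is an assumption. */
enum fault_kind classify_fault(uintptr_t fault_addr, uintptr_t deepest_sp,
                               uintptr_t stack_top, size_t stack_limit)
{
    const uintptr_t slack = 64 * 1024;
    uintptr_t floor = stack_top - stack_limit;           /* lowest legal address */
    uintptr_t lo = deepest_sp > slack ? deepest_sp - slack : 0;
    if (fault_addr < lo || fault_addr > deepest_sp + slack) return FAULT_OTHER;
    if (deepest_sp > floor + slack) return FAULT_OTHER;  /* stack not used up */
    return FAULT_STACK_EXHAUSTION;
}

/* ---- live check: crash a child on purpose and classify its fault ---- */
static uintptr_t g_stack_top;
static volatile uintptr_t g_deepest_sp;
static size_t g_stack_limit;
static volatile int g_max_depth = 1 << 30;   /* far deeper than any real stack */

/* The kernel puts the environment strings within a page of the top of the
 * initial stack mapping, so their highest end is a usable stack-top estimate. */
static uintptr_t stack_top_estimate(void)
{
    extern char **environ;
    uintptr_t top = 0;
    for (char **e = environ; e && *e; e++)
        if ((uintptr_t)*e + strlen(*e) + 1 > top) top = (uintptr_t)*e + strlen(*e) + 1;
    return top;
}

/* Runs on the alternate signal stack because the normal one is unusable;
 * async-signal-safe work only, then exit with the verdict. */
static void on_segv(int sig, siginfo_t *si, void *uctx)
{
    (void)sig; (void)uctx;
    enum fault_kind k = classify_fault((uintptr_t)si->si_addr, g_deepest_sp,
                                       g_stack_top, g_stack_limit);
    _exit(k == FAULT_STACK_EXHAUSTION ? 1 : 2);
}

/* A 4 KiB frame per call, like the MAXPATHLEN buffers in the trace; volatile
 * keeps the buffer, reading it after the call defeats tail-call elimination. */
static int runaway(int depth)
{
    volatile char buf[4096];
    if ((uintptr_t)buf < g_deepest_sp) g_deepest_sp = (uintptr_t)buf;
    buf[0] = (char)depth;
    buf[sizeof buf - 1] = (char)depth;
    if (depth < g_max_depth) return runaway(depth + 1) + buf[0];
    return depth;
}

/* Returns 1 (stack exhaustion), 2 (other fault), 3 (setup failed), -1 (no fault). */
int provoke_and_classify(void)
{
    int status, anchor;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        struct rlimit rl;
        struct sigaction sa;
        stack_t ss = { .ss_sp = malloc(64 * 1024), .ss_size = 64 * 1024, .ss_flags = 0 };
        /* Cap the soft limit at 8 MiB (assumption) so the run is bounded even
         * under "ulimit -s unlimited"; lowering it governs further growth at once. */
        if (getrlimit(RLIMIT_STACK, &rl) != 0) _exit(3);
        if (rl.rlim_cur == RLIM_INFINITY || rl.rlim_cur > ((rlim_t)8 << 20))
            rl.rlim_cur = (rlim_t)8 << 20;
        if (setrlimit(RLIMIT_STACK, &rl) != 0) _exit(3);
        g_stack_limit = (size_t)rl.rlim_cur;
        g_stack_top = stack_top_estimate();
        if (g_stack_top == 0) g_stack_top = (uintptr_t)&anchor;  /* empty environment */
        g_deepest_sp = (uintptr_t)&anchor;
        /* Without sigaltstack the handler itself would fault on the dead stack. */
        if (!ss.ss_sp || sigaltstack(&ss, NULL) != 0) _exit(3);
        memset(&sa, 0, sizeof sa);
        sa.sa_sigaction = on_segv;
        sa.sa_flags = SA_SIGINFO | SA_ONSTACK;
        sigemptyset(&sa.sa_mask);
        if (sigaction(SIGSEGV, &sa, NULL) != 0) _exit(3);
        runaway(0);
        _exit(3);
    }
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Constructed numbers: frame #0's unreadable local from the trace, a stack
     * pointer just below it, and an assumed 8 MiB stack ending at 0x7fffe6e61000. */
    uintptr_t sp = 0x7fffe66605c0, top = 0x7fffe6e61000;
    printf("trace: %d  heap: %d  live child: %d  (1 = stack exhaustion, 2 = other)\n",
           classify_fault(0x7fffe66605e0, sp, top, 8 << 20),
           classify_fault(0x774d240, sp, top, 8 << 20), provoke_and_classify());
    return 0;
}
```

To apply classify_fault() to a real core, take the faulting address from `p $_siginfo._sifields._sigfault.si_addr`, the stack pointer of the innermost frame from `info registers rsp`, the stack limit from `ulimit -s` in the crashing process's environment, and the top of the stack from the `[stack]` line of the process's mappings. A verdict of stack exhaustion says nothing about why the recursion happened; it only rules the crash out as an overwrite of cwd or resolved_path.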
Matthew Haughton (snafu109) wrote :

Can this be replicated on newer Ubuntu releases? Specifically Xenial or Yakkety?

Also, is there a small script that you could provide that can be used to trigger this bug on Trusty, that could be used to see if things are fixed already in later releases?
