Bug #70855 Corrupted zend_mm block leads to segfault
Submitted: 2015-11-04 16:25 UTC Modified: 2015-11-10 13:11 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: aurelien dot dudouit at corp dot ovh dot com Assigned:
Status: Closed Package: *General Issues
PHP Version: 5.6.15 OS: Debian GNU/Linux 6.0.10
Private report: No CVE-ID: None
 [2015-11-04 16:25 UTC] aurelien dot dudouit at corp dot ovh dot com
Description:
------------
Segfault frequently happening, with the same call stack.
It doesn't have any pattern, and it takes time to happen; it's not immediate.
Running latest stable 5.6.15, but it happens also with 5.6.14 and 5.5.30.

I can't provide any test script: no pattern, always a different script, reloading a faulty page won't reproduce a segfault, so it appears that it's not a faulty script but rather related to the PHP engine. As it happens on a production server for web hosting, I can't provide nor look into the may-not-be-faulty scripts - legal matter - and I can't test with the latest git/snapshot.
I already tried the latest on an identical development server, but I couldn't get it to segfault, so I suspect it may happen under load (considering that it's not due to a specific script).

Three backtraces provided, I can get more.
It may be related to: http://news.php.net/php.internals/89030, as it would partially match the symptoms.

Actual result:
--------------
Program terminated with signal 11, Segmentation fault.
#0  _zend_mm_free_int (heap=0x8b77230, p=0x8eae370) at Zend/zend_alloc.c:2104
2104		if (ZEND_MM_IS_FREE_BLOCK(next_block)) {

gdb$ bt
#0  _zend_mm_free_int (heap=0x8b77230, p=0x8eae370) at Zend/zend_alloc.c:2104
#1  0x084c2804 in php_shutdown_temporary_directory () at main/php_open_temporary_file.c:194
#2  0x084af3a8 in php_request_shutdown (dummy=0x0) at main/main.c:1880
#3  0x085cf75c in fpm_run_fcgi (fcgi_fd=0x0, max_requests=0x80) at sapi/fpm/fpm/fpm_main.c:2021
#4  0x085d0aaf in main (argc=0x1, argv=0xffaaa6e4) at sapi/fpm/fpm/fpm_main.c:1893

gdb$ print *mm_block
$1 = {info = {_size = 0x8eaf350, _prev = 0x11}}

gdb$ print (char*)p
$2 = 0x8eae370 "/tmp"

gdb$ print *(zend_mm_block*)((char*)p-8)
$3 = {info = {_size = 0x8eaf350, _prev = 0x11}}

--------------------------------------------------------------------------------

Program terminated with signal 11, Segmentation fault.
#0  zend_mm_remove_from_free_list (heap=0x8b77230, mm_block=0xdde68774) at Zend/zend_alloc.c:837
837			if (UNEXPECTED(prev->next_free_block != mm_block) || UNEXPECTED(next->prev_free_block != mm_block)) {

gdb$ bt
#0  zend_mm_remove_from_free_list (heap=0x8b77230, mm_block=0xdde68774) at Zend/zend_alloc.c:837
#1  0x084ed569 in _zend_mm_free_int (heap=0x8b77230, p=<value optimized out>) at Zend/zend_alloc.c:2105
#2  0x084c2804 in php_shutdown_temporary_directory () at main/php_open_temporary_file.c:194
#3  0x084af3a8 in php_request_shutdown (dummy=0x0) at main/main.c:1880
#4  0x085cf75c in fpm_run_fcgi (fcgi_fd=0x0, max_requests=0x80) at sapi/fpm/fpm/fpm_main.c:2021
#5  0x085d0aaf in main (argc=0x1, argv=0xff8917f4) at sapi/fpm/fpm/fpm_main.c:1893

gdb$ print *heap
$1 = {use_zend_alloc = 0x1, _malloc = 0, _free = 0, _realloc = 0, free_bitmap = 0xffffffff, large_free_bitmap = 0x6ff80, block_size = 0x40000, compact_size = 0x200000, segments_list = 0x99a4710, storage = 0x8b77220, real_size = 0x880000, real_peak = 0xd40000, limit = 0x20000000, size = 0x2b56ec5c, peak = 0xc63d6c, reserve_size = 0x2000, reserve = 0xf5581018, overflow = 0x0, internal = 0x0, cached = 0x20010, cache = {0xf559e068, 0x8fea6ac, 0x95db86c, 0xf55b9c28, 0xf559bf38, 0x99e0744, 0xd4a94784, 0x99cbcf4, 0x99caf58, 0x8efe848, 0xf559bf00, 0x99e206c, 0x93ffc60, 0x8efcfc0, 0x94e7058, 0x8f32168, 0x94359f8, 0xd4b06764, 0x99e1c8c, 0xd4a93610, 0xd4b3bca8, 0xd4b43a20, 0xd4b3d768, 0x8f30ac8, 0x8f1adac, 0x99d4aec, 0x99e3054, 0x99e1fb0, 0xd4b0b0b8, 0xd4aa000c, 0x99d0cdc, 0x99d754c}, free_buckets = {0x99cc160, 0xf55a2f98, 0x8ff0084, 0xf55acb64, 0x941fda8, 0xf55aed1c, 0x942e454, 0x91ca338, 0x941e6f8, 0xf55aca04, 0x8eb4748, 0x942eb04, 0x99dfc3c, 0xf558305c, 0xd4aa87e0, 0xf55a8760, 0xd4a9a240, 0x8fe7f64, 0x900455c, 0x8f17a3c, 0x9429818, 0xf55a0adc, 0xd4b3ff18, 0xf55a0b8c, 0xd4a9ce50, 0xf55a0b30, 0x94189e4, 0xf55b9be4, 0xd4aa97b0, 0x928b014, 0xd4b0b218, 0xf559e6e4, 0x9435c0c, 0xd4a99848, 0x9417ecc, 0xf559e8c8, 0x99e4254, 0xd4a90d30, 0xd4a8e91c, 0x99e1708, 0x99db790, 0x99e1858, 0xd4a908d8, 0xd4a962b0, 0x8f2fa30, 0xf55a0c98, 0xd4a9b478, 0xd4a93f68, 0xd4aa235c, 0xd4aa2720, 0x99d8fec, 0xd4a9346c, 0x94353f4, 0x928b7d4, 0x99ca8e0, 0x9410b90, 0xd4a948d8, 0xf55a0a14, 0xd4a929fc, 0x99d0c58, 0xd4a9fa28, 0xf55bafdc, 0xd4aa1c1c, 0xf559f1fc}, large_free_buckets = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xd4a994d4, 0xf55a349c, 0x9417b28, 0xd4aa72f0, 0x94ed2ec, 0x94e774c, 0x95ddaf4, 0xd4b20cc4, 0xd4b2c650, 0x0, 0x97646d0, 0xd4aa9bd0, 0x0 <repeats 13 times>}, rest_buckets = {0xd4b8f018, 0xd4b8f018}, rest_count = 0x1}

gdb$ print *mm_block 
$2 = {info = {_size = 0xd500a204, _prev = 0x11}, prev_free_block = 0x706d742f, next_free_block = 0x8e1fb00, parent = 0x10, child = {0x79, 0x50435245}}

gdb$ select-frame 1
gdb$ print *(zend_mm_block*)mm_block 
$3 = {info = {_size = 0xd500a204, _prev = 0x11}}
gdb$ print *next_block 
$4 = {info = {_size = 0xd506fa4c, _prev = 0xe}}

--------------------------------------------------------------------------------

Program terminated with signal 11, Segmentation fault.
#0  zend_mm_remove_from_free_list (heap=0x8b77230, mm_block=0x90545a0) at Zend/zend_alloc.c:837
837			if (UNEXPECTED(prev->next_free_block != mm_block) || UNEXPECTED(next->prev_free_block != mm_block)) {

gdb$ bt
#0  zend_mm_remove_from_free_list (heap=0x8b77230, mm_block=0x90545a0) at Zend/zend_alloc.c:837
#1  0x084ed569 in _zend_mm_free_int (heap=0x8b77230, p=<value optimized out>) at Zend/zend_alloc.c:2105
#2  0x084c2804 in php_shutdown_temporary_directory () at main/php_open_temporary_file.c:194
#3  0x084af3a8 in php_request_shutdown (dummy=0x0) at main/main.c:1880
#4  0x085cf75c in fpm_run_fcgi (fcgi_fd=0x0, max_requests=0x80) at sapi/fpm/fpm/fpm_main.c:2021
#5  0x085d0aaf in main (argc=0x1, argv=0xff8917f4) at sapi/fpm/fpm/fpm_main.c:1893

gdb$ print *mm_block 
$1 = {info = {_size = 0x0, _prev = 0x11}, prev_free_block = 0x706d742f, next_free_block = 0xf5932300, parent = 0x0, child = {0x3a9, 0x8f1fbc8}}

gdb$ print *heap
$2 = {use_zend_alloc = 0x1, _malloc = 0, _free = 0, _realloc = 0, free_bitmap = 0xffffffff, large_free_bitmap = 0x11f80, block_size = 0x40000, compact_size = 0x200000, segments_list = 0x9262f20, storage = 0x8b77220, real_size = 0x3c0000, real_peak = 0x3c0000, limit = 0x20000000, size = 0x36a1d8, peak = 0x3a9274, reserve_size = 0x2000, reserve = 0xf5581018, overflow = 0x0, internal = 0x0, cached = 0x20004, cache = {0x0, 0x0, 0x0, 0x9162054, 0x9185be4, 0xf55a22e0, 0x9191d48, 0x923cf6c, 0x91885d8, 0x916affc, 0x90feaf8, 0x90c88a8, 0x916af84, 0x916ade4, 0x921a968, 0x921951c, 0x9219498, 0x9228c6c, 0x9180a04, 0x926f264, 0x921b5c8, 0x928b914, 0x92806b4, 0x91f1b24, 0x92180e4, 0x0, 0x91f0908, 0x9289b20, 0x91db014, 0x927c7b8, 0x92a2544, 0x9246f64}, free_buckets = {0x8fbcc90, 0x8fe5dd4, 0x9221ed0, 0x9220c3c, 0x900a700, 0x8e899f4, 0x91938e0, 0x8fea290, 0x91db4e0, 0x9273de0, 0x9221a0c, 0x91829a4, 0x91e570c, 0x8e89ebc, 0x925e9ac, 0x918a030, 0x91ee3d8, 0x8e89a40, 0x92271e8, 0x90a46e4, 0x9157070, 0x9191bf4, 0x90a7fb8, 0x8e8a014, 0x90a7f3c, 0x90c6ab4, 0x9173f58, 0x9197cd0, 0x91213c8, 0xf559e1b0, 0x8ffe540, 0x8fffc88, 0x91f45a0, 0x8fcc3f0, 0x8e17724, 0xf55a0e04, 0x8fc9d6c, 0xf559bfec, 0xf559e9f4, 0xf559e9f4, 0x91220e8, 0x9185874, 0x90a4368, 0xf55a099c, 0x922c624, 0xf55a0c14, 0x9217d18, 0xf55a0f9c, 0x9218170, 0xf559f96c, 0x92291b0, 0xf55a04a4, 0x92515ac, 0xf559ec54, 0x919d084, 0xf559e8e8, 0x91dcb4c, 0xf559f55c, 0x919b9c0, 0xf55a0894, 0x90f3268, 0x9190e64, 0x918f1b8, 0x91eef60}, large_free_buckets = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x91f0744, 0x9174358, 0x916a820, 0x916b14c, 0x9158ae4, 0x91a774c, 0x0, 0x0, 0x0, 0x91f9474, 0x0 <repeats 15 times>}, rest_buckets = {0x8b77478, 0x8b77478}, rest_count = 0x0}

gdb$ select-frame 1
gdb$ print *mm_block 
$3 = {info = {_size = 0x0, _prev = 0x11}}
gdb$ print *next_block 
$4 = {info = {_size = 0x0, _prev = 0x11}}
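One triage step the report does not spell out, added here as an example and not part of the bug report: decode the corrupted header words as little-endian ASCII. The `prev_free_block` value 0x706d742f in both free-list crashes spells "/tmp", the same string the first trace shows `p` pointing at, which fits the reporter's later double-free conclusion. The dumps are copied from the traces above; the 32-bit little-endian assumption is taken from the 8-byte block header and 32-bit addresses in them.

```python
import re

# gdb output quoted in the report: the corrupted free block printed in frame 0
# of the second and third backtraces (zend_mm_remove_from_free_list).
GDB_DUMPS = [
    "$2 = {info = {_size = 0xd500a204, _prev = 0x11}, prev_free_block = 0x706d742f, "
    "next_free_block = 0x8e1fb00, parent = 0x10, child = {0x79, 0x50435245}}",
    "$1 = {info = {_size = 0x0, _prev = 0x11}, prev_free_block = 0x706d742f, "
    "next_free_block = 0xf5932300, parent = 0x0, child = {0x3a9, 0x8f1fbc8}}",
]

# "name = 0xhex" pairs inside a gdb struct print (array elements are skipped).
FIELD_RE = re.compile(r"(\w+) = (0x[0-9a-fA-F]+)")


def word_as_ascii(value, width=4):
    """Read a machine word as the little-endian bytes it occupies in memory
    (assumed 32-bit x86, as in the report's traces). Return the text if every
    byte is printable ASCII, otherwise None."""
    if value >= 1 << (8 * width):
        return None
    raw = value.to_bytes(width, "little")
    if all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return None


def find_text_overwrites(dump):
    """Map each header field whose value is really string data, not a pointer
    or size, to the decoded text. A free-list link that decodes to readable
    text means the chunk was written to while the allocator still owned it."""
    hits = {}
    for name, hexval in FIELD_RE.findall(dump):
        text = word_as_ascii(int(hexval, 16))
        if text is not None:
            hits[name] = text
    return hits


if __name__ == "__main__":
    for dump in GDB_DUMPS:
        print(find_text_overwrites(dump))  # {'prev_free_block': '/tmp'} for both
```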

 [2015-11-10 13:11 UTC] aurelien dot dudouit at corp dot ovh dot com
-Status: Open +Status: Closed
 [2015-11-10 13:11 UTC] aurelien dot dudouit at corp dot ovh dot com
May (surely) be a double free() problem due to OVH's patches.
Not relevant for mainline PHP, closing bug report.