Description:
------------
Original report through the Xdebug bug tracker https://bugs.xdebug.org/view.php?id=1352, but this is not Xdebug specific.

Running the "Test script" with USE_ZEND_ALLOC=0 and valgrind shows the actual output.

Test script:
---------------
<?php
set_error_handler(function() {
    throw new Error;
});
call_user_func("fail");
?>


Expected result:
----------------
No valgrind warning :-)

Actual result:
--------------
derick@whisky:~ $ valgrind php /tmp/foo.php 
==5682== Memcheck, a memory error detector
==5682== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==5682== Using Valgrind-3.12.0.SVN and LibVEX; rerun with -h for copyright info
==5682== Command: php /tmp/foo.php
==5682== 
==5682== Invalid read of size 1
==5682==    at 0xABB041: cleanup_unfinished_calls (zend_execute.c:2465)
==5682==    by 0xABEAAD: ZEND_HANDLE_EXCEPTION_SPEC_HANDLER (zend_vm_execute.h:1496)
==5682==    by 0xABB5BD: execute_ex (zend_vm_execute.h:414)
==5682==    by 0xF42DF21: xdebug_execute_ex (xdebug.c:1913)
==5682==    by 0xABB6CE: zend_execute (zend_vm_execute.h:458)
==5682==    by 0xA605CF: zend_execute_scripts (zend.c:1427)
==5682==    by 0x9D1D9E: php_execute_script (main.c:2494)
==5682==    by 0xB202A4: do_cli (php_cli.c:974)
==5682==    by 0xB21269: main (php_cli.c:1344)
==5682==  Address 0x101a96ec is 4 bytes before a block of size 352 alloc'd
==5682==    at 0x4C2BB0B: realloc (vg_replace_malloc.c:785)
==5682==    by 0xA2D24D: _erealloc (zend_alloc.c:2476)
==5682==    by 0xA4DF15: pass_two (zend_opcode.c:598)
==5682==    by 0xA09484: compile_file (zend_language_scanner.l:611)
==5682==    by 0x7CCAC1: phar_compile_file (phar.c:3322)
==5682==    by 0xF42E700: xdebug_compile_file (xdebug.c:2141)
==5682==    by 0xA60561: zend_execute_scripts (zend.c:1421)
==5682==    by 0x9D1D9E: php_execute_script (main.c:2494)
==5682==    by 0xB202A4: do_cli (php_cli.c:974)
==5682==    by 0xB21269: main (php_cli.c:1344)
==5682==