Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.

if no reproduce script, we can't do much thing on this...

To get a userland backtrace, switch to the execute_ex frame "f 6", load gdb macros "source path/to/php-src/.gdbinit" and run "zbacktrace execute_data".

Thanks for the info. After seeing the userland backtrace, I have little faith of being able to create a script that can reproduce this. According to the backtrace, the offending line is 195 in a particular script:
###
$obj_key = $type . '/' . $class;
###

Which appears in this context:
###
	public static function fetch_object($type, $class, $dependency = '', $always_instantiate = false)
	{
		static $object = array();

		$obj_key = $type . '/' . $class; // SEGFAULT?

		if ($dependency AND $class != 'Dependency')
		{
			$obj_key .= '/' . $dependency;
		}
###

The backtrace claims that $type = 'Model' and $class = 'Node' when it is passed to ::fetch_object
From a userland perspective, anything above this context in the stack should not have an effect here.

Since not only does this code run in production flawlessly 99.9% of the time for this and other arguments, I cannot see being able to concatenate any simple string like this in an attempt to cause a segfault for a test script without understanding the way the internals work.

Further, this is going off of the line numbers provided by the backtrace that in some cases are blatantly wrong. I have noticed in recent builds of PHP that line numbers associated with errors in general tend to be completely wrong. Hoping you sort out the issue with line numbers soon.

The linenos in zbacktrace may well be wrong - the implementation is not very complete. But I'm not aware of incorrect line numbers for normal errors. Can you maybe post an example?

Apologies, the line numbering issue I had noted was actually an issue with the way my code viewer counted lines. I have switched viewers, and the line numbers given by userland errors are now correct.

In my last reply I mentioned the segfault occurred on line 195 in my script. Using the correct line numbers, line 195 is the closing brace in the last line of the snippet I provided.

I should also mention that in this case, the backtrace claims that $dependency is passed explicitly as "" (not just using the default value).

I believe I have located the site URL that leads to this the segfault, so I can start stepping through the calling script and see if there's anything unusual going on.

I was able to resolve the segfault by making a small change to the script. Unfortunately, it is a very large script and the segfault seemed to occur only with certain data sets -- I could not reproduce the segfault on a separate installation or by using a smaller test script. I compared the data sets that segfaulted to sets that didn't and there were no differences or irregularities that I could see.

However, here is the test script I made that demonstrates the kinds of operations the script performs, as well as where the segfault occurs (while this test doesn't actually segfault):

###
class Info_Object
{
}

class Item_Object
{
	protected $infoid = 0;

	public function getInfoId()
	{
		$this->infoid = 1;

		return $this->infoid;
	}
}

function fetch_info(&$infoid)
{
	global $infocache;

	$infoid = intval($infoid);

	if (!isset($infocache["$infoid"]))
	{
		$infocache["$infoid"] = array(
			'contentid' => 1,
			'title' => 'Content'
		);

		$shortcut =& $infocache["$infoid"];
	}

	// other code here was the backtrace in the core dump
	// such as
	$infocache["$infoid"]['itemid'] = $infoid;

	// but when walking through, we learned that the segfault was later

	return $infocache["$infoid"]; // segfault
}

$view = new Info_Object();
$view->item = new Item_Object();
$view->infoid = $view->item->getInfoId();

if ($view->infoid)
{
	$info = fetch_info($view->infoid);
}

echo 'SUCCESS';
exit;
####

I was able to resolve the segfault by modifying this line:
####
$info = fetch_info($view->infoid);
####

So that the new line was like so:
####
$infoid = $view->infoid;
$info = fetch_info($infoid);
####

Hopefully this gives a clue as to where to look.

No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.

Is this still an issue with any of the actively supported PHP
versions[1]?

[1] <https://www.php.net/supported-versions.php>

No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.