This appears to be a compiler bug. Using plain gcc-linaro-4.5-2010.11-1, parse_warn includes the following assembly:
266: f7ff fffe bl 0 <dcgettext> 266: R_ARM_THM_CALL dcgettext 26a: 4632 mov r2, r6 26c: f104 0108 add.w r1, r4, #8 270: aefd add r6, sp, #1012 ; 0x3f4 272: 9600 str r6, [sp, #0] 274: 4603 mov r3, r0 276: 1d20 adds r0, r4, #4 278: f7ff ff8a bl 190 <parse_error_msg.clone.1> 27c: 4631 mov r1, r6 27e: a803 add r0, sp, #12 280: f7ff fffe bl 0 <str_escape_fmt>
Note that r6 is set to &buf at 0x270, stored on the stack at 0x272, and put into r1 at 0x27c. parse_error_msg() however corrupts r6:
00000190 <parse_error_msg.clone.1>: 190: b580 push {r7, lr} 192: b082 sub sp, #8 194: 4614 mov r4, r2 196: 4606 mov r6, r0 198: 460d mov r5, r1
which causes str_escape_fmt() to stomp on memory.
Either the compiler should call parse_error_msg (not the clone), or save r6 in the clone, or restore r6 from the stack before calling str_escape_fmt().
This appears to be a compiler bug. Using plain gcc-linaro- 4.5-2010. 11-1, parse_warn includes the following assembly:
266: f7ff fffe bl 0 <dcgettext> error_msg. clone.1>
266: R_ARM_THM_CALL dcgettext
26a: 4632 mov r2, r6
26c: f104 0108 add.w r1, r4, #8
270: aefd add r6, sp, #1012 ; 0x3f4
272: 9600 str r6, [sp, #0]
274: 4603 mov r3, r0
276: 1d20 adds r0, r4, #4
278: f7ff ff8a bl 190 <parse_
27c: 4631 mov r1, r6
27e: a803 add r0, sp, #12
280: f7ff fffe bl 0 <str_escape_fmt>
Note that r6 is set to &buf at 0x270, stored on the stack at 0x272, and put into r1 at 0x27c. parse_error_msg() however corrupts r6:
00000190 <parse_ error_msg. clone.1> :
190: b580 push {r7, lr}
192: b082 sub sp, #8
194: 4614 mov r4, r2
196: 4606 mov r6, r0
198: 460d mov r5, r1
which causes str_escape_fmt() to stomp on memory.
Either the compiler should call parse_error_msg (not the clone), or save r6 in the clone, or restore r6 from the stack before calling str_escape_fmt().