Comment 24 for bug 674146

This appears to be a compiler bug. Using plain gcc-linaro-4.5-2010.11-1, parse_warn includes the following assembly:

 266: f7ff fffe bl 0 <dcgettext>
   266: R_ARM_THM_CALL dcgettext
 26a: 4632 mov r2, r6
 26c: f104 0108 add.w r1, r4, #8
 270: aefd add r6, sp, #1012 ; 0x3f4
 272: 9600 str r6, [sp, #0]
 274: 4603 mov r3, r0
 276: 1d20 adds r0, r4, #4
 278: f7ff ff8a bl 190 <parse_error_msg.clone.1>
 27c: 4631 mov r1, r6
 27e: a803 add r0, sp, #12
 280: f7ff fffe bl 0 <str_escape_fmt>

Note that r6 is set to &buf at 0x270, stored on the stack at 0x272, and put into r1 at 0x27c. parse_error_msg() however corrupts r6:

00000190 <parse_error_msg.clone.1>:
 190: b580 push {r7, lr}
 192: b082 sub sp, #8
 194: 4614 mov r4, r2
 196: 4606 mov r6, r0
 198: 460d mov r5, r1

which causes str_escape_fmt() to stomp on memory.

Either the compiler should call parse_error_msg (not the clone), or save r6 in the clone, or restore r6 from the stack before calling str_escape_fmt().