Eli Zaretskii writes:

>> From: npostavs@users.sourceforge.net
>> Date: Fri, 07 Oct 2016 20:29:36 -0400
>> Cc: 24358@debbugs.gnu.org
>>
>> npostavs@users.sourceforge.net writes:
>> >
>> >> (I'm also on GNU/Linux, Arch) I get the same max-specpdl-size error with
>> >> 25.1.50, with 24.5 (and below) I get (error "Stack overflow in regexp
>> >> matcher")
>>
>> icalendar--read-element has been fixed, but this still reproduces when
>> doing (re-search-forward ".*\\(\n.*\\)*" nil t) on the text file given
>> in the OP.
>
> Isn't that "user error"?

Yes, but it should give "Stack overflow in regexp matcher", not overflow
the lisp stack (or assertion failure).

>
>> And I'm still seeing an assertion failure due to what looks like
>> memory corruption on the emacs-25 branch.
>
> Details of the assertion?

(See also https://debbugs.gnu.org/cgi/bugreport.cgi?bug=24358#8)

I tracked the corruption to a malloc call, but I wasn't able to figure
out what's happening there. I used the following to debug:

Apply the attached bug-24358-hunting.diff and then run

    gdb --args ./emacs -Q -batch -l ~/src/emacs/bug-24358-regex-max-specpdl.el

Where ~/src/emacs/bug-24358-regex-max-specpdl.el is:

    (with-temp-buffer
      (insert-file-contents "~/src/emacs/bug-24358-regex-max-specpdl.txt") ; adjust path
      (goto-char (point-min))
      (re-search-forward ".*\\(\n.*\\)*" nil t))

I show some more excerpts in the attached bug-24358-debug.log, but my
main finding is that string1 of re_match_2_internal is originally:

    string1=0x1835980 "DESCRIPTION;LANGUAGE=

but then it becomes corrupted during a malloc:

    Old value = 68 'D'
    New value = 0 '\000'
    0x00007ffff0cc01a7 in __memset_sse2_unaligned_erms () from /usr/lib/libc.so.6
    (gdb) bt 13
    #0  0x00007ffff0cc01a7 in __memset_sse2_unaligned_erms () from /usr/lib/libc.so.6
    #1  0x00000000006d27f5 in r_alloc_sbrk (size=290816) at ralloc.c:848
    #2  0x00000000006ced96 in get_contiguous_space (size=290816, position=0x1833000) at gmalloc.c:476
    #3  0x00000000006cf92a in _malloc_internal_nolock (size=163840) at gmalloc.c:844
    #4  0x00000000006cfe9d in _malloc_internal (size=163840) at gmalloc.c:927
    #5  0x00000000006cff1a in gmalloc (size=163840) at gmalloc.c:951
    #6  0x00000000006d14e4 in malloc (size=163840) at gmalloc.c:1827
    #7  0x00000000005f3e6b in lmalloc (size=163840) at alloc.c:1414
    #8  0x00000000005f3356 in xmalloc (size=163840) at alloc.c:821
    #9  0x00000000005f38e4 in record_xmalloc (size=163840) at alloc.c:1038
    #10 0x00000000005ee233 in re_match_2_internal (bufp=0xd6d650 , string1=0x1835980 "", size1=0, string2=0x1835980 "", size2=40918, pos=0, regs=0xd6deb0 , stop=40918) at regex.c:5844