    Improve the return action's ability to handle more complex prologues. · d2932d6e
    David Johnson authored
    All the trouble happened because in at least the 3.8.0-26 kernel I have,
    the sys_write syscall starts with a call to __fentry__.  That was
    messing up the stack cleanup the abort() action must perform (it has
    to clean up the stack frame the prologue allocated).  There are two
    ways to clean up the stack: 1) see if the code is using frame pointers
    (then use a multi-instr leave; ret sequence -- but we can only do that
    if the target provides thread control so we can ensure both instrs are
    stepped before control goes to another thread -- and we don't have
    thread control on the xen target); or 2) disasm the prologue and
    statically analyze how much the prologue allocates on the stack, then
    update %sp and do a simple ret.
    
    For #1, we were only looking for the first byte of the instruction
    being the push %ebp instr (and that method doesn't work on the xen target
    anyway); and for #2, there was a bug (I think -- maybe distorm, our
    disassembler, changed -- but probably it's my bug) that was affecting
    prologues whose stack space was reserved with a SUB instr.  Weird, I'm
    sure that was tested at one point; so who knows.
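As an added illustration of the two cleanup strategies the commit message contrasts (this is example code, not code from the commit or from the project it belongs to): a minimal x86-32 prologue walker that skips a leading `call __fentry__`, detects a real frame pointer setup (push %ebp followed by mov %esp,%ebp, rather than just checking the first byte), and totals the bytes reserved by pushes and by either `sub` encoding. The byte strings and function names are constructed for the example.

```python
# Added example (not project code): an x86-32 prologue analyzer for the two
# cleanup strategies the commit describes.  Sample bytes are constructed.
import struct

PUSH_REG = {0x50, 0x51, 0x52, 0x53, 0x55, 0x56, 0x57}     # push %eax..%edi (no %esp)
MOV_ESP_EBP = (b"\x89\xe5", b"\x8b\xec")                   # both encodings of mov %esp,%ebp

# Mimics the kernel case from the commit: call __fentry__ (rel32 left as 0),
# then push %ebp; mov %esp,%ebp; sub $0x1c,%esp.
PROLOGUE_FP_WITH_FENTRY = bytes.fromhex("e800000000" "55" "89e5" "83ec1c")
# No frame pointer: push %ebx; push %esi; sub $0x200,%esp (imm32 form).
PROLOGUE_NO_FP = bytes.fromhex("53" "56" "81ec00020000")

def analyze_prologue(code):
    """Return (uses_frame_pointer, stack_bytes_allocated) for a prologue.
    A leading call (e.g. __fentry__) is skipped: it has returned by the time
    the prologue body runs, so it has no net effect on the frame."""
    i, pushed_ebp, fp, alloc = 0, False, False, 0
    while i < len(code):
        op = code[i]
        if op == 0xE8 and i + 5 <= len(code):                    # call rel32
            i += 5
        elif op in PUSH_REG:                                      # push %reg
            alloc += 4
            pushed_ebp = pushed_ebp or op == 0x55
            i += 1
        elif code[i:i + 2] in MOV_ESP_EBP:                        # mov %esp,%ebp
            fp = pushed_ebp                    # only a real frame pointer if %ebp was saved
            i += 2
        elif code[i:i + 2] == b"\x83\xec" and i + 3 <= len(code):  # sub $imm8,%esp
            alloc += struct.unpack("<b", code[i + 2:i + 3])[0]
            i += 3
        elif code[i:i + 2] == b"\x81\xec" and i + 6 <= len(code):  # sub $imm32,%esp
            alloc += struct.unpack("<i", code[i + 2:i + 6])[0]
            i += 6
        else:
            break                                                 # prologue ends here
    return fp, alloc

def cleanup_plan(code):
    """Pick the cleanup the return action performs after the prologue.
    Strategy 1 (leave; ret) needs both instructions stepped under thread
    control; strategy 2 sets %esp via the register interface, then a single
    ret.  Returns (instructions_to_execute, esp_adjustment)."""
    fp, alloc = analyze_prologue(code)
    if fp:
        return ("leave; ret", 0)
    return ("ret", alloc)
```

With the `__fentry__` sample the old first-byte test (`code[0] == 0x55`) misses the frame pointer entirely, while the walker still reports it; for the frame-pointer-less sample it reports the 0x208 bytes (two pushes plus the SUB) that %esp must be raised by before the ret.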