Bug 799581 - Segmentation fault. 0x455640ec in __strcasestr_sse42_nonascii () from /lib/libc.so.6
Segmentation fault. 0x455640ec in __strcasestr_sse42_nonascii () from /lib/li...
Description Knut J BJuland 2012-03-03 03:20:44 EST
Description of problem:
When I start IBM SPSS 19 for linux it segment crash

Version-Release number of selected component (if applicable):

How reproducible:
Start IBM SPSS 19

Steps to Reproduce:
1. SPSS_HOME=/opt/IBM/SPSS/Statistics/19
2.  cd /opt/IBM/SPSS/Statistics/19
3. . /opt/IBM/SPSS/Statistics/19/bin/statsenv.sh
4 ddd /opt/IBM/SPSS/Statistics/19/bin/STATISTICS $@
Or start from command line
Actual results:
Segment fault with   Segmentation fault. 0x455640ec in __strcasestr_sse42_nonascii () from /lib/libc.so.6

Expected results:

It should start as it is compatible with Redhat Enteprise linux 6.

Additional info:
Comment 1 Knut J BJuland 2012-03-03 13:25:52 EST
STATISTICS[21848] general protection ip:455640ec sp:ffd456f4 error:0 in libc-2.14.90.so[45427000+1a7000]
Comment 2 Jeff Law 2012-03-05 13:31:25 EST
Knut, can you please see if this also fails with SPSS 20?  I don't have a copy of SPSS 19, nor can I find one one the web that I can use.  However, I can get a trial for SPSS 20.

Can you also verify whether this is an x86 or x86_64 application that is failing?  

file /opt/IBM/SPSS/Statistics/19/bin/STATISTICS
Comment 3 Knut J BJuland 2012-03-06 05:18:48 EST
/opt/IBM/SPSS/Statistics/19/bin/STATISTICS: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.2.5, not stripped
Comment 4 Jeff Law 2012-03-12 14:51:48 EDT
Are you able to test this with SPSS20?  As I mentioned in c#2, I don't have a copy of SPSS19, but I can get a copy of SPSS20.

A full backtrace would also be helpful as the path to strcasestr as well as the arguments may point us to the core problem.

Comment 5 Knut J BJuland 2012-03-28 12:00:54 EDT
GNU DDD 3.3.12 (x86_64-redhat-linux-gnu), by Dorothea Lütkehaus and Andreas Zeller.
Copyright © 1995-1999 Technische Universität Braunschweig, Germany.
Copyright © 1999-2001 Universität Passau, Germany.
Copyright © 2001 Universität des Saarlandes, Germany.
Copyright © 2001-2004 Free Software Foundation, Inc.
Reading symbols from /opt/IBM/SPSS/Statistics/19/bin/STATISTICS...done.
(gdb) set args
(gdb) run
Missing separate debuginfo for /lib/ld-linux.so.2
Try: yum --disablerepo='*' --enablerepo='*-debuginfo' install /usr/lib/debug/.build-id/03/51a659bc0812678c67f62af1f802a5f367befc.debug
Missing separate debuginfo for /lib/libnsl.so.1
Try: yum --disablerepo='*' --enablerepo='*-debuginfo' install /usr/lib/debug/.build-id/81/63f121b94883addbeb3dc331bfb34338aca566.debug
Missing separate debuginfo for /lib/libpthread.so.0
Try: yum --disablerepo='*' --enablerepo='*-debuginfo' install /usr/lib/debug/.build-id/66/bde8f1c5ea0505d428ab205352524e2ccfa7ac.debug
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Missing separate debuginfo for /lib/libdl.so.2
Try: yum --disablerepo='*' --enablerepo='*-debuginfo' install /usr/lib/debug/.build-id/10/cec21724c13b95ec03f00985b0405412817a49.debug
Missing separate debuginfo for /lib/librt.so.1
Try: yum --disablerepo='*' --enablerepo='*-debuginfo' install /usr/lib/debug/.build-id/70/ec0be07448920a83c0bceafed09d46008e56b1.debug
Missing separate debuginfo for /lib/libm.so.6
Try: yum --disablerepo='*' --enablerepo='*-debuginfo' install /usr/lib/debug/.build-id/96/b666a7f6d7a80ea6f9aef54f0cdd0f6190c058.debug
Missing separate debuginfo for /usr/lib/libstdc++.so.5
Try: yum --disablerepo='*' --enablerepo='*-debuginfo' install /usr/lib/debug/.build-id/9e/29ba9fa821b74165220c959b5866d33129c26f.debug
Missing separate debuginfo for /lib/libgcc_s.so.1
Try: yum --disablerepo='*' --enablerepo='*-debuginfo' install /usr/lib/debug/.build-id/4b/65b2ab36082e9552ad2014fac436421c4f65ad.debug
Missing separate debuginfo for /lib/libc.so.6
Try: yum --disablerepo='*' --enablerepo='*-debuginfo' install /usr/lib/debug/.build-id/e4/2d500dc9e803be62453540b4c81a12e96a006a.debug
Missing separate debuginfo for /usr/lib/libnuma.so.1
Try: yum --disablerepo='*' --enablerepo='*-debuginfo' install /usr/lib/debug/.build-id/b1/e761e9a1863a759201e4a2c9211aee03042b31.debug

Program received signal SIGSEGV, Segmentation fault.
0x434ec0ec in __strcasestr_sse42_nonascii () from /lib/libc.so.6

I have a x86_64 bit system.
Comment 6 Jeff Law 2012-03-29 15:21:09 EDT
Can you issue a "bt" command to DDD/gdb after it gets control?  That would give me the full backtrace which might help diagnose the problem.

If you have root privileges on the machine running

debuginfo-install glibc 

before running the ddd/gdb test again would be helpful.

Also, as I asked earlier, have you tried with SPSS 20, I don't have access to SPSS19.

Comment 7 Knut J BJuland 2012-03-31 12:24:23 EDT

It works with SPSS 20. I have issued debuginfo-install glibc, but I use x86_64 pc with 64 bits linux. 

Comment 8 Jeff Law 2012-04-17 00:58:43 EDT
Thanks for the additional information.  However, you still haven't provided the backtrace which could be critical for debugging this problem.

Please run

When ddd/gdb gets control after the segfault, please issue the following commands and provide me with the output.

info file
x/40i $pc
i r

Could you also issue the following commands and send me the result

rpm -qa | grep glibc

objdump -x /lib/libc.so.6
Comment 9 Knut J BJuland 2012-05-04 04:39:46 EDT
Comment 10 Knut J BJuland 2012-05-04 04:40:31 EDT
(gdb) backtrace
#0  0x434ec0ec in __strcasestr_sse42_nonascii () from /lib/libc.so.6
#1  0xf6687b28 in numa_node_size64 () from /usr/lib/libnuma.so.1
#2  0xf6687eb3 in ?? () from /usr/lib/libnuma.so.1
#3  0x43399e40 in call_init.part.0 () from /lib/ld-linux.so.2
#4  0x43399f70 in _dl_init_internal () from /lib/ld-linux.so.2
#5  0x4339e521 in dl_open_worker () from /lib/ld-linux.so.2
#6  0x43399d0f in _dl_catch_error () from /lib/ld-linux.so.2
#7  0x4339dd06 in _dl_open () from /lib/ld-linux.so.2
#8  0x4355fc09 in dlopen_doit () from /lib/libdl.so.2
#9  0x43399d0f in _dl_catch_error () from /lib/ld-linux.so.2
#10 0x435603ba in _dlerror_run () from /lib/libdl.so.2
#11 0x4355fcb7 in dlopen@@GLIBC_2.1 () from /lib/libdl.so.2
#12 0xf7f529cb in j9sl_open_shared_library () from /opt/IBM/SPSS/Statistics/19/bin/JRE/lib/i386/libj9prt24.so
#13 0xf7f5bb87 in j9vmem_startup () from /opt/IBM/SPSS/Statistics/19/bin/JRE/lib/i386/libj9prt24.so
#14 0xf7f4a086 in j9port_startup_library () from /opt/IBM/SPSS/Statistics/19/bin/JRE/lib/i386/libj9prt24.so
#15 0xf7f49d04 in j9port_init_library () from /opt/IBM/SPSS/Statistics/19/bin/JRE/lib/i386/libj9prt24.so
#16 0xf6797253 in JNI_CreateJavaVM () from /opt/IBM/SPSS/Statistics/19/bin/JRE/lib/i386/j9vm/libjvm.so
#17 0x08052da7 in JCVirtualMachine::createJVM (this=0xffffc0b0, vmArgs=0xffffc058, env=0xffffc068) at /userhome/statbldr/views/builder1unix_spss1901_view/java_client/launchjc/unix/source/jcvirtualmachine.cpp:247
#18 0x08052024 in JCVirtualMachine::run (this=0xffffc0b0) at /userhome/statbldr/views/builder1unix_spss1901_view/java_client/launchjc/unix/source/jcvirtualmachine.cpp:45
#19 0x08053875 in main (argc=1, argv=0xffffc1a4) at /userhome/statbldr/views/builder1unix_spss1901_view/java_client/launchjc/unix/source/spss.cpp:14

in /userhome/statbldr/views/builder1unix_spss1901_view/java_client/launchjc/unix/source/jcvirtualmachine.cpp
(gdb)
Comment 11 Knut J BJuland 2012-05-04 04:41:23 EDT
(gdb) (gdb) x/40i $pc
=> 0x434ec0ec <__strcasestr_sse42_nonascii+396>:	movdqa 0x10(%esp),%xmm1
   0x434ec0f2 <__strcasestr_sse42_nonascii+402>:	cmpb   $0x0,0x1(%edx)
   0x434ec0f6 <__strcasestr_sse42_nonascii+406>:	je     0x434ec270 <__strcasestr_sse42_nonascii+784>
   0x434ec0fc <__strcasestr_sse42_nonascii+412>:	mov    %edx,%esi
   0x434ec0fe <__strcasestr_sse42_nonascii+414>:	mov    %gs:0x0(%ebp),%edx
   0x434ec102 <__strcasestr_sse42_nonascii+418>:	movzbl (%esi),%ecx
   0x434ec105 <__strcasestr_sse42_nonascii+421>:	test   %cl,%cl
   0x434ec107 <__strcasestr_sse42_nonascii+423>:	je     0x434ed830 <__strcasestr_sse42_nonascii+6352>
   0x434ec10d <__strcasestr_sse42_nonascii+429>:	movzbl %cl,%ecx
   0x434ec110 <__strcasestr_sse42_nonascii+432>:	mov    (%edx,%ecx,4),%ecx
   0x434ec113 <__strcasestr_sse42_nonascii+435>:	mov    %cl,0x20(%esp)
   0x434ec117 <__strcasestr_sse42_nonascii+439>:	movzbl 0x1(%esi),%ecx
   0x434ec11b <__strcasestr_sse42_nonascii+443>:	test   %cl,%cl
   0x434ec11d <__strcasestr_sse42_nonascii+445>:	je     0x434ed48a <__strcasestr_sse42_nonascii+5418>
   0x434ec123 <__strcasestr_sse42_nonascii+451>:	movzbl %cl,%ecx
   0x434ec126 <__strcasestr_sse42_nonascii+454>:	mov    (%edx,%ecx,4),%ecx
   0x434ec129 <__strcasestr_sse42_nonascii+457>:	mov    %cl,0x21(%esp)
   0x434ec12d <__strcasestr_sse42_nonascii+461>:	movzbl 0x2(%esi),%ecx
   0x434ec131 <__strcasestr_sse42_nonascii+465>:	test   %cl,%cl
   0x434ec133 <__strcasestr_sse42_nonascii+467>:	je     0x434ed499 <__strcasestr_sse42_nonascii+5433>
   0x434ec139 <__strcasestr_sse42_nonascii+473>:	movzbl %cl,%ecx
   0x434ec13c <__strcasestr_sse42_nonascii+476>:	mov    (%edx,%ecx,4),%ecx
   0x434ec13f <__strcasestr_sse42_nonascii+479>:	mov    %cl,0x22(%esp)
   0x434ec143 <__strcasestr_sse42_nonascii+483>:	movzbl 0x3(%esi),%ecx
   0x434ec147 <__strcasestr_sse42_nonascii+487>:	test   %cl,%cl
   0x434ec149 <__strcasestr_sse42_nonascii+489>:	je     0x434ed7ce <__strcasestr_sse42_nonascii+6254>
   0x434ec14f <__strcasestr_sse42_nonascii+495>:	movzbl %cl,%ecx
   0x434ec152 <__strcasestr_sse42_nonascii+498>:	mov    (%edx,%ecx,4),%ecx
   0x434ec155 <__strcasestr_sse42_nonascii+501>:	mov    %cl,0x23(%esp)
   0x434ec159 <__strcasestr_sse42_nonascii+505>:	movzbl 0x4(%esi),%ecx
   0x434ec15d <__strcasestr_sse42_nonascii+509>:	test   %cl,%cl
   0x434ec15f <__strcasestr_sse42_nonascii+511>:	je     0x434ed7c4 <__strcasestr_sse42_nonascii+6244>
   0x434ec165 <__strcasestr_sse42_nonascii+517>:	movzbl %cl,%ecx
   0x434ec168 <__strcasestr_sse42_nonascii+520>:	mov    (%edx,%ecx,4),%ecx
   0x434ec16b <__strcasestr_sse42_nonascii+523>:	mov    %cl,0x24(%esp)
   0x434ec16f <__strcasestr_sse42_nonascii+527>:	movzbl 0x5(%esi),%ecx
   0x434ec173 <__strcasestr_sse42_nonascii+531>:	test   %cl,%cl
   0x434ec175 <__strcasestr_sse42_nonascii+533>:	je     0x434ed7ba <__strcasestr_sse42_nonascii+6234>
   0x434ec17b <__strcasestr_sse42_nonascii+539>:	movzbl %cl,%ecx
   0x434ec17e <__strcasestr_sse42_nonascii+542>:	mov    (%edx,%ecx,4),%ecx
Comment 12 Knut J BJuland 2012-05-04 04:42:11 EDT
(gdb) i r
eax            0x8078e98	134712984
ecx            0x3a	58
edx            0xf668af7f	-160911489
ebx            0x43558ff4	1129680884
esp            0xffff9e34	0xffff9e34
ebp            0xffffffd0	0xffffffd0
esi            0xffffffff	-1
edi            0x8078e98	134712984
eip            0x434ec0ec	0x434ec0ec <__strcasestr_sse42_nonascii+396>
eflags         0x10206	[ PF IF RF ]
cs             0x23	35
ss             0x2b	43
ds             0x2b	43
es             0x2b	43
fs             0x0	0
gs             0x63	99
Comment 13 Knut J BJuland 2012-05-04 04:44:17 EDT
Comment 14 Knut J BJuland 2012-05-04 04:45:18 EDT
Created attachment 582054 [details]
objdump -x /lib/libc.so.6 >libc6.asm

objdump -x /lib/libc.so.6
Comment 15 Jakub Jelinek 2012-05-04 04:54:03 EDT
=> 0x434ec0ec <__strcasestr_sse42_nonascii+396>: movdqa 0x10(%esp),%xmm1
esp            0xffff9e34 0xffff9e34
most probably means something up in the call stack violates the ABI by misaligning the stack pointer, because %esp at that point should be 16-byte aligned.  It doesn't seem that this is a fault of strcasestr, because
the prologue does:
4491af60:       55                      push   %ebp
4491af61:       57                      push   %edi
4491af62:       56                      push   %esi
4491af63:       53                      push   %ebx
4491af64:       81 ec cc 00 00 00       sub    $0xcc,%esp
and the slot above call return value is supposed to be 16-byte aligned, thus when it subtracts the return call slot from that (4 bytes), then 4 pushes (0x10 bytes) and then 0xcc bytes, that is in total 0xe0 bytes subtracted, divisible by 16.
I guess you can go up in the backtrace using up and always see the value of the sp at each step, find out where the misaligning happens, report there.
Comment 16 Jeff Law 2012-05-04 13:32:06 EDT
But note that this is running in 32bit mode (see gdb startup in c#9 and all the addresses, register dump, etc); isn't the stack boundary in 32bit mode still just 32 bits?  So if a function in 32bit mode uses movdqa (such as strcasestr_sse42_nonascii) on a stack slot, doesn't that function have to forcably realign the stack?
Comment 17 Jakub Jelinek 2012-05-04 13:58:55 EDT
Linux 32-bit ABI has 16-byte esp alignment.  Code that doesn't ensure 16-byte alignment can still be run, but only as long as it doesn't call any functions with the default ABI directly, but through wrappers that realign the stack (-mstackrealign or force_align_arg_pointer attribute).
See -mstackrealign, -mpreferred-stack-boundary= and -mincoming-stack-boundary=
option documentation, the default on Linux is no -mstackrealign, and both of the other options set to 4 (i.e. 16-byte alignment).
Comment 18 Knut J BJuland 2012-05-04 14:14:33 EDT
It seem that IBM have fixed the problem in SPSS 20. I have now switched to SPSSS 20.0.
Comment 19 Jeff Law 2012-05-04 14:45:07 EDT
If you've still got V19 installed, start it up with your debugger, wait for the segfault, then

p/x $sp
p/x $sp

Repeat 18 more times.  That'll give us the value of the stack pointer in each frame.  From that we can determine if glibc is somehow misaligning the stack pointer or if it's an SPSS problem.

I don't see anything in the SPSS20 list of defect corrections which looks like it resolve this issue.  It's entirely possible this is working by chance in SPSS20.
Comment 20 Knut J BJuland 2012-05-04 16:13:41 EDT
Program received signal SIGSEGV, Segmentation fault.
0x434ec0ec in __strcasestr_sse42_nonascii () from /lib/libc.so.6
(gdb) p/x $sp
$1 = 0xffff9e34
(gdb) up
#1  0xf6687b28 in numa_node_size64 () from /usr/lib/libnuma.so.1
(gdb) p/x $sp
$2 = 0xffff9f14
(gdb) up
#2  0xf6687eb3 in ?? () from /usr/lib/libnuma.so.1
(gdb) p/x $sp
$3 = 0xffff9fc4
(gdb) up
#3  0x43399e40 in call_init.part.0 () from /lib/ld-linux.so.2
(gdb) p/x $sp
$4 = 0xffffa044
(gdb) up
#4  0x43399f70 in _dl_init_internal () from /lib/ld-linux.so.2
(gdb) p/x $sp
$5 = 0xffffa084
(gdb) up
#5  0x4339e521 in dl_open_worker () from /lib/ld-linux.so.2
(gdb) p/x $sp
$6 = 0xffffa0c4
(gdb) up
#6  0x43399d0f in _dl_catch_error () from /lib/ld-linux.so.2
(gdb) p/x $sp
$7 = 0xffffa124
(gdb) up
#7  0x4339dd06 in _dl_open () from /lib/ld-linux.so.2
(gdb) p/x $sp
$8 = 0xffffa204
(gdb) up
#8  0x4355fc09 in dlopen_doit () from /lib/libdl.so.2
(gdb) p/x $sp
$9 = 0xffffa274
(gdb) up
#9  0x43399d0f in _dl_catch_error () from /lib/ld-linux.so.2
(gdb) p/x $sp
$10 = 0xffffa2c4
(gdb) up
#10 0x435603ba in _dlerror_run () from /lib/libdl.so.2
(gdb) p/x $sp
$11 = 0xffffa3a4
(gdb) up
#11 0x4355fcb7 in dlopen@@GLIBC_2.1 () from /lib/libdl.so.2
(gdb) p/x $sp
$12 = 0xffffa3e4
(gdb) up
#12 0xf7f529cb in j9sl_open_shared_library () from /opt/IBM/SPSS/Statistics/19/bin/JRE/lib/i386/libj9prt24.so
(gdb) p/x $sp
$13 = 0xffffa414
(gdb) up
#13 0xf7f5bb87 in j9vmem_startup () from /opt/IBM/SPSS/Statistics/19/bin/JRE/lib/i386/libj9prt24.so
(gdb) p/x $sp
$14 = 0xffffae74
(gdb) up
#14 0xf7f4a086 in j9port_startup_library () from /opt/IBM/SPSS/Statistics/19/bin/JRE/lib/i386/libj9prt24.so
(gdb) p/x $sp
$15 = 0xffffaed4
(gdb) up
#15 0xf7f49d04 in j9port_init_library () from /opt/IBM/SPSS/Statistics/19/bin/JRE/lib/i386/libj9prt24.so
(gdb) p/x $sp
$16 = 0xffffaef4
(gdb) up
#16 0xf6797253 in JNI_CreateJavaVM () from /opt/IBM/SPSS/Statistics/19/bin/JRE/lib/i386/j9vm/libjvm.so
(gdb) p/x $sp
$17 = 0xffffaf14
(gdb) up
#17 0x08052da7 in JCVirtualMachine::createJVM (this=0xffffc0b0, vmArgs=0xffffc058, env=0xffffc068) at /userhome/statbldr/views/builder1unix_spss1901_view/java_client/launchjc/unix/source/jcvirtualmachine.cpp:247
	in /userhome/statbldr/views/builder1unix_spss1901_view/java_client/launchjc/unix/source/jcvirtualmachine.cpp
(gdb) p/x $sp
$18 = 0xffffbfd4
(gdb) up
#18 0x08052024 in JCVirtualMachine::run (this=0xffffc0b0) at /userhome/statbldr/views/builder1unix_spss1901_view/java_client/launchjc/unix/source/jcvirtualmachine.cpp:45
(gdb) p/x $sp
$19 = 0xffffc04c
(gdb) up
#19 0x08053875 in main (argc=1, argv=0xffffc1a4) at /userhome/statbldr/views/builder1unix_spss1901_view/java_client/launchjc/unix/source/spss.cpp:14
	in /userhome/statbldr/views/builder1unix_spss1901_view/java_client/launchjc/unix/source/spss.cpp
(gdb) p/x $sp
$20 = 0xffffc094
(gdb) up
Initial frame selected; you cannot go up.
(gdb) p/x $sp
$21 = 0xffffc094
(gdb) up
Initial frame selected; you cannot go up.
(gdb) p/x $sp
Comment 21 Jeff Law 2012-05-05 01:27:58 EDT
Knut, thanks.  The stuff you've given us in the last few days has been extremely helpful.  What's exceedingly strange is it appears the stack starts misaligned and is dutifully kept misaligned throughout execution.  This could either be a kernel issue or dynamic linker issue.  I presume you're not running a custom kernel?

While it's possible to debug the early stages of the dynamic linker to see if the kernel is providing the misaligned stack or if the dynamic linker mucks things up at some point, it's fairly complex and might involve a lot of trial and error.

Are you interested in pursuing this further?  If so, would it be possible to temporarily get access to your machine so I can poke at the state of the dynamic linker?
Comment 22 Jakub Jelinek 2012-05-05 02:10:38 EDT
Normally it is _start (in gcrt1.o or Scrt1.o) that aligns stack, and main does that as well.

080482e0 <_start>:
 80482e0:       31 ed                   xor    %ebp,%ebp
 80482e2:       5e                      pop    %esi
 80482e3:       89 e1                   mov    %esp,%ecx
 80482e5:       83 e4 f0                and    $0xfffffff0,%esp
080483fc <main>:
 80483fc:       55                      push   %ebp
 80483fd:       89 e5                   mov    %esp,%ebp
 80483ff:       53                      push   %ebx
 8048400:       83 e4 f0                and    $0xfffffff0,%esp

Which would mean that SPSS19 would need to be linked both with broken *crt1.o and compiled with broken compiler...
Comment 23 Knut J BJuland 2012-05-05 07:27:55 EDT

I have sent a mail from knutjorgen(nospam at)knutjorgen.com to Jeff Law.
Comment 24 Jeff Law 2012-05-07 14:25:16 EDT

I could easily see IBM using an old toolchain  or even possibly something other than GCC to compile SPSS.  We really don't have any contact with that part of IBM, so insight is lacking.

Knut, one thing you could pass along would be the disassembler dump of _start and main.  

If you start up your debugger and issue the following commands

disassemble main
disassemble _start

That might help track things down.

Comment 25 Knut J BJuland 2012-05-10 22:18:25 EDT
(gdb) disassemble main
Dump of assembler code for function main:
   0x080537fc <+0>:	push   %ebp
   0x080537fd <+1>:	mov    %esp,%ebp
   0x080537ff <+3>:	sub    $0x3,%esp
   0x08053802 <+6>:	and    $0xfffffff8,%esp
   0x08053805 <+9>:	add    $0x4,%esp
   0x08053808 <+12>:	sub    $0x6c,%esp
   0x0805380b <+15>:	mov    %edi,-0x4(%ebp)
   0x0805380e <+18>:	mov    %esi,-0x8(%ebp)
   0x08053811 <+21>:	mov    %ebx,-0xc(%ebp)
   0x08053814 <+24>:	call   0x8053819 <main+29>
   0x08053819 <+29>:	pop    %eax
   0x0805381a <+30>:	add    $0xcce3,%eax
   0x0805381f <+35>:	mov    %eax,-0x18(%ebp)
   0x08053822 <+38>:	add    $0xfffffff8,%esp
   0x08053825 <+41>:	movl   $0x6,(%esp)
   0x0805382c <+48>:	lea    -0x6208(%eax),%edx
   0x08053832 <+54>:	mov    %edx,0x4(%esp)
   0x08053836 <+58>:	mov    %eax,%ebx
   0x08053838 <+60>:	call   0x804ca64 <setlocale@plt>
   0x0805383d <+65>:	add    $0x8,%esp
   0x08053840 <+68>:	add    $0xfffffff4,%esp
   0x08053843 <+71>:	lea    -0x58(%ebp),%eax
   0x08053846 <+74>:	mov    %eax,(%esp)
   0x08053849 <+77>:	mov    0x8(%ebp),%eax
   0x0805384c <+80>:	mov    %eax,0x4(%esp)
   0x08053850 <+84>:	mov    0xc(%ebp),%eax
   0x08053853 <+87>:	mov    %eax,0x8(%esp)
   0x08053857 <+91>:	mov    -0x18(%ebp),%eax
   0x0805385a <+94>:	mov    %eax,%ebx
   0x0805385c <+96>:	call   0x8051eb4 <JCVirtualMachine::JCVirtualMachine(int, char**)>
   0x08053861 <+101>:	add    $0xc,%esp
   0x08053864 <+104>:	push   %edi
   0x08053865 <+105>:	lea    -0x58(%ebp),%eax
   0x08053868 <+108>:	mov    %eax,(%esp)
   0x0805386b <+111>:	mov    -0x18(%ebp),%eax
   0x0805386e <+114>:	mov    %eax,%ebx
   0x08053870 <+116>:	call   0x8051fbc <JCVirtualMachine::run()>
   0x08053875 <+121>:	add    $0x4,%esp
   0x08053878 <+124>:	mov    %eax,-0x14(%ebp)
   0x0805387b <+127>:	mov    -0x14(%ebp),%eax
   0x0805387e <+130>:	movzbl %al,%eax
   0x08053881 <+133>:	test   %eax,%eax
   0x08053883 <+135>:	jne    0x80538c3 <main+199>
   0x08053885 <+137>:	jmp    0x80538ba <main+190>
   0x08053887 <+139>:	call   0x805388c <main+144>
   0x0805388c <+144>:	pop    %eax
   0x0805388d <+145>:	add    $0xcc70,%eax
   0x08053892 <+150>:	mov    %eax,-0x5c(%ebp)
   0x08053895 <+153>:	push   %edi
   0x08053896 <+154>:	lea    -0x58(%ebp),%edx
   0x08053899 <+157>:	mov    %edx,(%esp)
   0x0805389c <+160>:	mov    %eax,%ebx
   0x0805389e <+162>:	call   0x8051f8a <JCVirtualMachine::~JCVirtualMachine()>
   0x080538a3 <+167>:	add    $0x4,%esp
   0x080538a6 <+170>:	push   %edi
   0x080538a7 <+171>:	mov    -0x60(%ebp),%eax
   0x080538aa <+174>:	mov    %eax,(%esp)
   0x080538ad <+177>:	mov    -0x5c(%ebp),%eax
   0x080538b0 <+180>:	mov    %eax,%ebx
   0x080538b2 <+182>:	call   0x804ccc4 <_Unwind_Resume@plt>
   0x080538b7 <+187>:	add    $0x4,%esp
   0x080538ba <+190>:	movl   $0x1,-0x10(%ebp)
   0x080538c1 <+197>:	jmp    0x80538ca <main+206>
   0x080538c3 <+199>:	movl   $0x0,-0x10(%ebp)
   0x080538ca <+206>:	mov    -0x10(%ebp),%eax
   0x080538cd <+209>:	mov    %eax,-0x1c(%ebp)
   0x080538d0 <+212>:	push   %edi
   0x080538d1 <+213>:	lea    -0x58(%ebp),%eax
   0x080538d4 <+216>:	mov    %eax,(%esp)
   0x080538d7 <+219>:	mov    -0x18(%ebp),%eax
   0x080538da <+222>:	mov    %eax,%ebx
   0x080538dc <+224>:	call   0x8051f8a <JCVirtualMachine::~JCVirtualMachine()>
   0x080538e1 <+229>:	add    $0x4,%esp
   0x080538e4 <+232>:	mov    -0x1c(%ebp),%eax
   0x080538e7 <+235>:	mov    -0xc(%ebp),%ebx
   0x080538ea <+238>:	mov    -0x8(%ebp),%esi
   0x080538ed <+241>:	mov    -0x4(%ebp),%edi
   0x080538f0 <+244>:	leave  
   0x080538f1 <+245>:	ret    
   0x080538f2 <+0>:	mov    %eax,-0x6c(%ebp)
   0x080538f5 <+3>:	mov    %edx,-0x68(%ebp)
   0x080538f8 <+6>:	nop
   0x080538f9 <+7>:	mov    -0x6c(%ebp),%eax
   0x080538fc <+10>:	mov    %eax,-0x60(%ebp)
   0x080538ff <+13>:	mov    -0x68(%ebp),%eax
   0x08053902 <+16>:	mov    %eax,-0x64(%ebp)
   0x08053905 <+19>:	jmp    0x8053887 <main+139>
   0x08053907 <+21>:	nop
End of assembler dump.
Comment 26 Knut J BJuland 2012-05-10 22:19:11 EDT
Dump of assembler code for function _start:
   0x0804cd40 <+0>:	xor    %ebp,%ebp
   0x0804cd42 <+2>:	pop    %esi
   0x0804cd43 <+3>:	mov    %esp,%ecx
   0x0804cd45 <+5>:	and    $0xfffffff0,%esp
   0x0804cd48 <+8>:	push   %eax
   0x0804cd49 <+9>:	push   %esp
   0x0804cd4a <+10>:	push   %edx
   0x0804cd4b <+11>:	push   $0x8058930
   0x0804cd50 <+16>:	push   $0x80588e8
   0x0804cd55 <+21>:	push   %ecx
   0x0804cd56 <+22>:	push   %esi
   0x0804cd57 <+23>:	push   $0x80537fc
   0x0804cd5c <+28>:	call   0x804cbe4 <__libc_start_main@plt>
   0x0804cd61 <+33>:	hlt    
   0x0804cd62 <+34>:	nop
   0x0804cd63 <+35>:	nop
End of assembler dump.
Comment 27 Jeff Law 2012-05-10 23:11:26 EDT
Bingo!  We have a winner!

main() isn't properly aligning the stack; this is clearly a problem with either the SPSS 19 build procedure and/or the compiler used to build SPSS 19. See main+0x6 where it masks off low bits in %esp using the mask 0xfffffff8.  The right mask is 0xfffffff0.

If you wanted to verify that SPSS20 handles this correctly, disassemble it's main procedure and look for an instruction near the beginning masking low bits off in %esp.  It should be using the mask 0xfffffff0.

Thanks for your patience and willingness to keep sending in register dumps, disassembly dumps, etc.  They were all very helpful in tracking this problem down to its root cause.
Comment 28 Jakub Jelinek 2012-05-11 01:24:58 EDT
_start they are using is buggy too, is missing
so it is really ancient.

Note You need to log in before you can comment on or make changes to this bug.