1. Patchew
  2. Xen
  3. View series

[PATCH] coverage: place GCOV-generated .text.* sections in Xen text

Dmytro Prokopchuk1 posted 1 patch 3 days, 13 hours ago
Patches applied successfully (tree, apply log)
git fetch https://gitlab.com/xen-project/patchew/xen tags/patchew/cb8c1e0862a554f7a28347f549e9cfd0b0d6db2f.1779829545.git.dmytro._5Fprokopchuk1@epam.com
xen/arch/arm/xen.lds.S   | 2 +-
xen/arch/ppc/xen.lds.S   | 2 +-
xen/arch/riscv/xen.lds.S | 2 +-
xen/arch/x86/xen.lds.S   | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
[PATCH] coverage: place GCOV-generated .text.* sections in Xen text
Posted by Dmytro Prokopchuk1 3 days, 13 hours ago 
GCOV instrumentation can emit executable input sections such as
.text.startup and .text.exit when CONFIG_COVERAGE is enabled.
At present the Xen linker scripts only collect .text.* into the
main text output section when CONFIG_CC_SPLIT_SECTIONS is enabled.

With CONFIG_COVERAGE=y and CONFIG_CC_SPLIT_SECTIONS=n, these executable
sections may be placed as linker orphans outside the expected Xen text
region. Constructors generated by coverage instrumentation can then point
at code outside the normal RX text mapping, leading to early boot crashes
from init_constructors():

    (XEN) [   12.331193] Instruction Abort Trap. Syndrome=0xf
    (XEN) [   12.334253] Walking Hypervisor VA 0xa00003ce000 on CPU0 via TTBR 0x000000004352d000
    (XEN) [   12.338550] 0TH[0x014] = 0x4352cf7f
    (XEN) [   12.341823] 1ST[0x000] = 0x4352bf7f
    (XEN) [   12.345124] 2ND[0x001] = 0x40000043527f7f
    (XEN) [   12.347329] 3RD[0x1ce] = 0x400000433cef7f
    (XEN) [   12.351233] CPU0: Unexpected Trap: Instruction Abort
    (XEN) [   12.357643] ----[ Xen-4.21.1  arm64  debug=n gcov=y  Not tainted ]----
    (XEN) [   12.360243] CPU:    0
    (XEN) [   12.364098] PC:     00000a00003ce000 00000a00003ce000
    (XEN) [   12.375835] LR:     00000a00004802f8
    (XEN) [   12.378273] SP:     00000a00004c7e10
    (XEN) [   12.380492] CPSR:   0000000080000249 MODE:64-bit EL2h (Hypervisor, handler)
    (XEN) [   12.382785]      X0: 00000a00003ce000  X1: 0000000000000000  X2: 00000a0000410fa0
    (XEN) [   12.385176]      X3: 0000000000000000  X4: 0000000000000010  X5: 0000000000000001
    (XEN) [   12.387555]      X6: 00000a00004e5f40  X7: 00000a00004e5f38  X8: 0000000000000000
    (XEN) [   12.390027]      X9: 00000a00004e5f20 X10: 00000a00004e5f30 X11: 00000a00004e5f40
    (XEN) [   12.392510]     X12: 00000a0000439748 X13: 00000a0000406938 X14: 000000000000062e
    (XEN) [   12.394954]     X15: 00000a00004f3918 X16: 00000a00004c7bb5 X17: 00000000004c7bb5
    (XEN) [   12.397293]     X18: 0000000000000030 X19: 000000000000001d X20: 00000000000000a9
    (XEN) [   12.399803]     X21: 00000a00004c8008 X22: 00000a00003fa000 X23: 00000a00004e2000
    (XEN) [   12.402392]     X24: 00000a00003f9390 X25: 00000a00003fa000 X26: 00000a00003f4ca8
    (XEN) [   12.404798]     X27: 0000000000000002 X28: 00000a000057a9c0  FP: 00000000bedb6740
    (XEN) [   12.407110]
    (XEN) [   12.409442]   VTCR_EL2: 0000000080023558
    (XEN) [   12.411291]  VTTBR_EL2: 00000000bffc4000
    (XEN) [   12.412895]
    (XEN) [   12.414204]  SCTLR_EL2: 0000000030cd183d
    (XEN) [   12.415928]    HCR_EL2: 0000000000000039
    (XEN) [   12.417642]  TTBR0_EL2: 000000004352d000
    (XEN) [   12.419152]
    (XEN) [   12.420327]    ESR_EL2: 000000008600000f
    (XEN) [   12.422056]  HPFAR_EL2: 0000000000000000
    (XEN) [   12.423809]    FAR_EL2: 00000a00003ce000
    ...
    (XEN) [   12.485355] Xen call trace:
    (XEN) [   12.489080]    [<00000a00003ce000>] 00000a00003ce000 (PC)
    (XEN) [   12.512076]    [<00000a00004802f8>] init_constructors+0x38/0x50 (LR)

Observed failing symbol:
    _sub_I_00100_0
called from:
    init_constructors()
The issue can be diagnosed by enabling linker orphan diagnostics or
generating a linker map:
    LDFLAGS += "--orphan-handling=warn"
    LDFLAGS += "-Map=xen.map"
and then inspecting orphaned executable sections such as:
    .text.startup

Collect .text.* whenever either CONFIG_CC_SPLIT_SECTIONS or
CONFIG_COVERAGE is enabled.

Apply the same change for arm, x86, riscv and ppc.

Signed-off-by: Dmytro Prokopchuk <dmytro_prokopchuk1@epam.com>
---
 xen/arch/arm/xen.lds.S   | 2 +-
 xen/arch/ppc/xen.lds.S   | 2 +-
 xen/arch/riscv/xen.lds.S | 2 +-
 xen/arch/x86/xen.lds.S   | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/xen/arch/arm/xen.lds.S b/xen/arch/arm/xen.lds.S
index 2d5f1c516d..e1b179fe5f 100644
--- a/xen/arch/arm/xen.lds.S
+++ b/xen/arch/arm/xen.lds.S
@@ -41,7 +41,7 @@ SECTIONS
        *(.text.unlikely .text.*_unlikely .text.unlikely.*)
 
        *(.text)
-#ifdef CONFIG_CC_SPLIT_SECTIONS
+#if defined(CONFIG_CC_SPLIT_SECTIONS) || defined(CONFIG_COVERAGE)
        *(.text.*)
 #endif
 
diff --git a/xen/arch/ppc/xen.lds.S b/xen/arch/ppc/xen.lds.S
index d0f2ed43f1..6224c06ae8 100644
--- a/xen/arch/ppc/xen.lds.S
+++ b/xen/arch/ppc/xen.lds.S
@@ -34,7 +34,7 @@ SECTIONS
         *(.text.unlikely .text.*_unlikely .text.unlikely.*)
 
         *(.text)
-#ifdef CONFIG_CC_SPLIT_SECTIONS
+#if defined(CONFIG_CC_SPLIT_SECTIONS) || defined(CONFIG_COVERAGE)
         *(.text.*)
 #endif
 
diff --git a/xen/arch/riscv/xen.lds.S b/xen/arch/riscv/xen.lds.S
index 65f136dce9..7c19d2e9dd 100644
--- a/xen/arch/riscv/xen.lds.S
+++ b/xen/arch/riscv/xen.lds.S
@@ -24,7 +24,7 @@ SECTIONS
         *(.text.unlikely .text.*_unlikely .text.unlikely.*)
 
         *(.text)
-#ifdef CONFIG_CC_SPLIT_SECTIONS
+#if defined(CONFIG_CC_SPLIT_SECTIONS) || defined(CONFIG_COVERAGE)
         *(.text.*)
 #endif
 
diff --git a/xen/arch/x86/xen.lds.S b/xen/arch/x86/xen.lds.S
index b9e888e596..42a17f57e6 100644
--- a/xen/arch/x86/xen.lds.S
+++ b/xen/arch/x86/xen.lds.S
@@ -93,7 +93,7 @@ SECTIONS
 
        *(.text.page_aligned)
        *(.text)
-#ifdef CONFIG_CC_SPLIT_SECTIONS
+#if defined(CONFIG_CC_SPLIT_SECTIONS) || defined(CONFIG_COVERAGE)
        *(.text.*)
 #endif
        *(.text.__x86_indirect_thunk_*)
-- 
2.43.0
Re: [PATCH] coverage: place GCOV-generated .text.* sections in Xen text
Posted by Roger Pau Monné 2 days, 21 hours ago 
On Tue, May 26, 2026 at 09:07:42PM +0000, Dmytro Prokopchuk1 wrote:
> GCOV instrumentation can emit executable input sections such as
> .text.startup and .text.exit when CONFIG_COVERAGE is enabled.
> At present the Xen linker scripts only collect .text.* into the
> main text output section when CONFIG_CC_SPLIT_SECTIONS is enabled.
> 
> With CONFIG_COVERAGE=y and CONFIG_CC_SPLIT_SECTIONS=n, these executable
> sections may be placed as linker orphans outside the expected Xen text
> region. Constructors generated by coverage instrumentation can then point
> at code outside the normal RX text mapping, leading to early boot crashes
> from init_constructors():
> 
>     (XEN) [   12.331193] Instruction Abort Trap. Syndrome=0xf
>     (XEN) [   12.334253] Walking Hypervisor VA 0xa00003ce000 on CPU0 via TTBR 0x000000004352d000
>     (XEN) [   12.338550] 0TH[0x014] = 0x4352cf7f
>     (XEN) [   12.341823] 1ST[0x000] = 0x4352bf7f
>     (XEN) [   12.345124] 2ND[0x001] = 0x40000043527f7f
>     (XEN) [   12.347329] 3RD[0x1ce] = 0x400000433cef7f
>     (XEN) [   12.351233] CPU0: Unexpected Trap: Instruction Abort
>     (XEN) [   12.357643] ----[ Xen-4.21.1  arm64  debug=n gcov=y  Not tainted ]----
>     (XEN) [   12.360243] CPU:    0
>     (XEN) [   12.364098] PC:     00000a00003ce000 00000a00003ce000
>     (XEN) [   12.375835] LR:     00000a00004802f8
>     (XEN) [   12.378273] SP:     00000a00004c7e10
>     (XEN) [   12.380492] CPSR:   0000000080000249 MODE:64-bit EL2h (Hypervisor, handler)
>     (XEN) [   12.382785]      X0: 00000a00003ce000  X1: 0000000000000000  X2: 00000a0000410fa0
>     (XEN) [   12.385176]      X3: 0000000000000000  X4: 0000000000000010  X5: 0000000000000001
>     (XEN) [   12.387555]      X6: 00000a00004e5f40  X7: 00000a00004e5f38  X8: 0000000000000000
>     (XEN) [   12.390027]      X9: 00000a00004e5f20 X10: 00000a00004e5f30 X11: 00000a00004e5f40
>     (XEN) [   12.392510]     X12: 00000a0000439748 X13: 00000a0000406938 X14: 000000000000062e
>     (XEN) [   12.394954]     X15: 00000a00004f3918 X16: 00000a00004c7bb5 X17: 00000000004c7bb5
>     (XEN) [   12.397293]     X18: 0000000000000030 X19: 000000000000001d X20: 00000000000000a9
>     (XEN) [   12.399803]     X21: 00000a00004c8008 X22: 00000a00003fa000 X23: 00000a00004e2000
>     (XEN) [   12.402392]     X24: 00000a00003f9390 X25: 00000a00003fa000 X26: 00000a00003f4ca8
>     (XEN) [   12.404798]     X27: 0000000000000002 X28: 00000a000057a9c0  FP: 00000000bedb6740
>     (XEN) [   12.407110]
>     (XEN) [   12.409442]   VTCR_EL2: 0000000080023558
>     (XEN) [   12.411291]  VTTBR_EL2: 00000000bffc4000
>     (XEN) [   12.412895]
>     (XEN) [   12.414204]  SCTLR_EL2: 0000000030cd183d
>     (XEN) [   12.415928]    HCR_EL2: 0000000000000039
>     (XEN) [   12.417642]  TTBR0_EL2: 000000004352d000
>     (XEN) [   12.419152]
>     (XEN) [   12.420327]    ESR_EL2: 000000008600000f
>     (XEN) [   12.422056]  HPFAR_EL2: 0000000000000000
>     (XEN) [   12.423809]    FAR_EL2: 00000a00003ce000
>     ...
>     (XEN) [   12.485355] Xen call trace:
>     (XEN) [   12.489080]    [<00000a00003ce000>] 00000a00003ce000 (PC)
>     (XEN) [   12.512076]    [<00000a00004802f8>] init_constructors+0x38/0x50 (LR)
> 
> Observed failing symbol:
>     _sub_I_00100_0
> called from:
>     init_constructors()
> The issue can be diagnosed by enabling linker orphan diagnostics or
> generating a linker map:
>     LDFLAGS += "--orphan-handling=warn"
>     LDFLAGS += "-Map=xen.map"
> and then inspecting orphaned executable sections such as:
>     .text.startup

The x86 linker script does account for .text.startup in the .init
section:

  DECL_SECTION(.init.text) {
#endif
       _sinittext = .;
       *(.init.text)
       *(.text.startup)
       _einittext = .;

I think you just need to copy this to the arches that don't have it?

Thanks, Roger.
Re: [PATCH] coverage: place GCOV-generated .text.* sections in Xen text
Posted by Dmytro Prokopchuk1 1 day, 22 hours ago 

On 5/27/26 16:17, Roger Pau Monné wrote:
> On Tue, May 26, 2026 at 09:07:42PM +0000, Dmytro Prokopchuk1 wrote:
>> GCOV instrumentation can emit executable input sections such as
>> .text.startup and .text.exit when CONFIG_COVERAGE is enabled.
>> At present the Xen linker scripts only collect .text.* into the
>> main text output section when CONFIG_CC_SPLIT_SECTIONS is enabled.
>>
>> With CONFIG_COVERAGE=y and CONFIG_CC_SPLIT_SECTIONS=n, these executable
>> sections may be placed as linker orphans outside the expected Xen text
>> region. Constructors generated by coverage instrumentation can then point
>> at code outside the normal RX text mapping, leading to early boot crashes
>> from init_constructors():
>>
>>      (XEN) [   12.331193] Instruction Abort Trap. Syndrome=0xf
>>      (XEN) [   12.334253] Walking Hypervisor VA 0xa00003ce000 on CPU0 via TTBR 0x000000004352d000
>>      (XEN) [   12.338550] 0TH[0x014] = 0x4352cf7f
>>      (XEN) [   12.341823] 1ST[0x000] = 0x4352bf7f
>>      (XEN) [   12.345124] 2ND[0x001] = 0x40000043527f7f
>>      (XEN) [   12.347329] 3RD[0x1ce] = 0x400000433cef7f
>>      (XEN) [   12.351233] CPU0: Unexpected Trap: Instruction Abort
>>      (XEN) [   12.357643] ----[ Xen-4.21.1  arm64  debug=n gcov=y  Not tainted ]----
>>      (XEN) [   12.360243] CPU:    0
>>      (XEN) [   12.364098] PC:     00000a00003ce000 00000a00003ce000
>>      (XEN) [   12.375835] LR:     00000a00004802f8
>>      (XEN) [   12.378273] SP:     00000a00004c7e10
>>      (XEN) [   12.380492] CPSR:   0000000080000249 MODE:64-bit EL2h (Hypervisor, handler)
>>      (XEN) [   12.382785]      X0: 00000a00003ce000  X1: 0000000000000000  X2: 00000a0000410fa0
>>      (XEN) [   12.385176]      X3: 0000000000000000  X4: 0000000000000010  X5: 0000000000000001
>>      (XEN) [   12.387555]      X6: 00000a00004e5f40  X7: 00000a00004e5f38  X8: 0000000000000000
>>      (XEN) [   12.390027]      X9: 00000a00004e5f20 X10: 00000a00004e5f30 X11: 00000a00004e5f40
>>      (XEN) [   12.392510]     X12: 00000a0000439748 X13: 00000a0000406938 X14: 000000000000062e
>>      (XEN) [   12.394954]     X15: 00000a00004f3918 X16: 00000a00004c7bb5 X17: 00000000004c7bb5
>>      (XEN) [   12.397293]     X18: 0000000000000030 X19: 000000000000001d X20: 00000000000000a9
>>      (XEN) [   12.399803]     X21: 00000a00004c8008 X22: 00000a00003fa000 X23: 00000a00004e2000
>>      (XEN) [   12.402392]     X24: 00000a00003f9390 X25: 00000a00003fa000 X26: 00000a00003f4ca8
>>      (XEN) [   12.404798]     X27: 0000000000000002 X28: 00000a000057a9c0  FP: 00000000bedb6740
>>      (XEN) [   12.407110]
>>      (XEN) [   12.409442]   VTCR_EL2: 0000000080023558
>>      (XEN) [   12.411291]  VTTBR_EL2: 00000000bffc4000
>>      (XEN) [   12.412895]
>>      (XEN) [   12.414204]  SCTLR_EL2: 0000000030cd183d
>>      (XEN) [   12.415928]    HCR_EL2: 0000000000000039
>>      (XEN) [   12.417642]  TTBR0_EL2: 000000004352d000
>>      (XEN) [   12.419152]
>>      (XEN) [   12.420327]    ESR_EL2: 000000008600000f
>>      (XEN) [   12.422056]  HPFAR_EL2: 0000000000000000
>>      (XEN) [   12.423809]    FAR_EL2: 00000a00003ce000
>>      ...
>>      (XEN) [   12.485355] Xen call trace:
>>      (XEN) [   12.489080]    [<00000a00003ce000>] 00000a00003ce000 (PC)
>>      (XEN) [   12.512076]    [<00000a00004802f8>] init_constructors+0x38/0x50 (LR)
>>
>> Observed failing symbol:
>>      _sub_I_00100_0
>> called from:
>>      init_constructors()
>> The issue can be diagnosed by enabling linker orphan diagnostics or
>> generating a linker map:
>>      LDFLAGS += "--orphan-handling=warn"
>>      LDFLAGS += "-Map=xen.map"
>> and then inspecting orphaned executable sections such as:
>>      .text.startup
> 
> The x86 linker script does account for .text.startup in the .init
> section:
> 
>    DECL_SECTION(.init.text) {
> #endif
>         _sinittext = .;
>         *(.init.text)
>         *(.text.startup)
>         _einittext = .;
> 
> I think you just need to copy this to the arches that don't have it?
> 
> Thanks, Roger.
Hello Roger,

Yes, probably it could be done in this way.
I can prepare V2 and update the commit message.

Thanks,
Dmytro.
Re: [PATCH] coverage: place GCOV-generated .text.* sections in Xen text
Posted by Andrew Cooper 3 days, 10 hours ago 
On 26/05/2026 10:07 pm, Dmytro Prokopchuk1 wrote:
> GCOV instrumentation can emit executable input sections such as
> .text.startup and .text.exit when CONFIG_COVERAGE is enabled.
> At present the Xen linker scripts only collect .text.* into the
> main text output section when CONFIG_CC_SPLIT_SECTIONS is enabled.
>
> With CONFIG_COVERAGE=y and CONFIG_CC_SPLIT_SECTIONS=n, these executable
> sections may be placed as linker orphans outside the expected Xen text
> region. Constructors generated by coverage instrumentation can then point
> at code outside the normal RX text mapping, leading to early boot crashes
> from init_constructors():
>
>     (XEN) [   12.331193] Instruction Abort Trap. Syndrome=0xf
>     (XEN) [   12.334253] Walking Hypervisor VA 0xa00003ce000 on CPU0 via TTBR 0x000000004352d000
>     (XEN) [   12.338550] 0TH[0x014] = 0x4352cf7f
>     (XEN) [   12.341823] 1ST[0x000] = 0x4352bf7f
>     (XEN) [   12.345124] 2ND[0x001] = 0x40000043527f7f
>     (XEN) [   12.347329] 3RD[0x1ce] = 0x400000433cef7f
>     (XEN) [   12.351233] CPU0: Unexpected Trap: Instruction Abort
>     (XEN) [   12.357643] ----[ Xen-4.21.1  arm64  debug=n gcov=y  Not tainted ]----
>     (XEN) [   12.360243] CPU:    0
>     (XEN) [   12.364098] PC:     00000a00003ce000 00000a00003ce000
>     (XEN) [   12.375835] LR:     00000a00004802f8
>     (XEN) [   12.378273] SP:     00000a00004c7e10
>     (XEN) [   12.380492] CPSR:   0000000080000249 MODE:64-bit EL2h (Hypervisor, handler)
>     (XEN) [   12.382785]      X0: 00000a00003ce000  X1: 0000000000000000  X2: 00000a0000410fa0
>     (XEN) [   12.385176]      X3: 0000000000000000  X4: 0000000000000010  X5: 0000000000000001
>     (XEN) [   12.387555]      X6: 00000a00004e5f40  X7: 00000a00004e5f38  X8: 0000000000000000
>     (XEN) [   12.390027]      X9: 00000a00004e5f20 X10: 00000a00004e5f30 X11: 00000a00004e5f40
>     (XEN) [   12.392510]     X12: 00000a0000439748 X13: 00000a0000406938 X14: 000000000000062e
>     (XEN) [   12.394954]     X15: 00000a00004f3918 X16: 00000a00004c7bb5 X17: 00000000004c7bb5
>     (XEN) [   12.397293]     X18: 0000000000000030 X19: 000000000000001d X20: 00000000000000a9
>     (XEN) [   12.399803]     X21: 00000a00004c8008 X22: 00000a00003fa000 X23: 00000a00004e2000
>     (XEN) [   12.402392]     X24: 00000a00003f9390 X25: 00000a00003fa000 X26: 00000a00003f4ca8
>     (XEN) [   12.404798]     X27: 0000000000000002 X28: 00000a000057a9c0  FP: 00000000bedb6740
>     (XEN) [   12.407110]
>     (XEN) [   12.409442]   VTCR_EL2: 0000000080023558
>     (XEN) [   12.411291]  VTTBR_EL2: 00000000bffc4000
>     (XEN) [   12.412895]
>     (XEN) [   12.414204]  SCTLR_EL2: 0000000030cd183d
>     (XEN) [   12.415928]    HCR_EL2: 0000000000000039
>     (XEN) [   12.417642]  TTBR0_EL2: 000000004352d000
>     (XEN) [   12.419152]
>     (XEN) [   12.420327]    ESR_EL2: 000000008600000f
>     (XEN) [   12.422056]  HPFAR_EL2: 0000000000000000
>     (XEN) [   12.423809]    FAR_EL2: 00000a00003ce000
>     ...
>     (XEN) [   12.485355] Xen call trace:
>     (XEN) [   12.489080]    [<00000a00003ce000>] 00000a00003ce000 (PC)
>     (XEN) [   12.512076]    [<00000a00004802f8>] init_constructors+0x38/0x50 (LR)
>
> Observed failing symbol:
>     _sub_I_00100_0
> called from:
>     init_constructors()
> The issue can be diagnosed by enabling linker orphan diagnostics or
> generating a linker map:
>     LDFLAGS += "--orphan-handling=warn"
>     LDFLAGS += "-Map=xen.map"
> and then inspecting orphaned executable sections such as:
>     .text.startup
>
> Collect .text.* whenever either CONFIG_CC_SPLIT_SECTIONS or
> CONFIG_COVERAGE is enabled.
>
> Apply the same change for arm, x86, riscv and ppc.
>
> Signed-off-by: Dmytro Prokopchuk <dmytro_prokopchuk1@epam.com>

We already have --orphan-handling=warn.  We've talked about upgrading it
to =error several times because things like this keep on happening.

[edit] oh, we only have =warn on x86.  That explains why you didn't see
it on ARM.

The patch is perhaps ok at this juncture in 4.22, but see how x86
already suffers from the bug described by Linux's TEXT_SECTION to do
with matching .text.startup, and the absence of .text.startup in other
architectures means that the constructors (which should be going in
.init) are being orphaned and outside of init in all the other
architectures.

I think we need to borrow Linux's workaround for this issue (which
solves your orphaned section), and gather .text.startup properly in the
non-x86 architectures, then organise =error everywhere and let
randconfig loose on it.

~Andrew

Patchew 2.1-devel-ea86937

© 2016 - 2026 Red Hat, Inc.