feat(release): ship a DWARF debug companion for prod kernels #24
kalyazin wants to merge 2 commits into
So a customer sandbox's guest kernel can be debugged with full source-level symbols, prod kernels now build with DWARF and publish a vmlinux.debug companion alongside the boot image (forward-only). Enabling DWARF is code-neutral — confirmed via olddefconfig: only debug-info options change, no codegen impact — so the boot image's loadable segments are unchanged.

- configs/x86_64/6.1.158.config: enable CONFIG_DEBUG_INFO_DWARF5 (KASLR and the rest unchanged).
- build.sh: for x86_64 builds carrying DWARF, split into a lean boot image (objcopy --strip-debug -> vmlinux.bin, loadable + symtab) and a vmlinux.debug companion (objcopy --only-keep-debug); non-DWARF/arm64 builds unchanged. Declare binutils explicitly in install_dependencies (objcopy/readelf are used by the split; previously only pulled in transitively via gcc).
- release.yml / upload-release-to-gcs.sh: attach and upload vmlinux.debug companions to the parallel GCS path; the boot vmlinux.bin path is unchanged.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Nikita Kalyazin <nikita.kalyazin@e2b.dev>
PR Summary
Medium Risk
Overview
Release and GCS upload now include *.debug assets beside existing *.bin paths. verify-dwarf-code-neutral.sh and check-loadable-sections.sh double-build each DWARF config (DWARF on/off, pinned metadata, IKCONFIG off for compare) and require byte-identical executable sections. That check runs on PRs via verify-dwarf-neutral.yml and blocks publish on manual release via verify-dwarf in release.yml, auto-discovering any x86_64 config with DWARF5.
Reviewed by Cursor Bugbot for commit 6a2adb9. Bugbot is set up for automated code reviews on this repo.
549a69e to 5d719e9
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit 5d719e9.
Guard that enabling DWARF does not change the kernel's machine code: scripts/verify-dwarf-code-neutral.sh builds a version both WITH (the committed config) and WITHOUT DWARF and asserts their executable sections (.text and friends) are byte-identical, via check-loadable-sections.sh.

It compares the executable code, not the whole loadable image, because the non-code loadable data legitimately differs between two independent builds: the GNU build-id (a hash that also covers the differing .debug_*) and the .version build counter (the "#N" in linux_banner). Both builds also disable CONFIG_IKCONFIG, so the embedded /proc/config.gz blob (whose gzip size depends on the config text, which differs by the debug-info lines) does not shift .init.data and the addresses that .init.text references.

With no version argument the script discovers every x86_64 config that enables CONFIG_DEBUG_INFO_DWARF5.

Run two ways:
- verify-dwarf-neutral.yml: PRs touching the kernel build inputs, plus manual dispatch (optional version override).
- release.yml: a verify-dwarf job that publish (and thus deploy) depends on, so a non-code-neutral kernel is never released.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Nikita Kalyazin <nikita.kalyazin@e2b.dev>
5d719e9 to 6a2adb9

Why
Debug the prod guest kernel with source-level symbols (snapshot resume investigations)
without running a different kernel. So: keep building the exact prod kernel, also
publish its debug info, and prove adding DWARF doesn't change the running image.
What
- CONFIG_DEBUG_INFO_DWARF5 on configs/x86_64/6.1.158.config; build.sh splits the DWARF x86_64 build into a lean vmlinux.bin (objcopy --strip-debug, loadable segments + symtab) and a separate vmlinux.debug (--only-keep-debug). arm64 / non-DWARF builds unchanged. binutils added as an explicit dep.
- release.yml / upload-release-to-gcs.sh publish the .debug companion to a parallel GCS path; vmlinux.bin path/name unchanged (forward-only, never overwrites the boot kernel).
- verify-dwarf-code-neutral.sh builds each DWARF config twice (with/without DWARF, build metadata pinned) and asserts the boot image's loadable segments are byte-identical (check-loadable-sections.sh). With no arg it discovers every x86_64 config enabling DWARF — no hardcoded version. Wired as a verify-dwarf job that publish (→ deploy) depends on, so a non-neutral kernel can't be released; also runs on PRs via verify-dwarf-neutral.yml.
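
The comparison described in the second commit message and in the last item above (executable sections must match byte for byte, while build-id and debug sections may differ), as an added example that is not the PR's check-loadable-sections.sh. It assumes little-endian ELF64 files with an ordinary section count; the function names and the tiny sample images are constructed for illustration and are not real kernels.

```python
import struct

SHF_EXECINSTR, SHT_NOBITS = 0x4, 8
SHDR = "<IIQQQQIIQQ"  # Elf64_Shdr: name, type, flags, addr, offset, size, link, info, align, entsize

def exec_sections(elf: bytes) -> dict:
    """Return {name: bytes} for each executable section of a little-endian ELF64."""
    if elf[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a little-endian ELF64 file")
    (shoff,) = struct.unpack_from("<Q", elf, 0x28)                      # e_shoff
    shentsize, shnum, shstrndx = struct.unpack_from("<HHH", elf, 0x3A)  # e_shentsize..e_shstrndx
    hdrs = [struct.unpack_from(SHDR, elf, shoff + i * shentsize) for i in range(shnum)]
    stroff, strsize = hdrs[shstrndx][4:6]
    strtab = elf[stroff:stroff + strsize]
    out = {}
    for name, typ, flags, _addr, off, size, *_ in hdrs:
        if flags & SHF_EXECINSTR and typ != SHT_NOBITS:
            out[strtab[name:strtab.index(b"\0", name)].decode()] = elf[off:off + size]
    return out

def differing_code(a: bytes, b: bytes) -> list:
    """Executable sections that differ or exist in only one build; [] means code-neutral."""
    sa, sb = exec_sections(a), exec_sections(b)
    return sorted(n for n in sa.keys() | sb.keys() if sa.get(n) != sb.get(n))

def make_elf(sections) -> bytes:
    """Constructed sample input: a minimal ELF64 built from (name, flags, data) tuples."""
    names = [n for n, _, _ in sections] + [".shstrtab"]
    strtab = b"\0" + b"".join(n.encode() + b"\0" for n in names)
    body, hdrs, noff = b"", [bytes(64)], 1  # hdrs[0] is the mandatory null section header
    for (name, flags, data), typ in [(s, 1) for s in sections] + [((".shstrtab", 0, strtab), 3)]:
        hdrs.append(struct.pack(SHDR, noff, typ, flags, 0, 64 + len(body), len(data), 0, 0, 1, 0))
        noff, body = noff + len(name) + 1, body + data
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 2, 62, 1, 0, 0, 64 + len(body), 0, 64, 0, 0, 64, len(hdrs), len(hdrs) - 1)
    return ehdr + body + b"".join(hdrs)

# Constructed sample builds: same code, different build-id note, DWARF present in only one.
TEXT, INIT = b"\x55\x48\x89\xe5\xc3", b"\x0f\x0b\xc3"
WITH_DWARF = make_elf([(".text", 6, TEXT), (".init.text", 6, INIT),
                       (".notes", 2, b"build-id-A"), (".debug_info", 0, b"DWARF5...")])
NO_DWARF = make_elf([(".text", 6, TEXT), (".init.text", 6, INIT), (".notes", 2, b"build-id-B")])
PATCHED = make_elf([(".text", 6, TEXT[:-1] + b"\xcc"), (".init.text", 6, INIT),
                    (".notes", 2, b"build-id-B")])

if __name__ == "__main__":
    print("with vs without DWARF:", differing_code(WITH_DWARF, NO_DWARF) or "code-neutral")
    print("whole files equal:    ", WITH_DWARF == NO_DWARF)
    print("changed .text:        ", differing_code(NO_DWARF, PATCHED))
```

The first two sample images differ as whole files yet report no differing executable section, which is why a whole-image comparison would reject a build that is in fact code-neutral.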