Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

ELF core file format

Tags:

gdb

coredump

elf

Short of digging through GDB source, where can I find documentation about the format used to create core files?

The ELF specification leaves the core file format open, so I guess this should be part of the GDB specifications! Sadly, I did not find any help in this regard from GNU's gdb documentation.

Here's what I am trying to do: Map virtual addresses to function names in executable/libraries that comprised the running process. To do that, I would first like to figure out, from the core file, the map from virtual address space to the name of the executable file/libraries, and then dig into the relevant file to get the symbolic information.

Now 'readelf -a core' tells me that nearly all the segments in the core file are of the type 'load' -- I'd guess these are the .text and .bss/.data segments from all the participating files, plus a stack segment. Barring these load segments, there is one note segment, but that does not seem to contain the map. So how is the information about which file a segment corresponds to, stored in the core file? Are those 'load' segments format in a particular way to include the file information?

like image 227
NoJunkNoNoise Avatar asked May 13 '11 01:05

NoJunkNoNoise

People also ask

What is an ELF core file?

ELF core 1 files provide information about the CPU state and the memory state of a program when the coredump has been generated. The memory state embeds a snapshot of all segments mapped in the memory space of the program. The CPU state contains register values when the core dump has been generated.

What is in an ELF file?

Each ELF file is made up of one ELF header, followed by file data. The data can include: Program header table, describing zero or more memory segments. Section header table, describing zero or more sections. Data referred to by entries in the program header table or section header table.

What is core file in Oracle?

Core files are generated when a process or application terminates abnormally. Core files are managed with the coreadm command. For example, you can use the coreadm command to configure a system so that all process core files are placed in a single system directory.

How do I read an ELF file?

you can use readelf and objdump to read parts of an elf file. You can also use 'hexdump filename' to get a hexdump of the contents of a binary file (this is likely only useful if you like reading machine code or you are writing an assembler).

3 Answers

The core dump file format is using the ELF format but is not described in the ELF standard. AFAIK, there is no authoritative reference on this.

so how is the information about which file a segment corresponds to, stored in the core file?

A lot of extra information is contained within the ELF notes. You can use readelf -n to see them.

The CORE/NT_FILE note defines the association between memory address range and file (+ offset):

Page size: 1
             Start                 End         Page Offset
0x0000000000400000  0x000000000049d000  0x0000000000000000
    /usr/bin/xchat
0x000000000069c000  0x00000000006a0000  0x000000000009c000
    /usr/bin/xchat
0x00007f2490885000  0x00007f24908a1000  0x0000000000000000
    /usr/share/icons/gnome/icon-theme.cache
0x00007f24908a1000  0x00007f24908bd000  0x0000000000000000
    /usr/share/icons/gnome/icon-theme.cache
0x00007f24908bd000  0x00007f2490eb0000  0x0000000000000000
    /usr/share/fonts/opentype/ipafont-gothic/ipag.ttf
[...]

For each thread, you should have a CORE/NT_PRSTATUS note which gives you the registers of the thread (including the stack pointer). You might be able to infer the position of the stacks from this.

More information about format of ELF core files:

  • Anatomy of an ELF core file (disclaimer: I wrote this one)

  • A brief look into core dumps

like image 194
ysdx Avatar answered Oct 20 '22 15:10

ysdx

A core dump is the in-memory image of the process when it crashed. It includes the program segments, the stack, the heap and other data. You'll still need the original program in order to make sense of the contents: the symbol tables and other data make the raw addresses and structures in the memory image meaningful.

like image 4
jmkeyes Avatar answered Oct 20 '22 14:10

jmkeyes

Additional information about the process that generated the core file is stored in an ELF note section, albeit in an operating system specific manner. For example, see the core(5) manual page for NetBSD.

like image 3
jkoshy Avatar answered Oct 20 '22 14:10

jkoshy
Sign in to Comment

Related questions

Xcode debug with iPhone app is slow and laggy
How to debug an R package (with C code) in Emacs using GDB?
Using [] operator with unordered_map in gdb give unresolved operator
is there a way to generate a gdb-readable coredump when running programs compiled with MinGW?
Why does GDB evaluate floating-point arithmetic differently from C++?
how to print std::map value in gdb
How do I examine the contents of an std::vector in gdb, using the icc compiler?
Stopping the debugger when a NaN floating point number is produced
How to tell GDB to flush the stdio of the program being debugged
LLDB - Evaluate Address In Register
Quit valgrind cleanly when debugging with gdb
Use gdb to call a printDebug method
How to use gdb python debugging extension inside virtualenv
In GDB on MinGW, how do I make Ctrl-C stop the program?
Can gdb be set to break on any throw? [duplicate]
How to get environment of a program while debugging it in GDB
What is needed to use gdb 7's support for debugging Python programs?
How to set default options for gdb?
Python extension debugging
Using less as gdb pager

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!