How can I figure out the program that caused core dump?

Question

I'm on Mac OS X 10.10.

I notice that my hard-disk is filling up because every few minutes a new core dump file appears in /cores:

$ ls -alhtr /cores
total 3551488
-rw-r--r--@  1 saqib  admin   6.0K Apr 24 12:38 .DS_Store
drwxr-xr-x  32 root   admin   1.1K Aug  1 17:00 ../
-r--------   1 saqib  admin   578M Aug  1 22:36 core.35049
-r--------   1 saqib  admin   578M Aug  1 22:37 core.35202
drwxrwxr-t@  6 root   admin   204B Aug  1 22:38 ./
-r--------   1 saqib  admin   578M Aug  1 22:38 core.35438

But I have no clue which processes are creating these core files. The numbers in the file names are supposed to represent the PIDs of the processes that created them. But of course those processes are now dead. So how can I figure out which process is creating these cores so that I can fix/remove it?

EDIT 1

Doing gdb -c on the core file doesn't give me the information I need:

$ gdb -c /cores/core.35438
GNU gdb (GDB) 7.8.1
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-apple-darwin14.0.0".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word".
"/cores/core.35438": no core file handler recognizes format
(gdb)

EDIT 2

file doesn't seem to work either:

$ file /cores/core.35049
/cores/core.35049: Mach-O core i386

EDIT 3

I opened the core file using an application called MachOView. You can see the screenshot of what it showed me. I still couldn't figure out which app created this core file.

Answer 1

Run the Console utility, found in /Applications/Utilities. Look under DIAGNOSTIC AND USAGE INFORMATION for User Diagnostic Reports and System Diagnostic Reports. There should be an entry for each recent crash, with the name of the program, date, time, and host name. You can click on each of these for additional information.

You can also just access the diagnostic reports directly in the file system. User Diagnostic Reports are in ~/Library/Logs/DiagnosticReports/ and System Diagnostic Reports are in /Library/Logs/DiagnosticReports/.

Answer 2

If the system have a gdb installed, you can use gdb -c .. command:

gdb -c core.35049

You will get the output like follow:

GNU gdb (Ubuntu 7.9-1ubuntu1) 7.9
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word".
[New LWP 2905]
Core was generated by `./a.out'.
Program terminated with signal SIGSEGV, Segmentation fault.

By reading that, you will see the core was generated by a.out program.

UPDATE

Using file, you can also get similar information:

$ file core
core: ELF 64-bit LSB core file x86-64, version 1 (SYSV), SVR4-style, from './a.out'