
relationship between virtual memory and core dump

I have an executable file, and a gcore.

I created a core dump file with gcore.

Now, I would like to map the virtual address of the executable file to the core dump.

I know that the core dump is a memory dump of an executable file. If I would like to analyze a virtual address from the core dump, can I assume that the virtual address 0x0000 equals offset 0x0000 of the core dump?

John Doyle asked Oct 20 '22 03:10


1 Answer

I know that the core dump is a memory dump of an executable file,

No. A core dump in gdb (gcore indicates you're using this) is usually in ELF format, so there's an extensive header defining what maps to what.

I'm not quite sure how much use GDB/Linux makes of address space mangling when dumping cores, but you cannot assume file offset x will map to memory offset x -- because the virtual address space can span a huge address space, of which it only uses a few pages. (e.g. a 64-bit process can have a virtual address space that's much much bigger than your hard drive, whilst it might only have actually reserved memory that's far smaller, and even of that, not all pages need actually be allocated).

However, GDB can read these headers and if you ask it to print things (e.g. using the print or x command), it will give you the right thing.

If you want to read a core dump file, the right thing to do hence is to use GDB's capabilities to do so. Luckily, there's libgdb, which does exactly that for your C/C++ application. It basically lets you talk with GDB as if you were a user sitting in front of the gdb shell. Hence, figure out how to do what you want in GDB, and then use libgdb to do it programmatically.

If you want to do it low-level (don't do that, it's a hassle, and GDB is really what you want to use, actually) you can directly use the Binary File Descriptor Library to parse and represent the core dump. It's an essential part of GDB, and it'll be hard to get it to run with your own C++ program without re-implementing a lot of GDB routines.

Marcus Müller answered Oct 21 '22 22:10
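
An added example, not part of the answer above: the header the answer refers to is the ELF program header table, and each PT_LOAD entry records which virtual address range is stored at which file offset. The sketch below assumes a 64-bit little-endian core; the function names are hypothetical and the sample core is constructed in code so it runs without a real dump.

```python
import struct

PT_LOAD, ET_CORE, PN_XNUM = 1, 4, 0xFFFF
PHDR = "<IIQQQQQQ"  # Elf64_Phdr: type, flags, offset, vaddr, paddr, filesz, memsz, align

def load_segments(core):
    """Return (vaddr, file_offset, filesz, memsz) per PT_LOAD of a 64-bit LE ELF core."""
    if core[:4] != b"\x7fELF" or core[4] != 2 or core[5] != 1:
        raise ValueError("not a 64-bit little-endian ELF file")
    (e_type,) = struct.unpack_from("<H", core, 16)
    if e_type != ET_CORE:
        raise ValueError("ELF file is not a core dump")
    (e_phoff,) = struct.unpack_from("<Q", core, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", core, 54)
    if e_phnum == PN_XNUM:  # real count lives in section header 0; not handled here
        raise ValueError("extended program header count not supported")
    segs = []
    for i in range(e_phnum):
        p_type, _, p_offset, p_vaddr, _, p_filesz, p_memsz, _ = struct.unpack_from(
            PHDR, core, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            segs.append((p_vaddr, p_offset, p_filesz, p_memsz))
    return segs

def vaddr_to_offset(core, vaddr):
    """File offset holding vaddr, or None if unmapped or mapped but not dumped."""
    for p_vaddr, p_offset, p_filesz, _memsz in load_segments(core):
        # Only the first p_filesz bytes of a segment exist in the file.
        if p_vaddr <= vaddr < p_vaddr + p_filesz:
            return p_offset + (vaddr - p_vaddr)
    return None

def build_sample_core():
    """Constructed core: one dumped segment, one mapped segment with no file data."""
    ehdr = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", ET_CORE, 62, 1, 0, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    dumped = struct.pack(PHDR, PT_LOAD, 6, 0x200, 0x7F0000001000, 0, 0x100, 0x100, 0x1000)
    skipped = struct.pack(PHDR, PT_LOAD, 4, 0x300, 0x400000, 0, 0, 0x1000, 0x1000)
    payload = b"constructed-bytes".ljust(0x100, b"\0")
    return (ehdr + dumped + skipped).ljust(0x200, b"\0") + payload

if __name__ == "__main__":
    core = build_sample_core()
    for addr in (0x7F0000001010, 0x400000, 0x0):
        off = vaddr_to_offset(core, addr)
        print(hex(addr), "->", "not in file" if off is None else hex(off))
```

On a real gcore file, `readelf -l` prints the same program header table, which is a quick way to cross-check the offsets this returns.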