14

What is a core dump file in linux? What all information does it provide?

ks1322
  • 33,961
  • 14
  • 109
  • 164
Jay
  • 24,173
  • 25
  • 93
  • 141
  • link for info code dump files http://linux.die.net/man/5/core – sush Mar 16 '11 at 05:52
  • 1
    Can't you read http://en.wikipedia.org/wiki/Core_dump? – Gabe Mar 16 '11 at 06:04
  • 5
    @Gabe - Maybe they can, but [so what?](http://meta.stackexchange.com/questions/5280/embrace-the-non-googlers). – detly Mar 16 '11 at 06:37
  • @detly Just because something was posted to MetaSO doesn't mean it's right. In fact it's very much wrong, for two reasons: 1) If SO *were* the ultimate source for all programming questionsanswers, then instead of looking things up at google, one would look them up at SO. *Asking*, rather than looking up, is a much more time-consuming and much less effective way of getting information. 2) SO is *not* the ultimate source of all programming information, will never be that source, and the whole idea of a _single_ source for such information is stupid. – Jim Balter Mar 16 '11 at 07:01
  • Also, SO is a great way of answering _specific_ questions, but Wikipedia is a far better mechanism for _general information_ because it is editable by a large community operating on a consensus basis. Wikipedia has mature mechanisms for information presentation that SO can't touch. – Jim Balter Mar 16 '11 at 07:04
  • @detly: Have you seen http://blog.stackoverflow.com/2011/02/are-some-questions-too-simple/? The link I posted is the first thing that comes up when I search for "core dump"; the link sushanth posted is the first result for "linux core dunp". – Gabe Mar 16 '11 at 07:14
  • 3
    @Jim Balter, @Gabe - fair enough, I had not seen that and stand corrected. Nonetheless, compare @paxdiablo's answer — simple, coherent, targeted, and containing an example — to the Wikipedia entry: more than half of the "Uses..." section is overly general or applies to archaic technology, it's mixed in with history and formatting, and there's a grand total of three sentences that specifically address the actual question here (core dumps on Linux). The answer here is a better starting point than either of the external links provided above. – detly Mar 16 '11 at 07:36
  • @detly There's also http://stackoverflow.com/questions/775872/why-core-dump-file-is-generated (among others) -- the accepted answer gives the link that @Gabe gave. By rights this question should have been closed as a duplicate. – Jim Balter Mar 16 '11 at 07:51
  • @Jim Balter - sure, I don't want to start (or continue) a flame war. I just think that what we think of as canonical sources might actually be bad or useless explanations. (I mean, this is a really poorly asked question, and could have been closed on that basis too.) – detly Mar 16 '11 at 08:31
  • @detly Lots of things "might" be, but that's neither nor there. The Wikipedia link has been offered in quite a few SO answers about core files; if it is flawed, feel free to improve it. The worst thing to do is engage in tribalism, which is what that "ultimate source" nonsense from Jonathan Sampson does. All the things he says "isn't happening elsewhere" happen at Wikipedia. Each site has its role and its value. – Jim Balter Mar 16 '11 at 08:47

2 Answers2

15

It's basically the process address space in use (from the mm_struct structure which contains all the virtual memory areas), and any other supporting information*a, at the time it crashed.

For example, let's say you try to dereference a NULL pointer and receive a SEGV signal, causing you to exit. As part of that process, the operating system tries to write your information to a file for later post-mortem analysis.

You can load the core file into a debugger along with the executable file (for symbols and other debugging information, for example) and poke around to try and discover what caused the problem.

*a: in kernel version 2.6.38, fs/exec.c/do_coredump() is the one responsible for core dumps and you can see that it's passed the signal number, exit code and registers. It in turn passes the signal number and registers to a binary-format-specific (ELF, a.out, etc) dumper.

The ELF dumper is fs/binfmt_elf.c/elf_core_dump() and you can see that it outputs non-memory-based information, like thread details, in fs/binfmt_elf.c/fill_note_info(), then returns to output the process space.

paxdiablo
  • 854,327
  • 234
  • 1,573
  • 1,953
  • Will global variable information be available in a core file? – Jay Mar 16 '11 at 06:05
  • 1
    @Jay: The variables themselves will be there since they're in the address space. Information on them (such as mapping names to locations) is not. This is something retrieved from the executable when loading into the debugger (assuming the executable was compiled with debug info). – paxdiablo Mar 16 '11 at 06:07
  • 1
    @Jay The values of local variables will be there as well, and how to access them is made known to the debugger through the symbol table in the executable, if the executable has a debugging symbol table, such as created by gcc -g. (For other compilers, check their documentation.) – Jim Balter Mar 16 '11 at 07:08
  • to me an _address space_ is a set of addresses. I think it would be more accurate to say that a core file is a dump of the _process memory_ at the time it crashed. – Ben Mar 16 '11 at 13:07
  • @Ben, clarified to state address space _in use._ – paxdiablo Mar 16 '11 at 13:35
2

If a program terminates abnormally, the status of the program at the point of abnormal termination should be recorded for further analysis. and this status is recorded in core dump file.

In a multiuser and multitasking environment, accessing resources which doesn't belong to you is not acceptable. If a process-A tries to access system resources which belongs to process-B, Its a violation. At this point of time, the operating system kills the process and stores the process status into a file. And this file is called core dump file. There are many reasons for core dump. I just explained one of the possibilities for core dump. Usually it will be because of SIGSEGV (segmentation fault) and SIGBUS(Bus error).

The core dump file contains details of where the abnormal termination happened, process stack, symbol table etc.

There are many tools available to debug the coredumps. gdb dbx objdump mdb

Compiler options are present to make the debugging process easier. while compilation giving these flags (-g usually) will result in leaving extra information in symbol table of object files, which helps debuggers (gdb/dbx) to easily access the symbols(symbolic references).

77H3jjuu
  • 346
  • 3
  • 10