Core dumps - What are they and how are they made?

A dive into what core dumps actually are and how they are made


This post is a follow on to a core dump post that Julia Evans published a couple of years ago.

If you are looking to get and process a core dump I would highly recommend to go and read her post.

What follows is more of a background on what a core dump is, how they are made in the operating system with references to the relevant parts of the Linux code.

What are core dumps?

Simply put core dumps are a snapshot of the state of a process.

Core dumps are one of the oldest forms of debugging. The name originates from a time when magnetic cores were the main implementation of Random Access Memory(RAM) and dumps were printed out onto paper.

Today core dumps are generated by travesing the memory of a process and outputting it to an Executable Linkable Format(ELF) so that it can be interogated further.

The layout of an core dump is defined as follows

ELF Layout
ELF Layout

  • ELF Header provides type and architecture information
  • Program header table defines the process layout for the system to prepare execution
  • .text is the definition of the program
  • .rodata is the read-only data for the program
  • .data stores the variables initialized by the user
  • Section header table presents extra information about the sections in the program

A much more detailed text description is available in this pdf.

A larger more detailed diagram is available below

How are they generated?

To understand this flow from an application developers point of view you need to recall that a when a process starts the operating system creates a wrapper around the application code to provide consistent management on top of the program. You don't have to explicitly handle the core dump in application code.

core dump process
core dump process

  1. Typically a kernel event occours and the kernel notifies the process of this event by signal.
  2. The process wrapper handles the signal usually through coredump action.
  3. In order to create the file the kernel traverses all the Virtual Memory Areas that belongs to the process and generates the contents to an ELF format.
  4. If the core_pattern starts with a | the ELF file is piped to a downstream process.
  5. Else the core is sent to a file

elf walkthrough

There is a lot going in this picture but if you are working with ELF files and need a desk reminder This is a great tool by Ange_Albertini.

ELF Walkthrough
ELF Walkthrough

Did you like it? Why don't you try also...

Bringing GitOps to Core Dump Management

An overview of creating a github issues from a core dump event.

Green on Red - Discovering Energy Efficient Containers with Tide on Appsody

While comparing Runtimes on OpenShift I made as personal discovery that I thought would be good to share.

Serverless Rust with Tide, Appsody and Knative

A step by step tutorial on to build and deploy a simple serverless app.