Core dumps - What are they and how are they made?

Introduction

This post is really an adjunct to a core dump post that Julia Evans published a couple of years ago.

If you are looking to get and process a core dump, I would highly recommend reading her post.

This post is more of a background on what a core dump is and how core dumps are made in the operating system, with references to the relevant parts of the Linux code.

What are core dumps?

Simply put, a core dump is a snapshot of the state of a process.

Core dumps are one of the oldest forms of debugging. The name originates from a time when magnetic cores were the main implementation of Random Access Memory (RAM) and dumps were printed out onto paper.

Today core dumps are generated by traversing the memory of a process and writing it out in the Executable and Linkable Format (ELF) so that it can be interrogated further.

The layout of a core dump is defined as follows:

  • ELF Header provides type and architecture information
  • Program header table defines the process layout for the system to prepare execution
  • .text is the definition of the program
  • .rodata is the read-only data for the program
  • .data stores the variables initialized by the user
  • Section header table presents extra information about the sections in the program

A much more detailed text description is available in this pdf.
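
As an added example (not code from the original post), the Python below reads the ELF header and program header table of a 64-bit little-endian image and reports whether it is a core file (`e_type` equal to `ET_CORE`), its architecture, and its segments. The sample bytes are constructed header-only data, and the names `parse_core` and `build_sample` are hypothetical.

```python
import struct

ET_CORE = 4                      # e_type value the ELF spec assigns to core files
PT_NAMES = {1: "PT_LOAD", 4: "PT_NOTE"}
MACHINES = {3: "x86", 62: "x86-64", 183: "aarch64"}
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, little-endian, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")           # Elf64_Phdr, little-endian, 56 bytes


def parse_core(data: bytes) -> dict:
    """Return type, architecture and segment summary of an ELF64 LE image."""
    if len(data) < EHDR.size or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only 64-bit little-endian ELF is handled here")
    (_, e_type, e_machine, _, _, e_phoff, _, _, _,
     e_phentsize, e_phnum, _, _, _) = EHDR.unpack_from(data)
    if e_phnum and e_phentsize != PHDR.size:
        raise ValueError("unexpected program header size")
    segments = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + PHDR.size > len(data):
            raise ValueError("program header table is truncated")
        p_type, p_flags, _, p_vaddr, _, p_filesz, p_memsz, _ = PHDR.unpack_from(data, off)
        segments.append({"type": PT_NAMES.get(p_type, hex(p_type)),
                         "vaddr": p_vaddr, "filesz": p_filesz, "memsz": p_memsz,
                         "flags": p_flags})
    return {"is_core": e_type == ET_CORE,
            "machine": MACHINES.get(e_machine, str(e_machine)),
            "segments": segments}


def build_sample() -> bytes:
    """Constructed header-only image: ET_CORE, x86-64, one PT_NOTE, one PT_LOAD."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr = EHDR.pack(ident, ET_CORE, 62, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, 2, 0, 0, 0)
    note = PHDR.pack(4, 0, 0, 0, 0, 0, 0, 0)
    load = PHDR.pack(1, 6, 0, 0x7FFDE000, 0, 0, 0x21000, 0x1000)
    return ehdr + note + load


if __name__ == "__main__":
    info = parse_core(build_sample())
    print(info["is_core"], info["machine"])
    for seg in info["segments"]:
        print(seg)
```

To inspect a real dump, pass the bytes of the core file to `parse_core` instead of the constructed sample.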

A larger, more detailed diagram is available below.

How are they generated?

To understand this flow from an application developer's point of view, you need to recall that when a process starts, the operating system creates a wrapper around the application code to provide consistent management whatever the actual program is doing. You don't have to explicitly handle the core dump in application code.

core dump process

  1. Typically a kernel event occurs and the kernel notifies the process of this event by a signal.
  2. The process wrapper handles the signal, usually through the coredump action.
  3. In order to create the file, the kernel traverses all the Virtual Memory Areas that belong to the process and writes their contents out in ELF format.
  4. If the core_pattern starts with a |, the ELF file is piped to a downstream process.
  5. Else the core is sent to a file.

elf walkthrough

There is a lot going on in this picture, but if you are working with ELF files and need a desk reminder, this is a great tool by Ange_Albertini.
