Process - (Core|Memory|System) dump
Table of Contents
1 - About
A core dumps is the content of the working memory of a process at a specific time, generally when:
- the process has crashed
- or otherwise terminated abnormally.
2 - Articles Related
3 - Format
A core dump represents the complete contents of the dumped regions of the address space of the dumped process.
Memory dump can be printed as
- octal or hexadecimal numbers (a “hex dump”)
- machine language instructions. The interpretation of the octal or hexadecimal numbers
Modern operating systems typically generate a file containing an image of the memory belonging to the crashed process, or the memory images of parts of the address space related to that process, along with other information such as:
- the values of processor registers,
- program counter,
- stack pointer
- memory management information
- system flags
- and other processor and operating system information.
These files can be viewed as text, printed, or analysed with specialised tools such as:
- elfdump, objdump and kdump on Linux systems.
- WinDbg on Windows
4 - Storage Location
In Linux the core dump file generated after an application has crashed is stored in the directory from where the application was run.
To place the core dump files in another location, the “kernel.core_pattern” variable in the /etc/sysctl.conf file is used. The current value of this variable can be checked by running this command as root:
sysctl -a | grep core_pattern
The output should be similar to this:
kernel.core_pattern = core # You may also see this output: kernel.core_pattern = | /usr/libexec/abrt-hook-ccpp %s %c %p %u %g %t e
- abrt is the Automatic Bug Reporting Tool (ABRT). The daemon is running. ABRT will dynamically overwrite the destination of core files to /var/spool/abrt/.
The value can be manually reset using the
sysctl -p command.
5 - Generating a stack trace
cd /path/to/core/file gdb path_to_executable
6 - Determining which executable produced the core file
The command to accomplish this is:
file <core file name>