What is a core file?

4. April 2012 22:16

 

If you have an application that crashes with a "segment fault" or other error error message like SIGBUS or SIGILL. There are an indication that a serious problem has occured inside the application that was running. eg a segment fault means that the application tried to access memory that is not allocated to that process. Or a sig ill is an illegal instruction and this occurs when a program jumps into random memory and the processor cannot understand the instruction at the current address that it is running at.

 

If the program didn't actually dump a core there can be a number of reasons for this. Typically because the ulimit value is set to 0. You can check this by running the command "ulimit -c" and it will show you the maximum size a core dump can be. You can set this to unliminted by using the command "ulimit -c unlimited" this will typically cause a core to be dumped. There are some other security releated reason why a core will not be dumped. An example is if an executable is marked suid it won't dump a core by default.

 

Many people always wonder what a core file is and a really simple way to explain it is that it contains the core memory of the application that crashed. Though it is in a format simalar the elf executable file format. This provides information about memory region and their contents. You can show the contents of a core file using the objdump utility.

 

eg the output of the command "objdump -x core" will show something like this.

 

 

core:     file format elf32-i386
core
architecture: i386, flags 0x00000000:

start address 0x00000000

Program Header:
    NOTE off    0x00000294 vaddr 0x00000000 paddr 0x00000000 align 2**0
         filesz 0x0000022c memsz 0x00000000 flags ---
    LOAD off    0x00001000 vaddr 0x08048000 paddr 0x00000000 align 2**12
         filesz 0x00001000 memsz 0x00001000 flags r-x
    LOAD off    0x00002000 vaddr 0x08049000 paddr 0x00000000 align 2**12
         filesz 0x00001000 memsz 0x00001000 flags rw-
    LOAD off    0x00003000 vaddr 0xb75f9000 paddr 0x00000000 align 2**12
         filesz 0x00002000 memsz 0x00002000 flags rw-
    LOAD off    0x00005000 vaddr 0xb75fb000 paddr 0x00000000 align 2**12
         filesz 0x00001000 memsz 0x00140000 flags r-x
    LOAD off    0x00006000 vaddr 0xb773b000 paddr 0x00000000 align 2**12
         filesz 0x00000000 memsz 0x00001000 flags ---
    LOAD off    0x00006000 vaddr 0xb773c000 paddr 0x00000000 align 2**12
         filesz 0x00002000 memsz 0x00002000 flags r--
    LOAD off    0x00008000 vaddr 0xb773e000 paddr 0x00000000 align 2**12
         filesz 0x00001000 memsz 0x00001000 flags rw-
    LOAD off    0x00009000 vaddr 0xb773f000 paddr 0x00000000 align 2**12
         filesz 0x00003000 memsz 0x00003000 flags rw-
    LOAD off    0x0000c000 vaddr 0xb7742000 paddr 0x00000000 align 2**12
         filesz 0x00001000 memsz 0x00015000 flags r-x
    LOAD off    0x0000d000 vaddr 0xb7757000 paddr 0x00000000 align 2**12
         filesz 0x00001000 memsz 0x00001000 flags r--
    LOAD off    0x0000e000 vaddr 0xb7758000 paddr 0x00000000 align 2**12
         filesz 0x00001000 memsz 0x00001000 flags rw-
    LOAD off    0x0000f000 vaddr 0xb7759000 paddr 0x00000000 align 2**12
         filesz 0x00002000 memsz 0x00002000 flags rw-
    LOAD off    0x00011000 vaddr 0xb7774000 paddr 0x00000000 align 2**12
         filesz 0x00002000 memsz 0x00002000 flags rw-
    LOAD off    0x00013000 vaddr 0xb7776000 paddr 0x00000000 align 2**12
         filesz 0x00001000 memsz 0x00001000 flags r-x
    LOAD off    0x00014000 vaddr 0xb7777000 paddr 0x00000000 align 2**12
         filesz 0x00001000 memsz 0x0001b000 flags r-x
    LOAD off    0x00015000 vaddr 0xb7792000 paddr 0x00000000 align 2**12
         filesz 0x00001000 memsz 0x00001000 flags r--
    LOAD off    0x00016000 vaddr 0xb7793000 paddr 0x00000000 align 2**12
         filesz 0x00001000 memsz 0x00001000 flags rw-
    LOAD off    0x00017000 vaddr 0xbfe74000 paddr 0x00000000 align 2**12
         filesz 0x00016000 memsz 0x00016000 flags rw-

Sections:
Idx Name          Size      VMA       LMA       File off  Algn
  0 note0         0000022c  00000000  00000000  00000294  2**0
                  CONTENTS, READONLY
  1 .reg/12315    00000044  00000000  00000000  000002f0  2**2
                  CONTENTS
  2 .reg          00000044  00000000  00000000  000002f0  2**2
                  CONTENTS
  3 .auxv         000000a0  00000000  00000000  000003dc  2**2
                  CONTENTS
  4 load1         00001000  08048000  00000000  00001000  2**12
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  5 load2         00001000  08049000  00000000  00002000  2**12
                  CONTENTS, ALLOC, LOAD
  6 load3         00002000  b75f9000  00000000  00003000  2**12
                  CONTENTS, ALLOC, LOAD
  7 load4a        00001000  b75fb000  00000000  00005000  2**12
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  8 load4b        00000000  b75fc000  00001000  00006000  2**12
                  ALLOC, READONLY, CODE
  9 load5         00000000  b773b000  00000000  00006000  2**12
                  ALLOC, READONLY
 10 load6         00002000  b773c000  00000000  00006000  2**12
                  CONTENTS, ALLOC, LOAD, READONLY
 11 load7         00001000  b773e000  00000000  00008000  2**12
                  CONTENTS, ALLOC, LOAD
 12 load8         00003000  b773f000  00000000  00009000  2**12
                  CONTENTS, ALLOC, LOAD
 13 load9a        00001000  b7742000  00000000  0000c000  2**12
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
 14 load9b        00000000  b7743000  00001000  0000d000  2**12
                  ALLOC, READONLY, CODE
 15 load10        00001000  b7757000  00000000  0000d000  2**12
                  CONTENTS, ALLOC, LOAD, READONLY
 16 load11        00001000  b7758000  00000000  0000e000  2**12
                  CONTENTS, ALLOC, LOAD
 17 load12        00002000  b7759000  00000000  0000f000  2**12
                  CONTENTS, ALLOC, LOAD
 18 load13        00002000  b7774000  00000000  00011000  2**12
                  CONTENTS, ALLOC, LOAD
 19 load14        00001000  b7776000  00000000  00013000  2**12
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
 20 load15a       00001000  b7777000  00000000  00014000  2**12
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
 21 load15b       00000000  b7778000  00001000  00015000  2**12
                  ALLOC, READONLY, CODE
 22 load16        00001000  b7792000  00000000  00015000  2**12
                  CONTENTS, ALLOC, LOAD, READONLY
 23 load17        00001000  b7793000  00000000  00016000  2**12
                  CONTENTS, ALLOC, LOAD
 24 load18        00016000  bfe74000  00000000  00017000  2**12
                  CONTENTS, ALLOC, LOAD
SYMBOL TABLE:
no symbols

 

 

The above information isn't really that useful but does provide a memory map with the permissions of the different regions of the application when it crashed. This can become useful later when debugging things. Like in C/C++ when things are declared "const" they are loaded into a read-only section of memory so any attempt to write to that area will fail and cause a "segment fault"

 

Something that is more usful is with the following command you can determine which application crashed by simply reading all the string for the executable and looking for the '_=' string.

 

cat core |strings |grep -E '^_='
_=./willcore.exe

 

You may also be interested in my next post which uses gdb to read a core file

E-mail Kick it! DZone it! del.icio.us Permalink


Cant Work today.

28. December 2011 18:20

I can't respond to any emails today. Something has crashed on my computer and the mouse is missing

E-mail Kick it! DZone it! del.icio.us Permalink