发表新帖
发表新帖

ELF core file format

后端 未结
关注
5 904
醉酒成梦
醉酒成梦 2020-12-31 04:51

Short of digging through GDB source, where can I find documentation about the format used to create core files?

The ELF specification leaves the core file format ope

相关标签:
5条回答
  • 闹比i
    2020-12-31 05:20

    A simpler solution to your problem may be to parse text from /proc/$pid/maps to determine what file a given virtual address maps to. You could then parse the corresponding file.

    Kenshoto's open source VDB (debugger) uses this approach, if you can read python it is a good example.

    0 讨论(0)
  • 醉梦人生
    2020-12-31 05:21

    A core dump is the in-memory image of the process when it crashed. It includes the program segments, the stack, the heap and other data. You'll still need the original program in order to make sense of the contents: the symbol tables and other data make the raw addresses and structures in the memory image meaningful.

    0 讨论(0)
  • 旧时难觅i
    2020-12-31 05:23

    The core dump file format is using the ELF format but is not described in the ELF standard. AFAIK, there is no authoritative reference on this.

    so how is the information about which file a segment corresponds to, stored in the core file?

    A lot of extra information is contained within the ELF notes. You can use readelf -n to see them.

    The CORE/NT_FILE note defines the association between memory address range and file (+ offset):

    Page size: 1
             Start                 End         Page Offset
0x0000000000400000  0x000000000049d000  0x0000000000000000
    /usr/bin/xchat
0x000000000069c000  0x00000000006a0000  0x000000000009c000
    /usr/bin/xchat
0x00007f2490885000  0x00007f24908a1000  0x0000000000000000
    /usr/share/icons/gnome/icon-theme.cache
0x00007f24908a1000  0x00007f24908bd000  0x0000000000000000
    /usr/share/icons/gnome/icon-theme.cache
0x00007f24908bd000  0x00007f2490eb0000  0x0000000000000000
    /usr/share/fonts/opentype/ipafont-gothic/ipag.ttf
[...]

    For each thread, you should have a CORE/NT_PRSTATUS note which gives you the registers of the thread (including the stack pointer). You might be able to infer the position of the stacks from this.

    More information about format of ELF core files:

    • Anatomy of an ELF core file (disclaimer: I wrote this one)

    • A brief look into core dumps

    0 讨论(0)
  • 生来不讨喜
    2020-12-31 05:36

    Additional information about the process that generated the core file is stored in an ELF note section, albeit in an operating system specific manner. For example, see the core(5) manual page for NetBSD.

    0 讨论(0)
  • -上瘾入骨i
    2020-12-31 05:39

    Not so much gdb as the bfd library used by gdb, binutils, etc.

    0 讨论(0)
 看不清?
提交回复
热议问题