CORE(5) File Formats and Configurations CORE(5)
NAME
core - process core file
DESCRIPTION
The operating system writes out a core file for a process when the process
is terminated due to receiving certain signals. A core file is a disk copy
of the contents of the process address space at the time the process
received the signal, along with additional information about the state of
the process. This information can be consumed by a debugger. Core files
can also be generated by applying the
gcore(1) utility to a running
process.
Typically, core files are produced following abnormal termination of a
process resulting from a bug in the corresponding application. Whatever
the cause, the core file itself provides invaluable information to the
programmer or support engineer to aid in diagnosing the problem. The core
file can be inspected using a debugger such as
mdb(1), gdb, dbx, or or by
applying one of the
proc(1) tools.
The operating system attempts to create up to two core files for each
abnormally terminating process, using a global core file name pattern and a
per-process core file name pattern. These patterns are expanded to
determine the pathname of the resulting core files, and can be configured
by
coreadm(8). By default, the global core file pattern is disabled and
not used, and the per-process core file pattern is set to
core. Therefore,
by default, the operating system attempts to create a core file named
core in the process's current working directory.
A process terminates and produces a core file whenever it receives one of
the signals whose default disposition is to cause a core dump or the
upanic(2) system call is used. The list of signals that result in
generating a core file is shown in
signal.h(3HEAD). Therefore, a process
might not produce a core file if it has blocked or modified the behavior of
the corresponding signal. Additionally, no core dump can be created under
the following conditions:
+o If normal file and directory access permissions prevent the creation or
modification of the per-process core file pathname by the current
process user and group ID. This test does not apply to the global core
file pathname because, regardless of the UID of the process dumping
core, the attempt to write the global core file is made as the
superuser.
+o Core files owned by the user
nobody will not be produced. For example,
core files generated for the superuser on an NFS directory are owned by
nobody and are, therefore, not written.
+o If the core file pattern expands to a pathname that contains
intermediate directory components that do not exist. For example, if
the global pattern is set to
/var/core/%n/core.%p, and no directory
/var/core/`uname -n` has been created, no global core files are
produced.
+o If the destination directory is part of a filesystem that is mounted
read-only.
+o If the resource limit RLIMIT_CORE has been set to
0 for the process, no
per-process core file is produced. Refer to
setrlimit(2) and
ulimit(1) for more information on resource limits.
+o If the core file name already exists in the destination directory and
is not a regular file (that is, is a symlink, block or character
special-file, and so forth).
+o If the kernel cannot open the destination file O_EXCL, which can occur
if same file is being created by another process simultaneously.
+o If the process's effective user ID is different from its real user ID
or if its effective group ID is different from its real group ID.
Similarly, set-user-ID and set-group-ID programs do not produce core
files as this could potentially compromise system security. These
processes can be explicitly granted permission to produce core files
using
coreadm(8), at the risk of exposing secure information.
The core file contains all the process information pertinent to debugging:
contents of hardware registers, process status, and process data. The
format of a core file is object file specific.
For ELF executable programs (see
a.out(5)), the core file generated is also
an ELF file, containing ELF program and file headers. The
e_type field in
the file header has type ET_CORE. The program header contains an entry for
every segment that was part of the process address space, including shared
library segments. The contents of the mappings specified by
coreadm(8) are
also part of the core image. Each program header has its
p_memsz field set
to the size of the mapping. The program headers that represent mappings
whose data is included in the core file have their
p_filesz field set the
same as
p_memsz, otherwise
p_filesz is
zero.
A mapping's data can be excluded due to the core file content settings (see
coreadm(8)), due to a failure, or due to a signal received after core dump
initiation but before its completion. If the data is excluded because of a
failure, the program header entry will have the PF_SUNW_FAILURE flag set in
its
p_flags field; if the data is excluded because of a signal, the
segment's
p_flags field will have the PF_SUNW_KILLED flag set.
The program headers of an
ELF core file also contain entries for two
NOTE segments, each containing several note entries as described below. The
note entry header and core file note type (
n_type) definitions are
contained in <
sys/elf.h>. The first
NOTE segment exists for binary
compatibility with old programs that deal with core files. It contains
structures defined in <
sys/old_procfs.h>. New programs should recognize
and skip this
NOTE segment, advancing instead to the new
NOTE segment. The
old
NOTE segment is deleted from core files in a future release.
The old
NOTE segment contains the following entries. Each has entry name
CORE and presents the contents of a system structure:
prpsinfo_t n_type: NT_PRPSINFO. This entry contains information of
interest to the
ps(1) command, such as process status, CPU
usage, nice value, controlling terminal, user-ID, process-ID,
the name of the executable, and so forth. The
prpsinfo_t structure is defined in <
sys/old_procfs.h>.
char[] n_type: NT_PLATFORM. This entry contains a string describing
the specific model of the hardware platform on which this core
file was created. This information is the same as provided by
sysinfo(2) when invoked with the command SI_PLATFORM.
auxv_t[] n_type: NT_AUXV. This entry contains the array of
Bauxv_t structures that was passed by the operating system as startup
information to the dynamic linker. Auxiliary vector
information is defined in <
sys/auxv.h>.
Following these entries, for each active (non-zombie) light-weight process
(LWP) in the process, the old
NOTE segment contains an entry with a
prstatus_t structure, plus other optionally-present entries describing the
LWP, as follows:
prstatus_t n_type: NT_PRSTATUS. This structure contains things of
interest to a debugger from the operating system, such as the
general registers, signal dispositions, state, reason for
stopping, process-ID, and so forth. The
prstatus_t structure
is defined in <
sys/old_procfs.h>.
prfpregset_t n_type: NT_PRFPREG. This entry is present only if the
LWP used the floating-point hardware. It contains the floating-
point registers. The
prfpregset_t structure is defined in
<
sys/procfs_isa.h>.
gwindows_t n_type: NT_GWINDOWS. This entry is present only on a SPARC
machine and only if the system was unable to flush all of the
register windows to the stack. It contains all of the
unspilled register windows. The
gwindows_t structure is
defined in <
sys/regset.h>.
prxregset_t n_type: NT_PRXREG. This entry is no longer included in core
files, but is of historical note because in the past it was
included on SPARC-based systems. While since then the
prxregset_t and extended register sets have been defined on
other architectures, they do not emit this in the old note
section because there is no binary compatibility.
The new
NOTE segment contains the following entries. Each has entry name
CORE and presents the contents of a system structure:
psinfo_t n_type: NT_PSINFO. This structure contains information of
interest to the
ps(1) command, such as process status, CPU
usage, nice value, controlling terminal, user-ID, process-ID,
the name of the executable, and so forth. The
psinfo_t structure is defined in <
sys/procfs.h>
pstatus_t n_type: NT_PSTATUS. This structure contains things of
interest to a debugger from the operating system, such as
pending signals, state, process-ID, and so forth. The
pstatus_t structure is defined in <
sys/procfs.h>.
char[] n_type: NT_PLATFORM. This entry contains a string describing
the specific model of the hardware platform on which this core
file was created. This information is the same as provided by
sysinfo(2) when invoked with the command SI_PLATFORM.
auxv_t[]
n_type: NT_AUXV. This entry contains the array of
auxv_t structures that was passed by the operating system as startup
information to the dynamic linker. Auxiliary vector
information is defined in <
sys/auxv.h>.
struct utsname n_type: NT_UTSNAME. This structure contains the system
information that would have been returned to the process if it
had performed a
uname(2) system call prior to dumping core.
The
utsname structure is defined in <
sys/utsname.h>.
pcred_t
n_type: NT_PRCRED. This structure contains the process
credentials, including the real, saved, and effective user and
group IDs. The
pcred_t structure is defined in
<
sys/procfs.h>. Following the structure is an optional array
of supplementary group IDs. The total number of supplementary
group IDs is given by the
pr_ngroups member of the
pcred_t structure, and the structure includes space for one
supplementary group. If
pr_ngroups is greater than 1, there
is `
pr_ngroups - 1'
gid_t items following the structure;
otherwise, there is no additional data.
char[] n_type: NT_ZONENAME. This entry contains a string which
describes the name of the zone in which the process was
running. See
zones(7). The information is the same as
provided by
getzonenamebyid(3C) when invoked with the
numerical ID returned by
getzoneid(3C).
prfdinfo_core_t n_type: NT_FDINFO. This structure contains information about
any open file descriptors, including the path, flags, and
stat(2) information. The
prfdinfo_core_t structure is defined
in <
sys/procfs.h>.
struct ssd[] n_type: NT_LDT. This entry is present only on an 32-bit x86
machine and only if the process has set up a Local Descriptor
Table (LDT). It contains an array of structures of type
struct ssd, each of which was typically used to set up the
%gs segment register to be used to fetch the address of the
current thread information structure in a multithreaded
process. The
ssd structure is defined in <
sys/sysi86.h>.
core_content_t n_type: NT_CONTENT. This optional entry indicates which parts
of the process image are specified to be included in the core
file. See
coreadm(8).
prsecflags_t n_type: NT_SECFLAGS. This entry contains the process
security-flags, see
security-flags(7),
proc(5), and
psecflags(1) for more information.
prupanic_t n_type: NT_UPANIC. This entry is included if a process
terminated through the
upanic(2) system call. It is defined
in <
sys/procfs.h>.
The
pru_version member indicates the current revision of the
structure, which is expected to be PRUPANIC_VERSION_1 (1).
The
pru_flags member will be set to the bitwise-inclusive-OR
of the following fields:
PRUPANIC_FLAG_MSG_VALID Indicates that
pru_data member
has valid contents and that the
process provided a message in
the
upanic(2) call .
PRUPANIC_FLAG_MSG_ERROR Indicates that the calling
process attempted to include a
message; however, the provided
address of the message did not
point to valid memory.
PRUPANIC_FLAG_MSG_TRUNC Indicates that the calling
process included a message;
however, the message it wanted
to provide was larger than the
current message length.
The
pru_data array contains binary data that the terminating
process used to indicate that the reason why it panicked.
This member should be ignored if the PRUPANIC_FLAG_MSG_VALID
flag is not set in
pru_flags. While it is recommended that
processes terminate with an ASCII string, consumers of this
should not assume that the binary data is made of of printable
characters.
For each active and zombie
LWP in the process, the new
NOTE segment
contains an entry with an
lwpsinfo_t structure plus, for a non-zombie LWP,
an entry with an
lwpstatus_t structure, plus other optionally-present
entries describing the LWP, as follows. A zombie LWP is a non-detached LWP
that has terminated but has not yet been reaped by another LWP in the same
process.
lwpsinfo_t n_type: NT_LWPSINFO. This structure contains information of
interest to the
ps(1) command, such as LWP status, CPU usage,
nice value, LWP-ID, and so forth. The
lwpsinfo_t structure is
defined in <
sys/procfs.h>. This is the only entry present for
a zombie LWP.
lwpstatus_t
n_type: NT_LWPSTATUS. This structure contains things of
interest to a debugger from the operating system, such as the
general registers, the floating point registers, state, reason
for stopping, LWP-ID, and so forth. The
lwpstatus_t structure
is defined in <
sys/procfs.h>.
gwindows_t n_type: NT_GWINDOWS.
This entry is present only on a SPARC machine and only if the
system was unable to flush all of the register windows to the
stack. It contains all of the unspilled register windows.
The
gwindows_t structure is defined in <
sys/regset.h>.
prxregset_t n_type: NT_PRXREG. This entry is present only if the machine
has extra register state associated with it. It contains the
extra register state. The
prxregset_t structure is defined in
<
sys/procfs_isa.h>; however applications should include
<
procfs.h> to get access to it. On most architectures the
prxregset_t is opaque and of variable size.
proc(5) discusses
the structure of the extended register set for each supported
architecture.
asrset_t asrset_t n_type: NT_ASRS. This entry is present only on a
SPARC V9 machine and only if the process is a 64-bit process.
It contains the ancillary state registers for the LWP. The
asrset_t asrset_t structure is defined in <
sys/regset.h>.
psinfo_t n_type: NT_SPYMASTER. This entry is present only for an agent
LWP and contains the
psinfo_t of the process that created the
agent LWP. See the
proc(5) description of the
spymaster entry
for more details.
Depending on the
coreadm(8) settings, the section header of an ELF core
file can contain entries for CTF, DWARF debug information, symbol table,
and string table sections. The
sh_addr fields are set to the base address
of the first mapping of the load object that they came from to. This can
be used to match those sections with the corresponding load object.
The size of the core file created by a process can be controlled by the
user (see
getrlimit(2))
SEE ALSO
elfdump(1),
gcore(1),
mdb(1),
proc(1),
ps(1),
getrlimit(2),
setrlimit(2),
setuid(2),
sysinfo(2),
uname(2),
upanic(2),
getzoneid(3C),
getzonenamebyid(3C),
elf(3ELF),
signal.h(3HEAD),
a.out(5),
proc(5),
security-flags(7),
zones(7),
coreadm(8)illumos January 24, 2023 illumos