A core dumps is the content of the working memory of a process at a specific time, generally when:
- the process has crashed
- or otherwise terminated abnormally.
A core dump represents the complete contents of the dumped regions of the address space of the dumped process.
Modern operating systems typically generate a file containing an image of the memory belonging to the crashed process, or the memory images of parts of the address space related to that process, along with other information such as:
- the values of processor registers,
- program counter,
- stack pointer
- memory management information
- system flags
- and other processor and operating system information.
Memory dump can be printed as
- octal or hexadecimal numbers (a “hex dump”)
- machine language instructions. The interpretation of the octal or hexadecimal numbers
These files can be viewed as text, printed, or analysed tools such as:
- on Linux systems:
- and kdump .
In Linux the core dump file generated after an application has crashed is stored in the directory from where the application was run.
To place the core dump files in another location, the “kernel.core_pattern” variable in the /etc/sysctl.conf file is used. The current value of this variable can be checked by running this command as root:
sysctl -a | grep core_pattern
The output should be similar to this:
kernel.core_pattern = core
# You may also see this output:
kernel.core_pattern = | /usr/libexec/abrt-hook-ccpp %s %c %p %u %g %t e
- abrt is the Automatic Bug Reporting Tool (ABRT). The daemon is running. ABRT will dynamically overwrite the destination of core files to /var/spool/abrt/.
The value can be manually reset using the sysctl -p command.
Generating a stack trace
Determining which executable produced the core file
The command to accomplish this is:
file <core file name>