Core dump note section
<p>Following my question about <a href="https://stackoverflow.com/questions/17858728/manually-generate-elf-core-dump">manually generating a core dump file</a>, I decided to dive into it and get my hands dirty.</p>
<p>I am able to build the basic core dump structure and get my dead program's memory back into the core dump within a big LOAD section. When debugging in GDB, my variables are back, no problem with that. Here comes the tricky part: how do I get GDB to retrieve information about where the program was when it crashed?</p>
<p>I know that the note section of the core dump contains this information (cpu registers among others). Here is what <em>objdump -h</em> gives for a "real" core dump:</p>
<pre><code>core.28339:     file format elf32-i386

Sections:
Idx Name          Size      VMA       LMA       File off  Algn
  0 note0         000001e8  00000000  00000000  000000f4  2**0
                  CONTENTS, READONLY
  1 .reg/28339    00000044  00000000  00000000  00000150  2**2
                  CONTENTS
  2 .reg          00000044  00000000  00000000  00000150  2**2
                  CONTENTS
  3 .auxv         000000a0  00000000  00000000  0000023c  2**2
                  CONTENTS
  4 load1a        00001000  08010000  00000000  00001000  2**12
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
.. other load sections ...
</code></pre>
<p>I figured out thanks to <em>readelf</em> that those .reg sections contain data mapped from some structures:</p>
<pre><code>Notes at offset 0x000000f4 with length 0x000001e8:
  Owner         Data size       Description
  CORE          0x00000090      NT_PRSTATUS (prstatus structure)
  CORE          0x0000007c      NT_PRPSINFO (prpsinfo structure)
  CORE          0x000000a0      NT_AUXV (auxiliary vector)
</code></pre>
<p>Can someone give me directions on how the Notes section is structured? I tried writing those structures directly to my file; it did not work and I am obviously missing something here. I looked at the <a href="https://code.google.com/p/google-coredumper/" rel="nofollow noreferrer">Google Coredumper code</a> and took some bits of it, but writing the note section is not that simple and any detailed information about what it exactly contains and its format is welcome.</p>
<p><strong>Edit #1: following 1st comment</strong></p>
<p>I figured out my Elf file should be structured as follows:</p>
<ul>
  <li>Elf header ElfW(Ehdr)</li>
  <li>Program headers (Ehdr.e_phnum times ElfW(Phdr)), here I basically used one PT_NOTE and one PT_LOAD header</li>
  <li>Note sections:
    <ul>
      <li>Section's header (ElfW(Nhdr))</li>
      <li>Section's name (.n_namesz long)</li>
      <li>Section's data (.n_descsz long)</li>
    </ul>
  </li>
  <li>Program section containing all my program's memory</li>
</ul>
<p>Then I will have to put 3 note records, one for the <em>prstatus</em>, one for <em>prpsinfo</em> and one for the <em>auxiliary vector</em>.</p>
<p>This seems to be the right way, as <em>readelf</em> gives me output similar to what I got above with the real core dump.</p>
<p><strong>Edit #2: after getting the correct structure</strong></p>
<p>I am now struggling with the different structures composing the note records.</p>
<p>Here is what I get when running <em>eu-readelf --notes</em> on my core dump:</p>
<pre><code>Note segment of 540 bytes at offset 0x74:
  Owner          Data size  Type
  CORE                 336  PRSTATUS
  CORE                 136  PRPSINFO
  CORE                   8  AUXV
    NULL
</code></pre>
<p>Here is what I get when running the same command on the real core dump:</p>
<pre><code>Note segment of 488 bytes at offset 0xf4:
  Owner          Data size  Type
  CORE                 144  PRSTATUS
    info.si_signo: 11, info.si_code: 0, info.si_errno: 0, cursig: 11
    sigpend: &lt;&gt;
    sighold: &lt;&gt;
    pid: 28339, ppid: 41446, pgrp: 28339, sid: 41446
    utime: 0.000000, stime: 0.000000, cutime: 0.000000, cstime: 0.000000
    orig_eax: -1, fpvalid: 0
    ebx:             -1  ecx:              0  edx:              0
    esi:              0  edi:              0  ebp:     0xffb9fcbc
    eax:             -1  eip:     0x08014b26  eflags:  0x00010286
    esp:     0xffb9fcb4
    ds: 0x002b  es: 0x002b  fs: 0x0000  gs: 0x0000  cs: 0x0023  ss: 0x002b
  CORE                 124  PRPSINFO
    state: 0, sname: R, zomb: 0, nice: 0, flag: 0x00400400
    uid: 9432, gid: 6246, pid: 28339, ppid: 41446, pgrp: 28339, sid: 41446
    fname: pikeos_app, psargs: ./pikeos_app
  CORE                 160  AUXV
    SYSINFO: 0xf7768420
    SYSINFO_EHDR: 0xf7768000
    HWCAP: 0xbfebfbff  &lt;fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe&gt;
    PAGESZ: 4096
    CLKTCK: 100
    PHDR: 0x8010034
    PHENT: 32
    PHNUM: 2
    BASE: 0
    FLAGS: 0
    ENTRY: 0x80100be
    UID: 9432
    EUID: 9432
    GID: 6246
    EGID: 6246
    SECURE: 0
    RANDOM: 0xffb9ffab
    EXECFN: 0xffba1feb
    PLATFORM: 0xffb9ffbb
    NULL
</code></pre>
<p>Does someone have any clue or explanations about why my note records are not read properly? I thought it might be due to incorrect offsets, but then why would the records be correctly listed?</p>
<p>Thanks!</p>
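The note record layout listed in Edit #1, as an added example that is not part of the original post or of Google Coredumper: each record is an `Elf32_Nhdr`, the owner name padded to 4 bytes, then the descriptor padded to 4 bytes. The names `prstatus32`, `note_put` and `note_find` are hypothetical; the struct spells the i386 `NT_PRSTATUS` payload with fixed-width fields so it stays at the 144 bytes shown for the real core, whereas 336 and 136 are the sizes of glibc's `struct elf_prstatus` and `struct elf_prpsinfo` when compiled for x86-64.

```c
#include <elf.h>
#include <stdint.h>
#include <string.h>

/* i386 NT_PRSTATUS payload with fixed-width fields: 144 bytes on any host. */
struct prstatus32 {
    int32_t  si_signo, si_code, si_errno;   /* struct elf_siginfo */
    int16_t  cursig;  uint16_t pad;
    uint32_t sigpend, sighold;
    int32_t  pid, ppid, pgrp, sid;
    int32_t  utime[2], stime[2], cutime[2], cstime[2]; /* 32-bit timevals */
    uint32_t reg[17];           /* ebx ... ss, in user_regs_struct order */
    int32_t  fpvalid;
};
_Static_assert(sizeof(struct prstatus32) == 144, "i386 prstatus is 144 bytes");

#define ALIGN4(n) (((uint64_t)(n) + 3) & ~(uint64_t)3)

/* Append one record at buf+off: Nhdr, name padded to 4, desc padded to 4.
 * Returns the new offset, or 0 if the record does not fit in cap bytes. */
size_t note_put(uint8_t *buf, size_t cap, size_t off, const char *name,
                uint32_t type, const void *desc, uint32_t descsz)
{
    Elf32_Nhdr nh = { (uint32_t)strlen(name) + 1, descsz, type };
    uint64_t need = sizeof nh + ALIGN4(nh.n_namesz) + ALIGN4(descsz);
    if (off > cap || need > cap - off) return 0;
    memset(buf + off, 0, need);                     /* zero the padding */
    memcpy(buf + off, &nh, sizeof nh);
    memcpy(buf + off + sizeof nh, name, nh.n_namesz);
    memcpy(buf + off + sizeof nh + ALIGN4(nh.n_namesz), desc, descsz);
    return off + need;
}

/* Walk a PT_NOTE segment; return the desc of the first note of the given
 * type and its size, or NULL if it is absent or a record is truncated. */
const void *note_find(const uint8_t *seg, size_t len, uint32_t type,
                      uint32_t *descsz)
{
    size_t off = 0;
    while (len - off >= sizeof(Elf32_Nhdr)) {
        Elf32_Nhdr nh;
        memcpy(&nh, seg + off, sizeof nh);
        uint64_t body = ALIGN4(nh.n_namesz) + ALIGN4(nh.n_descsz);
        if (body > len - off - sizeof nh) return NULL;  /* truncated */
        if (nh.n_type == type) {
            *descsz = nh.n_descsz;
            return seg + off + sizeof nh + ALIGN4(nh.n_namesz);
        }
        off += sizeof nh + body;
    }
    return NULL;
}
```

Three `CORE` notes with descriptors of 144, 124 and 160 bytes serialize to 488 bytes, the note segment length reported for the real core; descriptors of 336, 136 and 8 bytes give the 540 bytes reported for the hand-built one.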