6

The Wikipedia page on Core dump says

In Unix-like systems, core dumps generally use the standard executable image-format:

a.out in older versions of Unix,
ELF in modern Linux, System V, Solaris, and BSD systems,
Mach-O in OS X, etc.

Does this mean a core dump is executable by itself? If not, why not?

Edit: Since @WumpusQ.Wumbley mentions a coredump_filter in a comment, perhaps the above question should be: can a core dump be produced such that it is executable by itself?

Sundar R
  • 13,776
  • 6
  • 49
  • 76
  • What would you expect as a result if the core dump were to be executed? – icedwater Aug 05 '13 at 06:15
  • I believe (but am not sure) that the core dump contains the machine instructions from the original executable also, since they are part of the memory image of the process. If so, I would expect it to run those instructions. I'm entirely unclear on whether this would happen, and if it would, whether it would start afresh or would try to continue execution from the stored state (and perhaps crash again), hence the question. – Sundar R Aug 05 '13 at 07:05
  • 5
    undump: http://code.google.com/p/undump/ –  Aug 15 '13 at 18:11
  • @WumpusQ.Wumbley Thanks, that was exactly the kind of interesting stuff I was hoping to learn from this. `undump` seems to require both the original executable and the core dump though, so it looks like core dump only has the data, and not the executable code? – Sundar R Aug 15 '13 at 20:11
  • 3
    Whether a core dump includes the text segment depends on some configuration options. See the section on `coredump_filter` in http://man7.org/linux/man-pages/man5/core.5.html for instance. I think the traditional unix behavior was to include it, so the core dump would have everything. Omitting it to make core dumps cheaper, on the assumption that the user will be able to find the executable and pair it up with the core file, is a more recent development. Can't find any evidence to back up my recollection though. –  Aug 15 '13 at 23:30

3 Answers3

8

In older unix variants it was the default to include the text as well as data in the core dump but it was also given in the a.out format and not ELF. Today's default behavior (in Linux for sure, not 100% sure about BSD variants, Solaris etc.) is to have the core dump in ELF format without the text sections but that behavior can be changed.
However, a core dump cannot be executed directly in any case without some help. The reason for that is that there are two things missing from a simple core file. One is the entry point, the other is code to restore the CPU state to the state at or just before the dump occurred (by default also the text sections are missing).
In AIX there used to be a utility called undump but I have no idea what happened to it. It doesn't exist in any standard Linux distribution I know of. As mentioned above (@WumpusQ) there's also an attempt at a similar project for Linux mentioned in above comments, however this project is not complete and doesn't restore the CPU state to the original state. It is, however, still good enough in some specific debugging cases.
It is also worth mentioning that there exist other ELF formatted files that cannot be executes as well which are not core files. Such as object files (compiler output) and .so (shared object) files. Those require a linking stage before being run to resolve external addresses.

Reed
  • 499
  • 2
  • 8
  • Thank you very much for the clear explanation, and the point about .o and .so files is a valid one that I didn't think about. I also got a similar answer about the entry point, etc. from the creator of the `undump` utility, I'll now post that as another answer for the sake of completeness. I'm accepting your answer but leaving the bounty open for now, just in case. – Sundar R Aug 16 '13 at 13:17
  • Another big problem with the "undump" concept is that you lose all the state associated with the file descriptors that were open at the time of the crash. –  Aug 16 '13 at 23:57
  • @WumpusQ.Wumbley yes, the creator of `undump` mentioned it in his email about this, I've posted that reply as another answer on this question. – Sundar R Aug 17 '13 at 10:45
  • You can change the sections dumped on Linux using /proc//coredump_filter (or for all processes the kernel boot option coredump_filter). See [core(5)](http://man7.org/linux/man-pages/man5/core.5.html). – Ben C Jul 24 '18 at 17:47
2

I emailed this question the creator of the undump utility for his expertise, and got the following reply:

As mentioned in some of the answers there, it is possible to include the code sections by setting the coredump_filter, but it's not the default for Linux (and I'm not entirely sure about BSD variants and Solaris). If the various code sections are saved in the original core-dump, there is really nothing missing in order to create the new executable. It does, however, require some changes in the original core file (such as including an entry point and pointing that entry point to code that will restore CPU registers). If the core file is modified in this way it will become an executable and you'll be able to run it. Unfortunately, though, some of the states are not going to be saved so the new executable will not be able to run directly. Open files, sockets, pips, etc are not going to be open and may even point to other FDs (which could cause all sorts of weird things). However, it will most probably be enough for most debugging tasks such running small functions from gdb (so that you don't get a "not running an executable" stuff).

Sundar R
  • 13,776
  • 6
  • 49
  • 76
  • The undump [on Google Code](https://code.google.com/archive/p/undump/) is for i386 (use the gcc flag `-m32` or port to 64 bits!) and works enough to make an executable which you can run in gdb and it will get the same segfault. It doesn't have symbols but you can use the gdb command `symbol-file` to get the symbols from the original binary. This lets you call functions and see global variables but not local scope (stack) variables, symbols or lines of code. I don't see any reason why that couldn't be fixed though. – Ben C Jul 24 '18 at 19:30
  • (There is also a much older undump on [CTAN](https://ctan.org/tex-archive/obsolete/support/undump) which was formerly used to create the TeX frontend binaries. This is of historical interest but now obsolete.) – Ben C Jul 24 '18 at 19:33
0

As other guys said, I don't think you can execute a core dump file without the original binary.

In case you're interested to debug the binary (and it has debugging symbols included, in other words it is not stripped) then you can run gdb binary core.

Inside gdb you can use bt command (backtrace) to get the stack trace when the application crashed.

jyz
  • 6,011
  • 3
  • 29
  • 37