Core dump
A core dump is a file containing a snapshot of a process's memory image, including its address space, registers, and other state information, captured at the moment of abnormal termination, such as from a segmentation fault or other unhandled signal, to facilitate postmortem debugging and analysis of software crashes.[1] The term originates from the era of magnetic-core memory in early computers, where "core" referred to the ferrite rings used for main memory storage, and "dumping" meant copying or printing the contents for examination during failures.[2] In Unix-like operating systems, core dumps are automatically generated by the kernel in response to specific signals (e.g., SIGSEGV for invalid memory access or SIGABRT for assertion failures), provided the process's resource limit for core files (RLIMIT_CORE) permits it and the system configuration enables dumping.[1] These files, typically named "core" or, when the kernel is configured to append the process ID, "core.<pid>", can then be loaded into a debugger for postmortem analysis.[1]
Introduction
Definition
A core dump is a file containing an image of a process's memory at the moment of its termination.[5] This snapshot captures the complete state of the process, including key components such as the heap for dynamically allocated data, the stack for local variables and function frames, CPU registers, and code segments.[5] The term "core dump" originates from the magnetic core memory technology prevalent in early computers, where such dumps preserved the contents of ferrite core-based storage.[6]
Understanding a core dump requires familiarity with the typical process memory layout in Unix-like systems, which divides address space into distinct segments.[7] The text segment holds the program's executable instructions.[7] The data segment stores initialized global and static variables, while the BSS segment allocates space for uninitialized ones.[7] Above these lie the heap, managed for runtime allocations, and the stack, which grows downward to handle function calls and automatic variables.[7] Registers, though not part of the memory segments, are also preserved to reflect the processor's state at termination.[5]
In contrast to other diagnostic outputs like logs or execution traces, which provide textual records of events or high-level behaviors, a core dump delivers a raw, binary representation of memory and state for precise reconstruction of failures.[5] Its fundamental purpose is to facilitate post-mortem examination in a debugger, enabling developers to investigate runtime errors such as segmentation faults, often triggered by signals like SIGSEGV.[8] This allows pinpointing issues like invalid memory accesses or assertion violations that caused the process to abort.[5]
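A short C sketch can make this layout concrete by printing one address from each region. The exact values vary between systems and runs (particularly with address space layout randomization), so the program is purely illustrative:

    #include <stdio.h>
    #include <stdlib.h>

    int global_initialized = 42;   /* data segment */
    int global_uninitialized;      /* BSS segment */

    int main(void) {
        int local = 0;                            /* stack */
        int *dynamic = malloc(sizeof *dynamic);   /* heap */

        printf("text  (main):        %p\n", (void *)main);
        printf("data  (initialized): %p\n", (void *)&global_initialized);
        printf("bss   (zero-filled): %p\n", (void *)&global_uninitialized);
        printf("heap  (malloc):      %p\n", (void *)dynamic);
        printf("stack (local):       %p\n", (void *)&local);

        free(dynamic);
        return 0;
    }

All of these regions, along with the register state, are what a core dump preserves for later inspection.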
Historical Background
The concept of a core dump originated in the 1960s with the widespread use of magnetic core memory systems, where "core" specifically referred to the tiny ferrite rings that stored individual bits of data in early computers like those from IBM and MIT's Whirlwind project.[9] These systems required mechanisms to capture and preserve memory contents during failures for post-mortem analysis, as physical core memory was expensive.[10] Early implementations emerged in mainframe operating systems, including IBM's OS/360, announced in 1964, which provided debugging tools for dumping memory states to aid in error diagnosis.[11] Similarly, the Multics operating system, developed from 1965 to 1969 on the GE-645 computer, incorporated core dump capabilities to examine memory after crashes, supporting its time-sharing architecture.[12] In the 1970s, Unix, created by Ken Thompson and Dennis Ritchie at Bell Labs, adopted and refined these features for software debugging, transitioning from hardware-centric dumps to more accessible file-based outputs on minicomputers like the PDP-11.[13]
The evolution continued into the personal computing era, where core dumps shifted from hardware-initiated captures in mainframes to software-generated files, enabling easier portability and analysis on smaller systems. A key milestone occurred in 1988 with the POSIX.1 standard (IEEE Std 1003.1-1988), which described core dump practices as common in Unix-like systems to promote portability.[14] With the introduction of virtual memory architectures in the 1960s and 1970s, core dumps were adapted to include process address spaces beyond physical RAM limits.[15] Although magnetic core memory was largely replaced by semiconductor RAM after the 1970s, the nomenclature "core dump" endured in software practices, reflecting its historical roots while applying to modern memory management.[9]
Generation
Automatic Triggers
In Unix-like operating systems, core dumps are automatically triggered by unhandled signals that have a default action of terminating the process and generating a core file. Primary examples include SIGSEGV, which is raised upon segmentation violations such as invalid memory access; SIGABRT, often invoked by the abort() function during assertion failures; and SIGQUIT, typically sent from the terminal via the quit key (Ctrl-\).[5][16] Other signals like SIGFPE (floating-point exceptions, e.g., division by zero on some architectures), SIGILL (illegal instructions), SIGBUS (bus errors), and SIGTRAP (trace traps on certain systems) also initiate dumps under similar conditions.[16][17]
The operating system kernel plays a central role in detecting these fatal errors and initiating the core dump process. Upon receiving such a signal, the kernel terminates the offending process and, if enabled, creates a core dump file capturing the process's state at the moment of failure. This detection occurs for hardware-generated faults, such as invalid memory references or arithmetic errors, ensuring the dump is produced before process cleanup.[5][16]
Core dump generation is subject to resource limits configured via system calls like setrlimit() or the ulimit command, particularly the RLIMIT_CORE limit which controls the maximum size of the core file. If RLIMIT_CORE is set to zero, no dump is produced, preventing potential disk exhaustion; similarly, exceeding RLIMIT_FSIZE may block the dump unless configured otherwise.[5]
Additional conditional factors can trigger dumps indirectly, such as pipe write failures in some configurations (though SIGPIPE typically terminates without dumping) or watchdog timeouts in supervised environments that escalate to abort signals. Assertion failures explicitly call abort(), routing through SIGABRT to force a dump.[16]
At the time of triggering, the core dump preserves the process's full state, including virtual memory contents, CPU registers, a list of open file descriptors, environment variables, and, for multi-threaded processes, the stack and registers of all threads, enabling later reconstruction of the execution context.[5][18]
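The interaction between RLIMIT_CORE and a signal-triggered dump can be sketched in a few lines of C. The program below raises its own soft core limit to the hard limit and then dereferences a null pointer, so the kernel delivers SIGSEGV and, if system policy allows, writes a core file; the location and name of that file depend on the configuration discussed later:

    #include <stdio.h>
    #include <sys/resource.h>

    int main(void) {
        struct rlimit rl;

        /* Raise the soft core-file limit to the hard limit so the kernel
           is permitted to write a core file for this process. */
        if (getrlimit(RLIMIT_CORE, &rl) == 0) {
            rl.rlim_cur = rl.rlim_max;
            if (setrlimit(RLIMIT_CORE, &rl) != 0)
                perror("setrlimit");
        }

        /* Deliberate invalid access: the kernel delivers SIGSEGV, whose
           default action terminates the process and dumps core. */
        volatile int *p = NULL;
        *p = 1;
        return 0;
    }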
Manual Invocation
Manual invocation enables the deliberate generation of core dumps from running processes, providing a controlled alternative to automatic triggers that respond only to unhandled signals like segmentation faults. This approach is essential for proactive diagnostics in production environments where faults are not yet manifesting. Command-line utilities offer straightforward ways to initiate core dumps externally. The gcore tool, included in the GNU Debugger (GDB) distribution, attaches to one or more running processes by their process IDs (PIDs) and produces core files equivalent to those created by the kernel during a crash, while allowing the processes to continue execution afterward.[19] For example, executing gcore <pid> pauses the target process temporarily, dumps its memory state, and resumes operation, with the output file named core.<pid> by default.[19] Similarly, the kill command can send SIGQUIT (signal 3) or SIGABRT (signal 6) to a PID, both of which have a default action of terminating the process and generating a core dump.[16]
Within application code, programmatic triggers facilitate core dumps at specific points, such as during error conditions or checkpoints. In C and C++, the abort() function from <stdlib.h> raises SIGABRT, leading to abnormal program termination and a core dump unless the signal is caught and handled to prevent it.[20] Developers can also explicitly call raise(SIGABRT) to achieve the same effect, ensuring the process state is captured precisely where the invocation occurs. Equivalent functionality in other languages, such as Python's os.abort(), leverages underlying signal APIs to simulate abort conditions and produce dumps.[21]
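A minimal C illustration of such a programmatic trigger is an assertion-style check that calls abort() when an invariant fails, so the resulting dump captures the state at exactly that point. This assumes core dumps are enabled and SIGABRT is not caught; the function and variable names are arbitrary:

    #include <stdio.h>
    #include <stdlib.h>

    static void check_invariant(int value) {
        if (value < 0) {
            /* Record context, then raise SIGABRT; with dumps enabled,
               the kernel writes a core file at this exact point. */
            fprintf(stderr, "invariant violated: value=%d\n", value);
            abort();
        }
    }

    int main(void) {
        check_invariant(7);    /* passes */
        check_invariant(-1);   /* aborts and dumps core */
        return 0;
    }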
Debugger attachments provide interactive control over core dump creation. In GDB, after attaching to a process with gdb -p <pid>, the generate-core-file command (or its alias gcore) saves the inferior process's memory image and register state to a file, defaulting to core.<pid> if unspecified.[22] This method supports customization, such as excluding certain memory mappings via the use-coredump-filter setting, and generates sparse files on compatible filesystems to optimize storage.[22]
System configuration influences manual dump behavior in Linux environments. The /proc/sys/kernel/core_pattern parameter defines the template for core file names and can route dumps to a pipe for processing by a user-space program, applying uniformly to manually invoked dumps from tools like gcore or signal sends.[1] For instance, setting core_pattern to /tmp/core.%p directs all dumps, including manual ones, to a specific directory with PID inclusion.[1]
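Before invoking a manual dump, it can be useful to confirm where the kernel will place core files. A small C sketch that reads the current pattern (read access to /proc is assumed, and no pattern is modified):

    #include <stdio.h>

    int main(void) {
        char pattern[4096];
        FILE *f = fopen("/proc/sys/kernel/core_pattern", "r");
        if (!f) { perror("core_pattern"); return 1; }

        /* Print the active naming template, e.g. "core" or "|/usr/bin/...". */
        if (fgets(pattern, sizeof pattern, f))
            printf("core files follow the pattern: %s", pattern);
        fclose(f);
        return 0;
    }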
These techniques are valuable for diagnosing hangs or intermittent issues, where capturing a snapshot allows offline examination without forcing an immediate crash that could exacerbate problems.[23] The resulting files adhere to standard storage conventions, typically placed in the current working directory or as configured.[1]
A key limitation is the potential for incomplete dumps if the process is in an inconsistent state, such as midway through memory operations or with locked regions, leading to partial or unreliable snapshots.[23] Additionally, memory marked non-dumpable via the per-process /proc/[pid]/coredump_filter settings is excluded from manually generated dumps as well.
Uses and Applications
Debugging Software Failures
Core dumps play a crucial role in debugging software failures by preserving the exact state of a program at the moment of a crash, enabling developers to reconstruct the execution context without needing to reproduce the issue in a live environment. This includes capturing the call stack, which reveals the sequence of function calls leading to the failure, as well as the values of variables and registers at that instant. By loading the core dump into a debugger such as GDB, analysts can examine these elements to identify root causes like memory corruption. Such reconstruction is particularly valuable for pinpointing issues like buffer overflows, where data exceeds allocated memory boundaries and overwrites adjacent areas, or null pointer dereferences, which occur when code attempts to access memory through a null or otherwise invalid pointer. In these cases, the core dump allows inspection of corrupted memory regions and the offending code paths, facilitating targeted fixes that might otherwise require extensive logging or trial-and-error reproduction. For instance, tools within GDB can dump memory contents around the fault address to visualize overflow patterns or invalid accesses.[24]
Integration with integrated development environments (IDEs) further enhances this process by allowing core dumps to be loaded directly into debuggers for interactive analysis, much as if the program were paused in a live session. IDEs like CLion or Visual Studio Code support postmortem debugging of core files, where developers can inspect variables frame by frame and navigate the call stack visually. This approach bridges the gap between crash artifacts and familiar development workflows, making it easier to correlate dump data with source code.[25][26]
In multi-threaded applications, core dumps provide a snapshot of all threads' states, enabling the identification of concurrency issues such as race conditions, where threads access shared data unpredictably, or deadlocks, where threads mutually block resource acquisition. Debuggers like GDB offer commands such as info threads to list active threads and thread apply all bt to generate backtraces for every thread simultaneously, revealing contention points or locked resources at crash time. This thread-level visibility is essential for diagnosing non-deterministic bugs that evade live debugging sessions.[27]
Effective analysis requires matching the core dump against the precise version of the source code and binary that produced it, typically using debug symbols to map addresses to function names, line numbers, and variable details. If symbols are stripped from the production binary, a separate debug information file or the original build artifact must be used; mismatches can lead to incomplete or misleading traces, as the dump's memory layout depends on the exact compilation. GDB verifies compatibility by loading the executable alongside the core file, ensuring symbols align correctly for accurate reconstruction.
Best practices for enabling useful core dumps include compiling with debug symbols via flags like -g in GCC or Clang, which embed symbol tables without significantly impacting performance, and retaining these in separate files (e.g., using -gsplit-dwarf) for production deployments. Additionally, avoiding aggressive optimization flags like -O3 during debugging builds—or using -Og for a balance—prevents code transformations that reorder instructions or inline functions, which can obscure variable states and stack frames in the dump. These steps ensure dumps remain interpretable while maintaining realistic crash conditions.[28][29]
By facilitating rapid offline diagnosis of production incidents, core dumps contribute to reducing mean time to resolution (MTTR). This impact is amplified in high-availability systems, where quick postmortem analysis minimizes downtime without requiring on-site reproduction.[30]
Forensic and Diagnostic Purposes
Core dumps are instrumental in incident response efforts, capturing the full state of a process's memory at the moment of failure to facilitate root cause analysis of system outages. Investigators use them to pinpoint the sequence of events leading to downtime.[31] For instance, in network device incidents, core dumps from Cisco IOS systems preserve volatile data like main memory and I/O buffers, allowing reconstruction of events without rebooting the device.[32] In security forensics, core dumps enable detection of exploits by revealing anomalous memory patterns indicative of attacks, such as stack smashing through buffer overflows or heap spraying to facilitate code injection. From these artifacts, analysts can extract traces of malicious payloads, network traffic captured in memory, or unauthorized modifications, supporting attribution in breach investigations.[33] Unlike routine debugging, which focuses on isolated bugs, forensic analysis of core dumps addresses systemic compromises, though the files often contain sensitive data that requires secure handling to mitigate privacy risks.[34]
For performance tuning, core dumps support heap profiling to uncover resource exhaustion and inefficient code paths, such as gradual memory growth from leaks that degrade application responsiveness over time. By examining heap structures within the dump, engineers identify allocation hotspots and deallocation failures, informing optimizations without relying solely on live tracing tools.[35] This approach is particularly valuable in diagnosing intermittent issues that evade real-time monitoring.
In compliance and auditing contexts, core dumps serve as evidentiary records for regulatory reviews in regulated industries like finance and healthcare, where they document failure modes to verify adherence to standards such as data integrity and error handling protocols. Access to these files must be tightly controlled, with directories restricted to software owners and designated administrators to prevent unauthorized exposure of potentially confidential memory contents.[36]
Handling core dumps in secure environments presents challenges, including the need to manage encrypted or obfuscated files while preserving forensic value for analysis. In virtualized setups like VMware vSphere, core dumps are automatically encrypted to protect sensitive information, necessitating decryption keys and policy-compliant storage to balance diagnostics with data protection requirements.[37] Additionally, vulnerabilities in dump handlers can inadvertently expose credentials or keys, complicating retention in high-security deployments.[34]
Analysis Techniques
Manual Inspection Methods
Manual inspection of core dumps involves low-level examination of the raw file contents to uncover memory states, execution paths, and artifacts from a crashed process. This approach relies on basic utilities for viewing binary data and requires familiarity with the underlying architecture and process layout. Analysts typically begin by loading the core dump into a hexadecimal viewer to scan for recognizable patterns, such as ASCII strings that may indicate error messages or variable contents.
Hexadecimal viewing uses command-line tools like hexdump or xxd to display the core dump's binary data in a readable format, showing both hexadecimal bytes and their ASCII equivalents where applicable. This allows identification of textual artifacts, such as log strings or buffer overflows, embedded in memory regions. For instance, scanning sections around the stack or heap might reveal null-terminated strings or binary signatures of allocated data. Such inspection helps pinpoint anomalies like corrupted pointers or unexpected data overwrites without higher-level interpretation.
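The raw view that hexdump or xxd provides can be reproduced in a few lines of C; the sketch below prints an offset, the hexadecimal bytes, and the printable ASCII for any file passed on the command line, using the conventional 16-byte row layout:

    #include <stdio.h>
    #include <ctype.h>

    int main(int argc, char **argv) {
        if (argc != 2) { fprintf(stderr, "usage: %s <file>\n", argv[0]); return 1; }
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 1; }

        unsigned char row[16];
        size_t n, offset = 0;
        while ((n = fread(row, 1, sizeof row, f)) > 0) {
            printf("%08zx  ", offset);                 /* file offset */
            for (size_t i = 0; i < 16; i++) {          /* hex column  */
                if (i < n) printf("%02x ", row[i]);
                else       printf("   ");
            }
            printf(" |");
            for (size_t i = 0; i < n; i++)             /* ASCII column */
                putchar(isprint(row[i]) ? row[i] : '.');
            printf("|\n");
            offset += n;
        }
        fclose(f);
        return 0;
    }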
Symbol table parsing entails manually correlating memory addresses in the core dump with function names and offsets from the executable's symbol table. This process involves extracting addresses from key locations, such as the program counter or registers preserved in the dump, and cross-checking them against a disassembly listing of the binary. By aligning these addresses, analysts can trace function calls leading to the crash, identifying entry points or return paths. This method demands access to the unstripped executable and knowledge of the ELF format's symbol sections.
Stack unwinding reconstructs the call stack by calculating frame pointers and return addresses stored in the core dump's stack segment. Starting from the saved base pointer (e.g., RBP on x86_64), each frame's return address is followed to the previous frame, revealing the sequence of function invocations at the time of failure. This manual traversal accounts for prologue and epilogue code in functions, which adjust the stack pointer, and can expose issues like buffer overflows that corrupt stack frames. Frame pointers, when enabled during compilation, simplify this process by providing direct links between frames.[38]
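The arithmetic behind this traversal can be illustrated in C. With frame pointers preserved (for example, compiled with -O0 or -fno-omit-frame-pointer on x86_64), each frame stores the caller's frame pointer, with the return address in the adjacent word; the same pointer-chasing is applied by hand to the stack bytes in a core dump. The sketch below performs a live walk rather than parsing a dump and assumes the conventional x86_64 frame layout:

    #include <stdio.h>
    #include <stdint.h>

    /* Follow saved frame pointers upward, printing each return address. */
    static void walk_frames(void) {
        uintptr_t *fp = (uintptr_t *)__builtin_frame_address(0);
        for (int depth = 0; fp && depth < 16; depth++) {
            uintptr_t ret = fp[1];                /* saved return address  */
            uintptr_t *up = (uintptr_t *)fp[0];   /* caller's frame pointer */
            printf("frame %2d: fp=%p  return=%#lx\n",
                   depth, (void *)fp, (unsigned long)ret);
            if (up <= fp)   /* the stack grows downward; stop on nonsense */
                break;
            fp = up;
        }
    }

    static void inner(void) { walk_frames(); }
    static void outer(void) { inner(); }

    int main(void) {
        outer();
        return 0;
    }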
Memory mapping correlates sections of the core dump to the process's virtual address space, identifying regions like the text segment for code, data for globals, or heap for dynamic allocations. By examining the ELF program headers in the dump, which outline mapped intervals, analysts can locate malloc'ed regions or shared libraries. This step reveals how memory was laid out, such as distinguishing executable code from writable data, to assess access violations or leaks.[39]
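The program-header walk described above can be automated with the system's elf.h. The following sketch assumes a 64-bit little-endian ELF core file and performs only minimal error checking; it lists each PT_LOAD segment's virtual address, sizes, and permissions:

    #include <stdio.h>
    #include <elf.h>

    int main(int argc, char **argv) {
        if (argc != 2) { fprintf(stderr, "usage: %s <core>\n", argv[0]); return 1; }
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 1; }

        Elf64_Ehdr eh;
        if (fread(&eh, sizeof eh, 1, f) != 1) { fclose(f); return 1; }
        printf("e_type=%u (4 = ET_CORE), %u program headers\n",
               eh.e_type, eh.e_phnum);

        for (int i = 0; i < eh.e_phnum; i++) {
            Elf64_Phdr ph;
            /* Each program header sits at e_phoff + i * e_phentsize. */
            fseek(f, (long)(eh.e_phoff + (unsigned long)i * eh.e_phentsize), SEEK_SET);
            if (fread(&ph, sizeof ph, 1, f) != 1) break;
            if (ph.p_type != PT_LOAD)
                continue;
            printf("LOAD vaddr=0x%llx memsz=0x%llx filesz=0x%llx %c%c%c\n",
                   (unsigned long long)ph.p_vaddr,
                   (unsigned long long)ph.p_memsz,
                   (unsigned long long)ph.p_filesz,
                   (ph.p_flags & PF_R) ? 'r' : '-',
                   (ph.p_flags & PF_W) ? 'w' : '-',
                   (ph.p_flags & PF_X) ? 'x' : '-');
        }
        fclose(f);
        return 0;
    }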
Cross-referencing enhances accuracy by comparing the core dump's contents with process maps obtained from /proc/<pid>/maps on Linux systems, ideally captured before the crash. This file lists virtual addresses, permissions, and backing files for each mapping, allowing validation of dump sections against the original layout—such as confirming a heap region's boundaries. Discrepancies might indicate partial dumps or post-crash changes, aiding in contextualizing observed data.[39]
These manual methods are time-intensive, particularly for large core dumps exceeding gigabytes, as they involve byte-by-byte navigation and repeated calculations. They also require deep knowledge of assembly language and system internals, limiting their practicality for complex crashes where automated tools offer greater efficiency.[40]
Automated Analysis Tools
Automated analysis tools for core dumps leverage debuggers, sanitizers, and reporting frameworks to parse memory states, extract stack traces, and identify failure patterns without manual intervention. These utilities enable scalable examination of crashes across development and production environments, often integrating scripting for repeatable workflows. By automating symbol resolution, register inspection, and error annotation, they reduce debugging time and improve accuracy in diagnosing issues like segmentation faults or memory corruption.
The GNU Debugger (GDB) provides interactive yet automated core dump analysis through commands such as bt for generating backtraces, info registers for displaying CPU register values at the time of the crash, and x for examining memory contents at specific addresses. Loading a core file with gdb executable core allows these commands to operate on the dumped process state, facilitating automated scripting via GDB's Python API for batch processing multiple dumps.
LLDB, the debugger integrated into Apple's Xcode, supports core file analysis on macOS and iOS platforms, enabling scripting with Python and Lua for automated visualization of stack frames and variables.[41] Commands like bt and register read mirror GDB functionality, while LLDB's expression evaluator allows dynamic code execution against the core dump for deeper inspection.[42] This makes it suitable for ecosystem-specific debugging, such as iOS app crashes, with built-in support for Mach-O binaries and symbolication.
For Windows systems, WinDbg analyzes dump files (.dmp) using extensions like !analyze for automated bug check interpretation and kernel-mode stack unwinding.[43] Loaded via File > Open Crash Dump or command-line options such as windbg -z <file.dmp>, it supports kernel extensions such as !process for thread enumeration and !peb for process environment block details, streamlining triage of blue screen crashes. For user-mode dumps, similar analysis applies using appropriate symbols and commands.[44]
AddressSanitizer (ASan), a compiler-integrated runtime tool from LLVM/Clang and GCC, detects memory errors like use-after-free or buffer overflows and can be configured to abort on errors, triggering core dump generation for subsequent analysis.[45] Setting ASAN_OPTIONS=abort_on_error=1 ensures the process terminates with a core file containing annotated error locations, including shadow memory maps that highlight corrupted regions.[46] This facilitates automated detection without post-mortem manual parsing.
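A minimal sketch of this workflow follows: a heap buffer overflow that AddressSanitizer detects at run time. The file and binary names are placeholders; built with -fsanitize=address and run with ASAN_OPTIONS=abort_on_error=1, the process aborts after ASan's report, so a core file can be collected for later analysis if dumps are enabled:

    #include <stdlib.h>
    #include <string.h>

    /* Compile:  clang -g -fsanitize=address overflow.c -o overflow
       Run:      ASAN_OPTIONS=abort_on_error=1 ./overflow
       ASan reports the heap-buffer-overflow and then aborts, which,
       with core dumps enabled, leaves a core file for post-mortem use. */
    int main(void) {
        char *buf = malloc(16);
        memset(buf, 'A', 32);   /* writes 16 bytes past the allocation */
        free(buf);
        return 0;
    }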
On Linux systems using systemd (common in distributions like Ubuntu and Fedora as of 2025), systemd-coredump automatically collects and stores core dumps, with the coredumpctl command providing automated analysis tools. Commands like coredumpctl list enumerate dumps, coredumpctl info <pid> displays details, and coredumpctl gdb <pid> launches GDB directly on the dump for backtrace and inspection, simplifying triage without manual file handling.[47]
Crash reporting systems integrate core dumps for remote upload and triage; for instance, Sentry's coredump-uploader utility monitors directories for new core files and automatically transmits them to its platform for symbol resolution and grouping by error signatures.[48] Similarly, the ELK Stack (Elasticsearch, Logstash, Kibana) can process extracted stack traces from core dumps via Logstash pipelines, enabling searchable indexing and visualization for fleet-wide crash pattern analysis.
Scripting extensions enhance automation in GDB; pwndbg, a Python-based plugin, automates pattern matching in core dumps by providing enhanced hexdump views, context-aware disassembly, and custom commands for searching memory artifacts like ROP chains.[49] Installed as a GDB module, it supports core file loading and scripting for repeatable vulnerability hunts, improving efficiency over vanilla GDB interactions.[50]
File Properties
Structure and Format
Core dump files capture the state of a process at termination, typically organizing data in a structured binary format to facilitate post-mortem analysis. In Unix-like systems, the predominant format is the Executable and Linkable Format (ELF), which treats the core dump as a specialized ELF file with type ET_CORE (value 4) to distinguish it from executables or object files.[51] The ELF header begins with the e_ident array, featuring the magic byte 0x7F followed by the ASCII characters 'E', 'L', 'F' (0x45, 0x4C, 0x46), which identify the file as ELF-compliant, along with fields specifying class (e.g., 32-bit or 64-bit), data encoding (endianness), and version. Following the header, a table of program headers describes the memory segments and the note data; core files typically carry no section header table.
The program headers in an ELF core dump include entries of type PT_LOAD (value 1), which map virtual memory areas (VMAs) from the process's address space to offsets in the file, capturing segments like the text, data, heap, and stack with details on virtual address, memory size, file size, and permissions (e.g., read, write, execute).[52] A critical PT_NOTE (value 4) entry houses process-specific notes, structured as a sequence of note headers (Elf64_Nhdr or Elf32_Nhdr) containing name size, descriptor size, and type, followed by the note data.[52] Common note types encompass NT_PRSTATUS for register states and signal information, NT_PRPSINFO for process details like command line and execution state, and NT_AUXV for the auxiliary vector, which holds entries such as AT_PHDR (program header location), AT_ENTRY (entry point), and AT_HWCAP (hardware capabilities).[5] These components collectively provide a snapshot of memory mappings and execution context without embedding the full executable.
Beyond ELF, portable formats like the minidump used in Google Breakpad offer cross-platform alternatives, serializing crash data as a sequence of modular streams within a header-defined structure.[53] The minidump header (MINIDUMP_HEADER) specifies the file signature ('MDMP'), version, stream count, and a directory of stream locations, with each stream (e.g., thread lists, memory regions, exception records) containing typed data for registers, stacks, and modules to enable analysis on diverse architectures without OS-specific dependencies.[54]
Core dumps routinely incorporate metadata such as the generation timestamp, process ID (PID), terminating signal number (e.g., SIGSEGV for segmentation faults), and CPU register dumps, often stored in dedicated note streams or headers to contextualize the failure.[5] To address storage constraints, core dumps may employ compression, such as gzipping the entire file post-generation via kernel piping or user-space tools, reducing size while preserving the underlying structure for decompression prior to analysis. Standards like the Generic ABI (gABI) for ELF define the header, program, and note formats to ensure interoperability across Unix-like implementations, while POSIX specifies abnormal termination with implementation-defined additional actions (conventionally a core file) for unhandled signals such as SIGABRT and SIGFPE, leaving the exact encoding implementation-defined, with ELF as the de facto convention in modern systems.
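As a sketch of how the note segment is laid out, the following C fragment walks the PT_NOTE entries of a 64-bit ELF core file and reports each note's name, type, and descriptor size, flagging NT_PRSTATUS (value 1). Note entries are padded to 4-byte boundaries, and error handling is kept minimal:

    #include <stdio.h>
    #include <stdlib.h>
    #include <elf.h>

    static size_t align4(size_t v) { return (v + 3) & ~(size_t)3; }

    int main(int argc, char **argv) {
        if (argc != 2) { fprintf(stderr, "usage: %s <core>\n", argv[0]); return 1; }
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 1; }

        Elf64_Ehdr eh;
        if (fread(&eh, sizeof eh, 1, f) != 1) { fclose(f); return 1; }

        for (int i = 0; i < eh.e_phnum; i++) {
            Elf64_Phdr ph;
            fseek(f, (long)(eh.e_phoff + (unsigned long)i * eh.e_phentsize), SEEK_SET);
            if (fread(&ph, sizeof ph, 1, f) != 1 || ph.p_type != PT_NOTE)
                continue;

            unsigned char *notes = malloc(ph.p_filesz);
            if (!notes) break;
            fseek(f, (long)ph.p_offset, SEEK_SET);
            if (fread(notes, 1, ph.p_filesz, f) != ph.p_filesz) { free(notes); break; }

            /* Each note: an Elf64_Nhdr, then the name and descriptor,
               each padded to a 4-byte boundary. */
            size_t off = 0;
            while (off + sizeof(Elf64_Nhdr) <= ph.p_filesz) {
                Elf64_Nhdr *nh = (Elf64_Nhdr *)(notes + off);
                const char *name = (const char *)(notes + off + sizeof *nh);
                printf("note '%.*s' type=%u descsz=%u%s\n",
                       (int)nh->n_namesz, name, nh->n_type, nh->n_descsz,
                       nh->n_type == NT_PRSTATUS ? "  (NT_PRSTATUS: registers/signal)" : "");
                off += sizeof *nh + align4(nh->n_namesz) + align4(nh->n_descsz);
            }
            free(notes);
        }
        fclose(f);
        return 0;
    }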
Naming and Storage Conventions
Core dump files in Unix-like systems follow standardized naming conventions to facilitate identification and organization. By default, the file is named simply "core" and stored in the current working directory of the process that generated it.[1] If the kernel parameter /proc/sys/kernel/core_uses_pid is set to a nonzero value, the filename incorporates the process ID (PID), as in "core.12345". Naming can be customized further through the /proc/sys/kernel/core_pattern file, which supports placeholders for dynamic elements like PID (%p), signal number (%s), timestamp (%t in seconds since epoch), hostname (%h), and executable name (%e). For instance, a pattern like "core.%p.%s.%t" produces files such as "core.12345.11.1636450000", where 11 represents the signal (e.g., SIGSEGV).[55] This file can also specify a full path for storage, redirecting dumps away from the working directory to a central location like /var/crash/core.%p. Additionally, patterns starting with a pipe symbol (|) enable piping the dump to a user-space program for immediate processing, such as Ubuntu's Apport crash reporter via |/usr/share/apport/apport %p %s %c %d %P %E.[56]
Storage management often involves quotas and automated cleanup to prevent excessive disk usage. In systems using systemd-coredump, dumps are stored compressed in /var/lib/systemd/coredump, with limits enforced via /etc/systemd/coredump.conf: MaxUse= defaults to 10% of the filesystem size, triggering deletion of oldest dumps when exceeded, while KeepFree= reserves 15% free space with priority.[57] Individual dump sizes are capped by ProcessSizeMax= (defaults to 1 GB on 32-bit systems and 32 GB on 64-bit systems).[57] Retention is further handled by systemd-tmpfiles, which defaults to deleting files in /var/lib/systemd/coredump after 3 days via a configuration in /usr/lib/tmpfiles.d/systemd.conf.[58]
Security practices emphasize restricting core dumps in production environments, where they may expose sensitive data from process memory, including credentials or proprietary information.[59] Administrators often disable generation entirely using ulimit -c 0 in shell profiles like /etc/profile or by setting Storage=none in coredump.conf.[57][59] When enabled, dumps should be directed to restricted directories with appropriate permissions, such as those owned by root and inaccessible to non-privileged users, to mitigate unauthorized access risks.
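Beyond these system-wide settings, a process handling secrets can limit its own exposure. The hedged C sketch below shows one Linux-specific approach: mapping a page-aligned buffer and marking it with madvise(MADV_DONTDUMP) (Linux 3.4 and later) so that region is omitted from any core file; the "example credential" string and buffer size are placeholders:

    #define _DEFAULT_SOURCE
    #include <stdio.h>
    #include <string.h>
    #include <sys/mman.h>
    #include <sys/resource.h>

    int main(void) {
        /* The sensitive region must be page-aligned, so obtain it with mmap(). */
        size_t len = 4096;
        char *secret = mmap(NULL, len, PROT_READ | PROT_WRITE,
                            MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
        if (secret == MAP_FAILED) { perror("mmap"); return 1; }

        /* Exclude this mapping from any future core dump. */
        if (madvise(secret, len, MADV_DONTDUMP) != 0)
            perror("madvise(MADV_DONTDUMP)");

        strcpy(secret, "example credential");   /* never written to core files */

        /* A stricter alternative is to disable core files entirely:
           struct rlimit none = {0, 0}; setrlimit(RLIMIT_CORE, &none); */

        munmap(secret, len);
        return 0;
    }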
For historical retention, core dumps can integrate with log rotation tools like logrotate, configured to compress, rotate, and archive files in designated directories based on size or age thresholds, ensuring organized long-term storage without manual intervention. This approach complements kernel-level policies, allowing customizable retention periods beyond default cleanup mechanisms.[58]
Platform Variations
Unix-like Systems
In Unix-like operating systems, including Linux, BSD variants, and macOS, core dumps are generated when a process terminates abnormally due to signals such as SIGSEGV (segmentation fault), SIGABRT (abort), SIGFPE (floating-point exception), SIGILL (illegal instruction), or SIGQUIT (keyboard quit), which by default trigger a core dump alongside process termination.[16] The prctl(PR_SET_DUMPABLE) system call allows processes to control their dumpability; for instance, setting it to 1 (via prctl(PR_SET_DUMPABLE, 1)) enables core dumps for the calling process, which is particularly useful for privileged or setuid processes where dumps are disabled by default to prevent information leakage. The attribute is inherited across fork(), but the kernel resets it when a new program is executed or when credentials change, following the policy in /proc/sys/fs/suid_dumpable for privileged transitions.
On Linux and the BSDs, core dumps typically follow the Executable and Linkable Format (ELF), while macOS writes Mach-O core files; in each case the dump captures the process's memory image, registers, and auxiliary data at the time of failure. Key notes include NT_PRSTATUS, which records the process status such as general-purpose registers, signal number, and code, and NT_AUXV, which provides the auxiliary vector (e.g., AT_PHDR for the program header address).[5] In Linux kernels since version 2.6.23, the /proc/[pid]/coredump_filter file offers fine-grained control over dump contents via a bitmask; for example, bit 0 enables anonymous private mappings, bit 1 shared anonymous mappings, and bit 4 ELF headers, with a default value of 0x33 dumping most essential segments while excluding large or sensitive areas to manage file size.[5] This filtering helps balance diagnostic utility with storage constraints.
Naming conventions for core dump files are configurable through /proc/sys/kernel/core_pattern, which supports patterns like %p for process ID and %s for the signal number that caused the dump; for example, setting it to "core-%p-%s" produces files named core-1234-11 for PID 1234 and SIGSEGV (signal 11).[61] The /proc/sys/kernel/core_uses_pid parameter, when set to 1, automatically appends the PID (e.g., core.1234) if no %p is in the pattern, providing backward compatibility and uniqueness to avoid overwrites.[61] Storage is limited by the RLIMIT_CORE resource, adjustable via ulimit -c (e.g., ulimit -c unlimited to remove the limit, or a numeric value, counted in blocks, to impose a cap), which prevents excessive disk usage but can truncate dumps if exceeded.
In distributions like Ubuntu, the Apport tool automates collection by intercepting crashes and storing compressed dumps in /var/crash/ with metadata, enabled via systemctl enable apport for non-interactive analysis.[62] Similarly, Fedora's ABRT (Automatic Bug Reporting Tool) captures dumps in /var/spool/abrt/, processing them for backtraces and symbolication before optional reporting.[63] Analysis of Unix-like core dumps often involves GDB, loaded as gdb executable core, where symbol resolution requires debug information packages; in systems like Fedora or RHEL, these are installed via debuginfo tools, placing symbols in /usr/lib/debug/ for libraries and executables, enabling commands like bt (backtrace) to map addresses to source lines.
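The per-process controls described above can be combined in code. The Linux-specific sketch below marks the calling process dumpable with prctl() and widens its /proc/self/coredump_filter so that more mapping types appear in any future dump; the 0x73 bitmask is only an example, not a recommendation:

    #include <stdio.h>
    #include <sys/prctl.h>

    int main(void) {
        /* Ensure this process may be dumped even if it dropped privileges. */
        if (prctl(PR_SET_DUMPABLE, 1, 0, 0, 0) != 0)
            perror("prctl(PR_SET_DUMPABLE)");

        /* Include anonymous private/shared mappings, ELF headers, and
           hugetlb pages in future dumps (bits 0, 1, 4, 5, 6 => 0x73). */
        FILE *f = fopen("/proc/self/coredump_filter", "w");
        if (f) {
            fputs("0x73", f);
            fclose(f);
        } else {
            perror("coredump_filter");
        }
        return 0;
    }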
Address Space Layout Randomization (ASLR), enabled by default in modern kernels (via /proc/sys/kernel/randomize_va_space=2), randomizes load addresses for security, but core dumps preserve the runtime layout, allowing GDB to relocate symbols accurately without disabling ASLR during analysis, though reproducing crashes may require temporarily setting randomize_va_space=0 for consistent addressing.[61]
In containerized environments like Docker on Linux hosts, core dump support requires explicit configuration due to default limits; running containers with --ulimit core=-1 (unlimited) enables dumps, often combined with volume mounts (e.g., -v /host/tmp:/tmp) to persist files outside the ephemeral container filesystem, and --privileged if kernel restrictions apply, ensuring dumps capture container-specific memory without host interference. This setup addresses challenges in isolated environments, where dumps might otherwise be discarded or truncated.[64]
Windows Systems
In Windows systems, the equivalent of a core dump is referred to as a memory dump, which captures the state of a process or the entire system's memory at the time of a failure for debugging purposes.[65] These dumps are primarily managed through Windows Error Reporting (WER), a built-in mechanism that handles both user-mode and kernel-mode failures.[66] Common types include minidumps, which record essential data such as the call stack and thread contexts for a specific process (typically 256 KB or less), full dumps that include the entire process memory, and kernel dumps that focus on system-level components.[67] Minidumps are the default for user-mode application crashes to balance diagnostic utility with storage efficiency, while complete memory dumps encompass all physical RAM but require significant disk space and a sufficiently large page file.[3]
Memory dumps can be generated automatically or manually. Automatic generation occurs for user-mode crashes via WER, which is triggered by unhandled exceptions in applications and logs events such as Event ID 1000 in the Windows Event Log, indicating the faulting module and exception code.[66] For kernel-mode failures, such as Blue Screen of Death (BSOD) events, dumps are created using the system's page file (pagefile.sys) to store kernel memory data when configured for kernel, automatic, or complete dump types in System Properties.[68] Legacy tools like Dr. Watson, available in older Windows versions such as XP and Server 2003, automated user-mode crash reporting with optional full dumps but have been superseded by WER in modern releases.[69] The Fault Tolerant Heap (FTH) feature, introduced in Windows 7, monitors recurring application crashes and can indirectly facilitate dump collection by mitigating heap corruption before invoking WER.[70]
Manual generation provides flexibility for on-demand debugging. Users can create live kernel or user-mode dumps directly from Task Manager by right-clicking a process and selecting "Create dump file," which saves a full memory snapshot without terminating the process.[71] For scripted or automated scenarios, the ADPlus.vbs script from the Windows Debugging Tools attaches the debugger (e.g., CDB) to a process and captures dumps on exceptions or hangs. The ProcDump utility from Sysinternals, a command-line tool, enables conditional dumps based on CPU thresholds, memory usage, or exceptions, often used in production environments with commands like procdump -ma process.exe to generate a full dump and exit.[72]
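At the API level, user-mode .dmp files can also be produced directly from code through the DbgHelp MiniDumpWriteDump function, the facility that utilities such as ProcDump build on. The hedged C sketch below writes a minidump of the current process; the output filename snapshot.dmp is arbitrary, dbghelp.lib is required at link time, and error handling is minimal:

    #include <windows.h>
    #include <dbghelp.h>
    #include <stdio.h>

    /* Link with dbghelp.lib. Writes a minidump of the current process. */
    int main(void) {
        HANDLE file = CreateFileW(L"snapshot.dmp", GENERIC_WRITE, 0, NULL,
                                  CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
        if (file == INVALID_HANDLE_VALUE) {
            fprintf(stderr, "CreateFileW failed: %lu\n", GetLastError());
            return 1;
        }

        /* MiniDumpNormal captures stacks and basic module information;
           MiniDumpWithFullMemory would approximate a "full" dump. */
        BOOL ok = MiniDumpWriteDump(GetCurrentProcess(), GetCurrentProcessId(),
                                    file, MiniDumpNormal, NULL, NULL, NULL);
        CloseHandle(file);

        printf("minidump %s\n", ok ? "written to snapshot.dmp" : "failed");
        return ok ? 0 : 1;
    }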
Dump files use the .dmp extension and follow the Microsoft Debug Dump format, compatible with tools like WinDbg for analysis; this format includes headers with system information, followed by memory pages and exception details.[73] Minidumps are partial, excluding most user-mode memory to reduce size, whereas complete dumps include all addressable memory.[65] Kernel dumps, generated during system crashes, rely on pagefile.sys for temporary storage before writing to the final location, ensuring capture even if the boot volume is affected.[3]
Naming conventions for user-mode dumps default to the format ProcessName_pid_YYYYMMDD_HHMMSS.dmp and are stored in %LOCALAPPDATA%\CrashDumps for per-user crashes or %WINDIR%\Minidump for system-wide ones, with paths configurable via registry keys under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps.[66] Kernel dumps are typically saved as MEMORY.DMP in the %SystemRoot% directory, with options to specify custom paths in advanced system settings.[68] Event logs, such as those under Application or System sources, record triggers with details like fault offsets to correlate with dump files.[74]
Kernel-mode dumps differ from user-mode ones in scope and triggers: kernel dumps address system-wide issues like driver faults during BSODs, capturing kernel address space, loaded modules, and processor states via the page file, while user-mode dumps target individual application exceptions without affecting the OS kernel.[67] In virtualized environments like Hyper-V, host-initiated dumps for guest VMs use tools such as VMConnect or PowerShell cmdlets (e.g., Get-VM | Stop-VM -Force) combined with ProcDump to capture guest memory without direct guest access, supporting diagnostics in cloud-integrated setups like Azure Virtual Machines.[75] Brief comparisons to Unix-like core dumps highlight Windows' emphasis on configurable partial captures over full ELF-based snapshots.[66]