core File Format

Edit online

Purpose

Contains an image of a process at the time of an error.

Description

A .core file is created in the current directory when various errors occur. Errors such as memory-address violations, illegal instructions, bus errors, and user-generated quit signals, commonly cause this core dump. The core file that is created contains a memory image of the terminated process. If the faulty process is multi-threaded and the current core size ulimit is less than what is required to dump the data section, then only the faulting thread stack area is dumped from the data section.
Note: The core dump file can be given a unique name by using the chcore command. The default behavior is the same as in previous versions of the AIX® operating system.

Any shared memory allocated by the process may also be optionally omitted from the core file. This data is only omitted if the CORE_NOSHM environment variable is exported. The default is to include all shared memory in the core file. The CORE_NOSHM variable can be set to any value.

Unique core file naming will only be enabled if the environment variable CORE_NAMING is exported. The default name is core as in previous releases. The value of the variable should be set to true.

The contents of a core dump are organized sequentially in the core file as follows:

Item Description
Core header Defines basic information about the core dump, and contains offsets that locate the remainder of the core dump information.
ldinfo structures Defines loader information.
mstsave structures Defines kernel thread state information. Since the faulting thread mstsave structure is directly saved in the core header, additional structures are saved here only for multi-threaded programs.
Default user stack Contains a copy of the user stack at the time of the core dump.
Default data area (Optional) Contains the user data section.
Memory mapped regions (Optional) Contains the anonymously mapped regions.
vm_info structures (Optional) Contains offset and size information for memory mapped regions.

By default, the user data is, anonymously mapped regions, and vm_info structures are not included in a core dump. This partial core dump includes the current process stack, thread stack, the thread mstsave structures, the user structure, and the state of the registers at the time of the fault. A partial core dump contains sufficient information for a stack traceback. The size of a core dump can also be limited by the setrlimit subroutine.

To enable a full core dump, set the SA_FULLDUMP flag in the sigaction subroutine for the signal that is to generate a full core dump. If this flag is set when the core is dumped, the data section is, anonymously mapped regions, and vm_info structures are included in the core dump.

Core files are dumped in the following ways:
  • All dumped cores are in the context of the running process. They are dumped with an owner and a group matching the effective user ID (UID) and group ID (GID) of the process. If this UID/GID pair does not have permission to write to the target directory that is determined according to the standard core path procedures, no core file is dumped.
  • If the real user ID (RUID) is root, the core file can always be dumped, but with a mode of 0600.
  • If the effective user ID (EUID) matches the real user ID (RUID), and the effective group ID (EGID) matches any group in the credential's group list, the core file is dumped with permissions of 0600.
  • If the EUID matches the RUID, but the EGID does not match any group in the credential's group list, the core file cannot be dumped. The effective user cannot see data that they do not have access to.
  • If the EUID does not match the RUID, the core file can be dumped only if you have set a core directory using the syscorepath command. This avoids dumping the core file into either the current working directory or a user-specific core directory in such a way that you cannot remove the core file. Core is dumped with a mode of 0600. If you have not used the syscorepath command to set a core directory, no core is dumped.

The format of the core header is defined by the core_dump structure (in the core.h header file), which is organized as follows:

Item Field Name Description
char c_signo The number of the signal which caused the error.
char c_flag A bit field which describes the core dump type. The meanings of the bits are as follows:
FULL_CORE
core contains the data sections (0x01)
CORE_VERSION_1
core was generated by AIX Version 4 or higher (0x02)
MSTS_VALID
core contains mstsave structures (0x04)
CORE_BIGDATA
core contains big data (0x08)
UBLOCK_VALID
core contains the u_block structure (0x10)
USTACK_VALID
core contains the user stack (0x20)
LE_VALID
core contains at least one module (0x40)
CORE_TRUNC
core was truncated (0x80)
ushort c_entries The number of core dump modules
struct ld_info * c_tab The offset to the beginning of the core table
caddr_t c_stack The offset to the beginning of the user stack
int c_size The size of the user stack
struct mstsave c_mst A copy of the faulting mst
struct user c_u A copy of the user structure
int c_nmsts The number of mstsave structures referenced by the c_msts field
struct mstsave * c_msts The offset to the other threads' mstsave structures
int c_datasize The size of the data region
caddr_t c_data The offset to user data
int c_vmregions The number of anonymously mapped regions
struct vm_info * c_vmm The offset to the start of the vm_info table