1 .\" Copyright (c) 2006, 2008 by Michael Kerrisk <mtk.manpages@gmail.com>
3 .\" Permission is granted to make and distribute verbatim copies of this
4 .\" manual provided the copyright notice and this permission notice are
5 .\" preserved on all copies.
7 .\" Permission is granted to copy and distribute modified versions of this
8 .\" manual under the conditions for verbatim copying, provided that the
9 .\" entire resulting derived work is distributed under the terms of a
10 .\" permission notice identical to this one.
12 .\" Since the Linux kernel and libraries are constantly changing, this
13 .\" manual page may be incorrect or out-of-date. The author(s) assume no
14 .\" responsibility for errors or omissions, or for damages resulting from
15 .\" the use of the information contained herein. The author(s) may not
16 .\" have taken the same level of care in the production of this manual,
17 .\" which is licensed free of charge, as they might when working
20 .\" Formatted or processed versions of this manual, if unaccompanied by
21 .\" the source, must acknowledge the copyright and authors of this work.
23 .TH CORE 5 2012-07-16 "Linux" "Linux Programmer's Manual"
25 core \- core dump file
27 The default action of certain signals is to cause a process to terminate
29 .IR "core dump file" ,
30 a disk file containing an image of the process's memory at
31 the time of termination.
32 This image can be used in a debugger (e.g.,
34 to inspect the state of the program at the time that it terminated.
35 A list of the signals which cause a process to dump core can be found in
38 A process can set its soft
40 resource limit to place an upper limit on the size of the core dump file
41 that will be produced if it receives a "core dump" signal; see
45 There are various circumstances in which a core dump file is
48 The process does not have permission to write the core file.
49 (By default the core file is called
51 and is created in the current working directory.
52 See below for details on naming.)
53 Writing the core file will fail if the directory in which
54 it is to be created is nonwritable,
55 or if a file with the same name exists and
57 or is not a regular file
58 (e.g., it is a directory or a symbolic link).
60 A (writable, regular) file with the same name as would be used for the
61 core dump already exists, but there is more than one hard link to that
64 The file system where the core dump file would be created is full;
65 or has run out of inodes; or is mounted read-only;
66 or the user has reached their quota for the file system.
68 The directory in which the core dump file is to be created does
75 (file size) resource limits for the process are set to zero; see
77 and the documentation of the shell's
84 The binary being executed by the process does not have read
87 The process is executing a set-user-ID (set-group-ID) program
88 that is owned by a user (group) other than the real user (group)
90 (However, see the description of the
93 operation, and the description of the
94 .I /proc/sys/fs/suid_dumpable
95 .\" FIXME . Perhaps relocate discussion of /proc/sys/fs/suid_dumpable
96 .\" and PR_SET_DUMPABLE to this page?
101 a core dump may exclude part of the address space of the process if the
105 .SS Naming of core dump files
106 By default, a core dump file is named
109 .I /proc/sys/kernel/core_pattern
110 file (since Linux 2.6 and 2.4.21)
111 can be set to define a template that is used to name core dump files.
112 The template can contain % specifiers which are substituted
113 by the following values when a core file is created:
122 PID of dumped process
125 (numeric) real UID of dumped process
128 (numeric) real GID of dumped process
131 number of signal causing dump
134 time of dump, expressed as seconds since the
135 Epoch, 1970-01-01 00:00:00 +0000 (UTC)
138 hostname (same as \fInodename\fP returned by \fBuname\fP(2))
141 executable filename (without path prefix)
144 pathname of executable,
145 with slashes (\(aq/\(aq) replaced by exclamation marks (\(aq!\(aq).
148 core file size soft resource limit of crashing process (since Linux 2.6.24)
152 A single % at the end of the template is dropped from the
153 core filename, as is the combination of a % followed by any
154 character other than those listed above.
155 All other characters in the template become a literal
156 part of the core filename.
157 The template may include \(aq/\(aq characters, which are interpreted
158 as delimiters for directory names.
159 The maximum size of the resulting core filename is 128 bytes (64 bytes
160 in kernels before 2.6.19).
161 The default value in this file is "core".
162 For backward compatibility, if
163 .I /proc/sys/kernel/core_pattern
164 does not include "%p" and
165 .I /proc/sys/kernel/core_uses_pid
167 is nonzero, then .PID will be appended to the core filename.
169 Since version 2.4, Linux has also provided
170 a more primitive method of controlling
171 the name of the core dump file.
173 .I /proc/sys/kernel/core_uses_pid
174 file contains the value 0, then a core dump file is simply named
176 If this file contains a nonzero value, then the core dump file includes
177 the process ID in a name of the form
181 .\" 9520628e8ceb69fa9a4aee6b57f22675d9e1b709
183 .I /proc/sys/fs/suid_dumpable
184 is set to 2 ("suidsafe"), the pattern must be either an absolute pathname
185 (starting with a leading \(aq/\(aq character) or a pipe, as defined below.
187 .SS Piping core dumps to a program
188 Since kernel 2.6.19, Linux supports an alternate syntax for the
189 .I /proc/sys/kernel/core_pattern
191 If the first character of this file is a pipe symbol (\fB|\fP),
192 then the remainder of the line is interpreted as a program to be
194 Instead of being written to a disk file, the core dump is given as
195 standard input to the program.
196 Note the following points:
198 The program must be specified using an absolute pathname (or a
199 pathname relative to the root directory, \fI/\fP),
200 and must immediately follow the '|' character.
202 The process created to run the program runs as user and group
205 Command-line arguments can be supplied to the
206 program (since kernel 2.6.24),
207 delimited by white space (up to a total line length of 128 bytes).
209 The command-line arguments can include any of
210 the % specifiers listed above.
211 For example, to pass the PID of the process that is being dumped, specify
214 .SS Controlling which mappings are written to the core dump
215 Since kernel 2.6.23, the Linux-specific
216 .IR /proc/PID/coredump_filter
217 file can be used to control which memory segments are written to the
218 core dump file in the event that a core dump is performed for the
219 process with the corresponding process ID.
221 The value in the file is a bit mask of memory mapping types (see
223 If a bit is set in the mask, then memory mappings of the
224 corresponding type are dumped; otherwise they are not dumped.
225 The bits in this file have the following meanings:
231 Dump anonymous private mappings.
234 Dump anonymous shared mappings.
237 Dump file-backed private mappings.
240 Dump file-backed shared mappings.
241 .\" file-backed shared mappings of course also update the underlying
244 bit 4 (since Linux 2.6.24)
247 bit 5 (since Linux 2.6.28)
248 Dump private huge pages.
250 bit 6 (since Linux 2.6.28)
251 Dump shared huge pages.
255 By default, the following bits are set: 0, 1, 4 (if the
256 .B CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS
257 kernel configuration option is enabled), and 5.
258 The value of this file is displayed in hexadecimal.
259 (The default value is thus displayed as 33.)
261 Memory-mapped I/O pages such as frame buffer are never dumped, and
262 virtual DSO pages are always dumped, regardless of the
266 A child process created via
268 inherits its parent's
273 value is preserved across an
276 It can be useful to set
278 in the parent shell before running a program, for example:
282 .RB "$" " echo 0x7 > /proc/self/coredump_filter"
283 .RB "$" " ./some_program"
287 This file is only provided if the kernel was built with the
289 configuration option.
294 command can be used to obtain a core dump of a running process.
296 If a multithreaded process (or, more precisely, a process that
297 shares its memory with another process by being created with the
301 dumps core, then the process ID is always appended to the core filename,
302 unless the process ID was already included elsewhere in the
303 filename via a %p specification in
304 .IR /proc/sys/kernel/core_pattern .
305 (This is primarily useful when employing the LinuxThreads implementation,
306 where each thread of a process has a different PID.)
307 .\" Always including the PID in the name of the core file made
308 .\" sense for LinuxThreads, where each thread had a unique PID,
309 .\" but doesn't seem to serve any purpose with NPTL, where all the
310 .\" threads in a process share the same PID (as POSIX.1 requires).
311 .\" Probably the behavior is maintained so that applications using
312 .\" LinuxThreads continue appending the PID (the kernel has no easy
313 .\" way of telling which threading implementation the user-space
314 .\" application is using). -- mtk, April 2006
316 The program below can be used to demonstrate the use of the
318 .I /proc/sys/kernel/core_pattern
320 The following shell session demonstrates the use of this program
321 (compiled to create an executable named
322 .IR core_pattern_pipe_test ):
326 .RB "$" " cc \-o core_pattern_pipe_test core_pattern_pipe_test.c"
329 .RB "#" " echo \(dq|$PWD/core_pattern_pipe_test %p \
330 UID=%u GID=%g sig=%s\(dq > \e"
331 .B " /proc/sys/kernel/core_pattern"
334 .BR "^\e" " # type control-backslash"
336 .RB "$" " cat core.info"
338 argc[0]=</home/mtk/core_pattern_pipe_test>
343 Total bytes in core dump: 282624
349 /* core_pattern_pipe_test.c */
352 #include <sys/stat.h>
359 #define BUF_SIZE 1024
362 main(int argc, char *argv[])
370 /* Change our current working directory to that of the
373 snprintf(cwd, PATH_MAX, "/proc/%s/cwd", argv[1]);
376 /* Write output to file "core.info" in that directory */
378 fp = fopen("core.info", "w+");
382 /* Display command\-line arguments given to core_pattern
385 fprintf(fp, "argc=%d\\n", argc);
386 for (j = 0; j < argc; j++)
387 fprintf(fp, "argc[%d]=<%s>\\n", j, argv[j]);
389 /* Count bytes in standard input (the core dump) */
392 while ((nread = read(STDIN_FILENO, buf, BUF_SIZE)) > 0)
394 fprintf(fp, "Total bytes in core dump: %d\\n", tot);