I'm debugging using core dumps, and note that gdb needs you to supply the executable as well as the core dump. Why is this? If the core dump contains all the memory that the process uses, isn't the executable contained within the core dump? Perhaps there's no guarantee that the whole exe is loaded into memory (individual executables are not usually that big though) or maybe the core dump doesn't contain all relevant memory after all? Is it for the symbols (perhaps they're not loaded into memory normally)?
Why does GDB need the executable as well as the core dump
core-dumpgdb
Best Answer
The core dump is just the dump of your programs memory footprint, if you know where everything was then you could just use that.
You use the executable because it explains where (in terms of logical addresses) things are located in memory, i.e. the core file.
If you use a command
objdump
it will dump the meta data about the executable object you are investigating. Using an executable object named a.out as an example.objdump -h a.out
dumps the header information only, you will see sections named eg. .data or .bss or .text (there are many more). These inform the kernel loader where in the object various sections can be found and where in the process address space the section should be loaded, and for some sections (eg .data .text) what should be loaded. (.bss section doesn't contain any data in the file but it refers to the amount of memory to reserve in the process for uninitialised data, it is filled with zeros ).The layout of the executable object file conforms to a standard, ELF.
objdump -x a.out
- dumps everythingIf the executable object still contains its symbol tables (it hasn't been stripped -
man strip
and you used-g
to generate debug generation togcc
assuming a c source compilation), then you can examine the core contents by symbol names, e.g. if you had a variable/buffer named inputLine in your source code, you could use that name ingdb
to look at its content. i.e.gdb
would know the offset from the start of your programs initialised data segment where inputLine starts and the length of that variable.Further reading Article1, Article 2, and for the nitty gritty Executable and Linking Format (ELF) specification.
Update after @mirabilos comment below.
But if using the symbol table as in
Produces
and then not using symbol table and examining address directly in,
Produces
I have examined memory directly without using the symbol table in the 2nd command.
I also see, @user580082 's answer adds further to explanation, and will up-vote.