Linuxのcore dumpの中身についてその3

coreファイル内のnoteセクションにどんな情報が含まれているのか調べてみた。


まず、objdumpでセクション情報を調べる

$ objdump -h core.3313
core.3313:     file format elf32-i386
Sections:
Idx Name          Size      VMA       LMA       File off  Algn
0 note0         000001d8  00000000  00000000  000001d4  2**0
CONTENTS, READONLY
...

readelfで見てみる

$ readelf -a core.3313
...
Notes at offset 0x000001d4 with length 0x000001d8:
Owner         Data size       Description
CORE          0x00000090      NT_PRSTATUS (prstatus structure)
CORE          0x0000007c      NT_PRPSINFO (prpsinfo structure)
CORE          0x00000090      NT_AUXV (auxiliary vector)

出力の一番最後にnoteの情報が出ている。

更に、note0のダンプを取り、readelfの結果と付き合わせてみる。

$ objdump -s -j note0 core.3313
core.3313:     file format elf32-i386
Contents of section note0:
0000 05000000 90000000 01000000 434f5245  ............CORE
0010 00000000 0b000000 00000000 00000000  ................
0020 0b000000 00000000 00000000 f10c0000  ................
0030 460c0000 f10c0000 460c0000 00000000  F.......F.......
0040 e7030000 00000000 87130000 00000000  ................
0050 00000000 00000000 00000000 f43fa300  .............?..
0060 b01db4bf 01000000 a04c8f00 00000000  .........L......
0070 981db4bf 341eb4bf 7b000000 7b000000  ....4...{...{...
0080 00000000 33000000 ffffffff 79830408  ....3.......y...
0090 73000000 82020100 80150590 7b000000  s...........{...
00a0 00000000 05000000 7c000000 03000000  ........|.......
00b0 434f5245 00000000 00520000 00064000  CORE.....R....@.
00c0 f401f401 f10c0000 460c0000 f10c0000  ........F.......
00d0 460c0000 6269675f 61727261 79000000  F...big_array...
00e0 00000000 2e2f6269 675f6172 72617920  ...../big_array
00f0 00000000 00000000 00000000 00000000  ................
0100 00000000 00000000 00000000 00000000  ................
0110 00000000 00000000 00000000 00000000  ................
0120 00000000 00000000 00000000 00000000  ................
0130 00000000 05000000 90000000 06000000  ................
0140 434f5245 00000000 20000000 00c43d00  CORE.... .....=.
0150 21000000 00c03d00 10000000 fffbeb0f  !.....=.........
0160 06000000 00100000 11000000 64000000  ............d...
0170 03000000 34800408 04000000 20000000  ....4....... ...
0180 05000000 07000000 07000000 00000000  ................
0190 08000000 00000000 09000000 80820408  ................
01a0 0b000000 f4010000 0c000000 f4010000  ................
01b0 0d000000 f4010000 0e000000 f4010000  ................
01c0 17000000 00000000 0f000000 3b1fb4bf  ............;...
01d0 00000000 00000000                    ........

noteセクションの構造は、以下のようになっている。

[ ][ ][ ][ ] namesz(4byte)  ノート名の長さ
[ ][ ][ ][ ] descsz(4byte)  ノート本体の長さ
[ ][ ][ ][ ] type(4byte)    ノートのタイプ
[ ][ ][ ]…[ ] name(Nbyte)  ノート名(長さはnamesz) ※4バイト境界
[ ][ ][ ]…[ ] desc(Nbyte)  ノート本体(長さはdescs) ※4バイト境界

次に、NT_PRSTATUS (prstatus structure)、NT_PRPSINFO (prpsinfo structure)、NT_AUXV (auxiliary vector)といったノートのタイプとノート本体。ノート名は只のテキスト情報なので、ダンプ結果を見れば一目瞭然と思う。

ノートのタイプは、/usr/include/elf.hに定義がある。

$ grep "define NT_" /usr/include/elf.h
#define NT_PRSTATUS     1               /* Contains copy of prstatus struct */
#define NT_FPREGSET     2               /* Contains copy of fpregset struct */
#define NT_PRPSINFO     3               /* Contains copy of prpsinfo struct */
#define NT_PRXREG       4               /* Contains copy of prxregset struct */
#define NT_TASKSTRUCT   4               /* Contains copy of task structure */
#define NT_PLATFORM     5               /* String from sysinfo(SI_PLATFORM) */
#define NT_AUXV         6               /* Contains copy of auxv array */
#define NT_GWINDOWS     7               /* Contains copy of gwindows struct */
#define NT_ASRS         8               /* Contains copy of asrset struct */
#define NT_PSTATUS      10              /* Contains copy of pstatus struct */
#define NT_PSINFO       13              /* Contains copy of psinfo struct */
#define NT_PRCRED       14              /* Contains copy of prcred struct */
#define NT_UTSNAME      15              /* Contains copy of utsname struct */
#define NT_LWPSTATUS    16              /* Contains copy of lwpstatus struct */
#define NT_LWPSINFO     17              /* Contains copy of lwpinfo struct */
#define NT_PRFPXREG     20              /* Contains copy of fprxregset struct*/
#define NT_VERSION      1               /* Contains a version string.  */

ノートの本体のうち、今回出てきたprstatus structureとprpsinfo structureは、/usr/include/sys/procfs.hに定義がある。

$ cat /usr/include/sys/procfs.h
...
struct elf_prstatus
{
struct elf_siginfo pr_info;         /* Info associated with signal.  */
short int pr_cursig;                /* Current signal.  */
unsigned long int pr_sigpend;       /* Set of pending signals.  */
unsigned long int pr_sighold;       /* Set of held signals.  */
__pid_t pr_pid;
__pid_t pr_ppid;
__pid_t pr_pgrp;
__pid_t pr_sid;
struct timeval pr_utime;            /* User time.  */
struct timeval pr_stime;            /* System time.  */
struct timeval pr_cutime;           /* Cumulative user time.  */
struct timeval pr_cstime;           /* Cumulative system time.  */
elf_gregset_t pr_reg;               /* GP registers.  */
int pr_fpvalid;                     /* True if math copro being used.  */
};
...
struct elf_prpsinfo
{
char pr_state;                      /* Numeric process state.  */
char pr_sname;                      /* Char for pr_state.  */
char pr_zomb;                       /* Zombie.  */
char pr_nice;                       /* Nice val.  */
unsigned long int pr_flag;          /* Flags.  */
unsigned short int pr_uid;
unsigned short int pr_gid;
int pr_pid, pr_ppid, pr_pgrp, pr_sid;
/* Lots missing */
char pr_fname[16];                  /* Filename of executable.  */
char pr_psargs[ELF_PRARGSZ];        /* Initial part of arg list.  */
};
...

auxiliary vectorとは、id(4byte)とその値Val(4byte)が交互に並んだ構造をしており、id=0となったところが構造の終わりとなっている。

[id(4byte)][val(4byte)][id(4byte)][val(4byte)]...[id(4byte)][val(4byte)]

idは/usr/include/elf.hに定義されている

$ grep "define AT_" /usr/include/elf.h
#define AT_NULL         0               /* End of vector */
#define AT_IGNORE       1               /* Entry should be ignored */
#define AT_EXECFD       2               /* File descriptor of program */
#define AT_PHDR         3               /* Program headers for program */
#define AT_PHENT        4               /* Size of program header entry */
#define AT_PHNUM        5               /* Number of program headers */
#define AT_PAGESZ       6               /* System page size */
#define AT_BASE         7               /* Base address of interpreter */
#define AT_FLAGS        8               /* Flags */
#define AT_ENTRY        9               /* Entry point of program */
#define AT_NOTELF       10              /* Program is not ELF */
#define AT_UID          11              /* Real uid */
#define AT_EUID         12              /* Effective uid */
#define AT_GID          13              /* Real gid */
#define AT_EGID         14              /* Effective gid */
#define AT_CLKTCK       17              /* Frequency of times() */
#define AT_PLATFORM     15              /* String identifying platform.  */
#define AT_HWCAP        16              /* Machine dependent hints about
#define AT_FPUCW        18              /* Used FPU control word.  */
#define AT_DCACHEBSIZE  19              /* Data cache block size.  */
#define AT_ICACHEBSIZE  20              /* Instruction cache block size.  */
#define AT_UCACHEBSIZE  21              /* Unified cache block size.  */
#define AT_IGNOREPPC    22              /* Entry should be ignored.  */
#define AT_SYSINFO      32
#define AT_SYSINFO_EHDR 33
#define AT_L1I_CACHESHAPE       34
#define AT_L1D_CACHESHAPE       35
#define AT_L2_CACHESHAPE        36
#define AT_L3_CACHESHAPE        37

コメント