Short of digging through GDB source, where can I find documentation about the format used to create core files?
The ELF specification leaves the core file format ope
The core dump file format is using the ELF format but is not described in the ELF standard. AFAIK, there is no authoritative reference on this.
So how is the information about which file a segment corresponds to, stored in the core file?
A lot of extra information is contained within the ELF notes. You can use readelf -n to see them.
The CORE/NT_FILE note defines the association between memory address range and file (+ offset):
    Page size: 1
                 Start                 End         Page Offset
    0x0000000000400000  0x000000000049d000  0x0000000000000000
        /usr/bin/xchat
    0x000000000069c000  0x00000000006a0000  0x000000000009c000
        /usr/bin/xchat
    0x00007f2490885000  0x00007f24908a1000  0x0000000000000000
        /usr/share/icons/gnome/icon-theme.cache
    0x00007f24908a1000  0x00007f24908bd000  0x0000000000000000
        /usr/share/icons/gnome/icon-theme.cache
    0x00007f24908bd000  0x00007f2490eb0000  0x0000000000000000
        /usr/share/fonts/opentype/ipafont-gothic/ipag.ttf
    [...]
For each thread, you should have a CORE/NT_PRSTATUS note which gives you the registers of the thread (including the stack pointer). You might be able to infer the position of the stacks from this.
More information about format of ELF core files:
Anatomy of an ELF core file (disclaimer: I wrote this one)
A brief look into core dumps
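As an added illustration (not part of the original answer), here is a small parser for the CORE/NT_FILE note that readelf -n decodes above. It assumes a 64-bit little-endian Linux core, where the descriptor holds a count, a page size, count (start, end, file_ofs) triples and then the NUL-terminated file names; the function names and the sample note bytes are constructed for this example.

```python
import struct

NT_FILE = 0x46494C45  # "FILE": Linux note type carrying the mapped-file table

def iter_notes(seg):
    """Yield (name, type, desc) for each note in a PT_NOTE segment."""
    off = 0
    while off + 12 <= len(seg):
        namesz, descsz, ntype = struct.unpack_from("<III", seg, off)
        name_end = off + 12 + namesz
        desc_off = (name_end + 3) & ~3      # name is padded to 4 bytes
        desc_end = desc_off + descsz
        if desc_end > len(seg):             # sizes come from an untrusted file
            raise ValueError("note runs past end of segment")
        yield seg[off + 12:name_end].rstrip(b"\0"), ntype, seg[desc_off:desc_end]
        off = (desc_end + 3) & ~3           # desc is padded to 4 bytes

def parse_nt_file(desc):
    """Decode an NT_FILE descriptor into (start, end, file_offset, path) tuples."""
    if len(desc) < 16:
        raise ValueError("NT_FILE descriptor too short")
    count, page_size = struct.unpack_from("<QQ", desc, 0)
    table_end = 16 + count * 24
    if table_end > len(desc):               # reject a count the data cannot back
        raise ValueError("NT_FILE count exceeds descriptor size")
    names = desc[table_end:].split(b"\0")
    if len(names) < count:
        raise ValueError("NT_FILE has fewer names than entries")
    rows = struct.iter_unpack("<QQQ", desc[16:table_end])
    return [(s, e, o * page_size, names[i].decode("utf-8", "replace"))
            for i, (s, e, o) in enumerate(rows)]

def build_sample():
    """Constructed sample: one CORE/NT_FILE note with the two xchat mappings."""
    rows = [(0x400000, 0x49D000, 0x0), (0x69C000, 0x6A0000, 0x9C000)]
    desc = struct.pack("<QQ", len(rows), 1)  # page size 1, as in the output above
    desc += b"".join(struct.pack("<QQQ", *r) for r in rows)
    desc += b"/usr/bin/xchat\0" * len(rows)
    name = b"CORE\0"
    head = struct.pack("<III", len(name), len(desc), NT_FILE)
    return head + name + b"\0" * (-len(name) % 4) + desc + b"\0" * (-len(desc) % 4)

def mapped_files(seg):
    """Return the file mappings from the first CORE/NT_FILE note, or []."""
    for name, ntype, desc in iter_notes(seg):
        if name == b"CORE" and ntype == NT_FILE:
            return parse_nt_file(desc)
    return []
```

The size checks matter when the core file comes from an untrusted source, because namesz, descsz and count are all read from the file itself.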