Linux: how to generate a core file when catching SIGSEGV; core dump files on Linux: how to get information about open files?...

I have a core dump file from a process that has probably a file descriptor leak (it opens files and sockets but apparently sometimes forgets to close some of them). Is there a way to find out which files and sockets the process had opened before crashing? I can't easily reproduce the crash, so analyzing the core file seems to be the only way to get a hint on the bug.

8 solutions

#1

11

If you have a core file and you have compiled the program with debugging options (-g), you can see where the core was dumped:

    $ gcc -g -o something something.c
    $ ./something
    Segmentation fault (core dumped)
    $ gdb something core

You can use this to do some post-mortem debugging. A few gdb commands: br prints the stack, fr jumps to given stack frame (see the output of br).

Now if you want to see which files are opened at a segmentation fault, just handle the SIGSEGV signal, and in the handler, just dump the contents of the /proc/PID/fd directory (i.e. with system("ls -l /proc/PID/fd") or execv).

With this information at hand you can easily find what caused the crash, which files are opened and if the crash and the file descriptor leak are connected.

#2

5

Your best bet is to install a signal handler for whatever signal is crashing your program (SIGSEGV, etc.).

Then, in the signal handler, inspect /proc/self/fd, and save the contents to a file. Here is a sample of what you might see:

    Anderson cxc # ls -l /proc/8247/fd
    total 0
    lrwx------ 1 root root 64 Sep 12 06:05 0 -> /dev/pts/0
    lrwx------ 1 root root 64 Sep 12 06:05 1 -> /dev/pts/0
    lrwx------ 1 root root 64 Sep 12 06:05 10 -> anon_inode:[eventpoll]
    lrwx------ 1 root root 64 Sep 12 06:05 11 -> socket:[124061]
    lrwx------ 1 root root 64 Sep 12 06:05 12 -> socket:[124063]
    lrwx------ 1 root root 64 Sep 12 06:05 13 -> socket:[124064]
    lrwx------ 1 root root 64 Sep 12 06:05 14 -> /dev/driver0
    lr-x------ 1 root root 64 Sep 12 06:05 16 -> /temp/app/whatever.tar.gz
    lr-x------ 1 root root 64 Sep 12 06:05 17 -> /dev/urandom

Then you can return from your signal handler, and you should get a core dump as usual.
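The handler approach from answers #1 and #2, as an added example (not code from either poster): it resolves /proc/self/fd/N with readlink() instead of calling system() or stdio, which are not async-signal-safe, and relies on SA_RESETHAND so that returning from the handler still ends in a core dump. MAX_FD, FD_LOG and the function names are assumptions made for this sketch.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <signal.h>
#include <string.h>
#include <unistd.h>
#define MAX_FD 1024                  /* assumption: fds stay below the usual soft limit */
#define FD_LOG "/tmp/crash_fds.txt"  /* hypothetical output path */

/* Write n in decimal at p without stdio; returns the number of digits. */
static size_t put_uint(char *p, unsigned n) {
    char tmp[12]; size_t len = 0, i;
    do { tmp[len++] = (char)('0' + n % 10); n /= 10; } while (n);
    for (i = 0; i < len; i++) p[i] = tmp[len - 1 - i];
    return len;
}

/* Write one "N -> target" line per open fd to out_fd; returns how many were found. */
int dump_open_fds(int out_fd) {
    char path[32] = "/proc/self/fd/", line[600];
    int count = 0;
    for (unsigned fd = 0; fd < MAX_FD; fd++) {
        path[14 + put_uint(path + 14, fd)] = '\0';
        size_t off = put_uint(line, fd);
        memcpy(line + off, " -> ", 4); off += 4;
        ssize_t len = readlink(path, line + off, 512);
        if (len < 0) continue;       /* this descriptor is not open */
        line[off + (size_t)len] = '\n';
        if (write(out_fd, line, off + (size_t)len + 1) < 0) break;
        count++;
    }
    return count;
}

/* On return the fault repeats; SA_RESETHAND restored SIG_DFL, so it dumps core. */
static void on_segv(int sig) {
    int out = open(FD_LOG, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0600);
    if (out >= 0) { dump_open_fds(out); close(out); }
    (void)sig;
}

int install_segv_fd_dump(void) {
    struct sigaction sa = { .sa_handler = on_segv, .sa_flags = SA_RESETHAND };
    return sigaction(SIGSEGV, &sa, NULL);
}

int main(void) {                     /* constructed demo: leak one fd, then fault */
    if (install_segv_fd_dump() != 0) return 1;
    open("/dev/null", O_RDONLY);
    *(volatile int *)0 = 0;
}
```

The log file's own descriptor appears in the listing as one extra entry, and the core file is only written if the core size limit (ulimit -c) is non-zero.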

#3

3

You can try using strace to see the open, socket and close calls the program makes.

Edit: I don't think you can get the information from the core; at most it will have the file descriptors somewhere, but this still doesn't give you the actual file/socket. (Assuming you can distinguish open from closed file descriptors, which I also doubt.)

#4

2

If the program forgot to close those resources it might be because something like the following happened:

    fd = open("/tmp/foo", O_CREAT, 0600);
    // do stuff
    fd = open("/tmp/bar", O_CREAT, 0600); // Oops, forgot to close(fd)

Now I won't have the file descriptor for foo in memory.

If this didn't happen, you might be able to find the file descriptor number, but then again, that is not very useful because they are continuously changing; by the time you get to debug, you won't know which file it actually meant at the time.

I really think you should debug this live, with strace, lsof and friends.

If there is a way to do it from the core dump, I'm eager to know it too :-)

#5

2

One of the ways I jump to this information is just running strings on the core file. For instance, when I was running file on a core recently, due to the length of the folders I would get a truncated arguments list. I knew my run would have opened files from my home directory, so I just ran:

strings core.14930|grep jodie

But this is a case where I had a needle and a haystack.

#6

2

Recently, during my error troubleshooting and analysis, my customer provided me a coredump which got generated in his filesystem, and he went out of station. In order to quickly scan through the file and read its contents, I used the command

strings core.67545 > coredump.txt and later I was able to open the file in a file editor.

#7

1

A core dump is a copy of the memory the process had access to when it crashed. Depending on how the leak is occurring, it might have lost the reference to the handles, so it may prove to be useless.

lsof lists all currently open files in the system; you could check its output to find leaked sockets or files. Yes, you'd need to have the process running. You could run it with a specific username to easily discern which are the open files from the process you are debugging.

I hope somebody else has better information :-)

#8

0

Another way to find out what files a process has opened - again, only during runtime - is looking into /proc/PID/fd/ , which contains symlinks to open files.
