gdbstackframescoredump

How to read frames from a core dump (without GDB)?


I would like to access the frames stored in a core dump of a program that doesn't has debug symbols (I want to do this in C). When I open up the program and the core dump inside GDB I get a stack trace including the names of the functions. For example:

(gdb) bt
#0  0x08048443 in layer3 ()
#1  0x08048489 in layer2 ()
#2  0x080484c9 in layer1 ()
#3  0x0804854e in main ()

The names of all functions are stored in the executable in the .strtab section. How can I build up the stack trace with the different frames? Running GDB in batch mode is not an option. And also just "copy the parts from gdb the are needed" is also a bad idea because the code is not independently written.

So to make my question more precisely: Where do I find the point inside a core dump where I can start reading the stack information? Is there a library of some sort for accessing those information? A struct I can use? Or even better, a documentation how those informations are structured inside a core dump?

(I already seen the question "how to generate a stack trace from a core dump file in C, without invoking an external tool such as gdb", but since there is no valid answer, I thought I would ask it again)

[Edit] I'm doing this under Linux x86


Solution

  • Coredump contains stack information as well. If you can use this stack information along with the EBP and EIP register values in the coredump file, you can print the stack trace. I had written a program to do this. You can find the program in the following link[1].

        https://gist.github.com/root42/c979b037f85dc4b2be1f3735afedeb1d
    

    Usage: Compile the above program and give the corefile when you execute it.

           $corestrace core
    

    If you want symbols also to be printed, you do like this: Let's assume the program that generated the core is 'test'.

           $ nm -n test > symbols
           $ corestrace core symbols
    

    Sample output looks like this:

           $ ./coretrace core symbols 
    
            0x80483cd foo+0x9
            0x8048401 func+0x1f
            0x8048430 main+0x2d
    

    [1] The original link was 'http://www.emntech.com/programs/corestrace.c', but that went down.