The default action of certain signals is to cause a process to termi-
nate and produce a core dump file, a disk file containing an image of
the process's memory at the time of termination. This image can be
used in a debugger (e.g., gdb(1)) to inspect the state of the program
at the time that it terminated. A list of the signals which cause a
process to dump core can be found in signal(7).
A process can set its soft RLIMIT_CORE resource limit to place an upper
limit on the size of the core dump file that will be produced if it
receives a "core dump" signal; see getrlimit(2) for details.
There are various circumstances in which a core dump file is not pro-
* The process does not have permission to write the core file. (By
default the core file is called core, and is created in the current
working directory. See below for details on naming.) Writing the
core file will fail if the directory in which it is to be created is
nonwritable, or if a file with the same name exists and is not
writable or is not a regular file (e.g., it is a directory or a sym-
* A (writable, regular) file with the same name as would be used for
the core dump already exists, but there is more than one hard link
to that file.
* The filesystem where the core dump file would be created is full; or
has run out of inodes; or is mounted read-only; or the user has
reached their quota for the filesystem.
* The directory in which the core dump file is to be created does not
* The RLIMIT_CORE (core file size) or RLIMIT_FSIZE (file size)
resource limits for the process are set to zero; see getrlimit(2)
and the documentation of the shell's ulimit command (limit in
* The binary being executed by the process does not have read permis-
* The process is executing a set-user-ID (set-group-ID) program that
is owned by a user (group) other than the real user (group) ID of
the process. (However, see the description of the prctl(2)
PR_SET_DUMPABLE operation, and the description of the
/proc/sys/fs/suid_dumpable file in proc(5).)
* (Since Linux 3.7) The kernel was configured without the CONFIG_CORE-
In addition, a core dump may exclude part of the address space of the
process if the madvise(2) MADV_DONTDUMP flag was employed.
%s number of signal causing dump
%t time of dump, expressed as seconds since the Epoch, 1970-01-01
00:00:00 +0000 (UTC)
%h hostname (same as nodename returned by uname(2))
%e executable filename (without path prefix)
%E pathname of executable, with slashes ('/') replaced by exclama-
tion marks ('!').
%c core file size soft resource limit of crashing process (since
A single % at the end of the template is dropped from the core file-
name, as is the combination of a % followed by any character other than
those listed above. All other characters in the template become a lit-
eral part of the core filename. The template may include '/' charac-
ters, which are interpreted as delimiters for directory names. The
maximum size of the resulting core filename is 128 bytes (64 bytes in
kernels before 2.6.19). The default value in this file is "core". For
backward compatibility, if /proc/sys/kernel/core_pattern does not
include "%p" and /proc/sys/kernel/core_uses_pid (see below) is nonzero,
then .PID will be appended to the core filename.
Since version 2.4, Linux has also provided a more primitive method of
controlling the name of the core dump file. If the /proc/sys/ker-
nel/core_uses_pid file contains the value 0, then a core dump file is
simply named core. If this file contains a nonzero value, then the
core dump file includes the process ID in a name of the form core.PID.
Since Linux 3.6, if /proc/sys/fs/suid_dumpable is set to 2 ("suid-
safe"), the pattern must be either an absolute pathname (starting with
a leading '/' character) or a pipe, as defined below.
Piping core dumps to a program
Since kernel 2.6.19, Linux supports an alternate syntax for the
/proc/sys/kernel/core_pattern file. If the first character of this
file is a pipe symbol (|), then the remainder of the line is inter-
preted as a program to be executed. Instead of being written to a disk
file, the core dump is given as standard input to the program. Note
the following points:
* The program must be specified using an absolute pathname (or a path-
name relative to the root directory, /), and must immediately follow
the '|' character.
* The process created to run the program runs as user and group root.
* Command-line arguments can be supplied to the program (since Linux
2.6.24), delimited by white space (up to a total line length of 128
* The command-line arguments can include any of the % specifiers
listed above. For example, to pass the PID of the process that is
being dumped, specify %p in an argument.
Controlling which mappings are written to the core dump
bit 2 Dump file-backed private mappings.
bit 3 Dump file-backed shared mappings.
bit 4 (since Linux 2.6.24)
Dump ELF headers.
bit 5 (since Linux 2.6.28)
Dump private huge pages.
bit 6 (since Linux 2.6.28)
Dump shared huge pages.
By default, the following bits are set: 0, 1, 4 (if the CON-
FIG_CORE_DUMP_DEFAULT_ELF_HEADERS kernel configuration option is
enabled), and 5. The value of this file is displayed in hexadecimal.
(The default value is thus displayed as 33.)
Memory-mapped I/O pages such as frame buffer are never dumped, and vir-
tual DSO pages are always dumped, regardless of the coredump_filter
A child process created via fork(2) inherits its parent's coredump_fil-
ter value; the coredump_filter value is preserved across an execve(2).
It can be useful to set coredump_filter in the parent shell before run-
ning a program, for example:
$ echo 0x7 > /proc/self/coredump_filter
This file is provided only if the kernel was built with the CON-
FIG_ELF_CORE configuration option.
The gdb(1) gcore command can be used to obtain a core dump of a running
In Linux versions up to and including 2.6.27, if a multithreaded
process (or, more precisely, a process that shares its memory with
another process by being created with the CLONE_VM flag of clone(2))
dumps core, then the process ID is always appended to the core file-
name, unless the process ID was already included elsewhere in the file-
name via a %p specification in /proc/sys/kernel/core_pattern. (This is
primarily useful when employing the obsolete LinuxThreads implementa-
tion, where each thread of a process has a different PID.)
The program below can be used to demonstrate the use of the pipe syntax
in the /proc/sys/kernel/core_pattern file. The following shell session
demonstrates the use of this program (compiled to create an executable
$ cc -o core_pattern_pipe_test core_pattern_pipe_test.c
# echo "|$PWD/core_pattern_pipe_test %p UID=%u GID=%g sig=%s" > \
/* core_pattern_pipe_test.c */
#define BUF_SIZE 1024
main(int argc, char *argv)
int tot, j;
/* Change our current working directory to that of the
crashing process */
snprintf(cwd, PATH_MAX, "/proc/%s/cwd", argv);
/* Write output to file "core.info" in that directory */
fp = fopen("core.info", "w+");
if (fp == NULL)
/* Display command-line arguments given to core_pattern
pipe program */
fprintf(fp, "argc=%d\n", argc);
for (j = 0; j < argc; j++)
fprintf(fp, "argc[%d]=<%s>\n", j, argv[j]);
/* Count bytes in standard input (the core dump) */
tot = 0;
while ((nread = read(STDIN_FILENO, buf, BUF_SIZE)) > 0)
tot += nread;
fprintf(fp, "Total bytes in core dump: %d\n", tot);
Man Pages Copyright Respective Owners. Site Copyright (C) 1994 - 2018
All Rights Reserved.