27

I'm looking for a way to take a non-intrusive coredump of a running process on Linux.

I'm familiar with gdb's gcore, but that can only be run when gdb is attached to the process and it's stopped for debugging. For a big core dump that might mean many seconds, or even a few minutes, of interrupted execution.

Is there any non-blocking alternative?

Linux supports copy-on-write memory, which it relies upon to support fork() without exec(). So I'm thinking of something kernel-level where the kernel takes a copy-on-write snapshot of the process page tables of the process being dumped, then writes the core out while the original process keeps on running.

I'm pretty sure I could use gdb to force a fork() then dump the child while the parent carries on happily, then wait() in the parent to reap the child after termination. It's messy, though, and still requires two interruptions of the parent process, albeit short ones.

Surely someone's needed this before?

Craig Ringer
  • 11,525
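The fork()-and-dump idea from the question, written as an added in-process example (not code from the post or from any project named on this page). `snapshot_core` and `state` are hypothetical names; the example assumes the process can call fork() itself rather than having gdb inject the call, and where the core file ends up depends on `RLIMIT_CORE` and `/proc/sys/kernel/core_pattern`.

```c
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

static volatile int state; /* constructed stand-in for live process memory */

/* Hypothetical helper: fork a copy-on-write snapshot and let the kernel dump it.
 * Returns the signal that ended the child (SIGABRT when it worked), -1 on error.
 * *seen receives the value of `state` as the snapshot child observed it. */
int snapshot_core(int *seen)
{
    int go[2], back[2], status, v;
    char c = 'x';

    state = 1;
    if (pipe(go) < 0 || pipe(back) < 0) return -1;
    pid_t pid = fork();            /* only pause: page tables copied, pages shared COW */
    if (pid < 0) return -1;
    if (pid == 0) {                /* snapshot child */
        struct rlimit rl;
        close(go[1]); close(back[0]);
        if (read(go[0], &c, 1) != 1) _exit(1);   /* wait for the parent to mutate */
        v = state;                               /* still the fork-time value */
        if (write(back[1], &v, sizeof v) != (ssize_t)sizeof v) _exit(1);
        if (getrlimit(RLIMIT_CORE, &rl) == 0) {  /* raise soft limit to hard limit */
            rl.rlim_cur = rl.rlim_max;
            setrlimit(RLIMIT_CORE, &rl);
        }
        abort();                   /* SIGABRT: the kernel writes the child's core */
    }
    close(go[0]); close(back[1]);
    state = 2;                     /* parent keeps running and changing memory */
    if (write(go[1], &c, 1) != 1 ||
        read(back[0], seen, sizeof *seen) != (ssize_t)sizeof *seen) *seen = -1;
    close(go[1]); close(back[0]);
    if (waitpid(pid, &status, 0) < 0) return -1; /* reap the dumped child */
    return WIFSIGNALED(status) ? WTERMSIG(status) : 0;
}

int main(void)
{
    int seen = 0, sig = snapshot_core(&seen);
    printf("child ended by signal %d, saw state=%d, parent state=%d\n", sig, seen, state);
    return sig == SIGABRT ? 0 : 1;
}
```

fork() duplicates only the calling thread, so in a multithreaded process the other threads' stacks are present in the child's memory but their register state is not.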

2 Answers

3

Google CoreDumper springs to mind. It makes a copy-on-write copy of the process's address space, see WriteCoreDump() (see "Notes").

EricM
  • 171

2

Here's another alternative - Breakpad (mirror on GitHub).

Breakpad is a set of client and server components which implement a crash-reporting system.

Initially it was an in-process-only library. But now it contains a pid2md tool that can generate dumps from a live process, like GDB's gcore, but in minidump format.

The generated minidump file contains enough information (register sets and stacks for each thread) to unwind the thread stacks and display backtraces using the corresponding symbol file. But as far as I understand, it does not contain a snapshot of the heap memory.

Conclusions:

  • The strong point: minidumps are smaller, in my case 10-50x smaller than a classic coredump (even after digging holes in it).
    So, even though pid2md works internally like GDB's gcore (it stops the process and gets memory via ptrace), the time it takes to create a dump should be significantly decreased.
  • The weak point: a post-inspection of the process dump in the debugger is limited.

Note: Breakpad suggests using its own format for symbols. Alternatively, you can convert the generated minidump file into a coredump using md2core, and then use it as usual.

SergA
  • 261