views:

439

answers:

1

I know how to generate a core dump on OS X when a process crashes, but what I really need to do is attach to a process, generate a core dump, then resume that process (without killing it).

A long time ago (maybe a year and a half ago) I had C code that would do this... It used the OS X kernel libraries to connect to a process, read all of its thread states and memory, and write that into a Mach-O file on disk. This worked great (and it's exactly what I'm looking for), but now I can't seem to find that code for the life of me. I seem to recall that code was related somewhat to the OS X system internals book, but that's just a vague recollection.

Does anyone know the code I'm talking about and could point me at it? If not does anyone know a good way of doing this preferably with some example code?

Edit: Here is the answer.

Information: http://osxbook.com/book/bonus/chapter8/core/

Program that will do it for you: http://osxbook.com/book/bonus/chapter8/core/download/gcore-1.3.tar.gz

+3  A: 

I believe you are looking for this information

Specifically:

/* UNIX Third Edition, circa early 1973 */
/* ken/sig.c */

core()
{
int s, *ip;
extern schar;

/* u is the user area */
u.u_error = 0;          /* reset error code to "no error" */
u.u_dirp = "core";      /* file name to search for */
ip = namei(&schar, 1);  /* do search; schar means it's a kernel string */

if (ip == NULL) {       /* failed to find */
    if (u.u_error)      /* because of some error */
        return(0);      /* so bail out */
    ip = maknode(0666); /* didn't exist; so create it */
}

if (!access(ip, IWRITE)) { /* check "write" permission; 0 means OK */
    itrunc(ip);            /* truncate the core file */

    /* first we write the user area */
    u.u_offset[0] = 0;     /* offset for I/O */
    u.u_offset[1] = 0;     /* offset for I/O */
    u.u_base = &u;         /* base address for I/O (user area itself) */
    u.u_count = USIZE*64;  /* bytes remaining for I/O; USIZE=8 */
    u.u_segflg = 1;        /* specify kernel address space */
    writei(ip);            /* do the write */

    /*
     * u_procp points to the process structure
     * p_size is the size of the process's swappable image (x 64 bytes) */
     */
    s = u.u_procp->p_size - USIZE; /* compute size left to write */

    /*
     * This sets up software prototype segmentation registers to implement
     * text(=0 here), data(=s here), and stack(=0 here) sizes specified.
     */
    estabur(0, s, 0);

    u.u_base = 0;          /* base address for I/O (start of space) */
    u.u_count = s*64;      /* s is in units of 64 bytes, so adjust */
    u.u_segflg = 0;        /* specify user address space */
    writei(ip);            /* do the write */
}
iput(ip);                  /* decrement inode reference count */
return(u.u_error==0);      /* done */
}
mbarnett
The code above is what he's comparing the code in the linked gzip to, so that's not correct, but the link (and specifically the gcore gzip) is exactly what I was looking for. Thanks!
LCC
That'll teach me to copy and paste more carefully
mbarnett