Saturday, February 13, 2010

What is in the heap?

How do you find out what is in a process heap? Here is some Solaris fu that I found handy, from a Usenet post by Jonathan Adams (netbsd archives).

Let's say you have a core dump already. If you don't have it, you can always get one using gcore.

Run pmap on the core file and look at the segment of interest. It shows you a lot of information, starting with the address, the permissions, and either heap/stack or the name of the file that is mapped (in the case of dynamically loaded libraries, for example). Once you have identified the segment of interest (which was a segment whose size was too big, in my case), use its address to get the program header using elfdump.

elfdump -p core | ggrep -iB1 -A4 FFFFFFFF7DA00000
Program Header[6]:
p_vaddr: 0xffffffff7da00000 p_flags: [ PF_W PF_R ]
p_paddr: 0 p_type: [ PT_LOAD ]
p_filesz: 0x10000 p_memsz: 0x10000
p_offset: 0x1840c8 p_align: 0

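Now that you know the offset at which your segment is stored in the core file (p_offset) and its size (p_filesz), copy it out using dd. Both values go to dd in decimal: 0x1840c8 is 1589448 and 0x10000 is 65536. Use skip to position within the input file (seek would position within the output file) and count to limit how much is copied:

dd if=core of=/tmp/data ibs=1 skip=1589448 count=65536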

At this point, you could run strings on the segment to get some idea of what is contained in there.
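The elfdump and dd steps above combined into one script, added here as an example (it is not from the original post or the Usenet thread). The function names seg_fields and extract_segment and the file /tmp/phdr.txt are made up for illustration, and the script assumes the elfdump -p output has been saved to a text file in the layout shown above.

```shell
#!/bin/sh
# Added example (not from the original post). Input: the saved text of
# `elfdump -p core`, in the layout shown above.

# seg_fields PHDR_TXT VADDR
# Print "p_offset p_filesz" for the program header whose p_vaddr is VADDR.
# VADDR may be written as pmap prints it (FFFFFFFF7DA00000) or with 0x.
seg_fields() {
    awk -v want="$2" '
        BEGIN { want = tolower(want); sub(/^0x/, "", want) }
        /^ *Program Header/ { hit = 0 }          # a new header starts
        {
            for (i = 1; i < NF; i++) {
                if ($i == "p_vaddr:") {
                    v = tolower($(i + 1)); sub(/^0x/, "", v)
                    hit = (v == want)
                }
                if (hit && $i == "p_offset:") off = $(i + 1)
                if (hit && $i == "p_filesz:") sz = $(i + 1)
            }
        }
        END { if (off == "" || sz == "") exit 1; print off, sz }
    ' "$1"
}

# extract_segment CORE PHDR_TXT VADDR OUT
# Copy the segment bytes out of CORE. Uses p_filesz, not p_memsz, because
# only p_filesz bytes are actually stored in the file.
extract_segment() {
    fields=$(seg_fields "$2" "$3") || return 1   # no such segment
    off=${fields% *}
    sz=${fields#* }
    [ "$(($sz))" -gt 0 ] || return 2             # nothing stored in the core
    # skip= positions in the input; seek= would position in the output.
    dd if="$1" of="$4" bs=1 skip="$(($off))" count="$(($sz))" 2>/dev/null
}

# Usage (paths are placeholders):
#   elfdump -p core > /tmp/phdr.txt
#   extract_segment core /tmp/phdr.txt FFFFFFFF7DA00000 /tmp/data
```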
