FreeBSD userland core files have no section table, so the vendor and
OS detection in ObjectFileELF does not get a chance to set the arch
There is a special case in ObjectFileELF::GetSectionHeaderInfo for the
case that the ELF file and host have the same core (i.e., CPU) type.
If they do then an unknown OS or vendor is updated to match the host.
Unfortunately this does not work with cross-arch core file debugging -
e.g. debugging a FreeBSD/aarch64 core file on FreeBSD/i386. I'm using
the following workaround for now:
It does if there is no other viable work around.
One thing we do on MacOSX is to search through our mach-o core files for data at the start of memory page boundaries. This helps us to locate the /usr/lib/dylb mach header and allows us to determine info about the debug session contained within the core file.
Are there any data structures in the core file memory or ELF headers in memory you can look at to help you properly determine the contents of a core file and identify it as FreeBSD or Linux? Try and scrub through the core file contents, only for ELF core files of course, and try to figure things out.
If not, your approach sounds ok, but scrubbing memory and looking for strings, certain sections, data structures, magic byte patterns, maybe getting the AUXV data and figuring out the list of shared libraries that were loaded and then maybe looking at the path values and figuring out that some of the paths are FreeBSD or linux specific would go a long way to making a proper determination of the core files architecture.
Oh, of course. There is no section header, but the FreeBSD-specific
notes are in the phdr's NOTE segment. Unfortunately there's no program
header parsing in ObjectFileELF yet, but that will be the way to go.
... for notes, I mean. There are other uses of program headers already.
So does this mean you think you can find something in memory to help identify the actual architecture?
Indeed - the CPU architecture is set in the ELF header, so that's
fine. And there are notes that uniquely identify the file as a FreeBSD
core file, including the OS version (in struct prstatus):
Notes at offset 0x00000190 with length 0x00001b38:
Owner Data size Description
FreeBSD 0x00000078 NT_PRPSINFO (prpsinfo structure)
FreeBSD 0x00000140 NT_PRSTATUS (prstatus structure)
The only awkward part is the header and note parsing in ObjectFileELF,
which is a bit of a mess at the moment.