snap – process snapshots


Process snapshots are used to save a process image for debugging on another machine or at another time. They are like old Unix core dumps but can hold multiple process images and are smaller.

The first line of a snapshot begins with the prefix “process snapshot” and often contains other information as well, such as creation time, user name, system name, cpu type, and kernel type. This information is intended for humans, not programs. Programs reading snapshots should only check that this line begins with the specified prefix.

Throughout the rest of the snapshot, decimal strings are always right-justified, blank-padded to at least 11 characters, and followed by a single space character.

The rest of the snapshot is one or more records, each of which begins with a one-line header. This header is a decimal process id followed by an identification string, which denotes the type of data in the record.

Records of type fd, fpregs, kregs, noteid, ns, proc, regs, segment, and status are all formatted as a decimal number n followed by n bytes of data. This data is the contents of the file of the same name found in /proc.

The format of the mem and text sections is not as simple. These sections contain one or more page descriptions. Each describes a one kilobyte page of data. If the section is not a multiple of a kilobyte in size, the last page will be shorter. Each description begins with a one-byte flag. If the flag is r, then it is followed by a page of binary data. If the flag is z, then the data is understood to be zeros, and is omitted. If the flag is m or t, then it is followed by two decimal strings p and o, indicating that this page is the same as the page at offset o of the memory or text segment for process p. This data must have been previously described in the snapshot, and the offset must be a multiple of a kilobyte.

It is not guaranteed that any of the sections described above be in a process snapshot, although the snapshot quickly becomes useless when too much is missing.

Memory and text images may be incomplete. The memory or text file for a given process may be split across multiple disjoint sections in the snapshot.


proc(3), snap(4).