NAME

ctfdump — dump parts of ctf data from files

SYNOPSIS

ctfdump [-cdfhlsSt] [-p parent] [-u outfile] file

DESCRIPTION

The ctfdump utility dumps and decodes the CTF data contained inside of ELF objects and raw CTF files.

ctfdump can dump information about the CTF header, the labels encoded in the CTF container, the types of data objects, the internal string table, the types of the return function and the arguments for functions, and of course, it displays information about the types defined in the CTF container.

ctfdump can also be used to dump out the raw CTF data and send it to another file. When writing out data, it always ensures that the CTF data is decompressed. In this form, the CTF data can be inspected using ctfdump and other tools such as mdb(1).

ctfdump in -c mode will generate C-style output, which can be used for comparison. Note that this output is not directly compilable.

When no options are specified, ctfdump displays all information, except the C-style output. However, when the -u option is used, then no information is displayed by default, unless requested through the appropriate option.

OPTIONS

The following options are supported:

-c: Generate C-style output.
-d: Dump the types of symbols that correspond to objects.
-f: Dump the types of the return values and arguments of the functions.
-h: Dump the CTF header
-l: Dump all CTF labels associated with the file.
-p parent: Use the type information in parent to supplement output. This is useful when a ctfdump CTF container has been uniquified against parent. This allows ctfdump to use the names of types when used with -t.
-s: Dump the internal CTF string table
-S: Displays statistics about the CTF container.
-t: Dump the type information contained in the CTF container.
-u outfile: Copies the uncompressed CTF data to the file specified by outfile. This can be used to make it easier to inspect the raw CTF data.

OUTPUT

When the ctfdump utility is executed with its default options, it prints out a textual representation of the CTF information. Note, the output format of ctfdump is subject to change at any time and should not be relied upon as a stable format to be used for parsing.

CTF Header

This section describes the values in the CTF header. Each line in the section describes the value of one of the members of the header. For more information on the meaning and interpretation of these members, see ctf(5).

Label Table

This section describes information about the labels present in the CTF information. Each entry in this section, if present, starts with a number and is followed by a string. An example entry in the label section might look like:

...
   2270 joyent_20151001T070028Z
...

The number, 2270, represents the last type that the label applies to. The string, joyent_20151001T070028Z, is the name of the label. In this case, if there were no other labels, it would indicate that the label applied to all types up to, and including, the type number 2270. For more information on how labels are used with CTF information, see the section The Label Section in ctf(5).

Data Objects

This section describes the type information relating to data objects from the symbol table. An entry for a data object consists of four columns. The first column is just a monotonic ID. The second number is the type id of the object. The third column is the name of the symbol and the fourth column is the corresponding index from the symbol table.

Take for example, the following couple of entries:

...
  [0] 13        hz (48)
  [1] 78        _nd (49)
  [2] 1656      __pfmt_label (56)
  [3] 926       _aio_hash (68)
  [4] 13        _lio_free (70)
  [5] 1321      u8_number_of_bytes (73)
...

Let's take the first entry in the list above. The symbol is named hz. It is the first data object, as indicated by the number zero in brackets. It has a type id of 13 and in this case, it has a symbol table index of 48.

Functions

This section describes the type information for functions. For each function present in the symbol table with type information, the function's entry into the function section, the function's name, the function's symbol table index, the function's return type, and the types of the function's arguments are printed. If a function is a variadic function, then the variadic argument is printed as the string '...'.

Take for example, the following couple of entries:

...
  [687] pfprint_stack (3110) returns: 11 args: (385, 115, 29, 1704, 223, 116, 2)
  [688] pfprint_stddev (3111) returns: 11 args: (385, 115, 29, 1704, 223, 116, 2)
  [689] pfprint_quantize (3112) returns: 11 args: (385, 115, 29, 1704, 223, 116, 2)
  [690] pfprint_lquantize (3113) returns: 11 args: (385, 115, 29, 1704, 223, 116, 2)
  [691] pfprint_llquantize (3114) returns: 11 args: (385, 115, 29, 1704, 223, 116, 2)
...

The first column is the function's entry number in the function type information section. It is enclosed in brackets. The next column is the function's name and it is followed in parenthesis by the its index in the symbol table. The following portions of this entry describe the return type and then all of the arguments, in positional order.

Types

The types section gives information about each type in the CTF container. Each entry begins with its type identifier. The type identifier may either be in square brackets or in angle brackets. If the type identifier is enclosed in angle brackets, then that represents that it is a root type or top-level type. If it is square brackets, then it is not. For more information on root types, see ctf(5).

Next, the type will have its name and kind. If it is an array, it will be followed with a subscript that describes the number of entries in the array. If it is a pointer, it will followed by the * symbol to indicate that it is a pointer. If the type has the const, volatile, typedef, or restrict keyword applied to it, that will precede the name. All of these reference types, including pointer, will then be followed with an example of the type that they refer to.

Types which are an integral or floating point value will be followed by information about their encoding and the number of bits represented in the type.

Arrays will be followed by two different entries, the contents and index. The contents member contains the type id of the array's contents and the index member describes a type which can represent the array's index.

Structures and unions will be preceded with the corresponding C keyword, struct or union. After that, the size in bytes of the structure will be indicated. On each subsequent line, a single member will be listed. That line will contain the member's name, it's type identifier, and the offset into the structure that the member starts at. The first values is in bits, which is what CTF encodes. It is then followed by bytes and the bit offset into the byte. That is the value ‘2.5’ indicates that it starts at the 5th bit in the 2nd byte (i.e. bit 21).

The following show examples of type information for all of these different types:

...
  [155] struct ctf_merge_handle (80 bytes)
        cmh_inputs type=165 off=0 bits (0.0 bytes)
        cmh_ninputs type=6 off=256 bits (32.0 bytes)
        cmh_nthreads type=6 off=288 bits (36.0 bytes)
        cmh_unique type=65 off=320 bits (40.0 bytes)
        cmh_msyms type=115 off=384 bits (48.0 bytes)
        cmh_ofd type=34 off=416 bits (52.0 bytes)
        cmh_flags type=34 off=448 bits (56.0 bytes)
        cmh_label type=94 off=512 bits (64.0 bytes)
        cmh_pname type=94 off=576 bits (72.0 bytes)

  <156> typedef ctf_merge_t refers to 155
  [157] struct __va_list_tag (24 bytes)
        gp_offset type=5 off=0 bits (0.0 bytes)
        fp_offset type=5 off=32 bits (4.0 bytes)
        overflow_arg_area type=41 off=64 bits (8.0 bytes)
        reg_save_area type=41 off=128 bits (16.0 bytes)

  [158] struct __va_list_tag [1] contents: 157, index: 9
...

String Table

This section describes all of the strings that are present in the CTF container. Each line represents an entry in the string table. First the byte offset into the string table is shown in brackets and then the string's value is displayed. Note the following examples:

  [0] \0
  [1] joyent_20151001T070028Z
  [25] char
  [30] long
  [35] short

Statistics

This section contains miscellaneous statistics about the CTF data present. Each line contains a single statistic. A brief explanation of the statistic is placed first, followed by an equals sign, and then finally the value.

EXIT STATUS

0: Execution completed successfully.
1: A fatal error occurred.
2: Invalid command line options were specified.

EXAMPLES

Example 1 Displaying the Type Section of a Single File

The following example dumps the type section of the file /usr/lib/libc.so.1.

$ ctfdump -t /usr/lib/libc.so.1
- Types ----------------------------------------------------

  <1> int encoding=SIGNED offset=0 bits=32
  <2> long encoding=SIGNED offset=0 bits=32
  <3> typedef pid_t refers to 2
  <4> unsigned int encoding=0x0 offset=0 bits=32
  <5> typedef uid_t refers to 4
  <6> typedef gid_t refers to 5
  <7> typedef uintptr_t refers to 4
...

Example 2 Dumping the CTF data to Another File

The following example dumps the entire CTF data from the file /usr/lib/libc.so.1 and places it into the file ctf.out. This then shows how you can use the mdb(1) to inspect its contents.

$ ctfdump -u ctf.out /usr/lib/libc.so.1
$ mdb ./ctf.out
> ::typedef -r /usr/lib/libctf.so.1
> 0::print ctf_header_t
{
    cth_preamble = {
        ctp_magic = 0xcff1
        ctp_version = 0x2
        ctp_flags = 0
    }
    cth_parlabel = 0
    cth_parname = 0
    cth_lbloff = 0
    cth_objtoff = 0x8
    cth_funcoff = 0x5e0
    cth_typeoff = 0x7178
    cth_stroff = 0x12964
    cth_strlen = 0x7c9c
}

Example 3 Dumping C-style output

$ ctfdump -c ./genunix | more
/* Types */

typedef Elf64_Addr Addr;

typedef unsigned char Bool;

typedef struct CK_AES_CCM_PARAMS CK_AES_CCM_PARAMS;

typedef struct CK_AES_GCM_PARAMS CK_AES_GCM_PARAMS;
...

INTERFACE STABILITY

The command syntax is Committed. The output format is Uncommitted.