There are times when a process is suddenly killed and you have no idea which process or user killed it. There are a couple of ways to find out, but SystemTap is one clear way to do it.
SystemTap is a scripting language whose scripts can be loaded into the Linux kernel, where they interact safely with the kernel to monitor or modify it. You can find more details at https://sourceware.org/systemtap/
Below is the script I wrote to track the reason for a process exit.
```
#!/usr/bin/env stap

# Name of the process to watch, taken from the first command-line argument.
global target_name;

probe begin {
  target_name = @1;
  printf("Tracking %s for all signals and exit()\n", target_name);
}

# Fires when the target itself calls exit() or exit_group().
probe syscall.exit* {
  if (execname() == target_name) {
    printf("%s is called %s\n", execname(), probefunc());
    pt = pid2task(pid())
    printf("%s\n", task_ancestry(pt, 1))
  }
}

# Fires in the sender's context whenever a signal is sent to the target.
probe signal.send {
  if (pid_name == target_name) {
    printf("%s was sent to %s(pid:%d) by %s(%d) uid:%d\n",
           sig_name, pid_name, sig_pid, execname(), pid(), uid())
    pt = pid2task(pid())
    printf("sender details: %s\n", task_ancestry(pt, 1))
    printf(" USER : %s\n", env_var("USER"))
    printf(" HOME : %s\n", env_var("HOME"))
    printf(" PWD : %s\n", env_var("PWD"))
  }
}
```
You can track it by running the command below. Here it’s tracking ‘gedit’ processes.
```
$ stap sigcatchall.stp gedit
Tracking gedit for all signals and exit()
gedit is called sys_exit_group
swapper(0m0.000000000s)=>init(0m0.174981973s)=>gnome-terminal(26m31.551837053s)=>bash(30m22.998868972s)=>gedit(78m24.009384612s)
SIGTERM was sent to gedit(pid:26492) by bash(25672) uid:500
sender details: swapper(0m0.000000000s)=>init(0m0.174981973s)=>gnome-terminal(26m31.551837053s)=>bash(33m48.188089503s)
 USER : sungju
 HOME : /home/sungju
 PWD : /home/sungju
```
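As an added example (not part of the original post), this Python parser turns the script's text output into structured records that can be forwarded to a log pipeline or searched during an investigation. The function names `ancestry` and `parse_events` are hypothetical, and the embedded sample is the gedit run shown above.

```python
import re

# Sample input: the output of the gedit run shown on this page.
SAMPLE = """\
Tracking gedit for all signals and exit()
gedit is called sys_exit_group
swapper(0m0.000000000s)=>init(0m0.174981973s)=>gnome-terminal(26m31.551837053s)=>bash(30m22.998868972s)=>gedit(78m24.009384612s)
SIGTERM was sent to gedit(pid:26492) by bash(25672) uid:500
sender details: swapper(0m0.000000000s)=>init(0m0.174981973s)=>gnome-terminal(26m31.551837053s)=>bash(33m48.188089503s)
 USER : sungju
 HOME : /home/sungju
 PWD : /home/sungju
"""

SIGNAL_RE = re.compile(
    r"^(?P<signal>\S+) was sent to (?P<target>.+)\(pid:(?P<target_pid>\d+)\) "
    r"by (?P<sender>.+)\((?P<sender_pid>\d+)\) uid:(?P<uid>\d+)$")
EXIT_RE = re.compile(r"^(?P<proc>.+) is called (?P<syscall>\S+)$")
ENV_RE = re.compile(r"^\s*(?P<key>USER|HOME|PWD)\s*:\s*(?P<value>.*)$")


def ancestry(chain):
    """Split 'a(0m0.1s)=>b(1m2.3s)' into ['a', 'b'], dropping the start times."""
    return [re.sub(r"\([^()]*\)$", "", hop) for hop in chain.strip().split("=>")]


def parse_events(text):
    """Return a list of dicts, one per signal or exit event, in input order."""
    events, current = [], None
    for line in text.splitlines():
        if m := SIGNAL_RE.match(line):
            current = {"type": "signal", **m.groupdict(), "ancestry": [], "env": {}}
            for k in ("target_pid", "sender_pid", "uid"):
                current[k] = int(current[k])
            events.append(current)
        elif m := EXIT_RE.match(line):
            current = {"type": "exit", **m.groupdict(), "ancestry": []}
            events.append(current)
        elif line.startswith("sender details: ") and current:
            current["ancestry"] = ancestry(line[len("sender details: "):])
        elif (m := ENV_RE.match(line)) and current and current["type"] == "signal":
            current["env"][m["key"]] = m["value"]
        elif "=>" in line and current and current["type"] == "exit":
            current["ancestry"] = ancestry(line)
    return events
```

Each signal record keeps the sender's PID, UID, process ancestry and environment together, so records can be filtered by sender or by parent chain.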