How to find out who is killing my process

Sometimes a process is suddenly killed and you have no idea which process or user killed it. There are a couple of ways to find out, but SystemTap is one clear way to identify it.

SystemTap is a scripting language whose scripts can be loaded into the Linux kernel, where they run safely to monitor or modify the kernel. You can find more details at https://sourceware.org/systemtap/

Below is the script I wrote to track the reason for a process exit.

#!/usr/bin/env stap

# Name of the process to watch, taken from the first command-line argument.
global target_name;

probe begin {
        target_name = @1;
        printf("Tracking %s for all signals and exit()\n", target_name);
}

# Fires when the target itself calls exit() or exit_group().
probe syscall.exit* {
        if(execname() == target_name) {
                printf("%s is called %s\n", execname(), probefunc());
                pt = pid2task(pid())
                printf("%s\n", task_ancestry(pt, 1))
        }
}

# Fires in the context of the sender whenever a signal is sent to the target.
probe signal.send {
        if (pid_name == target_name) {
                printf("%s was sent to %s(pid:%d) by %s(%d) uid:%d\n",
                                sig_name, pid_name, sig_pid, execname(), pid(), uid())
                pt = pid2task(pid())
                printf("sender details: %s\n", task_ancestry(pt, 1))
                printf("         USER : %s\n", env_var("USER"))
                printf("         HOME : %s\n", env_var("HOME"))
                printf("         PWD  : %s\n", env_var("PWD"))
        }
}

You can track it by running the command below. Here it’s tracking ‘gedit’ processes.

$ stap sigcatchall.stp gedit
Tracking gedit for all signals and exit()
gedit is called sys_exit_group
swapper(0m0.000000000s)=>init(0m0.174981973s)=>gnome-terminal(26m31.551837053s)=>bash(30m22.998868972s)=>gedit(78m24.009384612s)
SIGTERM was sent to gedit(pid:26492) by bash(25672) uid:500
sender details: swapper(0m0.000000000s)=>init(0m0.174981973s)=>gnome-terminal(26m31.551837053s)=>bash(33m48.188089503s)
         USER : sungju
         HOME : /home/sungju
         PWD  : /home/sungju
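
When the script runs for a long time, it helps to turn its output into structured records that can be filtered by sender, uid or signal. The Python code below is an added example, not part of the original post: it parses the line formats printed by the signal.send probe above, using the sample run shown here as input. The function name parse_events and the field names are assumptions chosen for this example.

```python
import re

# Sample output copied from the run shown above (gedit terminated from a bash shell).
SAMPLE = """\
Tracking gedit for all signals and exit()
gedit is called sys_exit_group
swapper(0m0.000000000s)=>init(0m0.174981973s)=>gnome-terminal(26m31.551837053s)=>bash(30m22.998868972s)=>gedit(78m24.009384612s)
SIGTERM was sent to gedit(pid:26492) by bash(25672) uid:500
sender details: swapper(0m0.000000000s)=>init(0m0.174981973s)=>gnome-terminal(26m31.551837053s)=>bash(33m48.188089503s)
         USER : sungju
         HOME : /home/sungju
         PWD  : /home/sungju
"""

# One pattern per printf() format used in the signal.send probe.
SIGNAL_RE = re.compile(
    r"^(?P<signal>\S+) was sent to (?P<target>.+)\(pid:(?P<target_pid>\d+)\) "
    r"by (?P<sender>.+)\((?P<sender_pid>\d+)\) uid:(?P<uid>\d+)$")
DETAILS_RE = re.compile(r"^sender details: (.+)")
ENV_RE = re.compile(r"^\s+(USER|HOME|PWD)\s*: (.*)")
HOP_RE = re.compile(r"\(\d+m[\d.]+s\)$")  # trailing "(26m31.551837053s)" on each hop


def parse_events(lines):
    """Return one dict per signal line, with the detail lines that follow it attached."""
    events, current = [], None
    for line in lines:
        m = SIGNAL_RE.match(line)
        if m:
            current = m.groupdict()
            for key in ("target_pid", "sender_pid", "uid"):
                current[key] = int(current[key])
            current.update(ancestry=[], env={})
            events.append(current)
        elif current is None:
            continue  # banner and exit() lines seen before any signal line
        elif (m := DETAILS_RE.match(line)):
            # Sender's process chain, oldest ancestor first, timestamps stripped.
            current["ancestry"] = [HOP_RE.sub("", hop) for hop in m.group(1).split("=>")]
        elif (m := ENV_RE.match(line)):
            current["env"][m.group(1)] = m.group(2)
    return events


if __name__ == "__main__":
    for event in parse_events(SAMPLE.splitlines()):
        print(event)
```
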
