Technical Blog Post
Abstract
PROBEVUE: KILL() [WHO KILLED MY PROCESS?]
Body
This small probevue script will let you know who killed your process. Sometimes you might see that a process gets killed for no obvious reason and you have no idea who killed it. Of course here we're not talking about process dying because of a SEGV or SIGBUS, due to programming errors, but a genuine kill.
In the script below you can of course replace the 'when' filter for the probe by another signal. The script has to be run as root like this:
# probevue -s 8 -o signal2.out signal2.pb
The output file, signal2.out here, might look like this:
[ksh - 21823906 - 73335243] sent SIGKILL to pid 36307324
The script is:
/*
* signal2.pb: Track the usage of 'kill(SIGKILL)' onto processes.
*
* Run as user 'root' using the following command line:
*
* probevue -s 8 -o signal2.out signal2.pb
*
*
* dalla
*/
int kill(int pid, int signo);
@@syscall:*:kill:entry
when (__arg2 == SIGKILL)
{
printf("[%s - %d - %d] sent SIGKILL to pid %d\n",
__pname, __pid, __tid, __arg1);
}
UID
ibm13286419