On Mon, Aug 05, 2019 at 08:57:45PM -0400, Fred Smith wrote:
Hi all!
I'm stuck on something really bizarre that is happening to a product I "own" at work. It's a C program, built on CentOS, runs on CentOs or RHEL, has been in circulation since the early 00's, is in use at hundreds of sites.
recently, at multiple customer sites it has started just going away. no core file (yes, ulimit is configured), nothing in any of its (several) log files. it's just gone.
running it under strace until it dies reveals that every thread has been given a SIGKILL.
How does one figure out who deliverd a SIGKILL? For other, non-fatal, signals it is possible to glean the PID of the sending process in a signal handler, but obviously you can't do that for SIGKILL because the app doesn't survive the signal.
I'm grasping at straws here, and am open to almost any kind of suggestion that can be followed-up (as compared to "beats me" which is where I am now).
OK, more information.
Found a recipe to cause systemtap to emit a line of text identifying the sender of the SIGKILL.
probe signal.send { if (sig_name == "SIGKILL") printf("%s was sent to %s (pid:%d) by %s uid:%d\n", sig_name, pid_name, sig_pid, execname(), uid())
unfortunately, it says the program is killing itself:
SIGKILL was sent to myprog (pid:12269) by myprog uid:1000
So,... now I'm wondering how one figures that out. nowhere in my source code does it explicitly raise any signal, much less SIGKILL. So there must be some underlying library or system call or something doing it.