How does Linux "kill" a process?

process kill process-management

16,971

Solution 1

Sending kill -9 to a process doesn't require the process' cooperation (like handling a signal), it just kills it off.

You're presuming that because some signals can be caught and ignored they all involve cooperation. But as per man 2 signal, "the signals SIGKILL and SIGSTOP cannot be caught or ignored". SIGTERM can be caught, which is why plain kill is not always effective – generally this means something in the process's handler has gone awry.¹

If a process doesn't (or can't) define a handler for a given signal, the kernel performs a default action. In the case of SIGTERM and SIGKILL, this is to terminate the process (unless its PID is 1; the kernel will not terminate init)² meaning its file handles are closed, its memory returned to the system pool, its parent receives SIGCHILD, its orphan children are inherited by init, etc., just as if it had called exit (see man 2 exit). The process no longer exists – unless it ends up as a zombie, in which case it is still listed in the kernel's process table with some information; that happens when its parent does not wait and deal with this information properly. However, zombie processes no longer have any memory allocated to them and hence cannot continue to execute.

Is there something like a global table in memory where Linux keeps references to all resources taken up by a process and when I "kill" a process Linux simply goes through that table and frees the resources one by one?

I think that's accurate enough. Physical memory is tracked by page (one page usually equalling a 4 KB chunk) and those pages are taken from and returned to a global pool. It's a little more complicated in that some freed pages are cached in case the data they contain is required again (that is, data which was read from a still existing file).

Manpages talk about "signals" but surely that's just an abstraction.

Sure, all signals are an abstraction. They're conceptual, just like "processes". I'm playing semantics a bit, but if you mean SIGKILL is qualitatively different than SIGTERM, then yes and no. Yes in the sense that it can't be caught, but no in the sense that they are both signals. By analogy, an apple is not an orange but apples and oranges are, according to a preconceived definition, both fruit. SIGKILL seems more abstract since you can't catch it, but it is still a signal. Here's an example of SIGTERM handling, I'm sure you've seen these before:

#include <stdio.h>
#include <signal.h>
#include <unistd.h>
#include <string.h>

void sighandler (int signum, siginfo_t *info, void *context) {
    fprintf (
        stderr,
        "Received %d from pid %u, uid %u.\n",
        info->si_signo,
        info->si_pid,
        info->si_uid
    );
}

int main (void) {
    struct sigaction sa;
    memset(&sa, 0, sizeof(sa));
    sa.sa_sigaction = sighandler;
    sa.sa_flags = SA_SIGINFO;
    sigaction(SIGTERM, &sa, NULL);
    while (1) sleep(10);
    return 0;
}

This process will just sleep forever. You can run it in a terminal and send it SIGTERM with kill. It spits out stuff like:

Received 15 from pid 25331, uid 1066.

1066 is my UID. The PID will be that of the shell from which kill is executed, or the PID of kill if you fork it (kill 25309 & echo $?).

Again, there's no point in setting a handler for SIGKILL because it won't work.³ If I kill -9 25309 the process will terminate. But that's still a signal; the kernel has the information about who sent the signal, what kind of signal it is, etc.

^{1. If you haven't looked at the list of possible signals, see kill -l.}

^{2. Another exception, as Tim Post mentions below, applies to processes in uninterruptible sleep. These can't be woken up until the underlying issue is resolved, and so have ALL signals (including SIGKILL) deferred for the duration. A process can't create that situation on purpose, however.}

^{3. This doesn't mean using kill -9 is a better thing to do in practice. My example handler is a bad one in the sense that it doesn't lead to exit(). The real purpose of a SIGTERM handler is to give the process a chance to do things like clean up temporary files, then exit voluntarily. If you use kill -9, it doesn't get this chance, so only do that if the "exit voluntarily" part seems to have failed.}

Solution 2

Each process runs for scheduled time and then is interrupted by hardware timer, to give its CPU core for other tasks. This is why it is possible to have much more processes than there are CPU cores, or even run all operating system with lots of processes on one single core CPU.

After the process is interrupted, the control returns to the kernel code. That code can then make a decision not to resume the execution of the interrupted process, without any cooperation from the process side. kill -9 may end up execution in any line of your program.

16,971

polym

[email protected]

Updated on September 18, 2022

Comments

polym over 1 year
It often baffles me that, although I have been working professionally with computers for several decades and Linux for a decade, I actually treat most of the OS' functionality as a black box, not unlike magic.

Today I thought about the kill command, and while I use it multiple times per day (both in its "normal" and -9 flavor) I must admit that I have absolutely no idea how it works behind the scenes.

From my viewpoint, if a running process is "hung", I call kill on its PID, and then it suddenly isn't running anymore. Magic!

What really happens there? Manpages talk about "signals" but surely that's just an abstraction. Sending kill -9 to a process doesn't require the process' cooperation (like handling a signal), it just kills it off.
- How does Linux stop the process from continuing to take up CPU time?
- Is it removed from scheduling?
- Does it disconnect the process from its open file handles?
- How is the process' virtual memory released?
- Is there something like a global table in memory, where Linux keeps references to all resources taken up by a process, and when I "kill" a process, Linux simply goes through that table and frees the resources one by one?
I'd really like to know all that!
- Admin over 10 years
  
  Obligatory kill -9 reference.
- Admin over 4 years
  
  This answer of mine on a question about SIGKILL specifically might be relevant here also.
S edwards over 10 years

Ok but what kill the process with -9because that's the real problem how who desice that this one should die ! ;)
goldilocks over 10 years

@Kiwy : The kernel. IPC including signals pass through it; the kernel implements the default actions.
Alex Miller over 10 years

Might be worth mentioning that disk sleep (D) preempts all signals, while the process is in that state. Hence trying to kill -9 certain I/O bound processes isn't going to work, at least not immediately.
JRFerguson over 10 years

I'd add that since a kill -9 can't be caught, a process receiving it can't perform any cleanup (e.g. removing temporary files, freeing shared memory, etc.) before it exits. Hence, use kill -9 (a.k.a kill -kill) only as a last resort. Begin with a kill -hup and/or kill -term first and then use kill -kill as the final blow.
clever over 10 years

"The process no longer exists -- unless it ends up as a zombie, in which case it is still listed in the kernel's process table with some information" actually, all processes go into zombie state when they die, and the zombie will disappear when the parent does waitpid on the child, normally that happens too fast for you to see it happen
rents over 8 years

Is this same in windows? I mean from an application's perspective, does the application need to take care whether a supporting component (say an engine it is communicating with) dies and it was running on windows or linux? Can you suggest any good book to study about this or under what CS course are these topics covered under?