Date: Wed, 15 Feb 2006 16:34:32 -0600
From: Dan Nelson <dnelson@allantgroup.com>
To: Kris Kennaway <kris@obsecurity.org>
Cc: Ivan Kolosovskiy <agava-develop@yandex.ru>, freebsd-stable@freebsd.org
Subject: Re: Strange process
Message-ID: <20060215223432.GH70956@dan.emsphone.com>
In-Reply-To: <20060215215608.GA55676@xor.obsecurity.org>
References: <1140027060.83368.11.camel@r4.agava-guns.domain> <20060215194204.GC70956@dan.emsphone.com> <20060215215608.GA55676@xor.obsecurity.org>

In the last episode (Feb 15), Kris Kennaway said:
> On Wed, Feb 15, 2006 at 01:42:04PM -0600, Dan Nelson wrote:
> > In the last episode (Feb 15), Ivan Kolosovskiy said:
> > > top:
> > > PID USERNAME THR PRI NICE SIZE RES STATE C TIME WCPU COMMAND
> > > 38410 findfile 1 96 0 0K 0K START 0 0:00 0.00% grotty
> > >
> > > ps:
> > > host$ ps -waux | grep grotty
> > > findfile 38410 0,0 0,0 0 0 p6 REJ 19:57 0:00,25 [grotty]
> >
> > E in the STAT column means the process is trying to exit, but
> > can't. What does "ps lp 38410" print? The MWCHAN column should say
> > where in the kernel the process is stuck.
>
> I often see this too. For example:
>
> PID USERNAME THR PRI NICE SIZE RES STATE TIME WCPU COMMAND
> 5357 kkenn 1 96 0 0K 0K START 0:00 0.35% xpdf
>
> > ps -waux | grep xpdf
> kkenn 5357 0.3 0.0 0 0 ?? RE Sun08PM 0:00.20 [xpdf]
>
> > ps lp 5357
> UID PID PPID CPU PRI NI VSZ RSS MWCHAN STAT TT TIME COMMAND

That syntax should have worked... Try a plain "ps axl | grep xpdf"
instead.

I think top's START state corresponds to the ~200-line window of code
in kern_fork.c:fork1() between p_state=PRS_NEW and p_state=PRS_NORMAL,
but I'm not positive.

-- 
	Dan Nelson
	dnelson@allantgroup.com