Access violation from CreateProcess() from inside a Job
I have Python code like the following embedded in mod_wsgi / Python 2.7 inside an Apache httpd 2.4 server on Windows. It sometimes raises a "WindowsError: [Error 998] Invalid access to memory location." from the CreateProcess call. It happens very infrequently, just around every 1-5 days. 32-Bit process, but also happens with a different error (Access Violation) in 64-Bit.
I checked that pywin32 properly sets a modifiable lpCmdLine argument.
I also tried to do the same via ctypes but had the same problems.
The Apache httpd runs inside a job and a valid desktop name is given.

    import os
    import win32con
    import win32process
    import win32api
    import subprocess

    def launch_sub_process(environ, args, desktop_name, tmp_file):
        myenv = os.environ.copy()
        myenv["PYTHONOPTIMIZE"] = "2"
        # The reason we cannot use subprocess..., it does not allow setting
        # lpDesktop in STARTUPINFO
        startupinfo = win32process.STARTUPINFO()
        startupinfo.lpDesktop = desktop_name
        # CREATE_BREAKAWAY_FROM_JOB = 0x01000000 isn't defined in our
        # pywin32 version.
        createflags = (
            win32con.DETACHED_PROCESS |
            0x01000000 |
            win32con.CREATE_UNICODE_ENVIRONMENT)
        cmdline = subprocess.list2cmdline(args)
        # pywin32 special, if we pass CREATE_UNICODE_ENVIRONMENT
        # we must convert env to unicode ourselves too, why?
        myenv = {unicode(k): unicode(v) for k, v in myenv.items()}
        p_handle, th, worker_pid, _ = win32process.CreateProcess(
            None,         # appName
            cmdline,      # cmdLine
            None,         # processAttributes
            None,         # threadAttributes
            False,        # inherit handles
            createflags,  # creation flags
            myenv,        # environ
            None,         # current directory
            startupinfo   # pystartupinfo
        )
        win32api.CloseHandle(th)
        # Wait for the process to start
        # (wait_for_process is a helper that is not shown in the question)
        child_infos = wait_for_process(tmp_file,
                                       p_handle,
                                       worker_pid)
        return child_infos["port"], worker_pid

The only traceback I managed to capture was from inside the Windows API. It looks like a classical overflow that trashed the return address.

    The stored exception information can be accessed via .ecxr.
    (c8c.9c8): Access violation - code c0000005 (first/second chance not available)
    eax=00000000 ebx=00000000 ecx=01b6bac1 edx=00000053 esi=00000000 edi=01b6c308
    eip=75b4360d esp=01b6bf64 ebp=01b6c500 iopl=0 nv up ei pl nz na po nc
    cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
    KERNELBASE!NtWow64CsrBasepCreateProcess+0xc:
    75b4360d c20400 ret 4
    0:002> kb
    # ChildEBP RetAddr Args to Child
    00 01b6bf60 75b4320f 01b6c308 0a2ad7c4 016ec340 KERNELBASE!NtWow64CsrBasepCreateProcess+0xc
    01 01b6c500 75b424dc 00000000 00000000 18092780 KERNELBASE!CreateProcessInternalW+0xcf6

This looks like it happened just after the process creation is done and only the communication with the CSRSS.exe process needs to complete.
Does anyone have a hint what limits might be hit or how to fix this?
python winapi win32-process
You can try to pass appName argument to CreateProcess, in which case CreateProcess doesn't modify the cmdLine argument.
– zett42 Nov 13 '18 at 18:50
Thanks for the suggestion. Might try that, but it should not matter, as the cmdLine buffer is in writeable memory.
– schlenk Nov 14 '18 at 16:34
asked Nov 13 '18 at 14:22 by schlenk
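The question asks what limits might be hit. As an added example, not code from the question or its comments, the following Python 3 helpers check a planned launch against the limits documented for CreateProcess (32,767-character command line, MAX_PATH module name when appName is None) and build the UTF-16 environment block in the documented layout, so the values can be logged before each call. The names preflight, build_env_block and utf16_units are hypothetical, and nothing here identifies the cause of the crash described above.

```python
# Added example (Python 3); helper names are hypothetical, not from the post.
import subprocess

MAX_CMDLINE_CHARS = 32767  # documented lpCommandLine limit, incl. the NUL
MAX_PATH = 260             # module-name limit when lpApplicationName is NULL


def utf16_units(text):
    """Count the UTF-16 code units (WCHARs) in text, excluding the NUL."""
    return len(text.encode("utf-16-le")) // 2


def build_env_block(env):
    """Build the CREATE_UNICODE_ENVIRONMENT block: sorted "name=value\\0"
    entries plus a final "\\0", encoded as UTF-16LE."""
    entries = []
    for name, value in sorted(env.items(), key=lambda kv: kv[0].upper()):
        # Names may start with "=" (hidden per-drive entries), nowhere else.
        if not name or "=" in name[1:] or "\0" in name or "\0" in value:
            raise ValueError("malformed environment entry: %r" % (name,))
        entries.append("%s=%s\0" % (name, value))
    return (("".join(entries) or "\0") + "\0").encode("utf-16-le")


def preflight(args, env, app_name=None):
    """Return (cmdline, env_block, problems) for a planned CreateProcessW."""
    cmdline = subprocess.list2cmdline(args)
    problems = []
    if utf16_units(cmdline) + 1 > MAX_CMDLINE_CHARS:
        problems.append("command line exceeds 32,767 characters")
    if app_name is None and utf16_units(args[0]) + 1 > MAX_PATH:
        problems.append("module name exceeds MAX_PATH with appName=None")
    try:
        env_block = build_env_block(env)
    except ValueError as exc:
        env_block = None
        problems.append(str(exc))
    return cmdline, env_block, problems


if __name__ == "__main__":
    # Constructed sample values, not taken from the question.
    sample_env = {"PYTHONOPTIMIZE": "2", "PATH": r"C:\Windows\system32"}
    cmd, block, issues = preflight(["python.exe", "worker.py"], sample_env)
    print(len(cmd), len(block), issues or "no documented limit exceeded")
```

Logging the returned lengths next to each launch gives something to correlate with the rare failures.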