Access violation from CreateProcess() from inside a Job










I have Python code like the following embedded in mod_wsgi / Python 2.7 inside an Apache httpd 2.4 server on Windows. It sometimes raises a WindowsError: [Error 998] Invalid access to memory location. from the CreateProcess call. It happens very infrequently, just around every 1-5 days. 32-Bit process, but also happens with a different error (Access Violation) in 64-Bit.



I checked that pywin32 properly sets a modifiable lpCmdLine argument.
I also tried to do the same via ctypes but had the same problems.
The Apache httpd runs inside a job and a valid desktop name is given.



import os
import win32con
import win32process
import win32api
import subprocess

def launch_sub_process(environ, args, desktop_name, tmp_file):
    myenv = os.environ.copy()
    myenv["PYTHONOPTIMIZE"] = "2"

    # The reason we cannot use subprocess..., it does not allow setting
    # lpDesktop in STARTUPINFO
    startupinfo = win32process.STARTUPINFO()
    startupinfo.lpDesktop = desktop_name

    # CREATE_BREAKAWAY_FROM_JOB = 0x01000000 isn't defined in our
    # pywin32 version.
    createflags = (
        win32con.DETACHED_PROCESS |
        0x01000000 |
        win32con.CREATE_UNICODE_ENVIRONMENT)

    cmdline = subprocess.list2cmdline(args)

    # pywin32 special, if we pass CREATE_UNICODE_ENVIRONMENT
    # we must convert env to unicode ourselves too, why?
    myenv = {unicode(k): unicode(v) for k, v in myenv.items()}

    p_handle, th, worker_pid, _ = win32process.CreateProcess(
        None,         # appName
        cmdline,      # cmdLine
        None,         # processAttributes
        None,         # threadAttributes
        False,        # inherit handles
        createflags,  # creation flags
        myenv,        # environ
        None,         # current directory
        startupinfo   # pystartupinfo
    )
    win32api.CloseHandle(th)

    # Wait for the process to start
    # (wait_for_process is a helper defined elsewhere, not shown here)
    child_infos = wait_for_process(tmp_file,
                                   p_handle,
                                   worker_pid)

    return child_infos["port"], worker_pid


The only traceback I managed to capture was from inside the Windows API. It looks like a classical overflow that trashed the return address.



The stored exception information can be accessed via .ecxr.
(c8c.9c8): Access violation - code c0000005 (first/second chance not available)
eax=00000000 ebx=00000000 ecx=01b6bac1 edx=00000053 esi=00000000 edi=01b6c308
eip=75b4360d esp=01b6bf64 ebp=01b6c500 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
KERNELBASE!NtWow64CsrBasepCreateProcess+0xc:
75b4360d c20400 ret 4

0:002> kb
# ChildEBP RetAddr Args to Child
00 01b6bf60 75b4320f 01b6c308 0a2ad7c4 016ec340 KERNELBASE!NtWow64CsrBasepCreateProcess+0xc
01 01b6c500 75b424dc 00000000 00000000 18092780 KERNELBASE!CreateProcessInternalW+0xcf6


This looks like it happened just after the process creation is done and only the communication with the CSRSS.exe process needs to complete.



Does anyone have a hint what limits might be hit or how to fix this?










  • You can try to pass appName argument to CreateProcess, in which case CreateProcess doesn't modify the cmdLine argument.

    – zett42
    Nov 13 '18 at 18:50











  • Thanks for the suggestion. Might try that, but it should not matter, as the cmdLine buffer is in writeable memory.

    – schlenk
    Nov 14 '18 at 16:34















python winapi win32-process






asked Nov 13 '18 at 14:22









schlenk
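The question asks which limits the CreateProcess call might be hitting. The following pre-flight check is an added example, not code from the post: it validates the command line and the CREATE_UNICODE_ENVIRONMENT block against the documented constraints (32,767 characters including the terminating NUL for lpCommandLine, NUL-terminated `name=value` entries, a final extra NUL) so that malformed input can be ruled out and logged before the call. The names `preflight`, `build_env_block` and `utf16_units` are hypothetical, inputs are assumed to be unicode strings, and applying the 32,767-character per-variable limit to the whole `name=value` entry is a conservative assumption.

```python
# Added example: argument checks to run before win32process.CreateProcess.
MAX_UNITS = 32767  # documented lpCommandLine limit, incl. terminating NUL


def utf16_units(text):
    """Length of text in UTF-16 code units, the unit Windows counts in."""
    return len(text.encode("utf-16-le")) // 2


def build_env_block(env):
    """Return (block_bytes, problems) for a Unicode environment block."""
    problems, seen, entries = [], set(), []
    for name, value in env.items():
        # A leading '=' is legal (hidden per-drive variables such as "=C:").
        if not name or "=" in name[1:] or "\0" in name:
            problems.append("bad variable name: %r" % name)
            continue
        if "\0" in value:
            problems.append("NUL inside value of %s" % name)
            continue
        if name.upper() in seen:  # names are case-insensitive on Windows
            problems.append("duplicate name (case-insensitive): %s" % name)
            continue
        seen.add(name.upper())
        entry = "%s=%s" % (name, value)
        if utf16_units(entry) + 1 > MAX_UNITS:  # assumption: whole entry
            problems.append("variable too long: %s" % name)
        entries.append(entry)
    # The block is expected sorted by name, case-insensitively.
    entries.sort(key=lambda e: e[:e.index("=", 1)].upper())
    # Every entry is NUL-terminated; one more NUL terminates the block.
    block = ("".join(e + "\0" for e in entries) or "\0") + "\0"
    return block.encode("utf-16-le"), problems


def preflight(cmdline, env):
    """Collect reasons the arguments are malformed before CreateProcess."""
    block, problems = build_env_block(env)
    if "\0" in cmdline:
        problems.append("NUL inside command line")
    if utf16_units(cmdline) + 1 > MAX_UNITS:
        problems.append("command line exceeds %d characters" % MAX_UNITS)
    return block, problems
```

Logging the returned problem list together with the block size on every launch gives a record to compare against the next failing call.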
