Tcl Source Code

Ticket UUID: 1225727
Title: crash when process exits with open pipes
Type: Bug
Version: obsolete: 8.4.11
Submitter: kennykb
Created on: 2005-06-22 18:46:17
Subsystem: 27. Channel Types
Assigned To: kennykb
Priority: 9 Immediate
Severity:
Status: Closed
Last Modified: 2005-06-23 02:49:19
Resolution: Fixed
Closed By: kennykb
Closed on: 2005-06-22 19:49:19
Description:
tclWinPipe.c cleans up its process list in an
exit handler created by Tcl_CreateExitHandler.
The problem with this is that the exit handler is
called too soon - with the pipe still open.
When, subsequently, Tcl_FinalizeIOSubsystem
closes the pipe, the code goes off to
TclCleanupChildren to collect the exit status
and reap the child processes.  That procedure
eventually gets into Tcl_WaitPid, which calls
PipeInit.  PipeInit sees that 'initialized' is false,
and winds up calling Tcl_CreateExitHandler to
re-establish the exit handler.

The memory used by the second exit handler
is trashed upon return to Tcl_Finalize by the
calls to Tcl_FinalizeMemorySubsystem and
Tcl_FinalizeThreadAlloc.  The exit handler pointer,
however, is still linked on the chain. Once the
process finally exits, there is another call to
Tcl_Finalize from tclWin32Dll.c (DllMain).
This call runs ProcExitHandler again (which
is innocuous; all it does is turn off the
'initialized' flag). Then Tcl_Finalize does
ckfree on the exit handler structure, which
was trashed in Tcl_FinalizeMemorySubsystem,
corrupting the heap.

It turns out that this, too, is *usually* innocuous,
because little allocated memory remains
this late in the process.  I have seen, however,
the 'ckfree' corrupt the lock table in msvcrtd.dll,
resulting in a crash deep in ntdll.dll on the
final cleanup of C runtime.

The attached patch is an attempt to fix it
in 8.4, and applies to 8.4.11rc5.  It works by
delaying cleanup of the pipe subsystem until
after all channels are closed.  It also adds
an assertion in Tcl_Finalize that no exit
handlers have been created in the dead
process.
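
The ordering problem described above, as an added example that is not part of the ticket or of the Tcl sources: a simplified model of an exit-handler chain in which lazy pipe initialization re-registers a handler during finalization. All names (create_exit_handler, pipe_init, finalize, late_handlers) are hypothetical; the counter stands in for the assertion the patch adds, and the late registration is refused rather than left dangling.

```c
#include <stdlib.h>

typedef void ExitProc(void);
typedef struct Handler { ExitProc *proc; struct Handler *next; } Handler;

static Handler *chain;        /* registered exit handlers */
static int finalizing;        /* set once finalize() starts running handlers */
static int late_handlers;     /* registrations attempted during finalization */
static int pipe_initialized;  /* models the 'initialized' flag in the ticket */

/* Register a handler; refuse and count it once finalization has begun. */
static void create_exit_handler(ExitProc *proc) {
    Handler *h;
    if (finalizing) { late_handlers++; return; }
    h = malloc(sizeof *h);
    if (h == NULL) abort();
    h->proc = proc; h->next = chain; chain = h;
}

static void pipe_exit_handler(void) { pipe_initialized = 0; }

/* Lazy init: registers the exit handler whenever the flag is clear. */
static void pipe_init(int use_exit_handler) {
    if (pipe_initialized) return;
    pipe_initialized = 1;
    if (use_exit_handler) create_exit_handler(pipe_exit_handler);
}

/* Closing a pipe channel reaps children, which reaches pipe_init again. */
static void close_pipe_channel(int use_exit_handler) { pipe_init(use_exit_handler); }

/* Returns the number of handlers registered in the dying process.
 * use_exit_handler=1: pipe cleanup runs as an exit handler (too early).
 * use_exit_handler=0: pipe cleanup is delayed until channels are closed. */
int finalize(int use_exit_handler) {
    chain = NULL; finalizing = 0; late_handlers = 0; pipe_initialized = 0;
    pipe_init(use_exit_handler);            /* process opened a pipe earlier */
    finalizing = 1;
    while (chain != NULL) {                 /* run and free exit handlers */
        Handler *h = chain; chain = h->next;
        h->proc(); free(h);
    }
    close_pipe_channel(use_exit_handler);   /* I/O subsystem finalization */
    if (!use_exit_handler) pipe_exit_handler(); /* delayed pipe cleanup */
    return late_handlers;
}
```

A nonzero return from finalize() is the condition the ticket's assertion is meant to catch: a handler created after the chain has already been run.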
User Comments: kennykb added on 2005-06-23 02:49:19:

Fix committed to HEAD and core-8-4-branch.  We might want to
re-tag 8.4.11 to accommodate it.

kennykb added on 2005-06-23 01:46:26:

File Added - 139407: pipes.patch
