Store the Windows process HANDLE in Execution to avoid pid reuse races

Unlike Unix, Windows doesn't have a "zombie" state where the numeric pid remains valid after the subprocess has exited. Instead, the numeric process ID becomes invalid immediately once the process has exited. Per the Windows documentation of GetProcessId and related APIs, "Until a process terminates, its process identifier uniquely identifies it on the system."

On Windows, instead of closing/discarding the process HANDLE immediately after CreateProcess returns, retain the HANDLE in Execution and only close it once monitorProcessTermination returns. This resolve a race condition where the process could have exited between the period where CloseProcess was called and monitorProcessTermination is called. Now we simply use the original process handle to wait for the process to exit and retrieve its exit code, rather than "reverse engineering" its HANDLE from its numeric pid using OpenProcess.

Closes #92

Author: jakepetroules

Sources/Subprocess/API.swift

@@ -644,39 +644,40 @@ public func runDetached(
     output: FileDescriptor? = nil,
     error: FileDescriptor? = nil
 ) throws -> ProcessIdentifier {
+    let execution: Execution
     switch (input, output, error) {
     case (.none, .none, .none):
         let processInput = NoInput()
         let processOutput = DiscardedOutput()
         let processError = DiscardedOutput()
-        return try configuration.spawn(
+        execution = try configuration.spawn(
             withInput: try processInput.createPipe(),
             outputPipe: try processOutput.createPipe(),
             errorPipe: try processError.createPipe()
-        ).execution.processIdentifier
+        ).execution
     case (.none, .none, .some(let errorFd)):
         let processInput = NoInput()
         let processOutput = DiscardedOutput()
         let processError = FileDescriptorOutput(
             fileDescriptor: errorFd,
             closeAfterSpawningProcess: false
         )
-        return try configuration.spawn(
+        execution = try configuration.spawn(
             withInput: try processInput.createPipe(),
             outputPipe: try processOutput.createPipe(),
             errorPipe: try processError.createPipe()
-        ).execution.processIdentifier
+        ).execution
     case (.none, .some(let outputFd), .none):
         let processInput = NoInput()
         let processOutput = FileDescriptorOutput(
             fileDescriptor: outputFd, closeAfterSpawningProcess: false
         )
         let processError = DiscardedOutput()
-        return try configuration.spawn(
+        execution = try configuration.spawn(
             withInput: try processInput.createPipe(),
             outputPipe: try processOutput.createPipe(),
             errorPipe: try processError.createPipe()
-        ).execution.processIdentifier
+        ).execution
     case (.none, .some(let outputFd), .some(let errorFd)):
         let processInput = NoInput()
         let processOutput = FileDescriptorOutput(
@@ -687,23 +688,23 @@ public func runDetached(
             fileDescriptor: errorFd,
             closeAfterSpawningProcess: false
         )
-        return try configuration.spawn(
+        execution = try configuration.spawn(
             withInput: try processInput.createPipe(),
             outputPipe: try processOutput.createPipe(),
             errorPipe: try processError.createPipe()
-        ).execution.processIdentifier
+        ).execution
     case (.some(let inputFd), .none, .none):
         let processInput = FileDescriptorInput(
             fileDescriptor: inputFd,
             closeAfterSpawningProcess: false
         )
         let processOutput = DiscardedOutput()
         let processError = DiscardedOutput()
-        return try configuration.spawn(
+        execution = try configuration.spawn(
             withInput: try processInput.createPipe(),
             outputPipe: try processOutput.createPipe(),
             errorPipe: try processError.createPipe()
-        ).execution.processIdentifier
+        ).execution
     case (.some(let inputFd), .none, .some(let errorFd)):
         let processInput = FileDescriptorInput(
             fileDescriptor: inputFd, closeAfterSpawningProcess: false
@@ -713,11 +714,11 @@ public func runDetached(
             fileDescriptor: errorFd,
             closeAfterSpawningProcess: false
         )
-        return try configuration.spawn(
+        execution = try configuration.spawn(
             withInput: try processInput.createPipe(),
             outputPipe: try processOutput.createPipe(),
             errorPipe: try processError.createPipe()
-        ).execution.processIdentifier
+        ).execution
     case (.some(let inputFd), .some(let outputFd), .none):
         let processInput = FileDescriptorInput(
             fileDescriptor: inputFd,
@@ -728,11 +729,11 @@ public func runDetached(
             closeAfterSpawningProcess: false
         )
         let processError = DiscardedOutput()
-        return try configuration.spawn(
+        execution = try configuration.spawn(
             withInput: try processInput.createPipe(),
             outputPipe: try processOutput.createPipe(),
             errorPipe: try processError.createPipe()
-        ).execution.processIdentifier
+        ).execution
     case (.some(let inputFd), .some(let outputFd), .some(let errorFd)):
         let processInput = FileDescriptorInput(
             fileDescriptor: inputFd,
@@ -746,11 +747,13 @@ public func runDetached(
             fileDescriptor: errorFd,
             closeAfterSpawningProcess: false
         )
-        return try configuration.spawn(
+        execution = try configuration.spawn(
             withInput: try processInput.createPipe(),
             outputPipe: try processOutput.createPipe(),
             errorPipe: try processError.createPipe()
-        ).execution.processIdentifier
+        ).execution
     }
+    execution.release()
+    return execution.processIdentifier
 }
 

Sources/Subprocess/Configuration.swift

@@ -103,7 +103,7 @@ public struct Configuration: Sendable {
         // even if `body` throws, and we are not leaving zombie processes in the
         // process table which will cause the process termination monitoring thread
         // to effectively hang due to the pid never being awaited
-        let terminationStatus = try await Subprocess.monitorProcessTermination(forProcessWithIdentifier: processIdentifier)
+        let terminationStatus = try await Subprocess.monitorProcessTermination(forExecution: _spawnResult.execution)
 
         return try ExecutionResult(terminationStatus: terminationStatus, value: result.get())
     }

Sources/Subprocess/Execution.swift

@@ -35,13 +35,16 @@ public struct Execution: Sendable {
     public let processIdentifier: ProcessIdentifier
 
     #if os(Windows)
+    internal nonisolated(unsafe) let processInformation: PROCESS_INFORMATION
     internal let consoleBehavior: PlatformOptions.ConsoleBehavior
 
     init(
         processIdentifier: ProcessIdentifier,
+        processInformation: PROCESS_INFORMATION,
         consoleBehavior: PlatformOptions.ConsoleBehavior
     ) {
         self.processIdentifier = processIdentifier
+        self.processInformation = processInformation
         self.consoleBehavior = consoleBehavior
     }
     #else
@@ -51,6 +54,17 @@ public struct Execution: Sendable {
         self.processIdentifier = processIdentifier
     }
     #endif  // os(Windows)
+
+    internal func release() {
+        #if os(Windows)
+        guard CloseHandle(processInformation.hThread) else {
+            fatalError("Failed to close thread HANDLE: \(SubprocessError.UnderlyingError(rawValue: GetLastError()))")
+        }
+        guard CloseHandle(processInformation.hProcess) else {
+            fatalError("Failed to close process HANDLE: \(SubprocessError.UnderlyingError(rawValue: GetLastError()))")
+        }
+        #endif
+    }
 }
 
 // MARK: - Output Capture

Sources/Subprocess/Platforms/Subprocess+Darwin.swift

@@ -485,18 +485,18 @@ extension String {
 // MARK: - Process Monitoring
 @Sendable
 internal func monitorProcessTermination(
-    forProcessWithIdentifier pid: ProcessIdentifier
+    forExecution execution: Execution
 ) async throws -> TerminationStatus {
     return try await withCheckedThrowingContinuation { continuation in
         let source = DispatchSource.makeProcessSource(
-            identifier: pid.value,
+            identifier: execution.processIdentifier.value,
             eventMask: [.exit],
             queue: .global()
         )
         source.setEventHandler {
             source.cancel()
             var siginfo = siginfo_t()
-            let rc = waitid(P_PID, id_t(pid.value), &siginfo, WEXITED)
+            let rc = waitid(P_PID, id_t(execution.processIdentifier.value), &siginfo, WEXITED)
             guard rc == 0 else {
                 continuation.resume(
                     throwing: SubprocessError(

Sources/Subprocess/Platforms/Subprocess+Linux.swift

@@ -265,7 +265,7 @@ extension String {
 // MARK: - Process Monitoring
 @Sendable
 internal func monitorProcessTermination(
-    forProcessWithIdentifier pid: ProcessIdentifier
+    forExecution execution: Execution
 ) async throws -> TerminationStatus {
     try await withCheckedThrowingContinuation { continuation in
         _childProcessContinuations.withLock { continuations in
@@ -274,7 +274,7 @@ internal func monitorProcessTermination(
             // the child process has terminated and manages to acquire the lock before
             // we add this continuation to the dictionary, then it will simply loop
             // and report the status again.
-            let oldContinuation = continuations.updateValue(continuation, forKey: pid.value)
+            let oldContinuation = continuations.updateValue(continuation, forKey: execution.processIdentifier.value)
             precondition(oldContinuation == nil)
 
             // Wake up the waiter thread if it is waiting for more child processes.

Sources/Subprocess/Platforms/Subprocess+Windows.swift

@@ -116,54 +116,33 @@ extension Configuration {
                 }
             }
         }
-        // We don't need the handle objects, so close it right away
-        guard CloseHandle(processInfo.hThread) else {
-            let windowsError = GetLastError()
-            try self.safelyCloseMultiple(
-                inputRead: inputReadFileDescriptor,
-                inputWrite: inputWriteFileDescriptor,
-                outputRead: outputReadFileDescriptor,
-                outputWrite: outputWriteFileDescriptor,
-                errorRead: errorReadFileDescriptor,
-                errorWrite: errorWriteFileDescriptor
-            )
-            throw SubprocessError(
-                code: .init(.spawnFailed),
-                underlyingError: .init(rawValue: windowsError)
-            )
-        }
-        guard CloseHandle(processInfo.hProcess) else {
-            let windowsError = GetLastError()
-            try self.safelyCloseMultiple(
-                inputRead: inputReadFileDescriptor,
-                inputWrite: inputWriteFileDescriptor,
-                outputRead: outputReadFileDescriptor,
-                outputWrite: outputWriteFileDescriptor,
-                errorRead: errorReadFileDescriptor,
-                errorWrite: errorWriteFileDescriptor
-            )
-            throw SubprocessError(
-                code: .init(.spawnFailed),
-                underlyingError: .init(rawValue: windowsError)
-            )
-        }
-
-        try self.safelyCloseMultiple(
-            inputRead: inputReadFileDescriptor,
-            inputWrite: nil,
-            outputRead: nil,
-            outputWrite: outputWriteFileDescriptor,
-            errorRead: nil,
-            errorWrite: errorWriteFileDescriptor
-        )
 
         let pid = ProcessIdentifier(
             value: processInfo.dwProcessId
         )
         let execution = Execution(
             processIdentifier: pid,
+            processInformation: processInfo,
             consoleBehavior: self.platformOptions.consoleBehavior
         )
+
+        do {
+            // After spawn finishes, close all child side fds
+            try self.safelyCloseMultiple(
+                inputRead: inputReadFileDescriptor,
+                inputWrite: nil,
+                outputRead: nil,
+                outputWrite: outputWriteFileDescriptor,
+                errorRead: nil,
+                errorWrite: errorWriteFileDescriptor
+            )
+        } catch {
+            // If spawn() throws, monitorProcessTermination or runDetached
+            // won't have an opportunity to call release, so do it here to avoid leaking the handles.
+            execution.release()
+            throw error
+        }
+
         return SpawnResult(
             execution: execution,
             inputWriteEnd: inputWriteFileDescriptor?.createPlatformDiskIO(),
@@ -259,55 +238,33 @@ extension Configuration {
                 }
             }
         }
-        // We don't need the handle objects, so close it right away
-        guard CloseHandle(processInfo.hThread) else {
-            let windowsError = GetLastError()
-            try self.safelyCloseMultiple(
-                inputRead: inputReadFileDescriptor,
-                inputWrite: inputWriteFileDescriptor,
-                outputRead: outputReadFileDescriptor,
-                outputWrite: outputWriteFileDescriptor,
-                errorRead: errorReadFileDescriptor,
-                errorWrite: errorWriteFileDescriptor
-            )
-            throw SubprocessError(
-                code: .init(.spawnFailed),
-                underlyingError: .init(rawValue: windowsError)
-            )
-        }
-        guard CloseHandle(processInfo.hProcess) else {
-            let windowsError = GetLastError()
-            try self.safelyCloseMultiple(
-                inputRead: inputReadFileDescriptor,
-                inputWrite: inputWriteFileDescriptor,
-                outputRead: outputReadFileDescriptor,
-                outputWrite: outputWriteFileDescriptor,
-                errorRead: errorReadFileDescriptor,
-                errorWrite: errorWriteFileDescriptor
-            )
-            throw SubprocessError(
-                code: .init(.spawnFailed),
-                underlyingError: .init(rawValue: windowsError)
-            )
-        }
-
-        // After spawn finishes, close all child side fds
-        try self.safelyCloseMultiple(
-            inputRead: inputReadFileDescriptor,
-            inputWrite: nil,
-            outputRead: nil,
-            outputWrite: outputWriteFileDescriptor,
-            errorRead: nil,
-            errorWrite: errorWriteFileDescriptor
-        )
 
         let pid = ProcessIdentifier(
             value: processInfo.dwProcessId
         )
         let execution = Execution(
             processIdentifier: pid,
+            processInformation: processInfo,
             consoleBehavior: self.platformOptions.consoleBehavior
         )
+
+        do {
+            // After spawn finishes, close all child side fds
+            try self.safelyCloseMultiple(
+                inputRead: inputReadFileDescriptor,
+                inputWrite: nil,
+                outputRead: nil,
+                outputWrite: outputWriteFileDescriptor,
+                errorRead: nil,
+                errorWrite: errorWriteFileDescriptor
+            )
+        } catch {
+            // If spawn() throws, monitorProcessTermination or runDetached
+            // won't have an opportunity to call release, so do it here to avoid leaking the handles.
+            execution.release()
+            throw error
+        }
+
         return SpawnResult(
             execution: execution,
             inputWriteEnd: inputWriteFileDescriptor?.createPlatformDiskIO(),
@@ -464,7 +421,7 @@ extension PlatformOptions: CustomStringConvertible, CustomDebugStringConvertible
 // MARK: - Process Monitoring
 @Sendable
 internal func monitorProcessTermination(
-    forProcessWithIdentifier pid: ProcessIdentifier
+    forExecution execution: Execution
 ) async throws -> TerminationStatus {
     // Once the continuation resumes, it will need to unregister the wait, so
     // yield the wait handle back to the calling scope.
@@ -473,15 +430,8 @@ internal func monitorProcessTermination(
         if let waitHandle {
             _ = UnregisterWait(waitHandle)
         }
-    }
-    guard
-        let processHandle = OpenProcess(
-            DWORD(PROCESS_QUERY_INFORMATION | SYNCHRONIZE),
-            false,
-            pid.value
-        )
-    else {
-        return .exited(1)
+
+        execution.release()
     }
 
     try? await withCheckedThrowingContinuation { (continuation: CheckedContinuation<Void, any Error>) in
@@ -500,7 +450,7 @@ internal func monitorProcessTermination(
         guard
             RegisterWaitForSingleObject(
                 &waitHandle,
-                processHandle,
+                execution.processHandle,
                 callback,
                 context,
                 INFINITE,
@@ -518,7 +468,7 @@ internal func monitorProcessTermination(
     }
 
     var status: DWORD = 0
-    guard GetExitCodeProcess(processHandle, &status) else {
+    guard GetExitCodeProcess(execution.processHandle, &status) else {
         // The child process terminated but we couldn't get its status back.
         // Assume generic failure.
         return .exited(1)