Add job objects to terminate child processes on VM shutdown#40607
Merged
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
This PR introduces per-VM Windows Job Objects configured with JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE so that processes spawned by the WSL service (e.g., wslhost.exe, wslrelay.exe, and device host processes) are automatically terminated when the VM shuts down, preventing lingering processes from keeping package binaries/DLLs locked during upgrades.
Changes:
- Add a per-VM job object in
WslCoreVmand pass it through process-launch helpers so VM-scoped child processes are tied to VM lifetime. - Add a
SubProcess::SetJobObject()API that wiresPROC_THREAD_ATTRIBUTE_JOB_LISTinto process creation. - Add a job object in
DeviceHostProxyand assign the registered device host process to it.
Reviewed changes
Copilot reviewed 10 out of 10 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| src/windows/service/exe/WslCoreVm.h | Adds a VM-scoped job handle member to own the kill-on-close job lifetime. |
| src/windows/service/exe/WslCoreVm.cpp | Creates/configures the job object and passes it to debug/relay/instance launches. |
| src/windows/service/exe/WslCoreInstance.h | Extends instance construction to accept/store a job handle for subprocess launches. |
| src/windows/service/exe/WslCoreInstance.cpp | Plumbs the job handle through to interop server launch. |
| src/windows/common/SubProcess.h | Adds SetJobObject() API and stores an optional job handle. |
| src/windows/common/SubProcess.cpp | Implements job attribute wiring via PROC_THREAD_ATTRIBUTE_JOB_LIST. |
| src/windows/common/helpers.hpp | Extends Launch* helper signatures with an optional job handle parameter. |
| src/windows/common/helpers.cpp | Plumbs job handle into SubProcess launches for wslhost/wslrelay. |
| src/windows/common/DeviceHostProxy.h | Adds a job handle to manage device-host process lifetime. |
| src/windows/common/DeviceHostProxy.cpp | Creates/configures the job and assigns the device host PID to it. |
benhillis
force-pushed
the
benhill/job-object-child-processes
branch
from
af651e7 to
ad5556a
Compare
JohnMcPMS
previously approved these changes
May 21, 2026
Member
JohnMcPMS
left a comment
JohnMcPMS
left a comment
There was a problem hiding this comment.
Looks reasonable, but I definitely don't know enough about the process graph to speak to its completeness.
JohnMcPMS
reviewed
May 21, 2026
Comment on lines
+268
to
+273
| m_processJobObject.reset(CreateJobObjectW(nullptr, nullptr)); | ||
| THROW_LAST_ERROR_IF(!m_processJobObject); | ||
|
|
||
| JOBOBJECT_EXTENDED_LIMIT_INFORMATION jobInfo{}; | ||
| jobInfo.BasicLimitInformation.LimitFlags = JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE; | ||
| THROW_IF_WIN32_BOOL_FALSE(SetInformationJobObject(m_processJobObject.get(), JobObjectExtendedLimitInformation, &jobInfo, sizeof(jobInfo))); |
Member
There was a problem hiding this comment.
This is the third instance of this code; probably worth a helper.
Add JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE job objects to ensure that child processes spawned by the service (wsldevicehost, wslhost.exe, wslrelay.exe) are terminated when the VM shuts down. This prevents lingering processes from holding DLLs locked during package upgrades. Changes: - DeviceHostProxy: Create a job object and assign the COM device host process to it in RegisterDeviceHost. - WslCoreVm: Create a per-VM job object and pass it to LaunchDebugConsole, LaunchKdRelay, LaunchPortRelay, and WslCoreInstance. - SubProcess: Add SetJobObject() which uses PROC_THREAD_ATTRIBUTE_JOB_LIST to assign the process to the job at creation time. - helpers: Add optional JobObject parameter to Launch* functions. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Follow-up to the per-VM job object work: WSLCVirtualMachine::LaunchPortRelay spawns wslrelay.exe directly via SubProcess. Without a per-VM job object, if wslcsession.exe crashes or is force-killed before signaling m_vmTerminatingEvent, the spawned wslrelay.exe is orphaned and keeps wslrelay.exe locked. Create a JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE job in WSLCVirtualMachine::Initialize and pass it to LaunchPortRelay via SubProcess::SetJobObject, matching the pattern used in WslCoreVm. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Member destruction order is reverse of declaration order. Declare m_processJobObject before m_portRelayChannelRead/Write so the pipes are destroyed first and the job object (which kills wslrelay.exe) is destroyed last. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
benhillis
force-pushed
the
benhill/job-object-child-processes
branch
from
abbd937 to
5d87a5f
Compare
Replace four near-identical CreateJobObject + SetInformationJobObject blocks with a single helpers::CreateKillOnCloseJob() call: - WslCoreVm - DeviceHostProxy - WSLCVirtualMachine - WSLCSessionManager Addresses code review feedback from JohnMcPMS. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
JohnMcPMS
approved these changes
May 21, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Add
JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSEjob objects to ensure that child processes spawned by the service (wsldevicehost, wslhost.exe, wslrelay.exe) are terminated when the VM shuts down. This prevents lingering processes from holding DLLs locked during package upgrades.PR Checklist
cmake --build . -- -msucceeds)Detailed Description
Problem
During package upgrade,
wsldevicehost.dll(and potentiallywslhost.exe/wslrelay.exe) can remain running after the service exits, holding file locks that prevent the installer from replacing binaries.Solution
Create per-VM job objects with
JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE:RegisterDeviceHostPID) usingAssignProcessToJobObject.PROC_THREAD_ATTRIBUTE_JOB_LIST.SetJobObject()method that usesPROC_THREAD_ATTRIBUTE_JOB_LISTfor clean job assignment at process creation time.Launch*functions gain an optionalHANDLE JobObjectparameter (defaults tonullptrfor backward compatibility).When the VM is destroyed, the job handle closes and Windows automatically terminates all associated processes.
Validation Steps
cmake --build . -- -m(wslservice.exe, wsl.exe)