Please see <URL:https://sourceforge.net/tracker/index.php?func=detail&aid=442665&group_id=10894&atid=110894> -- I filed this bug with the TCL maintainers too. Here's what I told them: The function Tcl_GetsObjCmd in tclIOCmd.c can corrupt a freed object if it is called with objc == 3. This is because it retrieves resultPtr and does not increment its reference count, but then calls Tcl_ObjSetVar2, which causes the retrieved resultPtr object to be released. I will attach a patch, which I hope is correct (if not, please E-mail me and let me know why, so I can understand all of this better; I barely understand it). I'll attach the same patch I sent to them.
Created attachment 24087 [details] patch to fix tcl crash
I've looked at the patch and it indeed seems to fix and obvious logic problem. I'll watch the comp.lang.tcl and sourceforge to see the progress of this patch. I'm putting it in the next public beta because the fix seems to make sense.