nanomsg / nng

nanomsg-next-generation -- light-weight brokerless messaging
https://nng.nanomsg.org
MIT License

Use after free in push #1653

Closed gdamore closed 1 year ago

gdamore commented 1 year ago

It looks like if we try to destroy a pipe while we are starting up, this can lead to a use after free. This was observed as a segfault on Windows, and I've observed it on Linux as well, with the sanitizer:

=== RUN: Pipe notify works

  We can create a pipeline ✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔
    Dialing works ✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔
      We can send a frame ✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔
      Reconnection works ✔✔✔✔✔✔✔✔✔✔
        They still exchange frames ✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔
    Reject works ✔✔✔✔✔✔✔=================================================================
✔✔✔✔✔==9256==ERROR: AddressSanitizer: heap-use-after-free on address 0x61b00002fe60 at pc 0x55e4ddaf53b3 bp 0x7f9baef0d750 sp 0x7f9baef0d748
WRITE of size 8 at 0x61b00002fe60 thread T9
    #0 0x55e4ddaf53b2 in nni_list_append /home/runner/work/nng/nng/src/core/list.c:64:25
    #1 0x55e4ddb18b03 in push0_pipe_ready /home/runner/work/nng/nng/src/sp/protocol/pipeline0/push.c:216:3
    #2 0x55e4ddb1845f in push0_pipe_start /home/runner/work/nng/nng/src/sp/protocol/pipeline0/push.c:138:2
    #3 0x55e4ddb05fb9 in nni_dialer_add_pipe /home/runner/work/nng/nng/src/core/socket.c:1490:6
    #4 0x55e4ddaf0ee7 in dialer_connect_cb /home/runner/work/nng/nng/src/core/dialer.c:380:3
    #5 0x55e4ddb0c272 in nni_taskq_thread /home/runner/work/nng/nng/src/core/taskq.c:47:4
    #6 0x55e4ddb0d7cd in nni_thr_wrap /home/runner/work/nng/nng/src/core/thread.c:94:3
    #7 0x55e4ddb14a17 in nni_plat_thr_main /home/runner/work/nng/nng/src/platform/posix/posix_thread.c:266:2
    #8 0x7f9bb95efb42  (/lib/x86_64-linux-gnu/libc.so.6+0x94b42) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)
    #9 0x7f9bb96819ff  (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)

0x61b00002fe60 is located 736 bytes inside of 1664-byte region [0x61b00002fb80,0x61b000030200)
freed by thread T10 here:
    #0 0x55e4dda8f3d2 in free (/home/runner/work/nng/nng/build/tests/pipe+0xc43d2) (BuildId: 39fa30e0862f9f7c872287602626f4af735245f2)
    #1 0x55e4ddb12b38 in nni_free /home/runner/work/nng/nng/src/platform/posix/posix_alloc.c:33:2
    #2 0x55e4ddaffc1c in pipe_destroy /home/runner/work/nng/nng/src/core/pipe.c:74:2
    #3 0x55e4ddb0026e in reap_worker /home/runner/work/nng/nng/src/core/reap.c:58:5
    #4 0x55e4ddb0d7cd in nni_thr_wrap /home/runner/work/nng/nng/src/core/thread.c:94:3
    #5 0x55e4ddb14a17 in nni_plat_thr_main /home/runner/work/nng/nng/src/platform/posix/posix_thread.c:266:2
    #6 0x7f9bb95efb42  (/lib/x86_64-linux-gnu/libc.so.6+0x94b42) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)

previously allocated by thread T6 here:
    #0 0x55e4dda8f868 in __interceptor_calloc (/home/runner/work/nng/nng/build/tests/pipe+0xc4868) (BuildId: 39fa30e0862f9f7c872287602626f4af735245f2)
    #1 0x55e4ddb12af4 in nni_zalloc /home/runner/work/nng/nng/src/platform/posix/posix_alloc.c:26:19
    #2 0x55e4ddafe910 in pipe_create /home/runner/work/nng/nng/src/core/pipe.c:239:11
    #3 0x55e4ddafe6e3 in nni_pipe_create_dialer /home/runner/work/nng/nng/src/core/pipe.c:289:12
    #4 0x55e4ddb05c19 in nni_dialer_add_pipe /home/runner/work/nng/nng/src/core/socket.c:1464:6
    #5 0x55e4ddaf0ee7 in dialer_connect_cb /home/runner/work/nng/nng/src/core/dialer.c:380:3
    #6 0x55e4ddb0c272 in nni_taskq_thread /home/runner/work/nng/nng/src/core/taskq.c:47:4
    #7 0x55e4ddb0d7cd in nni_thr_wrap /home/runner/work/nng/nng/src/core/thread.c:94:3
    #8 0x55e4ddb14a17 in nni_plat_thr_main /home/runner/work/nng/nng/src/platform/posix/posix_thread.c:266:2
    #9 0x7f9bb95efb42  (/lib/x86_64-linux-gnu/libc.so.6+0x94b42) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)

Thread T9 created by T0 here:
    #0 0x55e4dda78afc in pthread_create (/home/runner/work/nng/nng/build/tests/pipe+0xadafc) (BuildId: 39fa30e0862f9f7c872287602626f4af735245f2)
    #1 0x55e4ddb14850 in nni_plat_thr_init /home/runner/work/nng/nng/src/platform/posix/posix_thread.c:279:7
    #2 0x55e4ddb0d51d in nni_thr_init /home/runner/work/nng/nng/src/core/thread.c:121:12
    #3 0x55e4ddb0bf79 in nni_taskq_init /home/runner/work/nng/nng/src/core/taskq.c:92:8
    #4 0x55e4ddb0d092 in nni_taskq_sys_init /home/runner/work/nng/nng/src/core/taskq.c:261:10
    #5 0x55e4ddaf4e2c in nni_init_helper /home/runner/work/nng/nng/src/core/init.c:35:13
    #6 0x55e4ddb14e75 in nni_plat_init /home/runner/work/nng/nng/src/platform/posix/posix_thread.c:422:12
    #7 0x55e4ddaf4def in nni_init /home/runner/work/nng/nng/src/core/init.c:55:10
    #8 0x55e4ddb20900 in nng_mtx_alloc /home/runner/work/nng/nng/src/supplemental/util/platform.c:80:9
    #9 0x55e4ddacbc37 in conveyMainImpl /home/runner/work/nng/nng/tests/pipe.c:116:1
    #10 0x55e4ddad3a54 in conveyMain /home/runner/work/nng/nng/tests/convey.c:1045:6
    #11 0x55e4ddacf391 in main /home/runner/work/nng/nng/tests/pipe.c:116:1
    #12 0x7f9bb9584d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)

Thread T10 created by T0 here:
    #0 0x55e4dda78afc in pthread_create (/home/runner/work/nng/nng/build/tests/pipe+0xadafc) (BuildId: 39fa30e0862f9f7c872287602626f4af735245f2)
    #1 0x55e4ddb14850 in nni_plat_thr_init /home/runner/work/nng/nng/src/platform/posix/posix_thread.c:279:7
    #2 0x55e4ddb0d51d in nni_thr_init /home/runner/work/nng/nng/src/core/thread.c:121:12
    #3 0x55e4ddb000ae in nni_reap_sys_init /home/runner/work/nng/nng/src/core/reap.c:110:12
    #4 0x55e4ddaf4e3d in nni_init_helper /home/runner/work/nng/nng/src/core/init.c:36:13
    #5 0x55e4ddb14e75 in nni_plat_init /home/runner/work/nng/nng/src/platform/posix/posix_thread.c:422:12
    #6 0x55e4ddaf4def in nni_init /home/runner/work/nng/nng/src/core/init.c:55:10
    #7 0x55e4ddb20900 in nng_mtx_alloc /home/runner/work/nng/nng/src/supplemental/util/platform.c:80:9
    #8 0x55e4ddacbc37 in conveyMainImpl /home/runner/work/nng/nng/tests/pipe.c:116:1
    #9 0x55e4ddad3a54 in conveyMain /home/runner/work/nng/nng/tests/convey.c:1045:6
    #10 0x55e4ddacf391 in main /home/runner/work/nng/nng/tests/pipe.c:116:1
    #11 0x7f9bb9584d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)

Thread T6 created by T0 here:
    #0 0x55e4dda78afc in pthread_create (/home/runner/work/nng/nng/build/tests/pipe+0xadafc) (BuildId: 39fa30e0862f9f7c872287602626f4af735245f2)
    #1 0x55e4ddb14850 in nni_plat_thr_init /home/runner/work/nng/nng/src/platform/posix/posix_thread.c:279:7
    #2 0x55e4ddb0d51d in nni_thr_init /home/runner/work/nng/nng/src/core/thread.c:121:12
    #3 0x55e4ddb0bf79 in nni_taskq_init /home/runner/work/nng/nng/src/core/taskq.c:92:8
    #4 0x55e4ddb0d092 in nni_taskq_sys_init /home/runner/work/nng/nng/src/core/taskq.c:261:10
    #5 0x55e4ddaf4e2c in nni_init_helper /home/runner/work/nng/nng/src/core/init.c:35:13
    #6 0x55e4ddb14e75 in nni_plat_init /home/runner/work/nng/nng/src/platform/posix/posix_thread.c:422:12
    #7 0x55e4ddaf4def in nni_init /home/runner/work/nng/nng/src/core/init.c:55:10
    #8 0x55e4ddb20900 in nng_mtx_alloc /home/runner/work/nng/nng/src/supplemental/util/platform.c:80:9
    #9 0x55e4ddacbc37 in conveyMainImpl /home/runner/work/nng/nng/tests/pipe.c:116:1
    #10 0x55e4ddad3a54 in conveyMain /home/runner/work/nng/nng/tests/convey.c:1045:6
    #11 0x55e4ddacf391 in main /home/runner/work/nng/nng/tests/pipe.c:116:1
    #12 0x7f9bb9584d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)

SUMMARY: AddressSanitizer: heap-use-after-free /home/runner/work/nng/nng/src/core/list.c:64:25 in nni_list_append
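
The trace above shows the reaper thread (T10) freeing the pipe in pipe_destroy while the dialer's connect callback (T9) is still inside push0_pipe_start, linking the same pipe into the protocol's list. The following is an added example, not nng's own code and not the fix referenced in this issue: a small C model of that ordering, with hypothetical names (pipe_hold, pipe_rele, pipe_close, proto_pipe_start, proto_pipe_stop, ready_list_t), showing the usual defence of a reference count plus a closed flag checked under the pipe's lock, so that a start callback racing with a close either gets a reference that keeps the object alive or is refused outright. It assumes that whoever drives the start callback (the dialer, here) holds its own reference for the duration of the call.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model of the race in this report, not nng's own code: a reaper
 * thread destroys a pipe while the protocol's start callback links it into a
 * ready list.  The defence is a reference count plus a "closed" flag, checked
 * under the pipe's lock before any new holder is admitted. */

typedef struct pipe {
    pthread_mutex_t mtx;
    int          refcnt; /* creator's ref, plus one per holder (e.g. the list) */
    bool         closed; /* once set, pipe_hold() admits no new holders */
    struct pipe *next;   /* link used by the protocol's ready list */
} pipe_t;

typedef struct { pthread_mutex_t mtx; pipe_t *head; } ready_list_t;

static atomic_int live_pipes; /* allocated and not yet freed, for checking */

pipe_t *pipe_create(void)
{
    pipe_t *p = calloc(1, sizeof(*p));
    if (p == NULL) return NULL;
    pthread_mutex_init(&p->mtx, NULL);
    p->refcnt = 1; /* the creator's reference, dropped by pipe_close() */
    atomic_fetch_add(&live_pipes, 1);
    return p;
}

/* Take a reference unless the pipe is closing.  On false the caller must not
 * touch the pipe again: it may be freed as soon as the other holders let go. */
bool pipe_hold(pipe_t *p)
{
    pthread_mutex_lock(&p->mtx);
    bool ok = !p->closed;
    if (ok) p->refcnt++;
    pthread_mutex_unlock(&p->mtx);
    return ok;
}

/* Drop a reference; the last one out frees the pipe.  Returns true if freed. */
bool pipe_rele(pipe_t *p)
{
    pthread_mutex_lock(&p->mtx);
    int left = --p->refcnt;
    pthread_mutex_unlock(&p->mtx);
    if (left > 0) return false;
    pthread_mutex_destroy(&p->mtx); /* no holders remain, so this is safe */
    free(p);
    atomic_fetch_sub(&live_pipes, 1);
    return true;
}

/* Refuse new holders, then drop the creator's reference.  Returns true if the
 * pipe was freed right here (nobody else held it). */
bool pipe_close(pipe_t *p)
{
    pthread_mutex_lock(&p->mtx);
    p->closed = true;
    pthread_mutex_unlock(&p->mtx);
    return pipe_rele(p);
}

/* Protocol start callback, hardened: the list owns a reference for as long as
 * the pipe is linked, so a concurrent close cannot free it underneath us, and a
 * pipe that is already closing is never linked at all (-1, nothing to undo). */
int proto_pipe_start(ready_list_t *l, pipe_t *p)
{
    if (!pipe_hold(p)) return -1;
    pthread_mutex_lock(&l->mtx);
    p->next = l->head;
    l->head = p;
    pthread_mutex_unlock(&l->mtx);
    return 0;
}

/* Protocol stop callback: unlink, then give back the list's reference. */
void proto_pipe_stop(ready_list_t *l, pipe_t *p)
{
    pthread_mutex_lock(&l->mtx);
    for (pipe_t **pp = &l->head; *pp != NULL; pp = &(*pp)->next)
        if (*pp == p) { *pp = p->next; break; }
    pthread_mutex_unlock(&l->mtx);
    pipe_rele(p);
}

int live_pipe_count(void) { return atomic_load(&live_pipes); }

int main(void)
{
    ready_list_t l = { PTHREAD_MUTEX_INITIALIZER, NULL };
    pipe_t *p = pipe_create();
    pipe_hold(p);                      /* dialer callback in flight */
    pipe_close(p);                     /* reaper closes first; dialer still holds */
    int rv = proto_pipe_start(&l, p);  /* refused instead of linking freed memory */
    pipe_rele(p);                      /* dialer done: last reference frees it */
    printf("start on closing pipe: %d, live pipes: %d\n", rv, live_pipe_count());
    return 0;
}
```

The point of the model is the ordering in the trace: the reaper runs pipe_close before the start callback reaches the list append. Without the closed check the append writes into an object that the reaper can free at any moment, which is exactly the WRITE of size 8 in nni_list_append that the sanitizer reports; with it, the callback either fails to take a reference and returns, or holds a reference that keeps the pipe alive until proto_pipe_stop gives it back. A sanitizer build of the test suite is the cheapest way to catch regressions of this kind, since the race is only occasionally visible as a segfault.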

gdamore commented 1 year ago

I think it's possible that 0062eb8c0a87479498bf360d1f5a43900948827f may have fixed this.

gdamore commented 1 year ago

I haven't seen this in a while, so I'm closing as not reproducible/fixed.