Assignments leave their place partially-destroyed if the destructor panics

[arielb1]

STR

struct Bomb;
struct Observer<'a>(&'a mut (String, Bomb));

impl Drop for Bomb {
    fn drop(&mut self) {
        panic!("panicking destructors ftw!");
    }
}

impl<'a> Drop for Observer<'a> {
    fn drop(&mut self) {
        let _spray = "0wned".to_owned();
        println!("{}", &self.0 .0);
    }
}

fn foo(b: &mut Observer) {
    *b.0 = ("~".to_owned(), Bomb);
}

fn main() {
    let mut bomb = ("clear".to_owned(), Bomb);
    let mut observer = Observer(&mut bomb);
    foo(&mut observer);
}

Results

The assignment to *b.0 within foo calls the drop-glue for the value inside. The new tuple ("~", Bomb) is created, and then the drop glue for the old value of b is executed. It first frees the original string, and then attempts to calls Bomb's destructor. As the latter destructor panics, the function unwinds without storing a value in the place of the missing String, leaving a &mut reference that points to an invalid value, which can later be observed by a destructor or recover.

Fixes

The new value for the destination is available the whole time - the panic handler can just write it in.

[pnkfelix]

cc me

[arielb1]

It must be noted that the assigned location is supposed to be borrowed mutably while the drop glue is called, so underhanded tricks used by the drop-glue to get a reference to that location (e.g. #30228, which led to the discovery of this issue) are just aliasing-UB.

[nikomatsakis]

cc me.

[pnkfelix]

triage: P-medium

[arielb1]

This is causing problems to my non-zeroing-drop work.