Open gnzlbg opened 5 years ago
@rustbot modify labels: T-lang T-doc
cc @rust-lang/wg-unsafe-code-guidelines @rust-lang/lang
Previous issue: https://github.com/rust-lang/rust/issues/50765
And also: https://github.com/rust-lang-nursery/reference/issues/348
Related: https://github.com/rust-lang/rust/pull/60840#issuecomment-492435720
> The assumption this PR is making is that once [MIR] `drop` returns to a function, whether it succeeds or panics, it is UB for the function to then access that local.
It was decided in, I think, #14875, that `Drop::drop` can panic, and if this happens, the value must be leaked (at least in a generic context), that is, it cannot be re-dropped, and doing that could invoke UB (that's at least what generic unsafe code needs to assume). This does not appear to be documented anywhere.

These semantics make the following snippet have undefined behavior due to double-drops (playground uses `T = Vec<HasDrop>`):

To avoid UB, that snippet must be changed to unconditionally leak the value independently of whether `drop_in_place` succeeded or failed:

cc @Centril - this might be a T-lang issue, I don't know the best way to word this, and I can't find any RFC designing this part of the language.
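Added example (not the issue's playground snippet, nor code from the Rust reference) of the unconditional-leak pattern described above: the value is wrapped in `ManuallyDrop` before `drop_in_place` runs under `catch_unwind`, so a panicking destructor can never lead to a second drop. `HasDrop`, the `DROPS` counter and the `make`/`drops_after` helpers are constructed for this example.

```rust
use std::any::Any;
use std::cell::Cell;
use std::mem::ManuallyDrop;
use std::panic::{catch_unwind, AssertUnwindSafe};
use std::ptr;

thread_local! {
    // Constructed bookkeeping: how many times `HasDrop::drop` has run on this thread.
    static DROPS: Cell<usize> = Cell::new(0);
}

/// Constructed stand-in for the issue's `HasDrop`: its destructor panics on request.
struct HasDrop {
    panics: bool,
}

impl Drop for HasDrop {
    fn drop(&mut self) {
        DROPS.with(|d| d.set(d.get() + 1));
        if self.panics {
            panic!("HasDrop::drop panicked");
        }
    }
}

/// Run `value`'s destructor once via `drop_in_place`, catching a panic from it.
/// Because the value sits in a `ManuallyDrop`, the compiler emits no drop for it
/// on either the normal or the unwind path: on panic the (partially destroyed)
/// value is leaked instead of being double-dropped.
fn drop_once_leak_on_panic<T>(value: T) -> Result<(), Box<dyn Any + Send>> {
    let mut slot = ManuallyDrop::new(value);
    catch_unwind(AssertUnwindSafe(|| unsafe {
        // SAFETY: `slot` is initialized and nothing drops it after this call.
        ptr::drop_in_place(&mut *slot as *mut T);
    }))
    // `slot` leaves scope here without running `T`'s destructor again.
}

/// Build a `Vec<HasDrop>` from per-element "panics" flags (constructed input).
fn make(flags: &[bool]) -> Vec<HasDrop> {
    flags.iter().map(|&panics| HasDrop { panics }).collect()
}

/// Drop the vector through the guarded path; returns (destructor runs, succeeded).
fn drops_after(values: Vec<HasDrop>) -> (usize, bool) {
    DROPS.with(|d| d.set(0));
    let ok = drop_once_leak_on_panic(values).is_ok();
    (DROPS.with(|d| d.get()), ok)
}
```

Without the `ManuallyDrop` wrapper, the `Vec<HasDrop>` would be dropped a second time when the catching function's own locals are cleaned up, which is exactly the double-drop the issue describes.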