fix FillError::fill double free

Author: lcnr

library/core/src/array/mod.rs

@@ -12,7 +12,7 @@ use crate::convert::{Infallible, TryFrom};
 use crate::fmt;
 use crate::hash::{self, Hash};
 use crate::marker::Unsize;
-use crate::mem::MaybeUninit;
+use crate::mem::{self, MaybeUninit};
 use crate::slice::{Iter, IterMut};
 
 mod iter;
@@ -259,10 +259,14 @@ impl<T, const N: usize> FillError<T, N> {
         // an array of `T`.
         //
         // With that, this initialization satisfies the invariants.
+        //
         // FIXME: actually use `mem::transmute` here, once it
         // works with const generics:
         //     `mem::transmute::<[MaybeUninit<T>; N], [T; N]>(array)`
-        Ok(unsafe { crate::ptr::read(&self.array as *const [MaybeUninit<T>; N] as *const [T; N]) })
+        let arr = unsafe { crate::mem::transmute_copy::<_, [T; N]>(&self.array) };
+        // We forget `self` to not drop anything here.
+        mem::forget(self);
+        Ok(arr)
     }
 }
 

library/core/tests/array.rs

@@ -341,7 +341,7 @@ fn array_collects() {
 
 #[test]
 #[should_panic(expected = "test succeeded")]
-fn array_collect_drop_safety() {
+fn array_collect_panic_safety() {
     use core::sync::atomic::AtomicUsize;
     use core::sync::atomic::Ordering;
     static DROPPED: AtomicUsize = AtomicUsize::new(0);
@@ -368,3 +368,22 @@ fn array_collect_drop_safety() {
     assert_eq!(DROPPED.load(Ordering::SeqCst), num_to_create);
     panic!("test succeeded")
 }
+
+#[test]
+fn array_collect_no_double_drop() {
+    use core::sync::atomic::AtomicUsize;
+    use core::sync::atomic::Ordering;
+    static DROPPED: AtomicUsize = AtomicUsize::new(0);
+    struct DropCounter;
+    impl Drop for DropCounter {
+        fn drop(&mut self) {
+            DROPPED.fetch_add(1, Ordering::SeqCst);
+        }
+    }
+
+    const LEN: usize = 10;
+    let items = [0; LEN];
+    let _ = FillError::<DropCounter, 10>::new().fill(items.iter().map(|_| DropCounter)).unwrap();
+
+    assert_eq!(DROPPED.load(Ordering::SeqCst), LEN);
+}