Borrowed pointers in destructors enable use-after-free crashes

[bblum]

This struct has a borrowed pointer to another one of itself. By making it mutable, I can build a cycle, and then no matter the order that the destructors run, the second one will segfault because the first one's id will have been freed.

This is sort of related to #3164, and more closely related to #3039.

Probably accessing mutable &-pointers in destructors should be unsafe. If they are immutable, it should be impossible to build a cycle.

struct oops {
    mut a: option<&oops>;
    id: ~~str;
    new(+a: option<&oops>, +id: ~~str) {
        self.a = a; self.id = id; 
    }   
    drop {
        do self.a.iter |nbr| {
            #error["Me: %?; Neighbour: %?", self.id, nbr.id];
        }   
    }   
}

fn main() {
    let x = oops(none, ~~"x");
    let y = oops(some(&x), ~~"y");
    x.a = some(&y);
}

[bblum]

It occurs to me I could also abuse the cycle collector to cause even immutable borrowed pointers to escape their lifetimes. Build a cycle of @-boxes with a borrowed pointer to a thing in it, don't refer to the cycle after the thing gets freed, but the cycle is not collected until later, at which point if the destructors access it it's a use-after-free.

[catamorphism]

Blocked on #4301 -- de-milestoning.

[thestinger]

d4fee24 limited destructors to Owned types, so this is disallowed now.