by dan-robertson
1459 days ago
https://smallcultfollowing.com/babysteps/blog/2022/06/15/wha... Gives a good example (in Rust) of a case where complex object ownership could lead to a bug. The summary of the example there looks like:

- you have some AST object and want to lower it in the compiler into an intermediate representation

- you want to add some interesting parts of the AST to your state while lowering and refer to them later in the lowering process

- This seems fine: the AST is first created, then you lower to the intermediate representation, then you can destroy the AST, so while you’re doing the lowering, the AST objects should all be alive and therefore ok to store references to in the lowerer-state

- However there is some mostly unnoticed code that is roughly desugaring some syntax by constructing temporary AST nodes

- So your addition may have your state including references to these temporary nodes

- And those temporary nodes are freed shortly after being created rather than after the lowering is all done

- Giving a quite subtle use-after-free.
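Added example, not part of the comment above and not code from the linked post: a constructed miniature of the lowering scenario in Rust, showing how a lifetime on the lowerer state stops a temporary desugared node from being stored. `Ast`, `Ir`, `Lowerer` and `lower_program` are hypothetical names, and emitting the IR directly for the sugar case is just one possible way to avoid the temporary.

```rust
// Added illustration: all names are hypothetical, not taken from the linked post.
#[derive(Debug, Clone)]
enum Ast {
    Num(i64),
    Add(Box<Ast>, Box<Ast>),
    Inc(Box<Ast>), // sugar for `x + 1`
}

#[derive(Debug, PartialEq)]
enum Ir { Push(i64), Add }

// Lowering state: `'ast` ties every stored reference to the caller's AST.
struct Lowerer<'ast> {
    adds: Vec<&'ast Ast>, // "interesting" nodes the lowerer refers to later
    out: Vec<Ir>,
}

impl<'ast> Lowerer<'ast> {
    fn lower(&mut self, node: &'ast Ast) {
        match node {
            Ast::Num(n) => self.out.push(Ir::Push(*n)),
            Ast::Add(l, r) => {
                self.adds.push(node); // fine: `node` lives for 'ast
                self.lower(l);
                self.lower(r);
                self.out.push(Ir::Add);
            }
            Ast::Inc(x) => {
                // Desugaring through a temporary node is rejected by the compiler:
                //     let tmp = Ast::Add(x.clone(), Box::new(Ast::Num(1)));
                //     self.lower(&tmp); // error[E0597]: `tmp` does not live long enough
                // `tmp` dies at the end of this arm, so it can never reach `self.adds`.
                self.lower(x);
                self.out.push(Ir::Push(1));
                self.out.push(Ir::Add);
            }
        }
    }
}

fn lower_program(ast: &Ast) -> (Vec<Ir>, usize) {
    let mut lw = Lowerer { adds: Vec::new(), out: Vec::new() };
    lw.lower(ast);
    (lw.out, lw.adds.len()) // IR plus the number of recorded AST nodes
}

fn main() {
    let ast = Ast::Add(Box::new(Ast::Num(2)), Box::new(Ast::Inc(Box::new(Ast::Num(3)))));
    println!("{:?}", lower_program(&ast));
}
```

Uncommenting the two `tmp` lines makes the build fail, which is the compile-time form of the use-after-free described in the list.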