fix: eliminate unsound ptr::read double-drop UB in write_to_file (Program + Library)

[amathxbt]

Summary

Fixes #2814

Eliminates latent undefined behaviour (double-drop) in both Program::write_to_file and Library::write_to_file by replacing an unsound unsafe { core::ptr::read(&*err) } with the safe equivalent *err.

---

The Bug — Unsound ptr::read Causes Double-Drop

Both functions wrap file I/O in std::panic::catch_unwind to recover panics from the non-fallible ByteWriter API. In the panic handler:

// BEFORE — unsound in both core/src/program/mod.rs:161 and
//          crates/assembly-syntax/src/library/mod.rs:427
Ok(err) => unsafe { core::ptr::read(&*err) },

Why This Is Undefined Behaviour

p.downcast::<std::io::Error>() returns Ok(Box<io::Error>). The code:

1. Dereferences the Box<io::Error> to get a &io::Error
2. ptr::read performs a bitwise copy of the io::Error out of the box — without consuming the box
3. The Box<io::Error> is then dropped at end of scope, freeing the memory that was already bitwise-copied out

This is a double-drop: the io::Error's destructor runs twice on the same memory — once via the value returned by ptr::read, and once when the Box is dropped. That is explicitly undefined behaviour in Rust.

From the docs: "Like forget, ptr::read does not run the destructor of self... The caller is responsible for managing the lifetime of the value."

The misleading // SAFETY comments claim it is "guaranteed safe" — but no such guarantee exists. The original author likely intended a safe move but reached for ptr::read unnecessarily.

Why It Hasn't Triggered Yet

The panic payload in the current WriteAdapter implementation is a formatted String message, not a boxed io::Error. So downcast::<io::Error>() currently returns Err, and the Ok(err) arm is never reached. However:

• This is a silent latent hazard that activates the moment WriteAdapter is refactored to panic with an actual io::Error
• The // SAFETY comment actively misleads future maintainers into thinking the unsafe block is correct
• Tools like Miri and cargo-careful will flag this as UB today

---

The Fix — Safe Deref-Move

// AFTER — both files
Ok(err) => *err,

*err on a Box<T> in a value position performs a deref-move: it consumes the Box, moves the inner io::Error out, and the box's allocation is freed exactly once. This is entirely safe, requires no unsafe, and is idiomatic Rust.

Files Changed

File	Location	Change
core/src/program/mod.rs	Line 161	unsafe { core::ptr::read(&*err) } → *err
crates/assembly-syntax/src/library/mod.rs	Line 427	unsafe { core::ptr::read(&*err) } → *err

---

Pre-PR Checklist

• Branch forked from next
• Semantic commit messages (fix(core): ..., fix(assembly-syntax): ...)
• Linked to issue Latent undefined behaviour in IO panic recovery (ptr::read causes double-drop) #2814
• No unsafe code introduced — removes unsafe, replaces with safe equivalent
• Zero functional behaviour change for current code paths
• No new dependencies

[huitseeker]

Could we add a small regression test that forces this downcast::<std::io::Error>() arm in both Program::write_to_file and Library::write_to_file, so this UB pattern is less likely to come back later?