Fix double drop in BlobVec::replace_unchecked (#2597)

Author: sapir

crates/bevy_ecs/src/storage/blob_vec.rs

@@ -87,7 +87,12 @@ impl BlobVec {
 
     /// # Safety
     /// - index must be in bounds
-    /// - memory must be reserved and uninitialized
+    /// - the memory in the `BlobVec` starting at index `index`, of a size matching this `BlobVec`'s
+    /// `item_layout`, must have been previously allocated, but not initialized yet
+    /// - the memory at `*value` must be previously initialized with an item matching this
+    /// `BlobVec`'s `item_layout`
+    /// - the item that was stored in `*value` is left logically uninitialised/moved out of after
+    /// calling this function, and as such should not be used or dropped by the caller.
     #[inline]
     pub unsafe fn initialize_unchecked(&mut self, index: usize, value: *mut u8) {
         debug_assert!(index < self.len());
@@ -97,12 +102,24 @@ impl BlobVec {
 
     /// # Safety
     /// - index must be in-bounds
-    //  - memory must be previously initialized
+    /// - the memory in the `BlobVec` starting at index `index`, of a size matching this `BlobVec`'s
+    /// `item_layout`, must have been previously initialized with an item matching this `BlobVec`'s
+    /// item_layout
+    /// - the memory at `*value` must also be previously initialized with an item matching this
+    /// `BlobVec`'s `item_layout`
+    /// - the item that was stored in `*value` is left logically uninitialised/moved out of after
+    /// calling this function, and as such should not be used or dropped by the caller.
     pub unsafe fn replace_unchecked(&mut self, index: usize, value: *mut u8) {
         debug_assert!(index < self.len());
         let ptr = self.get_unchecked(index);
+        // If `drop` panics, then when the collection is dropped during stack unwinding, the
+        // collection's `Drop` impl will call `drop` again for the old value (which is still stored
+        // in the collection), so we get a double drop. To prevent that, we set len to 0 until we're
+        // done.
+        let old_len = std::mem::replace(&mut self.len, 0);
         (self.drop)(ptr);
         std::ptr::copy_nonoverlapping(value, ptr, self.item_layout.size());
+        self.len = old_len;
     }
 
     /// increases the length by one (and grows the vec if needed) with uninitialized memory and

crates/bevy_ecs/src/storage/sparse_set.rs

@@ -123,13 +123,18 @@ impl ComponentSparseSet {
         self.dense.len() == 0
     }
 
-    /// Inserts the `entity` key and component `value` pair into this sparse set.
-    /// The caller is responsible for ensuring the value is not dropped. This collection will drop
-    /// the value when needed.
+    /// Inserts the `entity` key and component `value` pair into this sparse
+    /// set. This collection takes ownership of the contents of `value`, and
+    /// will drop the value when needed. Also, it may overwrite the contents of
+    /// the `value` pointer if convenient. The caller is responsible for
+    /// ensuring it does not drop `*value` after calling `insert`.
     ///
     /// # Safety
-    /// The `value` pointer must point to a valid address that matches the `Layout`
-    ///  inside the `ComponentInfo` given when constructing this sparse set.
+    /// * The `value` pointer must point to a valid address that matches the
+    ///   `Layout` inside the `ComponentInfo` given when constructing this
+    ///   sparse set.
+    /// * The caller is responsible for ensuring it does not drop `*value` after
+    ///   calling `insert`.
     pub unsafe fn insert(&mut self, entity: Entity, value: *mut u8, change_tick: u32) {
         if let Some(&dense_index) = self.sparse.get(entity) {
             self.dense.replace_unchecked(dense_index, value);