Gn::new_scoped and similar functions are unsound

[SkiFire13]

Gn::new_scoped allows a coroutine to borrow non-'static data, but it doesn't (and can't) guarantee it will end before the lifetime expires since the coroutine may be leaked during a yield point. This is unsound because Rust guarantees that sync code either reaches the end of its execution (normally or with a panic doesn't matter) or the process ends. Leaking a coroutine prevents the code inside from actually ending normally or with a panic, thus it must be considered as if it is still executing (albeit without making any progress) until the end of the process. This however requires it to not borrow non-'static data, which is however what Gn::new_scoped allows to.

The API that most evidently relies on guarantee mentioned is std::thread::scope, and in fact here is an example of use-after-free due ot its assumptions being violated:

let foo = "foo".to_string();

let mut gen = generator::Gn::new_scoped(|mut s| {
    std::thread::scope(|s2| {
        s2.spawn(|| {
            std::thread::sleep(std::time::Duration::from_millis(500));
            println!("{foo}");
        });
        s.yield_(());
    });
    generator::done!();
});

gen.next();
std::mem::forget(gen);
drop(foo);
std::thread::sleep(std::time::Duration::from_millis(1000));

[Xudong-Huang]

oh, seems that we have to remove the non-static lifetime bound, or change the related API to unsafe

[Xudong-Huang]

now only static bound capture is safe to yield, please review if the change make sense @SkiFire13

[SkiFire13]

Yes the issue seems to be solved with that commit, or at least I don't see an obvious way to circumvent the restrictions you added.