Latent undefined behaviour in IO panic recovery (ptr::read causes double-drop) #2814
Description
`Program::write_to_file` (`core/src/program/mod.rs:162`) and `Library::write_to_file` (`crates/assembly-syntax/src/library/mod.rs:427`) wrap file operations in `std::panic::catch_unwind` and attempt to convert panics into `std::io::Error`. On success the code does:

```rust
unsafe { core::ptr::read(&*err) }
```

This is unsound: `ptr::read` performs a bitwise copy of the `std::io::Error` out of the box, but the original `Box<std::io::Error>` is then dropped at end of scope, leading to a double-drop (undefined behaviour).
In practice, the current serialization writer panics with a formatted message payload (not an io::Error payload), so the downcast branch is unlikely to be taken. This makes the unsafe extraction a latent UB hazard that could become reachable under future refactors.
Fix: replace `ptr::read(&*err)` with `*err` to move the error out of the box.
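For reference, here is the panic-to-`io::Error` conversion written the safe way, with `*err` moving the error out of its `Box`. This is an added, self-contained illustration, not code from the project; `panic_to_io_error` and `write_guarded` are hypothetical names standing in for the logic inside the two `write_to_file` methods.

```rust
use std::any::Any;
use std::io;
use std::panic::{self, AssertUnwindSafe};

/// Turn a panic payload into an io::Error without unsafe code.
/// A payload that already is an io::Error is moved out of its Box with `*err`:
/// ownership transfers to the caller and the Box is freed exactly once, which
/// is what `ptr::read(&*err)` failed to guarantee (bitwise copy, then the Box
/// still dropped the original at end of scope).
fn panic_to_io_error(payload: Box<dyn Any + Send>) -> io::Error {
    // `downcast` consumes the payload; on failure it hands it back unchanged.
    let payload = match payload.downcast::<io::Error>() {
        Ok(err) => return *err,
        Err(other) => other,
    };
    // Formatted panics (`panic!("...")`) carry a &'static str or a String,
    // which is the branch the current serialization writer actually hits.
    let msg = if let Some(s) = payload.downcast_ref::<&str>() {
        s.to_string()
    } else if let Some(s) = payload.downcast_ref::<String>() {
        s.clone()
    } else {
        String::from("write failed with a non-string panic payload")
    };
    io::Error::new(io::ErrorKind::Other, msg)
}

/// Run a fallible write operation, converting any panic into an io::Error.
/// (Hypothetical wrapper; stands in for the catch_unwind block in write_to_file.)
pub fn write_guarded<F>(op: F) -> io::Result<()>
where
    F: FnOnce() -> io::Result<()>,
{
    match panic::catch_unwind(AssertUnwindSafe(op)) {
        Ok(result) => result,
        Err(payload) => Err(panic_to_io_error(payload)),
    }
}

fn main() {
    // Silence the default panic hook so only the converted error is shown.
    panic::set_hook(Box::new(|_| {}));
    let msg_panic = write_guarded(|| panic!("serializer panicked"));
    let err_panic = write_guarded(|| {
        panic::panic_any(io::Error::new(io::ErrorKind::PermissionDenied, "denied"))
    });
    println!("string payload -> {:?}", msg_panic);
    println!("io::Error payload -> {:?}", err_panic);
}
```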