Chomp::inner() uses std::ptr::read unaligned to move out the value from a raw pointer. If the original value is an owned type (e.g. Box), calling inner() moves out the ownership, but the original variable will still be dropped at the end of its scope. This causes the same heap memory to be freed twice, resulting in a double-free and undefined behavior.

This can be triggered through safe public APIs — Chomp::new() and Chomp::inner() — with no unsafe required from the caller.