Why can pop_front() cause panic in 7.4 Panic Safety ?

[tjliupeng]

in https://rust-unofficial.github.io/too-many-lists/sixth-panics.html, it says that the line

debug_assert!(self.len == 1);

can cause problem.

How?

There is a paragraph below to explain the cause:

We have our boxed_node on the stack, and we've extracted the element from it. If we were to return at this point, the Box would be dropped, and the node would be freed. Do you see it now..? self.back is still pointing at that freed node! Once we implement the rest of our collection and start using self.back for things, this could result in a use-after-free!

If the user just calls the API of this list, it is impossible to get to this situation.