In getAllResponsesOrFirstErrorWithCancellation , we accept a vector of futures and a cancellation token. We return a future that is resolved once all the input-futures resolve with success, or one resolves with an error.

When any of the input futures resolve with an error, we use the cancellation token to cancel the work that produces results for the other futures. However, instead of waiting for this cancellation to "take", and ensuring all input futures resolve (which they should promptly after the cancellation), we short-circuit and ready the output future with a Cancelled status. This means that, when the future returned by the function is readied, there still may be code scheduled to run to produce results for the input-futures that hasn't observed the cancellation yet. If that code captures references to variables whose lifetime is guaranteed only while the result-future of getAllResponsesOrFirstErrorWithCancellation is not yet readied, it could read dead/destroyed objects.

The safe contract for this function should be: "once the output future is resolved, all input futures have resolved, with either cancellation/error or success", which would resolve the lifetime issue.