Previously, several functions in the implementation of `InliningString`
converted raw pointers to references as part of large blocks of code,
either via deref coercion or via `slice::from_raw_parts`. This created a
risk of Rust inferring reference lifetimes that were too long; this is
bad because it could result in a use-after-free or mutable aliasing.
This patch moves pointer-to-reference conversions in `InliningString` to
dedicated helper functions with explicit or easily-elided lifetimes to
avoid this issue.
This patch also introduces a
`InliningString::take_boxed_buf_invalidating` method, which provides a
way to move the boxed buffer out of an `InliningString` without aliasing
the box's heap allocation (which is not allowed). The `Drop`
implementation is reworked to use this method, as well as
`InliningString::into_boxed_str`.
The unsafe_op_in_unsafe_fn lint was previously set to allow, meaning
that unsafe function calls and operations were allowed within unsafe
functions without a surrounding unsafe block. This patch changes the
lint to deny, for the purpose of making unsafe operations in the
codebase more explicit.
pantonshire