Previously, several functions in the implementation of `InliningString`
converted raw pointers to references as part of large blocks of code,
either via deref coercion or via `slice::from_raw_parts`. This created a
risk of Rust inferring reference lifetimes that were too long; this is
bad because it could result in a use-after-free or mutable aliasing.
This patch moves pointer-to-reference conversions in `InliningString` to
dedicated helper functions with explicit or easily-elided lifetimes to
avoid this issue.
This patch also introduces a
`InliningString::take_boxed_buf_invalidating` method, which provides a
way to move the boxed buffer out of an `InliningString` without aliasing
the box's heap allocation (which is not allowed). The `Drop`
implementation is reworked to use this method, as well as
`InliningString::into_boxed_str`.
A debug assertion in `encoding::url::percent_decode_utf8` previously
cast the result of `[u8]::as_ptr` to `*const u8`, which was redundant
because the return type of the `as_ptr` call was already `*const u8`.
This patch removes the redundant cast.
test.sh previously had each of its runs hard-coded; this patch changes
the script to loop over an array of cargo flags instead. This allows new
flags to be added to the array to easily add new runs to the test
script.
CappedString was previously backed by a `[u8; N]`, which required
zeroing the buffer on creation. It now uses a `[MaybeUninit<u8>; N]`,
which does need to be zeroed. This should improve the performance of
creating a new CappedString, at the cost of slightly more unsafe code
required in its implementation.
Additionally, `as_bytes` and `as_bytes_mut` methods were introduced.
These are primarily used internally in the implementation of
CappedString, but are also provided as part of the public API to allow
users to do low-level operations on the underlying buffer backing the
CappedString. `as_bytes_mut` is unsafe, as this method can be used to
violate the UTF-8 property of the CappedString, which is undefined
behaviour.
The unsafe_op_in_unsafe_fn lint was previously set to allow, meaning
that unsafe function calls and operations were allowed within unsafe
functions without a surrounding unsafe block. This patch changes the
lint to deny, for the purpose of making unsafe operations in the
codebase more explicit.
pantonshire