Anybody know of any good resources on when it's ok to mark @rustlang functions that use unsafe code as safe? I feel like while there's been some good highly technical analysis, there's not a ton of resources of how to think about `unsafe`.
But because set_len is where the safety guarantees must be manually upheld for the *entire* structure to be correct, that's where it's marked unsafe. And even though things like reading from a vec have lots of unsafe operations inside of them, they all have a safe external API.