#unsafe #reduce #check #bug #safe #equivalence #soundness

reduce_unsafe

Reduce unsafe code and detect soundness bugs with equivalence checks against safe code

1 unstable release

0.1.0 Jan 18, 2020

#3 in #soundness

MIT/Apache

7KB
55 lines


For discussions on this idea see the RFC on the Rust Internals forum and Rust Secure Code Working Group.

To indicate a preference for safety over performance, add --cfg reduce_unsafe to your RUSTFLAGS.

reduce_unsafe::unchecked! runs the unsafe code unless the --cfg reduce_unsafe flag is present, in which case it runs the safe alternative instead.

reduce_unsafe::checked! uses debug_assertions to decide what to do: with debug assertions enabled it runs both branches and panics if their results diverge; otherwise it behaves like reduce_unsafe::unchecked!.

If you have unsafe code that you believe is sound and that could also be implemented (more slowly) in safe code, consider using the reduce_unsafe::checked! or reduce_unsafe::unchecked! macros or the #[cfg(reduce_unsafe)] attribute. For example,

let my_str = unsafe {
    str::from_utf8_unchecked(bytes)
};

becomes

let my_str = reduce_unsafe::checked!(
    unsafe { str::from_utf8_unchecked(bytes) },
    str::from_utf8(bytes).expect("BUG: unsound unsafe code detected")
);

or, if the returned type does not implement PartialEq or the branches have visible side effects (so the two results cannot be compared), use unchecked! instead:

let my_str = reduce_unsafe::unchecked!(
    unsafe { str::from_utf8_unchecked(bytes) },
    str::from_utf8(bytes).expect("BUG: unsound unsafe code detected")
);
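The following is an added example, not the crate's own source: it reconstructs the two macros with the behaviour described above using cfg!(reduce_unsafe) and cfg!(debug_assertions), then applies them to the page's from_utf8_unchecked pattern and to a constructed "fast path" (sum_fast, with a deliberate off-by-one that stays in bounds) so that the equivalence check visibly fires. The macro names match the crate's; the evaluation order inside checked! (safe branch first) and the helper functions are this example's own choices.

```rust
use std::str;

// Hypothetical reconstruction of reduce_unsafe::unchecked!: the safe branch is
// chosen only when the crate was built with `--cfg reduce_unsafe`. Both branches
// still compile, so a typo in the rarely used one cannot hide until release.
macro_rules! unchecked {
    ($unsafe_expr:expr, $safe_expr:expr) => {
        if cfg!(reduce_unsafe) { $safe_expr } else { $unsafe_expr }
    };
}

// Hypothetical reconstruction of reduce_unsafe::checked!: with debug assertions
// on, run both branches and panic if they disagree; otherwise defer to unchecked!.
// The safe branch is evaluated first (this example's choice) so that its own
// `expect`/bounds check panics before the unsafe code runs on bad input.
macro_rules! checked {
    ($unsafe_expr:expr, $safe_expr:expr) => {
        if cfg!(debug_assertions) {
            let safe = $safe_expr;
            let fast = $unsafe_expr;
            assert!(
                fast == safe,
                "BUG: unsound unsafe code detected (unsafe and safe branches diverged)"
            );
            safe
        } else {
            unchecked!($unsafe_expr, $safe_expr)
        }
    };
}

/// The page's own pattern: unchecked UTF-8 decoding with a safe decode as the oracle.
fn decode_utf8(bytes: &[u8]) -> &str {
    checked!(
        unsafe { str::from_utf8_unchecked(bytes) },
        str::from_utf8(bytes).expect("BUG: unsound unsafe code detected")
    )
}

/// Constructed "optimized" sum with an off-by-one: it skips the last element.
/// Every read stays inside the slice, so the function is merely wrong rather than
/// undefined behaviour, which makes it a safe stand-in for a real fast-path bug.
fn sum_fast(xs: &[u32]) -> u32 {
    let ptr = xs.as_ptr();
    let mut total = 0u32;
    for i in 0..xs.len().saturating_sub(1) {
        // SAFETY: i < xs.len(), so the pointer read is within the slice.
        total = total.wrapping_add(unsafe { *ptr.add(i) });
    }
    total
}

/// The slow but obviously correct safe implementation used as the oracle.
fn sum_safe(xs: &[u32]) -> u32 {
    xs.iter().fold(0u32, |acc, &x| acc.wrapping_add(x))
}

/// In a debug build this panics for any slice where the two sums differ.
fn sum_checked(xs: &[u32]) -> u32 {
    checked!(sum_fast(xs), sum_safe(xs))
}

/// Never compares; returns the fast result unless built with --cfg reduce_unsafe.
fn sum_unchecked(xs: &[u32]) -> u32 {
    unchecked!(sum_fast(xs), sum_safe(xs))
}

fn main() {
    println!("decoded: {}", decode_utf8(b"hello"));
    // Constructed input on which the fast path is wrong (3 instead of 6).
    let caught = std::panic::catch_unwind(|| sum_checked(&[1, 2, 3]));
    println!("divergence caught in this build: {}", caught.is_err());
    println!("unchecked result: {}", sum_unchecked(&[1, 2, 3]));
}
```

Run it once as a normal debug build (the check fires and reports the bug) and once with RUSTFLAGS="--cfg reduce_unsafe" (the unchecked variant now returns the safe sum). Note that for the UTF-8 case the oracle must run before the unchecked call: if from_utf8_unchecked were evaluated first on invalid bytes, the comparison would come too late to prevent the undefined behaviour.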

No runtime deps