Remove one instance of library UB from Array

Add the ability to add unsafe + safety docs to arbitrary methods through codegen
More accurately track the safety invariant of `Array`:
- Make all methods of `InnerArray` that return `VariantArray` unsafe
- Make `Array::as_inner()` unsafe
- Add `Array::as_inner_ref()` to allow safe usage of immutable methods
- Reword some safety docs

Author: lilizoey

godot-codegen/src/generator/builtins.rs

@@ -163,6 +163,21 @@ fn make_special_builtin_methods(class_name: &TyName, _ctx: &Context) -> TokenStr
     }
 }
 
+/// Get the safety docs of a method if it should be unsafe
+fn method_safety_doc(class_name: &TyName, method: &BuiltinMethod) -> Option<TokenStream> {
+    if class_name.godot_ty == "Array" {
+        if &method.return_value().type_tokens().to_string() == "VariantArray" {
+            return Some(quote! {
+                #[doc = "# Safety"]
+                #[doc = ""]
+                #[doc = "You must ensure that the returned array fulfils the safety invariants of [`Array`](crate::builtin::Array)"]
+            });
+        }
+    }
+
+    None
+}
+
 fn make_builtin_method_definition(
     builtin_class: &BuiltinClass,
     method: &BuiltinMethod,
@@ -220,12 +235,15 @@ fn make_builtin_method_definition(
         )*/
     };
 
+    let safety_doc = method_safety_doc(builtin_class.name(), method);
+
     functions_common::make_function_definition(
         method,
         &FnCode {
             receiver,
             varcall_invocation,
             ptrcall_invocation,
         },
+        safety_doc,
     )
 }

godot-codegen/src/generator/classes.rs

@@ -469,5 +469,6 @@ fn make_class_method_definition(
             varcall_invocation,
             ptrcall_invocation,
         },
+        None,
     )
 }

godot-codegen/src/generator/functions_common.rs

@@ -82,7 +82,11 @@ impl FnDefinitions {
     }
 }
 
-pub fn make_function_definition(sig: &dyn Function, code: &FnCode) -> FnDefinition {
+pub fn make_function_definition(
+    sig: &dyn Function,
+    code: &FnCode,
+    safety_doc: Option<TokenStream>,
+) -> FnDefinition {
     let has_default_params = default_parameters::function_uses_default_params(sig);
     let vis = if has_default_params {
         // Public API mapped by separate function.
@@ -92,7 +96,9 @@ pub fn make_function_definition(sig: &dyn Function, code: &FnCode) -> FnDefiniti
         make_vis(sig.is_private())
     };
 
-    let (maybe_unsafe, safety_doc) = if function_uses_pointers(sig) {
+    let (maybe_unsafe, safety_doc) = if let Some(safety_doc) = safety_doc {
+        (quote! { unsafe }, safety_doc)
+    } else if function_uses_pointers(sig) {
         (
             quote! { unsafe },
             quote! {

godot-codegen/src/generator/utility_functions.rs

@@ -78,6 +78,7 @@ pub(crate) fn make_utility_function_definition(function: &UtilityFunction) -> To
             varcall_invocation,
             ptrcall_invocation,
         },
+        None,
     );
 
     // Utility functions have no builders.

godot-codegen/src/generator/virtual_traits.rs

@@ -124,6 +124,7 @@ fn make_virtual_method(method: &ClassMethod) -> Option<TokenStream> {
             varcall_invocation: TokenStream::new(),
             ptrcall_invocation: TokenStream::new(),
         },
+        None,
     );
 
     // Virtual methods have no builders.