pkgsrc-Changes archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

CVS commit: pkgsrc/www/firefox115



Module Name:    pkgsrc
Committed By:   ryoon
Date:           Fri Aug 16 15:15:37 UTC 2024

Modified Files:
        pkgsrc/www/firefox115: Makefile distinfo
        pkgsrc/www/firefox115/patches: patch-js_public_Utility.h
Added Files:
        pkgsrc/www/firefox115/files:
            third__party_rust_encoding__rs_.cargo-checksum.json
        pkgsrc/www/firefox115/patches: patch-llvm18 patch-rust-1.78.0

Log Message:
www/firefox115: FIx build with lang/rust-1.79.0

* Use patches from FreeBSD Ports to fix build error with lang/rust-1.79.0.
* Tested under NetBSD/amd64 9 and 10, and NetBSD/i386 9 and 10.


To generate a diff of this commit:
cvs rdiff -u -r1.27 -r1.28 pkgsrc/www/firefox115/Makefile
cvs rdiff -u -r1.13 -r1.14 pkgsrc/www/firefox115/distinfo
cvs rdiff -u -r0 -r1.1 \
    pkgsrc/www/firefox115/files/third__party_rust_encoding__rs_.cargo-checksum.json
cvs rdiff -u -r1.2 -r1.3 \
    pkgsrc/www/firefox115/patches/patch-js_public_Utility.h
cvs rdiff -u -r0 -r1.1 pkgsrc/www/firefox115/patches/patch-llvm18 \
    pkgsrc/www/firefox115/patches/patch-rust-1.78.0

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/www/firefox115/Makefile
diff -u pkgsrc/www/firefox115/Makefile:1.27 pkgsrc/www/firefox115/Makefile:1.28
--- pkgsrc/www/firefox115/Makefile:1.27 Thu Aug  8 03:54:49 2024
+++ pkgsrc/www/firefox115/Makefile      Fri Aug 16 15:15:36 2024
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.27 2024/08/08 03:54:49 gutteridge Exp $
+# $NetBSD: Makefile,v 1.28 2024/08/16 15:15:36 ryoon Exp $
 
 FIREFOX_VER=           ${MOZ_BRANCH}${MOZ_BRANCH_MINOR}
 MOZ_BRANCH=            115.14
@@ -95,6 +95,14 @@ SUBST_STAGE.paths=              pre-conf
 SUBST_FILES.paths=              ../firefox.sh
 SUBST_VARS.paths=               PREFIX MOZILLA
 
+SUBST_CLASSES+=                        rust178
+SUBST_STAGE.rust178=           pre-configure
+SUBST_MESSAGE.rust178=         Clearing cargo checksums
+SUBST_FILES.rust178=           third_party/rust/bindgen/.cargo-checksum.json
+SUBST_FILES.rust178+=          third_party/rust/any_all_workaround/.cargo-checksum.json
+SUBST_FILES.rust178+=          third_party/rust/encoding_rs/.cargo-checksum.json
+SUBST_SED.rust178=             -e 's/\("files":{\)[^}]*/\1/'
+
 .include "mozilla-common.mk"
 .include "options.mk"
 
@@ -175,6 +183,9 @@ INSTALLATION_DIRS+= share/applications
 
 post-extract:
        ${CP} ${FILESDIR}/firefox.sh ${WRKDIR}/firefox.sh
+       # patch(1) of NetBSD 9 cannot handle long line.
+       ${CP} ${FILESDIR}/third__party_rust_encoding__rs_.cargo-checksum.json \
+               ${WRKSRC}/third_party/rust/encoding_rs/.cargo-checksum.json
 
 post-install:
 .if ${OPSYS} == "NetBSD" && ${X11_TYPE} == "native"

Index: pkgsrc/www/firefox115/distinfo
diff -u pkgsrc/www/firefox115/distinfo:1.13 pkgsrc/www/firefox115/distinfo:1.14
--- pkgsrc/www/firefox115/distinfo:1.13 Thu Aug  8 03:54:49 2024
+++ pkgsrc/www/firefox115/distinfo      Fri Aug 16 15:15:36 2024
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.13 2024/08/08 03:54:49 gutteridge Exp $
+$NetBSD: distinfo,v 1.14 2024/08/16 15:15:36 ryoon Exp $
 
 BLAKE2s (firefox-115.14.0esr.source.tar.xz) = 34f0f8e821073cf601ea75a4c3a295e62f10be56a9f38be087bfdcd7d84c64e4
 SHA512 (firefox-115.14.0esr.source.tar.xz) = dd40c1fd3cf454dbf33a85d38e47bb0e736ed89b829643653e239f43232441f4e9f3c7876f058ff2e6f19daf2b50a8f2d13274e9a107d8a258a6067d1fc43f54
@@ -22,16 +22,18 @@ SHA1 (patch-intl_lwbrk_LineBreaker.cpp) 
 SHA1 (patch-ipc_chromium_src_base_message__pump__libevent.cc) = 298642a3527804115b398fb7904a3596962932e3
 SHA1 (patch-ipc_chromium_src_base_platform__thread__posix.cc) = 35d20981d33ccdb1d8ffb8039e48798777f11658
 SHA1 (patch-ipc_glue_GeckoChildProcessHost.cpp) = 6cdd0fe60455eab8f9846257c2bfea207f19478b
-SHA1 (patch-js_public_Utility.h) = e3916ecc334196950543350dcd28f3b31cc239d0
+SHA1 (patch-js_public_Utility.h) = bb5464a0398b91693ab362e6b9b06d48429b9e7d
 SHA1 (patch-js_src_jit_FlushICache.cpp) = b7536050d06e87612fbedc7ce269b5f120eb0ce9
 SHA1 (patch-js_src_jit_ProcessExecutableMemory.cpp) = 1e25924a29e3700b0e0e5d143f1db35029b431fb
 SHA1 (patch-js_src_util_NativeStack.cpp) = a0a16d8d8d78d3cc3f4d2a508586f1a7821f7dba
 SHA1 (patch-js_src_vm_ArrayBufferObject.cpp) = 374ffc0ce12e1c5babf2e553aba96612b0a30b1e
+SHA1 (patch-llvm18) = d349d2f2311b95d42e92476b232b79bdd49cece4
 SHA1 (patch-media_ffvpx_libavutil_arm_bswap.h) = de58daa0fd23d4fec50426602b65c9ea5862558a
 SHA1 (patch-media_libpng_pngpriv.h) = c8084332560017cd7c9b519b61d125fa28af0dbc
 SHA1 (patch-media_libtheora_lib_info.c) = f6dbf536d73859a1ff78304c2e9f6a6f74dac01f
 SHA1 (patch-modules_fdlibm_src_math__private.h) = e20b6c23011d7123cbbd64a500eb8ce8c426620e
 SHA1 (patch-nsprpub_pr_src_pthreads_ptsynch.c) = b0d1f6a6e0eb852b0fd0238ad3f8ed3166c60a50
+SHA1 (patch-rust-1.78.0) = aa83482a831ab2ee8b38f57c1b7873719e5f8b5b
 SHA1 (patch-security_nss_lib_freebl_mpi_mpi.c) = a7cd867916524770609d1c307a65b315b88456f4
 SHA1 (patch-third__party_js_cfworker_build.sh) = 46cdf97b99cf01080f290ae8d9a33b5f869fc3e4
 SHA1 (patch-third__party_libwebrtc_modules_desktop__capture_linux_wayland_egl__dmabuf.cc) = 455be625b5de2f6f1f4b2dbb6c8cb33ca16c2583

Index: pkgsrc/www/firefox115/patches/patch-js_public_Utility.h
diff -u pkgsrc/www/firefox115/patches/patch-js_public_Utility.h:1.2 pkgsrc/www/firefox115/patches/patch-js_public_Utility.h:1.3
--- pkgsrc/www/firefox115/patches/patch-js_public_Utility.h:1.2 Thu Aug  1 15:21:26 2024
+++ pkgsrc/www/firefox115/patches/patch-js_public_Utility.h     Fri Aug 16 15:15:37 2024
@@ -1,8 +1,11 @@
-$NetBSD: patch-js_public_Utility.h,v 1.2 2024/08/01 15:21:26 ryoon Exp $
+$NetBSD: patch-js_public_Utility.h,v 1.3 2024/08/16 15:15:37 ryoon Exp $
 
---- js/public/Utility.h.orig   2024-07-23 09:35:47.511722387 +0000
+- kludge to build on NetBSD/i386 10.0
+  https://mail-index.netbsd.org/pkgsrc-users/2024/07/16/msg039900.html
+
+--- js/public/Utility.h.orig   2024-07-04 17:04:15.000000000 +0000
 +++ js/public/Utility.h
-@@ -478,9 +478,6 @@ static inline void js_free(void* p) {
+@@ -482,9 +482,6 @@ static inline void js_free(void* p) {
  #define JS_DECLARE_NEW_METHODS(NEWNAME, ALLOCATOR, QUALIFIERS)              \
    template <class T, typename... Args>                                      \
    QUALIFIERS T* MOZ_HEAP_ALLOCATOR NEWNAME(Args&&... args) {                \
@@ -12,7 +15,7 @@ $NetBSD: patch-js_public_Utility.h,v 1.2
      void* memory = ALLOCATOR(sizeof(T));                                    \
      return MOZ_LIKELY(memory) ? new (memory) T(std::forward<Args>(args)...) \
                                : nullptr;                                    \
-@@ -497,9 +494,6 @@ static inline void js_free(void* p) {
+@@ -501,9 +498,6 @@ static inline void js_free(void* p) {
  #define JS_DECLARE_NEW_ARENA_METHODS(NEWNAME, ALLOCATOR, QUALIFIERS)           \
    template <class T, typename... Args>                                         \
    QUALIFIERS T* MOZ_HEAP_ALLOCATOR NEWNAME(arena_id_t arena, Args&&... args) { \

Added files:

Index: pkgsrc/www/firefox115/files/third__party_rust_encoding__rs_.cargo-checksum.json
diff -u /dev/null pkgsrc/www/firefox115/files/third__party_rust_encoding__rs_.cargo-checksum.json:1.1
--- /dev/null   Fri Aug 16 15:15:37 2024
+++ pkgsrc/www/firefox115/files/third__party_rust_encoding__rs_.cargo-checksum.json     Fri Aug 16 15:15:37 2024
@@ -0,0 +1 @@
+{"files":{"CONTRIBUTING.md":"ca1901f3e8532fb4cec894fd3664f0eaa898c0c4b961d1b992d1ed54eacf362a","COPYRIGHT":"11789f45bb180841cd362a5eee6789c68ddb573a11105e30768c308a6add0190","Cargo.toml":"22a4d210c92dae9f32c6944ef340ee8fdd027f99c081577e8907123e2a93383e","Ideas.md":"b7452893f500163868d8de52c09addaf91e1632454ed02e892c467ed7ec39dbd","LICENSE-APACHE":"cfc7749b96f63bd31c3c42b5c471bf756814053e847c10f3eb003417bc523d30","LICENSE-MIT":"3fa4ca83dcc9237839b1bdeb2e6d16bdfb5ec0c5ce42b24694d8bbf0dcbef72c","LICENSE-WHATWG":"838118388fe5c2e7f1dbbaeed13e1c7f3ebf88be91319c7c1d77c18e987d1a50","README.md":"1d08aefcb92afa81b18154049c9abbcad4540a23f7172e9f9bbed5af33f1a087","ci/miri.sh":"43cb8d82f49e3bfe2d2274b6ccd6f0714a4188ccef0cecc040829883cfdbee25","doc/Big5.txt":"f73a2edc5cb6c2d140ba6e07f4542e1c4a234950378acde1df93480f0ca0be0b","doc/EUC-JP.txt":"ee2818b907d0137f40a9ab9fd525fc700a44dbdddb6cf0c157a656566bae4bf1","doc/EUC-KR.txt":"71d9e2ccf3b124e8bdfb433c8cf2773fd878077038d0cec3c7237a50f4a78a30","doc/GB
 
K.txt":"c1b522b5a799884e5001da661f42c5a8f4d0acb9ef1d74b206f22b5f65365606","doc/IBM866.txt":"a5a433e804d0f83af785015179fbc1d9b0eaf1f7960efcd04093e136b51fbd0e","doc/ISO-2022-JP.txt":"af86684f5a8f0e2868d7b2c292860140c3d2e5527530ca091f1b28198e8e2fe6","doc/ISO-8859-10.txt":"6d3949ad7c81ca176895101ed81a1db7df1060d64e262880b94bd31bb344ab4d","doc/ISO-8859-13.txt":"3951dd89cf93f7729148091683cf8511f4529388b7dc8dcd0d62eaed55be93fa","doc/ISO-8859-14.txt":"3d330784a0374fd255a38b47949675cc7168c800530534b0a01cac6edc623adc","doc/ISO-8859-15.txt":"24b1084aab5127a85aab99153f86e24694d0a3615f53b5ce23683f97cf66c47a","doc/ISO-8859-16.txt":"ce0272559b92ba76d7a7e476f6424ae4a5cc72e75b183611b08392e44add4d25","doc/ISO-8859-2.txt":"18ceff88c13d1b5ba455a3919b1e3de489045c4c3d2dd7e8527c125c75d54aad","doc/ISO-8859-3.txt":"21798404c68f4f5db59223362f24999da96968c0628427321fccce7d2849a130","doc/ISO-8859-4.txt":"d27f6520c6c5bfbcc19176b71d081cdb3bccde1622bb3e420d5680e812632d53","doc/ISO-8859-5.txt":"a10ec8d6ea7a78ad15d
 
a7275f6cb1a3365118527e28f9af6d0d5830501303f3a","doc/ISO-8859-6.txt":"ccda8a2efc96115336bdd77776637b9712425e44fbcf745353b9057fbef144e7","doc/ISO-8859-7.txt":"17900fa1f27a445958f0a77d7d9056be375a6bd7ee4492aa680c7c1500bab85e","doc/ISO-8859-8-I.txt":"8357555646d54265a9b9ffa3e68b08d132312f1561c60108ff9b8b1167b6ecf2","doc/ISO-8859-8.txt":"72cd6f3afb7b4a9c16a66a362473315770b7755d72c86c870e52fc3eba86c8af","doc/KOI8-R.txt":"839cf19a38da994488004ed7814b1f6151640156a9a2af02bf2efca745fb5966","doc/KOI8-U.txt":"0cc76624ed1f024183e2298b7e019957da2c70c8ca06e0fc4e6f353f50a5054f","doc/Shift_JIS.txt":"34c49141818cb9ddbcf59cc858f78a79be8ad148d563f26415108ae1f148443f","doc/UTF-16BE.txt":"e2e280d8acbaa6d2a6b3569d60e17500a285f2baa0df3363dd85537cd5a1ef8f","doc/UTF-16LE.txt":"70bdc170e3fc5298ba68f10125fb5eeb8b077036cc96bb4416c4de396f6d76c1","doc/UTF-8.txt":"ea7bae742e613010ced002cf4b601a737d2203fad65e115611451bc4428f548a","doc/gb18030.txt":"dc71378a8f07a2d8659f69ee81fb8791fef56ba86f124b429978285237bb4a7b","
 
doc/macintosh.txt":"57491e53866711b4672d9b9ff35380b9dac9e0d8e3d6c20bdd6140603687c023","doc/replacement.txt":"4b6c3bbd7999d9d4108a281594bd02d13607e334a95465afff8c2c08d395f0e4","doc/windows-1250.txt":"61296bb6a21cdab602300d32ecfba434cb82de5ac3bc88d58710d2f125e28d39","doc/windows-1251.txt":"7deea1c61dea1485c8ff02db2c7d578db7a9aab63ab1cfd02ec04b515864689e","doc/windows-1252.txt":"933ef3bdddfce5ee132b9f1a1aa8b47423d2587bbe475b19028d0a6d38e180b6","doc/windows-1253.txt":"1a38748b88e99071a5c7b3d5456ead4caedeabab50d50d658be105bc113714de","doc/windows-1254.txt":"f8372f86c6f8d642563cd6ddc025260553292a39423df1683a98670bd7bf2b47","doc/windows-1255.txt":"4e5852494730054e2da258a74e1b9d780abbcdd8ce22ebc218ca2efe9e90493d","doc/windows-1256.txt":"c0879c5172abedead302a406e8f60d9cd9598694a0ffa4fd288ffe4fef7b8ea1","doc/windows-1257.txt":"c28a0c9f964fcb2b46d21f537c402446501a2800670481d6abf9fd9e9018d523","doc/windows-1258.txt":"5019ae4d61805c79aacbf17c93793342dbb098d65a1837783bc3e2c6d6a23602","doc/windows
 
-874.txt":"4ef0e4501c5feba8b17aee1818602ed44b36ca8475db771ce2fc16d392cabecc","doc/x-mac-cyrillic.txt":"58be154d8a888ca3d484b83b44f749823ef339ab27f14d90ca9a856f5050a8bd","doc/x-user-defined.txt":"f9cd07c4321bf5cfb0be4bdddd251072999b04a6cf7a6f5bc63709a84e2c1ffc","generate-encoding-data.py":"be989dd25c6b946e3e8745fdc8e8a80fcf24b3be99ad0b4b78153ba3f6ab6310","rustfmt.toml":"85c1a3b4382fd89e991cbb81b70fb52780472edc064c963943cdaaa56e0a2030","src/ascii.rs":"588e38b01e666d5e7462617ea7e90a108d608dec9e016f3d273ac0744af2e05d","src/big5.rs":"ec6e2913011a38e9a3e825a1731f139a7ca1d5b264fefae51a3cc1a68a57cef9","src/data.rs":"8a617cc57032092d65850eb27e00de687c80aea3299e839a1f58b42d0b35abf3","src/euc_jp.rs":"32047f5b540188c4cb19c07165f846b9786a09f18e315ed3e9bda1293dae52aa","src/euc_kr.rs":"9b25afc72d9378700eecfac58d55ad1c5946d6cd0ccde2c29c08200ef2de6bb9","src/gb18030.rs":"808587168d73f0c80f8520f0ca9b161866ed2efeb17a05e85fdf3b8efe7ba28a","src/handles.rs":"b08cef1f5785bb6a4822f2e844c6df1b046b737b7a075e4
 
593eaa8c4208e9fe2","src/iso_2022_jp.rs":"9bb485e82574f4b7d4b2364f0ff276acb6a0bc111758420a3b0ec5e04c196652","src/lib.rs":"834f44b670ec48ee82c0e12223d1567313fdd9f88bca5f4b117c82c1828f559f","src/macros.rs":"200997f8870de8bfd8cdc475e92115df42108c0df661e49d3d1cbc32056e1d99","src/mem.rs":"948571137d3b151df8db4fb2c733e74ae595d055cdf0ad83abcab9341d6adabe","src/replacement.rs":"7660b34a53f8c1ca2bdfa0e51e843ec28326950952ad8bc96569feb93ac62308","src/shift_jis.rs":"6951ae67e36b1a12fa3a30734957f444d8b1b4ae0e2bde52060b29bd0f16d9d9","src/simd_funcs.rs":"05c6e77af74bfe73cd39a752067c11425d6b46e5da419910f54bf75a5c02a984","src/single_byte.rs":"3ad87116fb339434a4b58e8f2b15485f2b66b9f7814d708f16194ed08f6d6ccf","src/test_data/big5_in.txt":"4c5a8691f8dc717311889c63894026d2fb62725a86c4208ca274a9cc8d42a503","src/test_data/big5_in_ref.txt":"99d399e17750cf9c7cf30bb253dbfe35b81c4fcbdead93cfa48b1429213473c7","src/test_data/big5_out.txt":"6193ca97c297aa20e09396038d18e938bb7ea331c26f0f2454097296723a0b13","src/tes
 
t_data/big5_out_ref.txt":"36567691f557df144f6cc520015a87038dfa156f296fcf103b56ae9a718be1fc","src/test_data/euc_kr_in.txt":"c86a7224f3215fa0d04e685622a752fdc72763e8ae076230c7fd62de57ec4074","src/test_data/euc_kr_in_ref.txt":"1f419f4ca47d708b54c73c461545a022ae2e20498fdbf8005a483d752a204883","src/test_data/euc_kr_out.txt":"e7f32e026f70be1e1b58e0047baf7d3d2c520269c4f9b9992e158b4decb0a1a3","src/test_data/euc_kr_out_ref.txt":"c9907857980b20b8e9e3b584482ed6567a2be6185d72237b6322f0404944924e","src/test_data/gb18030_in.txt":"ab7231b2d3e9afacdbd7d7f3b9e5361a7ff9f7e1cfdb4f3bd905b9362b309e53","src/test_data/gb18030_in_ref.txt":"dc5069421adca2043c55f5012b55a76fdff651d22e6e699fd0978f8d5706815c","src/test_data/gb18030_out.txt":"f0208d527f5ca63de7d9a0323be8d5cf12d8a104b2943d92c2701f0c3364dac1","src/test_data/gb18030_out_ref.txt":"6819fe47627e4ea01027003fc514b9f21a1322e732d7f1fb92cc6c5455bc6c07","src/test_data/iso_2022_jp_in.txt":"cd24bbdcb1834e25db54646fbf4c41560a13dc7540f6be3dba4f5d97d44513af","sr
 
c/test_data/iso_2022_jp_in_ref.txt":"3dc4e6a5e06471942d086b16c9440945e78415f6f3f47e43717e4bc2eac2cdf5","src/test_data/iso_2022_jp_out.txt":"9b6f015329dda6c3f9ee5ce6dbd6fa9c89acc21283e886836c78b8d833480c21","src/test_data/iso_2022_jp_out_ref.txt":"78cb260093a20116ad9a42f43b05d1848c5ab100b6b9a850749809e943884b35","src/test_data/jis0208_in.txt":"6df3030553ffb0a6615bb33dc8ea9dca6d9623a9028e2ffec754ce3c3da824cc","src/test_data/jis0208_in_ref.txt":"3dc4e6a5e06471942d086b16c9440945e78415f6f3f47e43717e4bc2eac2cdf5","src/test_data/jis0208_out.txt":"4ec24477e1675ce750733bdc3c5add1cd27b6bd4ce1f09289564646e9654e857","src/test_data/jis0208_out_ref.txt":"c3e1cef5032b2b1d93a406f31ff940c4e2dfe8859b8b17ca2761fee7a75a0e48","src/test_data/jis0212_in.txt":"c011f0dd72bd7c8cd922df9374ef8d2769a77190514c77f6c62b415852eeb9fe","src/test_data/jis0212_in_ref.txt":"7d9458b3d2f73e7092a7f505c08ce1d233dde18aa679fbcf9889256239cc9e06","src/test_data/shift_jis_in.txt":"02e389ccef0dd2122e63f503899402cb7f797912c2444cc8
 
0ab93131116c5524","src/test_data/shift_jis_in_ref.txt":"512f985950ca902e643c88682dba9708b7c38d3c5ec2925168ab00ac94ab19f9","src/test_data/shift_jis_out.txt":"5fbc44da7bf639bf6cfe0fa1fd3eba7102b88f81919c9ea991302712f69426fb","src/test_data/shift_jis_out_ref.txt":"466322c6fed8286c64582731755290c2296508efdd258826e6279686649b481f","src/test_labels_names.rs":"23a2e11b02b3b8d15fb5613a625e3edb2c61e70e3c581abfd638719a4088200d","src/testing.rs":"f59e671e95a98a56f6b573e8c6be4d71e670bf52f7e20eb1605d990aafa1894e","src/utf_16.rs":"c071a147fad38d750c2c247e141b76b929a48007b99f26b2922b9caecdaf2f25","src/utf_8.rs":"7b7d887b347f1aefa03246b028a36a72758a4ce76c28f3b45c19467851aa7839","src/variant.rs":"1fab5363588a1554a7169de8731ea9cded7ac63ea35caabdd1c27a8dde68c27b","src/x_user_defined.rs":"9456ca46168ef86c98399a2536f577ef7be3cdde90c0c51392d8ac48519d3fae"},"package":"b45de904aa0b010bce2ab45264d0631681847fa7b6f2eaa7dab7619943bc4f59"}

Index: pkgsrc/www/firefox115/patches/patch-llvm18
diff -u /dev/null pkgsrc/www/firefox115/patches/patch-llvm18:1.1
--- /dev/null   Fri Aug 16 15:15:37 2024
+++ pkgsrc/www/firefox115/patches/patch-llvm18  Fri Aug 16 15:15:37 2024
@@ -0,0 +1,199 @@
+From cd10f3ba0d83f34ca978cc4c7a552b72fdd068aa Mon Sep 17 00:00:00 2001
+From: David Tolnay <dtolnay%gmail.com@localhost>
+Date: Tue, 28 Nov 2023 11:18:39 -0800
+Subject: [PATCH 1/2] Flatten cursor.kind() matching in Item::parse down to one
+ match
+
+---
+ bindgen/ir/item.rs | 84 ++++++++++++++++++++++------------------------
+ 1 file changed, 41 insertions(+), 43 deletions(-)
+
+diff --git bindgen/ir/item.rs bindgen/ir/item.rs
+index 0556452bfa..4f2d361e51 100644
+--- third_party/rust/bindgen/ir/item.rs
++++ third_party/rust/bindgen/ir/item.rs
+@@ -1427,53 +1427,52 @@
+             }
+         }
+ 
+-        // Guess how does clang treat extern "C" blocks?
+-        if cursor.kind() == CXCursor_UnexposedDecl {
+-            Err(ParseError::Recurse)
+-        } else {
++        match cursor.kind() {
++            // Guess how does clang treat extern "C" blocks?
++            CXCursor_UnexposedDecl => Err(ParseError::Recurse),
++
+             // We allowlist cursors here known to be unhandled, to prevent being
+             // too noisy about this.
+-            match cursor.kind() {
+-                CXCursor_MacroDefinition |
+-                CXCursor_MacroExpansion |
+-                CXCursor_UsingDeclaration |
+-                CXCursor_UsingDirective |
+-                CXCursor_StaticAssert |
+-                CXCursor_FunctionTemplate => {
+-                    debug!(
+-                        "Unhandled cursor kind {:?}: {:?}",
+-                        cursor.kind(),
+-                        cursor
+-                    );
+-                }
+-                CXCursor_InclusionDirective => {
+-                    let file = cursor.get_included_file_name();
+-                    match file {
+-                        None => {
+-                            warn!(
+-                                "Inclusion of a nameless file in {:?}",
+-                                cursor
+-                            );
+-                        }
+-                        Some(filename) => {
+-                            ctx.include_file(filename);
+-                        }
+-                    }
+-                }
+-                _ => {
+-                    // ignore toplevel operator overloads
+-                    let spelling = cursor.spelling();
+-                    if !spelling.starts_with("operator") {
++            CXCursor_MacroDefinition |
++            CXCursor_MacroExpansion |
++            CXCursor_UsingDeclaration |
++            CXCursor_UsingDirective |
++            CXCursor_StaticAssert |
++            CXCursor_FunctionTemplate => {
++                debug!(
++                    "Unhandled cursor kind {:?}: {:?}",
++                    cursor.kind(),
++                    cursor
++                );
++                Err(ParseError::Continue)
++            }
++            CXCursor_InclusionDirective => {
++                let file = cursor.get_included_file_name();
++                match file {
++                    None => {
+                         warn!(
+-                            "Unhandled cursor kind {:?}: {:?}",
+-                            cursor.kind(),
++                            "Inclusion of a nameless file in {:?}",
+                             cursor
+                         );
+                     }
++                    Some(filename) => {
++                        ctx.include_file(filename);
++                    }
+                 }
++                Err(ParseError::Continue)
++            }
++            _ => {
++                // ignore toplevel operator overloads
++                let spelling = cursor.spelling();
++                if !spelling.starts_with("operator") {
++                    warn!(
++                        "Unhandled cursor kind {:?}: {:?}",
++                        cursor.kind(),
++                        cursor
++                    );
++                }
++                Err(ParseError::Continue)
+             }
+-
+-            Err(ParseError::Continue)
+         }
+     }
+ 
+
+From 2997017b5a3065b83e9d76f0080d6cb99c94c0c1 Mon Sep 17 00:00:00 2001
+From: David Tolnay <dtolnay%gmail.com@localhost>
+Date: Tue, 28 Nov 2023 11:21:18 -0800
+Subject: [PATCH 2/2] Handle CXCursor_LinkageSpec in Clang 18+
+
+---
+ bindgen/ir/item.rs | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git bindgen/ir/item.rs bindgen/ir/item.rs
+index 4f2d361e51..dd587b088b 100644
+--- third_party/rust/bindgen/ir/item.rs
++++ third_party/rust/bindgen/ir/item.rs
+@@ -1433,8 +1433,11 @@ impl Item {
+         }
+ 
+         match cursor.kind() {
+-            // Guess how does clang treat extern "C" blocks?
+-            CXCursor_UnexposedDecl => Err(ParseError::Recurse),
++            // On Clang 18+, extern "C" is reported accurately as a LinkageSpec.
++            // Older LLVM treat it as UnexposedDecl.
++            CXCursor_LinkageSpec | CXCursor_UnexposedDecl => {
++                Err(ParseError::Recurse)
++            }
+ 
+             // We allowlist cursors here known to be unhandled, to prevent being
+             // too noisy about this.
+diff --git dom/media/gmp-plugin-openh264/gmp-fake-openh264.cpp dom/media/gmp-plugin-openh264/gmp-fake-openh264.cpp
+--- dom/media/gmp-plugin-openh264/gmp-fake-openh264.cpp
++++ dom/media/gmp-plugin-openh264/gmp-fake-openh264.cpp
+@@ -97,11 +97,11 @@
+     uint32_t width_;
+     uint32_t height_;
+     uint8_t y_;
+     uint8_t u_;
+     uint8_t v_;
+-    uint32_t timestamp_;
++    uint64_t timestamp_;
+   } idr_nalu;
+ };
+ #pragma pack(pop)
+ 
+ #define ENCODED_FRAME_MAGIC 0x004000b8
+diff --git dom/media/gtest/TestGMPRemoveAndDelete.cpp dom/media/gtest/TestGMPRemoveAndDelete.cpp
+--- dom/media/gtest/TestGMPRemoveAndDelete.cpp
++++ dom/media/gtest/TestGMPRemoveAndDelete.cpp
+@@ -359,11 +359,11 @@
+       uint32_t width_;
+       uint32_t height_;
+       uint8_t y_;
+       uint8_t u_;
+       uint8_t v_;
+-      uint32_t timestamp_;
++      uint64_t timestamp_;
+     } idr_nalu;
+   };
+ #pragma pack(pop)
+ 
+   GMPVideoFrame* absFrame;
+diff --git dom/media/webrtc/libwebrtcglue/WebrtcGmpVideoCodec.h dom/media/webrtc/libwebrtcglue/WebrtcGmpVideoCodec.h
+--- dom/media/webrtc/libwebrtcglue/WebrtcGmpVideoCodec.h
++++ dom/media/webrtc/libwebrtcglue/WebrtcGmpVideoCodec.h
+@@ -300,11 +300,11 @@
+ 
+   struct InputImageData {
+     int64_t timestamp_us;
+   };
+   // Map rtp time -> input image data
+-  DataMutex<std::map<uint32_t, InputImageData>> mInputImageMap;
++  DataMutex<std::map<uint64_t, InputImageData>> mInputImageMap;
+ 
+   MediaEventProducer<uint64_t> mInitPluginEvent;
+   MediaEventProducer<uint64_t> mReleasePluginEvent;
+ };
+ 
+diff --git dom/media/webrtc/libwebrtcglue/WebrtcGmpVideoCodec.cpp dom/media/webrtc/libwebrtcglue/WebrtcGmpVideoCodec.cpp
+--- dom/media/webrtc/libwebrtcglue/WebrtcGmpVideoCodec.cpp
++++ dom/media/webrtc/libwebrtcglue/WebrtcGmpVideoCodec.cpp
+@@ -538,11 +538,11 @@
+     return;
+   }
+ 
+   webrtc::VideoFrameType ft;
+   GmpFrameTypeToWebrtcFrameType(aEncodedFrame->FrameType(), &ft);
+-  uint32_t timestamp = (aEncodedFrame->TimeStamp() * 90ll + 999) / 1000;
++  uint64_t timestamp = (aEncodedFrame->TimeStamp() * 90ll + 999) / 1000;
+ 
+   GMP_LOG_DEBUG("GMP Encoded: %" PRIu64 ", type %d, len %d",
+                 aEncodedFrame->TimeStamp(), aEncodedFrame->BufferType(),
+                 aEncodedFrame->Size());
+ 
+
Index: pkgsrc/www/firefox115/patches/patch-rust-1.78.0
diff -u /dev/null pkgsrc/www/firefox115/patches/patch-rust-1.78.0:1.1
--- /dev/null   Fri Aug 16 15:15:37 2024
+++ pkgsrc/www/firefox115/patches/patch-rust-1.78.0     Fri Aug 16 15:15:37 2024
@@ -0,0 +1,3564 @@
+Adapted from https://hg.mozilla.org/mozilla-central/rev/1db2ef126a6a
+--
+
+# HG changeset patch
+# User Henri Sivonen <hsivonen%hsivonen.fi@localhost>
+# Date 1714462184 0
+# Node ID 1db2ef126a6a8555dbf50345e16492c977b42e92
+# Parent  a545e84b3674c4878f2e618b7bce23058f2ac690
+Bug 1882209 - Update encoding_rs to 0.8.34 to deal with rustc changes. r=glandium,supply-chain-reviewers
+
+Differential Revision: https://phabricator.services.mozilla.com/D207167
+
+diff --git a/.cargo/config.in b/.cargo/config.in
+--- .cargo/config.in
++++ .cargo/config.in
+@@ -35,31 +35,31 @@ git = "https://github.com/gfx-rs/wgpu";
+ rev = "f71a1bc736fde37509262ca03e91d8f56a13aeb5"
+ replace-with = "vendored-sources"
+ 
+ [source."git+https://github.com/glandium/warp?rev=4af45fae95bc98b0eba1ef0db17e1dac471bb23d";]
+ git = "https://github.com/glandium/warp";
+ rev = "4af45fae95bc98b0eba1ef0db17e1dac471bb23d"
+ replace-with = "vendored-sources"
+ 
++[source."git+https://github.com/hsivonen/any_all_workaround?rev=7fb1b7034c9f172aade21ee1c8554e8d8a48af80";]
++git = "https://github.com/hsivonen/any_all_workaround";
++rev = "7fb1b7034c9f172aade21ee1c8554e8d8a48af80"
++replace-with = "vendored-sources"
++
+ [source."git+https://github.com/hsivonen/chardetng?rev=3484d3e3ebdc8931493aa5df4d7ee9360a90e76b";]
+ git = "https://github.com/hsivonen/chardetng";
+ rev = "3484d3e3ebdc8931493aa5df4d7ee9360a90e76b"
+ replace-with = "vendored-sources"
+ 
+ [source."git+https://github.com/hsivonen/chardetng_c?rev=ed8a4c6f900a90d4dbc1d64b856e61490a1c3570";]
+ git = "https://github.com/hsivonen/chardetng_c";
+ rev = "ed8a4c6f900a90d4dbc1d64b856e61490a1c3570"
+ replace-with = "vendored-sources"
+ 
+-[source."git+https://github.com/hsivonen/packed_simd?rev=e588ceb568878e1a3156ea9ce551d5b63ef0cdc4";]
+-git = "https://github.com/hsivonen/packed_simd";
+-rev = "e588ceb568878e1a3156ea9ce551d5b63ef0cdc4"
+-replace-with = "vendored-sources"
+-
+ [source."git+https://github.com/jfkthame/mapped_hyph.git?rev=c7651a0cffff41996ad13c44f689bd9cd2192c01";]
+ git = "https://github.com/jfkthame/mapped_hyph.git";
+ rev = "c7651a0cffff41996ad13c44f689bd9cd2192c01"
+ replace-with = "vendored-sources"
+ 
+ [source."git+https://github.com/mozilla-spidermonkey/jsparagus?rev=64ba08e24749616de2344112f226d1ef4ba893ae";]
+ git = "https://github.com/mozilla-spidermonkey/jsparagus";
+ rev = "64ba08e24749616de2344112f226d1ef4ba893ae"
+diff --git a/Cargo.lock b/Cargo.lock
+--- Cargo.lock
++++ Cargo.lock
+@@ -80,16 +80,25 @@ dependencies = [
+ name = "android_system_properties"
+ version = "0.1.5"
+ source = "registry+https://github.com/rust-lang/crates.io-index";
+ checksum = "819e7219dbd41043ac279b19830f2efc897156490d7fd6ea916720117ee66311"
+ dependencies = [
+  "libc",
+ ]
+ 
++[[package]]
++name = "any_all_workaround"
++version = "0.1.0"
++source = "git+https://github.com/hsivonen/any_all_workaround?rev=7fb1b7034c9f172aade21ee1c8554e8d8a48af80#7fb1b7034c9f172aade21ee1c8554e8d8a48af80";
++dependencies = [
++ "cfg-if 1.0.0",
++ "version_check",
++]
++
+ [[package]]
+ name = "anyhow"
+ version = "1.0.69"
+ source = "registry+https://github.com/rust-lang/crates.io-index";
+ checksum = "224afbd727c3d6e4b90103ece64b8d1b67fbb1973b1046c2281eed3f3803f800"
+ 
+ [[package]]
+ name = "app_services_logger"
+@@ -1431,22 +1440,22 @@ dependencies = [
+  "encoding_rs",
+  "nserror",
+  "nsstring",
+  "xmldecl",
+ ]
+ 
+ [[package]]
+ name = "encoding_rs"
+-version = "0.8.33"
++version = "0.8.34"
+ source = "registry+https://github.com/rust-lang/crates.io-index";
+-checksum = "7268b386296a025e474d5140678f75d6de9493ae55a5d709eeb9dd08149945e1"
++checksum = "b45de904aa0b010bce2ab45264d0631681847fa7b6f2eaa7dab7619943bc4f59"
+ dependencies = [
++ "any_all_workaround",
+  "cfg-if 1.0.0",
+- "packed_simd",
+ ]
+ 
+ [[package]]
+ name = "enum-primitive-derive"
+ version = "0.2.2"
+ source = "registry+https://github.com/rust-lang/crates.io-index";
+ checksum = "c375b9c5eadb68d0a6efee2999fef292f45854c3444c86f09d8ab086ba942b0e"
+ dependencies = [
+@@ -3901,25 +3910,16 @@ checksum = "8d91edf4fbb970279443471345a4e8c491bf05bb283b3e6c88e4e606fd8c181b"
+ [[package]]
+ name = "oxilangtag-ffi"
+ version = "0.1.0"
+ dependencies = [
+  "nsstring",
+  "oxilangtag",
+ ]
+ 
+-[[package]]
+-name = "packed_simd"
+-version = "0.3.9"
+-source = "git+https://github.com/hsivonen/packed_simd?rev=e588ceb568878e1a3156ea9ce551d5b63ef0cdc4#e588ceb568878e1a3156ea9ce551d5b63ef0cdc4";
+-dependencies = [
+- "cfg-if 1.0.0",
+- "num-traits",
+-]
+-
+ [[package]]
+ name = "parking_lot"
+ version = "0.11.2"
+ source = "registry+https://github.com/rust-lang/crates.io-index";
+ checksum = "7d17b78036a60663b797adeaee46f5c9dfebb86948d1255007a1d6be0271ff99"
+ dependencies = [
+  "instant",
+  "lock_api",
+diff --git a/Cargo.toml b/Cargo.toml
+--- Cargo.toml
++++ Cargo.toml
+@@ -154,22 +154,22 @@ rure = { path = "third_party/rust/rure" }
+ 
+ # 0.31.1 but without rust-cssparser#342.
+ # TODO: Remove these, and just use v0.31.1 once bug 1836219 lands
+ # (which will get syn 2 into the tree).
+ cssparser = { path = "third_party/rust/cssparser" }
+ cssparser-macros = { path = "third_party/rust/cssparser-macros" }
+ 
+ # Other overrides
++any_all_workaround = { git = "https://github.com/hsivonen/any_all_workaround";, rev = "7fb1b7034c9f172aade21ee1c8554e8d8a48af80" }
+ chardetng = { git = "https://github.com/hsivonen/chardetng";, rev="3484d3e3ebdc8931493aa5df4d7ee9360a90e76b" }
+ chardetng_c = { git = "https://github.com/hsivonen/chardetng_c";, rev="ed8a4c6f900a90d4dbc1d64b856e61490a1c3570" }
+ coremidi = { git = "https://github.com/chris-zen/coremidi.git";, rev="fc68464b5445caf111e41f643a2e69ccce0b4f83" }
+ firefox-on-glean = { path = "toolkit/components/glean/api" }
+ libudev-sys = { path = "dom/webauthn/libudev-sys" }
+-packed_simd = { git = "https://github.com/hsivonen/packed_simd";, rev = "e588ceb568878e1a3156ea9ce551d5b63ef0cdc4" }
+ midir = { git = "https://github.com/mozilla/midir.git";, rev = "519e651241e867af3391db08f9ae6400bc023e18" }
+ # warp 0.3.3 + https://github.com/seanmonstar/warp/pull/1007
+ warp = { git = "https://github.com/glandium/warp";, rev = "4af45fae95bc98b0eba1ef0db17e1dac471bb23d" }
+ 
+ # application-services overrides to make updating them all simpler.
+ interrupt-support = { git = "https://github.com/mozilla/application-services";, rev = "86c84c217036c12283d19368867323a66bf35883" }
+ sql-support = { git = "https://github.com/mozilla/application-services";, rev = "86c84c217036c12283d19368867323a66bf35883" }
+ sync15 = { git = "https://github.com/mozilla/application-services";, rev = "86c84c217036c12283d19368867323a66bf35883" }
+diff --git a/supply-chain/audits.toml b/supply-chain/audits.toml
+--- supply-chain/audits.toml
++++ supply-chain/audits.toml
+@@ -596,16 +596,29 @@ who = "Mike Hommey <mh+mozilla@glandium.
+ criteria = "safe-to-deploy"
+ delta = "0.1.2 -> 0.1.4"
+ 
+ [[audits.android_system_properties]]
+ who = "Mike Hommey <mh+mozilla%glandium.org@localhost>"
+ criteria = "safe-to-deploy"
+ delta = "0.1.4 -> 0.1.5"
+ 
++[[audits.any_all_workaround]]
++who = "Henri Sivonen <hsivonen%hsivonen.fi@localhost>"
++criteria = "safe-to-deploy"
++version = "0.1.0"
++notes = "The little code that is in this crate I reviewed and modified from packed_simd (which has previously been vendored in full instead of just this small part)."
++
++[[audits.any_all_workaround]]
++who = "Henri Sivonen <hsivonen%hsivonen.fi@localhost>"
++criteria = "safe-to-deploy"
++delta = "0.1.0 -> 0.1.0@git:7fb1b7034c9f172aade21ee1c8554e8d8a48af80"
++importable = false
++notes = "This is a trivial workaround copied from elsewhere in m-c, specifically qcms."
++
+ [[audits.anyhow]]
+ who = "Mike Hommey <mh+mozilla%glandium.org@localhost>"
+ criteria = "safe-to-deploy"
+ delta = "1.0.57 -> 1.0.61"
+ 
+ [[audits.anyhow]]
+ who = "Bobby Holley <bobbyholley%gmail.com@localhost>"
+ criteria = "safe-to-deploy"
+diff --git a/supply-chain/config.toml b/supply-chain/config.toml
+--- supply-chain/config.toml
++++ supply-chain/config.toml
+@@ -14,16 +14,20 @@ url = "https://raw.githubusercontent.com
+ url = "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml";
+ 
+ [imports.isrg]
+ url = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml";
+ 
+ [imports.mozilla]
+ url = "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml";
+ 
++[policy.any_all_workaround]
++audit-as-crates-io = true
++notes = "This is the upstream code plus the ARM intrinsics workaround from qcms, see bug 1882209."
++
+ [policy.autocfg]
+ audit-as-crates-io = true
+ notes = "This is the upstream code plus a few local fixes, see bug 1685697."
+ 
+ [policy.chardetng]
+ audit-as-crates-io = true
+ notes = "This is a crate Henri wrote which is also published. We should probably update Firefox to tip and certify that."
+ 
+diff --git a/supply-chain/imports.lock b/supply-chain/imports.lock
+--- supply-chain/imports.lock
++++ supply-chain/imports.lock
+@@ -115,16 +115,23 @@ user-name = "David Tolnay"
+ 
+ [[publisher.encoding_rs]]
+ version = "0.8.33"
+ when = "2023-08-23"
+ user-id = 4484
+ user-login = "hsivonen"
+ user-name = "Henri Sivonen"
+ 
++[[publisher.encoding_rs]]
++version = "0.8.34"
++when = "2024-04-10"
++user-id = 4484
++user-login = "hsivonen"
++user-name = "Henri Sivonen"
++
+ [[publisher.etagere]]
+ version = "0.2.7"
+ when = "2022-05-04"
+ user-id = 1281
+ user-login = "nical"
+ user-name = "Nicolas Silva"
+ 
+ [[publisher.euclid]]
+diff --git a/third_party/rust/any_all_workaround/.cargo-checksum.json b/third_party/rust/any_all_workaround/.cargo-checksum.json
+new file mode 100644
+--- /dev/null
++++ third_party/rust/any_all_workaround/.cargo-checksum.json
+@@ -0,0 +1,1 @@
++{"files":{"Cargo.toml":"f8c127449dc9432d404c21c99833e4617ab88a797445af249a7fe3c989985d6d","LICENSE-APACHE":"a60eea817514531668d7e00765731449fe14d059d3249e0bc93b36de45f759f2","LICENSE-MIT":"6485b8ed310d3f0340bf1ad1f47645069ce4069dcc6bb46c7d5c6faf41de1fdb","LICENSE-MIT-QCMS":"36d847ae882f6574ebc72f56a4f354e4f104fde4a584373496482e97d52d31bc","README.md":"4c617b8ced3a27b7edecf0e5e41ed451c04e88dab529e7a35fccc4e1551efbd7","build.rs":"56b29ab6da3e49075bfd0a7b690267c8016298bf0d332e2e68bbaf19decbbf71","src/lib.rs":"7118106690b9d25c5d0a3e2079feb83d76f1d434d0da36b9d0351806d27c850d"},"package":null}
+\ No newline at end of file
+diff --git a/third_party/rust/any_all_workaround/Cargo.toml b/third_party/rust/any_all_workaround/Cargo.toml
+new file mode 100644
+--- /dev/null
++++ third_party/rust/any_all_workaround/Cargo.toml
+@@ -0,0 +1,28 @@
++# THIS FILE IS AUTOMATICALLY GENERATED BY CARGO
++#
++# When uploading crates to the registry Cargo will automatically
++# "normalize" Cargo.toml files for maximal compatibility
++# with all versions of Cargo and also rewrite `path` dependencies
++# to registry (e.g., crates.io) dependencies.
++#
++# If you are reading this file be aware that the original Cargo.toml
++# will likely look very different (and much more reasonable).
++# See Cargo.toml.orig for the original contents.
++
++[package]
++edition = "2021"
++name = "any_all_workaround"
++version = "0.1.0"
++authors = ["Henri Sivonen <hsivonen%hsivonen.fi@localhost>"]
++description = "Workaround for bad LLVM codegen for boolean reductions on 32-bit ARM"
++homepage = "https://docs.rs/any_all_workaround/";
++documentation = "https://docs.rs/any_all_workaround/";
++readme = "README.md"
++license = "MIT OR Apache-2.0"
++repository = "https://github.com/hsivonen/any_all_workaround";
++
++[dependencies]
++cfg-if = "1.0"
++
++[build-dependencies]
++version_check = "0.9"
+diff --git a/third_party/rust/packed_simd/LICENSE-APACHE b/third_party/rust/any_all_workaround/LICENSE-APACHE
+rename from third_party/rust/packed_simd/LICENSE-APACHE
+rename to third_party/rust/any_all_workaround/LICENSE-APACHE
+diff --git a/third_party/rust/packed_simd/LICENSE-MIT b/third_party/rust/any_all_workaround/LICENSE-MIT
+rename from third_party/rust/packed_simd/LICENSE-MIT
+rename to third_party/rust/any_all_workaround/LICENSE-MIT
+diff --git a/third_party/rust/any_all_workaround/LICENSE-MIT-QCMS b/third_party/rust/any_all_workaround/LICENSE-MIT-QCMS
+new file mode 100644
+--- /dev/null
++++ third_party/rust/any_all_workaround/LICENSE-MIT-QCMS
+@@ -0,0 +1,21 @@
++qcms
++Copyright (C) 2009-2024 Mozilla Corporation
++Copyright (C) 1998-2007 Marti Maria
++
++Permission is hereby granted, free of charge, to any person obtaining 
++a copy of this software and associated documentation files (the "Software"), 
++to deal in the Software without restriction, including without limitation 
++the rights to use, copy, modify, merge, publish, distribute, sublicense, 
++and/or sell copies of the Software, and to permit persons to whom the Software 
++is furnished to do so, subject to the following conditions:
++
++The above copyright notice and this permission notice shall be included in 
++all copies or substantial portions of the Software.
++
++THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, 
++EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO 
++THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND 
++NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE 
++LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION 
++OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION 
++WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+diff --git a/third_party/rust/any_all_workaround/README.md b/third_party/rust/any_all_workaround/README.md
+new file mode 100644
+--- /dev/null
++++ third_party/rust/any_all_workaround/README.md
+@@ -0,0 +1,13 @@
++# any_all_workaround
++
++This is a workaround for bad codegen ([Rust bug](https://github.com/rust-lang/portable-simd/issues/146), [LLVM bug](https://github.com/llvm/llvm-project/issues/50466)) for the `any()` and `all()` 
reductions for NEON-backed SIMD vectors on 32-bit ARM. On other platforms these delegate to `any()` and `all()` in `core::simd`.
++
++The plan is to abandon this crate once the LLVM bug is fixed or `core::simd` works around the LLVM bug.
++
++The code is forked from the [`packed_simd` crate](https://raw.githubusercontent.com/hsivonen/packed_simd/d938e39bee9bc5c222f5f2f2a0df9e53b5ce36ae/src/codegen/reductions/mask/arm.rs).
++
++This crate requires Nightly Rust as it depends on the `portable_simd` feature.
++
++# License
++
++`MIT OR Apache-2.0`, since that's how `packed_simd` is licensed. (The ARM intrinsics Rust version workaround is from qcms, see LICENSE-MIT-QCMS.)
+diff --git a/third_party/rust/any_all_workaround/build.rs b/third_party/rust/any_all_workaround/build.rs
+new file mode 100644
+--- /dev/null
++++ third_party/rust/any_all_workaround/build.rs
+@@ -0,0 +1,7 @@
++extern crate version_check as rustc;
++
++fn main() {
++    if rustc::is_min_version("1.78.0").unwrap_or(false) {
++        println!("cargo:rustc-cfg=stdsimd_split");
++    }
++}
+diff --git a/third_party/rust/any_all_workaround/src/lib.rs b/third_party/rust/any_all_workaround/src/lib.rs
+new file mode 100644
+--- /dev/null
++++ third_party/rust/any_all_workaround/src/lib.rs
+@@ -0,0 +1,110 @@
++// This code began as a fork of
++// https://raw.githubusercontent.com/rust-lang/packed_simd/d938e39bee9bc5c222f5f2f2a0df9e53b5ce36ae/src/codegen/reductions/mask/arm.rs
++// which didn't have a license header on the file, but Cargo.toml said "MIT OR Apache-2.0".
++// See LICENSE-MIT and LICENSE-APACHE.
++
++#![no_std]
++#![feature(portable_simd)]
++#![cfg_attr(
++    all(
++        stdsimd_split,
++        target_arch = "arm",
++        target_endian = "little",
++        target_feature = "neon",
++        target_feature = "v7"
++    ),
++    feature(stdarch_arm_neon_intrinsics)
++)]
++#![cfg_attr(
++    all(
++        not(stdsimd_split),
++        target_arch = "arm",
++        target_endian = "little",
++        target_feature = "neon",
++        target_feature = "v7"
++    ),
++    feature(stdsimd)
++)]
++
++use cfg_if::cfg_if;
++use core::simd::mask16x8;
++use core::simd::mask32x4;
++use core::simd::mask8x16;
++
++cfg_if! {
++    if #[cfg(all(target_arch = "arm", target_endian = "little", target_feature = "neon", target_feature = "v7"))] {
++        use core::simd::mask8x8;
++        use core::simd::mask16x4;
++        use core::simd::mask32x2;
++        macro_rules! arm_128_v7_neon_impl {
++            ($all:ident, $any:ident, $id:ident, $half:ident, $vpmin:ident, $vpmax:ident) => {
++                #[inline]
++                pub fn $all(s: $id) -> bool {
++                    use core::arch::arm::$vpmin;
++                    use core::mem::transmute;
++                    unsafe {
++                        union U {
++                            halves: ($half, $half),
++                            vec: $id,
++                        }
++                        let halves = U { vec: s }.halves;
++                        let h: $half = transmute($vpmin(transmute(halves.0), transmute(halves.1)));
++                        h.all()
++                    }
++                }
++                #[inline]
++                pub fn $any(s: $id) -> bool {
++                    use core::arch::arm::$vpmax;
++                    use core::mem::transmute;
++                    unsafe {
++                        union U {
++                            halves: ($half, $half),
++                            vec: $id,
++                        }
++                        let halves = U { vec: s }.halves;
++                        let h: $half = transmute($vpmax(transmute(halves.0), transmute(halves.1)));
++                        h.any()
++                    }
++                }
++            }
++        }
++    } else {
++        macro_rules! arm_128_v7_neon_impl {
++            ($all:ident, $any:ident, $id:ident, $half:ident, $vpmin:ident, $vpmax:ident) => {
++                #[inline(always)]
++                pub fn $all(s: $id) -> bool {
++                    s.all()
++                }
++                #[inline(always)]
++                pub fn $any(s: $id) -> bool {
++                    s.any()
++                }
++            }
++        }
++    }
++}
++
++arm_128_v7_neon_impl!(
++    all_mask8x16,
++    any_mask8x16,
++    mask8x16,
++    mask8x8,
++    vpmin_u8,
++    vpmax_u8
++);
++arm_128_v7_neon_impl!(
++    all_mask16x8,
++    any_mask16x8,
++    mask16x8,
++    mask16x4,
++    vpmin_u16,
++    vpmax_u16
++);
++arm_128_v7_neon_impl!(
++    all_mask32x4,
++    any_mask32x4,
++    mask32x4,
++    mask32x2,
++    vpmin_u32,
++    vpmax_u32
++);
+diff --git a/third_party/rust/encoding_rs/Cargo.toml b/third_party/rust/encoding_rs/Cargo.toml
+--- third_party/rust/encoding_rs/Cargo.toml
++++ third_party/rust/encoding_rs/Cargo.toml
+@@ -6,18 +6,19 @@
+ # to registry (e.g., crates.io) dependencies.
+ #
+ # If you are reading this file be aware that the original Cargo.toml
+ # will likely look very different (and much more reasonable).
+ # See Cargo.toml.orig for the original contents.
+ 
+ [package]
+ edition = "2018"
++rust-version = "1.36"
+ name = "encoding_rs"
+-version = "0.8.33"
++version = "0.8.34"
+ authors = ["Henri Sivonen <hsivonen%hsivonen.fi@localhost>"]
+ description = "A Gecko-oriented implementation of the Encoding Standard"
+ homepage = "https://docs.rs/encoding_rs/";
+ documentation = "https://docs.rs/encoding_rs/";
+ readme = "README.md"
+ keywords = [
+     "encoding",
+     "web",
+@@ -31,23 +32,23 @@ categories = [
+     "internationalization",
+ ]
+ license = "(Apache-2.0 OR MIT) AND BSD-3-Clause"
+ repository = "https://github.com/hsivonen/encoding_rs";
+ 
+ [profile.release]
+ lto = true
+ 
++[dependencies.any_all_workaround]
++version = "0.1.0"
++optional = true
++
+ [dependencies.cfg-if]
+ version = "1.0"
+ 
+-[dependencies.packed_simd]
+-version = "0.3.9"
+-optional = true
+-
+ [dependencies.serde]
+ version = "1.0"
+ optional = true
+ 
+ [dev-dependencies.bincode]
+ version = "1.0"
+ 
+ [dev-dependencies.serde_derive]
+@@ -69,15 +70,9 @@ fast-legacy-encode = [
+     "fast-hanja-encode",
+     "fast-kanji-encode",
+     "fast-gb-hanzi-encode",
+     "fast-big5-hanzi-encode",
+ ]
+ less-slow-big5-hanzi-encode = []
+ less-slow-gb-hanzi-encode = []
+ less-slow-kanji-encode = []
+-simd-accel = [
+-    "packed_simd",
+-    "packed_simd/into_bits",
+-]
+-
+-[badges.travis-ci]
+-repository = "hsivonen/encoding_rs"
++simd-accel = ["any_all_workaround"]
+diff --git a/third_party/rust/encoding_rs/README.md b/third_party/rust/encoding_rs/README.md
+--- third_party/rust/encoding_rs/README.md
++++ third_party/rust/encoding_rs/README.md
+@@ -162,50 +162,36 @@ wrappers.
+ * [C++](https://github.com/hsivonen/recode_cpp)
+ 
+ ## Optional features
+ 
+ There are currently these optional cargo features:
+ 
+ ### `simd-accel`
+ 
+-Enables SIMD acceleration using the nightly-dependent `packed_simd` crate.
++Enables SIMD acceleration using the nightly-dependent `portable_simd` standard
++library feature.
+ 
+ This is an opt-in feature, because enabling this feature _opts out_ of Rust's
+ guarantees of future compilers compiling old code (aka. "stability story").
+ 
+ Currently, this has not been tested to be an improvement except for these
+-targets:
++targets and enabling the `simd-accel` feature is expected to break the build
++on other targets:
+ 
+ * x86_64
+ * i686
+ * aarch64
+ * thumbv7neon
+ 
+ If you use nightly Rust, you use targets whose first component is one of the
+ above, and you are prepared _to have to revise your configuration when updating
+ Rust_, you should enable this feature. Otherwise, please _do not_ enable this
+ feature.
+ 
+-_Note!_ If you are compiling for a target that does not have 128-bit SIMD
+-enabled as part of the target definition and you are enabling 128-bit SIMD
+-using `-C target_feature`, you need to enable the `core_arch` Cargo feature
+-for `packed_simd` to compile a crates.io snapshot of `core_arch` instead of
+-using the standard-library copy of `core::arch`, because the `core::arch`
+-module of the pre-compiled standard library has been compiled with the
+-assumption that the CPU doesn't have 128-bit SIMD. At present this applies
+-mainly to 32-bit ARM targets whose first component does not include the
+-substring `neon`.
+-
+-The encoding_rs side of things has not been properly set up for POWER,
+-PowerPC, MIPS, etc., SIMD at this time, so even if you were to follow
+-the advice from the previous paragraph, you probably shouldn't use
+-the `simd-accel` option on the less mainstream architectures at this
+-time.
+-
+ Used by Firefox.
+ 
+ ### `serde`
+ 
+ Enables support for serializing and deserializing `&'static Encoding`-typed
+ struct fields using [Serde][1].
+ 
+ [1]: https://serde.rs/
+@@ -376,18 +362,19 @@ It is a goal to support the latest stabl
+ the version of Rust that's used for Firefox Nightly.
+ 
+ At this time, there is no firm commitment to support a version older than
+ what's required by Firefox, and there is no commitment to treat MSRV changes
+ as semver-breaking, because this crate depends on `cfg-if`, which doesn't
+ appear to treat MSRV changes as semver-breaking, so it would be useless for
+ this crate to treat MSRV changes as semver-breaking.
+ 
+-As of 2021-02-04, MSRV appears to be Rust 1.36.0 for using the crate and
++As of 2024-04-04, MSRV appears to be Rust 1.36.0 for using the crate and
+ 1.42.0 for doc tests to pass without errors about the global allocator.
++With the `simd-accel` feature, the MSRV is even higher.
+ 
+ ## Compatibility with rust-encoding
+ 
+ A compatibility layer that implements the rust-encoding API on top of
+ encoding_rs is
+ [provided as a separate crate](https://github.com/hsivonen/encoding_rs_compat)
+ (cannot be uploaded to crates.io). The compatibility layer was originally
+ written with the assuption that Firefox would need it, but it is not currently
+@@ -441,20 +428,27 @@ To regenerate the generated code:
+ - [x] Implement the rust-encoding API in terms of encoding_rs.
+ - [x] Add SIMD acceleration for Aarch64.
+ - [x] Investigate the use of NEON on 32-bit ARM.
+ - [ ] ~Investigate Björn Höhrmann's lookup table acceleration for UTF-8 as
+       adapted to Rust in rust-encoding.~
+ - [x] Add actually fast CJK encode options.
+ - [ ] ~Investigate [Bob Steagall's lookup table acceleration for 
UTF-8](https://github.com/BobSteagall/CppNow2018/blob/master/FastConversionFromUTF-8/Fast%20Conversion%20From%20UTF-8%20with%20C%2B%2B%2C%20DFAs%2C%20and%20SSE%20Intrinsics%20-%20Bob%20Steagall%20-%20C%2B%2BNow%202018.pdf).~
+ - [x] Provide a build mode that works without `alloc` (with lesser API surface).
+-- [ ] Migrate to `std::simd` once it is stable and declare 1.0.
++- [x] Migrate to `std::simd` ~once it is stable and declare 1.0.~
++- [ ] Migrate `unsafe` slice access by larger types than `u8`/`u16` to `align_to`.
+ 
+ ## Release Notes
+ 
++### 0.8.34
++
++* Use the `portable_simd` nightly feature of the standard library instead of the `packed_simd` crate. Only affects the `simd-accel` optional nightly feature.
++* Internal documentation improvements and minor code improvements around `unsafe`.
++* Added `rust-version` to `Cargo.toml`.
++
+ ### 0.8.33
+ 
+ * Use `packed_simd` instead of `packed_simd_2` again now that updates are back under the `packed_simd` name. Only affects the `simd-accel` optional nightly feature.
+ 
+ ### 0.8.32
+ 
+ * Removed `build.rs`. (This removal should resolve false positives reported by some antivirus products. This may break some build configurations that have opted out of Rust's guarantees against 
future build breakage.)
+ * Internal change to what API is used for reinterpreting the lane configuration of SIMD vectors.
+diff --git a/third_party/rust/encoding_rs/src/ascii.rs b/third_party/rust/encoding_rs/src/ascii.rs
+--- third_party/rust/encoding_rs/src/ascii.rs
++++ third_party/rust/encoding_rs/src/ascii.rs
+@@ -46,71 +46,87 @@ cfg_if! {
+         #[allow(dead_code)]
+         #[inline(always)]
+         fn likely(b: bool) -> bool {
+             b
+         }
+     }
+ }
+ 
++// Safety invariants for masks: data & mask = 0 for valid ASCII or basic latin utf-16
++
+ // `as` truncates, so works on 32-bit, too.
+ #[allow(dead_code)]
+ pub const ASCII_MASK: usize = 0x8080_8080_8080_8080u64 as usize;
+ 
+ // `as` truncates, so works on 32-bit, too.
+ #[allow(dead_code)]
+ pub const BASIC_LATIN_MASK: usize = 0xFF80_FF80_FF80_FF80u64 as usize;
+ 
+ #[allow(unused_macros)]
+ macro_rules! ascii_naive {
+     ($name:ident, $src_unit:ty, $dst_unit:ty) => {
++        /// Safety: src and dst must have len_unit elements and be aligned
++        /// Safety-usable invariant: will return Some() when it fails
++        /// to convert. The first value will be a u8 that is > 127.
+         #[inline(always)]
+         pub unsafe fn $name(
+             src: *const $src_unit,
+             dst: *mut $dst_unit,
+             len: usize,
+         ) -> Option<($src_unit, usize)> {
+             // Yes, manually omitting the bound check here matters
+             // a lot for perf.
+             for i in 0..len {
++                // Safety: len invariant used here
+                 let code_unit = *(src.add(i));
++                // Safety: Upholds safety-usable invariant here
+                 if code_unit > 127 {
+                     return Some((code_unit, i));
+                 }
++                // Safety: len invariant used here
+                 *(dst.add(i)) = code_unit as $dst_unit;
+             }
+             return None;
+         }
+     };
+ }
+ 
+ #[allow(unused_macros)]
+ macro_rules! ascii_alu {
+     ($name:ident,
++     // safety invariant: src/dst MUST be u8
+      $src_unit:ty,
+      $dst_unit:ty,
++     // Safety invariant: stride_fn must consume and produce two usizes, and return the index of the first non-ascii when it fails
+      $stride_fn:ident) => {
++        /// Safety: src and dst must have len elements, src is valid for read, dst is valid for
++        /// write
++        /// Safety-usable invariant: will return Some() when it fails
++        /// to convert. The first value will be a u8 that is > 127.
+         #[cfg_attr(feature = "cargo-clippy", allow(never_loop, cast_ptr_alignment))]
+         #[inline(always)]
+         pub unsafe fn $name(
+             src: *const $src_unit,
+             dst: *mut $dst_unit,
+             len: usize,
+         ) -> Option<($src_unit, usize)> {
+             let mut offset = 0usize;
+             // This loop is only broken out of as a `goto` forward
+             loop {
++                // Safety: until_alignment becomes the number of bytes we need to munch until we are aligned to usize
+                 let mut until_alignment = {
+                     // Check if the other unit aligns if we move the narrower unit
+                     // to alignment.
+                     //               if ::core::mem::size_of::<$src_unit>() == ::core::mem::size_of::<$dst_unit>() {
+                     // ascii_to_ascii
+                     let src_alignment = (src as usize) & ALU_ALIGNMENT_MASK;
+                     let dst_alignment = (dst as usize) & ALU_ALIGNMENT_MASK;
+                     if src_alignment != dst_alignment {
++                        // Safety: bails early and ends up in the naïve branch where usize-alignment doesn't matter
+                         break;
+                     }
+                     (ALU_ALIGNMENT - src_alignment) & ALU_ALIGNMENT_MASK
+                     //               } else if ::core::mem::size_of::<$src_unit>() < ::core::mem::size_of::<$dst_unit>() {
+                     // ascii_to_basic_latin
+                     //                   let src_until_alignment = (ALIGNMENT - ((src as usize) & ALIGNMENT_MASK)) & ALIGNMENT_MASK;
+                     //                   if (dst.add(src_until_alignment) as usize) & ALIGNMENT_MASK != 0 {
+                     //                       break;
+@@ -129,74 +145,104 @@ macro_rules! ascii_alu {
+                     // Moving pointers to alignment seems to be a pessimization on
+                     // x86_64 for operations that have UTF-16 as the internal
+                     // Unicode representation. However, since it seems to be a win
+                     // on ARM (tested ARMv7 code running on ARMv8 [rpi3]), except
+                     // mixed results when encoding from UTF-16 and since x86 and
+                     // x86_64 should be using SSE2 in due course, keeping the move
+                     // to alignment here. It would be good to test on more ARM CPUs
+                     // and on real MIPS and POWER hardware.
++                    //
++                    // Safety: This is the naïve code once again, for `until_alignment` bytes
+                     while until_alignment != 0 {
+                         let code_unit = *(src.add(offset));
+                         if code_unit > 127 {
++                            // Safety: Upholds safety-usable invariant here
+                             return Some((code_unit, offset));
+                         }
+                         *(dst.add(offset)) = code_unit as $dst_unit;
++                        // Safety: offset is the number of bytes copied so far
+                         offset += 1;
+                         until_alignment -= 1;
+                     }
+                     let len_minus_stride = len - ALU_STRIDE_SIZE;
+                     loop {
++                        // Safety: num_ascii is known to be a byte index of a non-ascii byte due to stride_fn's invariant
+                         if let Some(num_ascii) = $stride_fn(
++                            // Safety: These are known to be valid and aligned since we have at
++                            // least ALU_STRIDE_SIZE data in these buffers, and offset is the
++                            // number of elements copied so far, which according to the
++                            // until_alignment calculation above will cause both src and dst to be
++                            // aligned to usize after this add
+                             src.add(offset) as *const usize,
+                             dst.add(offset) as *mut usize,
+                         ) {
+                             offset += num_ascii;
++                            // Safety: Upholds safety-usable invariant here by indexing into non-ascii byte
+                             return Some((*(src.add(offset)), offset));
+                         }
++                        // Safety: offset continues to be the number of bytes copied so far, and
++                        // maintains usize alignment for the next loop iteration
+                         offset += ALU_STRIDE_SIZE;
++                        // Safety: This is `offset > len - stride. This loop will continue as long as
++                        // `offset <= len - stride`, which means there are `stride` bytes to still be read.
+                         if offset > len_minus_stride {
+                             break;
+                         }
+                     }
+                 }
+                 break;
+             }
++
++            // Safety: This is the naïve code, same as ascii_naive, and has no requirements
++            // other than src/dst being valid for the the right lens
+             while offset < len {
++                // Safety: len invariant used here
+                 let code_unit = *(src.add(offset));
+                 if code_unit > 127 {
++                    // Safety: Upholds safety-usable invariant here
+                     return Some((code_unit, offset));
+                 }
++                // Safety: len invariant used here
+                 *(dst.add(offset)) = code_unit as $dst_unit;
+                 offset += 1;
+             }
+             None
+         }
+     };
+ }
+ 
+ #[allow(unused_macros)]
+ macro_rules! basic_latin_alu {
+     ($name:ident,
++    // safety invariant: use u8 for src/dest for ascii, and u16 for basic_latin
+      $src_unit:ty,
+      $dst_unit:ty,
++    // safety invariant: stride function must munch ALU_STRIDE_SIZE*size(src_unit) bytes off of src and
++    // write ALU_STRIDE_SIZE*size(dst_unit) bytes to dst
+      $stride_fn:ident) => {
++        /// Safety: src and dst must have len elements, src is valid for read, dst is valid for
++        /// write
++        /// Safety-usable invariant: will return Some() when it fails
++        /// to convert. The first value will be a u8 that is > 127.
+         #[cfg_attr(
+             feature = "cargo-clippy",
+             allow(never_loop, cast_ptr_alignment, cast_lossless)
+         )]
+         #[inline(always)]
+         pub unsafe fn $name(
+             src: *const $src_unit,
+             dst: *mut $dst_unit,
+             len: usize,
+         ) -> Option<($src_unit, usize)> {
+             let mut offset = 0usize;
+             // This loop is only broken out of as a `goto` forward
+             loop {
++                // Safety: until_alignment becomes the number of bytes we need to munch from src/dest until we are aligned to usize
++                // We ensure basic-latin has the same alignment as ascii, starting with ascii since it is smaller.
+                 let mut until_alignment = {
+                     // Check if the other unit aligns if we move the narrower unit
+                     // to alignment.
+                     //               if ::core::mem::size_of::<$src_unit>() == ::core::mem::size_of::<$dst_unit>() {
+                     // ascii_to_ascii
+                     //                   let src_alignment = (src as usize) & ALIGNMENT_MASK;
+                     //                   let dst_alignment = (dst as usize) & ALIGNMENT_MASK;
+                     //                   if src_alignment != dst_alignment {
+@@ -232,66 +278,89 @@ macro_rules! basic_latin_alu {
+                     // Moving pointers to alignment seems to be a pessimization on
+                     // x86_64 for operations that have UTF-16 as the internal
+                     // Unicode representation. However, since it seems to be a win
+                     // on ARM (tested ARMv7 code running on ARMv8 [rpi3]), except
+                     // mixed results when encoding from UTF-16 and since x86 and
+                     // x86_64 should be using SSE2 in due course, keeping the move
+                     // to alignment here. It would be good to test on more ARM CPUs
+                     // and on real MIPS and POWER hardware.
++                    //
++                    // Safety: This is the naïve code once again, for `until_alignment` bytes
+                     while until_alignment != 0 {
+                         let code_unit = *(src.add(offset));
+                         if code_unit > 127 {
++                            // Safety: Upholds safety-usable invariant here
+                             return Some((code_unit, offset));
+                         }
+                         *(dst.add(offset)) = code_unit as $dst_unit;
++                        // Safety: offset is the number of bytes copied so far
+                         offset += 1;
+                         until_alignment -= 1;
+                     }
+                     let len_minus_stride = len - ALU_STRIDE_SIZE;
+                     loop {
+                         if !$stride_fn(
++                            // Safety: These are known to be valid and aligned since we have at
++                            // least ALU_STRIDE_SIZE data in these buffers, and offset is the
++                            // number of elements copied so far, which according to the
++                            // until_alignment calculation above will cause both src and dst to be
++                            // aligned to usize after this add
+                             src.add(offset) as *const usize,
+                             dst.add(offset) as *mut usize,
+                         ) {
+                             break;
+                         }
++                        // Safety: offset continues to be the number of bytes copied so far, and
++                        // maintains usize alignment for the next loop iteration
+                         offset += ALU_STRIDE_SIZE;
++                        // Safety: This is `offset > len - stride. This loop will continue as long as
++                        // `offset <= len - stride`, which means there are `stride` bytes to still be read.
+                         if offset > len_minus_stride {
+                             break;
+                         }
+                     }
+                 }
+                 break;
+             }
++            // Safety: This is the naïve code once again, for leftover bytes
+             while offset < len {
++                // Safety: len invariant used here
+                 let code_unit = *(src.add(offset));
+                 if code_unit > 127 {
++                    // Safety: Upholds safety-usable invariant here
+                     return Some((code_unit, offset));
+                 }
++                // Safety: len invariant used here
+                 *(dst.add(offset)) = code_unit as $dst_unit;
+                 offset += 1;
+             }
+             None
+         }
+     };
+ }
+ 
+ #[allow(unused_macros)]
+ macro_rules! latin1_alu {
++    // safety invariant: stride function must munch ALU_STRIDE_SIZE*size(src_unit) bytes off of src and
++    // write ALU_STRIDE_SIZE*size(dst_unit) bytes to dst
+     ($name:ident, $src_unit:ty, $dst_unit:ty, $stride_fn:ident) => {
++        /// Safety: src and dst must have len elements, src is valid for read, dst is valid for
++        /// write
+         #[cfg_attr(
+             feature = "cargo-clippy",
+             allow(never_loop, cast_ptr_alignment, cast_lossless)
+         )]
+         #[inline(always)]
+         pub unsafe fn $name(src: *const $src_unit, dst: *mut $dst_unit, len: usize) {
+             let mut offset = 0usize;
+             // This loop is only broken out of as a `goto` forward
+             loop {
++                // Safety: until_alignment becomes the number of bytes we need to munch from src/dest until we are aligned to usize
++                // We ensure the UTF-16 side has the same alignment as the Latin-1 side, starting with Latin-1 since it is smaller.
+                 let mut until_alignment = {
+                     if ::core::mem::size_of::<$src_unit>() < ::core::mem::size_of::<$dst_unit>() {
+                         // unpack
+                         let src_until_alignment = (ALU_ALIGNMENT
+                             - ((src as usize) & ALU_ALIGNMENT_MASK))
+                             & ALU_ALIGNMENT_MASK;
+                         if (dst.wrapping_add(src_until_alignment) as usize) & ALU_ALIGNMENT_MASK
+                             != 0
+@@ -308,373 +377,485 @@ macro_rules! latin1_alu {
+                             != 0
+                         {
+                             break;
+                         }
+                         dst_until_alignment
+                     }
+                 };
+                 if until_alignment + ALU_STRIDE_SIZE <= len {
++                    // Safety: This is the naïve code once again, for `until_alignment` bytes
+                     while until_alignment != 0 {
+                         let code_unit = *(src.add(offset));
+                         *(dst.add(offset)) = code_unit as $dst_unit;
++                        // Safety: offset is the number of bytes copied so far
+                         offset += 1;
+                         until_alignment -= 1;
+                     }
+                     let len_minus_stride = len - ALU_STRIDE_SIZE;
+                     loop {
+                         $stride_fn(
++                            // Safety: These are known to be valid and aligned since we have at
++                            // least ALU_STRIDE_SIZE data in these buffers, and offset is the
++                            // number of elements copied so far, which according to the
++                            // until_alignment calculation above will cause both src and dst to be
++                            // aligned to usize after this add
+                             src.add(offset) as *const usize,
+                             dst.add(offset) as *mut usize,
+                         );
++                        // Safety: offset continues to be the number of bytes copied so far, and
++                        // maintains usize alignment for the next loop iteration
+                         offset += ALU_STRIDE_SIZE;
++                        // Safety: This is `offset > len - stride. This loop will continue as long as
++                        // `offset <= len - stride`, which means there are `stride` bytes to still be read.
+                         if offset > len_minus_stride {
+                             break;
+                         }
+                     }
+                 }
+                 break;
+             }
++            // Safety: This is the naïve code once again, for leftover bytes
+             while offset < len {
++                // Safety: len invariant used here
+                 let code_unit = *(src.add(offset));
+                 *(dst.add(offset)) = code_unit as $dst_unit;
+                 offset += 1;
+             }
+         }
+     };
+ }
+ 
+ #[allow(unused_macros)]
+ macro_rules! ascii_simd_check_align {
+     (
+         $name:ident,
+         $src_unit:ty,
+         $dst_unit:ty,
++        // Safety: This function must require aligned src/dest that are valid for reading/writing SIMD_STRIDE_SIZE src_unit/dst_unit
+         $stride_both_aligned:ident,
++        // Safety: This function must require aligned/unaligned src/dest that are valid for reading/writing SIMD_STRIDE_SIZE src_unit/dst_unit
+         $stride_src_aligned:ident,
++        // Safety: This function must require unaligned/aligned src/dest that are valid for reading/writing SIMD_STRIDE_SIZE src_unit/dst_unit
+         $stride_dst_aligned:ident,
++        // Safety: This function must require unaligned src/dest that are valid for reading/writing SIMD_STRIDE_SIZE src_unit/dst_unit
+         $stride_neither_aligned:ident
+     ) => {
++        /// Safety: src/dst must be valid for reads/writes of `len` elements of their units.
++        ///
++        /// Safety-usable invariant: will return Some() when it encounters non-ASCII, with the first element in the Some being
++        /// guaranteed to be non-ASCII (> 127), and the second being the offset where it is found
+         #[inline(always)]
+         pub unsafe fn $name(
+             src: *const $src_unit,
+             dst: *mut $dst_unit,
+             len: usize,
+         ) -> Option<($src_unit, usize)> {
+             let mut offset = 0usize;
++            // Safety: if this check succeeds we're valid for reading/writing at least `SIMD_STRIDE_SIZE` elements.
+             if SIMD_STRIDE_SIZE <= len {
+                 let len_minus_stride = len - SIMD_STRIDE_SIZE;
+                 // XXX Should we first process one stride unconditionally as unaligned to
+                 // avoid the cost of the branchiness below if the first stride fails anyway?
+                 // XXX Should we just use unaligned SSE2 access unconditionally? It seems that
+                 // on Haswell, it would make sense to just use unaligned and not bother
+                 // checking. Need to benchmark older architectures before deciding.
+                 let dst_masked = (dst as usize) & SIMD_ALIGNMENT_MASK;
++                // Safety: checking whether src is aligned
+                 if ((src as usize) & SIMD_ALIGNMENT_MASK) == 0 {
++                    // Safety: Checking whether dst is aligned
+                     if dst_masked == 0 {
+                         loop {
++                            // Safety: We're valid to read/write SIMD_STRIDE_SIZE elements and have the appropriate alignments
+                             if !$stride_both_aligned(src.add(offset), dst.add(offset)) {
+                                 break;
+                             }
+                             offset += SIMD_STRIDE_SIZE;
++                            // Safety: This is `offset > len - SIMD_STRIDE_SIZE` which means we always have at least `SIMD_STRIDE_SIZE` elements to munch next time.
+                             if offset > len_minus_stride {
+                                 break;
+                             }
+                         }
+                     } else {
+                         loop {
++                            // Safety: We're valid to read/write SIMD_STRIDE_SIZE elements and have the appropriate alignments
+                             if !$stride_src_aligned(src.add(offset), dst.add(offset)) {
+                                 break;
+                             }
+                             offset += SIMD_STRIDE_SIZE;
++                            // Safety: This is `offset > len - SIMD_STRIDE_SIZE` which means we always have at least `SIMD_STRIDE_SIZE` elements to munch next time.
+                             if offset > len_minus_stride {
+                                 break;
+                             }
+                         }
+                     }
+                 } else {
+                     if dst_masked == 0 {
+                         loop {
++                            // Safety: We're valid to read/write SIMD_STRIDE_SIZE elements and have the appropriate alignments
+                             if !$stride_dst_aligned(src.add(offset), dst.add(offset)) {
+                                 break;
+                             }
+                             offset += SIMD_STRIDE_SIZE;
++                            // Safety: This is `offset > len - SIMD_STRIDE_SIZE` which means we always have at least `SIMD_STRIDE_SIZE` elements to munch next time.
+                             if offset > len_minus_stride {
+                                 break;
+                             }
+                         }
+                     } else {
+                         loop {
++                            // Safety: We're valid to read/write SIMD_STRIDE_SIZE elements and have the appropriate alignments
+                             if !$stride_neither_aligned(src.add(offset), dst.add(offset)) {
+                                 break;
+                             }
+                             offset += SIMD_STRIDE_SIZE;
++                            // Safety: This is `offset > len - SIMD_STRIDE_SIZE` which means we always have at least `SIMD_STRIDE_SIZE` elements to munch next time.
+                             if offset > len_minus_stride {
+                                 break;
+                             }
+                         }
+                     }
+                 }
+             }
+             while offset < len {
++                // Safety: uses len invariant here and below
+                 let code_unit = *(src.add(offset));
+                 if code_unit > 127 {
++                    // Safety: upholds safety-usable invariant
+                     return Some((code_unit, offset));
+                 }
+                 *(dst.add(offset)) = code_unit as $dst_unit;
+                 offset += 1;
+             }
+             None
+         }
+     };
+ }
+ 
+ #[allow(unused_macros)]
+ macro_rules! ascii_simd_check_align_unrolled {
+     (
+         $name:ident,
+         $src_unit:ty,
+         $dst_unit:ty,
++        // Safety: This function must require aligned src/dest that are valid for reading/writing SIMD_STRIDE_SIZE src_unit/dst_unit
+         $stride_both_aligned:ident,
++        // Safety: This function must require aligned/unaligned src/dest that are valid for reading/writing SIMD_STRIDE_SIZE src_unit/dst_unit
+         $stride_src_aligned:ident,
++        // Safety: This function must require unaligned src/dest that are valid for reading/writing SIMD_STRIDE_SIZE src_unit/dst_unit
+         $stride_neither_aligned:ident,
++        // Safety: This function must require aligned src/dest that are valid for reading/writing 2*SIMD_STRIDE_SIZE src_unit/dst_unit
+         $double_stride_both_aligned:ident,
++        // Safety: This function must require aligned/unaligned src/dest that are valid for reading/writing 2*SIMD_STRIDE_SIZE src_unit/dst_unit
+         $double_stride_src_aligned:ident
+     ) => {
+-        #[inline(always)]
++        /// Safety: src/dst must be valid for reads/writes of `len` elements of their units.
++        ///
++        /// Safety-usable invariant: will return Some() when it encounters non-ASCII, with the first element in the Some being
++        /// guaranteed to be non-ASCII (> 127), and the second being the offset where it is found        #[inline(always)]
+         pub unsafe fn $name(
+             src: *const $src_unit,
+             dst: *mut $dst_unit,
+             len: usize,
+         ) -> Option<($src_unit, usize)> {
+             let unit_size = ::core::mem::size_of::<$src_unit>();
+             let mut offset = 0usize;
+             // This loop is only broken out of as a goto forward without
+             // actually looping
+             'outer: loop {
++                // Safety: if this check succeeds we're valid for reading/writing at least `SIMD_STRIDE_SIZE` elements.
+                 if SIMD_STRIDE_SIZE <= len {
+                     // First, process one unaligned
++                    // Safety: this is safe to call since we're valid for this read/write
+                     if !$stride_neither_aligned(src, dst) {
+                         break 'outer;
+                     }
+                     offset = SIMD_STRIDE_SIZE;
+ 
+                     // We have now seen 16 ASCII bytes. Let's guess that
+                     // there will be enough more to justify more expense
+                     // in the case of non-ASCII.
+                     // Use aligned reads for the sake of old microachitectures.
++                    //
++                    // Safety: this correctly calculates the number of src_units that need to be read before the remaining list is aligned.
++                    // This is less that SIMD_ALIGNMENT, which is also SIMD_STRIDE_SIZE (as documented)
+                     let until_alignment = ((SIMD_ALIGNMENT
+                         - ((src.add(offset) as usize) & SIMD_ALIGNMENT_MASK))
+                         & SIMD_ALIGNMENT_MASK)
+                         / unit_size;
+-                    // This addition won't overflow, because even in the 32-bit PAE case the
++                    // Safety: This addition won't overflow, because even in the 32-bit PAE case the
+                     // address space holds enough code that the slice length can't be that
+                     // close to address space size.
+                     // offset now equals SIMD_STRIDE_SIZE, hence times 3 below.
++                    //
++                    // Safety: if this check succeeds we're valid for reading/writing at least `2 * SIMD_STRIDE_SIZE` elements plus `until_alignment`.
++                    // The extra SIMD_STRIDE_SIZE in the condition is because `offset` is already `SIMD_STRIDE_SIZE`.
+                     if until_alignment + (SIMD_STRIDE_SIZE * 3) <= len {
+                         if until_alignment != 0 {
++                            // Safety: this is safe to call since we're valid for this read/write (and more), and don't care about alignment
++                            // This will copy over bytes that get decoded twice since it's not incrementing `offset` by SIMD_STRIDE_SIZE. This is fine.
+                             if !$stride_neither_aligned(src.add(offset), dst.add(offset)) {
+                                 break;
+                             }
+                             offset += until_alignment;
+                         }
++                        // Safety: At this point we're valid for reading/writing 2*SIMD_STRIDE_SIZE elements
++                        // Safety: Now `offset` is aligned for `src`
+                         let len_minus_stride_times_two = len - (SIMD_STRIDE_SIZE * 2);
++                        // Safety: This is whether dst is aligned
+                         let dst_masked = (dst.add(offset) as usize) & SIMD_ALIGNMENT_MASK;
+                         if dst_masked == 0 {
+                             loop {
++                                // Safety: both are aligned, we can call the aligned function. We're valid for reading/writing double stride from the initial condition
++                                // and the loop break condition below
+                                 if let Some(advance) =
+                                     $double_stride_both_aligned(src.add(offset), dst.add(offset))
+                                 {
+                                     offset += advance;
+                                     let code_unit = *(src.add(offset));
++                                    // Safety: uses safety-usable invariant on ascii_to_ascii_simd_double_stride to return
++                                    // guaranteed non-ascii
+                                     return Some((code_unit, offset));
+                                 }
+                                 offset += SIMD_STRIDE_SIZE * 2;
++                                // Safety: This is `offset > len - 2 * SIMD_STRIDE_SIZE` which means we always have at least `2 * SIMD_STRIDE_SIZE` elements to munch next time.
+                                 if offset > len_minus_stride_times_two {
+                                     break;
+                                 }
+                             }
++                            // Safety: We're valid for reading/writing one more, and can still assume alignment
+                             if offset + SIMD_STRIDE_SIZE <= len {
+                                 if !$stride_both_aligned(src.add(offset), dst.add(offset)) {
+                                     break 'outer;
+                                 }
+                                 offset += SIMD_STRIDE_SIZE;
+                             }
+                         } else {
+                             loop {
++                                // Safety: only src is aligned here. We're valid for reading/writing double stride from the initial condition
++                                // and the loop break condition below
+                                 if let Some(advance) =
+                                     $double_stride_src_aligned(src.add(offset), dst.add(offset))
+                                 {
+                                     offset += advance;
+                                     let code_unit = *(src.add(offset));
++                                    // Safety: uses safety-usable invariant on ascii_to_ascii_simd_double_stride to return
++                                    // guaranteed non-ascii
+                                     return Some((code_unit, offset));
+                                 }
+                                 offset += SIMD_STRIDE_SIZE * 2;
++                                // Safety: This is `offset > len - 2 * SIMD_STRIDE_SIZE` which means we always have at least `2 * SIMD_STRIDE_SIZE` elements to munch next time.
++
+                                 if offset > len_minus_stride_times_two {
+                                     break;
+                                 }
+                             }
++                            // Safety: We're valid for reading/writing one more, and can still assume alignment
+                             if offset + SIMD_STRIDE_SIZE <= len {
+                                 if !$stride_src_aligned(src.add(offset), dst.add(offset)) {
+                                     break 'outer;
+                                 }
+                                 offset += SIMD_STRIDE_SIZE;
+                             }
+                         }
+                     } else {
+                         // At most two iterations, so unroll
+                         if offset + SIMD_STRIDE_SIZE <= len {
++                            // Safety: The check above ensures we're allowed to read/write this, and we don't use alignment
+                             if !$stride_neither_aligned(src.add(offset), dst.add(offset)) {
+                                 break;
+                             }
+                             offset += SIMD_STRIDE_SIZE;
+                             if offset + SIMD_STRIDE_SIZE <= len {
++                                // Safety: The check above ensures we're allowed to read/write this, and we don't use alignment
+                                 if !$stride_neither_aligned(src.add(offset), dst.add(offset)) {
+                                     break;
+                                 }
+                                 offset += SIMD_STRIDE_SIZE;
+                             }
+                         }
+                     }
+                 }
+                 break 'outer;
+             }
+             while offset < len {
++                // Safety: relies straightforwardly on the `len` invariant
+                 let code_unit = *(src.add(offset));
+                 if code_unit > 127 {
++                    // Safety-usable invariant upheld here
+                     return Some((code_unit, offset));
+                 }
+                 *(dst.add(offset)) = code_unit as $dst_unit;
+                 offset += 1;
+             }
+             None
+         }
+     };
+ }
+ 
+ #[allow(unused_macros)]
+ macro_rules! latin1_simd_check_align {
+     (
+         $name:ident,
+         $src_unit:ty,
+         $dst_unit:ty,
++        // Safety: This function must require aligned src/dest that are valid for reading/writing SIMD_STRIDE_SIZE src_unit/dst_unit
+         $stride_both_aligned:ident,
++        // Safety: This function must require aligned/unaligned src/dest that are valid for reading/writing SIMD_STRIDE_SIZE src_unit/dst_unit
+         $stride_src_aligned:ident,
++        // Safety: This function must require unaligned/aligned src/dest that are valid for reading/writing SIMD_STRIDE_SIZE src_unit/dst_unit
+         $stride_dst_aligned:ident,
++        // Safety: This function must require unaligned src/dest that are valid for reading/writing SIMD_STRIDE_SIZE src_unit/dst_unit
+         $stride_neither_aligned:ident
++
+     ) => {
++        /// Safety: src/dst must be valid for reads/writes of `len` elements of their units.
+         #[inline(always)]
+         pub unsafe fn $name(src: *const $src_unit, dst: *mut $dst_unit, len: usize) {
+             let mut offset = 0usize;
++            // Safety: if this check succeeds we're valid for reading/writing at least `SIMD_STRIDE_SIZE` elements.
+             if SIMD_STRIDE_SIZE <= len {
+                 let len_minus_stride = len - SIMD_STRIDE_SIZE;
++                // Whether dst is aligned
+                 let dst_masked = (dst as usize) & SIMD_ALIGNMENT_MASK;
++                // Whether src is aligned
+                 if ((src as usize) & SIMD_ALIGNMENT_MASK) == 0 {
+                     if dst_masked == 0 {
+                         loop {
++                            // Safety: Both were aligned, we can use the aligned function
+                             $stride_both_aligned(src.add(offset), dst.add(offset));
+                             offset += SIMD_STRIDE_SIZE;
++                            // Safety: This is `offset > len - SIMD_STRIDE_SIZE`, which means in the next iteration we're valid for
++                            // reading/writing at least SIMD_STRIDE_SIZE elements.
+                             if offset > len_minus_stride {
+                                 break;
+                             }
+                         }
+                     } else {
+                         loop {
++                            // Safety: src was aligned, dst was not
+                             $stride_src_aligned(src.add(offset), dst.add(offset));
+                             offset += SIMD_STRIDE_SIZE;
++                            // Safety: This is `offset > len - SIMD_STRIDE_SIZE`, which means in the next iteration we're valid for
++                            // reading/writing at least SIMD_STRIDE_SIZE elements.
+                             if offset > len_minus_stride {
+                                 break;
+                             }
+                         }
+                     }
+                 } else {
+                     if dst_masked == 0 {
+                         loop {
++                            // Safety: src was aligned, dst was not
+                             $stride_dst_aligned(src.add(offset), dst.add(offset));
+                             offset += SIMD_STRIDE_SIZE;
++                            // Safety: This is `offset > len - SIMD_STRIDE_SIZE`, which means in the next iteration we're valid for
++                            // reading/writing at least SIMD_STRIDE_SIZE elements.
+                             if offset > len_minus_stride {
+                                 break;
+                             }
+                         }
+                     } else {
+                         loop {
++                            // Safety: Neither were aligned
+                             $stride_neither_aligned(src.add(offset), dst.add(offset));
+                             offset += SIMD_STRIDE_SIZE;
++                            // Safety: This is `offset > len - SIMD_STRIDE_SIZE`, which means in the next iteration we're valid for
++                            // reading/writing at least SIMD_STRIDE_SIZE elements.
+                             if offset > len_minus_stride {
+                                 break;
+                             }
+                         }
+                     }
+                 }
+             }
+             while offset < len {
++                // Safety: relies straightforwardly on the `len` invariant
+                 let code_unit = *(src.add(offset));
+                 *(dst.add(offset)) = code_unit as $dst_unit;
+                 offset += 1;
+             }
+         }
+     };
+ }
+ 
+ #[allow(unused_macros)]
+ macro_rules! latin1_simd_check_align_unrolled {
+     (
+         $name:ident,
+         $src_unit:ty,
+         $dst_unit:ty,
++        // Safety: This function must require aligned src/dest that are valid for reading/writing SIMD_STRIDE_SIZE src_unit/dst_unit
+         $stride_both_aligned:ident,
++        // Safety: This function must require aligned/unaligned src/dest that are valid for reading/writing SIMD_STRIDE_SIZE src_unit/dst_unit
+         $stride_src_aligned:ident,
++        // Safety: This function must require unaligned/aligned src/dest that are valid for reading/writing SIMD_STRIDE_SIZE src_unit/dst_unit
+         $stride_dst_aligned:ident,
++        // Safety: This function must require unaligned src/dest that are valid for reading/writing SIMD_STRIDE_SIZE src_unit/dst_unit
+         $stride_neither_aligned:ident
+     ) => {
++        /// Safety: src/dst must be valid for reads/writes of `len` elements of their units.
+         #[inline(always)]
+         pub unsafe fn $name(src: *const $src_unit, dst: *mut $dst_unit, len: usize) {
+             let unit_size = ::core::mem::size_of::<$src_unit>();
+             let mut offset = 0usize;
++            // Safety: if this check succeeds we're valid for reading/writing at least `SIMD_STRIDE_SIZE` elements.
+             if SIMD_STRIDE_SIZE <= len {
++                // Safety: this correctly calculates the number of src_units that need to be read before the remaining list is aligned.
++                // This is by definition less than SIMD_STRIDE_SIZE.
+                 let mut until_alignment = ((SIMD_STRIDE_SIZE
+                     - ((src as usize) & SIMD_ALIGNMENT_MASK))
+                     & SIMD_ALIGNMENT_MASK)
+                     / unit_size;
+                 while until_alignment != 0 {
++                    // Safety: This is a straightforward copy, since until_alignment is < SIMD_STRIDE_SIZE < len, this is in-bounds
+                     *(dst.add(offset)) = *(src.add(offset)) as $dst_unit;
+                     offset += 1;
+                     until_alignment -= 1;
+                 }
++                // Safety: here offset will be `until_alignment`, i.e. enough to align `src`.
+                 let len_minus_stride = len - SIMD_STRIDE_SIZE;
++                // Safety: if this check succeeds we're valid for reading/writing at least `2 * SIMD_STRIDE_SIZE` elements.
+                 if offset + SIMD_STRIDE_SIZE * 2 <= len {
+                     let len_minus_stride_times_two = len_minus_stride - SIMD_STRIDE_SIZE;
++                    // Safety: at this point src is known to be aligned at offset, dst is not.
+                     if (dst.add(offset) as usize) & SIMD_ALIGNMENT_MASK == 0 {
+                         loop {
++                            // Safety: We checked alignment of dst above, we can use the alignment functions. We're allowed to read/write 2*SIMD_STRIDE_SIZE elements, which we do.
+                             $stride_both_aligned(src.add(offset), dst.add(offset));
+                             offset += SIMD_STRIDE_SIZE;
+                             $stride_both_aligned(src.add(offset), dst.add(offset));
+                             offset += SIMD_STRIDE_SIZE;
++                            // Safety: This is `offset > len - 2 * SIMD_STRIDE_SIZE` which means we always have at least `2 * SIMD_STRIDE_SIZE` elements to munch next time.
+                             if offset > len_minus_stride_times_two {
+                                 break;
+                             }
+                         }
+                     } else {
+                         loop {
++                            // Safety: we ensured alignment of src already.
+                             $stride_src_aligned(src.add(offset), dst.add(offset));
+                             offset += SIMD_STRIDE_SIZE;
+                             $stride_src_aligned(src.add(offset), dst.add(offset));
+                             offset += SIMD_STRIDE_SIZE;
++                            // Safety: This is `offset > len - 2 * SIMD_STRIDE_SIZE` which means we always have at least `2 * SIMD_STRIDE_SIZE` elements to munch next time.
+                             if offset > len_minus_stride_times_two {
+                                 break;
+                             }
+                         }
+                     }
+                 }
++                // Safety: This is `offset > len - SIMD_STRIDE_SIZE` which means we are valid to munch SIMD_STRIDE_SIZE more elements, which we do
+                 if offset < len_minus_stride {
+                     $stride_src_aligned(src.add(offset), dst.add(offset));
+                     offset += SIMD_STRIDE_SIZE;
+                 }
+             }
+             while offset < len {
++                // Safety: uses len invariant here and below
+                 let code_unit = *(src.add(offset));
+                 // On x86_64, this loop autovectorizes but in the pack
+                 // case there are instructions whose purpose is to make sure
+                 // each u16 in the vector is truncated before packing. However,
+                 // since we don't care about saturating behavior of SSE2 packing
+                 // when the input isn't Latin1, those instructions are useless.
+                 // Unfortunately, using the `assume` intrinsic to lie to the
+                 // optimizer doesn't make LLVM omit the trunctation that we
+@@ -688,138 +869,180 @@ macro_rules! latin1_simd_check_align_unr
+                 offset += 1;
+             }
+         }
+     };
+ }
+ 
+ #[allow(unused_macros)]
+ macro_rules! ascii_simd_unalign {
++    // Safety: stride_neither_aligned must be a function that requires src/dest be valid for unaligned reads/writes for SIMD_STRIDE_SIZE elements of type src_unit/dest_unit
+     ($name:ident, $src_unit:ty, $dst_unit:ty, $stride_neither_aligned:ident) => {
++        /// Safety: src and dst must be valid for reads/writes of len elements of type src_unit/dst_unit
++        ///
++        /// Safety-usable invariant: will return Some() when it encounters non-ASCII, with the first element in the Some being
++        /// guaranteed to be non-ASCII (> 127), and the second being the offset where it is found
+         #[inline(always)]
+         pub unsafe fn $name(
+             src: *const $src_unit,
+             dst: *mut $dst_unit,
+             len: usize,
+         ) -> Option<($src_unit, usize)> {
+             let mut offset = 0usize;
++            // Safety: if this check succeeds we're valid for reading/writing at least `stride` elements.
+             if SIMD_STRIDE_SIZE <= len {
+                 let len_minus_stride = len - SIMD_STRIDE_SIZE;
+                 loop {
++                    // Safety: We know we're valid for `stride` reads/writes, so we can call this function. We don't need alignment.
+                     if !$stride_neither_aligned(src.add(offset), dst.add(offset)) {
+                         break;
+                     }
+                     offset += SIMD_STRIDE_SIZE;
++                    // This is `offset > len - stride` which means we always have at least `stride` elements to munch next time.
+                     if offset > len_minus_stride {
+                         break;
+                     }
+                 }
+             }
+             while offset < len {
++                // Safety: Uses len invariant here and below
+                 let code_unit = *(src.add(offset));
+                 if code_unit > 127 {
++                    // Safety-usable invariant upheld here
+                     return Some((code_unit, offset));
+                 }
+                 *(dst.add(offset)) = code_unit as $dst_unit;
+                 offset += 1;
+             }
+             None
+         }
+     };
+ }
+ 
+ #[allow(unused_macros)]
+ macro_rules! latin1_simd_unalign {
++    // Safety: stride_neither_aligned must be a function that requires src/dest be valid for unaligned reads/writes for SIMD_STRIDE_SIZE elements of type src_unit/dest_unit
+     ($name:ident, $src_unit:ty, $dst_unit:ty, $stride_neither_aligned:ident) => {
++        /// Safety: src and dst must be valid for unaligned reads/writes of len elements of type src_unit/dst_unit
+         #[inline(always)]
+         pub unsafe fn $name(src: *const $src_unit, dst: *mut $dst_unit, len: usize) {
+             let mut offset = 0usize;
++            // Safety: if this check succeeds we're valid for reading/writing at least `stride` elements.
+             if SIMD_STRIDE_SIZE <= len {
+                 let len_minus_stride = len - SIMD_STRIDE_SIZE;
+                 loop {
++                    // Safety: We know we're valid for `stride` reads/writes, so we can call this function. We don't need alignment.
+                     $stride_neither_aligned(src.add(offset), dst.add(offset));
+                     offset += SIMD_STRIDE_SIZE;
++                    // This is `offset > len - stride` which means we always have at least `stride` elements to munch next time.
+                     if offset > len_minus_stride {
+                         break;
+                     }
+                 }
+             }
+             while offset < len {
++                // Safety: Uses len invariant here
+                 let code_unit = *(src.add(offset));
+                 *(dst.add(offset)) = code_unit as $dst_unit;
+                 offset += 1;
+             }
+         }
+     };
+ }
+ 
+ #[allow(unused_macros)]
+ macro_rules! ascii_to_ascii_simd_stride {
++    // Safety: load/store must be valid for 16 bytes of read/write, which may be unaligned. (candidates: `(load|store)(16|8)_(unaligned|aligned)` functions)
+     ($name:ident, $load:ident, $store:ident) => {
++        /// Safety: src and dst must be valid for 16 bytes of read/write according to
++        /// the $load/$store fn, which may allow for unaligned reads/writes or require
++        /// alignment to either 16x8 or u8x16.
+         #[inline(always)]
+         pub unsafe fn $name(src: *const u8, dst: *mut u8) -> bool {
+             let simd = $load(src);
+             if !simd_is_ascii(simd) {
+                 return false;
+             }
+             $store(dst, simd);
+             true
+         }
+     };
+ }
+ 
+ #[allow(unused_macros)]
+ macro_rules! ascii_to_ascii_simd_double_stride {
++    // Safety: store must be valid for 32 bytes of write, which may be unaligned (candidates: `store(8|16)_(aligned|unaligned)`)
+     ($name:ident, $store:ident) => {
++        /// Safety: src must be valid for 32 bytes of aligned u8x16 read
++        /// dst must be valid for 32 bytes of unaligned write according to
++        /// the $store fn, which may allow for unaligned writes or require
++        /// alignment to either 16x8 or u8x16.
++        ///
++        /// Safety-usable invariant: Returns Some(index) if the element at `index` is invalid ASCII
+         #[inline(always)]
+         pub unsafe fn $name(src: *const u8, dst: *mut u8) -> Option<usize> {
+             let first = load16_aligned(src);
+             let second = load16_aligned(src.add(SIMD_STRIDE_SIZE));
+             $store(dst, first);
+             if unlikely(!simd_is_ascii(first | second)) {
++                // Safety: mask_ascii produces a mask of all the high bits.
+                 let mask_first = mask_ascii(first);
+                 if mask_first != 0 {
++                    // Safety: on little endian systems this will be the number of ascii bytes
++                    // before the first non-ascii, i.e. valid for indexing src
++                    // TODO SAFETY: What about big-endian systems?
+                     return Some(mask_first.trailing_zeros() as usize);
+                 }
+                 $store(dst.add(SIMD_STRIDE_SIZE), second);
+                 let mask_second = mask_ascii(second);
++                // Safety: on little endian systems this will be the number of ascii bytes
++                // before the first non-ascii, i.e. valid for indexing src
+                 return Some(SIMD_STRIDE_SIZE + mask_second.trailing_zeros() as usize);
+             }
+             $store(dst.add(SIMD_STRIDE_SIZE), second);
+             None
+         }
+     };
+ }
+ 
+ #[allow(unused_macros)]
+ macro_rules! ascii_to_basic_latin_simd_stride {
++    // Safety: load/store must be valid for 16 bytes of read/write, which may be unaligned. (candidates: `(load|store)(16|8)_(unaligned|aligned)` functions)
+     ($name:ident, $load:ident, $store:ident) => {
++        /// Safety: src and dst must be valid for 16/32 bytes of read/write according to
++        /// the $load/$store fn, which may allow for unaligned reads/writes or require
++        /// alignment to either 16x8 or u8x16.
+         #[inline(always)]
+         pub unsafe fn $name(src: *const u8, dst: *mut u16) -> bool {
+             let simd = $load(src);
+             if !simd_is_ascii(simd) {
+                 return false;
+             }
+             let (first, second) = simd_unpack(simd);
+             $store(dst, first);
+             $store(dst.add(8), second);
+             true
+         }
+     };
+ }
+ 
+ #[allow(unused_macros)]
+ macro_rules! ascii_to_basic_latin_simd_double_stride {
++    // Safety: store must be valid for 16 bytes of write, which may be unaligned
+     ($name:ident, $store:ident) => {
++        /// Safety: src must be valid for 2*SIMD_STRIDE_SIZE bytes of aligned reads,
++        /// aligned to either 16x8 or u8x16.
++        /// dst must be valid for 2*SIMD_STRIDE_SIZE bytes of aligned or unaligned reads
+         #[inline(always)]
+         pub unsafe fn $name(src: *const u8, dst: *mut u16) -> Option<usize> {
+             let first = load16_aligned(src);
+             let second = load16_aligned(src.add(SIMD_STRIDE_SIZE));
+             let (a, b) = simd_unpack(first);
+             $store(dst, a);
++            // Safety: divide by 2 since it's a u16 pointer
+             $store(dst.add(SIMD_STRIDE_SIZE / 2), b);
+             if unlikely(!simd_is_ascii(first | second)) {
+                 let mask_first = mask_ascii(first);
+                 if mask_first != 0 {
+                     return Some(mask_first.trailing_zeros() as usize);
+                 }
+                 let (c, d) = simd_unpack(second);
+                 $store(dst.add(SIMD_STRIDE_SIZE), c);
+@@ -832,47 +1055,59 @@ macro_rules! ascii_to_basic_latin_simd_d
+             $store(dst.add(SIMD_STRIDE_SIZE + (SIMD_STRIDE_SIZE / 2)), d);
+             None
+         }
+     };
+ }
+ 
+ #[allow(unused_macros)]
+ macro_rules! unpack_simd_stride {
++    // Safety: load/store must be valid for 16 bytes of read/write, which may be unaligned. (candidates: `(load|store)(16|8)_(unaligned|aligned)` functions)
+     ($name:ident, $load:ident, $store:ident) => {
++        /// Safety: src and dst must be valid for 16 bytes of read/write according to
++        /// the $load/$store fn, which may allow for unaligned reads/writes or require
++        /// alignment to either 16x8 or u8x16.
+         #[inline(always)]
+         pub unsafe fn $name(src: *const u8, dst: *mut u16) {
+             let simd = $load(src);
+             let (first, second) = simd_unpack(simd);
+             $store(dst, first);
+             $store(dst.add(8), second);
+         }
+     };
+ }
+ 
+ #[allow(unused_macros)]
+ macro_rules! basic_latin_to_ascii_simd_stride {
++    // Safety: load/store must be valid for 16 bytes of read/write, which may be unaligned. (candidates: `(load|store)(16|8)_(unaligned|aligned)` functions)
+     ($name:ident, $load:ident, $store:ident) => {
++        /// Safety: src and dst must be valid for 32/16 bytes of read/write according to
++        /// the $load/$store fn, which may allow for unaligned reads/writes or require
++        /// alignment to either 16x8 or u8x16.
+         #[inline(always)]
+         pub unsafe fn $name(src: *const u16, dst: *mut u8) -> bool {
+             let first = $load(src);
+             let second = $load(src.add(8));
+             if simd_is_basic_latin(first | second) {
+                 $store(dst, simd_pack(first, second));
+                 true
+             } else {
+                 false
+             }
+         }
+     };
+ }
+ 
+ #[allow(unused_macros)]
+ macro_rules! pack_simd_stride {
++    // Safety: load/store must be valid for 16 bytes of read/write, which may be unaligned. (candidates: `(load|store)(16|8)_(unaligned|aligned)` functions)
+     ($name:ident, $load:ident, $store:ident) => {
++        /// Safety: src and dst must be valid for 32/16 bytes of read/write according to
++        /// the $load/$store fn, which may allow for unaligned reads/writes or require
++        /// alignment to either 16x8 or u8x16.
+         #[inline(always)]
+         pub unsafe fn $name(src: *const u16, dst: *mut u8) {
+             let first = $load(src);
+             let second = $load(src.add(8));
+             $store(dst, simd_pack(first, second));
+         }
+     };
+ }
+@@ -888,24 +1123,28 @@ cfg_if! {
+ //        pub const ALIGNMENT: usize = 8;
+ 
+         pub const ALU_STRIDE_SIZE: usize = 16;
+ 
+         pub const ALU_ALIGNMENT: usize = 8;
+ 
+         pub const ALU_ALIGNMENT_MASK: usize = 7;
+ 
++        // Safety for stride macros: We stick to the load8_aligned/etc family of functions. We consistently produce
++        // neither_unaligned variants using only unaligned inputs.
+         ascii_to_ascii_simd_stride!(ascii_to_ascii_stride_neither_aligned, load16_unaligned, store16_unaligned);
+ 
+         ascii_to_basic_latin_simd_stride!(ascii_to_basic_latin_stride_neither_aligned, load16_unaligned, store8_unaligned);
+         unpack_simd_stride!(unpack_stride_neither_aligned, load16_unaligned, store8_unaligned);
+ 
+         basic_latin_to_ascii_simd_stride!(basic_latin_to_ascii_stride_neither_aligned, load8_unaligned, store16_unaligned);
+         pack_simd_stride!(pack_stride_neither_aligned, load8_unaligned, store16_unaligned);
+ 
++        // Safety for conversion macros: We use the unalign macro with unalign functions above. All stride functions were produced
++        // by stride macros that universally munch a single SIMD_STRIDE_SIZE worth of elements.
+         ascii_simd_unalign!(ascii_to_ascii, u8, u8, ascii_to_ascii_stride_neither_aligned);
+         ascii_simd_unalign!(ascii_to_basic_latin, u8, u16, ascii_to_basic_latin_stride_neither_aligned);
+         ascii_simd_unalign!(basic_latin_to_ascii, u16, u8, basic_latin_to_ascii_stride_neither_aligned);
+         latin1_simd_unalign!(unpack_latin1, u8, u16, unpack_stride_neither_aligned);
+         latin1_simd_unalign!(pack_latin1, u16, u8, pack_stride_neither_aligned);
+     } else if #[cfg(all(feature = "simd-accel", target_endian = "little", target_feature = "neon"))] {
+         // SIMD with different instructions for aligned and unaligned loads and stores.
+         //
+@@ -914,16 +1153,19 @@ cfg_if! {
+         // but the benchmark results I see don't agree.
+ 
+         pub const SIMD_STRIDE_SIZE: usize = 16;
+ 
+         pub const MAX_STRIDE_SIZE: usize = 16;
+ 
+         pub const SIMD_ALIGNMENT_MASK: usize = 15;
+ 
++        // Safety for stride macros: We stick to the load8_aligned/etc family of functions. We consistently name
++        // aligned/unaligned functions according to src/dst being aligned/unaligned
++
+         ascii_to_ascii_simd_stride!(ascii_to_ascii_stride_both_aligned, load16_aligned, store16_aligned);
+         ascii_to_ascii_simd_stride!(ascii_to_ascii_stride_src_aligned, load16_aligned, store16_unaligned);
+         ascii_to_ascii_simd_stride!(ascii_to_ascii_stride_dst_aligned, load16_unaligned, store16_aligned);
+         ascii_to_ascii_simd_stride!(ascii_to_ascii_stride_neither_aligned, load16_unaligned, store16_unaligned);
+ 
+         ascii_to_basic_latin_simd_stride!(ascii_to_basic_latin_stride_both_aligned, load16_aligned, store8_aligned);
+         ascii_to_basic_latin_simd_stride!(ascii_to_basic_latin_stride_src_aligned, load16_aligned, store8_unaligned);
+         ascii_to_basic_latin_simd_stride!(ascii_to_basic_latin_stride_dst_aligned, load16_unaligned, store8_aligned);
+@@ -939,36 +1181,43 @@ cfg_if! {
+         basic_latin_to_ascii_simd_stride!(basic_latin_to_ascii_stride_dst_aligned, load8_unaligned, store16_aligned);
+         basic_latin_to_ascii_simd_stride!(basic_latin_to_ascii_stride_neither_aligned, load8_unaligned, store16_unaligned);
+ 
+         pack_simd_stride!(pack_stride_both_aligned, load8_aligned, store16_aligned);
+         pack_simd_stride!(pack_stride_src_aligned, load8_aligned, store16_unaligned);
+         pack_simd_stride!(pack_stride_dst_aligned, load8_unaligned, store16_aligned);
+         pack_simd_stride!(pack_stride_neither_aligned, load8_unaligned, store16_unaligned);
+ 
++        // Safety for conversion macros: We use the correct pattern of both/src/dst/neither here. All stride functions were produced
++        // by stride macros that universally munch a single SIMD_STRIDE_SIZE worth of elements.
++
+         ascii_simd_check_align!(ascii_to_ascii, u8, u8, ascii_to_ascii_stride_both_aligned, ascii_to_ascii_stride_src_aligned, ascii_to_ascii_stride_dst_aligned, 
ascii_to_ascii_stride_neither_aligned);
+         ascii_simd_check_align!(ascii_to_basic_latin, u8, u16, ascii_to_basic_latin_stride_both_aligned, ascii_to_basic_latin_stride_src_aligned, ascii_to_basic_latin_stride_dst_aligned, 
ascii_to_basic_latin_stride_neither_aligned);
+         ascii_simd_check_align!(basic_latin_to_ascii, u16, u8, basic_latin_to_ascii_stride_both_aligned, basic_latin_to_ascii_stride_src_aligned, basic_latin_to_ascii_stride_dst_aligned, 
basic_latin_to_ascii_stride_neither_aligned);
+         latin1_simd_check_align!(unpack_latin1, u8, u16, unpack_stride_both_aligned, unpack_stride_src_aligned, unpack_stride_dst_aligned, unpack_stride_neither_aligned);
+         latin1_simd_check_align!(pack_latin1, u16, u8, pack_stride_both_aligned, pack_stride_src_aligned, pack_stride_dst_aligned, pack_stride_neither_aligned);
+     } else if #[cfg(all(feature = "simd-accel", target_feature = "sse2"))] {
+         // SIMD with different instructions for aligned and unaligned loads and stores.
+         //
+         // Newer microarchitectures are not supposed to have a performance difference between
+         // aligned and unaligned SSE2 loads and stores when the address is actually aligned,
+         // but the benchmark results I see don't agree.
+ 
+         pub const SIMD_STRIDE_SIZE: usize = 16;
+ 
++        /// Safety-usable invariant: This should be identical to SIMD_STRIDE_SIZE (used by ascii_simd_check_align_unrolled)
+         pub const SIMD_ALIGNMENT: usize = 16;
+ 
+         pub const MAX_STRIDE_SIZE: usize = 16;
+ 
+         pub const SIMD_ALIGNMENT_MASK: usize = 15;
+ 
++        // Safety for stride macros: We stick to the load8_aligned/etc family of functions. We consistently name
++        // aligned/unaligned functions according to src/dst being aligned/unaligned
++
+         ascii_to_ascii_simd_double_stride!(ascii_to_ascii_simd_double_stride_both_aligned, store16_aligned);
+         ascii_to_ascii_simd_double_stride!(ascii_to_ascii_simd_double_stride_src_aligned, store16_unaligned);
+ 
+         ascii_to_basic_latin_simd_double_stride!(ascii_to_basic_latin_simd_double_stride_both_aligned, store8_aligned);
+         ascii_to_basic_latin_simd_double_stride!(ascii_to_basic_latin_simd_double_stride_src_aligned, store8_unaligned);
+ 
+         ascii_to_ascii_simd_stride!(ascii_to_ascii_stride_both_aligned, load16_aligned, store16_aligned);
+         ascii_to_ascii_simd_stride!(ascii_to_ascii_stride_src_aligned, load16_aligned, store16_unaligned);
+@@ -984,33 +1233,43 @@ cfg_if! {
+         basic_latin_to_ascii_simd_stride!(basic_latin_to_ascii_stride_both_aligned, load8_aligned, store16_aligned);
+         basic_latin_to_ascii_simd_stride!(basic_latin_to_ascii_stride_src_aligned, load8_aligned, store16_unaligned);
+         basic_latin_to_ascii_simd_stride!(basic_latin_to_ascii_stride_dst_aligned, load8_unaligned, store16_aligned);
+         basic_latin_to_ascii_simd_stride!(basic_latin_to_ascii_stride_neither_aligned, load8_unaligned, store16_unaligned);
+ 
+         pack_simd_stride!(pack_stride_both_aligned, load8_aligned, store16_aligned);
+         pack_simd_stride!(pack_stride_src_aligned, load8_aligned, store16_unaligned);
+ 
++        // Safety for conversion macros: We use the correct pattern of both/src/dst/neither/double_both/double_src here. All stride functions were produced
++        // by stride macros that universally munch a single SIMD_STRIDE_SIZE worth of elements.
++
+         ascii_simd_check_align_unrolled!(ascii_to_ascii, u8, u8, ascii_to_ascii_stride_both_aligned, ascii_to_ascii_stride_src_aligned, ascii_to_ascii_stride_neither_aligned, 
ascii_to_ascii_simd_double_stride_both_aligned, ascii_to_ascii_simd_double_stride_src_aligned);
+         ascii_simd_check_align_unrolled!(ascii_to_basic_latin, u8, u16, ascii_to_basic_latin_stride_both_aligned, ascii_to_basic_latin_stride_src_aligned, 
ascii_to_basic_latin_stride_neither_aligned, ascii_to_basic_latin_simd_double_stride_both_aligned, ascii_to_basic_latin_simd_double_stride_src_aligned);
+ 
+         ascii_simd_check_align!(basic_latin_to_ascii, u16, u8, basic_latin_to_ascii_stride_both_aligned, basic_latin_to_ascii_stride_src_aligned, basic_latin_to_ascii_stride_dst_aligned, 
basic_latin_to_ascii_stride_neither_aligned);
+         latin1_simd_check_align_unrolled!(unpack_latin1, u8, u16, unpack_stride_both_aligned, unpack_stride_src_aligned, unpack_stride_dst_aligned, unpack_stride_neither_aligned);
+         latin1_simd_check_align_unrolled!(pack_latin1, u16, u8, pack_stride_both_aligned, pack_stride_src_aligned, pack_stride_dst_aligned, pack_stride_neither_aligned);
+     } else if #[cfg(all(target_endian = "little", target_pointer_width = "64"))] {
+         // Aligned ALU word, little-endian, 64-bit
+ 
++        /// Safety invariant: this is the amount of bytes consumed by
++        /// unpack_alu. This will be twice the pointer width, as it consumes two usizes.
++        /// This is also the number of bytes produced by pack_alu.
++        /// This is also the number of u16 code units produced/consumed by unpack_alu/pack_alu respectively.
+         pub const ALU_STRIDE_SIZE: usize = 16;
+ 
+         pub const MAX_STRIDE_SIZE: usize = 16;
+ 
++        // Safety invariant: this is the pointer width in bytes
+         pub const ALU_ALIGNMENT: usize = 8;
+ 
++        // Safety invariant: this is a mask for getting the bits of a pointer not aligned to ALU_ALIGNMENT
+         pub const ALU_ALIGNMENT_MASK: usize = 7;
+ 
++        /// Safety: dst must point to valid space for writing four `usize`s
+         #[inline(always)]
+         unsafe fn unpack_alu(word: usize, second_word: usize, dst: *mut usize) {
+             let first = ((0x0000_0000_FF00_0000usize & word) << 24) |
+                         ((0x0000_0000_00FF_0000usize & word) << 16) |
+                         ((0x0000_0000_0000_FF00usize & word) << 8) |
+                         (0x0000_0000_0000_00FFusize & word);
+             let second = ((0xFF00_0000_0000_0000usize & word) >> 8) |
+                          ((0x00FF_0000_0000_0000usize & word) >> 16) |
+@@ -1019,22 +1278,24 @@ cfg_if! {
+             let third = ((0x0000_0000_FF00_0000usize & second_word) << 24) |
+                         ((0x0000_0000_00FF_0000usize & second_word) << 16) |
+                         ((0x0000_0000_0000_FF00usize & second_word) << 8) |
+                         (0x0000_0000_0000_00FFusize & second_word);
+             let fourth = ((0xFF00_0000_0000_0000usize & second_word) >> 8) |
+                          ((0x00FF_0000_0000_0000usize & second_word) >> 16) |
+                          ((0x0000_FF00_0000_0000usize & second_word) >> 24) |
+                          ((0x0000_00FF_0000_0000usize & second_word) >> 32);
++            // Safety: fn invariant used here
+             *dst = first;
+             *(dst.add(1)) = second;
+             *(dst.add(2)) = third;
+             *(dst.add(3)) = fourth;
+         }
+ 
++        /// Safety: dst must point to valid space for writing two `usize`s
+         #[inline(always)]
+         unsafe fn pack_alu(first: usize, second: usize, third: usize, fourth: usize, dst: *mut usize) {
+             let word = ((0x00FF_0000_0000_0000usize & second) << 8) |
+                        ((0x0000_00FF_0000_0000usize & second) << 16) |
+                        ((0x0000_0000_00FF_0000usize & second) << 24) |
+                        ((0x0000_0000_0000_00FFusize & second) << 32) |
+                        ((0x00FF_0000_0000_0000usize & first) >> 24) |
+                        ((0x0000_00FF_0000_0000usize & first) >> 16) |
+@@ -1043,70 +1304,88 @@ cfg_if! {
+             let second_word = ((0x00FF_0000_0000_0000usize & fourth) << 8) |
+                               ((0x0000_00FF_0000_0000usize & fourth) << 16) |
+                               ((0x0000_0000_00FF_0000usize & fourth) << 24) |
+                               ((0x0000_0000_0000_00FFusize & fourth) << 32) |
+                               ((0x00FF_0000_0000_0000usize & third) >> 24) |
+                               ((0x0000_00FF_0000_0000usize & third) >> 16) |
+                               ((0x0000_0000_00FF_0000usize & third) >> 8) |
+                               (0x0000_0000_0000_00FFusize & third);
++            // Safety: fn invariant used here
+             *dst = word;
+             *(dst.add(1)) = second_word;
+         }
+     } else if #[cfg(all(target_endian = "little", target_pointer_width = "32"))] {
+         // Aligned ALU word, little-endian, 32-bit
+ 
++        /// Safety invariant: this is the amount of bytes consumed by
++        /// unpack_alu. This will be twice the pointer width, as it consumes two usizes.
++        /// This is also the number of bytes produced by pack_alu.
++        /// This is also the number of u16 code units produced/consumed by unpack_alu/pack_alu respectively.
+         pub const ALU_STRIDE_SIZE: usize = 8;
+ 
+         pub const MAX_STRIDE_SIZE: usize = 8;
+ 
++        // Safety invariant: this is the pointer width in bytes
+         pub const ALU_ALIGNMENT: usize = 4;
+ 
++        // Safety invariant: this is a mask for getting the bits of a pointer not aligned to ALU_ALIGNMENT
+         pub const ALU_ALIGNMENT_MASK: usize = 3;
+ 
++        /// Safety: dst must point to valid space for writing four `usize`s
+         #[inline(always)]
+         unsafe fn unpack_alu(word: usize, second_word: usize, dst: *mut usize) {
+             let first = ((0x0000_FF00usize & word) << 8) |
+                         (0x0000_00FFusize & word);
+             let second = ((0xFF00_0000usize & word) >> 8) |
+                          ((0x00FF_0000usize & word) >> 16);
+             let third = ((0x0000_FF00usize & second_word) << 8) |
+                         (0x0000_00FFusize & second_word);
+             let fourth = ((0xFF00_0000usize & second_word) >> 8) |
+                          ((0x00FF_0000usize & second_word) >> 16);
++            // Safety: fn invariant used here
+             *dst = first;
+             *(dst.add(1)) = second;
+             *(dst.add(2)) = third;
+             *(dst.add(3)) = fourth;
+         }
+ 
++        /// Safety: dst must point to valid space for writing two `usize`s
+         #[inline(always)]
+         unsafe fn pack_alu(first: usize, second: usize, third: usize, fourth: usize, dst: *mut usize) {
+             let word = ((0x00FF_0000usize & second) << 8) |
+                        ((0x0000_00FFusize & second) << 16) |
+                        ((0x00FF_0000usize & first) >> 8) |
+                        (0x0000_00FFusize & first);
+             let second_word = ((0x00FF_0000usize & fourth) << 8) |
+                               ((0x0000_00FFusize & fourth) << 16) |
+                               ((0x00FF_0000usize & third) >> 8) |
+                               (0x0000_00FFusize & third);
++            // Safety: fn invariant used here
+             *dst = word;
+             *(dst.add(1)) = second_word;
+         }
+     } else if #[cfg(all(target_endian = "big", target_pointer_width = "64"))] {
+         // Aligned ALU word, big-endian, 64-bit
+ 
++        /// Safety invariant: this is the amount of bytes consumed by
++        /// unpack_alu. This will be twice the pointer width, as it consumes two usizes.
++        /// This is also the number of bytes produced by pack_alu.
++        /// This is also the number of u16 code units produced/consumed by unpack_alu/pack_alu respectively.
+         pub const ALU_STRIDE_SIZE: usize = 16;
+ 
+         pub const MAX_STRIDE_SIZE: usize = 16;
+ 
++        // Safety invariant: this is the pointer width in bytes
+         pub const ALU_ALIGNMENT: usize = 8;
+ 
++        // Safety invariant: this is a mask for getting the bits of a pointer not aligned to ALU_ALIGNMENT
+         pub const ALU_ALIGNMENT_MASK: usize = 7;
+ 
++        /// Safety: dst must point to valid space for writing four `usize`s
+         #[inline(always)]
+         unsafe fn unpack_alu(word: usize, second_word: usize, dst: *mut usize) {
+             let first = ((0xFF00_0000_0000_0000usize & word) >> 8) |
+                          ((0x00FF_0000_0000_0000usize & word) >> 16) |
+                          ((0x0000_FF00_0000_0000usize & word) >> 24) |
+                          ((0x0000_00FF_0000_0000usize & word) >> 32);
+             let second = ((0x0000_0000_FF00_0000usize & word) << 24) |
+                         ((0x0000_0000_00FF_0000usize & word) << 16) |
+@@ -1115,22 +1394,24 @@ cfg_if! {
+             let third = ((0xFF00_0000_0000_0000usize & second_word) >> 8) |
+                          ((0x00FF_0000_0000_0000usize & second_word) >> 16) |
+                          ((0x0000_FF00_0000_0000usize & second_word) >> 24) |
+                          ((0x0000_00FF_0000_0000usize & second_word) >> 32);
+             let fourth = ((0x0000_0000_FF00_0000usize & second_word) << 24) |
+                         ((0x0000_0000_00FF_0000usize & second_word) << 16) |
+                         ((0x0000_0000_0000_FF00usize & second_word) << 8) |
+                         (0x0000_0000_0000_00FFusize & second_word);
++            // Safety: fn invariant used here
+             *dst = first;
+             *(dst.add(1)) = second;
+             *(dst.add(2)) = third;
+             *(dst.add(3)) = fourth;
+         }
+ 
++        /// Safety: dst must point to valid space for writing two `usize`s
+         #[inline(always)]
+         unsafe fn pack_alu(first: usize, second: usize, third: usize, fourth: usize, dst: *mut usize) {
+             let word = ((0x00FF0000_00000000usize & first) << 8) |
+                        ((0x000000FF_00000000usize & first) << 16) |
+                        ((0x00000000_00FF0000usize & first) << 24) |
+                        ((0x00000000_000000FFusize & first) << 32) |
+                        ((0x00FF0000_00000000usize & second) >> 24) |
+                        ((0x000000FF_00000000usize & second) >> 16) |
+@@ -1139,67 +1420,80 @@ cfg_if! {
+             let second_word = ((0x00FF0000_00000000usize & third) << 8) |
+                               ((0x000000FF_00000000usize & third) << 16) |
+                               ((0x00000000_00FF0000usize & third) << 24) |
+                               ((0x00000000_000000FFusize & third) << 32) |
+                               ((0x00FF0000_00000000usize & fourth) >> 24) |
+                               ((0x000000FF_00000000usize & fourth) >> 16) |
+                               ((0x00000000_00FF0000usize & fourth) >> 8) |
+                               (0x00000000_000000FFusize &  fourth);
++            // Safety: fn invariant used here
+             *dst = word;
+             *(dst.add(1)) = second_word;
+         }
+     } else if #[cfg(all(target_endian = "big", target_pointer_width = "32"))] {
+         // Aligned ALU word, big-endian, 32-bit
+ 
++        /// Safety invariant: this is the amount of bytes consumed by
++        /// unpack_alu. This will be twice the pointer width, as it consumes two usizes.
++        /// This is also the number of bytes produced by pack_alu.
++        /// This is also the number of u16 code units produced/consumed by unpack_alu/pack_alu respectively.
+         pub const ALU_STRIDE_SIZE: usize = 8;
+ 
+         pub const MAX_STRIDE_SIZE: usize = 8;
+ 
++        // Safety invariant: this is the pointer width in bytes
+         pub const ALU_ALIGNMENT: usize = 4;
+ 
++        // Safety invariant: this is a mask for getting the bits of a pointer not aligned to ALU_ALIGNMENT
+         pub const ALU_ALIGNMENT_MASK: usize = 3;
+ 
++        /// Safety: dst must point to valid space for writing four `usize`s
+         #[inline(always)]
+         unsafe fn unpack_alu(word: usize, second_word: usize, dst: *mut usize) {
+             let first = ((0xFF00_0000usize & word) >> 8) |
+                          ((0x00FF_0000usize & word) >> 16);
+             let second = ((0x0000_FF00usize & word) << 8) |
+                         (0x0000_00FFusize & word);
+             let third = ((0xFF00_0000usize & second_word) >> 8) |
+                          ((0x00FF_0000usize & second_word) >> 16);
+             let fourth = ((0x0000_FF00usize & second_word) << 8) |
+                         (0x0000_00FFusize & second_word);
++            // Safety: fn invariant used here
+             *dst = first;
+             *(dst.add(1)) = second;
+             *(dst.add(2)) = third;
+             *(dst.add(3)) = fourth;
+         }
+ 
++        /// Safety: dst must point to valid space for writing two `usize`s
+         #[inline(always)]
+         unsafe fn pack_alu(first: usize, second: usize, third: usize, fourth: usize, dst: *mut usize) {
+             let word = ((0x00FF_0000usize & first) << 8) |
+                        ((0x0000_00FFusize & first) << 16) |
+                        ((0x00FF_0000usize & second) >> 8) |
+                        (0x0000_00FFusize & second);
+             let second_word = ((0x00FF_0000usize & third) << 8) |
+                               ((0x0000_00FFusize & third) << 16) |
+                               ((0x00FF_0000usize & fourth) >> 8) |
+                               (0x0000_00FFusize & fourth);
++            // Safety: fn invariant used here
+             *dst = word;
+             *(dst.add(1)) = second_word;
+         }
+     } else {
+         ascii_naive!(ascii_to_ascii, u8, u8);
+         ascii_naive!(ascii_to_basic_latin, u8, u16);
+         ascii_naive!(basic_latin_to_ascii, u16, u8);
+     }
+ }
+ 
+ cfg_if! {
++    // Safety-usable invariant: this counts the zeroes from the "first byte" of utf-8 data packed into a usize
++    // with the target endianness
+     if #[cfg(target_endian = "little")] {
+         #[allow(dead_code)]
+         #[inline(always)]
+         fn count_zeros(word: usize) -> u32 {
+             word.trailing_zeros()
+         }
+     } else {
+         #[allow(dead_code)]
+@@ -1207,208 +1501,272 @@ cfg_if! {
+         fn count_zeros(word: usize) -> u32 {
+             word.leading_zeros()
+         }
+     }
+ }
+ 
+ cfg_if! {
+     if #[cfg(all(feature = "simd-accel", target_endian = "little", target_arch = "disabled"))] {
++        /// Safety-usable invariant: Will return the value and position of the first non-ASCII byte in the slice in a Some if found.
++        /// In other words, the first element of the Some is always `> 127`
+         #[inline(always)]
+         pub fn validate_ascii(slice: &[u8]) -> Option<(u8, usize)> {
+             let src = slice.as_ptr();
+             let len = slice.len();
+             let mut offset = 0usize;
++            // Safety: if this check succeeds we're valid for reading/writing at least `stride` elements.
+             if SIMD_STRIDE_SIZE <= len {
+                 let len_minus_stride = len - SIMD_STRIDE_SIZE;
+                 loop {
++                    // Safety: src at offset is valid for a `SIMD_STRIDE_SIZE` read
+                     let simd = unsafe { load16_unaligned(src.add(offset)) };
+                     if !simd_is_ascii(simd) {
+                         break;
+                     }
+                     offset += SIMD_STRIDE_SIZE;
++                    // This is `offset > len - SIMD_STRIDE_SIZE` which means we always have at least `SIMD_STRIDE_SIZE` elements to munch next time.
+                     if offset > len_minus_stride {
+                         break;
+                     }
+                 }
+             }
+             while offset < len {
+                 let code_unit = slice[offset];
+                 if code_unit > 127 {
++                    // Safety: Safety-usable invariant upheld here
+                     return Some((code_unit, offset));
+                 }
+                 offset += 1;
+             }
+             None
+         }
+     } else if #[cfg(all(feature = "simd-accel", target_feature = "sse2"))] {
++        /// Safety-usable invariant: will return Some() when it encounters non-ASCII, with the first element in the Some being
++        /// guaranteed to be non-ASCII (> 127), and the second being the offset where it is found
+         #[inline(always)]
+         pub fn validate_ascii(slice: &[u8]) -> Option<(u8, usize)> {
+             let src = slice.as_ptr();
+             let len = slice.len();
+             let mut offset = 0usize;
++            // Safety: if this check succeeds we're valid for reading at least `stride` elements.
+             if SIMD_STRIDE_SIZE <= len {
+                 // First, process one unaligned vector
++                // Safety: src is valid for a `SIMD_STRIDE_SIZE` read
+                 let simd = unsafe { load16_unaligned(src) };
+                 let mask = mask_ascii(simd);
+                 if mask != 0 {
+                     offset = mask.trailing_zeros() as usize;
+                     let non_ascii = unsafe { *src.add(offset) };
+                     return Some((non_ascii, offset));
+                 }
+                 offset = SIMD_STRIDE_SIZE;
++                // Safety: Now that offset has changed we don't yet know how much it is valid for
+ 
+                 // We have now seen 16 ASCII bytes. Let's guess that
+                 // there will be enough more to justify more expense
+                 // in the case of non-ASCII.
+                 // Use aligned reads for the sake of old microachitectures.
++                // Safety: this correctly calculates the number of src_units that need to be read before the remaining list is aligned.
++                // This is by definition less than SIMD_ALIGNMENT, which is defined to be equal to SIMD_STRIDE_SIZE.
+                 let until_alignment = unsafe { (SIMD_ALIGNMENT - ((src.add(offset) as usize) & SIMD_ALIGNMENT_MASK)) & SIMD_ALIGNMENT_MASK };
+                 // This addition won't overflow, because even in the 32-bit PAE case the
+                 // address space holds enough code that the slice length can't be that
+                 // close to address space size.
+                 // offset now equals SIMD_STRIDE_SIZE, hence times 3 below.
++                //
++                // Safety: if this check succeeds we're valid for reading at least `2 * SIMD_STRIDE_SIZE` elements plus `until_alignment`.
++                // The extra SIMD_STRIDE_SIZE in the condition is because `offset` is already `SIMD_STRIDE_SIZE`.
+                 if until_alignment + (SIMD_STRIDE_SIZE * 3) <= len {
+                     if until_alignment != 0 {
++                        // Safety: this is safe to call since we're valid for this read (and more), and don't care about alignment
++                        // This will copy over bytes that get decoded twice since it's not incrementing `offset` by SIMD_STRIDE_SIZE. This is fine.
+                         let simd = unsafe { load16_unaligned(src.add(offset)) };
+                         let mask = mask_ascii(simd);
+                         if mask != 0 {
+                             offset += mask.trailing_zeros() as usize;
+                             let non_ascii = unsafe { *src.add(offset) };
+                             return Some((non_ascii, offset));
+                         }
+                         offset += until_alignment;
+                     }
++                    // Safety: At this point we're valid for reading 2*SIMD_STRIDE_SIZE elements
++                    // Safety: Now `offset` is aligned for `src`
+                     let len_minus_stride_times_two = len - (SIMD_STRIDE_SIZE * 2);
+                     loop {
++                        // Safety: We were valid for this read, and were aligned.
+                         let first = unsafe { load16_aligned(src.add(offset)) };
+                         let second = unsafe { load16_aligned(src.add(offset + SIMD_STRIDE_SIZE)) };
+                         if !simd_is_ascii(first | second) {
++                            // Safety: mask_ascii produces a mask of all the high bits.
+                             let mask_first = mask_ascii(first);
+                             if mask_first != 0 {
++                                // Safety: on little endian systems this will be the number of ascii bytes
++                                // before the first non-ascii, i.e. valid for indexing src
++                                // TODO SAFETY: What about big-endian systems?
+                                 offset += mask_first.trailing_zeros() as usize;
+                             } else {
+                                 let mask_second = mask_ascii(second);
++                                // Safety: on little endian systems this will be the number of ascii bytes
++                                // before the first non-ascii, i.e. valid for indexing src
+                                 offset += SIMD_STRIDE_SIZE + mask_second.trailing_zeros() as usize;
+                             }
++                            // Safety: We know this is non-ASCII, and can uphold the safety-usable invariant here
+                             let non_ascii = unsafe { *src.add(offset) };
++
+                             return Some((non_ascii, offset));
+                         }
+                         offset += SIMD_STRIDE_SIZE * 2;
++                        // Safety: This is `offset > len - 2 * SIMD_STRIDE_SIZE` which means we always have at least `2 * SIMD_STRIDE_SIZE` elements to munch next time.
+                         if offset > len_minus_stride_times_two {
+                             break;
+                         }
+                     }
++                    // Safety: if this check succeeds we're valid for reading at least `SIMD_STRIDE_SIZE`
+                     if offset + SIMD_STRIDE_SIZE <= len {
+-                         let simd = unsafe { load16_aligned(src.add(offset)) };
+-                         let mask = mask_ascii(simd);
++                        // Safety: We were valid for this read, and were aligned.
++                        let simd = unsafe { load16_aligned(src.add(offset)) };
++                        // Safety: mask_ascii produces a mask of all the high bits.
++                        let mask = mask_ascii(simd);
+                         if mask != 0 {
++                            // Safety: on little endian systems this will be the number of ascii bytes
++                            // before the first non-ascii, i.e. valid for indexing src
+                             offset += mask.trailing_zeros() as usize;
+                             let non_ascii = unsafe { *src.add(offset) };
++                            // Safety: We know this is non-ASCII, and can uphold the safety-usable invariant here
+                             return Some((non_ascii, offset));
+                         }
+                         offset += SIMD_STRIDE_SIZE;
+                     }
+                 } else {
++                    // Safety: this is the unaligned branch
+                     // At most two iterations, so unroll
++                    // Safety: if this check succeeds we're valid for reading at least `SIMD_STRIDE_SIZE`
+                     if offset + SIMD_STRIDE_SIZE <= len {
++                        // Safety: We're valid for this read but must use an unaligned read
+                         let simd = unsafe { load16_unaligned(src.add(offset)) };
+                         let mask = mask_ascii(simd);
+                         if mask != 0 {
+                             offset += mask.trailing_zeros() as usize;
+                             let non_ascii = unsafe { *src.add(offset) };
++                            // Safety-usable invariant upheld here (same as above)
+                             return Some((non_ascii, offset));
+                         }
+                         offset += SIMD_STRIDE_SIZE;
++                        // Safety: if this check succeeds we're valid for reading at least `SIMD_STRIDE_SIZE`
+                         if offset + SIMD_STRIDE_SIZE <= len {
++                            // Safety: We're valid for this read but must use an unaligned read
+                              let simd = unsafe { load16_unaligned(src.add(offset)) };
+                              let mask = mask_ascii(simd);
+                             if mask != 0 {
+                                 offset += mask.trailing_zeros() as usize;
+                                 let non_ascii = unsafe { *src.add(offset) };
++                                // Safety-usable invariant upheld here (same as above)
+                                 return Some((non_ascii, offset));
+                             }
+                             offset += SIMD_STRIDE_SIZE;
+                         }
+                     }
+                 }
+             }
+             while offset < len {
++                // Safety: relies straightforwardly on the `len` invariant
+                 let code_unit = unsafe { *(src.add(offset)) };
+                 if code_unit > 127 {
++                    // Safety-usable invariant upheld here
+                     return Some((code_unit, offset));
+                 }
+                 offset += 1;
+             }
+             None
+         }
+     } else {
++        // Safety-usable invariant: returns byte index of first non-ascii byte
+         #[inline(always)]
+         fn find_non_ascii(word: usize, second_word: usize) -> Option<usize> {
+             let word_masked = word & ASCII_MASK;
+             let second_masked = second_word & ASCII_MASK;
+             if (word_masked | second_masked) == 0 {
++                // Both are ascii, invariant upheld
+                 return None;
+             }
+             if word_masked != 0 {
+                 let zeros = count_zeros(word_masked);
+-                // `zeros` now contains 7 (for the seven bits of non-ASCII)
++                // `zeros` now contains 0 to 7 (for the seven bits of masked ASCII in little endian,
++                // or up to 7 bits of non-ASCII in big endian if the first byte is non-ASCII)
+                 // plus 8 times the number of ASCII in text order before the
+                 // non-ASCII byte in the little-endian case or 8 times the number of ASCII in
+                 // text order before the non-ASCII byte in the big-endian case.
+                 let num_ascii = (zeros >> 3) as usize;
++                // Safety-usable invariant upheld here
+                 return Some(num_ascii);
+             }
+             let zeros = count_zeros(second_masked);
+-            // `zeros` now contains 7 (for the seven bits of non-ASCII)
++            // `zeros` now contains 0 to 7 (for the seven bits of masked ASCII in little endian,
++            // or up to 7 bits of non-ASCII in big endian if the first byte is non-ASCII)
+             // plus 8 times the number of ASCII in text order before the
+             // non-ASCII byte in the little-endian case or 8 times the number of ASCII in
+             // text order before the non-ASCII byte in the big-endian case.
+             let num_ascii = (zeros >> 3) as usize;
++            // Safety-usable invariant upheld here
+             Some(ALU_ALIGNMENT + num_ascii)
+         }
+ 
++        /// Safety: `src` must be valid for the reads of two `usize`s
++        ///
++        /// Safety-usable invariant: will return byte index of first non-ascii byte
+         #[inline(always)]
+         unsafe fn validate_ascii_stride(src: *const usize) -> Option<usize> {
+             let word = *src;
+             let second_word = *(src.add(1));
+             find_non_ascii(word, second_word)
+         }
+ 
++        /// Safety-usable invariant: will return Some() when it encounters non-ASCII, with the first element in the Some being
++        /// guaranteed to be non-ASCII (> 127), and the second being the offset where it is found
+         #[cfg_attr(feature = "cargo-clippy", allow(cast_ptr_alignment))]
+         #[inline(always)]
+         pub fn validate_ascii(slice: &[u8]) -> Option<(u8, usize)> {
+             let src = slice.as_ptr();
+             let len = slice.len();
+             let mut offset = 0usize;
+             let mut until_alignment = (ALU_ALIGNMENT - ((src as usize) & ALU_ALIGNMENT_MASK)) & ALU_ALIGNMENT_MASK;
++            // Safety: If this check fails we're valid to read `until_alignment + ALU_STRIDE_SIZE` elements
+             if until_alignment + ALU_STRIDE_SIZE <= len {
+                 while until_alignment != 0 {
+                     let code_unit = slice[offset];
+                     if code_unit > 127 {
++                        // Safety-usable invairant upheld here
+                         return Some((code_unit, offset));
+                     }
+                     offset += 1;
+                     until_alignment -= 1;
+                 }
++                // Safety: At this point we have read until_alignment elements and
++                // are valid for `ALU_STRIDE_SIZE` more.
+                 let len_minus_stride = len - ALU_STRIDE_SIZE;
+                 loop {
++                    // Safety: we were valid for this read
+                     let ptr = unsafe { src.add(offset) as *const usize };
+                     if let Some(num_ascii) = unsafe { validate_ascii_stride(ptr) } {
+                         offset += num_ascii;
++                        // Safety-usable invairant upheld here using the invariant from validate_ascii_stride()
+                         return Some((unsafe { *(src.add(offset)) }, offset));
+                     }
+                     offset += ALU_STRIDE_SIZE;
++                    // Safety: This is `offset > ALU_STRIDE_SIZE` which means we always have at least `2 * ALU_STRIDE_SIZE` elements to munch next time.
+                     if offset > len_minus_stride {
+                         break;
+                     }
+                 }
+             }
+             while offset < len {
+                 let code_unit = slice[offset];
+                 if code_unit > 127 {
++                    // Safety-usable invairant upheld here
+                     return Some((code_unit, offset));
+                 }
+                 offset += 1;
+            }
+            None
+         }
+ 
+     }
+@@ -1423,70 +1781,88 @@ cfg_if! {
+         // vector reads without vector writes.
+ 
+         pub const ALU_STRIDE_SIZE: usize = 8;
+ 
+         pub const ALU_ALIGNMENT: usize = 4;
+ 
+         pub const ALU_ALIGNMENT_MASK: usize = 3;
+     } else {
++        // Safety: src points to two valid `usize`s, dst points to four valid `usize`s
+         #[inline(always)]
+         unsafe fn unpack_latin1_stride_alu(src: *const usize, dst: *mut usize) {
++            // Safety: src safety invariant used here
+             let word = *src;
+             let second_word = *(src.add(1));
++            // Safety: dst safety invariant passed down
+             unpack_alu(word, second_word, dst);
+         }
+ 
++        // Safety: src points to four valid `usize`s, dst points to two valid `usize`s
+         #[inline(always)]
+         unsafe fn pack_latin1_stride_alu(src: *const usize, dst: *mut usize) {
++            // Safety: src safety invariant used here
+             let first = *src;
+             let second = *(src.add(1));
+             let third = *(src.add(2));
+             let fourth = *(src.add(3));
++            // Safety: dst safety invariant passed down
+             pack_alu(first, second, third, fourth, dst);
+         }
+ 
++        // Safety: src points to two valid `usize`s, dst points to four valid `usize`s
+         #[inline(always)]
+         unsafe fn ascii_to_basic_latin_stride_alu(src: *const usize, dst: *mut usize) -> bool {
++            // Safety: src safety invariant used here
+             let word = *src;
+             let second_word = *(src.add(1));
+             // Check if the words contains non-ASCII
+             if (word & ASCII_MASK) | (second_word & ASCII_MASK) != 0 {
+                 return false;
+             }
++            // Safety: dst safety invariant passed down
+             unpack_alu(word, second_word, dst);
+             true
+         }
+ 
++        // Safety: src points four valid `usize`s, dst points to two valid `usize`s
+         #[inline(always)]
+         unsafe fn basic_latin_to_ascii_stride_alu(src: *const usize, dst: *mut usize) -> bool {
++            // Safety: src safety invariant used here
+             let first = *src;
+             let second = *(src.add(1));
+             let third = *(src.add(2));
+             let fourth = *(src.add(3));
+             if (first & BASIC_LATIN_MASK) | (second & BASIC_LATIN_MASK) | (third & BASIC_LATIN_MASK) | (fourth & BASIC_LATIN_MASK) != 0 {
+                 return false;
+             }
++            // Safety: dst safety invariant passed down
+             pack_alu(first, second, third, fourth, dst);
+             true
+         }
+ 
++        // Safety: src, dst both point to two valid `usize`s each
++        // Safety-usable invariant: Will return byte index of first non-ascii byte.
+         #[inline(always)]
+         unsafe fn ascii_to_ascii_stride(src: *const usize, dst: *mut usize) -> Option<usize> {
++            // Safety: src safety invariant used here
+             let word = *src;
+             let second_word = *(src.add(1));
++            // Safety: src safety invariant used here
+             *dst = word;
+             *(dst.add(1)) = second_word;
++            // Relies on safety-usable invariant here
+             find_non_ascii(word, second_word)
+         }
+ 
+         basic_latin_alu!(ascii_to_basic_latin, u8, u16, ascii_to_basic_latin_stride_alu);
+         basic_latin_alu!(basic_latin_to_ascii, u16, u8, basic_latin_to_ascii_stride_alu);
+         latin1_alu!(unpack_latin1, u8, u16, unpack_latin1_stride_alu);
+         latin1_alu!(pack_latin1, u16, u8, pack_latin1_stride_alu);
++        // Safety invariant upheld: ascii_to_ascii_stride will return byte index of first non-ascii if found
+         ascii_alu!(ascii_to_ascii, u8, u8, ascii_to_ascii_stride);
+     }
+ }
+ 
+ pub fn ascii_valid_up_to(bytes: &[u8]) -> usize {
+     match validate_ascii(bytes) {
+         None => bytes.len(),
+         Some((_, num_valid)) => num_valid,
+diff --git a/third_party/rust/encoding_rs/src/handles.rs b/third_party/rust/encoding_rs/src/handles.rs
+--- third_party/rust/encoding_rs/src/handles.rs
++++ third_party/rust/encoding_rs/src/handles.rs
+@@ -29,17 +29,17 @@ use crate::simd_funcs::*;
+ #[cfg(all(
+     feature = "simd-accel",
+     any(
+         target_feature = "sse2",
+         all(target_endian = "little", target_arch = "aarch64"),
+         all(target_endian = "little", target_feature = "neon")
+     )
+ ))]
+-use packed_simd::u16x8;
++use core::simd::u16x8;
+ 
+ use super::DecoderResult;
+ use super::EncoderResult;
+ use crate::ascii::*;
+ use crate::utf_8::convert_utf8_to_utf16_up_to_invalid;
+ use crate::utf_8::utf8_valid_up_to;
+ 
+ pub enum Space<T> {
+@@ -85,84 +85,100 @@ impl Endian for LittleEndian {
+     const OPPOSITE_ENDIAN: bool = false;
+ 
+     #[cfg(target_endian = "big")]
+     const OPPOSITE_ENDIAN: bool = true;
+ }
+ 
+ #[derive(Debug, Copy, Clone)]
+ struct UnalignedU16Slice {
++    // Safety invariant: ptr must be valid for reading 2*len bytes
+     ptr: *const u8,
+     len: usize,
+ }
+ 
+ impl UnalignedU16Slice {
++    /// Safety: ptr must be valid for reading 2*len bytes
+     #[inline(always)]
+     pub unsafe fn new(ptr: *const u8, len: usize) -> UnalignedU16Slice {
++        // Safety: field invariant passed up to caller here
+         UnalignedU16Slice { ptr, len }
+     }
+ 
+     #[inline(always)]
+     pub fn trim_last(&mut self) {
+         assert!(self.len > 0);
++        // Safety: invariant upheld here: a slice is still valid with a shorter len
+         self.len -= 1;
+     }
+ 
+     #[inline(always)]
+     pub fn at(&self, i: usize) -> u16 {
+         use core::mem::MaybeUninit;
+ 
+         assert!(i < self.len);
+         unsafe {
+             let mut u: MaybeUninit<u16> = MaybeUninit::uninit();
++            // Safety: i is at most len - 1, which works here
+             ::core::ptr::copy_nonoverlapping(self.ptr.add(i * 2), u.as_mut_ptr() as *mut u8, 2);
++            // Safety: valid read above lets us do this
+             u.assume_init()
+         }
+     }
+ 
+     #[cfg(feature = "simd-accel")]
+     #[inline(always)]
+     pub fn simd_at(&self, i: usize) -> u16x8 {
++        // Safety: i/len are on the scale of u16s, each one corresponds to 2 u8s
+         assert!(i + SIMD_STRIDE_SIZE / 2 <= self.len);
+         let byte_index = i * 2;
++        // Safety: load16_unaligned needs SIMD_STRIDE_SIZE=16 u8 elements to read,
++        // or 16/2 = 8 u16 elements to read.
++        // We have checked that we have at least that many above.
++
+         unsafe { to_u16_lanes(load16_unaligned(self.ptr.add(byte_index))) }
+     }
+ 
+     #[inline(always)]
+     pub fn len(&self) -> usize {
+         self.len
+     }
+ 
+     #[inline(always)]
+     pub fn tail(&self, from: usize) -> UnalignedU16Slice {
+         // XXX the return value should be restricted not to
+         // outlive self.
+         assert!(from <= self.len);
++        // Safety: This upholds the same invariant: `from` is in bounds and we're returning a shorter slice
+         unsafe { UnalignedU16Slice::new(self.ptr.add(from * 2), self.len - from) }
+     }
+ 
+     #[cfg(feature = "simd-accel")]
+     #[inline(always)]
+     pub fn copy_bmp_to<E: Endian>(&self, other: &mut [u16]) -> Option<(u16, usize)> {
+         assert!(self.len <= other.len());
+         let mut offset = 0;
++        // Safety: SIMD_STRIDE_SIZE is measured in bytes, whereas len is in u16s. We check we can
++        // munch SIMD_STRIDE_SIZE / 2 u16s which means we can write SIMD_STRIDE_SIZE u8s
+         if SIMD_STRIDE_SIZE / 2 <= self.len {
+             let len_minus_stride = self.len - SIMD_STRIDE_SIZE / 2;
+             loop {
+                 let mut simd = self.simd_at(offset);
+                 if E::OPPOSITE_ENDIAN {
+                     simd = simd_byte_swap(simd);
+                 }
++                // Safety: we have enough space on the other side to write this
+                 unsafe {
+                     store8_unaligned(other.as_mut_ptr().add(offset), simd);
+                 }
+                 if contains_surrogates(simd) {
+                     break;
+                 }
+                 offset += SIMD_STRIDE_SIZE / 2;
++                // Safety: This ensures we still have space for writing SIMD_STRIDE_SIZE u8s
+                 if offset > len_minus_stride {
+                     break;
+                 }
+             }
+         }
+         while offset < self.len {
+             let unit = swap_if_opposite_endian::<E>(self.at(offset));
+             other[offset] = unit;
+@@ -231,33 +247,37 @@ fn copy_unaligned_basic_latin_to_ascii<E
+ #[cfg(feature = "simd-accel")]
+ #[inline(always)]
+ fn copy_unaligned_basic_latin_to_ascii<E: Endian>(
+     src: UnalignedU16Slice,
+     dst: &mut [u8],
+ ) -> CopyAsciiResult<usize, (u16, usize)> {
+     let len = ::core::cmp::min(src.len(), dst.len());
+     let mut offset = 0;
++    // Safety: This check ensures we are able to read/write at least SIMD_STRIDE_SIZE elements
+     if SIMD_STRIDE_SIZE <= len {
+         let len_minus_stride = len - SIMD_STRIDE_SIZE;
+         loop {
+             let mut first = src.simd_at(offset);
+             let mut second = src.simd_at(offset + (SIMD_STRIDE_SIZE / 2));
+             if E::OPPOSITE_ENDIAN {
+                 first = simd_byte_swap(first);
+                 second = simd_byte_swap(second);
+             }
+             if !simd_is_basic_latin(first | second) {
+                 break;
+             }
+             let packed = simd_pack(first, second);
++            // Safety: We are able to write SIMD_STRIDE_SIZE elements in this iteration
+             unsafe {
+                 store16_unaligned(dst.as_mut_ptr().add(offset), packed);
+             }
+             offset += SIMD_STRIDE_SIZE;
++            // Safety: This is `offset > len - SIMD_STRIDE_SIZE`, which ensures that we can write at least SIMD_STRIDE_SIZE elements
++            // in the next iteration
+             if offset > len_minus_stride {
+                 break;
+             }
+         }
+     }
+     copy_unaligned_basic_latin_to_ascii_alu::<E>(src.tail(offset), &mut dst[offset..], offset)
+ }
+ 
+@@ -632,94 +652,106 @@ impl<'a> Utf16Destination<'a> {
+     #[inline(always)]
+     fn write_astral(&mut self, astral: u32) {
+         debug_assert!(astral > 0xFFFF);
+         debug_assert!(astral <= 0x10_FFFF);
+         self.write_code_unit((0xD7C0 + (astral >> 10)) as u16);
+         self.write_code_unit((0xDC00 + (astral & 0x3FF)) as u16);
+     }
+     #[inline(always)]
+-    pub fn write_surrogate_pair(&mut self, high: u16, low: u16) {
++    fn write_surrogate_pair(&mut self, high: u16, low: u16) {
+         self.write_code_unit(high);
+         self.write_code_unit(low);
+     }
+     #[inline(always)]
+     fn write_big5_combination(&mut self, combined: u16, combining: u16) {
+         self.write_bmp_excl_ascii(combined);
+         self.write_bmp_excl_ascii(combining);
+     }
++    // Safety-usable invariant: CopyAsciiResult::GoOn will only contain bytes >=0x80
+     #[inline(always)]
+     pub fn copy_ascii_from_check_space_bmp<'b>(
+         &'b mut self,
+         source: &mut ByteSource,
+     ) -> CopyAsciiResult<(DecoderResult, usize, usize), (u8, Utf16BmpHandle<'b, 'a>)> {
+         let non_ascii_ret = {
+             let src_remaining = &source.slice[source.pos..];
+             let dst_remaining = &mut self.slice[self.pos..];
+             let (pending, length) = if dst_remaining.len() < src_remaining.len() {
+                 (DecoderResult::OutputFull, dst_remaining.len())
+             } else {
+                 (DecoderResult::InputEmpty, src_remaining.len())
+             };
++            // Safety: This function is documented as needing valid pointers for src/dest and len, which
++            // is true since we've passed the minumum length of the two
+             match unsafe {
+                 ascii_to_basic_latin(src_remaining.as_ptr(), dst_remaining.as_mut_ptr(), length)
+             } {
+                 None => {
+                     source.pos += length;
+                     self.pos += length;
+                     return CopyAsciiResult::Stop((pending, source.pos, self.pos));
+                 }
++                // Safety: the function is documented as returning bytes >=0x80 in the Some
+                 Some((non_ascii, consumed)) => {
+                     source.pos += consumed;
+                     self.pos += consumed;
+                     source.pos += 1; // +1 for non_ascii
++                                     // Safety: non-ascii bubbled out here
+                     non_ascii
+                 }
+             }
+         };
++        // Safety: non-ascii returned here
+         CopyAsciiResult::GoOn((non_ascii_ret, Utf16BmpHandle::new(self)))
+     }
++    // Safety-usable invariant: CopyAsciiResult::GoOn will only contain bytes >=0x80
+     #[inline(always)]
+     pub fn copy_ascii_from_check_space_astral<'b>(
+         &'b mut self,
+         source: &mut ByteSource,
+     ) -> CopyAsciiResult<(DecoderResult, usize, usize), (u8, Utf16AstralHandle<'b, 'a>)> {
+         let non_ascii_ret = {
+             let dst_len = self.slice.len();
+             let src_remaining = &source.slice[source.pos..];
+             let dst_remaining = &mut self.slice[self.pos..];
+             let (pending, length) = if dst_remaining.len() < src_remaining.len() {
+                 (DecoderResult::OutputFull, dst_remaining.len())
+             } else {
+                 (DecoderResult::InputEmpty, src_remaining.len())
+             };
++            // Safety: This function is documented as needing valid pointers for src/dest and len, which
++            // is true since we've passed the minumum length of the two
+             match unsafe {
+                 ascii_to_basic_latin(src_remaining.as_ptr(), dst_remaining.as_mut_ptr(), length)
+             } {
+                 None => {
+                     source.pos += length;
+                     self.pos += length;
+                     return CopyAsciiResult::Stop((pending, source.pos, self.pos));
+                 }
++                // Safety: the function is documented as returning bytes >=0x80 in the Some
+                 Some((non_ascii, consumed)) => {
+                     source.pos += consumed;
+                     self.pos += consumed;
+                     if self.pos + 1 < dst_len {
+                         source.pos += 1; // +1 for non_ascii
++                                         // Safety: non-ascii bubbled out here
+                         non_ascii
+                     } else {
+                         return CopyAsciiResult::Stop((
+                             DecoderResult::OutputFull,
+                             source.pos,
+                             self.pos,
+                         ));
+                     }
+                 }
+             }
+         };
++        // Safety: non-ascii returned here
+         CopyAsciiResult::GoOn((non_ascii_ret, Utf16AstralHandle::new(self)))
+     }
+     #[inline(always)]
+     pub fn copy_utf8_up_to_invalid_from(&mut self, source: &mut ByteSource) {
+         let src_remaining = &source.slice[source.pos..];
+         let dst_remaining = &mut self.slice[self.pos..];
+         let (read, written) = convert_utf8_to_utf16_up_to_invalid(src_remaining, dst_remaining);
+         source.pos += read;
+diff --git a/third_party/rust/encoding_rs/src/lib.rs b/third_party/rust/encoding_rs/src/lib.rs
+--- third_party/rust/encoding_rs/src/lib.rs
++++ third_party/rust/encoding_rs/src/lib.rs
+@@ -684,37 +684,26 @@
+ //! <tr><td>TIS-620</td><td>windows-874</td></tr>
+ //! </tbody>
+ //! </table>
+ //!
+ //! See the section [_UTF-16LE, UTF-16BE and Unicode Encoding Schemes_](#utf-16le-utf-16be-and-unicode-encoding-schemes)
+ //! for discussion about the UTF-16 family.
+ 
+ #![no_std]
+-#![cfg_attr(feature = "simd-accel", feature(core_intrinsics))]
++#![cfg_attr(feature = "simd-accel", feature(core_intrinsics, portable_simd))]
+ 
+ #[cfg(feature = "alloc")]
+ #[cfg_attr(test, macro_use)]
+ extern crate alloc;
+ 
+ extern crate core;
+ #[macro_use]
+ extern crate cfg_if;
+ 
+-#[cfg(all(
+-    feature = "simd-accel",
+-    any(
+-        target_feature = "sse2",
+-        all(target_endian = "little", target_arch = "aarch64"),
+-        all(target_endian = "little", target_feature = "neon")
+-    )
+-))]
+-#[macro_use(shuffle)]
+-extern crate packed_simd;
+-
+ #[cfg(feature = "serde")]
+ extern crate serde;
+ 
+ #[cfg(all(test, feature = "serde"))]
+ extern crate bincode;
+ #[cfg(all(test, feature = "serde"))]
+ #[macro_use]
+ extern crate serde_derive;
+diff --git a/third_party/rust/encoding_rs/src/mem.rs b/third_party/rust/encoding_rs/src/mem.rs
+--- third_party/rust/encoding_rs/src/mem.rs
++++ third_party/rust/encoding_rs/src/mem.rs
+@@ -111,16 +111,21 @@ macro_rules! by_unit_check_alu {
+                             until_alignment -= 1;
+                         }
+                         if accu >= $bound {
+                             return false;
+                         }
+                     }
+                     let len_minus_stride = len - ALU_ALIGNMENT / unit_size;
+                     if offset + (4 * (ALU_ALIGNMENT / unit_size)) <= len {
++                        // Safety: the above check lets us perform 4 consecutive reads of
++                        // length ALU_ALIGNMENT / unit_size. ALU_ALIGNMENT is the size of usize, and unit_size
++                        // is the size of the `src` pointer, so this is equal to performing four usize reads.
++                        //
++                        // This invariant is upheld on all loop iterations
+                         let len_minus_unroll = len - (4 * (ALU_ALIGNMENT / unit_size));
+                         loop {
+                             let unroll_accu = unsafe { *(src.add(offset) as *const usize) }
+                                 | unsafe {
+                                     *(src.add(offset + (ALU_ALIGNMENT / unit_size)) as *const usize)
+                                 }
+                                 | unsafe {
+                                     *(src.add(offset + (2 * (ALU_ALIGNMENT / unit_size)))
+@@ -129,22 +134,24 @@ macro_rules! by_unit_check_alu {
+                                 | unsafe {
+                                     *(src.add(offset + (3 * (ALU_ALIGNMENT / unit_size)))
+                                         as *const usize)
+                                 };
+                             if unroll_accu & $mask != 0 {
+                                 return false;
+                             }
+                             offset += 4 * (ALU_ALIGNMENT / unit_size);
++                            // Safety: this check lets us continue to perform the 4 reads earlier
+                             if offset > len_minus_unroll {
+                                 break;
+                             }
+                         }
+                     }
+                     while offset <= len_minus_stride {
++                        // Safety: the above check lets us perform one usize read.
+                         accu |= unsafe { *(src.add(offset) as *const usize) };
+                         offset += ALU_ALIGNMENT / unit_size;
+                     }
+                 }
+             }
+             for &unit in &buffer[offset..] {
+                 accu |= unit as usize;
+             }
+@@ -184,16 +191,21 @@ macro_rules! by_unit_check_simd {
+                             until_alignment -= 1;
+                         }
+                         if accu >= $bound {
+                             return false;
+                         }
+                     }
+                     let len_minus_stride = len - SIMD_STRIDE_SIZE / unit_size;
+                     if offset + (4 * (SIMD_STRIDE_SIZE / unit_size)) <= len {
++                        // Safety: the above check lets us perform 4 consecutive reads of
++                        // length SIMD_STRIDE_SIZE / unit_size. SIMD_STRIDE_SIZE is the size of $simd_ty, and unit_size
++                        // is the size of the `src` pointer, so this is equal to performing four $simd_ty reads.
++                        //
++                        // This invariant is upheld on all loop iterations
+                         let len_minus_unroll = len - (4 * (SIMD_STRIDE_SIZE / unit_size));
+                         loop {
+                             let unroll_accu = unsafe { *(src.add(offset) as *const $simd_ty) }
+                                 | unsafe {
+                                     *(src.add(offset + (SIMD_STRIDE_SIZE / unit_size))
+                                         as *const $simd_ty)
+                                 }
+                                 | unsafe {
+@@ -203,23 +215,25 @@ macro_rules! by_unit_check_simd {
+                                 | unsafe {
+                                     *(src.add(offset + (3 * (SIMD_STRIDE_SIZE / unit_size)))
+                                         as *const $simd_ty)
+                                 };
+                             if !$func(unroll_accu) {
+                                 return false;
+                             }
+                             offset += 4 * (SIMD_STRIDE_SIZE / unit_size);
++                            // Safety: this check lets us continue to perform the 4 reads earlier
+                             if offset > len_minus_unroll {
+                                 break;
+                             }
+                         }
+                     }
+                     let mut simd_accu = $splat;
+                     while offset <= len_minus_stride {
++                        // Safety: the above check lets us perform one $simd_ty read.
+                         simd_accu = simd_accu | unsafe { *(src.add(offset) as *const $simd_ty) };
+                         offset += SIMD_STRIDE_SIZE / unit_size;
+                     }
+                     if !$func(simd_accu) {
+                         return false;
+                     }
+                 }
+             }
+@@ -229,18 +243,18 @@ macro_rules! by_unit_check_simd {
+             accu < $bound
+         }
+     };
+ }
+ 
+ cfg_if! {
+     if #[cfg(all(feature = "simd-accel", any(target_feature = "sse2", all(target_endian = "little", target_arch = "aarch64"), all(target_endian = "little", target_feature = "neon"))))] {
+         use crate::simd_funcs::*;
+-        use packed_simd::u8x16;
+-        use packed_simd::u16x8;
++        use core::simd::u8x16;
++        use core::simd::u16x8;
+ 
+         const SIMD_ALIGNMENT: usize = 16;
+ 
+         const SIMD_ALIGNMENT_MASK: usize = 15;
+ 
+         by_unit_check_simd!(is_ascii_impl, u8, u8x16::splat(0), u8x16, 0x80, simd_is_ascii);
+         by_unit_check_simd!(is_basic_latin_impl, u16, u16x8::splat(0), u16x8, 0x80, simd_is_basic_latin);
+         by_unit_check_simd!(is_utf16_latin1_impl, u16, u16x8::splat(0), u16x8, 0x100, simd_is_latin1);
+diff --git a/third_party/rust/encoding_rs/src/simd_funcs.rs b/third_party/rust/encoding_rs/src/simd_funcs.rs
+--- third_party/rust/encoding_rs/src/simd_funcs.rs
++++ third_party/rust/encoding_rs/src/simd_funcs.rs
+@@ -2,65 +2,84 @@
+ // file at the top-level directory of this distribution.
+ //
+ // Licensed under the Apache License, Version 2.0 <LICENSE-APACHE or
+ // https://www.apache.org/licenses/LICENSE-2.0> or the MIT license
+ // <LICENSE-MIT or https://opensource.org/licenses/MIT>, at your
+ // option. This file may not be copied, modified, or distributed
+ // except according to those terms.
+ 
+-use packed_simd::u16x8;
+-use packed_simd::u8x16;
+-use packed_simd::IntoBits;
++use any_all_workaround::all_mask16x8;
++use any_all_workaround::all_mask8x16;
++use any_all_workaround::any_mask16x8;
++use any_all_workaround::any_mask8x16;
++use core::simd::cmp::SimdPartialEq;
++use core::simd::cmp::SimdPartialOrd;
++use core::simd::mask16x8;
++use core::simd::mask8x16;
++use core::simd::simd_swizzle;
++use core::simd::u16x8;
++use core::simd::u8x16;
++use core::simd::ToBytes;
+ 
+ // TODO: Migrate unaligned access to stdlib code if/when the RFC
+ // https://github.com/rust-lang/rfcs/pull/1725 is implemented.
+ 
++/// Safety invariant: ptr must be valid for an unaligned read of 16 bytes
+ #[inline(always)]
+ pub unsafe fn load16_unaligned(ptr: *const u8) -> u8x16 {
+-    let mut simd = ::core::mem::uninitialized();
+-    ::core::ptr::copy_nonoverlapping(ptr, &mut simd as *mut u8x16 as *mut u8, 16);
+-    simd
++    let mut simd = ::core::mem::MaybeUninit::<u8x16>::uninit();
++    ::core::ptr::copy_nonoverlapping(ptr, simd.as_mut_ptr() as *mut u8, 16);
++    // Safety: copied 16 bytes of initialized memory into this, it is now initialized
++    simd.assume_init()
+ }
+ 
++/// Safety invariant: ptr must be valid for an aligned-for-u8x16 read of 16 bytes
+ #[allow(dead_code)]
+ #[inline(always)]
+ pub unsafe fn load16_aligned(ptr: *const u8) -> u8x16 {
+     *(ptr as *const u8x16)
+ }
+ 
++/// Safety invariant: ptr must be valid for an unaligned store of 16 bytes
+ #[inline(always)]
+ pub unsafe fn store16_unaligned(ptr: *mut u8, s: u8x16) {
+     ::core::ptr::copy_nonoverlapping(&s as *const u8x16 as *const u8, ptr, 16);
+ }
+ 
++/// Safety invariant: ptr must be valid for an aligned-for-u8x16 store of 16 bytes
+ #[allow(dead_code)]
+ #[inline(always)]
+ pub unsafe fn store16_aligned(ptr: *mut u8, s: u8x16) {
+     *(ptr as *mut u8x16) = s;
+ }
+ 
++/// Safety invariant: ptr must be valid for an unaligned read of 16 bytes
+ #[inline(always)]
+ pub unsafe fn load8_unaligned(ptr: *const u16) -> u16x8 {
+-    let mut simd = ::core::mem::uninitialized();
+-    ::core::ptr::copy_nonoverlapping(ptr as *const u8, &mut simd as *mut u16x8 as *mut u8, 16);
+-    simd
++    let mut simd = ::core::mem::MaybeUninit::<u16x8>::uninit();
++    ::core::ptr::copy_nonoverlapping(ptr as *const u8, simd.as_mut_ptr() as *mut u8, 16);
++    // Safety: copied 16 bytes of initialized memory into this, it is now initialized
++    simd.assume_init()
+ }
+ 
++/// Safety invariant: ptr must be valid for an aligned-for-u16x8 read of 16 bytes
+ #[allow(dead_code)]
+ #[inline(always)]
+ pub unsafe fn load8_aligned(ptr: *const u16) -> u16x8 {
+     *(ptr as *const u16x8)
+ }
+ 
++/// Safety invariant: ptr must be valid for an unaligned store of 16 bytes
+ #[inline(always)]
+ pub unsafe fn store8_unaligned(ptr: *mut u16, s: u16x8) {
+     ::core::ptr::copy_nonoverlapping(&s as *const u16x8 as *const u8, ptr as *mut u8, 16);
+ }
+ 
++/// Safety invariant: ptr must be valid for an aligned-for-u16x8 store of 16 bytes
+ #[allow(dead_code)]
+ #[inline(always)]
+ pub unsafe fn store8_aligned(ptr: *mut u16, s: u16x8) {
+     *(ptr as *mut u16x8) = s;
+ }
+ 
+ cfg_if! {
+     if #[cfg(all(target_feature = "sse2", target_arch = "x86_64"))] {
+@@ -95,234 +114,241 @@ cfg_if! {
+ pub fn simd_byte_swap(s: u16x8) -> u16x8 {
+     let left = s << 8;
+     let right = s >> 8;
+     left | right
+ }
+ 
+ #[inline(always)]
+ pub fn to_u16_lanes(s: u8x16) -> u16x8 {
+-    s.into_bits()
++    u16x8::from_ne_bytes(s)
+ }
+ 
+ cfg_if! {
+     if #[cfg(target_feature = "sse2")] {
+ 
+         // Expose low-level mask instead of higher-level conclusion,
+         // because the non-ASCII case would perform less well otherwise.
++        // Safety-usable invariant: This returned value is whether each high bit is set
+         #[inline(always)]
+         pub fn mask_ascii(s: u8x16) -> i32 {
+             unsafe {
+-                _mm_movemask_epi8(s.into_bits())
++                _mm_movemask_epi8(s.into())
+             }
+         }
+ 
+     } else {
+ 
+     }
+ }
+ 
+ cfg_if! {
+     if #[cfg(target_feature = "sse2")] {
+         #[inline(always)]
+         pub fn simd_is_ascii(s: u8x16) -> bool {
+             unsafe {
+-                _mm_movemask_epi8(s.into_bits()) == 0
++                // Safety: We have cfg()d the correct platform
++                _mm_movemask_epi8(s.into()) == 0
+             }
+         }
+     } else if #[cfg(target_arch = "aarch64")]{
+         #[inline(always)]
+         pub fn simd_is_ascii(s: u8x16) -> bool {
+             unsafe {
+-                vmaxvq_u8(s.into_bits()) < 0x80
++                // Safety: We have cfg()d the correct platform
++                vmaxvq_u8(s.into()) < 0x80
+             }
+         }
+     } else {
+         #[inline(always)]
+         pub fn simd_is_ascii(s: u8x16) -> bool {
+             // This optimizes better on ARM than
+             // the lt formulation.
+             let highest_ascii = u8x16::splat(0x7F);
+-            !s.gt(highest_ascii).any()
++            !any_mask8x16(s.simd_gt(highest_ascii))
+         }
+     }
+ }
+ 
+ cfg_if! {
+     if #[cfg(target_feature = "sse2")] {
+         #[inline(always)]
+         pub fn simd_is_str_latin1(s: u8x16) -> bool {
+             if simd_is_ascii(s) {
+                 return true;
+             }
+             let above_str_latin1 = u8x16::splat(0xC4);
+-            s.lt(above_str_latin1).all()
++            s.simd_lt(above_str_latin1).all()
+         }
+     } else if #[cfg(target_arch = "aarch64")]{
+         #[inline(always)]
+         pub fn simd_is_str_latin1(s: u8x16) -> bool {
+             unsafe {
+-                vmaxvq_u8(s.into_bits()) < 0xC4
++                // Safety: We have cfg()d the correct platform
++                vmaxvq_u8(s.into()) < 0xC4
+             }
+         }
+     } else {
+         #[inline(always)]
+         pub fn simd_is_str_latin1(s: u8x16) -> bool {
+             let above_str_latin1 = u8x16::splat(0xC4);
+-            s.lt(above_str_latin1).all()
++            all_mask8x16(s.simd_lt(above_str_latin1))
+         }
+     }
+ }
+ 
+ cfg_if! {
+     if #[cfg(target_arch = "aarch64")]{
+         #[inline(always)]
+         pub fn simd_is_basic_latin(s: u16x8) -> bool {
+             unsafe {
+-                vmaxvq_u16(s.into_bits()) < 0x80
++                // Safety: We have cfg()d the correct platform
++                vmaxvq_u16(s.into()) < 0x80
+             }
+         }
+ 
+         #[inline(always)]
+         pub fn simd_is_latin1(s: u16x8) -> bool {
+             unsafe {
+-                vmaxvq_u16(s.into_bits()) < 0x100
++                // Safety: We have cfg()d the correct platform
++                vmaxvq_u16(s.into()) < 0x100
+             }
+         }
+     } else {
+         #[inline(always)]
+         pub fn simd_is_basic_latin(s: u16x8) -> bool {
+             let above_ascii = u16x8::splat(0x80);
+-            s.lt(above_ascii).all()
++            all_mask16x8(s.simd_lt(above_ascii))
+         }
+ 
+         #[inline(always)]
+         pub fn simd_is_latin1(s: u16x8) -> bool {
+             // For some reason, on SSE2 this formulation
+             // seems faster in this case while the above
+             // function is better the other way round...
+             let highest_latin1 = u16x8::splat(0xFF);
+-            !s.gt(highest_latin1).any()
++            !any_mask16x8(s.simd_gt(highest_latin1))
+         }
+     }
+ }
+ 
+ #[inline(always)]
+ pub fn contains_surrogates(s: u16x8) -> bool {
+     let mask = u16x8::splat(0xF800);
+     let surrogate_bits = u16x8::splat(0xD800);
+-    (s & mask).eq(surrogate_bits).any()
++    any_mask16x8((s & mask).simd_eq(surrogate_bits))
+ }
+ 
+ cfg_if! {
+     if #[cfg(target_arch = "aarch64")]{
+         macro_rules! aarch64_return_false_if_below_hebrew {
+             ($s:ident) => ({
+                 unsafe {
+-                    if vmaxvq_u16($s.into_bits()) < 0x0590 {
++                    // Safety: We have cfg()d the correct platform
++                    if vmaxvq_u16($s.into()) < 0x0590 {
+                         return false;
+                     }
+                 }
+             })
+         }
+ 
+         macro_rules! non_aarch64_return_false_if_all {
+             ($s:ident) => ()
+         }
+     } else {
+         macro_rules! aarch64_return_false_if_below_hebrew {
+             ($s:ident) => ()
+         }
+ 
+         macro_rules! non_aarch64_return_false_if_all {
+             ($s:ident) => ({
+-                if $s.all() {
++                if all_mask16x8($s) {
+                     return false;
+                 }
+             })
+         }
+     }
+ }
+ 
+ macro_rules! in_range16x8 {
+     ($s:ident, $start:expr, $end:expr) => {{
+         // SIMD sub is wrapping
+-        ($s - u16x8::splat($start)).lt(u16x8::splat($end - $start))
++        ($s - u16x8::splat($start)).simd_lt(u16x8::splat($end - $start))
+     }};
+ }
+ 
+ #[inline(always)]
+ pub fn is_u16x8_bidi(s: u16x8) -> bool {
+     // We try to first quickly refute the RTLness of the vector. If that
+     // fails, we do the real RTL check, so in that case we end up wasting
+     // the work for the up-front quick checks. Even the quick-check is
+     // two-fold in order to return `false` ASAP if everything is below
+     // Hebrew.
+ 
+     aarch64_return_false_if_below_hebrew!(s);
+ 
+-    let below_hebrew = s.lt(u16x8::splat(0x0590));
++    let below_hebrew = s.simd_lt(u16x8::splat(0x0590));
+ 
+     non_aarch64_return_false_if_all!(below_hebrew);
+ 
+-    if (below_hebrew | in_range16x8!(s, 0x0900, 0x200F) | in_range16x8!(s, 0x2068, 0xD802)).all() {
++    if all_mask16x8(
++        below_hebrew | in_range16x8!(s, 0x0900, 0x200F) | in_range16x8!(s, 0x2068, 0xD802),
++    ) {
+         return false;
+     }
+ 
+     // Quick refutation failed. Let's do the full check.
+ 
+-    (in_range16x8!(s, 0x0590, 0x0900)
+-        | in_range16x8!(s, 0xFB1D, 0xFE00)
+-        | in_range16x8!(s, 0xFE70, 0xFEFF)
+-        | in_range16x8!(s, 0xD802, 0xD804)
+-        | in_range16x8!(s, 0xD83A, 0xD83C)
+-        | s.eq(u16x8::splat(0x200F))
+-        | s.eq(u16x8::splat(0x202B))
+-        | s.eq(u16x8::splat(0x202E))
+-        | s.eq(u16x8::splat(0x2067)))
+-    .any()
++    any_mask16x8(
++        (in_range16x8!(s, 0x0590, 0x0900)
++            | in_range16x8!(s, 0xFB1D, 0xFE00)
++            | in_range16x8!(s, 0xFE70, 0xFEFF)
++            | in_range16x8!(s, 0xD802, 0xD804)
++            | in_range16x8!(s, 0xD83A, 0xD83C)
++            | s.simd_eq(u16x8::splat(0x200F))
++            | s.simd_eq(u16x8::splat(0x202B))
++            | s.simd_eq(u16x8::splat(0x202E))
++            | s.simd_eq(u16x8::splat(0x2067))),
++    )
+ }
+ 
+ #[inline(always)]
+ pub fn simd_unpack(s: u8x16) -> (u16x8, u16x8) {
+-    unsafe {
+-        let first: u8x16 = shuffle!(
+-            s,
+-            u8x16::splat(0),
+-            [0, 16, 1, 17, 2, 18, 3, 19, 4, 20, 5, 21, 6, 22, 7, 23]
+-        );
+-        let second: u8x16 = shuffle!(
+-            s,
+-            u8x16::splat(0),
+-            [8, 24, 9, 25, 10, 26, 11, 27, 12, 28, 13, 29, 14, 30, 15, 31]
+-        );
+-        (first.into_bits(), second.into_bits())
+-    }
++    let first: u8x16 = simd_swizzle!(
++        s,
++        u8x16::splat(0),
++        [0, 16, 1, 17, 2, 18, 3, 19, 4, 20, 5, 21, 6, 22, 7, 23]
++    );
++    let second: u8x16 = simd_swizzle!(
++        s,
++        u8x16::splat(0),
++        [8, 24, 9, 25, 10, 26, 11, 27, 12, 28, 13, 29, 14, 30, 15, 31]
++    );
++    (u16x8::from_ne_bytes(first), u16x8::from_ne_bytes(second))
+ }
+ 
+ cfg_if! {
+     if #[cfg(target_feature = "sse2")] {
+         #[inline(always)]
+         pub fn simd_pack(a: u16x8, b: u16x8) -> u8x16 {
+             unsafe {
+-                _mm_packus_epi16(a.into_bits(), b.into_bits()).into_bits()
++                // Safety: We have cfg()d the correct platform
++                _mm_packus_epi16(a.into(), b.into()).into()
+             }
+         }
+     } else {
+         #[inline(always)]
+         pub fn simd_pack(a: u16x8, b: u16x8) -> u8x16 {
+-            unsafe {
+-                let first: u8x16 = a.into_bits();
+-                let second: u8x16 = b.into_bits();
+-                shuffle!(
+-                    first,
+-                    second,
+-                    [0, 2, 4, 6, 8, 10, 12, 14, 16, 18, 20, 22, 24, 26, 28, 30]
+-                )
+-            }
++            let first: u8x16 = a.to_ne_bytes();
++            let second: u8x16 = b.to_ne_bytes();
++            simd_swizzle!(
++                first,
++                second,
++                [0, 2, 4, 6, 8, 10, 12, 14, 16, 18, 20, 22, 24, 26, 28, 30]
++            )
+         }
+     }
+ }
+ 
+ #[cfg(test)]
+ mod tests {
+     use super::*;
+     use alloc::vec::Vec;
+diff --git a/third_party/rust/encoding_rs/src/single_byte.rs b/third_party/rust/encoding_rs/src/single_byte.rs
+--- third_party/rust/encoding_rs/src/single_byte.rs
++++ third_party/rust/encoding_rs/src/single_byte.rs
+@@ -48,16 +48,19 @@ impl SingleByteDecoder {
+                 CopyAsciiResult::GoOn((mut non_ascii, mut handle)) => 'middle: loop {
+                     // Start non-boilerplate
+                     //
+                     // Since the non-ASCIIness of `non_ascii` is hidden from
+                     // the optimizer, it can't figure out that it's OK to
+                     // statically omit the bound check when accessing
+                     // `[u16; 128]` with an index
+                     // `non_ascii as usize - 0x80usize`.
++                    //
++                    // Safety: `non_ascii` is a u8 byte >=0x80, from the invariants
++                    // on Utf8Destination::copy_ascii_from_check_space_bmp()
+                     let mapped =
+                         unsafe { *(self.table.get_unchecked(non_ascii as usize - 0x80usize)) };
+                     // let mapped = self.table[non_ascii as usize - 0x80usize];
+                     if mapped == 0u16 {
+                         return (
+                             DecoderResult::Malformed(1, 0),
+                             source.consumed(),
+                             handle.written(),
+@@ -146,82 +149,103 @@ impl SingleByteDecoder {
+         dst: &mut [u16],
+         _last: bool,
+     ) -> (DecoderResult, usize, usize) {
+         let (pending, length) = if dst.len() < src.len() {
+             (DecoderResult::OutputFull, dst.len())
+         } else {
+             (DecoderResult::InputEmpty, src.len())
+         };
++        // Safety invariant: converted <= length. Quite often we have `converted < length`
++        // which will be separately marked.
+         let mut converted = 0usize;
+         'outermost: loop {
+             match unsafe {
++                // Safety: length is the minimum length, `src/dst + x` will always be valid for reads/writes of `len - x`
+                 ascii_to_basic_latin(
+                     src.as_ptr().add(converted),
+                     dst.as_mut_ptr().add(converted),
+                     length - converted,
+                 )
+             } {
+                 None => {
+                     return (pending, length, length);
+                 }
+                 Some((mut non_ascii, consumed)) => {
++                    // Safety invariant: `converted <= length` upheld, since this can only consume
++                    // up to `length - converted` bytes.
++                    //
++                    // Furthermore, in this context,
++                    // we can assume `converted < length` since this branch is only ever hit when
++                    // ascii_to_basic_latin fails to consume the entire slice
+                     converted += consumed;
+                     'middle: loop {
+                         // `converted` doesn't count the reading of `non_ascii` yet.
+                         // Since the non-ASCIIness of `non_ascii` is hidden from
+                         // the optimizer, it can't figure out that it's OK to
+                         // statically omit the bound check when accessing
+                         // `[u16; 128]` with an index
+                         // `non_ascii as usize - 0x80usize`.
++                        //
++                        // Safety: We can rely on `non_ascii` being between `0x80` and `0xFF` due to
++                        // the invariants of `ascii_to_basic_latin()`, and our table has enough space for that.
+                         let mapped =
+                             unsafe { *(self.table.get_unchecked(non_ascii as usize - 0x80usize)) };
+                         // let mapped = self.table[non_ascii as usize - 0x80usize];
+                         if mapped == 0u16 {
+                             return (
+                                 DecoderResult::Malformed(1, 0),
+                                 converted + 1, // +1 `for non_ascii`
+                                 converted,
+                             );
+                         }
+                         unsafe {
+-                            // The bound check has already been performed
++                            // Safety: As mentioned above, `converted < length`
+                             *(dst.get_unchecked_mut(converted)) = mapped;
+                         }
++                        // Safety: `converted <= length` upheld, since `converted < length` before this
+                         converted += 1;
+                         // Next, handle ASCII punctuation and non-ASCII without
+                         // going back to ASCII acceleration. Non-ASCII scripts
+                         // use ASCII punctuation, so this avoid going to
+                         // acceleration just for punctuation/space and then
+                         // failing. This is a significant boost to non-ASCII
+                         // scripts.
+                         // TODO: Split out Latin converters without this part
+                         // this stuff makes Latin script-conversion slower.
+                         if converted == length {
+                             return (pending, length, length);
+                         }
++                        // Safety: We are back to `converted < length` because of the == above
++                        // and can perform this check.
+                         let mut b = unsafe { *(src.get_unchecked(converted)) };
++                        // Safety: `converted < length` is upheld for this loop
+                         'innermost: loop {
+                             if b > 127 {
+                                 non_ascii = b;
+                                 continue 'middle;
+                             }
+                             // Testing on Haswell says that we should write the
+                             // byte unconditionally instead of trying to unread it
+                             // to make it part of the next SIMD stride.
+                             unsafe {
++                                // Safety: `converted < length` is true for this loop
+                                 *(dst.get_unchecked_mut(converted)) = u16::from(b);
+                             }
++                            // Safety: We are now at `converted <= length`. We should *not* `continue`
++                            // the loop without reverifying
+                             converted += 1;
+                             if b < 60 {
+                                 // We've got punctuation
+                                 if converted == length {
+                                     return (pending, length, length);
+                                 }
++                                // Safety: we're back to `converted <= length` because of the == above
+                                 b = unsafe { *(src.get_unchecked(converted)) };
++                                // Safety: The loop continues as `converted < length`
+                                 continue 'innermost;
+                             }
+                             // We've got markup or ASCII text
+                             continue 'outermost;
+                         }
+                     }
+                 }
+             }
+@@ -229,16 +253,18 @@ impl SingleByteDecoder {
+     }
+ 
+     pub fn latin1_byte_compatible_up_to(&self, buffer: &[u8]) -> usize {
+         let mut bytes = buffer;
+         let mut total = 0;
+         loop {
+             if let Some((non_ascii, offset)) = validate_ascii(bytes) {
+                 total += offset;
++                // Safety: We can rely on `non_ascii` being between `0x80` and `0xFF` due to
++                // the invariants of `ascii_to_basic_latin()`, and our table has enough space for that.
+                 let mapped = unsafe { *(self.table.get_unchecked(non_ascii as usize - 0x80usize)) };
+                 if mapped != u16::from(non_ascii) {
+                     return total;
+                 }
+                 total += 1;
+                 bytes = &bytes[offset + 1..];
+             } else {
+                 return total;
+@@ -379,64 +405,89 @@ impl SingleByteEncoder {
+         dst: &mut [u8],
+         _last: bool,
+     ) -> (EncoderResult, usize, usize) {
+         let (pending, length) = if dst.len() < src.len() {
+             (EncoderResult::OutputFull, dst.len())
+         } else {
+             (EncoderResult::InputEmpty, src.len())
+         };
++        // Safety invariant: converted <= length. Quite often we have `converted < length`
++        // which will be separately marked.
+         let mut converted = 0usize;
+         'outermost: loop {
+             match unsafe {
++                // Safety: length is the minimum length, `src/dst + x` will always be valid for reads/writes of `len - x`
+                 basic_latin_to_ascii(
+                     src.as_ptr().add(converted),
+                     dst.as_mut_ptr().add(converted),
+                     length - converted,
+                 )
+             } {
+                 None => {
+                     return (pending, length, length);
+                 }
+                 Some((mut non_ascii, consumed)) => {
++                    // Safety invariant: `converted <= length` upheld, since this can only consume
++                    // up to `length - converted` bytes.
++                    //
++                    // Furthermore, in this context,
++                    // we can assume `converted < length` since this branch is only ever hit when
++                    // ascii_to_basic_latin fails to consume the entire slice
+                     converted += consumed;
+                     'middle: loop {
+                         // `converted` doesn't count the reading of `non_ascii` yet.
+                         match self.encode_u16(non_ascii) {
+                             Some(byte) => {
+                                 unsafe {
++                                    // Safety: we're allowed this access since `converted < length`
+                                     *(dst.get_unchecked_mut(converted)) = byte;
+                                 }
+                                 converted += 1;
++                                // `converted <= length` now
+                             }
+                             None => {
+                                 // At this point, we need to know if we
+                                 // have a surrogate.
+                                 let high_bits = non_ascii & 0xFC00u16;
+                                 if high_bits == 0xD800u16 {
+                                     // high surrogate
+                                     if converted + 1 == length {
+                                         // End of buffer. This surrogate is unpaired.
+                                         return (
+                                             EncoderResult::Unmappable('\u{FFFD}'),
+                                             converted + 1, // +1 `for non_ascii`
+                                             converted,
+                                         );
+                                     }
++                                    // Safety: convered < length from outside the match, and `converted + 1 != length`,
++                                    // So `converted + 1 < length` as well. We're in bounds
+                                     let second =
+                                         u32::from(unsafe { *src.get_unchecked(converted + 1) });
+                                     if second & 0xFC00u32 != 0xDC00u32 {
+                                         return (
+                                             EncoderResult::Unmappable('\u{FFFD}'),
+                                             converted + 1, // +1 `for non_ascii`
+                                             converted,
+                                         );
+                                     }
+                                     // The next code unit is a low surrogate.
+                                     let astral: char = unsafe {
++                                        // Safety: We can rely on non_ascii being 0xD800-0xDBFF since the high bits are 0xD800
++                                        // Then, (non_ascii << 10 - 0xD800 << 10) becomes between (0 to 0x3FF) << 10, which is between
++                                        // 0x400 to 0xffc00. Adding the 0x10000 gives a range of 0x10400 to 0x10fc00. Subtracting the 0xDC00
++                                        // gives 0x2800 to 0x102000
++                                        // The second term is between 0xDC00 and 0xDFFF from the check above. This gives a maximum
++                                        // possible range of (0x10400 + 0xDC00) to (0x102000 + 0xDFFF) which is 0x1E000 to 0x10ffff.
++                                        // This is in range.
++                                        //
++                                        // From a Unicode principles perspective this can also be verified as we have checked that `non_ascii` is a high surrogate
++                                        // (0xD800..=0xDBFF), and that `second` is a low surrogate (`0xDC00..=0xDFFF`), and we are applying reverse of the UTC16 transformation
++                                        // algorithm <https://en.wikipedia.org/wiki/UTF-16#Code_points_from_U+010000_to_U+10FFFF>, by applying the high surrogate - 0xD800 to the
++                                        // high ten bits, and the low surrogate - 0xDc00 to the low ten bits, and then adding 0x10000
+                                         ::core::char::from_u32_unchecked(
+                                             (u32::from(non_ascii) << 10) + second
+                                                 - (((0xD800u32 << 10) - 0x1_0000u32) + 0xDC00u32),
+                                         )
+                                     };
+                                     return (
+                                         EncoderResult::Unmappable(astral),
+                                         converted + 2, // +2 `for non_ascii` and `second`
+@@ -451,52 +502,63 @@ impl SingleByteEncoder {
+                                         converted,
+                                     );
+                                 }
+                                 return (
+                                     EncoderResult::unmappable_from_bmp(non_ascii),
+                                     converted + 1, // +1 `for non_ascii`
+                                     converted,
+                                 );
++                                // Safety: This branch diverges, so no need to uphold invariants on `converted`
+                             }
+                         }
+                         // Next, handle ASCII punctuation and non-ASCII without
+                         // going back to ASCII acceleration. Non-ASCII scripts
+                         // use ASCII punctuation, so this avoid going to
+                         // acceleration just for punctuation/space and then
+                         // failing. This is a significant boost to non-ASCII
+                         // scripts.
+                         // TODO: Split out Latin converters without this part
+                         // this stuff makes Latin script-conversion slower.
+                         if converted == length {
+                             return (pending, length, length);
+                         }
++                        // Safety: we're back to `converted < length` due to the == above and can perform
++                        // the unchecked read
+                         let mut unit = unsafe { *(src.get_unchecked(converted)) };
+                         'innermost: loop {
++                            // Safety: This loop always begins with `converted < length`, see
++                            // the invariant outside and the comment on the continue below
+                             if unit > 127 {
+                                 non_ascii = unit;
+                                 continue 'middle;
+                             }
+                             // Testing on Haswell says that we should write the
+                             // byte unconditionally instead of trying to unread it
+                             // to make it part of the next SIMD stride.
+                             unsafe {
++                                // Safety: Can rely on converted < length
+                                 *(dst.get_unchecked_mut(converted)) = unit as u8;
+                             }
+                             converted += 1;
++                            // `converted <= length` here
+                             if unit < 60 {
+                                 // We've got punctuation
+                                 if converted == length {
+                                     return (pending, length, length);
+                                 }
++                                // Safety: `converted < length` due to the == above. The read is safe.
+                                 unit = unsafe { *(src.get_unchecked(converted)) };
++                                // Safety: This only happens if `converted < length`, maintaining it
+                                 continue 'innermost;
+                             }
+                             // We've got markup or ASCII text
+                             continue 'outermost;
++                            // Safety: All other routes to here diverge so the continue is the only
++                            // way to run the innermost loop.
+                         }
+                     }
+                 }
+             }
+         }
+     }
+ }
+ 
+diff --git a/third_party/rust/encoding_rs/src/x_user_defined.rs b/third_party/rust/encoding_rs/src/x_user_defined.rs
+--- third_party/rust/encoding_rs/src/x_user_defined.rs
++++ third_party/rust/encoding_rs/src/x_user_defined.rs
+@@ -9,22 +9,23 @@
+ 
+ use super::*;
+ use crate::handles::*;
+ use crate::variant::*;
+ 
+ cfg_if! {
+     if #[cfg(feature = "simd-accel")] {
+         use simd_funcs::*;
+-        use packed_simd::u16x8;
++        use core::simd::u16x8;
++        use core::simd::cmp::SimdPartialOrd;
+ 
+         #[inline(always)]
+         fn shift_upper(unpacked: u16x8) -> u16x8 {
+             let highest_ascii = u16x8::splat(0x7F);
+-            unpacked + unpacked.gt(highest_ascii).select(u16x8::splat(0xF700), u16x8::splat(0))        }
++            unpacked + unpacked.simd_gt(highest_ascii).select(u16x8::splat(0xF700), u16x8::splat(0))        }
+     } else {
+     }
+ }
+ 
+ pub struct UserDefinedDecoder;
+ 
+ impl UserDefinedDecoder {
+     pub fn new() -> VariantDecoder {
+@@ -111,20 +112,25 @@ impl UserDefinedDecoder {
+         } else {
+             (DecoderResult::InputEmpty, src.len())
+         };
+         // Not bothering with alignment
+         let tail_start = length & !0xF;
+         let simd_iterations = length >> 4;
+         let src_ptr = src.as_ptr();
+         let dst_ptr = dst.as_mut_ptr();
++        // Safety: This is `for i in 0..length / 16`
+         for i in 0..simd_iterations {
++            // Safety: This is in bounds: length is the minumum valid length for both src/dst
++            // and i ranges to length/16, so multiplying by 16 will always be `< length` and can do
++            // a 16 byte read
+             let input = unsafe { load16_unaligned(src_ptr.add(i * 16)) };
+             let (first, second) = simd_unpack(input);
+             unsafe {
++                // Safety: same as above, but this is two consecutive 8-byte reads
+                 store8_unaligned(dst_ptr.add(i * 16), shift_upper(first));
+                 store8_unaligned(dst_ptr.add((i * 16) + 8), shift_upper(second));
+             }
+         }
+         let src_tail = &src[tail_start..length];
+         let dst_tail = &mut dst[tail_start..length];
+         src_tail
+             .iter()
+
+--- config/makefiles/rust.mk.orig      2024-08-01 18:27:37.000000000 +0000
++++ config/makefiles/rust.mk
+@@ -249,7 +252,7 @@ endif
+ ifndef RUSTC_BOOTSTRAP
+ RUSTC_BOOTSTRAP := mozglue_static,qcms
+ ifdef MOZ_RUST_SIMD
+-RUSTC_BOOTSTRAP := $(RUSTC_BOOTSTRAP),encoding_rs,packed_simd
++RUSTC_BOOTSTRAP := $(RUSTC_BOOTSTRAP),encoding_rs,any_all_workaround
+ endif
+ export RUSTC_BOOTSTRAP
+ endif



Home | Main Index | Thread Index | Old Index