decode: use exact decoded length rather than estimation

[mina86]

Fixes: #210
Fixes: #212

[mina86]

By the way, I’m beginning to think that the interface for the internal_decode should be completely changed. Specifically to something like:

fn internal_decode(
    dst: *mut [MaybeUninit<u8>],
    src: *const [u8],
) -> Result<(), DecodeError>;

With the following contract:

• (*dst).len() / 3 == (*src).len() / 4,
• (*dst).len() % 3 == (*src).len() % 4 == 0,
• source has no padding bytes and
• dst and src either do not overlap, or dst as *mut () == src as *const ().

This would help address the following issues:

• FR: Provide decode_inplace function #190,
• Precise length checking in decode_slice #210,
• 0.21.0: decode_slice: Unexpected behavior for exact-size output slice #212,
• DecoderReader accepts incorrect input #226 and make those optimisations sound:
• perf(decode): optimize Vec alloc/resize #179 and
• perf(encode): vec alloc & utf8 unchecked #180.

[tgross35]

@mina86 any chance you are able to push this over the line? The author suggested in #210 (comment) that maybe this could be split up into smaller PRs.

By the way, I’m beginning to think that the interface for the internal_decode should be completely changed. Specifically to something like:

fn internal_decode(
    dst: *mut [MaybeUninit<u8>],
    src: *const [u8],
) -> Result<(), DecodeError>;

FYI this would need to be an unsafe function, and MaybeUninit doesn't add anything to integers (since all possible byte representations are valid integers)

[marshallpierce]

I'm quite happy to rearrange APIs to have nice new features, but unsafe is going to be a pretty hard sell. It adds quite a burden on users who are in environments that require auditing all unsafe.