Make some safety guarantees about deserialize_safe & internal_validate functions

[Dr-Emann]

At least for rust bindings, I'd like to be able to guarantee that:

• roaring{,64}_bitmap_internal_validate will never lead to Undefined Behavior (segfaults, etc) when called on a bitmap returned from a deserialize_safe function
• If roaring{,64}_bitmap_internal_validate returns true on a bitmap returned from a deserialize_safe function, that bitmap is valid and no valid use of that bitmap can lead to Undefined Behavior.
• Calling roaring{,64}_bitmap_free/roaring_bitmap_clear on a bitmap returned from a deserialize_safe function - even if the bitmap would return false from internal_validate - will not lead to undefined behavior or memory leaks.

Originally posted by @Dr-Emann in #661 (comment)

[lemire]

The first step would be to add testing.

Contributions welcome!

[lemire]

@Dr-Emann Bugs are always possible, but I think that we have made significant steps forward.

I would recommend closing this issue. From now on, if any of the statements you make is found to be untrue, we have a bug.

Thoughts?

[Dr-Emann]

Works for me. The rust fuzzers have been running for the past 2 weeks with no findings.

Do we want to put any of the guarantees into the header itself?

[lemire]

Ok. I will issue a PR about guarantees.