BufWriter: Note non-obvious safety assumption in BorrowedBuf::set_init usage.

CC #78485, #117693.

Author: briansmith

library/std/src/io/copy.rs

@@ -219,9 +219,11 @@ impl<I: Write + ?Sized> BufferedWriterSpec for BufWriter<I> {
         loop {
             let buf = self.buffer_mut();
             let mut read_buf: BorrowedBuf<'_> = buf.spare_capacity_mut().into();
-
             if init {
-                // SAFETY: init is either 0 or the init_len from the previous iteration.
+                // SAFETY: `init` is only true after `reader` initializes `read_buf`.
+                // `flush_buf` won't cause any part of the spare capacity to become uninitialized or
+                // cause `self.buf` to reallocate, so it is OK to persist this across `flush_buf`
+                // calls. FIXME: This seems like a dangerous assumption.
                 unsafe { read_buf.set_init() };
             }