remove several uses of unsafe (#8600)

This PR removes several uses of `unsafe`. I generally limited myself to
low hanging fruit that I could see. There are still a few remaining uses
of `unsafe` that looked a bit more difficult to remove (if possible at
all). But this gets rid of a good chunk of them.

I put each `unsafe` removal into its own commit with a justification for
why I did it. So I would encourage reviewing this PR commit-by-commit.
That way, we can legislate them independently. It's no problem to drop a
commit if we feel the `unsafe` should stay in that case.

crates/ruff_python_formatter/src/comments/map.rs

@@ -539,11 +539,11 @@ struct PartIndex(NonZeroU32);
 impl PartIndex {
     fn from_len(value: usize) -> Self {
         assert!(value < u32::MAX as usize);
-        // SAFETY:
+        // OK because:
         // * The `value < u32::MAX` guarantees that the add doesn't overflow.
         // * The `+ 1` guarantees that the index is not zero
-        #[allow(unsafe_code, clippy::cast_possible_truncation)]
-        Self(unsafe { std::num::NonZeroU32::new_unchecked((value as u32) + 1) })
+        #[allow(clippy::cast_possible_truncation)]
+        Self(std::num::NonZeroU32::new((value as u32) + 1).expect("valid value"))
     }
 
     fn value(self) -> usize {

crates/ruff_python_formatter/src/expression/binary_like.rs

@@ -1105,9 +1105,8 @@ impl OperatorIndex {
     fn new(index: usize) -> Self {
         assert_eq!(index % 2, 1, "Operator indices must be odd positions");
 
-        // SAFETY A value with a module 0 is guaranteed to never equal 0
-        #[allow(unsafe_code)]
-        Self(unsafe { NonZeroUsize::new_unchecked(index) })
+        // OK because a value with a modulo 1 is guaranteed to never equal 0
+        Self(NonZeroUsize::new(index).expect("valid index"))
     }
 
     const fn value(self) -> usize {