Defend against padding instability

[jswrenn]

In light of rust-lang/rust#129778, we should do more to defend against misconceptions about the durability of padding bytes across moves. For example, FromZeros::new_zeroed returns its value by-move, and so padding bytes within Self may not be 0.

We can do some combination of the following. First, we can aggressively sign-post this risk. As a rule, one shouldn't depend on the value of padding bytes.

Second, we can wrap zeroed types in a type that ensures padding remains preserved; e.g.:

union PaddingStable<T> {
    a: core::mem::ManuallyDrop<T>,
    b: [u8; core::mem::size_of::<u8>()]
}

[RalfJung]

union PaddingStable<T> {
    a: core::mem::ManuallyDrop<T>,
    b: [u8; core::mem::size_of::<u8>()]
}

The last u8 should be T, right?

[jswrenn]

Yeah, that's a typo. Unfortunately, using T there also isn't currently stable. For now, the best we can do is documentation, I think (#1660).

[joshlf]

If we need to add a utility type, we can do that when the need arises.

For now, I'll consider this closed by #1660.