Safe CFRunLoop methods accept and dereference a raw pointer

[kevinmehall]

The CFRunLoop methods add_timer, remove_timer contains_source, add_source, remove_source, contains_observer, add_observer, remove_observer accept an argument mode of type CFRunLoopMode, which is a type alias for *const __CFString. This parameter is passed on to the underlying functions which dereference it, so these methods are unsound because nothing prevents safe code from passing an invalid pointer.

I confirmed that the following line without unsafe segfaults:

run_loop.add_source(&source.unwrap(), 0x1234 as *mut _)

Ironically, correct usage requires unsafe, because the kCFRunLoopDefaultMode and kCFRunLoopCommonModes that are normally passed here are extern statics that requires unsafe to access.