Merge pull request #3131 from dflemstr/less-implicit-panics

Less implicit panics
2025-09-28 21:01:06 +00:00 · 2024-06-28 23:41:02 +00:00 · 2024-06-28 23:41:02 +00:00 · bd0243d12f
commit bd0243d12f
parent 26e660722c 662e97f7b5
18 changed files with 69 additions and 43 deletions
--- a/embassy-boot-nrf/src/lib.rs
+++ b/embassy-boot-nrf/src/lib.rs
@ -20,7 +20,13 @@ impl<const BUFFER_SIZE: usize> BootLoader<BUFFER_SIZE> {
    pub fn prepare<ACTIVE: NorFlash, DFU: NorFlash, STATE: NorFlash>(
        config: BootLoaderConfig<ACTIVE, DFU, STATE>,
    ) -> Self {
-        Self::try_prepare::<ACTIVE, DFU, STATE>(config).expect("Boot prepare error")
+        if let Ok(loader) = Self::try_prepare::<ACTIVE, DFU, STATE>(config) {
            loader
        } else {
            // Use explicit panic instead of .expect() to ensure this gets routed via defmt/etc.
            // properly
            panic!("Boot prepare error")
        }
    }
    /// Inspect the bootloader state and perform actions required before booting, such as swapping firmware
--- a/embassy-boot-rp/src/lib.rs
+++ b/embassy-boot-rp/src/lib.rs
@ -21,7 +21,13 @@ impl<const BUFFER_SIZE: usize> BootLoader<BUFFER_SIZE> {
    pub fn prepare<ACTIVE: NorFlash, DFU: NorFlash, STATE: NorFlash>(
        config: BootLoaderConfig<ACTIVE, DFU, STATE>,
    ) -> Self {
-        Self::try_prepare::<ACTIVE, DFU, STATE>(config).expect("Boot prepare error")
+        if let Ok(loader) = Self::try_prepare::<ACTIVE, DFU, STATE>(config) {
            loader
        } else {
            // Use explicit panic instead of .expect() to ensure this gets routed via defmt/etc.
            // properly
            panic!("Boot prepare error")
        }
    }
    /// Inspect the bootloader state and perform actions required before booting, such as swapping firmware
--- a/embassy-boot-stm32/src/lib.rs
+++ b/embassy-boot-stm32/src/lib.rs
@ -20,7 +20,13 @@ impl BootLoader {
    pub fn prepare<ACTIVE: NorFlash, DFU: NorFlash, STATE: NorFlash, const BUFFER_SIZE: usize>(
        config: BootLoaderConfig<ACTIVE, DFU, STATE>,
    ) -> Self {
-        Self::try_prepare::<ACTIVE, DFU, STATE, BUFFER_SIZE>(config).expect("Boot prepare error")
+        if let Ok(loader) = Self::try_prepare::<ACTIVE, DFU, STATE, BUFFER_SIZE>(config) {
            loader
        } else {
            // Use explicit panic instead of .expect() to ensure this gets routed via defmt/etc.
            // properly
            panic!("Boot prepare error")
        }
    }
    /// Inspect the bootloader state and perform actions required before booting, such as swapping firmware
--- a/embassy-boot/src/test_flash/asynch.rs
+++ b/embassy-boot/src/test_flash/asynch.rs
@ -43,7 +43,7 @@ where
    }
    fn create_partition<T: NorFlash>(mutex: &Mutex<NoopRawMutex, T>) -> Partition<NoopRawMutex, T> {
-        Partition::new(mutex, 0, mutex.try_lock().unwrap().capacity() as u32)
+        Partition::new(mutex, 0, unwrap!(mutex.try_lock()).capacity() as u32)
    }
 }
--- a/embassy-stm32/src/can/bxcan/registers.rs
+++ b/embassy-stm32/src/can/bxcan/registers.rs
@ -299,9 +299,9 @@ impl Registers {
        mb.tdtr().write(|w| w.set_dlc(frame.header().len() as u8));
        mb.tdlr()
-            .write(|w| w.0 = u32::from_ne_bytes(frame.data()[0..4].try_into().unwrap()));
+            .write(|w| w.0 = u32::from_ne_bytes(unwrap!(frame.data()[0..4].try_into())));
        mb.tdhr()
-            .write(|w| w.0 = u32::from_ne_bytes(frame.data()[4..8].try_into().unwrap()));
+            .write(|w| w.0 = u32::from_ne_bytes(unwrap!(frame.data()[4..8].try_into())));
        let id: IdReg = frame.id().into();
        mb.tir().write(|w| {
            w.0 = id.0;
@ -321,7 +321,7 @@ impl Registers {
            data[4..8].copy_from_slice(&mb.tdhr().read().0.to_ne_bytes());
            let len = mb.tdtr().read().dlc();
-            Some(Frame::new(Header::new(id.id(), len, id.rtr()), &data).unwrap())
+            Some(unwrap!(Frame::new(Header::new(id.id(), len, id.rtr()), &data)))
        } else {
            // Abort request failed because the frame was already sent (or being sent) on
            // the bus. All mailboxes are now free. This can happen for small prescaler
@ -404,12 +404,12 @@ impl Registers {
        let rir = fifo.rir().read();
        let id: embedded_can::Id = if rir.ide() == Ide::STANDARD {
-            embedded_can::StandardId::new(rir.stid()).unwrap().into()
+            unwrap!(embedded_can::StandardId::new(rir.stid())).into()
        } else {
            let stid = (rir.stid() & 0x7FF) as u32;
            let exid = rir.exid() & 0x3FFFF;
            let id = (stid << 18) | (exid);
-            embedded_can::ExtendedId::new(id).unwrap().into()
+            unwrap!(embedded_can::ExtendedId::new(id)).into()
        };
        let rdtr = fifo.rdtr().read();
        let data_len = rdtr.dlc();
@ -422,7 +422,7 @@ impl Registers {
        data[0..4].copy_from_slice(&fifo.rdlr().read().0.to_ne_bytes());
        data[4..8].copy_from_slice(&fifo.rdhr().read().0.to_ne_bytes());
-        let frame = Frame::new(Header::new(id, data_len, rtr), &data).unwrap();
+        let frame = unwrap!(Frame::new(Header::new(id, data_len, rtr), &data));
        let envelope = Envelope { ts, frame };
        rfr.modify(|v| v.set_rfom(true));
@ -484,13 +484,9 @@ impl IdReg {
    /// Returns the identifier.
    fn id(self) -> embedded_can::Id {
        if self.is_extended() {
-            embedded_can::ExtendedId::new(self.0 >> Self::EXTENDED_SHIFT)
+            unwrap!(embedded_can::ExtendedId::new(self.0 >> Self::EXTENDED_SHIFT)).into()
                .unwrap()
                .into()
        } else {
-            embedded_can::StandardId::new((self.0 >> Self::STANDARD_SHIFT) as u16)
+            unwrap!(embedded_can::StandardId::new((self.0 >> Self::STANDARD_SHIFT) as u16)).into()
                .unwrap()
                .into()
        }
    }
--- a/embassy-stm32/src/flash/asynch.rs
+++ b/embassy-stm32/src/flash/asynch.rs
@ -117,7 +117,7 @@ pub(super) async unsafe fn write_chunked(base: u32, size: u32, offset: u32, byte
            family::lock();
        });
-        family::write(address, chunk.try_into().unwrap()).await?;
+        family::write(address, unwrap!(chunk.try_into())).await?;
        address += WRITE_SIZE as u32;
    }
    Ok(())
--- a/embassy-stm32/src/flash/common.rs
+++ b/embassy-stm32/src/flash/common.rs
@ -125,7 +125,7 @@ pub(super) unsafe fn write_chunk_unlocked(address: u32, chunk: &[u8]) -> Result<
        family::lock();
    });
-    family::blocking_write(address, chunk.try_into().unwrap())
+    family::blocking_write(address, unwrap!(chunk.try_into()))
 }
 pub(super) unsafe fn write_chunk_with_critical_section(address: u32, chunk: &[u8]) -> Result<(), Error> {
--- a/embassy-stm32/src/flash/f0.rs
+++ b/embassy-stm32/src/flash/f0.rs
@ -37,7 +37,7 @@ pub(crate) unsafe fn disable_blocking_write() {
 pub(crate) unsafe fn blocking_write(start_address: u32, buf: &[u8; WRITE_SIZE]) -> Result<(), Error> {
    let mut address = start_address;
    for chunk in buf.chunks(2) {
-        write_volatile(address as *mut u16, u16::from_le_bytes(chunk.try_into().unwrap()));
+        write_volatile(address as *mut u16, u16::from_le_bytes(unwrap!(chunk.try_into())));
        address += chunk.len() as u32;
        // prevents parallelism errors
--- a/embassy-stm32/src/flash/f1f3.rs
+++ b/embassy-stm32/src/flash/f1f3.rs
@ -37,7 +37,7 @@ pub(crate) unsafe fn disable_blocking_write() {
 pub(crate) unsafe fn blocking_write(start_address: u32, buf: &[u8; WRITE_SIZE]) -> Result<(), Error> {
    let mut address = start_address;
    for chunk in buf.chunks(2) {
-        write_volatile(address as *mut u16, u16::from_le_bytes(chunk.try_into().unwrap()));
+        write_volatile(address as *mut u16, u16::from_le_bytes(unwrap!(chunk.try_into())));
        address += chunk.len() as u32;
        // prevents parallelism errors
--- a/embassy-stm32/src/flash/f4.rs
+++ b/embassy-stm32/src/flash/f4.rs
@ -277,7 +277,7 @@ pub(crate) unsafe fn blocking_write(start_address: u32, buf: &[u8; WRITE_SIZE])
 unsafe fn write_start(start_address: u32, buf: &[u8; WRITE_SIZE]) {
    let mut address = start_address;
    for val in buf.chunks(4) {
-        write_volatile(address as *mut u32, u32::from_le_bytes(val.try_into().unwrap()));
+        write_volatile(address as *mut u32, u32::from_le_bytes(unwrap!(val.try_into())));
        address += val.len() as u32;
        // prevents parallelism errors
@ -379,7 +379,7 @@ fn get_result(sr: Sr) -> Result<(), Error> {
 }
 fn save_data_cache_state() {
-    let dual_bank = get_flash_regions().last().unwrap().bank == FlashBank::Bank2;
+    let dual_bank = unwrap!(get_flash_regions().last()).bank == FlashBank::Bank2;
    if dual_bank {
        // Disable data cache during write/erase if there are two banks, see errata 2.2.12
        let dcen = pac::FLASH.acr().read().dcen();
@ -391,7 +391,7 @@ fn save_data_cache_state() {
 }
 fn restore_data_cache_state() {
-    let dual_bank = get_flash_regions().last().unwrap().bank == FlashBank::Bank2;
+    let dual_bank = unwrap!(get_flash_regions().last()).bank == FlashBank::Bank2;
    if dual_bank {
        // Restore data cache if it was enabled
        let dcen = DATA_CACHE_WAS_ENABLED.load(Ordering::Relaxed);
@ -410,7 +410,7 @@ pub(crate) fn assert_not_corrupted_read(end_address: u32) {
    #[allow(unused)]
    let second_bank_read =
-        get_flash_regions().last().unwrap().bank == FlashBank::Bank2 && end_address > (FLASH_SIZE / 2) as u32;
+        unwrap!(get_flash_regions().last()).bank == FlashBank::Bank2 && end_address > (FLASH_SIZE / 2) as u32;
    #[cfg(any(
        feature = "stm32f427ai",
--- a/embassy-stm32/src/flash/f7.rs
+++ b/embassy-stm32/src/flash/f7.rs
@ -40,7 +40,7 @@ pub(crate) unsafe fn disable_blocking_write() {
 pub(crate) unsafe fn blocking_write(start_address: u32, buf: &[u8; WRITE_SIZE]) -> Result<(), Error> {
    let mut address = start_address;
    for val in buf.chunks(4) {
-        write_volatile(address as *mut u32, u32::from_le_bytes(val.try_into().unwrap()));
+        write_volatile(address as *mut u32, u32::from_le_bytes(unwrap!(val.try_into())));
        address += val.len() as u32;
        // prevents parallelism errors
--- a/embassy-stm32/src/flash/g.rs
+++ b/embassy-stm32/src/flash/g.rs
@ -41,7 +41,7 @@ pub(crate) unsafe fn disable_blocking_write() {
 pub(crate) unsafe fn blocking_write(start_address: u32, buf: &[u8; WRITE_SIZE]) -> Result<(), Error> {
    let mut address = start_address;
    for val in buf.chunks(4) {
-        write_volatile(address as *mut u32, u32::from_le_bytes(val.try_into().unwrap()));
+        write_volatile(address as *mut u32, u32::from_le_bytes(unwrap!(val.try_into())));
        address += val.len() as u32;
        // prevents parallelism errors
--- a/embassy-stm32/src/flash/h50.rs
+++ b/embassy-stm32/src/flash/h50.rs
@ -44,7 +44,7 @@ pub(crate) unsafe fn disable_blocking_write() {
 pub(crate) unsafe fn blocking_write(start_address: u32, buf: &[u8; WRITE_SIZE]) -> Result<(), Error> {
    let mut address = start_address;
    for val in buf.chunks(4) {
-        write_volatile(address as *mut u32, u32::from_le_bytes(val.try_into().unwrap()));
+        write_volatile(address as *mut u32, u32::from_le_bytes(unwrap!(val.try_into())));
        address += val.len() as u32;
        // prevents parallelism errors
--- a/embassy-stm32/src/flash/h7.rs
+++ b/embassy-stm32/src/flash/h7.rs
@ -62,7 +62,7 @@ pub(crate) unsafe fn blocking_write(start_address: u32, buf: &[u8; WRITE_SIZE])
    let mut res = None;
    let mut address = start_address;
    for val in buf.chunks(4) {
-        write_volatile(address as *mut u32, u32::from_le_bytes(val.try_into().unwrap()));
+        write_volatile(address as *mut u32, u32::from_le_bytes(unwrap!(val.try_into())));
        address += val.len() as u32;
        res = Some(blocking_wait_ready(bank));
@ -71,7 +71,7 @@ pub(crate) unsafe fn blocking_write(start_address: u32, buf: &[u8; WRITE_SIZE])
                w.set_eop(true);
            }
        });
-        if res.unwrap().is_err() {
+        if unwrap!(res).is_err() {
            break;
        }
    }
@ -82,7 +82,7 @@ pub(crate) unsafe fn blocking_write(start_address: u32, buf: &[u8; WRITE_SIZE])
    bank.cr().write(|w| w.set_pg(false));
-    res.unwrap()
+    unwrap!(res)
 }
 pub(crate) unsafe fn blocking_erase_sector(sector: &FlashSector) -> Result<(), Error> {
--- a/embassy-stm32/src/flash/l.rs
+++ b/embassy-stm32/src/flash/l.rs
@ -63,7 +63,7 @@ pub(crate) unsafe fn disable_blocking_write() {
 pub(crate) unsafe fn blocking_write(start_address: u32, buf: &[u8; WRITE_SIZE]) -> Result<(), Error> {
    let mut address = start_address;
    for val in buf.chunks(4) {
-        write_volatile(address as *mut u32, u32::from_le_bytes(val.try_into().unwrap()));
+        write_volatile(address as *mut u32, u32::from_le_bytes(unwrap!(val.try_into())));
        address += val.len() as u32;
        // prevents parallelism errors
--- a/embassy-stm32/src/flash/u0.rs
+++ b/embassy-stm32/src/flash/u0.rs
@ -41,7 +41,7 @@ pub(crate) unsafe fn disable_blocking_write() {
 pub(crate) unsafe fn blocking_write(start_address: u32, buf: &[u8; WRITE_SIZE]) -> Result<(), Error> {
    let mut address = start_address;
    for val in buf.chunks(4) {
-        write_volatile(address as *mut u32, u32::from_le_bytes(val.try_into().unwrap()));
+        write_volatile(address as *mut u32, u32::from_le_bytes(unwrap!(val.try_into())));
        address += val.len() as u32;
        // prevents parallelism errors
--- a/embassy-stm32/src/flash/u5.rs
+++ b/embassy-stm32/src/flash/u5.rs
@ -56,7 +56,7 @@ pub(crate) unsafe fn disable_blocking_write() {
 pub(crate) unsafe fn blocking_write(start_address: u32, buf: &[u8; WRITE_SIZE]) -> Result<(), Error> {
    let mut address = start_address;
    for val in buf.chunks(4) {
-        write_volatile(address as *mut u32, u32::from_le_bytes(val.try_into().unwrap()));
+        write_volatile(address as *mut u32, u32::from_le_bytes(unwrap!(val.try_into())));
        address += val.len() as u32;
        // prevents parallelism errors
--- a/embassy-stm32/src/rcc/mod.rs
+++ b/embassy-stm32/src/rcc/mod.rs
@ -138,11 +138,17 @@ impl RccInfo {
    pub(crate) fn enable_and_reset_with_cs(&self, _cs: CriticalSection) {
        if self.refcount_idx_or_0xff != 0xff {
            let refcount_idx = self.refcount_idx_or_0xff as usize;
-            unsafe {
+
-                crate::_generated::REFCOUNTS[refcount_idx] += 1;
+            // Use .get_mut instead of []-operator so that we control how bounds checks happen.
-            }
+            // Otherwise, core::fmt will be pulled in here in order to format the integer in the
-            if unsafe { crate::_generated::REFCOUNTS[refcount_idx] } > 1 {
+            // out-of-bounds error.
-                return;
+            if let Some(refcount) = unsafe { crate::_generated::REFCOUNTS.get_mut(refcount_idx) } {
                *refcount += 1;
                if *refcount > 1 {
                    return;
                }
            } else {
                panic!("refcount_idx out of bounds: {}", refcount_idx)
            }
        }
@ -196,11 +202,17 @@ impl RccInfo {
    pub(crate) fn disable_with_cs(&self, _cs: CriticalSection) {
        if self.refcount_idx_or_0xff != 0xff {
            let refcount_idx = self.refcount_idx_or_0xff as usize;
-            unsafe {
+
-                crate::_generated::REFCOUNTS[refcount_idx] -= 1;
+            // Use .get_mut instead of []-operator so that we control how bounds checks happen.
-            }
+            // Otherwise, core::fmt will be pulled in here in order to format the integer in the
-            if unsafe { crate::_generated::REFCOUNTS[refcount_idx] } > 0 {
+            // out-of-bounds error.
-                return;
+            if let Some(refcount) = unsafe { crate::_generated::REFCOUNTS.get_mut(refcount_idx) } {
                *refcount -= 1;
                if *refcount > 0 {
                    return;
                }
            } else {
                panic!("refcount_idx out of bounds: {}", refcount_idx)
            }
        }