Merge pull request #3131 from dflemstr/less-implicit-panics

Less implicit panics

18 files changed, 69 insertions, 43 deletions

diff --git a/embassy-boot-nrf/src/lib.rs b/embassy-boot-nrf/src/lib.rs
index d53e78895..e5bc870b5 100644
--- a/embassy-boot-nrf/src/lib.rs
+++ b/embassy-boot-nrf/src/lib.rs
@@ -20,7 +20,13 @@ impl<const BUFFER_SIZE: usize> BootLoader<BUFFER_SIZE> {
     pub fn prepare<ACTIVE: NorFlash, DFU: NorFlash, STATE: NorFlash>(
         config: BootLoaderConfig<ACTIVE, DFU, STATE>,
     ) -> Self {
-        Self::try_prepare::<ACTIVE, DFU, STATE>(config).expect("Boot prepare error")
+        if let Ok(loader) = Self::try_prepare::<ACTIVE, DFU, STATE>(config) {
+            loader
+        } else {
+            // Use explicit panic instead of .expect() to ensure this gets routed via defmt/etc.
+            // properly
+            panic!("Boot prepare error")
+        }
     }
 
     /// Inspect the bootloader state and perform actions required before booting, such as swapping firmware
diff --git a/embassy-boot-rp/src/lib.rs b/embassy-boot-rp/src/lib.rs
index d0a393bed..3e1731f5e 100644
--- a/embassy-boot-rp/src/lib.rs
+++ b/embassy-boot-rp/src/lib.rs
@@ -21,7 +21,13 @@ impl<const BUFFER_SIZE: usize> BootLoader<BUFFER_SIZE> {
     pub fn prepare<ACTIVE: NorFlash, DFU: NorFlash, STATE: NorFlash>(
         config: BootLoaderConfig<ACTIVE, DFU, STATE>,
     ) -> Self {
-        Self::try_prepare::<ACTIVE, DFU, STATE>(config).expect("Boot prepare error")
+        if let Ok(loader) = Self::try_prepare::<ACTIVE, DFU, STATE>(config) {
+            loader
+        } else {
+            // Use explicit panic instead of .expect() to ensure this gets routed via defmt/etc.
+            // properly
+            panic!("Boot prepare error")
+        }
     }
 
     /// Inspect the bootloader state and perform actions required before booting, such as swapping firmware
diff --git a/embassy-boot-stm32/src/lib.rs b/embassy-boot-stm32/src/lib.rs
index 708441835..387cc0ce5 100644
--- a/embassy-boot-stm32/src/lib.rs
+++ b/embassy-boot-stm32/src/lib.rs
@@ -20,7 +20,13 @@ impl BootLoader {
     pub fn prepare<ACTIVE: NorFlash, DFU: NorFlash, STATE: NorFlash, const BUFFER_SIZE: usize>(
         config: BootLoaderConfig<ACTIVE, DFU, STATE>,
     ) -> Self {
-        Self::try_prepare::<ACTIVE, DFU, STATE, BUFFER_SIZE>(config).expect("Boot prepare error")
+        if let Ok(loader) = Self::try_prepare::<ACTIVE, DFU, STATE, BUFFER_SIZE>(config) {
+            loader
+        } else {
+            // Use explicit panic instead of .expect() to ensure this gets routed via defmt/etc.
+            // properly
+            panic!("Boot prepare error")
+        }
     }
 
     /// Inspect the bootloader state and perform actions required before booting, such as swapping firmware
diff --git a/embassy-boot/src/test_flash/asynch.rs b/embassy-boot/src/test_flash/asynch.rs
index 3ac9e71ab..c67f2495c 100644
--- a/embassy-boot/src/test_flash/asynch.rs
+++ b/embassy-boot/src/test_flash/asynch.rs
@@ -43,7 +43,7 @@ where
     }
 
     fn create_partition<T: NorFlash>(mutex: &Mutex<NoopRawMutex, T>) -> Partition<NoopRawMutex, T> {
-        Partition::new(mutex, 0, mutex.try_lock().unwrap().capacity() as u32)
+        Partition::new(mutex, 0, unwrap!(mutex.try_lock()).capacity() as u32)
     }
 }
 
diff --git a/embassy-stm32/src/can/bxcan/registers.rs b/embassy-stm32/src/can/bxcan/registers.rs
index 5f3d70e25..c5de1c683 100644
--- a/embassy-stm32/src/can/bxcan/registers.rs
+++ b/embassy-stm32/src/can/bxcan/registers.rs
@@ -299,9 +299,9 @@ impl Registers {
         mb.tdtr().write(|w| w.set_dlc(frame.header().len() as u8));
 
         mb.tdlr()
-            .write(|w| w.0 = u32::from_ne_bytes(frame.data()[0..4].try_into().unwrap()));
+            .write(|w| w.0 = u32::from_ne_bytes(unwrap!(frame.data()[0..4].try_into())));
         mb.tdhr()
-            .write(|w| w.0 = u32::from_ne_bytes(frame.data()[4..8].try_into().unwrap()));
+            .write(|w| w.0 = u32::from_ne_bytes(unwrap!(frame.data()[4..8].try_into())));
         let id: IdReg = frame.id().into();
         mb.tir().write(|w| {
             w.0 = id.0;
@@ -321,7 +321,7 @@ impl Registers {
             data[4..8].copy_from_slice(&mb.tdhr().read().0.to_ne_bytes());
             let len = mb.tdtr().read().dlc();
 
-            Some(Frame::new(Header::new(id.id(), len, id.rtr()), &data).unwrap())
+            Some(unwrap!(Frame::new(Header::new(id.id(), len, id.rtr()), &data)))
         } else {
             // Abort request failed because the frame was already sent (or being sent) on
             // the bus. All mailboxes are now free. This can happen for small prescaler
@@ -404,12 +404,12 @@ impl Registers {
 
         let rir = fifo.rir().read();
         let id: embedded_can::Id = if rir.ide() == Ide::STANDARD {
-            embedded_can::StandardId::new(rir.stid()).unwrap().into()
+            unwrap!(embedded_can::StandardId::new(rir.stid())).into()
         } else {
             let stid = (rir.stid() & 0x7FF) as u32;
             let exid = rir.exid() & 0x3FFFF;
             let id = (stid << 18) | (exid);
-            embedded_can::ExtendedId::new(id).unwrap().into()
+            unwrap!(embedded_can::ExtendedId::new(id)).into()
         };
         let rdtr = fifo.rdtr().read();
         let data_len = rdtr.dlc();
@@ -422,7 +422,7 @@ impl Registers {
         data[0..4].copy_from_slice(&fifo.rdlr().read().0.to_ne_bytes());
         data[4..8].copy_from_slice(&fifo.rdhr().read().0.to_ne_bytes());
 
-        let frame = Frame::new(Header::new(id, data_len, rtr), &data).unwrap();
+        let frame = unwrap!(Frame::new(Header::new(id, data_len, rtr), &data));
         let envelope = Envelope { ts, frame };
 
         rfr.modify(|v| v.set_rfom(true));
@@ -484,13 +484,9 @@ impl IdReg {
     /// Returns the identifier.
     fn id(self) -> embedded_can::Id {
         if self.is_extended() {
-            embedded_can::ExtendedId::new(self.0 >> Self::EXTENDED_SHIFT)
-                .unwrap()
-                .into()
+            unwrap!(embedded_can::ExtendedId::new(self.0 >> Self::EXTENDED_SHIFT)).into()
         } else {
-            embedded_can::StandardId::new((self.0 >> Self::STANDARD_SHIFT) as u16)
-                .unwrap()
-                .into()
+            unwrap!(embedded_can::StandardId::new((self.0 >> Self::STANDARD_SHIFT) as u16)).into()
         }
     }
 
diff --git a/embassy-stm32/src/flash/asynch.rs b/embassy-stm32/src/flash/asynch.rs
index 97eaece81..9468ac632 100644
--- a/embassy-stm32/src/flash/asynch.rs
+++ b/embassy-stm32/src/flash/asynch.rs
@@ -117,7 +117,7 @@ pub(super) async unsafe fn write_chunked(base: u32, size: u32, offset: u32, byte
             family::lock();
         });
 
-        family::write(address, chunk.try_into().unwrap()).await?;
+        family::write(address, unwrap!(chunk.try_into())).await?;
         address += WRITE_SIZE as u32;
     }
     Ok(())
diff --git a/embassy-stm32/src/flash/common.rs b/embassy-stm32/src/flash/common.rs
index f8561edb3..8ec4bb2a1 100644
--- a/embassy-stm32/src/flash/common.rs
+++ b/embassy-stm32/src/flash/common.rs
@@ -125,7 +125,7 @@ pub(super) unsafe fn write_chunk_unlocked(address: u32, chunk: &[u8]) -> Result<
         family::lock();
     });
 
-    family::blocking_write(address, chunk.try_into().unwrap())
+    family::blocking_write(address, unwrap!(chunk.try_into()))
 }
 
 pub(super) unsafe fn write_chunk_with_critical_section(address: u32, chunk: &[u8]) -> Result<(), Error> {
diff --git a/embassy-stm32/src/flash/f0.rs b/embassy-stm32/src/flash/f0.rs
index e2f135208..402312f68 100644
--- a/embassy-stm32/src/flash/f0.rs
+++ b/embassy-stm32/src/flash/f0.rs
@@ -37,7 +37,7 @@ pub(crate) unsafe fn disable_blocking_write() {
 pub(crate) unsafe fn blocking_write(start_address: u32, buf: &[u8; WRITE_SIZE]) -> Result<(), Error> {
     let mut address = start_address;
     for chunk in buf.chunks(2) {
-        write_volatile(address as *mut u16, u16::from_le_bytes(chunk.try_into().unwrap()));
+        write_volatile(address as *mut u16, u16::from_le_bytes(unwrap!(chunk.try_into())));
         address += chunk.len() as u32;
 
         // prevents parallelism errors
diff --git a/embassy-stm32/src/flash/f1f3.rs b/embassy-stm32/src/flash/f1f3.rs
index b16354a74..e66842e31 100644
--- a/embassy-stm32/src/flash/f1f3.rs
+++ b/embassy-stm32/src/flash/f1f3.rs
@@ -37,7 +37,7 @@ pub(crate) unsafe fn disable_blocking_write() {
 pub(crate) unsafe fn blocking_write(start_address: u32, buf: &[u8; WRITE_SIZE]) -> Result<(), Error> {
     let mut address = start_address;
     for chunk in buf.chunks(2) {
-        write_volatile(address as *mut u16, u16::from_le_bytes(chunk.try_into().unwrap()));
+        write_volatile(address as *mut u16, u16::from_le_bytes(unwrap!(chunk.try_into())));
         address += chunk.len() as u32;
 
         // prevents parallelism errors
diff --git a/embassy-stm32/src/flash/f4.rs b/embassy-stm32/src/flash/f4.rs
index 2634fba37..d0bb957ee 100644
--- a/embassy-stm32/src/flash/f4.rs
+++ b/embassy-stm32/src/flash/f4.rs
@@ -277,7 +277,7 @@ pub(crate) unsafe fn blocking_write(start_address: u32, buf: &[u8; WRITE_SIZE])
 unsafe fn write_start(start_address: u32, buf: &[u8; WRITE_SIZE]) {
     let mut address = start_address;
     for val in buf.chunks(4) {
-        write_volatile(address as *mut u32, u32::from_le_bytes(val.try_into().unwrap()));
+        write_volatile(address as *mut u32, u32::from_le_bytes(unwrap!(val.try_into())));
         address += val.len() as u32;
 
         // prevents parallelism errors
@@ -379,7 +379,7 @@ fn get_result(sr: Sr) -> Result<(), Error> {
 }
 
 fn save_data_cache_state() {
-    let dual_bank = get_flash_regions().last().unwrap().bank == FlashBank::Bank2;
+    let dual_bank = unwrap!(get_flash_regions().last()).bank == FlashBank::Bank2;
     if dual_bank {
         // Disable data cache during write/erase if there are two banks, see errata 2.2.12
         let dcen = pac::FLASH.acr().read().dcen();
@@ -391,7 +391,7 @@ fn save_data_cache_state() {
 }
 
 fn restore_data_cache_state() {
-    let dual_bank = get_flash_regions().last().unwrap().bank == FlashBank::Bank2;
+    let dual_bank = unwrap!(get_flash_regions().last()).bank == FlashBank::Bank2;
     if dual_bank {
         // Restore data cache if it was enabled
         let dcen = DATA_CACHE_WAS_ENABLED.load(Ordering::Relaxed);
@@ -410,7 +410,7 @@ pub(crate) fn assert_not_corrupted_read(end_address: u32) {
 
     #[allow(unused)]
     let second_bank_read =
-        get_flash_regions().last().unwrap().bank == FlashBank::Bank2 && end_address > (FLASH_SIZE / 2) as u32;
+        unwrap!(get_flash_regions().last()).bank == FlashBank::Bank2 && end_address > (FLASH_SIZE / 2) as u32;
 
     #[cfg(any(
         feature = "stm32f427ai",
diff --git a/embassy-stm32/src/flash/f7.rs b/embassy-stm32/src/flash/f7.rs
index 72de0b445..09ebe9db9 100644
--- a/embassy-stm32/src/flash/f7.rs
+++ b/embassy-stm32/src/flash/f7.rs
@@ -40,7 +40,7 @@ pub(crate) unsafe fn disable_blocking_write() {
 pub(crate) unsafe fn blocking_write(start_address: u32, buf: &[u8; WRITE_SIZE]) -> Result<(), Error> {
     let mut address = start_address;
     for val in buf.chunks(4) {
-        write_volatile(address as *mut u32, u32::from_le_bytes(val.try_into().unwrap()));
+        write_volatile(address as *mut u32, u32::from_le_bytes(unwrap!(val.try_into())));
         address += val.len() as u32;
 
         // prevents parallelism errors
diff --git a/embassy-stm32/src/flash/g.rs b/embassy-stm32/src/flash/g.rs
index 6a5adc941..01a0c603f 100644
--- a/embassy-stm32/src/flash/g.rs
+++ b/embassy-stm32/src/flash/g.rs
@@ -41,7 +41,7 @@ pub(crate) unsafe fn disable_blocking_write() {
 pub(crate) unsafe fn blocking_write(start_address: u32, buf: &[u8; WRITE_SIZE]) -> Result<(), Error> {
     let mut address = start_address;
     for val in buf.chunks(4) {
-        write_volatile(address as *mut u32, u32::from_le_bytes(val.try_into().unwrap()));
+        write_volatile(address as *mut u32, u32::from_le_bytes(unwrap!(val.try_into())));
         address += val.len() as u32;
 
         // prevents parallelism errors
diff --git a/embassy-stm32/src/flash/h50.rs b/embassy-stm32/src/flash/h50.rs
index 56ea7a421..82e77d130 100644
--- a/embassy-stm32/src/flash/h50.rs
+++ b/embassy-stm32/src/flash/h50.rs
@@ -44,7 +44,7 @@ pub(crate) unsafe fn disable_blocking_write() {
 pub(crate) unsafe fn blocking_write(start_address: u32, buf: &[u8; WRITE_SIZE]) -> Result<(), Error> {
     let mut address = start_address;
     for val in buf.chunks(4) {
-        write_volatile(address as *mut u32, u32::from_le_bytes(val.try_into().unwrap()));
+        write_volatile(address as *mut u32, u32::from_le_bytes(unwrap!(val.try_into())));
         address += val.len() as u32;
 
         // prevents parallelism errors
diff --git a/embassy-stm32/src/flash/h7.rs b/embassy-stm32/src/flash/h7.rs
index e32a82eef..254915381 100644
--- a/embassy-stm32/src/flash/h7.rs
+++ b/embassy-stm32/src/flash/h7.rs
@@ -62,7 +62,7 @@ pub(crate) unsafe fn blocking_write(start_address: u32, buf: &[u8; WRITE_SIZE])
     let mut res = None;
     let mut address = start_address;
     for val in buf.chunks(4) {
-        write_volatile(address as *mut u32, u32::from_le_bytes(val.try_into().unwrap()));
+        write_volatile(address as *mut u32, u32::from_le_bytes(unwrap!(val.try_into())));
         address += val.len() as u32;
 
         res = Some(blocking_wait_ready(bank));
@@ -71,7 +71,7 @@ pub(crate) unsafe fn blocking_write(start_address: u32, buf: &[u8; WRITE_SIZE])
                 w.set_eop(true);
             }
         });
-        if res.unwrap().is_err() {
+        if unwrap!(res).is_err() {
             break;
         }
     }
@@ -82,7 +82,7 @@ pub(crate) unsafe fn blocking_write(start_address: u32, buf: &[u8; WRITE_SIZE])
 
     bank.cr().write(|w| w.set_pg(false));
 
-    res.unwrap()
+    unwrap!(res)
 }
 
 pub(crate) unsafe fn blocking_erase_sector(sector: &FlashSector) -> Result<(), Error> {
diff --git a/embassy-stm32/src/flash/l.rs b/embassy-stm32/src/flash/l.rs
index b14224bff..a0bfeb395 100644
--- a/embassy-stm32/src/flash/l.rs
+++ b/embassy-stm32/src/flash/l.rs
@@ -63,7 +63,7 @@ pub(crate) unsafe fn disable_blocking_write() {
 pub(crate) unsafe fn blocking_write(start_address: u32, buf: &[u8; WRITE_SIZE]) -> Result<(), Error> {
     let mut address = start_address;
     for val in buf.chunks(4) {
-        write_volatile(address as *mut u32, u32::from_le_bytes(val.try_into().unwrap()));
+        write_volatile(address as *mut u32, u32::from_le_bytes(unwrap!(val.try_into())));
         address += val.len() as u32;
 
         // prevents parallelism errors
diff --git a/embassy-stm32/src/flash/u0.rs b/embassy-stm32/src/flash/u0.rs
index dfc5a2f76..bfdbd15a5 100644
--- a/embassy-stm32/src/flash/u0.rs
+++ b/embassy-stm32/src/flash/u0.rs
@@ -41,7 +41,7 @@ pub(crate) unsafe fn disable_blocking_write() {
 pub(crate) unsafe fn blocking_write(start_address: u32, buf: &[u8; WRITE_SIZE]) -> Result<(), Error> {
     let mut address = start_address;
     for val in buf.chunks(4) {
-        write_volatile(address as *mut u32, u32::from_le_bytes(val.try_into().unwrap()));
+        write_volatile(address as *mut u32, u32::from_le_bytes(unwrap!(val.try_into())));
         address += val.len() as u32;
 
         // prevents parallelism errors
diff --git a/embassy-stm32/src/flash/u5.rs b/embassy-stm32/src/flash/u5.rs
index ddd4d73ff..0601017ce 100644
--- a/embassy-stm32/src/flash/u5.rs
+++ b/embassy-stm32/src/flash/u5.rs
@@ -56,7 +56,7 @@ pub(crate) unsafe fn disable_blocking_write() {
 pub(crate) unsafe fn blocking_write(start_address: u32, buf: &[u8; WRITE_SIZE]) -> Result<(), Error> {
     let mut address = start_address;
     for val in buf.chunks(4) {
-        write_volatile(address as *mut u32, u32::from_le_bytes(val.try_into().unwrap()));
+        write_volatile(address as *mut u32, u32::from_le_bytes(unwrap!(val.try_into())));
         address += val.len() as u32;
 
         // prevents parallelism errors
diff --git a/embassy-stm32/src/rcc/mod.rs b/embassy-stm32/src/rcc/mod.rs
index 0bf344c40..024c63cf5 100644
--- a/embassy-stm32/src/rcc/mod.rs
+++ b/embassy-stm32/src/rcc/mod.rs
@@ -138,11 +138,17 @@ impl RccInfo {
     pub(crate) fn enable_and_reset_with_cs(&self, _cs: CriticalSection) {
         if self.refcount_idx_or_0xff != 0xff {
             let refcount_idx = self.refcount_idx_or_0xff as usize;
-            unsafe {
-                crate::_generated::REFCOUNTS[refcount_idx] += 1;
-            }
-            if unsafe { crate::_generated::REFCOUNTS[refcount_idx] } > 1 {
-                return;
+
+            // Use .get_mut instead of []-operator so that we control how bounds checks happen.
+            // Otherwise, core::fmt will be pulled in here in order to format the integer in the
+            // out-of-bounds error.
+            if let Some(refcount) = unsafe { crate::_generated::REFCOUNTS.get_mut(refcount_idx) } {
+                *refcount += 1;
+                if *refcount > 1 {
+                    return;
+                }
+            } else {
+                panic!("refcount_idx out of bounds: {}", refcount_idx)
             }
         }
 
@@ -196,11 +202,17 @@ impl RccInfo {
     pub(crate) fn disable_with_cs(&self, _cs: CriticalSection) {
         if self.refcount_idx_or_0xff != 0xff {
             let refcount_idx = self.refcount_idx_or_0xff as usize;
-            unsafe {
-                crate::_generated::REFCOUNTS[refcount_idx] -= 1;
-            }
-            if unsafe { crate::_generated::REFCOUNTS[refcount_idx] } > 0 {
-                return;
+
+            // Use .get_mut instead of []-operator so that we control how bounds checks happen.
+            // Otherwise, core::fmt will be pulled in here in order to format the integer in the
+            // out-of-bounds error.
+            if let Some(refcount) = unsafe { crate::_generated::REFCOUNTS.get_mut(refcount_idx) } {
+                *refcount -= 1;
+                if *refcount > 0 {
+                    return;
+                }
+            } else {
+                panic!("refcount_idx out of bounds: {}", refcount_idx)
             }
         }