From 73c76ebb9a4899d19b768d6dd4668a3b126a8f31 Mon Sep 17 00:00:00 2001
From: whitequark
Date: Mon, 2 Oct 2017 03:09:46 +0000
Subject: [PATCH] firmware: eliminate most transmutes and document the rest. NFC.
---
 artiq/firmware/ksupport/eh.rs | 2 +-
 artiq/firmware/ksupport/lib.rs | 2 +-
 artiq/firmware/liblogger_artiq/lib.rs | 5 ++---
 artiq/firmware/runtime/session.rs | 4 +++-
 4 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/artiq/firmware/ksupport/eh.rs b/artiq/firmware/ksupport/eh.rs
index 05f7a68a0..ef2bf96cf 100644
--- a/artiq/firmware/ksupport/eh.rs
+++ b/artiq/firmware/ksupport/eh.rs
@@ -409,7 +409,7 @@ static mut INFLIGHT: ExceptionInfo = ExceptionInfo {
 #[export_name="__artiq_raise"]
 #[unwind]
 pub unsafe extern fn raise(exception: *const Exception) -> ! {
- // Zing! The Exception<'a> as Exception<'static> cast is not really sound in case
+ // Zing! The Exception<'a> to Exception<'static> transmute is not really sound in case
 // the exception is ever captured. Fortunately, they currently aren't, and we save
 // on the hassle of having to allocate exceptions somewhere except on stack.
 INFLIGHT.exception = Some(mem::transmute::>(*exception));
diff --git a/artiq/firmware/ksupport/lib.rs b/artiq/firmware/ksupport/lib.rs
index 904c069e1..0f3112af8 100644
--- a/artiq/firmware/ksupport/lib.rs
+++ b/artiq/firmware/ksupport/lib.rs
@@ -34,7 +34,7 @@ fn send(request: &Message) {
 fn recv R>(f: F) -> R {
 while mailbox::receive() == 0 {}
- let result = f(unsafe { mem::transmute::(mailbox::receive()) });
+ let result = f(unsafe { &*(mailbox::receive() as *const Message) });
 mailbox::acknowledge();
 result
 }
diff --git a/artiq/firmware/liblogger_artiq/lib.rs b/artiq/firmware/liblogger_artiq/lib.rs
index 87f6c53d1..67b2c36f5 100644
--- a/artiq/firmware/liblogger_artiq/lib.rs
+++ b/artiq/firmware/liblogger_artiq/lib.rs
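Review bot: The new `&*(mailbox::receive() as *const Message)` in `recv` turns an address read from the mailbox into a reference without any `// SAFETY:` comment, although the subject line says the remaining unsafe conversions are documented; the identical expression added to `kern_recv_notrace` in runtime/session.rs has the same gap. The address is written by the other end of the mailbox, so the comment should state who guarantees it is non-null, aligned and points at a `Message` that stays valid until `mailbox::acknowledge()`. In `recv` the value dereferenced also comes from a second `mailbox::receive()` call rather than the one the `while` loop tested against 0; reading it once, e.g. `let ptr = loop { let p = mailbox::receive(); if p != 0 { break p } };`, would keep the check and the dereference on the same value. In session.rs an `InvalidData` return sits just above the changed line, but its condition is outside the hunk, so I cannot tell whether it validates this address.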
@@ -4,7 +4,6 @@ extern crate log;
 extern crate log_buffer;
 extern crate board;
-use core::{mem, ptr};
 use core::cell::{Cell, RefCell};
 use core::fmt::Write;
 use log::{Log, LogMetadata, LogRecord, LogLevelFilter, MaxLogLevelFilter};
@@ -43,12 +42,12 @@ impl BufferLogger {
 f();
 log::shutdown_logger_raw().unwrap();
 unsafe {
- LOGGER = ptr::null();
+ LOGGER = 0 as *const _;
 }
 }
 pub fn with R>(f: F) -> R {
- f(unsafe { mem::transmute::<*const BufferLogger, &BufferLogger>(LOGGER) })
+ f(unsafe { &*LOGGER })
 }
 pub fn clear(&self) {
diff --git a/artiq/firmware/runtime/session.rs b/artiq/firmware/runtime/session.rs
index fa698b198..e28a620e4 100644
--- a/artiq/firmware/runtime/session.rs
+++ b/artiq/firmware/runtime/session.rs
@@ -150,7 +150,7 @@ fn kern_recv_notrace(io: &Io, f: F) -> io::Result
 return Err(io::Error::new(io::ErrorKind::InvalidData, message))
 }
- f(unsafe { mem::transmute::(mailbox::receive()) })
+ f(unsafe { &*(mailbox::receive() as *const kern::Message) })
 }
 fn kern_recv_dotrace(reply: &kern::Message) {
@@ -445,6 +445,8 @@ fn process_kern_message(io: &Io, mut stream: Option<&mut TcpStream>,
 &kern::CacheGetRequest { key } => {
 let value = session.congress.cache.get(key);
 kern_send(io, &kern::CacheGetReply {
+ // Zing! This transmute is only safe because we dynamically track
+ // whether the kernel has borrowed any values from the cache.
 value: unsafe { mem::transmute::<*const [i32], &'static [i32]>(value) }
 })
 }
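Review bot: `with` now evaluates `&*LOGGER` with no null check, while the first change in this hunk resets `LOGGER` to a null pointer once the closure has run, so any `with` call outside that window builds a reference from null, which is undefined behaviour rather than a clean failure. The old transmute had the same hole, but since this line is being rewritten anyway I would make it explicit: `f(unsafe { LOGGER.as_ref() }.expect("BufferLogger::with: no logger installed"))`, with a `// SAFETY:` line saying the pointee outlives the call. Separately, `0 as *const _` reads worse than the `ptr::null()` it replaces; keeping `use core::ptr;` and dropping only `mem` would avoid the integer-to-pointer cast. The function containing the `LOGGER` reset starts outside the hunk.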
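Review bot: The added comment says the `&'static [i32]` transmute is safe because borrows are tracked dynamically, but it does not say where that tracking lives or what it forbids, so a reader cannot check the invariant from here. Because `'static` is a promise the compiler cannot verify, I would spell out the rule, e.g. `// SAFETY: the cache must not free or replace this entry while it is marked as borrowed by the kernel; see <location of the borrow tracking>`. `process_kern_message` begins and ends outside the hunk, so whether the borrow flag is set before this reply is sent is not visible.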