Avoid unsafe in const macro translations except where necessary (#1339)

Atop #1306, as I'd rather not regress all const translations to be
`unsafe` in master now that we translate const macros by default.

Author: kkysen

c2rust-transpile/src/translator/mod.rs

@@ -2158,7 +2158,7 @@ impl<'c> Translation<'c> {
         ctx: ExprContext,
         expansions: &[CExprId],
     ) -> TranslationResult<(Box<Expr>, CTypeId)> {
-        let (mut val, ty) = expansions
+        let (val, ty) = expansions
             .iter()
             .try_fold::<Option<(WithStmts<Box<Expr>>, CTypeId)>, _, _>(None, |canonical, &id| {
                 self.can_convert_const_macro_expansion(id)?;
@@ -2195,7 +2195,6 @@ impl<'c> Translation<'c> {
             })?
             .ok_or_else(|| format_err!("Could not find a valid type for macro"))?;
 
-        val.set_unsafe();
         val.to_unsafe_pure_expr()
             .map(|val| (val, ty))
             .ok_or_else(|| TranslationError::generic("Macro expansion is not a pure expression"))
@@ -2701,7 +2700,15 @@ impl<'c> Translation<'c> {
                 let mut init = init?;
 
                 stmts.append(init.stmts_mut());
-                let init = init.into_value();
+                // A `const` context is not "already unsafe" the way code within a `fn` is
+                // (since we translate all `fn`s as `unsafe`). Therefore, in `const` contexts,
+                // expose any underlying unsafety in the initializer with an `unsafe` block.
+                let init = if ctx.is_const {
+                    init.to_unsafe_pure_expr()
+                        .expect("init should not have any statements")
+                } else {
+                    init.into_value()
+                };
 
                 let zeroed = self.implicit_default_expr(typ.ctype, false)?;
                 let zeroed = if ctx.is_const {
@@ -3756,21 +3763,26 @@ impl<'c> Translation<'c> {
                         };
 
                         let lhs = self.convert_expr(ctx.used(), arr, None)?;
-                        Ok(lhs.map(|lhs| {
+                        lhs.and_then(|lhs| {
                             // stmts.extend(lhs.stmts_mut());
                             // is_unsafe = is_unsafe || lhs.is_unsafe();
 
                             // Don't dereference the offset if we're still within the variable portion
                             if let Some(elt_type_id) = var_elt_type_id {
                                 let mul = self.compute_size_of_expr(elt_type_id);
-                                pointer_offset(lhs, rhs, mul, false, true)
+                                Ok(WithStmts::new_unsafe_val(pointer_offset(
+                                    lhs, rhs, mul, false, true,
+                                )))
                             } else {
-                                mk().index_expr(lhs, cast_int(rhs, "usize", false))
+                                Ok(WithStmts::new_val(
+                                    mk().index_expr(lhs, cast_int(rhs, "usize", false)),
+                                ))
                             }
-                        }))
+                        })
                     } else {
                         // LHS must be ref decayed for the offset method call's self param
-                        let lhs = self.convert_expr(ctx.used().decay_ref(), *lhs, None)?;
+                        let mut lhs = self.convert_expr(ctx.used().decay_ref(), *lhs, None)?;
+                        lhs.set_unsafe(); // `pointer_offset` is unsafe.
                         lhs.result_map(|lhs| {
                             // stmts.extend(lhs.stmts_mut());
                             // is_unsafe = is_unsafe || lhs.is_unsafe();
@@ -3838,7 +3850,7 @@ impl<'c> Translation<'c> {
 
                     // Function pointer call
                     _ => {
-                        let callee = self.convert_expr(ctx.used(), func, None)?;
+                        let mut callee = self.convert_expr(ctx.used(), func, None)?;
                         let make_fn_ty = |ret_ty: Box<Type>| {
                             let ret_ty = match *ret_ty {
                                 Type::Tuple(TypeTuple { elems: ref v, .. }) if v.is_empty() => ReturnType::Default,
@@ -3856,6 +3868,7 @@ impl<'c> Translation<'c> {
                                 // K&R function pointer without arguments
                                 let ret_ty = self.convert_type(ret_ty.ctype)?;
                                 let target_ty = make_fn_ty(ret_ty);
+                                callee.set_unsafe();
                                 callee.map(|fn_ptr| {
                                     let fn_ptr = unwrap_function_pointer(fn_ptr);
                                     transmute_expr(mk().infer_ty(), target_ty, fn_ptr)
@@ -3865,6 +3878,7 @@ impl<'c> Translation<'c> {
                                 // We have to infer the return type from our expression type
                                 let ret_ty = self.convert_type(call_expr_ty.ctype)?;
                                 let target_ty = make_fn_ty(ret_ty);
+                                callee.set_unsafe();
                                 callee.map(|fn_ptr| {
                                     transmute_expr(mk().infer_ty(), target_ty, fn_ptr)
                                 })