Enforce documenting unsafe code (#348)

Sh3Rm4n · web-flow · commit 22de3d03dc01 · 2023-11-28T09:23:45.000+01:00
diff --git a/src/adc.rs b/src/adc.rs
@@ -1025,23 +1025,26 @@ where
         }
 
         // Set the channel in the right sequence field
-        match sequence {
-            config::Sequence::One      => self.reg.sqr1.modify(|_, w| w.sq1().bits(channel.into())),
-            config::Sequence::Two      => self.reg.sqr1.modify(|_, w| w.sq2().bits(channel.into())),
-            config::Sequence::Three    => self.reg.sqr1.modify(|_, w| w.sq3().bits(channel.into())),
-            config::Sequence::Four     => self.reg.sqr1.modify(|_, w| w.sq4().bits(channel.into())),
-            config::Sequence::Five     => self.reg.sqr2.modify(|_, w| w.sq5().bits(channel.into())),
-            config::Sequence::Six      => self.reg.sqr2.modify(|_, w| w.sq6().bits(channel.into())),
-            config::Sequence::Seven    => self.reg.sqr2.modify(|_, w| w.sq7().bits(channel.into())),
-            config::Sequence::Eight    => self.reg.sqr2.modify(|_, w| w.sq8().bits(channel.into())),
-            config::Sequence::Nine     => self.reg.sqr2.modify(|_, w| w.sq9().bits(channel.into())),
-            config::Sequence::Ten      => self.reg.sqr3.modify(|_, w| w.sq10().bits(channel.into())),
-            config::Sequence::Eleven   => self.reg.sqr3.modify(|_, w| w.sq11().bits(channel.into())),
-            config::Sequence::Twelve   => self.reg.sqr3.modify(|_, w| w.sq12().bits(channel.into())),
-            config::Sequence::Thirteen => self.reg.sqr3.modify(|_, w| w.sq13().bits(channel.into())),
-            config::Sequence::Fourteen => self.reg.sqr3.modify(|_, w| w.sq14().bits(channel.into())),
-            config::Sequence::Fifteen  => self.reg.sqr4.modify(|_, w| w.sq15().bits(channel.into())),
-            config::Sequence::Sixteen  => self.reg.sqr4.modify(|_, w| w.sq16().bits(channel.into())),
+        // SAFETY: the channel.into() implementation ensures that those are valid values
+        unsafe {
+            match sequence {
+                config::Sequence::One      => self.reg.sqr1.modify(|_, w| w.sq1().bits(channel.into())),
+                config::Sequence::Two      => self.reg.sqr1.modify(|_, w| w.sq2().bits(channel.into())),
+                config::Sequence::Three    => self.reg.sqr1.modify(|_, w| w.sq3().bits(channel.into())),
+                config::Sequence::Four     => self.reg.sqr1.modify(|_, w| w.sq4().bits(channel.into())),
+                config::Sequence::Five     => self.reg.sqr2.modify(|_, w| w.sq5().bits(channel.into())),
+                config::Sequence::Six      => self.reg.sqr2.modify(|_, w| w.sq6().bits(channel.into())),
+                config::Sequence::Seven    => self.reg.sqr2.modify(|_, w| w.sq7().bits(channel.into())),
+                config::Sequence::Eight    => self.reg.sqr2.modify(|_, w| w.sq8().bits(channel.into())),
+                config::Sequence::Nine     => self.reg.sqr2.modify(|_, w| w.sq9().bits(channel.into())),
+                config::Sequence::Ten      => self.reg.sqr3.modify(|_, w| w.sq10().bits(channel.into())),
+                config::Sequence::Eleven   => self.reg.sqr3.modify(|_, w| w.sq11().bits(channel.into())),
+                config::Sequence::Twelve   => self.reg.sqr3.modify(|_, w| w.sq12().bits(channel.into())),
+                config::Sequence::Thirteen => self.reg.sqr3.modify(|_, w| w.sq13().bits(channel.into())),
+                config::Sequence::Fourteen => self.reg.sqr3.modify(|_, w| w.sq14().bits(channel.into())),
+                config::Sequence::Fifteen  => self.reg.sqr4.modify(|_, w| w.sq15().bits(channel.into())),
+                config::Sequence::Sixteen  => self.reg.sqr4.modify(|_, w| w.sq16().bits(channel.into())),
+            }
         }
     }
 
@@ -1323,10 +1326,14 @@ where
 
     /// Synchronously record a single sample of `pin`.
     fn read(&mut self, _pin: &mut Pin) -> nb::Result<Word, Self::Error> {
+        // NOTE: as ADC is not configurable (`OneShot` does not implement `Configurable`), we can't
+        // use the public methods to configure the ADC but have to fallback to the lower level
+        // methods.
+
         // self.set_pin_sequence_position(config::Sequence::One, pin);
-        self.reg
-            .sqr1
-            .modify(|_, w| unsafe { w.sq1().bits(Pin::channel().into()) });
+        self.reg.sqr1.modify(|_, w|
+                // SAFETY: channel().into() ensure the right channel value
+                unsafe { w.sq1().bits(Pin::channel().into()) });
 
         // Wait for the sequence to complete
 
diff --git a/src/can.rs b/src/can.rs
@@ -68,10 +68,12 @@ where
     }
 }
 
+// SAFETY: Can has ownership of the CAN peripheral and the pointer is pointing to the CAN peripheral
 unsafe impl<Tx, Rx> bxcan::Instance for Can<Tx, Rx> {
     const REGISTERS: *mut RegisterBlock = pac::CAN::ptr() as *mut _;
 }
 
+// SAFETY: The peripheral does own it's associated filter banks
 unsafe impl<Tx, Rx> bxcan::FilterOwner for Can<Tx, Rx> {
     const NUM_FILTER_BANKS: u8 = 28;
 }
diff --git a/src/dac.rs b/src/dac.rs
@@ -29,6 +29,8 @@ impl Dac {
     pub fn write_data(&mut self, data: u16) {
         self.regs.dhr12r1.write(|w| {
             #[allow(unused_unsafe)]
+            // SAFETY: Direct write to register for easier sharing between different stm32f3xx svd
+            // generated API
             unsafe {
                 w.dacc1dhr().bits(data)
             }
diff --git a/src/dma.rs b/src/dma.rs
@@ -64,21 +64,26 @@ impl<B, C: Channel, T: Target> Transfer<B, C, T> {
         B: WriteBuffer + 'static,
         T: OnChannel<C>,
     {
-        // NOTE(unsafe) We don't know the concrete type of `buffer` here, all
+        // SAFETY: We don't know the concrete type of `buffer` here, all
         // we can use are its `WriteBuffer` methods. Hence the only `&mut self`
         // method we can call is `write_buffer`, which is allowed by
         // `WriteBuffer`'s safety requirements.
         let (ptr, len) = unsafe { buffer.write_buffer() };
         let len = crate::expect!(u16::try_from(len).ok(), "buffer is too large");
 
-        // NOTE(unsafe) We are using the address of a 'static WriteBuffer here,
+        // SAFETY: We are using the address of a 'static WriteBuffer here,
         // which is guaranteed to be safe for DMA.
         unsafe { channel.set_memory_address(ptr as u32, Increment::Enable) };
         channel.set_transfer_length(len);
         channel.set_word_size::<B::Word>();
         channel.set_direction(Direction::FromPeripheral);
 
-        unsafe { Self::start(buffer, channel, target) }
+        // SAFTEY: we take ownership of the buffer, which is 'static as well, so it lives long
+        // enough (at least longer that the DMA transfer itself)
+        #[allow(clippy::undocumented_unsafe_blocks)]
+        unsafe {
+            Self::start(buffer, channel, target)
+        }
     }
 
     /// Start a DMA read transfer.
@@ -91,21 +96,26 @@ impl<B, C: Channel, T: Target> Transfer<B, C, T> {
         B: ReadBuffer + 'static,
         T: OnChannel<C>,
     {
-        // NOTE(unsafe) We don't know the concrete type of `buffer` here, all
+        // SAFETY: We don't know the concrete type of `buffer` here, all
         // we can use are its `ReadBuffer` methods. Hence there are no
         // `&mut self` methods we can call, so we are safe according to
         // `ReadBuffer`'s safety requirements.
         let (ptr, len) = unsafe { buffer.read_buffer() };
         let len = crate::expect!(u16::try_from(len).ok(), "buffer is too large");
 
-        // NOTE(unsafe) We are using the address of a 'static ReadBuffer here,
+        // SAFETY: We are using the address of a 'static ReadBuffer here,
         // which is guaranteed to be safe for DMA.
         unsafe { channel.set_memory_address(ptr as u32, Increment::Enable) };
         channel.set_transfer_length(len);
         channel.set_word_size::<B::Word>();
         channel.set_direction(Direction::FromMemory);
 
-        unsafe { Self::start(buffer, channel, target) }
+        // SAFTEY: We take ownership of the buffer, which is 'static as well, so it lives long
+        // enough (at least longer that the DMA transfer itself)
+        #[allow(clippy::undocumented_unsafe_blocks)]
+        unsafe {
+            Self::start(buffer, channel, target)
+        }
     }
 
     /// # Safety
@@ -315,7 +325,10 @@ pub trait Channel: private::Channel {
     unsafe fn set_peripheral_address(&mut self, address: u32, inc: Increment) {
         crate::assert!(!self.is_enabled());
 
-        self.ch().par.write(|w| w.pa().bits(address));
+        // SAFETY: If the caller does ensure, that address is valid address, this should be safe
+        unsafe {
+            self.ch().par.write(|w| w.pa().bits(address));
+        }
         self.ch().cr.modify(|_, w| w.pinc().variant(inc.into()));
     }
 
@@ -335,7 +348,10 @@ pub trait Channel: private::Channel {
     unsafe fn set_memory_address(&mut self, address: u32, inc: Increment) {
         crate::assert!(!self.is_enabled());
 
-        self.ch().mar.write(|w| w.ma().bits(address));
+        // SAFETY: If the caller does ensure, that address is valid address, this should be safe
+        unsafe {
+            self.ch().mar.write(|w| w.ma().bits(address));
+        }
         self.ch().cr.modify(|_, w| w.minc().variant(inc.into()));
     }
 
@@ -500,35 +516,31 @@ macro_rules! dma {
 
                     impl private::Channel for $Ci {
                         fn ch(&self) -> &pac::dma1::CH {
-                            // NOTE(unsafe) $Ci grants exclusive access to this register
+                            // SAFETY: $Ci grants exclusive access to this register
                             unsafe { &(*$DMAx::ptr()).$chi }
                         }
                     }
 
                     impl Channel for $Ci {
                         fn is_event_triggered(&self, event: Event) -> bool {
-                            use Event::*;
-
-                            // NOTE(unsafe) atomic read
+                            // SAFETY: atomic read
                             let flags = unsafe { (*$DMAx::ptr()).isr.read() };
                             match event {
-                                HalfTransfer => flags.$htifi().bit_is_set(),
-                                TransferComplete => flags.$tcifi().bit_is_set(),
-                                TransferError => flags.$teifi().bit_is_set(),
-                                Any => flags.$gifi().bit_is_set(),
+                                Event::HalfTransfer => flags.$htifi().bit_is_set(),
+                                Event::TransferComplete => flags.$tcifi().bit_is_set(),
+                                Event::TransferError => flags.$teifi().bit_is_set(),
+                                Event::Any => flags.$gifi().bit_is_set(),
                             }
                         }
 
                         fn clear_event(&mut self, event: Event) {
-                            use Event::*;
-
-                            // NOTE(unsafe) atomic write to a stateless register
+                            // SAFETY: atomic write to a stateless register
                             unsafe {
                                 (*$DMAx::ptr()).ifcr.write(|w| match event {
-                                    HalfTransfer => w.$chtifi().set_bit(),
-                                    TransferComplete => w.$ctcifi().set_bit(),
-                                    TransferError => w.$cteifi().set_bit(),
-                                    Any => w.$cgifi().set_bit(),
+                                    Event::HalfTransfer => w.$chtifi().set_bit(),
+                                    Event::TransferComplete => w.$ctcifi().set_bit(),
+                                    Event::TransferError => w.$cteifi().set_bit(),
+                                    Event::Any => w.$cgifi().set_bit(),
                                 });
                             }
                         }
diff --git a/src/gpio.rs b/src/gpio.rs
@@ -181,13 +181,13 @@ impl defmt::Format for Gpiox {
     }
 }
 
-// # SAFETY
+// SAFETY:
 // As Gpiox uses `dyn GpioRegExt` pointer internally, `Send` is not auto-implemented.
 // But since GpioExt does only do atomic operations without side-effects we can assume
 // that it safe to `Send` this type.
 unsafe impl Send for Gpiox {}
 
-// # SAFETY
+// SAFETY:
 // As Gpiox uses `dyn GpioRegExt` pointer internally, `Sync` is not auto-implemented.
 // But since GpioExt does only do atomic operations without side-effects we can assume
 // that it safe to `Send` this type.
@@ -500,13 +500,13 @@ where
     type Error = Infallible;
 
     fn set_high(&mut self) -> Result<(), Self::Error> {
-        // NOTE(unsafe) atomic write to a stateless register
+        // SAFETY: atomic write to a stateless register
         unsafe { (*self.gpio.ptr()).set_high(self.index.index()) };
         Ok(())
     }
 
     fn set_low(&mut self) -> Result<(), Self::Error> {
-        // NOTE(unsafe) atomic write to a stateless register
+        // SAFETY: atomic write to a stateless register
         unsafe { (*self.gpio.ptr()).set_low(self.index.index()) };
         Ok(())
     }
@@ -525,7 +525,7 @@ where
     }
 
     fn is_low(&self) -> Result<bool, Self::Error> {
-        // NOTE(unsafe) atomic read with no side effects
+        // SAFETY: atomic read with no side effects
         Ok(unsafe { (*self.gpio.ptr()).is_low(self.index.index()) })
     }
 }
@@ -540,7 +540,7 @@ where
     }
 
     fn is_set_low(&self) -> Result<bool, Self::Error> {
-        // NOTE(unsafe) atomic read with no side effects
+        // SAFETY: atomic read with no side effects
         Ok(unsafe { (*self.gpio.ptr()).is_set_low(self.index.index()) })
     }
 }
@@ -763,13 +763,13 @@ macro_rules! gpio_trait {
 
                 #[inline(always)]
                 fn set_high(&self, i: u8) {
-                    // NOTE(unsafe, write) atomic write to a stateless register
+                    // SAFETY: atomic write to a stateless register
                     unsafe { self.bsrr.write(|w| w.bits(1 << i)) };
                 }
 
                 #[inline(always)]
                 fn set_low(&self, i: u8) {
-                    // NOTE(unsafe, write) atomic write to a stateless register
+                    // SAFETY: atomic write to a stateless register
                     unsafe { self.bsrr.write(|w| w.bits(1 << (16 + i))) };
                 }
             }
@@ -792,6 +792,8 @@ macro_rules! r_trait {
                 #[inline]
                 fn $fn(&mut self, i: u8) {
                     let value = $gpioy::$xr::$enum::$VARIANT as u32;
+                    // SAFETY: The &mut abstracts all accesses to the register itself,
+                    // which makes sure that this register accesss is exclusive
                     unsafe { crate::modify_at!((*$GPIOX::ptr()).$xr, $bitwidth, i, value) };
                 }
             )+
@@ -931,6 +933,8 @@ macro_rules! gpio {
                 #[inline]
                 fn afx(&mut self, i: u8, x: u8) {
                     const BITWIDTH: u8 = 4;
+                    // SAFETY: the abstraction of AFRL should ensure exclusive access in addition
+                    // to the &mut exclusive reference
                     unsafe { crate::modify_at!((*$GPIOX::ptr()).afrh, BITWIDTH, i - 8, x as u32) };
                 }
             }
@@ -942,6 +946,8 @@ macro_rules! gpio {
                 #[inline]
                 fn afx(&mut self, i: u8, x: u8) {
                     const BITWIDTH: u8 = 4;
+                    // SAFETY: the abstraction of AFRL should ensure exclusive access in addition
+                    // to the &mut exclusive reference
                     unsafe { crate::modify_at!((*$GPIOX::ptr()).afrl, BITWIDTH, i, x as u32) };
                 }
             }
diff --git a/src/i2c.rs b/src/i2c.rs
@@ -472,7 +472,7 @@ macro_rules! i2c {
         $(
             impl Instance for $I2CX {
                 fn clock(clocks: &Clocks) -> Hertz {
-                    // NOTE(unsafe) atomic read with no side effects
+                    // SAFETY: atomic read of valid pointer with no side effects
                     match unsafe { (*RCC::ptr()).cfgr3.read().$i2cXsw().variant() } {
                         I2C1SW_A::Hsi => crate::rcc::HSI,
                         I2C1SW_A::Sysclk => clocks.sysclk(),
diff --git a/src/lib.rs b/src/lib.rs
@@ -123,6 +123,9 @@
 #![no_std]
 #![allow(clippy::upper_case_acronyms)]
 #![warn(missing_docs)]
+#![warn(clippy::missing_safety_doc)]
+#![warn(clippy::undocumented_unsafe_blocks)]
+#![warn(unsafe_op_in_unsafe_fn)]
 #![deny(macro_use_extern_crate)]
 #![cfg_attr(nightly, deny(rustdoc::broken_intra_doc_links))]
 #![cfg_attr(docsrs, feature(doc_cfg))]
diff --git a/src/pwm.rs b/src/pwm.rs
@@ -155,6 +155,10 @@
   [examples/pwm.rs]: https://github.com/stm32-rs/stm32f3xx-hal/blob/v0.6.1/examples/pwm.rs
 */
 
+// FIXME: this PWM module needs refactoring to ensure that no UB / race conditiotns is caused by unsafe acces to
+// mmaped registers.
+#![allow(clippy::undocumented_unsafe_blocks)]
+
 use core::marker::PhantomData;
 
 use crate::{
diff --git a/src/rcc.rs b/src/rcc.rs
@@ -167,13 +167,15 @@ macro_rules! bus_struct {
 
                 #[allow(unused)]
                 fn enr(&self) -> &rcc::$EN {
-                    // NOTE(unsafe) this proxy grants exclusive access to this register
+                    // FIXME: this should still be shared carefully
+                    // SAFETY: this proxy grants exclusive access to this register
                     unsafe { &(*RCC::ptr()).$en }
                 }
 
                 #[allow(unused)]
                 fn rstr(&self) -> &rcc::$RST {
-                    // NOTE(unsafe) this proxy grants exclusive access to this register
+                    // FIXME: this should still be shared carefully
+                    // SAFETY: this proxy grants exclusive access to this register
                     unsafe { &(*RCC::ptr()).$rst }
                 }
             }
@@ -365,7 +367,7 @@ impl BDCR {
     #[allow(clippy::unused_self)]
     #[must_use]
     pub(crate) fn bdcr(&mut self) -> &rcc::BDCR {
-        // NOTE(unsafe) this proxy grants exclusive access to this register
+        // SAFETY: this proxy grants exclusive access to this register
         unsafe { &(*RCC::ptr()).bdcr }
     }
 }
@@ -860,6 +862,8 @@ impl CFGR {
 
         let (usbpre, usbclk_valid) = usb_clocking::is_valid(sysclk, self.hse, pclk1, &pll_config);
 
+        // SAFETY: RCC ptr is guaranteed to be valid. This funciton is the first, which uses the
+        // RCC peripheral: RCC.constrain() -> Rcc -> CFGR
         let rcc = unsafe { &*RCC::ptr() };
 
         // enable HSE and wait for it to be ready
diff --git a/src/rtc.rs b/src/rtc.rs
@@ -115,8 +115,8 @@ impl Rtc {
         F: FnMut(&mut RTC),
     {
         // Disable write protection
-        self.rtc.wpr.write(|w| unsafe { w.bits(0xCA) });
-        self.rtc.wpr.write(|w| unsafe { w.bits(0x53) });
+        self.rtc.wpr.write(|w| w.key().bits(0xCA));
+        self.rtc.wpr.write(|w| w.key().bits(0x53));
         // Enter init mode
         let isr = self.rtc.isr.read();
         if isr.initf().bit_is_clear() {
@@ -253,6 +253,7 @@ impl Rtcc for Rtc {
         if !(1..=7).contains(&weekday) {
             return Err(Error::InvalidInputData);
         }
+        // SAFETY: check above ensures, that the weekday number is in the valid range (0x01 - 0x07)
         self.modify(|rtc| rtc.dr.modify(|_, w| unsafe { w.wdu().bits(weekday) }));
 
         Ok(())
diff --git a/src/serial.rs b/src/serial.rs
diff --git a/src/signature.rs b/src/signature.rs
diff --git a/src/syscfg.rs b/src/syscfg.rs
diff --git a/src/timer.rs b/src/timer.rs
diff --git a/src/usb.rs b/src/usb.rs

Original file line number	Diff line number	Diff line change
`@@ -68,10 +68,12 @@ where`
`68`	`68`	`}`
`69`	`69`	`}`
`70`	`70`
	`71`	`+// SAFETY: Can has ownership of the CAN peripheral and the pointer is pointing to the CAN peripheral`
`71`	`72`	`unsafe impl<Tx, Rx> bxcan::Instance for Can<Tx, Rx> {`
`72`	`73`	`const REGISTERS: mut RegisterBlock = pac::CAN::ptr() as mut _;`
`73`	`74`	`}`
`74`	`75`
	`76`	`+// SAFETY: The peripheral does own it's associated filter banks`
`75`	`77`	`unsafe impl<Tx, Rx> bxcan::FilterOwner for Can<Tx, Rx> {`
`76`	`78`	`const NUM_FILTER_BANKS: u8 = 28;`
`77`	`79`	`}`
Original file line number	Diff line number	Diff line change
`@@ -29,6 +29,8 @@ impl Dac {`
`29`	`29`	`pub fn write_data(&mut self, data: u16) {`
`30`	`30`	`self.regs.dhr12r1.write(\|w\| {`
`31`	`31`	`#[allow(unused_unsafe)]`
	`32`	`+ // SAFETY: Direct write to register for easier sharing between different stm32f3xx svd`
	`33`	`+ // generated API`
`32`	`34`	`unsafe {`
`33`	`35`	`w.dacc1dhr().bits(data)`
`34`	`36`	`}`
Original file line number	Diff line number	Diff line change
`@@ -181,13 +181,13 @@ impl defmt::Format for Gpiox {`
`181`	`181`	`}`
`182`	`182`	`}`
`183`	`183`
`184`		`-// # SAFETY`
	`184`	`+// SAFETY:`
`185`	`185`	// As Gpiox uses `dyn GpioRegExt` pointer internally, `Send` is not auto-implemented.
`186`	`186`	`// But since GpioExt does only do atomic operations without side-effects we can assume`
`187`	`187`	// that it safe to `Send` this type.
`188`	`188`	`unsafe impl Send for Gpiox {}`
`189`	`189`
`190`		`-// # SAFETY`
	`190`	`+// SAFETY:`
`191`	`191`	// As Gpiox uses `dyn GpioRegExt` pointer internally, `Sync` is not auto-implemented.
`192`	`192`	`// But since GpioExt does only do atomic operations without side-effects we can assume`
`193`	`193`	// that it safe to `Send` this type.
`@@ -500,13 +500,13 @@ where`
`500`	`500`	`type Error = Infallible;`
`501`	`501`
`502`	`502`	`fn set_high(&mut self) -> Result<(), Self::Error> {`
`503`		`- // NOTE(unsafe) atomic write to a stateless register`
	`503`	`+ // SAFETY: atomic write to a stateless register`
`504`	`504`	`unsafe { (*self.gpio.ptr()).set_high(self.index.index()) };`
`505`	`505`	`Ok(())`
`506`	`506`	`}`
`507`	`507`
`508`	`508`	`fn set_low(&mut self) -> Result<(), Self::Error> {`
`509`		`- // NOTE(unsafe) atomic write to a stateless register`
	`509`	`+ // SAFETY: atomic write to a stateless register`
`510`	`510`	`unsafe { (*self.gpio.ptr()).set_low(self.index.index()) };`
`511`	`511`	`Ok(())`
`512`	`512`	`}`
`@@ -525,7 +525,7 @@ where`
`525`	`525`	`}`
`526`	`526`
`527`	`527`	`fn is_low(&self) -> Result<bool, Self::Error> {`
`528`		`- // NOTE(unsafe) atomic read with no side effects`
	`528`	`+ // SAFETY: atomic read with no side effects`
`529`	`529`	`Ok(unsafe { (*self.gpio.ptr()).is_low(self.index.index()) })`
`530`	`530`	`}`
`531`	`531`	`}`
`@@ -540,7 +540,7 @@ where`
`540`	`540`	`}`
`541`	`541`
`542`	`542`	`fn is_set_low(&self) -> Result<bool, Self::Error> {`
`543`		`- // NOTE(unsafe) atomic read with no side effects`
	`543`	`+ // SAFETY: atomic read with no side effects`
`544`	`544`	`Ok(unsafe { (*self.gpio.ptr()).is_set_low(self.index.index()) })`
`545`	`545`	`}`
`546`	`546`	`}`
`@@ -763,13 +763,13 @@ macro_rules! gpio_trait {`
`763`	`763`
`764`	`764`	`#[inline(always)]`
`765`	`765`	`fn set_high(&self, i: u8) {`
`766`		`- // NOTE(unsafe, write) atomic write to a stateless register`
	`766`	`+ // SAFETY: atomic write to a stateless register`
`767`	`767`	`unsafe { self.bsrr.write(\|w\| w.bits(1 << i)) };`
`768`	`768`	`}`
`769`	`769`
`770`	`770`	`#[inline(always)]`
`771`	`771`	`fn set_low(&self, i: u8) {`
`772`		`- // NOTE(unsafe, write) atomic write to a stateless register`
	`772`	`+ // SAFETY: atomic write to a stateless register`
`773`	`773`	`unsafe { self.bsrr.write(\|w\| w.bits(1 << (16 + i))) };`
`774`	`774`	`}`
`775`	`775`	`}`
`@@ -792,6 +792,8 @@ macro_rules! r_trait {`
`792`	`792`	`#[inline]`
`793`	`793`	`fn $fn(&mut self, i: u8) {`
`794`	`794`	`let value = $gpioy::$xr::$enum::$VARIANT as u32;`
	`795`	`+ // SAFETY: The &mut abstracts all accesses to the register itself,`
	`796`	`+ // which makes sure that this register accesss is exclusive`
`795`	`797`	`unsafe { crate::modify_at!((*$GPIOX::ptr()).$xr, $bitwidth, i, value) };`
`796`	`798`	`}`
`797`	`799`	`)+`
`@@ -931,6 +933,8 @@ macro_rules! gpio {`
`931`	`933`	`#[inline]`
`932`	`934`	`fn afx(&mut self, i: u8, x: u8) {`
`933`	`935`	`const BITWIDTH: u8 = 4;`
	`936`	`+ // SAFETY: the abstraction of AFRL should ensure exclusive access in addition`
	`937`	`+ // to the &mut exclusive reference`
`934`	`938`	`unsafe { crate::modify_at!((*$GPIOX::ptr()).afrh, BITWIDTH, i - 8, x as u32) };`
`935`	`939`	`}`
`936`	`940`	`}`
`@@ -942,6 +946,8 @@ macro_rules! gpio {`
`942`	`946`	`#[inline]`
`943`	`947`	`fn afx(&mut self, i: u8, x: u8) {`
`944`	`948`	`const BITWIDTH: u8 = 4;`
	`949`	`+ // SAFETY: the abstraction of AFRL should ensure exclusive access in addition`
	`950`	`+ // to the &mut exclusive reference`
`945`	`951`	`unsafe { crate::modify_at!((*$GPIOX::ptr()).afrl, BITWIDTH, i, x as u32) };`
`946`	`952`	`}`
`947`	`953`	`}`
Original file line number	Diff line number	Diff line change
`@@ -167,13 +167,15 @@ macro_rules! bus_struct {`
`167`	`167`
`168`	`168`	`#[allow(unused)]`
`169`	`169`	`fn enr(&self) -> &rcc::$EN {`
`170`		`- // NOTE(unsafe) this proxy grants exclusive access to this register`
	`170`	`+ // FIXME: this should still be shared carefully`
	`171`	`+ // SAFETY: this proxy grants exclusive access to this register`
`171`	`172`	`unsafe { &(*RCC::ptr()).$en }`
`172`	`173`	`}`
`173`	`174`
`174`	`175`	`#[allow(unused)]`
`175`	`176`	`fn rstr(&self) -> &rcc::$RST {`
`176`		`- // NOTE(unsafe) this proxy grants exclusive access to this register`
	`177`	`+ // FIXME: this should still be shared carefully`
	`178`	`+ // SAFETY: this proxy grants exclusive access to this register`
`177`	`179`	`unsafe { &(*RCC::ptr()).$rst }`
`178`	`180`	`}`
`179`	`181`	`}`
`@@ -365,7 +367,7 @@ impl BDCR {`
`365`	`367`	`#[allow(clippy::unused_self)]`
`366`	`368`	`#[must_use]`
`367`	`369`	`pub(crate) fn bdcr(&mut self) -> &rcc::BDCR {`
`368`		`- // NOTE(unsafe) this proxy grants exclusive access to this register`
	`370`	`+ // SAFETY: this proxy grants exclusive access to this register`
`369`	`371`	`unsafe { &(*RCC::ptr()).bdcr }`
`370`	`372`	`}`
`371`	`373`	`}`
`@@ -860,6 +862,8 @@ impl CFGR {`
`860`	`862`
`861`	`863`	`let (usbpre, usbclk_valid) = usb_clocking::is_valid(sysclk, self.hse, pclk1, &pll_config);`
`862`	`864`
	`865`	`+ // SAFETY: RCC ptr is guaranteed to be valid. This funciton is the first, which uses the`
	`866`	`+ // RCC peripheral: RCC.constrain() -> Rcc -> CFGR`
`863`	`867`	`let rcc = unsafe { &*RCC::ptr() };`
`864`	`868`
`865`	`869`	`// enable HSE and wait for it to be ready`