ARM64: Add try_from()/unwrap() in cases where it's safe

JBYoshi · JonathanWoollett-Light · commit 970495adf87d · 2023-10-09T18:31:31.000+01:00
Some places in the code don't allow us to re-type values to let the
compiler verify that those conversions are safe, particularly with
length values. All of these are marked with comments justifying why
they are safe.

I've done this in a separate commit because my dev setup doesn't use
ARM. In case something ARM-specific breaks in CI, I'd like to be able to
keep those changes in their own commits so I can debug more easily.

Signed-off-by: Jonathan Browne &lt;12983479+JBYoshi@users.noreply.github.com&gt;
diff --git a/src/vmm/src/arch/aarch64/cache_info.rs b/src/vmm/src/arch/aarch64/cache_info.rs
@@ -248,11 +248,14 @@ fn mask_str2bit_count(mask_str: &str) -> Result<u16, CacheInfoError> {
         if s_zero_free.is_empty() {
             s_zero_free = "0";
         }
-        bit_count += u32::from_str_radix(s_zero_free, 16)
-            .map_err(|err| {
-                CacheInfoError::InvalidCacheAttr("shared_cpu_map".to_string(), err.to_string())
-            })?
-            .count_ones() as u16;
+        bit_count += u16::try_from(
+            u32::from_str_radix(s_zero_free, 16)
+                .map_err(|err| {
+                    CacheInfoError::InvalidCacheAttr("shared_cpu_map".to_string(), err.to_string())
+                })?
+                .count_ones(),
+        )
+        .unwrap(); // Safe because this is at most 32
     }
     if bit_count == 0 {
         return Err(CacheInfoError::InvalidCacheAttr(
diff --git a/src/vmm/src/arch/aarch64/fdt.rs b/src/vmm/src/arch/aarch64/fdt.rs
@@ -169,8 +169,11 @@ fn create_cpu_nodes(fdt: &mut FdtWriter, vcpu_mpidr: &[u64]) -> Result<(), FdtEr
             // The operation is safe since we already checked when creating cache attributes that
             // cpus_per_unit is not 0 (.e look for mask_str2bit_count function).
             let cache_phandle = LAST_CACHE_PHANDLE
-                - (num_cpus * (cache.level - 2) as usize + cpu_index / cache.cpus_per_unit as usize)
-                    as u32;
+                - u32::try_from(
+                    num_cpus * (cache.level - 2) as usize
+                        + cpu_index / cache.cpus_per_unit as usize,
+                )
+                .unwrap(); // Safe because the number of CPUs is bounded
 
             if prev_level != cache.level {
                 fdt.property_u32("next-level-cache", cache_phandle)?;
diff --git a/src/vmm/src/cpu_config/aarch64/custom_cpu_template.rs b/src/vmm/src/cpu_config/aarch64/custom_cpu_template.rs
@@ -63,7 +63,8 @@ impl CustomCpuTemplate {
             let reg_size = reg_size(modifier.addr);
             match RegSize::from(reg_size) {
                 RegSize::U32 | RegSize::U64 => {
-                    let limit = 2u128.pow(reg_size as u32 * 8) - 1;
+                    // Safe to unwrap because the number of bits is limited
+                    let limit = 2u128.pow(u32::try_from(reg_size).unwrap() * 8) - 1;
                     if limit < modifier.bitmap.value || limit < modifier.bitmap.filter {
                         return Err(serde_json::Error::custom(format!(
                             "Invalid size of bitmap for register {:#x}, should be <= {} bits",
