Make it unsafe to define NMI handlers

Author: jonas-schievink

cortex-m-rt/macros/src/lib.rs

@@ -113,6 +113,14 @@ pub fn entry(args: TokenStream, input: TokenStream) -> TokenStream {
     .into()
 }
 
+#[derive(Debug, PartialEq)]
+enum Exception {
+    DefaultHandler,
+    HardFault,
+    NonMaskableInt,
+    Other,
+}
+
 #[proc_macro_attribute]
 pub fn exception(args: TokenStream, input: TokenStream) -> TokenStream {
     let mut f = parse_macro_input!(input as ItemFn);
@@ -130,28 +138,38 @@ pub fn exception(args: TokenStream, input: TokenStream) -> TokenStream {
     let fspan = f.span();
     let ident = f.sig.ident.clone();
 
-    enum Exception {
-        DefaultHandler,
-        HardFault,
-        Other,
-    }
-
     let ident_s = ident.to_string();
     let exn = match &*ident_s {
         "DefaultHandler" => Exception::DefaultHandler,
         "HardFault" => Exception::HardFault,
+        "NonMaskableInt" => Exception::NonMaskableInt,
         // NOTE that at this point we don't check if the exception is available on the target (e.g.
         // MemoryManagement is not available on Cortex-M0)
-        "NonMaskableInt" | "MemoryManagement" | "BusFault" | "UsageFault" | "SecureFault"
-        | "SVCall" | "DebugMonitor" | "PendSV" | "SysTick" => Exception::Other,
+        "MemoryManagement" | "BusFault" | "UsageFault" | "SecureFault" | "SVCall"
+        | "DebugMonitor" | "PendSV" | "SysTick" => Exception::Other,
         _ => {
             return parse::Error::new(ident.span(), "This is not a valid exception name")
                 .to_compile_error()
                 .into();
         }
     };
 
-    // XXX should we blacklist other attributes?
+    if f.sig.unsafety.is_none() {
+        match exn {
+            Exception::DefaultHandler | Exception::HardFault | Exception::NonMaskableInt => {
+                // These are unsafe to define.
+                let name = if exn == Exception::DefaultHandler {
+                    format!("`DefaultHandler`")
+                } else {
+                    format!("`{:?}` handler", exn)
+                };
+                return parse::Error::new(ident.span(), format_args!("defining a {} is unsafe and requires an `unsafe fn` (see the cortex-m-rt docs)", name))
+                    .to_compile_error()
+                    .into();
+            }
+            Exception::Other => {}
+        }
+    }
 
     match exn {
         Exception::DefaultHandler => {
@@ -174,7 +192,7 @@ pub fn exception(args: TokenStream, input: TokenStream) -> TokenStream {
             if !valid_signature {
                 return parse::Error::new(
                     fspan,
-                    "`DefaultHandler` must have signature `[unsafe] fn(i16) [-> !]`",
+                    "`DefaultHandler` must have signature `unsafe fn(i16) [-> !]`",
                 )
                 .to_compile_error()
                 .into();
@@ -231,7 +249,7 @@ pub fn exception(args: TokenStream, input: TokenStream) -> TokenStream {
             if !valid_signature {
                 return parse::Error::new(
                     fspan,
-                    "`HardFault` handler must have signature `[unsafe] fn(&ExceptionFrame) -> !`",
+                    "`HardFault` handler must have signature `unsafe fn(&ExceptionFrame) -> !`",
                 )
                 .to_compile_error()
                 .into();
@@ -257,7 +275,7 @@ pub fn exception(args: TokenStream, input: TokenStream) -> TokenStream {
             )
             .into()
         }
-        Exception::Other => {
+        Exception::NonMaskableInt | Exception::Other => {
             let valid_signature = f.sig.constness.is_none()
                 && f.vis == Visibility::Inherited
                 && f.sig.abi.is_none()

cortex-m-rt/tests/compile-fail/default-handler-bad-signature-1.rs

@@ -12,5 +12,5 @@ fn foo() -> ! {
 }
 
 #[exception]
-fn DefaultHandler(_irqn: i16, undef: u32) {}
-//~^ ERROR `DefaultHandler` must have signature `[unsafe] fn(i16) [-> !]`
+unsafe fn DefaultHandler(_irqn: i16, undef: u32) {}
+//~^ ERROR `DefaultHandler` must have signature `unsafe fn(i16) [-> !]`

cortex-m-rt/tests/compile-fail/default-handler-bad-signature-2.rs

@@ -12,7 +12,7 @@ fn foo() -> ! {
 }
 
 #[exception]
-fn DefaultHandler(_irqn: i16) -> u32 {
-    //~^ ERROR `DefaultHandler` must have signature `[unsafe] fn(i16) [-> !]`
+unsafe fn DefaultHandler(_irqn: i16) -> u32 {
+    //~^ ERROR `DefaultHandler` must have signature `unsafe fn(i16) [-> !]`
     0
 }

cortex-m-rt/tests/compile-fail/default-handler-hidden.rs

@@ -18,5 +18,5 @@ mod hidden {
     use cortex_m_rt::exception;
 
     #[exception]
-    fn DefaultHandler(_irqn: i16) {}
+    unsafe fn DefaultHandler(_irqn: i16) {}
 }

cortex-m-rt/tests/compile-fail/default-handler-twice.rs

@@ -12,11 +12,11 @@ fn foo() -> ! {
 }
 
 #[exception]
-fn DefaultHandler(_irqn: i16) {}
+unsafe fn DefaultHandler(_irqn: i16) {}
 
 pub mod reachable {
     use cortex_m_rt::exception;
 
     #[exception] //~ ERROR symbol `DefaultHandler` is already defined
-    fn DefaultHandler(_irqn: i16) {}
+    unsafe fn DefaultHandler(_irqn: i16) {}
 }

cortex-m-rt/tests/compile-fail/exception-nmi-unsafe.rs

@@ -0,0 +1,24 @@
+#![no_main]
+#![no_std]
+
+extern crate cortex_m_rt;
+extern crate panic_halt;
+
+use cortex_m_rt::{entry, exception};
+
+#[entry]
+fn foo() -> ! {
+    loop {}
+}
+
+#[exception]
+fn DefaultHandler(_irq: i16) {}
+//~^ ERROR defining a `DefaultHandler` is unsafe and requires an `unsafe fn`
+
+#[exception]
+fn HardFault() {}
+//~^ ERROR defining a `HardFault` handler is unsafe and requires an `unsafe fn`
+
+#[exception]
+fn NonMaskableInt() {}
+//~^ ERROR defining a `NonMaskableInt` handler is unsafe and requires an `unsafe fn`

cortex-m-rt/tests/compile-fail/hard-fault-bad-signature-1.rs

@@ -12,7 +12,7 @@ fn foo() -> ! {
 }
 
 #[exception]
-fn HardFault(_ef: &ExceptionFrame, undef: u32) -> ! {
-    //~^ ERROR `HardFault` handler must have signature `[unsafe] fn(&ExceptionFrame) -> !`
+unsafe fn HardFault(_ef: &ExceptionFrame, undef: u32) -> ! {
+    //~^ ERROR `HardFault` handler must have signature `unsafe fn(&ExceptionFrame) -> !`
     loop {}
 }

cortex-m-rt/tests/compile-fail/hard-fault-twice.rs

@@ -12,15 +12,15 @@ fn foo() -> ! {
 }
 
 #[exception]
-fn HardFault(_ef: &ExceptionFrame) -> ! {
+unsafe fn HardFault(_ef: &ExceptionFrame) -> ! {
     loop {}
 }
 
 pub mod reachable {
     use cortex_m_rt::{exception, ExceptionFrame};
 
     #[exception] //~ ERROR symbol `HardFault` is already defined
-    fn HardFault(_ef: &ExceptionFrame) -> ! {
+    unsafe fn HardFault(_ef: &ExceptionFrame) -> ! {
         loop {}
     }
 }

cortex-m-rt/tests/compile-fail/unsafe-init-static.rs

@@ -29,12 +29,12 @@ fn SVCall() {
 }
 
 #[exception]
-fn DefaultHandler(_irq: i16) {
+unsafe fn DefaultHandler(_irq: i16) {
     static mut X: u32 = init();  //~ ERROR requires unsafe
 }
 
 #[exception]
-fn HardFault(_frame: &cortex_m_rt::ExceptionFrame) -> ! {
+unsafe fn HardFault(_frame: &cortex_m_rt::ExceptionFrame) -> ! {
     static mut X: u32 = init();  //~ ERROR requires unsafe
     loop {}
 }