Mark init function as unsafe

[kitcatier]

Hello, I found a soundness issue in this crate.

bkernel/stm32f4/nvic.rs

Lines 113 to 130 in 521e100

	pub fn init(nvic: &NvicInit) {
	unsafe {
	if nvic.enable {
	let mut tmppriority = (0x700 - (AIRCR.get() & 0x700)) >> 0x08;
	let tmppre = 0x4 - tmppriority;
	let tmpsub = 0x0F >> tmppriority;
	tmppriority = u32::from(nvic.priority) << tmppre;
	tmppriority |= u32::from(nvic.subpriority) & tmpsub;
	tmppriority <<= 0x04;
	IPR[nvic.irq_channel as usize].set(tmppriority);
	ISER[nvic.irq_channel as usize >> 5].set(0x1 << (nvic.irq_channel as u8 & 0x1F));
	} else {
	ICER[nvic.irq_channel as usize >> 5].set(0x1 << (nvic.irq_channel as u8 & 0x1F));
	}
	}
	}

It is not a good choice to mark the entire function body as unsafe, which will make the caller ignore the safety requirements that the function parameters must guarantee.
Marking them unsafe also means that callers must make sure they know what they're doing.

[rasendubi]

Cool, what unsoundness is possible?

[kitcatier]

Cool, what unsoundness is possible?

get()/set() functions needs to ensure that the parameter must be:
https://doc.rust-lang.org/core/intrinsics/fn.volatile_load.html

• src must be valid for reads.
• src must be properly aligned.
• src must point to a properly initialized value of type T.
  https://doc.rust-lang.org/core/ptr/fn.write_volatile.html
• dst must be valid for writes.
• dst must be properly aligned.
  It seems that the safety requirements of the parameters are not clear to others callers.

[rasendubi]

Sure. What rule is violated? What are the safety requirements of parameters?