Avoid creating intermediate Rust references when taking pointers of memory / extern statics

[lschuermann]

Pull Request Overview

Avoid creating intermediate references to extern statics during process loading, setting up the RISC-V PMP, creating non-volatile storage drivers, and when taking the addresses of registers in chips. Extern statics are inaccessible in safe Rust code by default. However, when we perform an operation such as &_sapp as *const u8, we create a Rust reference to the underlying memory that is (a) safely dereferencable, and (b) does not necessarily conform to Rust requirements concerning initialized memory.

This PR switches those occurrences to use core::ptr::addr_of (and its mutable sibling), a macro explicitly designed to return the address of some memory location without creating an intermediate reference.

Suggested-by: Alyssa Haroldsen kupiakos@google.com @kupiakos

Testing Strategy

This pull request was tested by compiling.

TODO or Help Wanted

Blocked on #3597. Will need to port those changes to the new Kernel-protection PMP instances as well.

Documentation Updated

• Updated the relevant files in /docs, or no updates are required.

Formatting

• Ran make prepush.

[valexandru]

This pull request partially fixes the issue regarding the usage of shared/mutable reference of mutable static is discouraged that I created here when compiling with the latest rust nightly compiler, but maybe it could also solve the remaining issue in the board files such as this one:

warning: mutable reference of mutable static is discouraged
   --> boards/microbit_v2/src/main.rs:773:9
    |
773 |         &mut PROCESSES,
    |         ^^^^^^^^^^^^^^ mutable reference of mutable static
    |
    = note: for more information, see issue #114447 <https://github.com/rust-lang/rust/issues/114447>
    = note: reference of mutable static is a hard error from 2024 edition
    = note: mutable statics can be written to by multiple threads: aliasing violations or data races will cause undefined behavior
help: mutable references are dangerous since if there's any other pointer or reference used for that static while the reference lives, that's UB; use `addr_of_mut!` instead to create a raw pointer
    |
773 |         addr_of_mut!(PROCESSES),
    |         ~~~~~~~~~~~~~~~~~~~~~~~

[kupiakos]

Looks great, thank you!

[lschuermann]

This should be ready now. I changed the newly introduced casts of #3597, as well as new boards added. I further extended this PR to also change all intermediate references which are subsequently converted to pointers across the entire codebase, using the following RegEx to find such usages:

git grep -E '&[a-zA-Z0-9\_\.]* as \*'

We may still be missing some usages that don't match on the above, but this should be a good step toward resolving #3841.

[lschuermann]

I tried to remove the unsafe here, but the compiler still insists that this is a usage of an extern static. I think this is due to the implementation of a macro, which uses an experimental syntax that still triggers the safety lint.

[bradjc]

Merging this soon if anyone has any comments.