Clean (#282)

* Remove unsafe transmute_copy, add debug_assert bounds, zero GPU buffers, reduce FFI boilerplate

* Remove more unsafe, add debug_asserts to sparse stabs and GPU packing, fix Qulacs silent no-ops

* Promote row_xor_assign aliasing guard to release-mode assert

* Fix rustfmt formatting in gpu_stab.rs

* Add Panics doc section for row_xor_assign to satisfy clippy

Author: ciaranra

crates/pecos-core/src/bitset.rs

@@ -378,9 +378,7 @@ impl BitSet {
         for &index in indices {
             let word_idx = index / 64;
             let bit_idx = index % 64;
-            if word_idx < self.words.len()
-                && (unsafe { *self.words.get_unchecked(word_idx) } & (1u64 << bit_idx)) != 0
-            {
+            if word_idx < self.words.len() && (self.words[word_idx] & (1u64 << bit_idx)) != 0 {
                 count += 1;
             }
         }

crates/pecos-core/src/phase/quarter_phase.rs

@@ -44,6 +44,9 @@ impl Phase for QuarterPhase {
     }
 
     fn multiply(&self, other: &QuarterPhase) -> QuarterPhase {
+        use QuarterPhase::{MinusI, MinusOne, PlusI, PlusOne};
+        const VARIANTS: [QuarterPhase; 4] = [PlusOne, MinusOne, PlusI, MinusI];
+
         let lhs = *self as u8;
         let rhs = *other as u8;
 
@@ -53,10 +56,7 @@ impl Phase for QuarterPhase {
         // XOR imaginary parts
         let imaginary = (lhs ^ rhs) & 0b10;
 
-        let result = real | imaginary;
-
-        // Cast back to Phase
-        unsafe { std::mem::transmute(result) }
+        VARIANTS[(real | imaginary) as usize]
     }
 }
 

crates/pecos-core/src/phase/sign.rs

@@ -31,9 +31,12 @@ impl Phase for Sign {
         *self
     }
 
-    /// Multiplies two `Sign` values using XOR (superfast).
+    /// Multiplies two `Sign` values using XOR.
     fn multiply(&self, other: &Self) -> Self {
-        unsafe { std::mem::transmute((*self as u8) ^ (*other as u8)) }
+        match (*self as u8) ^ (*other as u8) {
+            0 => Sign::PlusOne,
+            _ => Sign::MinusOne,
+        }
     }
 }
 
@@ -51,8 +54,10 @@ impl TryFrom<QuarterPhase> for Sign {
 
 impl From<Sign> for QuarterPhase {
     fn from(sign: Sign) -> QuarterPhase {
-        // Safe because `Sign` variants map directly to `Phase` variants
-        unsafe { std::mem::transmute(sign as u8) }
+        match sign {
+            Sign::PlusOne => QuarterPhase::PlusOne,
+            Sign::MinusOne => QuarterPhase::MinusOne,
+        }
     }
 }
 

crates/pecos-cppsparsestab/src/lib.rs

@@ -80,20 +80,10 @@ pub struct CppSparseStab {
     num_qubits: usize,
 }
 
-// SAFETY: CppSparseStab can be safely sent between threads because:
-// 1. The C++ StateWrapper manages its own memory properly
-// 2. Each instance is used by only one thread at a time
-// 3. The underlying C++ code has no shared state between instances
-// 4. cxx::UniquePtr provides exclusive ownership
+// SAFETY: CppSparseStab can be moved between threads. Each instance owns its
+// C++ state exclusively via cxx::UniquePtr, and all access is through &mut self.
 unsafe impl Send for CppSparseStab {}
 
-// SAFETY: CppSparseStab can be safely shared between threads because:
-// 1. The underlying C++ StateWrapper is thread-safe for concurrent read access
-// 2. Each instance maintains its own independent state
-// 3. No global/shared mutable state is accessed
-// 4. cxx::UniquePtr ensures exclusive ownership semantics
-unsafe impl Sync for CppSparseStab {}
-
 impl CppSparseStab {
     /// Get mutable access to the underlying C++ state.
     ///

crates/pecos-cuquantum/src/stabilizer.rs

@@ -162,6 +162,11 @@ impl CuFrameSimulator {
                     "Failed to allocate M table: CUDA error {cuda_status}"
                 )));
             }
+
+            // Zero all GPU buffers (cudaMalloc does not guarantee zeroed memory)
+            (backend.cudaMemset)(x_table_device.cast(), 0, x_table_size);
+            (backend.cudaMemset)(z_table_device.cast(), 0, z_table_size);
+            (backend.cudaMemset)(m_table_device.cast(), 0, m_table_size);
         }
 
         Ok(Self {

crates/pecos-gpu-sims/src/gpu_stab.rs

@@ -29,11 +29,23 @@ const GATE_SWAP: u32 = 8;
 
 /// Pack a single-qubit gate into the queue format
 fn pack_single_gate(gate_type: u32, target: u32) -> u32 {
+    debug_assert!(
+        target <= 0x3FFF,
+        "qubit index {target} exceeds 14-bit limit"
+    );
     (gate_type & 0xF) | ((target & 0x3FFF) << 4)
 }
 
 /// Pack a two-qubit gate into the queue format
 fn pack_two_qubit_gate(gate_type: u32, control: u32, target: u32) -> u32 {
+    debug_assert!(
+        control <= 0x3FFF,
+        "control qubit index {control} exceeds 14-bit limit"
+    );
+    debug_assert!(
+        target <= 0x3FFF,
+        "target qubit index {target} exceeds 14-bit limit"
+    );
     (gate_type & 0xF) | ((target & 0x3FFF) << 4) | ((control & 0x3FFF) << 18)
 }
 
@@ -303,6 +315,12 @@ impl<R: Rng + SeedableRng + Debug> GpuStab<R> {
         }))
         .map_err(|e| format!("Failed to create device: {e}"))?;
 
+        if num_qubits > 0x3FFF {
+            return Err(format!(
+                "GpuStab supports at most {} qubits, got {num_qubits}",
+                0x3FFF
+            ));
+        }
         let num_qubits = num_qubits as u32;
         let gen_words = num_qubits.div_ceil(32);