4 mod cast_abs_to_unsigned;
5 mod cast_enum_constructor;
8 mod cast_possible_truncation;
9 mod cast_possible_wrap;
10 mod cast_precision_loss;
11 mod cast_ptr_alignment;
14 mod cast_slice_different_sizes;
15 mod cast_slice_from_raw_parts;
17 mod fn_to_numeric_cast;
18 mod fn_to_numeric_cast_any;
19 mod fn_to_numeric_cast_with_truncation;
24 use clippy_utils::{is_hir_ty_cfg_dependant, meets_msrv, msrvs};
25 use rustc_hir::{Expr, ExprKind};
26 use rustc_lint::{LateContext, LateLintPass, LintContext};
27 use rustc_middle::lint::in_external_macro;
28 use rustc_semver::RustcVersion;
29 use rustc_session::{declare_tool_lint, impl_lint_pass};
31 declare_clippy_lint! {
33 /// Checks for casts from any numerical to a float type where
34 /// the receiving type cannot store all values from the original type without
35 /// rounding errors. This possible rounding is to be expected, so this lint is
36 /// `Allow` by default.
38 /// Basically, this warns on casting any integer with 32 or more bits to `f32`
39 /// or any 64-bit integer to `f64`.
41 /// ### Why is this bad?
42 /// It's not bad at all. But in some applications it can be
43 /// helpful to know where precision loss can take place. This lint can help find
44 /// those places in the code.
51 #[clippy::version = "pre 1.29.0"]
52 pub CAST_PRECISION_LOSS,
54 "casts that cause loss of precision, e.g., `x as f32` where `x: u64`"
57 declare_clippy_lint! {
59 /// Checks for casts from a signed to an unsigned numerical
60 /// type. In this case, negative values wrap around to large positive values,
61 /// which can be quite surprising in practice. However, as the cast works as
62 /// defined, this lint is `Allow` by default.
64 /// ### Why is this bad?
65 /// Possibly surprising results. You can activate this lint
66 /// as a one-time check to see where numerical wrapping can arise.
71 /// y as u128; // will return 18446744073709551615
73 #[clippy::version = "pre 1.29.0"]
76 "casts from signed types to unsigned types, e.g., `x as u32` where `x: i32`"
79 declare_clippy_lint! {
81 /// Checks for casts between numerical types that may
82 /// truncate large values. This is expected behavior, so the cast is `Allow` by
85 /// ### Why is this bad?
86 /// In some problem domains, it is good practice to avoid
87 /// truncation. This lint can be activated to help assess where additional
88 /// checks could be beneficial.
92 /// fn as_u8(x: u64) -> u8 {
96 #[clippy::version = "pre 1.29.0"]
97 pub CAST_POSSIBLE_TRUNCATION,
99 "casts that may cause truncation of the value, e.g., `x as u8` where `x: u32`, or `x as i32` where `x: f32`"
102 declare_clippy_lint! {
104 /// Checks for casts from an unsigned type to a signed type of
105 /// the same size. Performing such a cast is a 'no-op' for the compiler,
106 /// i.e., nothing is changed at the bit level, and the binary representation of
107 /// the value is reinterpreted. This can cause wrapping if the value is too big
108 /// for the target signed type. However, the cast works as defined, so this lint
109 /// is `Allow` by default.
111 /// ### Why is this bad?
112 /// While such a cast is not bad in itself, the results can
113 /// be surprising when this is not the intended behavior, as demonstrated by the
118 /// u32::MAX as i32; // will yield a value of `-1`
120 #[clippy::version = "pre 1.29.0"]
121 pub CAST_POSSIBLE_WRAP,
123 "casts that may cause wrapping around the value, e.g., `x as i32` where `x: u32` and `x > i32::MAX`"
126 declare_clippy_lint! {
128 /// Checks for casts between numerical types that may
129 /// be replaced by safe conversion functions.
131 /// ### Why is this bad?
132 /// Rust's `as` keyword will perform many kinds of
133 /// conversions, including silently lossy conversions. Conversion functions such
134 /// as `i32::from` will only perform lossless conversions. Using the conversion
135 /// functions prevents conversions from turning into silent lossy conversions if
136 /// the types of the input expressions ever change, and make it easier for
137 /// people reading the code to know that the conversion is lossless.
141 /// fn as_u64(x: u8) -> u64 {
146 /// Using `::from` would look like this:
149 /// fn as_u64(x: u8) -> u64 {
153 #[clippy::version = "pre 1.29.0"]
156 "casts using `as` that are known to be lossless, e.g., `x as u64` where `x: u8`"
159 declare_clippy_lint! {
161 /// Checks for casts to the same type, casts of int literals to integer types
162 /// and casts of float literals to float types.
164 /// ### Why is this bad?
165 /// It's just unnecessary.
169 /// let _ = 2i32 as i32;
170 /// let _ = 0.5 as f32;
179 #[clippy::version = "pre 1.29.0"]
180 pub UNNECESSARY_CAST,
182 "cast to the same type, e.g., `x as i32` where `x: i32`"
185 declare_clippy_lint! {
187 /// Checks for casts, using `as` or `pointer::cast`,
188 /// from a less-strictly-aligned pointer to a more-strictly-aligned pointer
190 /// ### Why is this bad?
191 /// Dereferencing the resulting pointer may be undefined
194 /// ### Known problems
195 /// Using `std::ptr::read_unaligned` and `std::ptr::write_unaligned` or similar
196 /// on the resulting pointer is fine. Is over-zealous: Casts with manual alignment checks or casts like
197 /// u64-> u8 -> u16 can be fine. Miri is able to do a more in-depth analysis.
201 /// let _ = (&1u8 as *const u8) as *const u16;
202 /// let _ = (&mut 1u8 as *mut u8) as *mut u16;
204 /// (&1u8 as *const u8).cast::<u16>();
205 /// (&mut 1u8 as *mut u8).cast::<u16>();
207 #[clippy::version = "pre 1.29.0"]
208 pub CAST_PTR_ALIGNMENT,
210 "cast from a pointer to a more-strictly-aligned pointer"
213 declare_clippy_lint! {
215 /// Checks for casts of function pointers to something other than usize
217 /// ### Why is this bad?
218 /// Casting a function pointer to anything other than usize/isize is not portable across
219 /// architectures, because you end up losing bits if the target type is too small or end up with a
220 /// bunch of extra bits that waste space and add more instructions to the final binary than
221 /// strictly necessary for the problem
223 /// Casting to isize also doesn't make sense since there are no signed addresses.
227 /// fn fun() -> i32 { 1 }
228 /// let _ = fun as i64;
233 /// # fn fun() -> i32 { 1 }
234 /// let _ = fun as usize;
236 #[clippy::version = "pre 1.29.0"]
237 pub FN_TO_NUMERIC_CAST,
239 "casting a function pointer to a numeric type other than usize"
242 declare_clippy_lint! {
244 /// Checks for casts of a function pointer to a numeric type not wide enough to
247 /// ### Why is this bad?
248 /// Such a cast discards some bits of the function's address. If this is intended, it would be more
249 /// clearly expressed by casting to usize first, then casting the usize to the intended type (with
250 /// a comment) to perform the truncation.
254 /// fn fn1() -> i16 {
257 /// let _ = fn1 as i32;
262 /// // Cast to usize first, then comment with the reason for the truncation
263 /// fn fn1() -> i16 {
266 /// let fn_ptr = fn1 as usize;
267 /// let fn_ptr_truncated = fn_ptr as i32;
269 #[clippy::version = "pre 1.29.0"]
270 pub FN_TO_NUMERIC_CAST_WITH_TRUNCATION,
272 "casting a function pointer to a numeric type not wide enough to store the address"
275 declare_clippy_lint! {
277 /// Checks for casts of a function pointer to any integer type.
279 /// ### Why is this bad?
280 /// Casting a function pointer to an integer can have surprising results and can occur
281 /// accidentally if parentheses are omitted from a function call. If you aren't doing anything
282 /// low-level with function pointers then you can opt-out of casting functions to integers in
283 /// order to avoid mistakes. Alternatively, you can use this lint to audit all uses of function
284 /// pointer casts in your code.
288 /// // fn1 is cast as `usize`
289 /// fn fn1() -> u16 {
292 /// let _ = fn1 as usize;
297 /// // maybe you intended to call the function?
298 /// fn fn2() -> u16 {
301 /// let _ = fn2() as usize;
305 /// // maybe you intended to cast it to a function type?
306 /// fn fn3() -> u16 {
309 /// let _ = fn3 as fn() -> u16;
311 #[clippy::version = "1.58.0"]
312 pub FN_TO_NUMERIC_CAST_ANY,
314 "casting a function pointer to any integer type"
317 declare_clippy_lint! {
319 /// Checks for casts of `&T` to `&mut T` anywhere in the code.
321 /// ### Why is this bad?
322 /// It’s basically guaranteed to be undefined behavior.
323 /// `UnsafeCell` is the only way to obtain aliasable data that is considered
330 /// *(r as *const _ as *mut _) += 1;
335 /// Instead consider using interior mutability types.
338 /// use std::cell::UnsafeCell;
340 /// fn x(r: &UnsafeCell<i32>) {
346 #[clippy::version = "1.33.0"]
349 "a cast of reference to a mutable pointer"
352 declare_clippy_lint! {
354 /// Checks for expressions where a character literal is cast
355 /// to `u8` and suggests using a byte literal instead.
357 /// ### Why is this bad?
358 /// In general, casting values to smaller types is
359 /// error-prone and should be avoided where possible. In the particular case of
360 /// converting a character literal to u8, it is easy to avoid by just using a
361 /// byte literal instead. As an added bonus, `b'a'` is even slightly shorter
362 /// than `'a' as u8`.
369 /// A better version, using the byte literal:
374 #[clippy::version = "pre 1.29.0"]
377 "casting a character literal to `u8` truncates"
380 declare_clippy_lint! {
382 /// Checks for `as` casts between raw pointers without changing its mutability,
383 /// namely `*const T` to `*const U` and `*mut T` to `*mut U`.
385 /// ### Why is this bad?
386 /// Though `as` casts between raw pointers is not terrible, `pointer::cast` is safer because
387 /// it cannot accidentally change the pointer's mutability nor cast the pointer to other types like `usize`.
391 /// let ptr: *const u32 = &42_u32;
392 /// let mut_ptr: *mut u32 = &mut 42_u32;
393 /// let _ = ptr as *const i32;
394 /// let _ = mut_ptr as *mut i32;
398 /// let ptr: *const u32 = &42_u32;
399 /// let mut_ptr: *mut u32 = &mut 42_u32;
400 /// let _ = ptr.cast::<i32>();
401 /// let _ = mut_ptr.cast::<i32>();
403 #[clippy::version = "1.51.0"]
406 "casting using `as` from and to raw pointers that doesn't change its mutability, where `pointer::cast` could take the place of `as`"
409 declare_clippy_lint! {
411 /// Checks for casts from an enum type to an integral type which will definitely truncate the
414 /// ### Why is this bad?
415 /// The resulting integral value will not match the value of the variant it came from.
419 /// enum E { X = 256 };
420 /// let _ = E::X as u8;
422 #[clippy::version = "1.61.0"]
423 pub CAST_ENUM_TRUNCATION,
425 "casts from an enum type to an integral type which will truncate the value"
428 declare_clippy_lint! {
430 /// Checks for `as` casts between raw pointers to slices with differently sized elements.
432 /// ### Why is this bad?
433 /// The produced raw pointer to a slice does not update its length metadata. The produced
434 /// pointer will point to a different number of bytes than the original pointer because the
435 /// length metadata of a raw slice pointer is in elements rather than bytes.
436 /// Producing a slice reference from the raw pointer will either create a slice with
437 /// less data (which can be surprising) or create a slice with more data and cause Undefined Behavior.
442 /// let a = [1_i32, 2, 3, 4];
443 /// let p = &a as *const [i32] as *const [u8];
445 /// println!("{:?}", &*p);
448 /// // Undefined Behavior (note: also potential alignment issues)
450 /// let a = [1_u8, 2, 3, 4];
451 /// let p = &a as *const [u8] as *const [u32];
453 /// println!("{:?}", &*p);
456 /// Instead use `ptr::slice_from_raw_parts` to construct a slice from a data pointer and the correct length
458 /// let a = [1_i32, 2, 3, 4];
459 /// let old_ptr = &a as *const [i32];
460 /// // The data pointer is cast to a pointer to the target `u8` not `[u8]`
461 /// // The length comes from the known length of 4 i32s times the 4 bytes per i32
462 /// let new_ptr = core::ptr::slice_from_raw_parts(old_ptr as *const u8, 16);
464 /// println!("{:?}", &*new_ptr);
467 #[clippy::version = "1.61.0"]
468 pub CAST_SLICE_DIFFERENT_SIZES,
470 "casting using `as` between raw pointers to slices of types with different sizes"
473 declare_clippy_lint! {
475 /// Checks for casts from an enum tuple constructor to an integer.
477 /// ### Why is this bad?
478 /// The cast is easily confused with casting a c-like enum value to an integer.
482 /// enum E { X(i32) };
483 /// let _ = E::X as usize;
485 #[clippy::version = "1.61.0"]
486 pub CAST_ENUM_CONSTRUCTOR,
488 "casts from an enum tuple constructor to an integer"
491 declare_clippy_lint! {
493 /// Checks for uses of the `abs()` method that cast the result to unsigned.
495 /// ### Why is this bad?
496 /// The `unsigned_abs()` method avoids panic when called on the MIN value.
500 /// let x: i32 = -42;
501 /// let y: u32 = x.abs() as u32;
505 /// let x: i32 = -42;
506 /// let y: u32 = x.unsigned_abs();
508 #[clippy::version = "1.62.0"]
509 pub CAST_ABS_TO_UNSIGNED,
511 "casting the result of `abs()` to an unsigned integer can panic"
514 declare_clippy_lint! {
516 /// Check for the usage of `as _` conversion using inferred type.
518 /// ### Why is this bad?
519 /// The conversion might include lossy conversion and dangerous cast that might go
520 /// undetected due to the type being inferred.
522 /// The lint is allowed by default as using `_` is less wordy than always specifying the type.
526 /// fn foo(n: usize) {}
527 /// let n: u16 = 256;
532 /// fn foo(n: usize) {}
533 /// let n: u16 = 256;
536 #[clippy::version = "1.63.0"]
539 "detects `as _` conversion"
542 declare_clippy_lint! {
544 /// Checks for the usage of `&expr as *const T` or
545 /// `&mut expr as *mut T`, and suggest using `ptr::addr_of` or
546 /// `ptr::addr_of_mut` instead.
548 /// ### Why is this bad?
549 /// This would improve readability and avoid creating a reference
550 /// that points to an uninitialized value or unaligned place.
551 /// Read the `ptr::addr_of` docs for more information.
556 /// let p = &val as *const i32;
558 /// let mut val_mut = 1;
559 /// let p_mut = &mut val_mut as *mut i32;
564 /// let p = std::ptr::addr_of!(val);
566 /// let mut val_mut = 1;
567 /// let p_mut = std::ptr::addr_of_mut!(val_mut);
569 #[clippy::version = "1.60.0"]
572 "borrowing just to cast to a raw pointer"
575 declare_clippy_lint! {
577 /// Checks for a raw slice being cast to a slice pointer
579 /// ### Why is this bad?
580 /// This can result in multiple `&mut` references to the same location when only a pointer is
582 /// `ptr::slice_from_raw_parts` is a safe alternative that doesn't require
583 /// the same [safety requirements] to be upheld.
587 /// let _: *const [u8] = std::slice::from_raw_parts(ptr, len) as *const _;
588 /// let _: *mut [u8] = std::slice::from_raw_parts_mut(ptr, len) as *mut _;
592 /// let _: *const [u8] = std::ptr::slice_from_raw_parts(ptr, len);
593 /// let _: *mut [u8] = std::ptr::slice_from_raw_parts_mut(ptr, len);
595 /// [safety requirements]: https://doc.rust-lang.org/std/slice/fn.from_raw_parts.html#safety
596 #[clippy::version = "1.65.0"]
597 pub CAST_SLICE_FROM_RAW_PARTS,
599 "casting a slice created from a pointer and length to a slice pointer"
602 declare_clippy_lint! {
604 /// Checks for the result of a `&self`-taking `as_ptr` being cast to a mutable pointer
606 /// ### Why is this bad?
607 /// Since `as_ptr` takes a `&self`, the pointer won't have write permissions unless interior
608 /// mutability is used, making it unlikely that having it as a mutable pointer is correct.
612 /// let string = String::with_capacity(1);
613 /// let ptr = string.as_ptr() as *mut u8;
614 /// unsafe { ptr.write(4) }; // UNDEFINED BEHAVIOUR
618 /// let mut string = String::with_capacity(1);
619 /// let ptr = string.as_mut_ptr();
620 /// unsafe { ptr.write(4) };
622 #[clippy::version = "1.66.0"]
625 "casting the result of the `&self`-taking `as_ptr` to a mutabe pointer"
628 declare_clippy_lint! {
630 /// Checks for a known NaN float being cast to an integer
632 /// ### Why is this bad?
633 /// NaNs are cast into zero, so one could simply use this and make the
634 /// code more readable. The lint could also hint at a programmer error.
638 /// let _: (0.0_f32 / 0.0) as u64;
644 #[clippy::version = "1.64.0"]
647 "casting a known floating-point NaN into an integer"
651 msrv: Option<RustcVersion>,
656 pub fn new(msrv: Option<RustcVersion>) -> Self {
661 impl_lint_pass!(Casts => [
664 CAST_POSSIBLE_TRUNCATION,
669 CAST_SLICE_DIFFERENT_SIZES,
671 FN_TO_NUMERIC_CAST_ANY,
673 FN_TO_NUMERIC_CAST_WITH_TRUNCATION,
676 CAST_ENUM_TRUNCATION,
677 CAST_ENUM_CONSTRUCTOR,
678 CAST_ABS_TO_UNSIGNED,
681 CAST_SLICE_FROM_RAW_PARTS,
686 impl<'tcx> LateLintPass<'tcx> for Casts {
687 fn check_expr(&mut self, cx: &LateContext<'tcx>, expr: &'tcx Expr<'_>) {
688 if !in_external_macro(cx.sess(), expr.span) {
689 ptr_as_ptr::check(cx, expr, self.msrv);
692 if expr.span.from_expansion() {
696 if let ExprKind::Cast(cast_expr, cast_to_hir) = expr.kind {
697 if is_hir_ty_cfg_dependant(cx, cast_to_hir) {
700 let (cast_from, cast_to) = (
701 cx.typeck_results().expr_ty(cast_expr),
702 cx.typeck_results().expr_ty(expr),
705 if unnecessary_cast::check(cx, expr, cast_expr, cast_from, cast_to) {
708 cast_slice_from_raw_parts::check(cx, expr, cast_expr, cast_to, self.msrv);
709 as_ptr_cast_mut::check(cx, expr, cast_expr, cast_to);
710 fn_to_numeric_cast_any::check(cx, expr, cast_expr, cast_from, cast_to);
711 fn_to_numeric_cast::check(cx, expr, cast_expr, cast_from, cast_to);
712 fn_to_numeric_cast_with_truncation::check(cx, expr, cast_expr, cast_from, cast_to);
714 if cast_to.is_numeric() && !in_external_macro(cx.sess(), expr.span) {
715 cast_possible_truncation::check(cx, expr, cast_expr, cast_from, cast_to);
716 if cast_from.is_numeric() {
717 cast_possible_wrap::check(cx, expr, cast_from, cast_to);
718 cast_precision_loss::check(cx, expr, cast_from, cast_to);
719 cast_sign_loss::check(cx, expr, cast_expr, cast_from, cast_to);
720 cast_abs_to_unsigned::check(cx, expr, cast_expr, cast_from, cast_to, self.msrv);
721 cast_nan_to_int::check(cx, expr, cast_expr, cast_from, cast_to);
723 cast_lossless::check(cx, expr, cast_expr, cast_from, cast_to, self.msrv);
724 cast_enum_constructor::check(cx, expr, cast_expr, cast_from);
727 as_underscore::check(cx, expr, cast_to_hir);
729 if meets_msrv(self.msrv, msrvs::BORROW_AS_PTR) {
730 borrow_as_ptr::check(cx, expr, cast_expr, cast_to_hir);
734 cast_ref_to_mut::check(cx, expr);
735 cast_ptr_alignment::check(cx, expr);
736 char_lit_as_u8::check(cx, expr);
737 ptr_as_ptr::check(cx, expr, self.msrv);
738 cast_slice_different_sizes::check(cx, expr, self.msrv);
741 extract_msrv_attr!(LateContext);