2 mod cast_possible_truncation;
3 mod cast_possible_wrap;
4 mod cast_precision_loss;
5 mod cast_ptr_alignment;
9 mod fn_to_numeric_cast;
10 mod fn_to_numeric_cast_any;
11 mod fn_to_numeric_cast_with_truncation;
16 use clippy_utils::is_hir_ty_cfg_dependant;
17 use rustc_hir::{Expr, ExprKind};
18 use rustc_lint::{LateContext, LateLintPass, LintContext};
19 use rustc_middle::lint::in_external_macro;
20 use rustc_semver::RustcVersion;
21 use rustc_session::{declare_tool_lint, impl_lint_pass};
23 declare_clippy_lint! {
25 /// Checks for casts from any numerical to a float type where
26 /// the receiving type cannot store all values from the original type without
27 /// rounding errors. This possible rounding is to be expected, so this lint is
28 /// `Allow` by default.
30 /// Basically, this warns on casting any integer with 32 or more bits to `f32`
31 /// or any 64-bit integer to `f64`.
33 /// ### Why is this bad?
34 /// It's not bad at all. But in some applications it can be
35 /// helpful to know where precision loss can take place. This lint can help find
36 /// those places in the code.
43 #[clippy::version = "pre 1.29.0"]
44 pub CAST_PRECISION_LOSS,
46 "casts that cause loss of precision, e.g., `x as f32` where `x: u64`"
49 declare_clippy_lint! {
51 /// Checks for casts from a signed to an unsigned numerical
52 /// type. In this case, negative values wrap around to large positive values,
53 /// which can be quite surprising in practice. However, as the cast works as
54 /// defined, this lint is `Allow` by default.
56 /// ### Why is this bad?
57 /// Possibly surprising results. You can activate this lint
58 /// as a one-time check to see where numerical wrapping can arise.
63 /// y as u128; // will return 18446744073709551615
65 #[clippy::version = "pre 1.29.0"]
68 "casts from signed types to unsigned types, e.g., `x as u32` where `x: i32`"
71 declare_clippy_lint! {
73 /// Checks for casts between numerical types that may
74 /// truncate large values. This is expected behavior, so the cast is `Allow` by
77 /// ### Why is this bad?
78 /// In some problem domains, it is good practice to avoid
79 /// truncation. This lint can be activated to help assess where additional
80 /// checks could be beneficial.
84 /// fn as_u8(x: u64) -> u8 {
88 #[clippy::version = "pre 1.29.0"]
89 pub CAST_POSSIBLE_TRUNCATION,
91 "casts that may cause truncation of the value, e.g., `x as u8` where `x: u32`, or `x as i32` where `x: f32`"
94 declare_clippy_lint! {
96 /// Checks for casts from an unsigned type to a signed type of
97 /// the same size. Performing such a cast is a 'no-op' for the compiler,
98 /// i.e., nothing is changed at the bit level, and the binary representation of
99 /// the value is reinterpreted. This can cause wrapping if the value is too big
100 /// for the target signed type. However, the cast works as defined, so this lint
101 /// is `Allow` by default.
103 /// ### Why is this bad?
104 /// While such a cast is not bad in itself, the results can
105 /// be surprising when this is not the intended behavior, as demonstrated by the
110 /// u32::MAX as i32; // will yield a value of `-1`
112 #[clippy::version = "pre 1.29.0"]
113 pub CAST_POSSIBLE_WRAP,
115 "casts that may cause wrapping around the value, e.g., `x as i32` where `x: u32` and `x > i32::MAX`"
118 declare_clippy_lint! {
120 /// Checks for casts between numerical types that may
121 /// be replaced by safe conversion functions.
123 /// ### Why is this bad?
124 /// Rust's `as` keyword will perform many kinds of
125 /// conversions, including silently lossy conversions. Conversion functions such
126 /// as `i32::from` will only perform lossless conversions. Using the conversion
127 /// functions prevents conversions from turning into silent lossy conversions if
128 /// the types of the input expressions ever change, and make it easier for
129 /// people reading the code to know that the conversion is lossless.
133 /// fn as_u64(x: u8) -> u64 {
138 /// Using `::from` would look like this:
141 /// fn as_u64(x: u8) -> u64 {
145 #[clippy::version = "pre 1.29.0"]
148 "casts using `as` that are known to be lossless, e.g., `x as u64` where `x: u8`"
151 declare_clippy_lint! {
153 /// Checks for casts to the same type, casts of int literals to integer types
154 /// and casts of float literals to float types.
156 /// ### Why is this bad?
157 /// It's just unnecessary.
161 /// let _ = 2i32 as i32;
162 /// let _ = 0.5 as f32;
171 #[clippy::version = "pre 1.29.0"]
172 pub UNNECESSARY_CAST,
174 "cast to the same type, e.g., `x as i32` where `x: i32`"
177 declare_clippy_lint! {
179 /// Checks for casts, using `as` or `pointer::cast`,
180 /// from a less-strictly-aligned pointer to a more-strictly-aligned pointer
182 /// ### Why is this bad?
183 /// Dereferencing the resulting pointer may be undefined
186 /// ### Known problems
187 /// Using `std::ptr::read_unaligned` and `std::ptr::write_unaligned` or similar
188 /// on the resulting pointer is fine. Is over-zealous: Casts with manual alignment checks or casts like
189 /// u64-> u8 -> u16 can be fine. Miri is able to do a more in-depth analysis.
193 /// let _ = (&1u8 as *const u8) as *const u16;
194 /// let _ = (&mut 1u8 as *mut u8) as *mut u16;
196 /// (&1u8 as *const u8).cast::<u16>();
197 /// (&mut 1u8 as *mut u8).cast::<u16>();
199 #[clippy::version = "pre 1.29.0"]
200 pub CAST_PTR_ALIGNMENT,
202 "cast from a pointer to a more-strictly-aligned pointer"
205 declare_clippy_lint! {
207 /// Checks for casts of function pointers to something other than usize
209 /// ### Why is this bad?
210 /// Casting a function pointer to anything other than usize/isize is not portable across
211 /// architectures, because you end up losing bits if the target type is too small or end up with a
212 /// bunch of extra bits that waste space and add more instructions to the final binary than
213 /// strictly necessary for the problem
215 /// Casting to isize also doesn't make sense since there are no signed addresses.
220 /// fn fun() -> i32 { 1 }
221 /// let a = fun as i64;
224 /// fn fun2() -> i32 { 1 }
225 /// let a = fun2 as usize;
227 #[clippy::version = "pre 1.29.0"]
228 pub FN_TO_NUMERIC_CAST,
230 "casting a function pointer to a numeric type other than usize"
233 declare_clippy_lint! {
235 /// Checks for casts of a function pointer to a numeric type not wide enough to
238 /// ### Why is this bad?
239 /// Such a cast discards some bits of the function's address. If this is intended, it would be more
240 /// clearly expressed by casting to usize first, then casting the usize to the intended type (with
241 /// a comment) to perform the truncation.
246 /// fn fn1() -> i16 {
249 /// let _ = fn1 as i32;
251 /// // Better: Cast to usize first, then comment with the reason for the truncation
252 /// fn fn2() -> i16 {
255 /// let fn_ptr = fn2 as usize;
256 /// let fn_ptr_truncated = fn_ptr as i32;
258 #[clippy::version = "pre 1.29.0"]
259 pub FN_TO_NUMERIC_CAST_WITH_TRUNCATION,
261 "casting a function pointer to a numeric type not wide enough to store the address"
264 declare_clippy_lint! {
266 /// Checks for casts of a function pointer to any integer type.
268 /// ### Why is this bad?
269 /// Casting a function pointer to an integer can have surprising results and can occur
270 /// accidentally if parantheses are omitted from a function call. If you aren't doing anything
271 /// low-level with function pointers then you can opt-out of casting functions to integers in
272 /// order to avoid mistakes. Alternatively, you can use this lint to audit all uses of function
273 /// pointer casts in your code.
277 /// // Bad: fn1 is cast as `usize`
278 /// fn fn1() -> u16 {
281 /// let _ = fn1 as usize;
283 /// // Good: maybe you intended to call the function?
284 /// fn fn2() -> u16 {
287 /// let _ = fn2() as usize;
289 /// // Good: maybe you intended to cast it to a function type?
290 /// fn fn3() -> u16 {
293 /// let _ = fn3 as fn() -> u16;
295 #[clippy::version = "1.58.0"]
296 pub FN_TO_NUMERIC_CAST_ANY,
298 "casting a function pointer to any integer type"
301 declare_clippy_lint! {
303 /// Checks for casts of `&T` to `&mut T` anywhere in the code.
305 /// ### Why is this bad?
306 /// It’s basically guaranteed to be undefined behaviour.
307 /// `UnsafeCell` is the only way to obtain aliasable data that is considered
314 /// *(r as *const _ as *mut _) += 1;
319 /// Instead consider using interior mutability types.
322 /// use std::cell::UnsafeCell;
324 /// fn x(r: &UnsafeCell<i32>) {
330 #[clippy::version = "1.33.0"]
333 "a cast of reference to a mutable pointer"
336 declare_clippy_lint! {
338 /// Checks for expressions where a character literal is cast
339 /// to `u8` and suggests using a byte literal instead.
341 /// ### Why is this bad?
342 /// In general, casting values to smaller types is
343 /// error-prone and should be avoided where possible. In the particular case of
344 /// converting a character literal to u8, it is easy to avoid by just using a
345 /// byte literal instead. As an added bonus, `b'a'` is even slightly shorter
346 /// than `'a' as u8`.
353 /// A better version, using the byte literal:
358 #[clippy::version = "pre 1.29.0"]
361 "casting a character literal to `u8` truncates"
364 declare_clippy_lint! {
366 /// Checks for `as` casts between raw pointers without changing its mutability,
367 /// namely `*const T` to `*const U` and `*mut T` to `*mut U`.
369 /// ### Why is this bad?
370 /// Though `as` casts between raw pointers is not terrible, `pointer::cast` is safer because
371 /// it cannot accidentally change the pointer's mutability nor cast the pointer to other types like `usize`.
375 /// let ptr: *const u32 = &42_u32;
376 /// let mut_ptr: *mut u32 = &mut 42_u32;
377 /// let _ = ptr as *const i32;
378 /// let _ = mut_ptr as *mut i32;
382 /// let ptr: *const u32 = &42_u32;
383 /// let mut_ptr: *mut u32 = &mut 42_u32;
384 /// let _ = ptr.cast::<i32>();
385 /// let _ = mut_ptr.cast::<i32>();
387 #[clippy::version = "1.51.0"]
390 "casting using `as` from and to raw pointers that doesn't change its mutability, where `pointer::cast` could take the place of `as`"
393 declare_clippy_lint! {
395 /// Checks for casts from an enum type to an integral type which will definitely truncate the
398 /// ### Why is this bad?
399 /// The resulting integral value will not match the value of the variant it came from.
403 /// enum E { X = 256 };
404 /// let _ = E::X as u8;
406 #[clippy::version = "1.60.0"]
407 pub CAST_ENUM_TRUNCATION,
409 "casts from an enum type to an integral type which will truncate the value"
413 msrv: Option<RustcVersion>,
418 pub fn new(msrv: Option<RustcVersion>) -> Self {
423 impl_lint_pass!(Casts => [
426 CAST_POSSIBLE_TRUNCATION,
432 FN_TO_NUMERIC_CAST_ANY,
434 FN_TO_NUMERIC_CAST_WITH_TRUNCATION,
437 CAST_ENUM_TRUNCATION,
440 impl<'tcx> LateLintPass<'tcx> for Casts {
441 fn check_expr(&mut self, cx: &LateContext<'tcx>, expr: &'tcx Expr<'_>) {
442 if !in_external_macro(cx.sess(), expr.span) {
443 ptr_as_ptr::check(cx, expr, &self.msrv);
446 if expr.span.from_expansion() {
450 if let ExprKind::Cast(cast_expr, cast_to) = expr.kind {
451 if is_hir_ty_cfg_dependant(cx, cast_to) {
454 let (cast_from, cast_to) = (
455 cx.typeck_results().expr_ty(cast_expr),
456 cx.typeck_results().expr_ty(expr),
459 if unnecessary_cast::check(cx, expr, cast_expr, cast_from, cast_to) {
463 fn_to_numeric_cast_any::check(cx, expr, cast_expr, cast_from, cast_to);
464 fn_to_numeric_cast::check(cx, expr, cast_expr, cast_from, cast_to);
465 fn_to_numeric_cast_with_truncation::check(cx, expr, cast_expr, cast_from, cast_to);
467 if cast_to.is_numeric() && !in_external_macro(cx.sess(), expr.span) {
468 cast_possible_truncation::check(cx, expr, cast_expr, cast_from, cast_to);
469 if cast_from.is_numeric() {
470 cast_possible_wrap::check(cx, expr, cast_from, cast_to);
471 cast_precision_loss::check(cx, expr, cast_from, cast_to);
472 cast_sign_loss::check(cx, expr, cast_expr, cast_from, cast_to);
474 cast_lossless::check(cx, expr, cast_expr, cast_from, cast_to, &self.msrv);
478 cast_ref_to_mut::check(cx, expr);
479 cast_ptr_alignment::check(cx, expr);
480 char_lit_as_u8::check(cx, expr);
483 extract_msrv_attr!(LateContext);