Create implicit_transmute_types lint.

Type inference is useful in most cases, but it can cause issues around usage of transmute.
Even though a specific usage of transmute may have been confirmed to be sound, someone might
unintentionally change a piece of surrounding code that causes the transmuted types to
change and possibly become unsound. Despite that, transmute() will happily continue to infer these
changed types.

This commit adds a lint `implicit_transmute_types` that catches calls to transmute without
an explicit turbofish. The idea is that the initial author of code that uses a transmute will
verify the soundness of converting between the two types, and enfore those types on the transmute
call. If the types end up changing later, typecheck will fail and force the transmute call to be
updated and remind the user to reassess the soundness of transmuting between the new types.

Author: Flying-Toast

CHANGELOG.md

@@ -4857,6 +4857,7 @@ Released 2018-09-13
 [`implicit_return`]: https://rust-lang.github.io/rust-clippy/master/index.html#implicit_return
 [`implicit_saturating_add`]: https://rust-lang.github.io/rust-clippy/master/index.html#implicit_saturating_add
 [`implicit_saturating_sub`]: https://rust-lang.github.io/rust-clippy/master/index.html#implicit_saturating_sub
+[`implicit_transmute_types`]: https://rust-lang.github.io/rust-clippy/master/index.html#implicit_transmute_types
 [`imprecise_flops`]: https://rust-lang.github.io/rust-clippy/master/index.html#imprecise_flops
 [`inconsistent_digit_grouping`]: https://rust-lang.github.io/rust-clippy/master/index.html#inconsistent_digit_grouping
 [`inconsistent_struct_constructor`]: https://rust-lang.github.io/rust-clippy/master/index.html#inconsistent_struct_constructor

clippy_lints/src/declared_lints.rs

@@ -206,6 +206,7 @@ pub(crate) static LINTS: &[&crate::LintInfo] = &[
     crate::implicit_return::IMPLICIT_RETURN_INFO,
     crate::implicit_saturating_add::IMPLICIT_SATURATING_ADD_INFO,
     crate::implicit_saturating_sub::IMPLICIT_SATURATING_SUB_INFO,
+    crate::implicit_transmute_types::IMPLICIT_TRANSMUTE_TYPES_INFO,
     crate::inconsistent_struct_constructor::INCONSISTENT_STRUCT_CONSTRUCTOR_INFO,
     crate::incorrect_impls::INCORRECT_CLONE_IMPL_ON_COPY_TYPE_INFO,
     crate::index_refutable_slice::INDEX_REFUTABLE_SLICE_INFO,

clippy_lints/src/implicit_transmute_types.rs

@@ -0,0 +1,108 @@
+use clippy_utils::{diagnostics::span_lint_and_then, is_diagnostic_item_or_ctor, last_path_segment};
+use rustc_errors::Applicability;
+use rustc_hir::{self as hir, ExprKind};
+use rustc_lint::{LateContext, LateLintPass};
+use rustc_session::{declare_lint_pass, declare_tool_lint};
+use rustc_span::symbol::sym;
+
+declare_clippy_lint! {
+    /// ### What it does
+    /// Checks for calls to [`transmute`] without explicit type parameters
+    /// (i.e. without turbofish syntax).
+    ///
+    /// ### Why is this bad?
+    /// In most cases Rust's type inference is helpful, however it can cause
+    /// problems with [`transmute`]. `transmute` is wildly unsafe
+    /// unless the types being transmuted are known to be compatible. As such,
+    /// a seemingly innocent change in something's type can end up making a
+    /// previously-valid transmute suddenly become unsound. Thus it is
+    /// good practice to always be explicit about the types you expect to be
+    /// transmuting between, so that the compiler will force you to
+    /// reexamine the transmute if either type changes.
+    ///
+    /// ### Example
+    /// ```rust
+    /// #[repr(transparent)]
+    /// struct CharWrapper {
+    ///     _inner: char,
+    /// }
+    ///
+    /// let wrapped = CharWrapper { _inner: 'a' };
+    /// let transmuted = unsafe { core::mem::transmute(wrapped) };
+    ///
+    /// // This is sound now, but if it gets changed in the future to
+    /// // something that expects a type other than `char`, the transmute
+    /// // would infer it returns that type, which is likely unsound.
+    /// let _ = char::is_lowercase(transmuted);
+    /// ```
+    ///
+    /// Specify type parameters:
+    /// ```rust
+    /// # #[repr(transparent)]
+    /// # struct CharWrapper {
+    /// #     _inner: char,
+    /// # }
+    /// let wrapped = CharWrapper { _inner: 'a' };
+    /// // Because we explicitly specify the types for the transmute, any change in
+    /// // surrounding code that would cause the transmute call to infer different
+    /// // types will now be caught by typechecking, forcing us to come back and
+    /// // reassess the soundsness of transmuting between the new types.
+    /// let transmuted = unsafe { core::mem::transmute::<CharWrapper, char>(wrapped) };
+    ///
+    /// let _ = char::is_lowercase(transmuted);
+    /// ```
+    ///
+    /// If you decide that you *do* want the types to be inferred,
+    /// you can silence the lint by conveying your intention explicitly:
+    /// ```rust
+    /// # use std::mem::transmute;
+    /// # fn main() {
+    /// #     unsafe {
+    /// #         let foo: i32 = 123;
+    /// #         let _: u32 =
+    /// transmute::<_, _>(foo);
+    /// #     }
+    /// # }
+    /// ```
+    ///
+    /// [`transmute`]: https://doc.rust-lang.org/core/mem/fn.transmute.html
+    #[clippy::version = "1.72.0"]
+    pub IMPLICIT_TRANSMUTE_TYPES,
+    style,
+    "calling mem::transmute without explicit type parameters"
+}
+
+declare_lint_pass!(ImplicitTransmuteTypes => [IMPLICIT_TRANSMUTE_TYPES]);
+
+impl<'tcx> LateLintPass<'tcx> for ImplicitTransmuteTypes {
+    fn check_expr(&mut self, cx: &LateContext<'_>, e: &hir::Expr<'_>) {
+        if let ExprKind::Call(func, _) = &e.kind
+            && let ExprKind::Path(qpath) = &func.kind
+            && let Some(def_id) = cx.qpath_res(qpath, func.hir_id).opt_def_id()
+            && is_diagnostic_item_or_ctor(cx, def_id, sym::transmute)
+            && last_path_segment(qpath).args.is_none()
+        {
+            let suggestion_span = qpath.span().shrink_to_hi();
+
+            let substs = cx.typeck_results().node_substs(func.hir_id);
+            let srctype = substs.type_at(0);
+            let dsttype = substs.type_at(1);
+
+
+            span_lint_and_then(
+                cx,
+                IMPLICIT_TRANSMUTE_TYPES,
+                e.span,
+                "`transmute` called without explicit type parameters",
+                |b| {
+                    b.span_suggestion_verbose(
+                        suggestion_span,
+                        "consider specifying the types intended to be transmuted",
+                        format!("::<{srctype}, {dsttype}>"),
+                        Applicability::MachineApplicable
+                    );
+                }
+            );
+        }
+    }
+}

clippy_lints/src/lib.rs

@@ -149,6 +149,7 @@ mod implicit_hasher;
 mod implicit_return;
 mod implicit_saturating_add;
 mod implicit_saturating_sub;
+mod implicit_transmute_types;
 mod inconsistent_struct_constructor;
 mod incorrect_impls;
 mod index_refutable_slice;
@@ -1072,6 +1073,7 @@ pub fn register_plugins(store: &mut rustc_lint::LintStore, sess: &Session, conf:
     });
     store.register_late_pass(|_| Box::new(manual_range_patterns::ManualRangePatterns));
     store.register_early_pass(|| Box::new(visibility::Visibility));
+    store.register_late_pass(|_| Box::new(implicit_transmute_types::ImplicitTransmuteTypes));
     // add lints here, do not remove this comment, it's used in `new_lint`
 }
 

tests/ui/author/issue_3849.rs

@@ -1,7 +1,7 @@
 #![allow(dead_code)]
 #![allow(clippy::zero_ptr)]
 #![allow(clippy::transmute_ptr_to_ref)]
-#![allow(clippy::transmuting_null)]
+#![allow(clippy::transmuting_null, clippy::implicit_transmute_types)]
 
 pub const ZPTR: *const usize = 0 as *const _;
 

tests/ui/blocks_in_if_conditions.fixed

@@ -44,7 +44,7 @@ fn condition_is_unsafe_block() {
     let a: i32 = 1;
 
     // this should not warn because the condition is an unsafe block
-    if unsafe { 1u32 == std::mem::transmute(a) } {
+    if unsafe { 1u32 == std::mem::transmute::<i32, u32>(a) } {
         println!("1u32 == a");
     }
 }

tests/ui/blocks_in_if_conditions.rs

@@ -44,7 +44,7 @@ fn condition_is_unsafe_block() {
     let a: i32 = 1;
 
     // this should not warn because the condition is an unsafe block
-    if unsafe { 1u32 == std::mem::transmute(a) } {
+    if unsafe { 1u32 == std::mem::transmute::<i32, u32>(a) } {
         println!("1u32 == a");
     }
 }

tests/ui/crashes/ice-4968.rs

@@ -1,7 +1,7 @@
 // Test for https://github.com/rust-lang/rust-clippy/issues/4968
 
 #![warn(clippy::unsound_collection_transmute)]
-#![allow(clippy::transmute_undefined_repr)]
+#![allow(clippy::transmute_undefined_repr, clippy::implicit_transmute_types)]
 
 trait Trait {
     type Assoc;

tests/ui/implicit_transmute_types.fixed

@@ -0,0 +1,14 @@
+//@run-rustfix
+#![allow(unused)]
+#![warn(clippy::implicit_transmute_types)]
+
+use std::mem;
+
+fn main() {
+    unsafe {
+        let _: u32 = mem::transmute::<i32, u32>(123i32);
+
+        let _: u32 = mem::transmute::<i32, u32>(123i32);
+        let _: u32 = mem::transmute::<_, _>(123i32);
+    }
+}

tests/ui/implicit_transmute_types.rs

@@ -0,0 +1,14 @@
+//@run-rustfix
+#![allow(unused)]
+#![warn(clippy::implicit_transmute_types)]
+
+use std::mem;
+
+fn main() {
+    unsafe {
+        let _: u32 = mem::transmute(123i32);
+
+        let _: u32 = mem::transmute::<i32, u32>(123i32);
+        let _: u32 = mem::transmute::<_, _>(123i32);
+    }
+}

tests/ui/implicit_transmute_types.stderr

@@ -0,0 +1,14 @@
+error: `transmute` called without explicit type parameters
+  --> $DIR/implicit_transmute_types.rs:9:22
+   |
+LL |         let _: u32 = mem::transmute(123i32);
+   |                      ^^^^^^^^^^^^^^^^^^^^^^
+   |
+   = note: `-D clippy::implicit-transmute-types` implied by `-D warnings`
+help: consider specifying the types intended to be transmuted
+   |
+LL |         let _: u32 = mem::transmute::<i32, u32>(123i32);
+   |                                    ++++++++++++
+
+error: aborting due to previous error
+

tests/ui/missing_const_for_fn/could_be_const.rs

@@ -1,5 +1,5 @@
 #![warn(clippy::missing_const_for_fn)]
-#![allow(incomplete_features, clippy::let_and_return)]
+#![allow(incomplete_features, clippy::let_and_return, clippy::implicit_transmute_types)]
 #![feature(const_mut_refs)]
 #![feature(const_trait_impl)]
 

tests/ui/ptr_cast_constness.fixed

@@ -2,7 +2,12 @@
 //@aux-build:proc_macros.rs:proc-macro
 
 #![warn(clippy::ptr_cast_constness)]
-#![allow(clippy::transmute_ptr_to_ref, clippy::unnecessary_cast, unused)]
+#![allow(
+    clippy::implicit_transmute_types,
+    clippy::transmute_ptr_to_ref,
+    clippy::unnecessary_cast,
+    unused
+)]
 
 extern crate proc_macros;
 use proc_macros::{external, inline_macros};

tests/ui/ptr_cast_constness.rs

@@ -2,7 +2,12 @@
 //@aux-build:proc_macros.rs:proc-macro
 
 #![warn(clippy::ptr_cast_constness)]
-#![allow(clippy::transmute_ptr_to_ref, clippy::unnecessary_cast, unused)]
+#![allow(
+    clippy::implicit_transmute_types,
+    clippy::transmute_ptr_to_ref,
+    clippy::unnecessary_cast,
+    unused
+)]
 
 extern crate proc_macros;
 use proc_macros::{external, inline_macros};

tests/ui/ptr_cast_constness.stderr

@@ -1,43 +1,43 @@
 error: `as` casting between raw pointers while changing only its constness
-  --> $DIR/ptr_cast_constness.rs:11:41
+  --> $DIR/ptr_cast_constness.rs:16:41
    |
 LL |     let _: &mut T = std::mem::transmute(p as *mut T);
    |                                         ^^^^^^^^^^^ help: try `pointer::cast_mut`, a safer alternative: `p.cast_mut()`
    |
    = note: `-D clippy::ptr-cast-constness` implied by `-D warnings`
 
 error: `as` casting between raw pointers while changing only its constness
-  --> $DIR/ptr_cast_constness.rs:12:19
+  --> $DIR/ptr_cast_constness.rs:17:19
    |
 LL |     let _ = &mut *(p as *mut T);
    |                   ^^^^^^^^^^^^^ help: try `pointer::cast_mut`, a safer alternative: `p.cast_mut()`
 
 error: `as` casting between raw pointers while changing only its constness
-  --> $DIR/ptr_cast_constness.rs:27:17
+  --> $DIR/ptr_cast_constness.rs:32:17
    |
 LL |         let _ = *ptr_ptr as *mut u32;
    |                 ^^^^^^^^^^^^^^^^^^^^ help: try `pointer::cast_mut`, a safer alternative: `(*ptr_ptr).cast_mut()`
 
 error: `as` casting between raw pointers while changing only its constness
-  --> $DIR/ptr_cast_constness.rs:30:13
+  --> $DIR/ptr_cast_constness.rs:35:13
    |
 LL |     let _ = ptr as *mut u32;
    |             ^^^^^^^^^^^^^^^ help: try `pointer::cast_mut`, a safer alternative: `ptr.cast_mut()`
 
 error: `as` casting between raw pointers while changing only its constness
-  --> $DIR/ptr_cast_constness.rs:31:13
+  --> $DIR/ptr_cast_constness.rs:36:13
    |
 LL |     let _ = mut_ptr as *const u32;
    |             ^^^^^^^^^^^^^^^^^^^^^ help: try `pointer::cast_const`, a safer alternative: `mut_ptr.cast_const()`
 
 error: `as` casting between raw pointers while changing only its constness
-  --> $DIR/ptr_cast_constness.rs:60:13
+  --> $DIR/ptr_cast_constness.rs:65:13
    |
 LL |     let _ = ptr as *mut u32;
    |             ^^^^^^^^^^^^^^^ help: try `pointer::cast_mut`, a safer alternative: `ptr.cast_mut()`
 
 error: `as` casting between raw pointers while changing only its constness
-  --> $DIR/ptr_cast_constness.rs:61:13
+  --> $DIR/ptr_cast_constness.rs:66:13
    |
 LL |     let _ = mut_ptr as *const u32;
    |             ^^^^^^^^^^^^^^^^^^^^^ help: try `pointer::cast_const`, a safer alternative: `mut_ptr.cast_const()`

tests/ui/transmute.rs

@@ -1,4 +1,9 @@
-#![allow(dead_code, clippy::borrow_as_ptr, clippy::needless_lifetimes)]
+#![allow(
+    dead_code,
+    clippy::implicit_transmute_types,
+    clippy::borrow_as_ptr,
+    clippy::needless_lifetimes
+)]
 
 extern crate core;