Create implicit_transmute_types lint.

[Flying-Toast]

Type inference is useful in most cases, but it can cause issues around usage of transmute. Even though a specific usage of transmute may have been confirmed to be sound, someone might unintentionally change a piece of surrounding code that causes the transmuted types to change and possibly become unsound. Despite that, transmute() will happily continue to infer these changed types.

This commit adds a lint implicit_transmute_types that catches calls to transmute without an explicit turbofish. The idea is that the initial author of code that uses a transmute will verify the soundness of converting between the two types, and enfore those types on the transmute call. If the types end up changing later, typecheck will fail and force the transmute call to be updated and remind the user to reassess the soundness of transmuting between the new types.

[rustbot]

Thanks for the pull request, and welcome! The Rust team is excited to review your changes, and you should hear from @xFrednet (or someone else) soon.

Please see the contribution instructions for more information. Namely, in order to ensure the minimum review times lag, PR authors and assigned reviewers should ensure that the review label (S-waiting-on-review and S-waiting-on-author) stays updated, invoking these commands when appropriate:

• @rustbot author: the review is finished, PR author should check the comments and take action accordingly
• @rustbot review: the author is ready for a review, this PR will be queued again in the reviewer's queue

[Centri3]

This looks pretty good, thank you! I've left some comments.

[Centri3]

I feel like having a configuration option to also disallow this would be nice, you can probably check the 1st and 2nd arguments of the last segment to see if either are _

[xFrednet]

Hey @Flying-Toast welcome to Clippy 👋

Thank you for starting the review @Centri3. You're welcome to continue it, and ping me once everything is done :)

[Centri3]

I think I've already said everything I wanted to ^^ feel free to give your thoughts

[xFrednet]

Hey, I think this is a good start. I left some comments. You're welcome to reach out to @Centri3 or me if you have any questions! :)

[xFrednet]

I would classify this more as a restriction lint and also think it should be allow-by-default.

I've looked at examples where I used transmute and found this one, where I like the code more without the types:

#[must_use]
pub fn a_to_b(&self, src: A) -> B {
    assert_eq!(size_of::<A>(), 4);
    assert_eq!(size_of::<B>(), 4);
    unsafe { transmute(src) }
}

There are definitely good reasons to have the types, but most projects would probably not directly agree with this. So, could you please change to group to restriction?

I think the amount of tests, which needed to be adjusted also speaks for this change :)

[xFrednet]

I mostly agree with this statement, but feel like the explanation could be clearer. Also the example of changing a type might be confusing. I imagined this:

struct A(u32);
struct B(f32);
let a = A(1);
let b: B = unsafe { transmute(src) };

changing B to be B(f64) would be accepted by the lint, but would be unsound. I think it should be more highlighted that there could be a problem if the usage changes. How about this description:

    /// ### Why is this bad?
    /// Rust uses inference to determine the types if they're not specified.
    /// This can cause the transmuted types to change accidentally and the
    /// transmute becoming unsound. Specifying the types ensures that any
    /// changes will either be compatible or cause an error.
    ///
    /// ### Example
    /// ```rust
    /// # use core::mem::transmute;
    /// # fn accept_dest(_: u32) {}
    /// let source = 42;
    /// let dest = unsafe { transmute(source) };
    ///
    /// // Changing `accept_dest` might change the target type of the transmute
    /// // and make it unsound.
    /// accept_dest(dest);
    /// ```
    /// 
    /// Use instead:
    /// ```rust
    /// # use core::mem::transmute;
    /// # fn accept_dest(_: u32) {}
    /// let source = 42;
    /// let dest = unsafe { transmute::<i32, u32>(source) };
    ///
    /// // Changing `accept_dest` will cause an error if the argument is
    /// // no longer an u32.
    /// accept_dest(dest);
    /// ```

[xFrednet]

NIT: You can undo the changes in this and the other file, when you move the lint to restriction, as that will make the lint allow-by-default. This is fine, but that way we can make the PR a bit cleaner :)

[xFrednet]

Could you add a check, to ensure that the code doesn't come from macros? You can checkout in_external_macro for this :)

[xFrednet]

Printing types like this can sometimes cause problems, when rustc can't determine the correct path for an item. This should be:

Suggested change

	Applicability::MachineApplicable
	Applicability::MaybeIncorrect

[xFrednet]

Can you add some more tests, with structs and other more complex types? Maybe play with String, struct A(u32) etc. These files don't get executed, so the transmutes can be unsound, without spawning nostril dragons 😉

[xFrednet]

Here we could optionally check, that the two types are not the infer ones ::<_, _>. But that's an optional improvement. You're welcome to pick it up, or we just create a follow-up issue for this :)

[xFrednet]

Ping @Flying-Toast, this is a ping from triage. Do you plan to continue this PR in the near future?

[Flying-Toast]

Ping @Flying-Toast, this is a ping from triage. Do you plan to continue this PR in the near future?

Probably not, so I'm fine closing it or if someone else wants to take it over.

[xFrednet]

Okay, thank you for the time and effort you already put into this PR. :D