feat: add cast_ptr_sized_int lint

Introduce a new restriction lint to identify casts between pointer-sized
integer types (`usize`, `isize`) and fixed-size integer types.

Encourage the use of `TryFrom` or `TryInto` over direct `as` casts to make
potential platform-specific truncation or zero-extension explicit and handled.

Also Provide machine-applicable suggestions to replace risky casts with fallible
conversions while excluding constant contexts where such traits are not yet stable.

Closes: #9231

Author: ab22593k

CHANGELOG.md

@@ -6318,6 +6318,7 @@ Released 2018-09-13
 [`cast_possible_wrap`]: https://rust-lang.github.io/rust-clippy/master/index.html#cast_possible_wrap
 [`cast_precision_loss`]: https://rust-lang.github.io/rust-clippy/master/index.html#cast_precision_loss
 [`cast_ptr_alignment`]: https://rust-lang.github.io/rust-clippy/master/index.html#cast_ptr_alignment
+[`cast_ptr_sized_int`]: https://rust-lang.github.io/rust-clippy/master/index.html#cast_ptr_sized_int
 [`cast_ref_to_mut`]: https://rust-lang.github.io/rust-clippy/master/index.html#cast_ref_to_mut
 [`cast_sign_loss`]: https://rust-lang.github.io/rust-clippy/master/index.html#cast_sign_loss
 [`cast_slice_different_sizes`]: https://rust-lang.github.io/rust-clippy/master/index.html#cast_slice_different_sizes

clippy_lints/src/casts/cast_ptr_sized_int.rs

@@ -0,0 +1,70 @@
+use clippy_utils::diagnostics::span_lint_and_then;
+use clippy_utils::is_in_const_context;
+use clippy_utils::source::snippet;
+use clippy_utils::sugg::Sugg;
+use clippy_utils::ty::is_isize_or_usize;
+use rustc_errors::Applicability;
+use rustc_hir::Expr;
+use rustc_lint::LateContext;
+use rustc_middle::ty::Ty;
+use rustc_span::Span;
+
+use super::CAST_PTR_SIZED_INT;
+
+/// Checks for casts between pointer-sized integer types (`usize`/`isize`) and
+/// fixed-size integer types (like `u64`, `i32`, etc.).
+pub(super) fn check<'tcx>(
+    cx: &LateContext<'tcx>,
+    expr: &Expr<'_>,
+    cast_from_expr: &Expr<'_>,
+    cast_from: Ty<'tcx>,
+    cast_to: Ty<'tcx>,
+    cast_to_span: Span,
+) {
+    // Only lint integer-to-integer casts
+    if !cast_from.is_integral() || !cast_to.is_integral() {
+        return;
+    }
+
+    let from_is_ptr_sized = is_isize_or_usize(cast_from);
+    let to_is_ptr_sized = is_isize_or_usize(cast_to);
+
+    // Only lint if exactly one side is pointer-sized
+    // (if both are pointer-sized or neither is, other lints handle it)
+    if from_is_ptr_sized == to_is_ptr_sized {
+        return;
+    }
+
+    let (ptr_sized_ty, fixed_ty, direction) = if from_is_ptr_sized {
+        (cast_from, cast_to, "to")
+    } else {
+        (cast_to, cast_from, "from")
+    };
+
+    let msg = format!("casting `{cast_from}` to `{cast_to}`: the result depends on the target architecture");
+
+    span_lint_and_then(cx, CAST_PTR_SIZED_INT, expr.span, msg, |diag| {
+        let help_msg = format!(
+            "`{ptr_sized_ty}` varies in size depending on the target architecture (32-bit or 64-bit), \
+            so casting {direction} `{fixed_ty}` may behave differently across platforms"
+        );
+        diag.help(help_msg);
+
+        // Suggest using TryFrom/TryInto for safer conversion
+        if !is_in_const_context(cx) {
+            let cast_to_snip = snippet(cx, cast_to_span, "..");
+            let suggestion = if cast_to_snip == "_" {
+                format!("{}.try_into()", Sugg::hir(cx, cast_from_expr, "..").maybe_paren())
+            } else {
+                format!("{cast_to_snip}::try_from({})", Sugg::hir(cx, cast_from_expr, ".."))
+            };
+
+            diag.span_suggestion_verbose(
+                expr.span,
+                "if this is intentional, consider using `TryFrom` or `TryInto` and handle the error",
+                suggestion,
+                Applicability::MaybeIncorrect,
+            );
+        }
+    });
+}

clippy_lints/src/casts/mod.rs

@@ -10,6 +10,7 @@ mod cast_possible_truncation;
 mod cast_possible_wrap;
 mod cast_precision_loss;
 mod cast_ptr_alignment;
+mod cast_ptr_sized_int;
 mod cast_sign_loss;
 mod cast_slice_different_sizes;
 mod cast_slice_from_raw_parts;
@@ -814,6 +815,42 @@ declare_clippy_lint! {
     "casting a primitive method pointer to any integer type"
 }
 
+declare_clippy_lint! {
+    /// ### What it does
+    /// Checks for casts between pointer-sized integer types (`usize`/`isize`)
+    /// and fixed-size integer types (like `u64`, `i32`, etc.).
+    ///
+    /// ### Why is this bad?
+    /// `usize` and `isize` have sizes that depend on the target architecture
+    /// (32-bit on 32-bit platforms, 64-bit on 64-bit platforms). Casting between
+    /// these and fixed-size integers can lead to subtle, platform-specific bugs:
+    ///
+    /// - `usize as u64`: On 64-bit platforms this is lossless, but on 32-bit
+    ///   platforms the upper 32 bits are always zero.
+    /// - `u64 as usize`: On 32-bit platforms this truncates, but on 64-bit
+    ///   platforms it's lossless.
+    ///
+    /// Using `TryFrom`/`TryInto` makes the potential for failure explicit.
+    ///
+    /// ### Example
+    /// ```no_run
+    /// pub fn foo(x: usize) -> u64 {
+    ///     x as u64
+    /// }
+    /// ```
+    ///
+    /// Use instead:
+    /// ```no_run
+    /// pub fn foo(x: usize) -> u64 {
+    ///     u64::try_from(x).expect("usize should fit in u64")
+    /// }
+    /// ```
+    #[clippy::version = "1.89.0"]
+    pub CAST_PTR_SIZED_INT,
+    restriction,
+    "casts between pointer-sized and fixed-size integer types may behave differently across platforms"
+}
+
 declare_clippy_lint! {
     /// ### What it does
     /// Checks for bindings (constants, statics, or let bindings) that are defined
@@ -878,6 +915,7 @@ impl_lint_pass!(Casts => [
     AS_POINTER_UNDERSCORE,
     MANUAL_DANGLING_PTR,
     CONFUSING_METHOD_TO_NUMERIC_CAST,
+    CAST_PTR_SIZED_INT,
     NEEDLESS_TYPE_CAST,
 ]);
 
@@ -923,6 +961,7 @@ impl<'tcx> LateLintPass<'tcx> for Casts {
                     cast_sign_loss::check(cx, expr, cast_from_expr, cast_from, cast_to, self.msrv);
                     cast_abs_to_unsigned::check(cx, expr, cast_from_expr, cast_from, cast_to, self.msrv);
                     cast_nan_to_int::check(cx, expr, cast_from_expr, cast_from, cast_to);
+                    cast_ptr_sized_int::check(cx, expr, cast_from_expr, cast_from, cast_to, cast_to_hir.span);
                 }
                 cast_lossless::check(cx, expr, cast_from_expr, cast_from, cast_to, cast_to_hir, self.msrv);
                 cast_enum_constructor::check(cx, expr, cast_from_expr, cast_from);

clippy_lints/src/declared_lints.rs

@@ -61,6 +61,7 @@ pub static LINTS: &[&::declare_clippy_lint::LintInfo] = &[
     crate::casts::CAST_POSSIBLE_WRAP_INFO,
     crate::casts::CAST_PRECISION_LOSS_INFO,
     crate::casts::CAST_PTR_ALIGNMENT_INFO,
+    crate::casts::CAST_PTR_SIZED_INT_INFO,
     crate::casts::CAST_SIGN_LOSS_INFO,
     crate::casts::CAST_SLICE_DIFFERENT_SIZES_INFO,
     crate::casts::CAST_SLICE_FROM_RAW_PARTS_INFO,

tests/ui/cast_ptr_sized_int.fixed

@@ -0,0 +1,91 @@
+#![warn(clippy::cast_ptr_sized_int)]
+#![allow(clippy::unnecessary_cast, clippy::unnecessary_fallible_conversions)]
+
+fn main() {
+    // usize to fixed-size unsigned
+    let x: usize = 42;
+    let _ = u8::try_from(x); //~ cast_ptr_sized_int
+    let _ = u16::try_from(x); //~ cast_ptr_sized_int
+    let _ = u32::try_from(x); //~ cast_ptr_sized_int
+    let _ = u64::try_from(x); //~ cast_ptr_sized_int
+    let _ = u128::try_from(x); //~ cast_ptr_sized_int
+
+    // usize to fixed-size signed
+    let _ = i8::try_from(x); //~ cast_ptr_sized_int
+    let _ = i16::try_from(x); //~ cast_ptr_sized_int
+    let _ = i32::try_from(x); //~ cast_ptr_sized_int
+    let _ = i64::try_from(x); //~ cast_ptr_sized_int
+    let _ = i128::try_from(x); //~ cast_ptr_sized_int
+
+    // isize to fixed-size unsigned
+    let y: isize = 42;
+    let _ = u8::try_from(y); //~ cast_ptr_sized_int
+    let _ = u16::try_from(y); //~ cast_ptr_sized_int
+    let _ = u32::try_from(y); //~ cast_ptr_sized_int
+    let _ = u64::try_from(y); //~ cast_ptr_sized_int
+    let _ = u128::try_from(y); //~ cast_ptr_sized_int
+
+    // isize to fixed-size signed
+    let _ = i8::try_from(y); //~ cast_ptr_sized_int
+    let _ = i16::try_from(y); //~ cast_ptr_sized_int
+    let _ = i32::try_from(y); //~ cast_ptr_sized_int
+    let _ = i64::try_from(y); //~ cast_ptr_sized_int
+    let _ = i128::try_from(y); //~ cast_ptr_sized_int
+
+    // fixed-size unsigned to usize
+    let a: u8 = 1;
+    let b: u16 = 1;
+    let c: u32 = 1;
+    let d: u64 = 1;
+    let e: u128 = 1;
+    let _ = usize::try_from(a); //~ cast_ptr_sized_int
+    let _ = usize::try_from(b); //~ cast_ptr_sized_int
+    let _ = usize::try_from(c); //~ cast_ptr_sized_int
+    let _ = usize::try_from(d); //~ cast_ptr_sized_int
+    let _ = usize::try_from(e); //~ cast_ptr_sized_int
+
+    // fixed-size signed to usize
+    let f: i8 = 1;
+    let g: i16 = 1;
+    let h: i32 = 1;
+    let i: i64 = 1;
+    let j: i128 = 1;
+    let _ = usize::try_from(f); //~ cast_ptr_sized_int
+    let _ = usize::try_from(g); //~ cast_ptr_sized_int
+    let _ = usize::try_from(h); //~ cast_ptr_sized_int
+    let _ = usize::try_from(i); //~ cast_ptr_sized_int
+    let _ = usize::try_from(j); //~ cast_ptr_sized_int
+
+    // fixed-size to isize
+    let _ = isize::try_from(a); //~ cast_ptr_sized_int
+    let _ = isize::try_from(b); //~ cast_ptr_sized_int
+    let _ = isize::try_from(c); //~ cast_ptr_sized_int
+    let _ = isize::try_from(d); //~ cast_ptr_sized_int
+    let _ = isize::try_from(e); //~ cast_ptr_sized_int
+    let _ = isize::try_from(f); //~ cast_ptr_sized_int
+    let _ = isize::try_from(g); //~ cast_ptr_sized_int
+    let _ = isize::try_from(h); //~ cast_ptr_sized_int
+    let _ = isize::try_from(i); //~ cast_ptr_sized_int
+    let _ = isize::try_from(j); //~ cast_ptr_sized_int
+}
+
+// These should NOT trigger the lint
+
+fn no_lint_same_kind() {
+    // usize to isize (both pointer-sized, handled by other lints)
+    let x: usize = 42;
+    let _ = x as isize;
+
+    // isize to usize (both pointer-sized, handled by other lints)
+    let y: isize = 42;
+    let _ = y as usize;
+
+    // fixed-size to fixed-size (not pointer-sized, handled by other lints)
+    let a: u32 = 1;
+    let _ = a as u64;
+    let _ = a as i64;
+
+    let b: i32 = 1;
+    let _ = b as i64;
+    let _ = b as u64;
+}

tests/ui/cast_ptr_sized_int.rs

@@ -0,0 +1,91 @@
+#![warn(clippy::cast_ptr_sized_int)]
+#![allow(clippy::unnecessary_cast, clippy::unnecessary_fallible_conversions)]
+
+fn main() {
+    // usize to fixed-size unsigned
+    let x: usize = 42;
+    let _ = x as u8; //~ cast_ptr_sized_int
+    let _ = x as u16; //~ cast_ptr_sized_int
+    let _ = x as u32; //~ cast_ptr_sized_int
+    let _ = x as u64; //~ cast_ptr_sized_int
+    let _ = x as u128; //~ cast_ptr_sized_int
+
+    // usize to fixed-size signed
+    let _ = x as i8; //~ cast_ptr_sized_int
+    let _ = x as i16; //~ cast_ptr_sized_int
+    let _ = x as i32; //~ cast_ptr_sized_int
+    let _ = x as i64; //~ cast_ptr_sized_int
+    let _ = x as i128; //~ cast_ptr_sized_int
+
+    // isize to fixed-size unsigned
+    let y: isize = 42;
+    let _ = y as u8; //~ cast_ptr_sized_int
+    let _ = y as u16; //~ cast_ptr_sized_int
+    let _ = y as u32; //~ cast_ptr_sized_int
+    let _ = y as u64; //~ cast_ptr_sized_int
+    let _ = y as u128; //~ cast_ptr_sized_int
+
+    // isize to fixed-size signed
+    let _ = y as i8; //~ cast_ptr_sized_int
+    let _ = y as i16; //~ cast_ptr_sized_int
+    let _ = y as i32; //~ cast_ptr_sized_int
+    let _ = y as i64; //~ cast_ptr_sized_int
+    let _ = y as i128; //~ cast_ptr_sized_int
+
+    // fixed-size unsigned to usize
+    let a: u8 = 1;
+    let b: u16 = 1;
+    let c: u32 = 1;
+    let d: u64 = 1;
+    let e: u128 = 1;
+    let _ = a as usize; //~ cast_ptr_sized_int
+    let _ = b as usize; //~ cast_ptr_sized_int
+    let _ = c as usize; //~ cast_ptr_sized_int
+    let _ = d as usize; //~ cast_ptr_sized_int
+    let _ = e as usize; //~ cast_ptr_sized_int
+
+    // fixed-size signed to usize
+    let f: i8 = 1;
+    let g: i16 = 1;
+    let h: i32 = 1;
+    let i: i64 = 1;
+    let j: i128 = 1;
+    let _ = f as usize; //~ cast_ptr_sized_int
+    let _ = g as usize; //~ cast_ptr_sized_int
+    let _ = h as usize; //~ cast_ptr_sized_int
+    let _ = i as usize; //~ cast_ptr_sized_int
+    let _ = j as usize; //~ cast_ptr_sized_int
+
+    // fixed-size to isize
+    let _ = a as isize; //~ cast_ptr_sized_int
+    let _ = b as isize; //~ cast_ptr_sized_int
+    let _ = c as isize; //~ cast_ptr_sized_int
+    let _ = d as isize; //~ cast_ptr_sized_int
+    let _ = e as isize; //~ cast_ptr_sized_int
+    let _ = f as isize; //~ cast_ptr_sized_int
+    let _ = g as isize; //~ cast_ptr_sized_int
+    let _ = h as isize; //~ cast_ptr_sized_int
+    let _ = i as isize; //~ cast_ptr_sized_int
+    let _ = j as isize; //~ cast_ptr_sized_int
+}
+
+// These should NOT trigger the lint
+
+fn no_lint_same_kind() {
+    // usize to isize (both pointer-sized, handled by other lints)
+    let x: usize = 42;
+    let _ = x as isize;
+
+    // isize to usize (both pointer-sized, handled by other lints)
+    let y: isize = 42;
+    let _ = y as usize;
+
+    // fixed-size to fixed-size (not pointer-sized, handled by other lints)
+    let a: u32 = 1;
+    let _ = a as u64;
+    let _ = a as i64;
+
+    let b: i32 = 1;
+    let _ = b as i64;
+    let _ = b as u64;
+}