feat(lint): add UnsafeTypecast lint

Cargo.toml

@@ -351,7 +351,6 @@ jiff = "0.2"
 heck = "0.5"
 uuid = "1.17.0"
 flate2 = "1.1"
-
 ## Pinned dependencies. Enabled for the workspace in crates/test-utils.
 
 # Use unicode-rs which has a smaller binary size than the default ICU4X as the IDNA backend, used

crates/lint/src/sol/med/mod.rs

@@ -3,4 +3,10 @@ use crate::sol::{EarlyLintPass, LateLintPass, SolLint};
 mod div_mul;
 use div_mul::DIVIDE_BEFORE_MULTIPLY;
 
-register_lints!((DivideBeforeMultiply, early, (DIVIDE_BEFORE_MULTIPLY)));
+mod unsafe_typecast;
+use unsafe_typecast::UNSAFE_TYPECAST;
+
+register_lints!(
+    (DivideBeforeMultiply, early, (DIVIDE_BEFORE_MULTIPLY)),
+    (UnsafeTypecast, late, (UNSAFE_TYPECAST))
+);

crates/lint/src/sol/med/unsafe_typecast.rs

@@ -0,0 +1,161 @@
+use super::UnsafeTypecast;
+use crate::{
+    linter::{LateLintPass, LintContext, Snippet},
+    sol::{Severity, SolLint},
+};
+use solar_sema::hir::{self, ExprKind, TypeKind};
+
+declare_forge_lint!(
+    UNSAFE_TYPECAST,
+    Severity::Med,
+    "unsafe-typecast",
+    "typecasts that can truncate values should be checked"
+);
+
+impl<'hir> LateLintPass<'hir> for UnsafeTypecast {
+    fn check_expr(
+        &mut self,
+        ctx: &LintContext<'_>,
+        hir: &'hir hir::Hir<'hir>,
+        expr: &'hir hir::Expr<'hir>,
+    ) {
+        // Check for type cast expressions: Type(value)
+        if let ExprKind::Call(call_expr, args, _) = &expr.kind
+            && let ExprKind::Type(target_type) = &call_expr.kind
+            && args.len() == 1
+            && let Some(first_arg) = args.exprs().next()
+            && is_unsafe_typecast_hir(hir, first_arg, target_type)
+        {
+            let suggestion = get_suggestion();
+            ctx.emit_with_fix(&UNSAFE_TYPECAST, expr.span, suggestion);
+        }
+    }
+}
+
+// Returns the suggested fix based on the unsafe typecast expression
+fn get_suggestion() -> Snippet {
+    Snippet::Block {
+        desc: Some("Consider disabling this lint if you're certain the cast is safe:"),
+        code: "// Cast is safe because [explain why]\n// forge-lint: disable-next-line(unsafe-typecast)".to_string(),
+    }
+}
+
+/// Checks if a typecast from the source expression to target type is unsafe.
+fn is_unsafe_typecast_hir(
+    hir: &hir::Hir<'_>,
+    source_expr: &hir::Expr<'_>,
+    target_type: &hir::Type<'_>,
+) -> bool {
+    // Get target elementary type
+    let TypeKind::Elementary(target_elem_type) = &target_type.kind else {
+        return false;
+    };
+
+    // Determine source type from the expression
+    let Some(source_elem_type) = infer_source_type(hir, source_expr) else {
+        return false;
+    };
+
+    is_unsafe_elementary_typecast(&source_elem_type, target_elem_type)
+}
+
+/// Infers the elementary type of a source expression.
+/// For cast chains, returns the ultimate source type, not intermediate cast results.
+fn infer_source_type(hir: &hir::Hir<'_>, expr: &hir::Expr<'_>) -> Option<hir::ElementaryType> {
+    use hir::{ElementaryType, ItemId, Lit as HirLit, Res};
+    use solar_ast::LitKind;
+
+    match &expr.kind {
+        // Recursive cast: Type(val)
+        ExprKind::Call(call_expr, args, _) => {
+            if let ExprKind::Type(_ty) = &call_expr.kind
+                && args.len() == 1
+                && let Some(first_arg) = args.exprs().next()
+            {
+                return infer_source_type(hir, first_arg);
+            }
+            None
+        }
+
+        // Identifiers (variables)
+        ExprKind::Ident(resolutions) => {
+            if let Some(Res::Item(ItemId::Variable(var_id))) = resolutions.first() {
+                let variable = hir.variable(*var_id);
+                if let TypeKind::Elementary(elem_type) = &variable.ty.kind {
+                    return Some(*elem_type);
+                }
+            }
+            None
+        }
+
+        // Handle literal strings/hex
+        ExprKind::Lit(HirLit { kind, .. }) => match kind {
+            LitKind::Str(_, bytes, _) => {
+                let byte_len = bytes.len().try_into().unwrap();
+                Some(ElementaryType::FixedBytes(solar_ast::TypeSize::new_fb_bytes(byte_len)))
+            }
+
+            LitKind::Address(_) => Some(ElementaryType::Address(false)),
+
+            LitKind::Bool(_) => Some(ElementaryType::Bool),
+
+            // Treat number literals as wide unsigned ints (won’t trigger linter)
+            LitKind::Number(_) => None,
+            LitKind::Rational(_) => None,
+            LitKind::Err(_) => None,
+        },
+
+        // Unary operations (e.g. -x)
+        ExprKind::Unary(op, inner_expr) => match op.kind {
+            solar_ast::UnOpKind::Neg => match infer_source_type(hir, inner_expr) {
+                Some(ElementaryType::UInt(size)) => Some(ElementaryType::Int(size)),
+                Some(signed_type @ ElementaryType::Int(_)) => Some(signed_type),
+                _ => Some(ElementaryType::Int(solar_ast::TypeSize::ZERO)),
+            },
+            _ => infer_source_type(hir, inner_expr),
+        },
+
+        _ => None,
+    }
+}
+
+/// Checks if a type cast from source_type to target_type is unsafe.
+fn is_unsafe_elementary_typecast(
+    source_type: &hir::ElementaryType,
+    target_type: &hir::ElementaryType,
+) -> bool {
+    use hir::ElementaryType;
+
+    match (source_type, target_type) {
+        // Numeric downcasts (smaller target size)
+        (ElementaryType::UInt(source_size), ElementaryType::UInt(target_size))
+        | (ElementaryType::Int(source_size), ElementaryType::Int(target_size)) => {
+            source_size.bits() > target_size.bits()
+        }
+
+        // Signed to unsigned conversion (potential loss of sign)
+        (ElementaryType::Int(_), ElementaryType::UInt(_)) => true,
+
+        // Unsigned to signed conversion with same or smaller size
+        (ElementaryType::UInt(source_size), ElementaryType::Int(target_size)) => {
+            source_size.bits() >= target_size.bits()
+        }
+
+        // Fixed bytes to smaller fixed bytes
+        (ElementaryType::FixedBytes(source_size), ElementaryType::FixedBytes(target_size)) => {
+            source_size.bytes() > target_size.bytes()
+        }
+
+        // Dynamic bytes to fixed bytes (potential truncation)
+        (ElementaryType::Bytes, ElementaryType::FixedBytes(_))
+        | (ElementaryType::String, ElementaryType::FixedBytes(_)) => true,
+
+        // Address to smaller uint (truncation) - address is 160 bits
+        (ElementaryType::Address(_), ElementaryType::UInt(target_size)) => target_size.bits() < 160,
+
+        // Address to int (sign issues)
+        (ElementaryType::Address(_), ElementaryType::Int(_)) => true,
+
+        _ => false,
+    }
+}