solana: Configure clippy to deny possible truncation

johnsaigle · johnsaigle · commit 464bd617a9b2 · 2024-03-14T10:00:58.000-04:00
Adds a clippy rule to block the inclusion of code that can result in
truncation (i.e. `as T` conversions)
Adds linting directive to existing instances in the code and add
comments about why they are safe
Add a unit test on bitmap length to confirm that the maximum possible
number of votes (i.e. maximum "length" of the bitmap) is within the
limits of u8.
diff --git a/.github/workflows/solana.yml b/.github/workflows/solana.yml
@@ -70,7 +70,7 @@ jobs:
         run: cargo check --workspace --tests --manifest-path solana/Cargo.toml
 
       - name: Run `cargo clippy`
-        run: cargo clippy --workspace --tests --manifest-path solana/Cargo.toml
+        run: cargo clippy --workspace --tests --manifest-path solana/Cargo.toml -- -Dclippy::cast_possible_truncation
 
       - name: Cache solana tools
         id: cache-solana
diff --git a/solana/programs/example-native-token-transfers/src/bitmap.rs b/solana/programs/example-native-token-transfers/src/bitmap.rs
@@ -31,8 +31,11 @@ impl Bitmap {
         BM::<128>::from_value(self.map).get(index as usize)
     }
 
+    #[allow(clippy::cast_possible_truncation)]
     pub fn count_enabled_votes(&self, enabled: Bitmap) -> u8 {
         let bm = BM::<128>::from_value(self.map) & BM::<128>::from_value(enabled.map);
+        // Conversion from usize to u8 is safe here. The Bitmap uses u128, so it's maximum length
+        // (number of true bits) is 128.
         bm.len() as u8
     }
 }
@@ -64,4 +67,10 @@ mod tests {
         enabled.set(18, false);
         assert_eq!(bm.count_enabled_votes(enabled), 1);
     }
+
+    #[test]
+    fn test_bitmap_len() {
+        let max_bitmap = Bitmap::from_value(u128::MAX);
+        assert_eq!(128, max_bitmap.count_enabled_votes(max_bitmap));
+    }
 }
diff --git a/solana/programs/example-native-token-transfers/src/queue/rate_limit.rs b/solana/programs/example-native-token-transfers/src/queue/rate_limit.rs
@@ -46,7 +46,9 @@ impl RateLimitState {
     /// Returns the capacity of the rate limiter.
     /// On-chain programs and unit tests should always use [`capacity`].
     /// This function is useful in solana-program-test, where the clock sysvar
-    ///
+    // Truncation is allowed here. Clippy warns about the final returned expression, but it is
+    // safe.
+    #[allow(clippy::cast_possible_truncation)]
     pub fn capacity_at(&self, now: UnixTimestamp) -> u64 {
         assert!(self.last_tx_timestamp <= now);
 
@@ -71,6 +73,10 @@ impl RateLimitState {
                 + time_passed as u128 * limit / (Self::RATE_LIMIT_DURATION as u128)
         };
 
+        // The use of `min` here prevents truncation.
+        // The value of `limit` is u64 in reality. If both `calculated_capacity` and `limit` are at
+        // their maxiumum possible values (u128::MAX and u64::MAX), then u64::MAX will be chosen by
+        // `min`. So truncation is not possible.
         calculated_capacity.min(limit) as u64
     }
 

Original file line number	Diff line number	Diff line change
`@@ -31,8 +31,11 @@ impl Bitmap {`
`31`	`31`	`BM::<128>::from_value(self.map).get(index as usize)`
`32`	`32`	`}`
`33`	`33`
	`34`	`+ #[allow(clippy::cast_possible_truncation)]`
`34`	`35`	`pub fn count_enabled_votes(&self, enabled: Bitmap) -> u8 {`
`35`	`36`	`let bm = BM::<128>::from_value(self.map) & BM::<128>::from_value(enabled.map);`
	`37`	`+ // Conversion from usize to u8 is safe here. The Bitmap uses u128, so it's maximum length`
	`38`	`+ // (number of true bits) is 128.`
`36`	`39`	`bm.len() as u8`
`37`	`40`	`}`
`38`	`41`	`}`
`@@ -64,4 +67,10 @@ mod tests {`
`64`	`67`	`enabled.set(18, false);`
`65`	`68`	`assert_eq!(bm.count_enabled_votes(enabled), 1);`
`66`	`69`	`}`
	`70`	`+`
	`71`	`+ #[test]`
	`72`	`+ fn test_bitmap_len() {`
	`73`	`+ let max_bitmap = Bitmap::from_value(u128::MAX);`
	`74`	`+ assert_eq!(128, max_bitmap.count_enabled_votes(max_bitmap));`
	`75`	`+ }`
`67`	`76`	`}`