core/ptr/mod.rs
1//! Manually manage memory through raw pointers.
2//!
3//! *[See also the pointer primitive types](pointer).*
4//!
5//! # Safety
6//!
7//! Many functions in this module take raw pointers as arguments and read from or write to them. For
8//! this to be safe, these pointers must be *valid* for the given access. Whether a pointer is valid
9//! depends on the operation it is used for (read or write), and the extent of the memory that is
10//! accessed (i.e., how many bytes are read/written) -- it makes no sense to ask "is this pointer
11//! valid"; one has to ask "is this pointer valid for a given access". Most functions use `*mut T`
12//! and `*const T` to access only a single value, in which case the documentation omits the size and
13//! implicitly assumes it to be `size_of::<T>()` bytes.
14//!
15//! The precise rules for validity are not determined yet. The guarantees that are
16//! provided at this point are very minimal:
17//!
18//! * A [null] pointer is *never* valid for reads/writes.
19//! * For memory accesses of [size zero][zst], *every* non-null pointer is valid for reads/writes.
20//! The following points are only concerned with non-zero-sized accesses.
21//! * For a pointer to be valid for reads/writes, it is necessary, but not always sufficient, that
22//! the pointer be *dereferenceable*. The [provenance] of the pointer is used to determine which
23//! [allocation] it is derived from; a pointer is dereferenceable if the memory range of the given
24//! size starting at the pointer is entirely contained within the bounds of that allocation. Note
25//! that in Rust, every (stack-allocated) variable is considered a separate allocation.
26//! * All accesses performed by functions in this module are *non-atomic* in the sense
27//! of [atomic operations] used to synchronize between threads. This means it is
28//! undefined behavior to perform two concurrent accesses to the same location from different
29//! threads unless both accesses only read from memory.
30//! * The result of casting a reference to a pointer is valid for reads/writes for as long as the
31//! underlying allocation is live and no reference (just raw pointers) is used to
32//! access the same memory. That is, reference and pointer accesses cannot be
33//! interleaved.
34//!
35//! These axioms, along with careful use of [`offset`] for pointer arithmetic,
36//! are enough to correctly implement many useful things in unsafe code. Stronger guarantees
37//! will be provided eventually, as the [aliasing] rules are being determined. For more
38//! information, see the [book] as well as the section in the reference devoted
39//! to [undefined behavior][ub].
40//!
41//! Note that some operations such as [`read`] and [`write`][`write()`] do allow null pointers if
42//! the total size of the access is zero. However, other operations internally convert pointers into
43//! references. Therefore, the general notion of "valid for reads/writes" excludes null pointers,
44//! and the specific operations that permit null pointers mention that as an exception. Furthermore,
45//! [`read_volatile`] and [`write_volatile`] can be used in even more situations; see their
46//! documentation for details.
47//!
48//! We say that a pointer is "dangling" if it is not valid for any non-zero-sized accesses. This
49//! means out-of-bounds pointers, pointers to freed memory, null pointers, and pointers created with
50//! [`NonNull::dangling`] are all dangling.
51//!
52//! ## Alignment
53//!
54//! Valid raw pointers as defined above are not necessarily properly aligned (where
55//! "proper" alignment is defined by the pointee type, i.e., `*const T` must be
56//! aligned to `align_of::<T>()`). However, most functions require their
57//! arguments to be properly aligned, and will explicitly state
58//! this requirement in their documentation. Notable exceptions to this are
59//! [`read_unaligned`] and [`write_unaligned`].
60//!
61//! When a function requires proper alignment, it does so even if the access
62//! has size 0, i.e., even if memory is not actually touched. Consider using
63//! [`NonNull::dangling`] in such cases.
64//!
65//! ## Pointer to reference conversion
66//!
67//! When converting a pointer to a reference (e.g. via `&*ptr` or `&mut *ptr`),
68//! there are several rules that must be followed:
69//!
70//! * The pointer must be properly aligned.
71//!
72//! * It must be non-null.
73//!
74//! * It must be "dereferenceable" in the sense defined above.
75//!
76//! * The pointer must point to a [valid value] of type `T`.
77//!
78//! * You must enforce Rust's aliasing rules. The exact aliasing rules are not decided yet, so we
79//! only give a rough overview here. The rules also depend on whether a mutable or a shared
80//! reference is being created.
81//! * When creating a mutable reference, then while this reference exists, the memory it points to
82//! must not get accessed (read or written) through any other pointer or reference not derived
83//! from this reference.
84//! * When creating a shared reference, then while this reference exists, the memory it points to
85//! must not get mutated (except inside `UnsafeCell`).
86//!
87//! If a pointer follows all of these rules, it is said to be
88//! *convertible to a (mutable or shared) reference*.
89// ^ we use this term instead of saying that the produced reference must
90// be valid, as the validity of a reference is easily confused for the
91// validity of the thing it refers to, and while the two concepts are
92// closely related, they are not identical.
93//!
94//! These rules apply even if the result is unused!
95//! (The part about being initialized is not yet fully decided, but until
96//! it is, the only safe approach is to ensure that they are indeed initialized.)
97//!
98//! An example of the implications of the above rules is that an expression such
99//! as `unsafe { &*(0 as *const u8) }` is Immediate Undefined Behavior.
100//!
101//! [valid value]: ../../reference/behavior-considered-undefined.html#invalid-values
102//!
103//! ## Allocation
104//!
105//! <a id="allocated-object"></a> <!-- keep old URLs working -->
106//!
107//! An *allocation* is a subset of program memory which is addressable
108//! from Rust, and within which pointer arithmetic is possible. Examples of
109//! allocations include heap allocations, stack-allocated variables,
110//! statics, and consts. The safety preconditions of some Rust operations -
111//! such as `offset` and field projections (`expr.field`) - are defined in
112//! terms of the allocations on which they operate.
113//!
114//! An allocation has a base address, a size, and a set of memory
115//! addresses. It is possible for an allocation to have zero size, but
116//! such an allocation will still have a base address. The base address
117//! of an allocation is not necessarily unique. While it is currently the
118//! case that an allocation always has a set of memory addresses which is
119//! fully contiguous (i.e., has no "holes"), there is no guarantee that this
120//! will not change in the future.
121//!
122//! Allocations must behave like "normal" memory: in particular, reads must not have
123//! side-effects, and writes must become visible to other threads using the usual synchronization
124//! primitives.
125//!
126//! For any allocation with `base` address, `size`, and a set of
127//! `addresses`, the following are guaranteed:
128//! - For all addresses `a` in `addresses`, `a` is in the range `base .. (base +
129//! size)` (note that this requires `a < base + size`, not `a <= base + size`)
130//! - `base` is not equal to [`null()`] (i.e., the address with the numerical
131//! value 0)
132//! - `base + size <= usize::MAX`
133//! - `size <= isize::MAX`
134//!
135//! As a consequence of these guarantees, given any address `a` within the set
136//! of addresses of an allocation:
137//! - It is guaranteed that `a - base` does not overflow `isize`
138//! - It is guaranteed that `a - base` is non-negative
139//! - It is guaranteed that, given `o = a - base` (i.e., the offset of `a` within
140//! the allocation), `base + o` will not wrap around the address space (in
141//! other words, will not overflow `usize`)
142//!
143//! [`null()`]: null
144//!
145//! # Provenance
146//!
147//! Pointers are not *simply* an "integer" or "address". For instance, it's uncontroversial
148//! to say that a Use After Free is clearly Undefined Behavior, even if you "get lucky"
149//! and the freed memory gets reallocated before your read/write (in fact this is the
150//! worst-case scenario, UAFs would be much less concerning if this didn't happen!).
151//! As another example, consider that [`wrapping_offset`] is documented to "remember"
152//! the allocation that the original pointer points to, even if it is offset far
153//! outside the memory range occupied by that allocation.
154//! To rationalize claims like this, pointers need to somehow be *more* than just their addresses:
155//! they must have **provenance**.
156//!
157//! A pointer value in Rust semantically contains the following information:
158//!
159//! * The **address** it points to, which can be represented by a `usize`.
160//! * The **provenance** it has, defining the memory it has permission to access. Provenance can be
161//! absent, in which case the pointer does not have permission to access any memory.
162//!
163//! The exact structure of provenance is not yet specified, but the permission defined by a
164//! pointer's provenance have a *spatial* component, a *temporal* component, and a *mutability*
165//! component:
166//!
167//! * Spatial: The set of memory addresses that the pointer is allowed to access.
168//! * Temporal: The timespan during which the pointer is allowed to access those memory addresses.
169//! * Mutability: Whether the pointer may only access the memory for reads, or also access it for
170//! writes. Note that this can interact with the other components, e.g. a pointer might permit
171//! mutation only for a subset of addresses, or only for a subset of its maximal timespan.
172//!
173//! When an [allocation] is created, it has a unique Original Pointer. For alloc
174//! APIs this is literally the pointer the call returns, and for local variables and statics,
175//! this is the name of the variable/static. (This is mildly overloading the term "pointer"
176//! for the sake of brevity/exposition.)
177//!
178//! The Original Pointer for an allocation has provenance that constrains the *spatial*
179//! permissions of this pointer to the memory range of the allocation, and the *temporal*
180//! permissions to the lifetime of the allocation. Provenance is implicitly inherited by all
181//! pointers transitively derived from the Original Pointer through operations like [`offset`],
182//! borrowing, and pointer casts. Some operations may *shrink* the permissions of the derived
183//! provenance, limiting how much memory it can access or how long it's valid for (i.e. borrowing a
184//! subfield and subslicing can shrink the spatial component of provenance, and all borrowing can
185//! shrink the temporal component of provenance). However, no operation can ever *grow* the
186//! permissions of the derived provenance: even if you "know" there is a larger allocation, you
187//! can't derive a pointer with a larger provenance. Similarly, you cannot "recombine" two
188//! contiguous provenances back into one (i.e. with a `fn merge(&[T], &[T]) -> &[T]`).
189//!
190//! A reference to a place always has provenance over at least the memory that place occupies.
191//! A reference to a slice always has provenance over at least the range that slice describes.
192//! Whether and when exactly the provenance of a reference gets "shrunk" to *exactly* fit
193//! the memory it points to is not yet determined.
194//!
195//! A *shared* reference only ever has provenance that permits reading from memory,
196//! and never permits writes, except inside [`UnsafeCell`].
197//!
198//! Provenance can affect whether a program has undefined behavior:
199//!
200//! * It is undefined behavior to access memory through a pointer that does not have provenance over
201//! that memory. Note that a pointer "at the end" of its provenance is not actually outside its
202//! provenance, it just has 0 bytes it can load/store. Zero-sized accesses do not require any
203//! provenance since they access an empty range of memory.
204//!
205//! * It is undefined behavior to [`offset`] a pointer across a memory range that is not contained
206//! in the allocation it is derived from, or to [`offset_from`] two pointers not derived
207//! from the same allocation. Provenance is used to say what exactly "derived from" even
208//! means: the lineage of a pointer is traced back to the Original Pointer it descends from, and
209//! that identifies the relevant allocation. In particular, it's always UB to offset a
210//! pointer derived from something that is now deallocated, except if the offset is 0.
211//!
212//! But it *is* still sound to:
213//!
214//! * Create a pointer without provenance from just an address (see [`without_provenance`]). Such a
215//! pointer cannot be used for memory accesses (except for zero-sized accesses). This can still be
216//! useful for sentinel values like `null` *or* to represent a tagged pointer that will never be
217//! dereferenceable. In general, it is always sound for an integer to pretend to be a pointer "for
218//! fun" as long as you don't use operations on it which require it to be valid (non-zero-sized
219//! offset, read, write, etc).
220//!
221//! * Forge an allocation of size zero at any sufficiently aligned non-null address.
222//! i.e. the usual "ZSTs are fake, do what you want" rules apply.
223//!
224//! * [`wrapping_offset`] a pointer outside its provenance. This includes pointers
225//! which have "no" provenance. In particular, this makes it sound to do pointer tagging tricks.
226//!
227//! * Compare arbitrary pointers by address. Pointer comparison ignores provenance and addresses
228//! *are* just integers, so there is always a coherent answer, even if the pointers are dangling
229//! or from different provenances. Note that if you get "lucky" and notice that a pointer at the
230//! end of one allocation is the "same" address as the start of another allocation,
231//! anything you do with that fact is *probably* going to be gibberish. The scope of that
232//! gibberish is kept under control by the fact that the two pointers *still* aren't allowed to
233//! access the other's allocation (bytes), because they still have different provenance.
234//!
235//! Note that the full definition of provenance in Rust is not decided yet, as this interacts
236//! with the as-yet undecided [aliasing] rules.
237//!
238//! ## Pointers Vs Integers
239//!
240//! From this discussion, it becomes very clear that a `usize` *cannot* accurately represent a pointer,
241//! and converting from a pointer to a `usize` is generally an operation which *only* extracts the
242//! address. Converting this address back into pointer requires somehow answering the question:
243//! which provenance should the resulting pointer have?
244//!
245//! Rust provides two ways of dealing with this situation: *Strict Provenance* and *Exposed Provenance*.
246//!
247//! Note that a pointer *can* represent a `usize` (via [`without_provenance`]), so the right type to
248//! use in situations where a value is "sometimes a pointer and sometimes a bare `usize`" is a
249//! pointer type.
250//!
251//! ## Strict Provenance
252//!
253//! "Strict Provenance" refers to a set of APIs designed to make working with provenance more
254//! explicit. They are intended as substitutes for casting a pointer to an integer and back.
255//!
256//! Entirely avoiding integer-to-pointer casts successfully side-steps the inherent ambiguity of
257//! that operation. This benefits compiler optimizations, and it is pretty much a requirement for
258//! using tools like [Miri] and architectures like [CHERI] that aim to detect and diagnose pointer
259//! misuse.
260//!
261//! The key insight to making programming without integer-to-pointer casts *at all* viable is the
262//! [`with_addr`] method:
263//!
264//! ```text
265//! /// Creates a new pointer with the given address and the provenance of `self`.
266//! ///
267//! /// This is similar to a `addr as *const T` cast,
268//! /// but copies the provenance of `self` to the new pointer.
269//! /// This avoids the inherent ambiguity of the unary cast.
270//! ///
271//! /// This is equivalent to using `wrapping_offset` to offset `self` to the given address,
272//! /// and therefore has all the same capabilities and restrictions.
273//! pub fn with_addr(self, addr: usize) -> Self;
274//! ```
275//!
276//! So you're still able to drop down to the address representation and do whatever
277//! clever bit tricks you want *as long as* you're able to keep around a pointer
278//! into the allocation you care about that can "reconstitute" the provenance.
279//! Usually this is very easy, because you only are taking a pointer, messing with the address,
280//! and then immediately converting back to a pointer. To make this use case more ergonomic,
281//! we provide the [`map_addr`] method.
282//!
283//! To help make it clear that code is "following" Strict Provenance semantics, we also provide an
284//! [`addr`] method which promises that the returned address is not part of a
285//! pointer-integer-pointer roundtrip. In the future we may provide a lint for pointer<->integer
286//! casts to help you audit if your code conforms to strict provenance.
287//!
288//! ### Using Strict Provenance
289//!
290//! Most code needs no changes to conform to strict provenance, as the only really concerning
291//! operation is casts from `usize` to a pointer. For code which *does* cast a `usize` to a pointer,
292//! the scope of the change depends on exactly what you're doing.
293//!
294//! In general, you just need to make sure that if you want to convert a `usize` address to a
295//! pointer and then use that pointer to read/write memory, you need to keep around a pointer
296//! that has sufficient provenance to perform that read/write itself. In this way all of your
297//! casts from an address to a pointer are essentially just applying offsets/indexing.
298//!
299//! This is generally trivial to do for simple cases like tagged pointers *as long as you
300//! represent the tagged pointer as an actual pointer and not a `usize`*. For instance:
301//!
302//! ```
303//! // A flag we want to pack into our pointer
304//! static HAS_DATA: usize = 0x1;
305//! static FLAG_MASK: usize = !HAS_DATA;
306//!
307//! // Our value, which must have enough alignment to have spare least-significant-bits.
308//! let my_precious_data: u32 = 17;
309//! assert!(align_of::<u32>() > 1);
310//!
311//! // Create a tagged pointer
312//! let ptr = &my_precious_data as *const u32;
313//! let tagged = ptr.map_addr(|addr| addr | HAS_DATA);
314//!
315//! // Check the flag:
316//! if tagged.addr() & HAS_DATA != 0 {
317//! // Untag and read the pointer
318//! let data = unsafe { *tagged.map_addr(|addr| addr & FLAG_MASK) };
319//! assert_eq!(data, 17);
320//! } else {
321//! unreachable!()
322//! }
323//! ```
324//!
325//! (Yes, if you've been using [`AtomicUsize`] for pointers in concurrent datastructures, you should
326//! be using [`AtomicPtr`] instead. If that messes up the way you atomically manipulate pointers,
327//! we would like to know why, and what needs to be done to fix it.)
328//!
329//! Situations where a valid pointer *must* be created from just an address, such as baremetal code
330//! accessing a memory-mapped interface at a fixed address, cannot currently be handled with strict
331//! provenance APIs and should use [exposed provenance](#exposed-provenance).
332//!
333//! ## Exposed Provenance
334//!
335//! As discussed above, integer-to-pointer casts are not possible with Strict Provenance APIs.
336//! This is by design: the goal of Strict Provenance is to provide a clear specification that we are
337//! confident can be formalized unambiguously and can be subject to precise formal reasoning.
338//! Integer-to-pointer casts do not (currently) have such a clear specification.
339//!
340//! However, there exist situations where integer-to-pointer casts cannot be avoided, or
341//! where avoiding them would require major refactoring. Legacy platform APIs also regularly assume
342//! that `usize` can capture all the information that makes up a pointer.
343//! Bare-metal platforms can also require the synthesis of a pointer "out of thin air" without
344//! anywhere to obtain proper provenance from.
345//!
346//! Rust's model for dealing with integer-to-pointer casts is called *Exposed Provenance*. However,
347//! the semantics of Exposed Provenance are on much less solid footing than Strict Provenance, and
348//! at this point it is not yet clear whether a satisfying unambiguous semantics can be defined for
349//! Exposed Provenance. (If that sounds bad, be reassured that other popular languages that provide
350//! integer-to-pointer casts are not faring any better.) Furthermore, Exposed Provenance will not
351//! work (well) with tools like [Miri] and [CHERI].
352//!
353//! Exposed Provenance is provided by the [`expose_provenance`] and [`with_exposed_provenance`] methods,
354//! which are equivalent to `as` casts between pointers and integers.
355//! - [`expose_provenance`] is a lot like [`addr`], but additionally adds the provenance of the
356//! pointer to a global list of 'exposed' provenances. (This list is purely conceptual, it exists
357//! for the purpose of specifying Rust but is not materialized in actual executions, except in
358//! tools like [Miri].)
359//! Memory which is outside the control of the Rust abstract machine (MMIO registers, for example)
360//! is always considered to be exposed, so long as this memory is disjoint from memory that will
361//! be used by the abstract machine such as the stack, heap, and statics.
362//! - [`with_exposed_provenance`] can be used to construct a pointer with one of these previously
363//! 'exposed' provenances. [`with_exposed_provenance`] takes only `addr: usize` as arguments, so
364//! unlike in [`with_addr`] there is no indication of what the correct provenance for the returned
365//! pointer is -- and that is exactly what makes integer-to-pointer casts so tricky to rigorously
366//! specify! The compiler will do its best to pick the right provenance for you, but currently we
367//! cannot provide any guarantees about which provenance the resulting pointer will have. Only one
368//! thing is clear: if there is *no* previously 'exposed' provenance that justifies the way the
369//! returned pointer will be used, the program has undefined behavior.
370//!
371//! If at all possible, we encourage code to be ported to [Strict Provenance] APIs, thus avoiding
372//! the need for Exposed Provenance. Maximizing the amount of such code is a major win for avoiding
373//! specification complexity and to facilitate adoption of tools like [CHERI] and [Miri] that can be
374//! a big help in increasing the confidence in (unsafe) Rust code. However, we acknowledge that this
375//! is not always possible, and offer Exposed Provenance as a way to explicit "opt out" of the
376//! well-defined semantics of Strict Provenance, and "opt in" to the unclear semantics of
377//! integer-to-pointer casts.
378//!
379//! [aliasing]: ../../nomicon/aliasing.html
380//! [allocation]: #allocation
381//! [provenance]: #provenance
382//! [book]: ../../book/ch19-01-unsafe-rust.html#dereferencing-a-raw-pointer
383//! [ub]: ../../reference/behavior-considered-undefined.html
384//! [zst]: ../../nomicon/exotic-sizes.html#zero-sized-types-zsts
385//! [atomic operations]: crate::sync::atomic
386//! [`offset`]: pointer::offset
387//! [`offset_from`]: pointer::offset_from
388//! [`wrapping_offset`]: pointer::wrapping_offset
389//! [`with_addr`]: pointer::with_addr
390//! [`map_addr`]: pointer::map_addr
391//! [`addr`]: pointer::addr
392//! [`AtomicUsize`]: crate::sync::atomic::AtomicUsize
393//! [`AtomicPtr`]: crate::sync::atomic::AtomicPtr
394//! [`expose_provenance`]: pointer::expose_provenance
395//! [`with_exposed_provenance`]: with_exposed_provenance
396//! [Miri]: https://github.com/rust-lang/miri
397//! [CHERI]: https://www.cl.cam.ac.uk/research/security/ctsrd/cheri/
398//! [Strict Provenance]: #strict-provenance
399//! [`UnsafeCell`]: core::cell::UnsafeCell
400
401#![stable(feature = "rust1", since = "1.0.0")]
402// There are many unsafe functions taking pointers that don't dereference them.
403#![allow(clippy::not_unsafe_ptr_arg_deref)]
404
405use crate::cmp::Ordering;
406use crate::intrinsics::const_eval_select;
407use crate::marker::{Destruct, FnPtr, PointeeSized};
408use crate::mem::{self, MaybeUninit, SizedTypeProperties};
409use crate::num::NonZero;
410use crate::{fmt, hash, intrinsics, ub_checks};
411
412#[unstable(feature = "ptr_alignment_type", issue = "102070")]
413#[deprecated(since = "1.96.0", note = "moved from `ptr` to `mem`")]
414/// Deprecated re-export of [mem::Alignment].
415pub type Alignment = mem::Alignment;
416
417mod metadata;
418#[unstable(feature = "ptr_metadata", issue = "81513")]
419pub use metadata::{DynMetadata, Pointee, Thin, from_raw_parts, from_raw_parts_mut, metadata};
420
421mod non_null;
422#[stable(feature = "nonnull", since = "1.25.0")]
423pub use non_null::NonNull;
424
425mod unique;
426#[unstable(feature = "ptr_internals", issue = "none")]
427pub use unique::Unique;
428
429mod const_ptr;
430mod mut_ptr;
431
432// Some functions are defined here because they accidentally got made
433// available in this module on stable. See <https://github.com/rust-lang/rust/issues/15702>.
434// (`transmute` also falls into this category, but it cannot be wrapped due to the
435// check that `T` and `U` have the same size.)
436
437/// Copies `count * size_of::<T>()` bytes from `src` to `dst`. The source
438/// and destination must *not* overlap.
439///
440/// For regions of memory which might overlap, use [`copy`] instead.
441///
442/// `copy_nonoverlapping` is semantically equivalent to C's [`memcpy`], but
443/// with the source and destination arguments swapped,
444/// and `count` counting the number of `T`s instead of bytes.
445///
446/// The copy is "untyped" in the sense that data may be uninitialized or otherwise violate the
447/// requirements of `T`. The initialization state is preserved exactly.
448///
449/// [`memcpy`]: https://en.cppreference.com/w/c/string/byte/memcpy
450///
451/// # Safety
452///
453/// Behavior is undefined if any of the following conditions are violated:
454///
455/// * `src` must be [valid] for reads of `count * size_of::<T>()` bytes or that number must be 0.
456///
457/// * `dst` must be [valid] for writes of `count * size_of::<T>()` bytes or that number must be 0.
458///
459/// * Both `src` and `dst` must be properly aligned.
460///
461/// * The region of memory beginning at `src` with a size of `count *
462/// size_of::<T>()` bytes must *not* overlap with the region of memory
463/// beginning at `dst` with the same size.
464///
465/// Like [`read`], `copy_nonoverlapping` creates a bitwise copy of `T`, regardless of
466/// whether `T` is [`Copy`]. If `T` is not [`Copy`], using *both* the values
467/// in the region beginning at `*src` and the region beginning at `*dst` can
468/// [violate memory safety][read-ownership].
469///
470/// Note that even if the effectively copied size (`count * size_of::<T>()`) is
471/// `0`, the pointers must be properly aligned.
472///
473/// [`read`]: crate::ptr::read
474/// [read-ownership]: crate::ptr::read#ownership-of-the-returned-value
475/// [valid]: crate::ptr#safety
476///
477/// # Examples
478///
479/// Manually implement [`Vec::append`]:
480///
481/// ```
482/// use std::ptr;
483///
484/// /// Moves all the elements of `src` into `dst`, leaving `src` empty.
485/// fn append<T>(dst: &mut Vec<T>, src: &mut Vec<T>) {
486/// let src_len = src.len();
487/// let dst_len = dst.len();
488///
489/// // Ensure that `dst` has enough capacity to hold all of `src`.
490/// dst.reserve(src_len);
491///
492/// unsafe {
493/// // The call to add is always safe because `Vec` will never
494/// // allocate more than `isize::MAX` bytes.
495/// let dst_ptr = dst.as_mut_ptr().add(dst_len);
496/// let src_ptr = src.as_ptr();
497///
498/// // Truncate `src` without dropping its contents. We do this first,
499/// // to avoid problems in case something further down panics.
500/// src.set_len(0);
501///
502/// // The two regions cannot overlap because mutable references do
503/// // not alias, and two different vectors cannot own the same
504/// // memory.
505/// ptr::copy_nonoverlapping(src_ptr, dst_ptr, src_len);
506///
507/// // Notify `dst` that it now holds the contents of `src`.
508/// dst.set_len(dst_len + src_len);
509/// }
510/// }
511///
512/// let mut a = vec!['r'];
513/// let mut b = vec!['u', 's', 't'];
514///
515/// append(&mut a, &mut b);
516///
517/// assert_eq!(a, &['r', 'u', 's', 't']);
518/// assert!(b.is_empty());
519/// ```
520///
521/// [`Vec::append`]: ../../std/vec/struct.Vec.html#method.append
522#[doc(alias = "memcpy")]
523#[stable(feature = "rust1", since = "1.0.0")]
524#[rustc_const_stable(feature = "const_intrinsic_copy", since = "1.83.0")]
525#[inline(always)]
526#[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
527#[rustc_diagnostic_item = "ptr_copy_nonoverlapping"]
528pub const unsafe fn copy_nonoverlapping<T>(src: *const T, dst: *mut T, count: usize) {
529 ub_checks::assert_unsafe_precondition!(
530 check_language_ub,
531 "ptr::copy_nonoverlapping requires that both pointer arguments are aligned and non-null \
532 and the specified memory ranges do not overlap",
533 (
534 src: *const () = src as *const (),
535 dst: *mut () = dst as *mut (),
536 size: usize = size_of::<T>(),
537 align: usize = align_of::<T>(),
538 count: usize = count,
539 ) => {
540 let zero_size = count == 0 || size == 0;
541 ub_checks::maybe_is_aligned_and_not_null(src, align, zero_size)
542 && ub_checks::maybe_is_aligned_and_not_null(dst, align, zero_size)
543 && ub_checks::maybe_is_nonoverlapping(src, dst, size, count)
544 }
545 );
546
547 // SAFETY: the safety contract for `copy_nonoverlapping` must be
548 // upheld by the caller.
549 unsafe { crate::intrinsics::copy_nonoverlapping(src, dst, count) }
550}
551
552/// Copies `count * size_of::<T>()` bytes from `src` to `dst`. The source
553/// and destination may overlap.
554///
555/// If the source and destination will *never* overlap,
556/// [`copy_nonoverlapping`] can be used instead.
557///
558/// `copy` is semantically equivalent to C's [`memmove`], but
559/// with the source and destination arguments swapped,
560/// and `count` counting the number of `T`s instead of bytes.
561/// Copying takes place as if the bytes were copied from `src`
562/// to a temporary array and then copied from the array to `dst`.
563///
564/// The copy is "untyped" in the sense that data may be uninitialized or otherwise violate the
565/// requirements of `T`. The initialization state is preserved exactly.
566///
567/// [`memmove`]: https://en.cppreference.com/w/c/string/byte/memmove
568///
569/// # Safety
570///
571/// Behavior is undefined if any of the following conditions are violated:
572///
573/// * `src` must be [valid] for reads of `count * size_of::<T>()` bytes or that number must be 0.
574///
575/// * `dst` must be [valid] for writes of `count * size_of::<T>()` bytes or that number must be 0,
576/// and `dst` must remain valid even when `src` is read for `count * size_of::<T>()` bytes. (This
577/// means if the memory ranges overlap, the `dst` pointer must not be invalidated by `src` reads.)
578///
579/// * Both `src` and `dst` must be properly aligned.
580///
581/// Like [`read`], `copy` creates a bitwise copy of `T`, regardless of
582/// whether `T` is [`Copy`]. If `T` is not [`Copy`], using both the values
583/// in the region beginning at `*src` and the region beginning at `*dst` can
584/// [violate memory safety][read-ownership].
585///
586/// Note that even if the effectively copied size (`count * size_of::<T>()`) is
587/// `0`, the pointers must be properly aligned.
588///
589/// [`read`]: crate::ptr::read
590/// [read-ownership]: crate::ptr::read#ownership-of-the-returned-value
591/// [valid]: crate::ptr#safety
592///
593/// # Examples
594///
595/// Efficiently create a Rust vector from an unsafe buffer:
596///
597/// ```
598/// use std::ptr;
599///
600/// /// # Safety
601/// ///
602/// /// * `ptr` must be correctly aligned for its type and non-zero.
603/// /// * `ptr` must be valid for reads of `elts` contiguous elements of type `T`.
604/// /// * Those elements must not be used after calling this function unless `T: Copy`.
605/// # #[allow(dead_code)]
606/// unsafe fn from_buf_raw<T>(ptr: *const T, elts: usize) -> Vec<T> {
607/// let mut dst = Vec::with_capacity(elts);
608///
609/// // SAFETY: Our precondition ensures the source is aligned and valid,
610/// // and `Vec::with_capacity` ensures that we have usable space to write them.
611/// unsafe { ptr::copy(ptr, dst.as_mut_ptr(), elts); }
612///
613/// // SAFETY: We created it with this much capacity earlier,
614/// // and the previous `copy` has initialized these elements.
615/// unsafe { dst.set_len(elts); }
616/// dst
617/// }
618/// ```
619#[doc(alias = "memmove")]
620#[stable(feature = "rust1", since = "1.0.0")]
621#[rustc_const_stable(feature = "const_intrinsic_copy", since = "1.83.0")]
622#[inline(always)]
623#[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
624#[rustc_diagnostic_item = "ptr_copy"]
625pub const unsafe fn copy<T>(src: *const T, dst: *mut T, count: usize) {
626 // SAFETY: the safety contract for `copy` must be upheld by the caller.
627 unsafe {
628 ub_checks::assert_unsafe_precondition!(
629 check_language_ub,
630 "ptr::copy requires that both pointer arguments are aligned and non-null",
631 (
632 src: *const () = src as *const (),
633 dst: *mut () = dst as *mut (),
634 align: usize = align_of::<T>(),
635 zero_size: bool = T::IS_ZST || count == 0,
636 ) =>
637 ub_checks::maybe_is_aligned_and_not_null(src, align, zero_size)
638 && ub_checks::maybe_is_aligned_and_not_null(dst, align, zero_size)
639 );
640 crate::intrinsics::copy(src, dst, count)
641 }
642}
643
644/// Sets `count * size_of::<T>()` bytes of memory starting at `dst` to
645/// `val`.
646///
647/// `write_bytes` is similar to C's [`memset`], but sets `count *
648/// size_of::<T>()` bytes to `val`.
649///
650/// [`memset`]: https://en.cppreference.com/w/c/string/byte/memset
651///
652/// # Safety
653///
654/// Behavior is undefined if any of the following conditions are violated:
655///
656/// * `dst` must be [valid] for writes of `count * size_of::<T>()` bytes.
657///
658/// * `dst` must be properly aligned.
659///
660/// Note that even if the effectively copied size (`count * size_of::<T>()`) is
661/// `0`, the pointer must be properly aligned.
662///
663/// Additionally, note that changing `*dst` in this way can easily lead to undefined behavior (UB)
664/// later if the written bytes are not a valid representation of some `T`. For instance, the
665/// following is an **incorrect** use of this function:
666///
667/// ```rust,no_run
668/// unsafe {
669/// let mut value: u8 = 0;
670/// let ptr: *mut bool = &mut value as *mut u8 as *mut bool;
671/// let _bool = ptr.read(); // This is fine, `ptr` points to a valid `bool`.
672/// ptr.write_bytes(42u8, 1); // This function itself does not cause UB...
673/// let _bool = ptr.read(); // ...but it makes this operation UB! ⚠️
674/// }
675/// ```
676///
677/// [valid]: crate::ptr#safety
678///
679/// # Examples
680///
681/// Basic usage:
682///
683/// ```
684/// use std::ptr;
685///
686/// let mut vec = vec![0u32; 4];
687/// unsafe {
688/// let vec_ptr = vec.as_mut_ptr();
689/// ptr::write_bytes(vec_ptr, 0xfe, 2);
690/// }
691/// assert_eq!(vec, [0xfefefefe, 0xfefefefe, 0, 0]);
692/// ```
693#[doc(alias = "memset")]
694#[stable(feature = "rust1", since = "1.0.0")]
695#[rustc_const_stable(feature = "const_ptr_write", since = "1.83.0")]
696#[inline(always)]
697#[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
698#[rustc_diagnostic_item = "ptr_write_bytes"]
699pub const unsafe fn write_bytes<T>(dst: *mut T, val: u8, count: usize) {
700 // SAFETY: the safety contract for `write_bytes` must be upheld by the caller.
701 unsafe {
702 ub_checks::assert_unsafe_precondition!(
703 check_language_ub,
704 "ptr::write_bytes requires that the destination pointer is aligned and non-null",
705 (
706 addr: *const () = dst as *const (),
707 align: usize = align_of::<T>(),
708 zero_size: bool = T::IS_ZST || count == 0,
709 ) => ub_checks::maybe_is_aligned_and_not_null(addr, align, zero_size)
710 );
711 crate::intrinsics::write_bytes(dst, val, count)
712 }
713}
714
715/// Executes the destructor (if any) of the pointed-to value.
716///
717/// This is almost the same as calling [`ptr::read`] and discarding
718/// the result, but has the following advantages:
719// FIXME: say something more useful than "almost the same"?
720// There are open questions here: `read` requires the value to be fully valid, e.g. if `T` is a
721// `bool` it must be 0 or 1, if it is a reference then it must be dereferenceable. `drop_in_place`
722// only requires that `*to_drop` be "valid for dropping" and we have not defined what that means. In
723// Miri it currently (May 2024) requires nothing at all for types without drop glue.
724///
725/// * It is *required* to use `drop_in_place` to drop unsized types like
726/// trait objects, because they can't be read out onto the stack and
727/// dropped normally.
728///
729/// * It is friendlier to the optimizer to do this over [`ptr::read`] when
730/// dropping manually allocated memory (e.g., in the implementations of
731/// `Box`/`Rc`/`Vec`), as the compiler doesn't need to prove that it's
732/// sound to elide the copy.
733///
734/// * It can be used to drop [pinned] data when `T` is not `repr(packed)`
735/// (pinned data must not be moved before it is dropped).
736///
737/// Unaligned values cannot be dropped in place, they must be copied to an aligned
738/// location first using [`ptr::read_unaligned`]. For packed structs, this move is
739/// done automatically by the compiler. This means the fields of packed structs
740/// are not dropped in-place.
741///
742/// [`ptr::read`]: self::read
743/// [`ptr::read_unaligned`]: self::read_unaligned
744/// [pinned]: crate::pin
745///
746/// # Safety
747///
748/// Behavior is undefined if any of the following conditions are violated:
749///
750/// * `to_drop` must be [valid] for both reads and writes.
751///
752/// * `to_drop` must be properly aligned, even if `T` has size 0.
753///
754/// * `to_drop` must be nonnull, even if `T` has size 0.
755///
756/// * The value `to_drop` points to must be valid for dropping, which may mean
757/// it must uphold additional invariants. These invariants depend on the type
758/// of the value being dropped. For instance, when dropping a Box, the box's
759/// pointer to the heap must be valid.
760///
761/// * While `drop_in_place` is executing, the only way to access parts of
762/// `to_drop` is through the `&mut self` references supplied to the
763/// `Drop::drop` methods that `drop_in_place` invokes.
764///
765/// Additionally, if `T` is not [`Copy`], using the pointed-to value after
766/// calling `drop_in_place` can cause undefined behavior. Note that `*to_drop =
767/// foo` counts as a use because it will cause the value to be dropped
768/// again. [`write()`] can be used to overwrite data without causing it to be
769/// dropped.
770///
771/// [valid]: self#safety
772///
773/// # Examples
774///
775/// Manually remove the last item from a vector:
776///
777/// ```
778/// use std::ptr;
779/// use std::rc::Rc;
780///
781/// let last = Rc::new(1);
782/// let weak = Rc::downgrade(&last);
783///
784/// let mut v = vec![Rc::new(0), last];
785///
786/// unsafe {
787/// // Get a raw pointer to the last element in `v`.
788/// let ptr = &mut v[1] as *mut _;
789/// // Shorten `v` to prevent the last item from being dropped. We do that first,
790/// // to prevent issues if the `drop_in_place` below panics.
791/// v.set_len(1);
792/// // Without a call `drop_in_place`, the last item would never be dropped,
793/// // and the memory it manages would be leaked.
794/// ptr::drop_in_place(ptr);
795/// }
796///
797/// assert_eq!(v, &[0.into()]);
798///
799/// // Ensure that the last item was dropped.
800/// assert!(weak.upgrade().is_none());
801/// ```
802#[inline(always)]
803#[stable(feature = "drop_in_place", since = "1.8.0")]
804#[rustc_diagnostic_item = "ptr_drop_in_place"]
805#[rustc_const_unstable(feature = "const_drop_in_place", issue = "109342")]
806pub const unsafe fn drop_in_place<T: PointeeSized>(to_drop: *mut T)
807where
808 T: [const] Destruct,
809{
810 // Due to historic reasons, `drop_in_place` takes a pointer rather than a reference,
811 // which results in worse codegen since we don't apply noalias/dereferenceable llvm
812 // attributes to pointer arguments. To workaround this without breaking public
813 // interface, `drop_in_place` calls the lang item, rather than being one directly.
814
815 // SAFETY:
816 // - compiler glue has the same safety requirements as this function
817 // - the pointer must be valid as per the safety requirement of this function
818 unsafe { drop_glue(&mut *to_drop) }
819}
820
821/// Helper function for `drop_in_place`. The compiler replaces this by the actual drop glue.
822#[lang = "drop_glue"]
823pub(crate) const unsafe fn drop_glue<T: PointeeSized>(_: &mut T)
824where
825 T: [const] Destruct,
826{
827 // Code here does not matter - this is replaced by the
828 // real drop glue by the compiler.
829}
830
831/// Creates a null raw pointer.
832///
833/// This function is equivalent to zero-initializing the pointer:
834/// `MaybeUninit::<*const T>::zeroed().assume_init()`.
835/// The resulting pointer has the address 0.
836///
837/// # Examples
838///
839/// ```
840/// use std::ptr;
841///
842/// let p: *const i32 = ptr::null();
843/// assert!(p.is_null());
844/// assert_eq!(p as usize, 0); // this pointer has the address 0
845/// ```
846#[inline(always)]
847#[must_use]
848#[stable(feature = "rust1", since = "1.0.0")]
849#[rustc_promotable]
850#[rustc_const_stable(feature = "const_ptr_null", since = "1.24.0")]
851#[rustc_diagnostic_item = "ptr_null"]
852pub const fn null<T: PointeeSized + Thin>() -> *const T {
853 from_raw_parts(without_provenance::<()>(0), ())
854}
855
856/// Creates a null mutable raw pointer.
857///
858/// This function is equivalent to zero-initializing the pointer:
859/// `MaybeUninit::<*mut T>::zeroed().assume_init()`.
860/// The resulting pointer has the address 0.
861///
862/// # Examples
863///
864/// ```
865/// use std::ptr;
866///
867/// let p: *mut i32 = ptr::null_mut();
868/// assert!(p.is_null());
869/// assert_eq!(p as usize, 0); // this pointer has the address 0
870/// ```
871#[inline(always)]
872#[must_use]
873#[stable(feature = "rust1", since = "1.0.0")]
874#[rustc_promotable]
875#[rustc_const_stable(feature = "const_ptr_null", since = "1.24.0")]
876#[rustc_diagnostic_item = "ptr_null_mut"]
877pub const fn null_mut<T: PointeeSized + Thin>() -> *mut T {
878 from_raw_parts_mut(without_provenance_mut::<()>(0), ())
879}
880
881/// Creates a pointer with the given address and no [provenance][crate::ptr#provenance].
882///
883/// This is equivalent to `ptr::null().with_addr(addr)`.
884///
885/// Without provenance, this pointer is not associated with any actual allocation. Such a
886/// no-provenance pointer may be used for zero-sized memory accesses (if suitably aligned), but
887/// non-zero-sized memory accesses with a no-provenance pointer are UB. No-provenance pointers are
888/// little more than a `usize` address in disguise.
889///
890/// This is different from `addr as *const T`, which creates a pointer that picks up a previously
891/// exposed provenance. See [`with_exposed_provenance`] for more details on that operation.
892///
893/// This is a [Strict Provenance][crate::ptr#strict-provenance] API.
894#[inline(always)]
895#[must_use]
896#[stable(feature = "strict_provenance", since = "1.84.0")]
897#[rustc_const_stable(feature = "strict_provenance", since = "1.84.0")]
898#[rustc_diagnostic_item = "ptr_without_provenance"]
899pub const fn without_provenance<T>(addr: usize) -> *const T {
900 without_provenance_mut(addr)
901}
902
903/// Creates a new pointer that is dangling, but non-null and well-aligned.
904///
905/// This is useful for initializing types which lazily allocate, like
906/// `Vec::new` does.
907///
908/// Note that the address of the returned pointer may potentially
909/// be that of a valid pointer, which means this must not be used
910/// as a "not yet initialized" sentinel value.
911/// Types that lazily allocate must track initialization by some other means.
912#[inline(always)]
913#[must_use]
914#[stable(feature = "strict_provenance", since = "1.84.0")]
915#[rustc_const_stable(feature = "strict_provenance", since = "1.84.0")]
916pub const fn dangling<T>() -> *const T {
917 dangling_mut()
918}
919
920/// Creates a pointer with the given address and no [provenance][crate::ptr#provenance].
921///
922/// This is equivalent to `ptr::null_mut().with_addr(addr)`.
923///
924/// Without provenance, this pointer is not associated with any actual allocation. Such a
925/// no-provenance pointer may be used for zero-sized memory accesses (if suitably aligned), but
926/// non-zero-sized memory accesses with a no-provenance pointer are UB. No-provenance pointers are
927/// little more than a `usize` address in disguise.
928///
929/// This is different from `addr as *mut T`, which creates a pointer that picks up a previously
930/// exposed provenance. See [`with_exposed_provenance_mut`] for more details on that operation.
931///
932/// This is a [Strict Provenance][crate::ptr#strict-provenance] API.
933#[inline(always)]
934#[must_use]
935#[stable(feature = "strict_provenance", since = "1.84.0")]
936#[rustc_const_stable(feature = "strict_provenance", since = "1.84.0")]
937#[rustc_diagnostic_item = "ptr_without_provenance_mut"]
938#[allow(integer_to_ptr_transmutes)] // Expected semantics here.
939pub const fn without_provenance_mut<T>(addr: usize) -> *mut T {
940 // An int-to-pointer transmute currently has exactly the intended semantics: it creates a
941 // pointer without provenance. Note that this is *not* a stable guarantee about transmute
942 // semantics, it relies on sysroot crates having special status.
943 // SAFETY: every valid integer is also a valid pointer (as long as you don't dereference that
944 // pointer).
945 unsafe { mem::transmute(addr) }
946}
947
948/// Creates a new pointer that is dangling, but non-null and well-aligned.
949///
950/// This is useful for initializing types which lazily allocate, like
951/// `Vec::new` does.
952///
953/// Note that the address of the returned pointer may potentially
954/// be that of a valid pointer, which means this must not be used
955/// as a "not yet initialized" sentinel value.
956/// Types that lazily allocate must track initialization by some other means.
957#[inline(always)]
958#[must_use]
959#[stable(feature = "strict_provenance", since = "1.84.0")]
960#[rustc_const_stable(feature = "strict_provenance", since = "1.84.0")]
961pub const fn dangling_mut<T>() -> *mut T {
962 NonNull::dangling().as_ptr()
963}
964
965/// Converts an address back to a pointer, picking up some previously 'exposed'
966/// [provenance][crate::ptr#provenance].
967///
968/// This is fully equivalent to `addr as *const T`. The provenance of the returned pointer is that
969/// of *some* pointer that was previously exposed by passing it to
970/// [`expose_provenance`][pointer::expose_provenance], or a `ptr as usize` cast. In addition, memory
971/// which is outside the control of the Rust abstract machine (MMIO registers, for example) is
972/// always considered to be accessible with an exposed provenance, so long as this memory is disjoint
973/// from memory that will be used by the abstract machine such as the stack, heap, and statics.
974///
975/// The exact provenance that gets picked is not specified. The compiler will do its best to pick
976/// the "right" provenance for you (whatever that may be), but currently we cannot provide any
977/// guarantees about which provenance the resulting pointer will have -- and therefore there
978/// is no definite specification for which memory the resulting pointer may access.
979///
980/// If there is *no* previously 'exposed' provenance that justifies the way the returned pointer
981/// will be used, the program has undefined behavior. In particular, the aliasing rules still apply:
982/// pointers and references that have been invalidated due to aliasing accesses cannot be used
983/// anymore, even if they have been exposed!
984///
985/// Due to its inherent ambiguity, this operation may not be supported by tools that help you to
986/// stay conformant with the Rust memory model. It is recommended to use [Strict
987/// Provenance][self#strict-provenance] APIs such as [`with_addr`][pointer::with_addr] wherever
988/// possible.
989///
990/// On most platforms this will produce a value with the same bytes as the address. Platforms
991/// which need to store additional information in a pointer may not support this operation,
992/// since it is generally not possible to actually *compute* which provenance the returned
993/// pointer has to pick up.
994///
995/// This is an [Exposed Provenance][crate::ptr#exposed-provenance] API.
996#[must_use]
997#[inline(always)]
998#[stable(feature = "exposed_provenance", since = "1.84.0")]
999#[rustc_const_stable(feature = "const_exposed_provenance", since = "1.91.0")]
1000#[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
1001#[allow(implicit_provenance_casts)] // this *is* the explicit provenance API one should use instead
1002pub const fn with_exposed_provenance<T>(addr: usize) -> *const T {
1003 addr as *const T
1004}
1005
1006/// Converts an address back to a mutable pointer, picking up some previously 'exposed'
1007/// [provenance][crate::ptr#provenance].
1008///
1009/// This is fully equivalent to `addr as *mut T`. The provenance of the returned pointer is that
1010/// of *some* pointer that was previously exposed by passing it to
1011/// [`expose_provenance`][pointer::expose_provenance], or a `ptr as usize` cast. In addition, memory
1012/// which is outside the control of the Rust abstract machine (MMIO registers, for example) is
1013/// always considered to be accessible with an exposed provenance, so long as this memory is disjoint
1014/// from memory that will be used by the abstract machine such as the stack, heap, and statics.
1015///
1016/// The exact provenance that gets picked is not specified. The compiler will do its best to pick
1017/// the "right" provenance for you (whatever that may be), but currently we cannot provide any
1018/// guarantees about which provenance the resulting pointer will have -- and therefore there
1019/// is no definite specification for which memory the resulting pointer may access.
1020///
1021/// If there is *no* previously 'exposed' provenance that justifies the way the returned pointer
1022/// will be used, the program has undefined behavior. In particular, the aliasing rules still apply:
1023/// pointers and references that have been invalidated due to aliasing accesses cannot be used
1024/// anymore, even if they have been exposed!
1025///
1026/// Due to its inherent ambiguity, this operation may not be supported by tools that help you to
1027/// stay conformant with the Rust memory model. It is recommended to use [Strict
1028/// Provenance][self#strict-provenance] APIs such as [`with_addr`][pointer::with_addr] wherever
1029/// possible.
1030///
1031/// On most platforms this will produce a value with the same bytes as the address. Platforms
1032/// which need to store additional information in a pointer may not support this operation,
1033/// since it is generally not possible to actually *compute* which provenance the returned
1034/// pointer has to pick up.
1035///
1036/// This is an [Exposed Provenance][crate::ptr#exposed-provenance] API.
1037#[must_use]
1038#[inline(always)]
1039#[stable(feature = "exposed_provenance", since = "1.84.0")]
1040#[rustc_const_stable(feature = "const_exposed_provenance", since = "1.91.0")]
1041#[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
1042#[allow(implicit_provenance_casts)] // this *is* the explicit provenance API one should use instead
1043pub const fn with_exposed_provenance_mut<T>(addr: usize) -> *mut T {
1044 addr as *mut T
1045}
1046
1047/// Converts a reference to a raw pointer.
1048///
1049/// For `r: &T`, `from_ref(r)` is equivalent to `r as *const T` (except for the caveat noted below),
1050/// but is a bit safer since it will never silently change type or mutability, in particular if the
1051/// code is refactored.
1052///
1053/// The caller must ensure that the pointee outlives the pointer this function returns, or else it
1054/// will end up dangling.
1055///
1056/// The caller must also ensure that the memory the pointer (non-transitively) points to is never
1057/// written to (except inside an `UnsafeCell`) using this pointer or any pointer derived from it. If
1058/// you need to mutate the pointee, use [`from_mut`]. Specifically, to turn a mutable reference `m:
1059/// &mut T` into `*const T`, prefer `from_mut(m).cast_const()` to obtain a pointer that can later be
1060/// used for mutation.
1061///
1062/// ## Interaction with lifetime extension
1063///
1064/// Note that this has subtle interactions with the rules for lifetime extension of temporaries in
1065/// tail expressions. This code is valid, albeit in a non-obvious way:
1066/// ```rust
1067/// # type T = i32;
1068/// # fn foo() -> T { 42 }
1069/// // The temporary holding the return value of `foo` has its lifetime extended,
1070/// // because the surrounding expression involves no function call.
1071/// let p = &foo() as *const T;
1072/// unsafe { p.read() };
1073/// ```
1074/// Naively replacing the cast with `from_ref` is not valid:
1075/// ```rust,no_run
1076/// # use std::ptr;
1077/// # type T = i32;
1078/// # fn foo() -> T { 42 }
1079/// // The temporary holding the return value of `foo` does *not* have its lifetime extended,
1080/// // because the surrounding expression involves a function call.
1081/// let p = ptr::from_ref(&foo());
1082/// unsafe { p.read() }; // UB! Reading from a dangling pointer ⚠️
1083/// ```
1084/// The recommended way to write this code is to avoid relying on lifetime extension
1085/// when raw pointers are involved:
1086/// ```rust
1087/// # use std::ptr;
1088/// # type T = i32;
1089/// # fn foo() -> T { 42 }
1090/// let x = foo();
1091/// let p = ptr::from_ref(&x);
1092/// unsafe { p.read() };
1093/// ```
1094#[inline(always)]
1095#[must_use]
1096#[stable(feature = "ptr_from_ref", since = "1.76.0")]
1097#[rustc_const_stable(feature = "ptr_from_ref", since = "1.76.0")]
1098#[rustc_never_returns_null_ptr]
1099#[rustc_diagnostic_item = "ptr_from_ref"]
1100pub const fn from_ref<T: PointeeSized>(r: &T) -> *const T {
1101 r
1102}
1103
1104/// Converts a mutable reference to a raw pointer.
1105///
1106/// For `r: &mut T`, `from_mut(r)` is equivalent to `r as *mut T` (except for the caveat noted
1107/// below), but is a bit safer since it will never silently change type or mutability, in particular
1108/// if the code is refactored.
1109///
1110/// The caller must ensure that the pointee outlives the pointer this function returns, or else it
1111/// will end up dangling.
1112///
1113/// ## Interaction with lifetime extension
1114///
1115/// Note that this has subtle interactions with the rules for lifetime extension of temporaries in
1116/// tail expressions. This code is valid, albeit in a non-obvious way:
1117/// ```rust
1118/// # type T = i32;
1119/// # fn foo() -> T { 42 }
1120/// // The temporary holding the return value of `foo` has its lifetime extended,
1121/// // because the surrounding expression involves no function call.
1122/// let p = &mut foo() as *mut T;
1123/// unsafe { p.write(T::default()) };
1124/// ```
1125/// Naively replacing the cast with `from_mut` is not valid:
1126/// ```rust,no_run
1127/// # use std::ptr;
1128/// # type T = i32;
1129/// # fn foo() -> T { 42 }
1130/// // The temporary holding the return value of `foo` does *not* have its lifetime extended,
1131/// // because the surrounding expression involves a function call.
1132/// let p = ptr::from_mut(&mut foo());
1133/// unsafe { p.write(T::default()) }; // UB! Writing to a dangling pointer ⚠️
1134/// ```
1135/// The recommended way to write this code is to avoid relying on lifetime extension
1136/// when raw pointers are involved:
1137/// ```rust
1138/// # use std::ptr;
1139/// # type T = i32;
1140/// # fn foo() -> T { 42 }
1141/// let mut x = foo();
1142/// let p = ptr::from_mut(&mut x);
1143/// unsafe { p.write(T::default()) };
1144/// ```
1145#[inline(always)]
1146#[must_use]
1147#[stable(feature = "ptr_from_ref", since = "1.76.0")]
1148#[rustc_const_stable(feature = "ptr_from_ref", since = "1.76.0")]
1149#[rustc_never_returns_null_ptr]
1150pub const fn from_mut<T: PointeeSized>(r: &mut T) -> *mut T {
1151 r
1152}
1153
1154/// Forms a raw slice from a pointer and a length.
1155///
1156/// The `len` argument is the number of **elements**, not the number of bytes.
1157///
1158/// This function is safe, but actually using the return value is unsafe.
1159/// See the documentation of [`slice::from_raw_parts`] for slice safety requirements.
1160///
1161/// [`slice::from_raw_parts`]: crate::slice::from_raw_parts
1162///
1163/// # Examples
1164///
1165/// ```rust
1166/// use std::ptr;
1167///
1168/// // create a slice pointer when starting out with a pointer to the first element
1169/// let x = [5, 6, 7];
1170/// let raw_pointer = x.as_ptr();
1171/// let slice = ptr::slice_from_raw_parts(raw_pointer, 3);
1172/// assert_eq!(unsafe { &*slice }[2], 7);
1173/// ```
1174///
1175/// You must ensure that the pointer is valid and not null before dereferencing
1176/// the raw slice. A slice reference must never have a null pointer, even if it's empty.
1177///
1178/// ```rust,should_panic
1179/// use std::ptr;
1180/// let danger: *const [u8] = ptr::slice_from_raw_parts(ptr::null(), 0);
1181/// unsafe {
1182/// danger.as_ref().expect("references must not be null");
1183/// }
1184/// ```
1185#[inline]
1186#[stable(feature = "slice_from_raw_parts", since = "1.42.0")]
1187#[rustc_const_stable(feature = "const_slice_from_raw_parts", since = "1.64.0")]
1188#[rustc_diagnostic_item = "ptr_slice_from_raw_parts"]
1189pub const fn slice_from_raw_parts<T>(data: *const T, len: usize) -> *const [T] {
1190 from_raw_parts(data, len)
1191}
1192
1193/// Forms a raw mutable slice from a pointer and a length.
1194///
1195/// The `len` argument is the number of **elements**, not the number of bytes.
1196///
1197/// Performs the same functionality as [`slice_from_raw_parts`], except that a
1198/// raw mutable slice is returned, as opposed to a raw immutable slice.
1199///
1200/// This function is safe, but actually using the return value is unsafe.
1201/// See the documentation of [`slice::from_raw_parts_mut`] for slice safety requirements.
1202///
1203/// [`slice::from_raw_parts_mut`]: crate::slice::from_raw_parts_mut
1204///
1205/// # Examples
1206///
1207/// ```rust
1208/// use std::ptr;
1209///
1210/// let x = &mut [5, 6, 7];
1211/// let raw_pointer = x.as_mut_ptr();
1212/// let slice = ptr::slice_from_raw_parts_mut(raw_pointer, 3);
1213///
1214/// unsafe {
1215/// (*slice)[2] = 99; // assign a value at an index in the slice
1216/// };
1217///
1218/// assert_eq!(unsafe { &*slice }[2], 99);
1219/// ```
1220///
1221/// You must ensure that the pointer is valid and not null before dereferencing
1222/// the raw slice. A slice reference must never have a null pointer, even if it's empty.
1223///
1224/// ```rust,should_panic
1225/// use std::ptr;
1226/// let danger: *mut [u8] = ptr::slice_from_raw_parts_mut(ptr::null_mut(), 0);
1227/// unsafe {
1228/// danger.as_mut().expect("references must not be null");
1229/// }
1230/// ```
1231#[inline]
1232#[stable(feature = "slice_from_raw_parts", since = "1.42.0")]
1233#[rustc_const_stable(feature = "const_slice_from_raw_parts_mut", since = "1.83.0")]
1234#[rustc_diagnostic_item = "ptr_slice_from_raw_parts_mut"]
1235pub const fn slice_from_raw_parts_mut<T>(data: *mut T, len: usize) -> *mut [T] {
1236 from_raw_parts_mut(data, len)
1237}
1238
1239/// Swaps the values at two mutable locations of the same type, without
1240/// deinitializing either.
1241///
1242/// But for the following exceptions, this function is semantically
1243/// equivalent to [`mem::swap`]:
1244///
1245/// * It operates on raw pointers instead of references. When references are
1246/// available, [`mem::swap`] should be preferred.
1247///
1248/// * The two pointed-to values may overlap. If the values do overlap, then the
1249/// overlapping region of memory from `x` will be used. This is demonstrated
1250/// in the second example below.
1251///
1252/// * The operation is "untyped" in the sense that data may be uninitialized or otherwise violate
1253/// the requirements of `T`. The initialization state is preserved exactly.
1254///
1255/// # Safety
1256///
1257/// Behavior is undefined if any of the following conditions are violated:
1258///
1259/// * Both `x` and `y` must be [valid] for both reads and writes. They must remain valid even when the
1260/// other pointer is written. (This means if the memory ranges overlap, the two pointers must not
1261/// be subject to aliasing restrictions relative to each other.)
1262///
1263/// * Both `x` and `y` must be properly aligned.
1264///
1265/// Note that even if `T` has size `0`, the pointers must be properly aligned.
1266///
1267/// [valid]: self#safety
1268///
1269/// # Examples
1270///
1271/// Swapping two non-overlapping regions:
1272///
1273/// ```
1274/// use std::ptr;
1275///
1276/// let mut array = [0, 1, 2, 3];
1277///
1278/// let (x, y) = array.split_at_mut(2);
1279/// let x = x.as_mut_ptr().cast::<[u32; 2]>(); // this is `array[0..2]`
1280/// let y = y.as_mut_ptr().cast::<[u32; 2]>(); // this is `array[2..4]`
1281///
1282/// unsafe {
1283/// ptr::swap(x, y);
1284/// assert_eq!([2, 3, 0, 1], array);
1285/// }
1286/// ```
1287///
1288/// Swapping two overlapping regions:
1289///
1290/// ```
1291/// use std::ptr;
1292///
1293/// let mut array: [i32; 4] = [0, 1, 2, 3];
1294///
1295/// let array_ptr: *mut i32 = array.as_mut_ptr();
1296///
1297/// let x = array_ptr as *mut [i32; 3]; // this is `array[0..3]`
1298/// let y = unsafe { array_ptr.add(1) } as *mut [i32; 3]; // this is `array[1..4]`
1299///
1300/// unsafe {
1301/// ptr::swap(x, y);
1302/// // The indices `1..3` of the slice overlap between `x` and `y`.
1303/// // Reasonable results would be for to them be `[2, 3]`, so that indices `0..3` are
1304/// // `[1, 2, 3]` (matching `y` before the `swap`); or for them to be `[0, 1]`
1305/// // so that indices `1..4` are `[0, 1, 2]` (matching `x` before the `swap`).
1306/// // This implementation is defined to make the latter choice.
1307/// assert_eq!([1, 0, 1, 2], array);
1308/// }
1309/// ```
1310#[inline]
1311#[stable(feature = "rust1", since = "1.0.0")]
1312#[rustc_const_stable(feature = "const_swap", since = "1.85.0")]
1313#[rustc_diagnostic_item = "ptr_swap"]
1314pub const unsafe fn swap<T>(x: *mut T, y: *mut T) {
1315 // Give ourselves some scratch space to work with.
1316 // We do not have to worry about drops: `MaybeUninit` does nothing when dropped.
1317 let mut tmp = MaybeUninit::<T>::uninit();
1318
1319 // Perform the swap
1320 // SAFETY: the caller must guarantee that `x` and `y` are
1321 // valid for writes and properly aligned. `tmp` cannot be
1322 // overlapping either `x` or `y` because `tmp` was just allocated
1323 // on the stack as a separate allocation.
1324 unsafe {
1325 copy_nonoverlapping(x, tmp.as_mut_ptr(), 1);
1326 copy(y, x, 1); // `x` and `y` may overlap
1327 copy_nonoverlapping(tmp.as_ptr(), y, 1);
1328 }
1329}
1330
1331/// Swaps `count * size_of::<T>()` bytes between the two regions of memory
1332/// beginning at `x` and `y`. The two regions must *not* overlap.
1333///
1334/// The operation is "untyped" in the sense that data may be uninitialized or otherwise violate the
1335/// requirements of `T`. The initialization state is preserved exactly.
1336///
1337/// # Safety
1338///
1339/// Behavior is undefined if any of the following conditions are violated:
1340///
1341/// * Both `x` and `y` must be [valid] for both reads and writes of `count *
1342/// size_of::<T>()` bytes.
1343///
1344/// * Both `x` and `y` must be properly aligned.
1345///
1346/// * The region of memory beginning at `x` with a size of `count *
1347/// size_of::<T>()` bytes must *not* overlap with the region of memory
1348/// beginning at `y` with the same size.
1349///
1350/// Note that even if the effectively copied size (`count * size_of::<T>()`) is `0`,
1351/// the pointers must be properly aligned.
1352///
1353/// [valid]: self#safety
1354///
1355/// # Examples
1356///
1357/// Basic usage:
1358///
1359/// ```
1360/// use std::ptr;
1361///
1362/// let mut x = [1, 2, 3, 4];
1363/// let mut y = [7, 8, 9];
1364///
1365/// unsafe {
1366/// ptr::swap_nonoverlapping(x.as_mut_ptr(), y.as_mut_ptr(), 2);
1367/// }
1368///
1369/// assert_eq!(x, [7, 8, 3, 4]);
1370/// assert_eq!(y, [1, 2, 9]);
1371/// ```
1372#[inline]
1373#[stable(feature = "swap_nonoverlapping", since = "1.27.0")]
1374#[rustc_const_stable(feature = "const_swap_nonoverlapping", since = "1.88.0")]
1375#[rustc_diagnostic_item = "ptr_swap_nonoverlapping"]
1376#[rustc_allow_const_fn_unstable(const_eval_select)] // both implementations behave the same
1377#[track_caller]
1378pub const unsafe fn swap_nonoverlapping<T>(x: *mut T, y: *mut T, count: usize) {
1379 ub_checks::assert_unsafe_precondition!(
1380 check_library_ub,
1381 "ptr::swap_nonoverlapping requires that both pointer arguments are aligned and non-null \
1382 and the specified memory ranges do not overlap",
1383 (
1384 x: *mut () = x as *mut (),
1385 y: *mut () = y as *mut (),
1386 size: usize = size_of::<T>(),
1387 align: usize = align_of::<T>(),
1388 count: usize = count,
1389 ) => {
1390 let zero_size = size == 0 || count == 0;
1391 ub_checks::maybe_is_aligned_and_not_null(x, align, zero_size)
1392 && ub_checks::maybe_is_aligned_and_not_null(y, align, zero_size)
1393 && ub_checks::maybe_is_nonoverlapping(x, y, size, count)
1394 }
1395 );
1396
1397 const_eval_select!(
1398 @capture[T] { x: *mut T, y: *mut T, count: usize }:
1399 if const {
1400 // At compile-time we don't need all the special code below.
1401 // SAFETY: Same preconditions as this function
1402 unsafe { swap_nonoverlapping_const(x, y, count) }
1403 } else {
1404 // Going though a slice here helps codegen know the size fits in `isize`
1405 let slice = slice_from_raw_parts_mut(x, count);
1406 // SAFETY: This is all readable from the pointer, meaning it's one
1407 // allocation, and thus cannot be more than isize::MAX bytes.
1408 let bytes = unsafe { mem::size_of_val_raw::<[T]>(slice) };
1409 if let Some(bytes) = NonZero::new(bytes) {
1410 // SAFETY: These are the same ranges, just expressed in a different
1411 // type, so they're still non-overlapping.
1412 unsafe { swap_nonoverlapping_bytes(x.cast(), y.cast(), bytes) };
1413 }
1414 }
1415 )
1416}
1417
1418/// Same behavior and safety conditions as [`swap_nonoverlapping`]
1419#[inline]
1420const unsafe fn swap_nonoverlapping_const<T>(x: *mut T, y: *mut T, count: usize) {
1421 let mut i = 0;
1422 while i < count {
1423 // SAFETY: By precondition, `i` is in-bounds because it's below `n`
1424 let x = unsafe { x.add(i) };
1425 // SAFETY: By precondition, `i` is in-bounds because it's below `n`
1426 // and it's distinct from `x` since the ranges are non-overlapping
1427 let y = unsafe { y.add(i) };
1428
1429 // SAFETY: we're only ever given pointers that are valid to read/write,
1430 // including being aligned, and nothing here panics so it's drop-safe.
1431 unsafe {
1432 // Note that it's critical that these use `copy_nonoverlapping`,
1433 // rather than `read`/`write`, to avoid #134713 if T has padding.
1434 let mut temp = MaybeUninit::<T>::uninit();
1435 copy_nonoverlapping(x, temp.as_mut_ptr(), 1);
1436 copy_nonoverlapping(y, x, 1);
1437 copy_nonoverlapping(temp.as_ptr(), y, 1);
1438 }
1439
1440 i += 1;
1441 }
1442}
1443
1444// Don't let MIR inline this, because we really want it to keep its noalias metadata
1445#[rustc_no_mir_inline]
1446#[inline]
1447fn swap_chunk<const N: usize>(x: &mut MaybeUninit<[u8; N]>, y: &mut MaybeUninit<[u8; N]>) {
1448 let a = *x;
1449 let b = *y;
1450 *x = b;
1451 *y = a;
1452}
1453
1454#[inline]
1455unsafe fn swap_nonoverlapping_bytes(x: *mut u8, y: *mut u8, bytes: NonZero<usize>) {
1456 // Same as `swap_nonoverlapping::<[u8; N]>`.
1457 unsafe fn swap_nonoverlapping_chunks<const N: usize>(
1458 x: *mut MaybeUninit<[u8; N]>,
1459 y: *mut MaybeUninit<[u8; N]>,
1460 chunks: NonZero<usize>,
1461 ) {
1462 let chunks = chunks.get();
1463 for i in 0..chunks {
1464 // SAFETY: i is in [0, chunks) so the adds and dereferences are in-bounds.
1465 unsafe { swap_chunk(&mut *x.add(i), &mut *y.add(i)) };
1466 }
1467 }
1468
1469 // Same as `swap_nonoverlapping_bytes`, but accepts at most 1+2+4=7 bytes
1470 #[inline]
1471 unsafe fn swap_nonoverlapping_short(x: *mut u8, y: *mut u8, bytes: NonZero<usize>) {
1472 // Tail handling for auto-vectorized code sometimes has element-at-a-time behaviour,
1473 // see <https://github.com/rust-lang/rust/issues/134946>.
1474 // By swapping as different sizes, rather than as a loop over bytes,
1475 // we make sure not to end up with, say, seven byte-at-a-time copies.
1476
1477 let bytes = bytes.get();
1478 let mut i = 0;
1479 macro_rules! swap_prefix {
1480 ($($n:literal)+) => {$(
1481 if (bytes & $n) != 0 {
1482 // SAFETY: `i` can only have the same bits set as those in bytes,
1483 // so these `add`s are in-bounds of `bytes`. But the bit for
1484 // `$n` hasn't been set yet, so the `$n` bytes that `swap_chunk`
1485 // will read and write are within the usable range.
1486 unsafe { swap_chunk::<$n>(&mut*x.add(i).cast(), &mut*y.add(i).cast()) };
1487 i |= $n;
1488 }
1489 )+};
1490 }
1491 swap_prefix!(4 2 1);
1492 debug_assert_eq!(i, bytes);
1493 }
1494
1495 const CHUNK_SIZE: usize = size_of::<*const ()>();
1496 let bytes = bytes.get();
1497
1498 let chunks = bytes / CHUNK_SIZE;
1499 let tail = bytes % CHUNK_SIZE;
1500 if let Some(chunks) = NonZero::new(chunks) {
1501 // SAFETY: this is bytes/CHUNK_SIZE*CHUNK_SIZE bytes, which is <= bytes,
1502 // so it's within the range of our non-overlapping bytes.
1503 unsafe { swap_nonoverlapping_chunks::<CHUNK_SIZE>(x.cast(), y.cast(), chunks) };
1504 }
1505 if let Some(tail) = NonZero::new(tail) {
1506 const { assert!(CHUNK_SIZE <= 8) };
1507 let delta = chunks * CHUNK_SIZE;
1508 // SAFETY: the tail length is below CHUNK SIZE because of the remainder,
1509 // and CHUNK_SIZE is at most 8 by the const assert, so tail <= 7
1510 unsafe { swap_nonoverlapping_short(x.add(delta), y.add(delta), tail) };
1511 }
1512}
1513
1514/// Moves `src` into the pointed `dst`, returning the previous `dst` value.
1515///
1516/// Neither value is dropped.
1517///
1518/// This function is semantically equivalent to [`mem::replace`] except that it
1519/// operates on raw pointers instead of references. When references are
1520/// available, [`mem::replace`] should be preferred.
1521///
1522/// # Safety
1523///
1524/// Behavior is undefined if any of the following conditions are violated:
1525///
1526/// * `dst` must be [valid] for both reads and writes or `T` must be a ZST.
1527///
1528/// * `dst` must be properly aligned.
1529///
1530/// * `dst` must point to a properly initialized value of type `T`.
1531///
1532/// Note that even if `T` has size `0`, the pointer must be properly aligned.
1533///
1534/// [valid]: self#safety
1535///
1536/// # Examples
1537///
1538/// ```
1539/// use std::ptr;
1540///
1541/// let mut rust = vec!['b', 'u', 's', 't'];
1542///
1543/// // `mem::replace` would have the same effect without requiring the unsafe
1544/// // block.
1545/// let b = unsafe {
1546/// ptr::replace(&mut rust[0], 'r')
1547/// };
1548///
1549/// assert_eq!(b, 'b');
1550/// assert_eq!(rust, &['r', 'u', 's', 't']);
1551/// ```
1552#[inline]
1553#[stable(feature = "rust1", since = "1.0.0")]
1554#[rustc_const_stable(feature = "const_replace", since = "1.83.0")]
1555#[rustc_diagnostic_item = "ptr_replace"]
1556#[track_caller]
1557pub const unsafe fn replace<T>(dst: *mut T, src: T) -> T {
1558 // SAFETY: the caller must guarantee that `dst` is valid to be
1559 // cast to a mutable reference (valid for writes, aligned, initialized),
1560 // and cannot overlap `src` since `dst` must point to a distinct
1561 // allocation. We are excluding null (with a ZST check) before creating a reference.
1562 unsafe {
1563 ub_checks::assert_unsafe_precondition!(
1564 check_language_ub,
1565 "ptr::replace requires that the pointer argument is aligned and non-null",
1566 (
1567 addr: *const () = dst as *const (),
1568 align: usize = align_of::<T>(),
1569 is_zst: bool = T::IS_ZST,
1570 ) => ub_checks::maybe_is_aligned_and_not_null(addr, align, is_zst)
1571 );
1572 if T::IS_ZST {
1573 // If `T` is a ZST, `dst` is allowed to be null. However, we also don't have to actually
1574 // do anything since there isn't actually any data to be copied anyway. All values of
1575 // type `T` are bit-identical, so we can just return `src` here.
1576 return src;
1577 }
1578 mem::replace(&mut *dst, src)
1579 }
1580}
1581
1582/// Reads the value from `src` without moving it. This leaves the
1583/// memory in `src` unchanged.
1584///
1585/// # Safety
1586///
1587/// Behavior is undefined if any of the following conditions are violated:
1588///
1589/// * `src` must be [valid] for reads or `T` must be a ZST.
1590///
1591/// * `src` must be properly aligned. Use [`read_unaligned`] if this is not the
1592/// case.
1593///
1594/// * `src` must point to a properly initialized value of type `T`.
1595///
1596/// Note that even if `T` has size `0`, the pointer must be properly aligned.
1597///
1598/// # Examples
1599///
1600/// Basic usage:
1601///
1602/// ```
1603/// let x = 12;
1604/// let y = &x as *const i32;
1605///
1606/// unsafe {
1607/// assert_eq!(std::ptr::read(y), 12);
1608/// }
1609/// ```
1610///
1611/// Manually implement [`mem::swap`]:
1612///
1613/// ```
1614/// use std::ptr;
1615///
1616/// fn swap<T>(a: &mut T, b: &mut T) {
1617/// unsafe {
1618/// // Create a bitwise copy of the value at `a` in `tmp`.
1619/// let tmp = ptr::read(a);
1620///
1621/// // Exiting at this point (either by explicitly returning or by
1622/// // calling a function which panics) would cause the value in `tmp` to
1623/// // be dropped while the same value is still referenced by `a`. This
1624/// // could trigger undefined behavior if `T` is not `Copy`.
1625///
1626/// // Create a bitwise copy of the value at `b` in `a`.
1627/// // This is safe because mutable references cannot alias.
1628/// ptr::copy_nonoverlapping(b, a, 1);
1629///
1630/// // As above, exiting here could trigger undefined behavior because
1631/// // the same value is referenced by `a` and `b`.
1632///
1633/// // Move `tmp` into `b`.
1634/// ptr::write(b, tmp);
1635///
1636/// // `tmp` has been moved (`write` takes ownership of its second argument),
1637/// // so nothing is dropped implicitly here.
1638/// }
1639/// }
1640///
1641/// let mut foo = "foo".to_owned();
1642/// let mut bar = "bar".to_owned();
1643///
1644/// swap(&mut foo, &mut bar);
1645///
1646/// assert_eq!(foo, "bar");
1647/// assert_eq!(bar, "foo");
1648/// ```
1649///
1650/// ## Ownership of the Returned Value
1651///
1652/// `read` creates a bitwise copy of `T`, regardless of whether `T` is [`Copy`].
1653/// If `T` is not [`Copy`], using both the returned value and the value at
1654/// `*src` can violate memory safety. Note that assigning to `*src` counts as a
1655/// use because it will attempt to drop the value at `*src`.
1656///
1657/// [`write()`] can be used to overwrite data without causing it to be dropped.
1658///
1659/// ```
1660/// use std::ptr;
1661///
1662/// let mut s = String::from("foo");
1663/// unsafe {
1664/// // `s2` now points to the same underlying memory as `s`.
1665/// let mut s2: String = ptr::read(&s);
1666///
1667/// assert_eq!(s2, "foo");
1668///
1669/// // Assigning to `s2` causes its original value to be dropped. Beyond
1670/// // this point, `s` must no longer be used, as the underlying memory has
1671/// // been freed.
1672/// s2 = String::default();
1673/// assert_eq!(s2, "");
1674///
1675/// // Assigning to `s` would cause the old value to be dropped again,
1676/// // resulting in undefined behavior.
1677/// // s = String::from("bar"); // ERROR
1678///
1679/// // `ptr::write` can be used to overwrite a value without dropping it.
1680/// ptr::write(&mut s, String::from("bar"));
1681/// }
1682///
1683/// assert_eq!(s, "bar");
1684/// ```
1685///
1686/// [valid]: self#safety
1687#[inline]
1688#[stable(feature = "rust1", since = "1.0.0")]
1689#[rustc_const_stable(feature = "const_ptr_read", since = "1.71.0")]
1690#[track_caller]
1691#[rustc_diagnostic_item = "ptr_read"]
1692pub const unsafe fn read<T>(src: *const T) -> T {
1693 // It would be semantically correct to implement this via `copy_nonoverlapping`
1694 // and `MaybeUninit`, as was done before PR #109035. Calling `assume_init`
1695 // provides enough information to know that this is a typed operation.
1696
1697 // However, as of March 2023 the compiler was not capable of taking advantage
1698 // of that information. Thus, the implementation here switched to an intrinsic,
1699 // which lowers to `_0 = *src` in MIR, to address a few issues:
1700 //
1701 // - Using `MaybeUninit::assume_init` after a `copy_nonoverlapping` was not
1702 // turning the untyped copy into a typed load. As such, the generated
1703 // `load` in LLVM didn't get various metadata, such as `!range` (#73258),
1704 // `!nonnull`, and `!noundef`, resulting in poorer optimization.
1705 // - Going through the extra local resulted in multiple extra copies, even
1706 // in optimized MIR. (Ignoring StorageLive/Dead, the intrinsic is one
1707 // MIR statement, while the previous implementation was eight.) LLVM
1708 // could sometimes optimize them away, but because `read` is at the core
1709 // of so many things, not having them in the first place improves what we
1710 // hand off to the backend. For example, `mem::replace::<Big>` previously
1711 // emitted 4 `alloca` and 6 `memcpy`s, but is now 1 `alloc` and 3 `memcpy`s.
1712 // - In general, this approach keeps us from getting any more bugs (like
1713 // #106369) that boil down to "`read(p)` is worse than `*p`", as this
1714 // makes them look identical to the backend (or other MIR consumers).
1715 //
1716 // Future enhancements to MIR optimizations might well allow this to return
1717 // to the previous implementation, rather than using an intrinsic.
1718
1719 // SAFETY: the caller must guarantee that `src` is valid for reads.
1720 unsafe {
1721 #[cfg(debug_assertions)] // Too expensive to always enable (for now?)
1722 ub_checks::assert_unsafe_precondition!(
1723 check_language_ub,
1724 "ptr::read requires that the pointer argument is aligned and non-null",
1725 (
1726 addr: *const () = src as *const (),
1727 align: usize = align_of::<T>(),
1728 is_zst: bool = T::IS_ZST,
1729 ) => ub_checks::maybe_is_aligned_and_not_null(addr, align, is_zst)
1730 );
1731 crate::intrinsics::read_via_copy(src)
1732 }
1733}
1734
1735/// Reads the value from `src` without moving it. This leaves the
1736/// memory in `src` unchanged.
1737///
1738/// Unlike [`read`], `read_unaligned` works with unaligned pointers.
1739///
1740/// # Safety
1741///
1742/// Behavior is undefined if any of the following conditions are violated:
1743///
1744/// * `src` must be [valid] for reads.
1745///
1746/// * `src` must point to a properly initialized value of type `T`.
1747///
1748/// Like [`read`], `read_unaligned` creates a bitwise copy of `T`, regardless of
1749/// whether `T` is [`Copy`]. If `T` is not [`Copy`], using both the returned
1750/// value and the value at `*src` can [violate memory safety][read-ownership].
1751///
1752/// [read-ownership]: read#ownership-of-the-returned-value
1753/// [valid]: self#safety
1754///
1755/// ## On `packed` structs
1756///
1757/// Attempting to create a raw pointer to an `unaligned` struct field with
1758/// an expression such as `&packed.unaligned as *const FieldType` creates an
1759/// intermediate unaligned reference before converting that to a raw pointer.
1760/// That this reference is temporary and immediately cast is inconsequential
1761/// as the compiler always expects references to be properly aligned.
1762/// As a result, using `&packed.unaligned as *const FieldType` causes immediate
1763/// *undefined behavior* in your program.
1764///
1765/// Instead you must use the `&raw const` syntax to create the pointer.
1766/// You may use that constructed pointer together with this function.
1767///
1768/// An example of what not to do and how this relates to `read_unaligned` is:
1769///
1770/// ```
1771/// #[repr(packed, C)]
1772/// struct Packed {
1773/// _padding: u8,
1774/// unaligned: u32,
1775/// }
1776///
1777/// let packed = Packed {
1778/// _padding: 0x00,
1779/// unaligned: 0x01020304,
1780/// };
1781///
1782/// // Take the address of a 32-bit integer which is not aligned.
1783/// // In contrast to `&packed.unaligned as *const _`, this has no undefined behavior.
1784/// let unaligned = &raw const packed.unaligned;
1785///
1786/// let v = unsafe { std::ptr::read_unaligned(unaligned) };
1787/// assert_eq!(v, 0x01020304);
1788/// ```
1789///
1790/// Accessing unaligned fields directly with e.g. `packed.unaligned` is safe however.
1791///
1792/// # Examples
1793///
1794/// Read a `usize` value from a byte buffer:
1795///
1796/// ```
1797/// fn read_usize(x: &[u8]) -> usize {
1798/// assert!(x.len() >= size_of::<usize>());
1799///
1800/// let ptr = x.as_ptr() as *const usize;
1801///
1802/// unsafe { ptr.read_unaligned() }
1803/// }
1804/// ```
1805#[inline]
1806#[stable(feature = "ptr_unaligned", since = "1.17.0")]
1807#[rustc_const_stable(feature = "const_ptr_read", since = "1.71.0")]
1808#[track_caller]
1809#[rustc_diagnostic_item = "ptr_read_unaligned"]
1810pub const unsafe fn read_unaligned<T>(src: *const T) -> T {
1811 // Always true thanks to the repr, but to demonstrate
1812 const {
1813 assert!(mem::offset_of!(Packed::<T>, 0) == 0);
1814 assert!(size_of::<T>() == size_of::<Packed<T>>());
1815 }
1816
1817 let src = src.cast::<Packed<T>>();
1818 // SAFETY: the caller must guarantee that `src` is valid for reads.
1819 // Reading it as `Packed<T>` instead of `T` reads those same bytes because
1820 // it's the same size (thus zero offset), but with alignment 1 instead.
1821 //
1822 // Similarly, because it's the same bytes it's sound to transmute from the
1823 // `Packed<T>` to `T`. Transmute is a value-based (not a place-based)
1824 // operation that doesn't care about alignment.
1825 unsafe {
1826 let packed = read(src);
1827 // Can't just destructure because that's not allowed in const fn
1828 mem::transmute_neo(packed)
1829 }
1830}
1831
1832/// Overwrites a memory location with the given value without reading or
1833/// dropping the old value.
1834///
1835/// `write` does not drop the contents of `dst`. This is safe, but it could leak
1836/// allocations or resources, so care should be taken not to overwrite an object
1837/// that should be dropped.
1838///
1839/// Additionally, it does not drop `src`. Semantically, `src` is moved into the
1840/// location pointed to by `dst`.
1841///
1842/// This is appropriate for initializing uninitialized memory, or overwriting
1843/// memory that has previously been [`read`] from.
1844///
1845/// # Safety
1846///
1847/// Behavior is undefined if any of the following conditions are violated:
1848///
1849/// * `dst` must be [valid] for writes or `T` must be a ZST.
1850///
1851/// * `dst` must be properly aligned. Use [`write_unaligned`] if this is not the
1852/// case.
1853///
1854/// Note that even if `T` has size `0`, the pointer must be properly aligned.
1855///
1856/// [valid]: self#safety
1857///
1858/// # Examples
1859///
1860/// Basic usage:
1861///
1862/// ```
1863/// let mut x = 0;
1864/// let y = &mut x as *mut i32;
1865/// let z = 12;
1866///
1867/// unsafe {
1868/// std::ptr::write(y, z);
1869/// assert_eq!(std::ptr::read(y), 12);
1870/// }
1871/// ```
1872///
1873/// Manually implement [`mem::swap`]:
1874///
1875/// ```
1876/// use std::ptr;
1877///
1878/// fn swap<T>(a: &mut T, b: &mut T) {
1879/// unsafe {
1880/// // Create a bitwise copy of the value at `a` in `tmp`.
1881/// let tmp = ptr::read(a);
1882///
1883/// // Exiting at this point (either by explicitly returning or by
1884/// // calling a function which panics) would cause the value in `tmp` to
1885/// // be dropped while the same value is still referenced by `a`. This
1886/// // could trigger undefined behavior if `T` is not `Copy`.
1887///
1888/// // Create a bitwise copy of the value at `b` in `a`.
1889/// // This is safe because mutable references cannot alias.
1890/// ptr::copy_nonoverlapping(b, a, 1);
1891///
1892/// // As above, exiting here could trigger undefined behavior because
1893/// // the same value is referenced by `a` and `b`.
1894///
1895/// // Move `tmp` into `b`.
1896/// ptr::write(b, tmp);
1897///
1898/// // `tmp` has been moved (`write` takes ownership of its second argument),
1899/// // so nothing is dropped implicitly here.
1900/// }
1901/// }
1902///
1903/// let mut foo = "foo".to_owned();
1904/// let mut bar = "bar".to_owned();
1905///
1906/// swap(&mut foo, &mut bar);
1907///
1908/// assert_eq!(foo, "bar");
1909/// assert_eq!(bar, "foo");
1910/// ```
1911#[inline]
1912#[stable(feature = "rust1", since = "1.0.0")]
1913#[rustc_const_stable(feature = "const_ptr_write", since = "1.83.0")]
1914#[rustc_diagnostic_item = "ptr_write"]
1915#[track_caller]
1916pub const unsafe fn write<T>(dst: *mut T, src: T) {
1917 // Semantically, it would be fine for this to be implemented as a
1918 // `copy_nonoverlapping` and appropriate drop suppression of `src`.
1919
1920 // However, implementing via that currently produces more MIR than is ideal.
1921 // Using an intrinsic keeps it down to just the simple `*dst = move src` in
1922 // MIR (11 statements shorter, at the time of writing), and also allows
1923 // `src` to stay an SSA value in codegen_ssa, rather than a memory one.
1924
1925 // SAFETY: the caller must guarantee that `dst` is valid for writes.
1926 // `dst` cannot overlap `src` because the caller has mutable access
1927 // to `dst` while `src` is owned by this function.
1928 unsafe {
1929 #[cfg(debug_assertions)] // Too expensive to always enable (for now?)
1930 ub_checks::assert_unsafe_precondition!(
1931 check_language_ub,
1932 "ptr::write requires that the pointer argument is aligned and non-null",
1933 (
1934 addr: *mut () = dst as *mut (),
1935 align: usize = align_of::<T>(),
1936 is_zst: bool = T::IS_ZST,
1937 ) => ub_checks::maybe_is_aligned_and_not_null(addr, align, is_zst)
1938 );
1939 intrinsics::write_via_move(dst, src)
1940 }
1941}
1942
1943/// Overwrites a memory location with the given value without reading or
1944/// dropping the old value.
1945///
1946/// Unlike [`write()`], the pointer may be unaligned.
1947///
1948/// `write_unaligned` does not drop the contents of `dst`. This is safe, but it
1949/// could leak allocations or resources, so care should be taken not to overwrite
1950/// an object that should be dropped.
1951///
1952/// Additionally, it does not drop `src`. Semantically, `src` is moved into the
1953/// location pointed to by `dst`.
1954///
1955/// This is appropriate for initializing uninitialized memory, or overwriting
1956/// memory that has previously been read with [`read_unaligned`].
1957///
1958/// # Safety
1959///
1960/// Behavior is undefined if any of the following conditions are violated:
1961///
1962/// * `dst` must be [valid] for writes.
1963///
1964/// [valid]: self#safety
1965///
1966/// ## On `packed` structs
1967///
1968/// Attempting to create a raw pointer to an `unaligned` struct field with
1969/// an expression such as `&packed.unaligned as *const FieldType` creates an
1970/// intermediate unaligned reference before converting that to a raw pointer.
1971/// That this reference is temporary and immediately cast is inconsequential
1972/// as the compiler always expects references to be properly aligned.
1973/// As a result, using `&packed.unaligned as *const FieldType` causes immediate
1974/// *undefined behavior* in your program.
1975///
1976/// Instead, you must use the `&raw mut` syntax to create the pointer.
1977/// You may use that constructed pointer together with this function.
1978///
1979/// An example of how to do it and how this relates to `write_unaligned` is:
1980///
1981/// ```
1982/// #[repr(packed, C)]
1983/// struct Packed {
1984/// _padding: u8,
1985/// unaligned: u32,
1986/// }
1987///
1988/// let mut packed: Packed = unsafe { std::mem::zeroed() };
1989///
1990/// // Take the address of a 32-bit integer which is not aligned.
1991/// // In contrast to `&packed.unaligned as *mut _`, this has no undefined behavior.
1992/// let unaligned = &raw mut packed.unaligned;
1993///
1994/// unsafe { std::ptr::write_unaligned(unaligned, 42) };
1995///
1996/// assert_eq!({packed.unaligned}, 42); // `{...}` forces copying the field instead of creating a reference.
1997/// ```
1998///
1999/// Accessing unaligned fields directly with e.g. `packed.unaligned` is safe however
2000/// (as can be seen in the `assert_eq!` above).
2001///
2002/// # Examples
2003///
2004/// Write a `usize` value to a byte buffer:
2005///
2006/// ```
2007/// fn write_usize(x: &mut [u8], val: usize) {
2008/// assert!(x.len() >= size_of::<usize>());
2009///
2010/// let ptr = x.as_mut_ptr() as *mut usize;
2011///
2012/// unsafe { ptr.write_unaligned(val) }
2013/// }
2014/// ```
2015#[inline]
2016#[stable(feature = "ptr_unaligned", since = "1.17.0")]
2017#[rustc_const_stable(feature = "const_ptr_write", since = "1.83.0")]
2018#[rustc_diagnostic_item = "ptr_write_unaligned"]
2019#[track_caller]
2020pub const unsafe fn write_unaligned<T>(dst: *mut T, src: T) {
2021 // Always true thanks to the repr, but to demonstrate
2022 const {
2023 assert!(mem::offset_of!(Packed::<T>, 0) == 0);
2024 assert!(size_of::<T>() == size_of::<Packed<T>>());
2025 }
2026
2027 let dst = dst.cast::<Packed<T>>();
2028 let src = Packed(src);
2029 // SAFETY: the caller must guarantee that `dst` is valid for writes.
2030 // Writing it as `Packed<T>` instead of `T` writes those same bytes because
2031 // it's the same size (thus zero offset), but with alignment 1 instead.
2032 unsafe { write(dst, src) }
2033}
2034
2035/// Performs a volatile read of the value from `src` without moving it.
2036///
2037/// Volatile operations are intended to act on I/O memory. As such, they are considered externally
2038/// observable events (just like syscalls, but less opaque), and are guaranteed to not be elided or
2039/// reordered by the compiler across other externally observable events. With this in mind, there
2040/// are two cases of usage that need to be distinguished:
2041///
2042/// - When a volatile operation is used for memory inside an [allocation], it behaves exactly like
2043/// [`read`], except for the additional guarantee that it won't be elided or reordered (see
2044/// above). This implies that the operation will actually access memory and not e.g. be lowered to
2045/// reusing data from a previous read. Other than that, all the usual rules for memory accesses
2046/// apply (including provenance). In particular, just like in C, whether an operation is volatile
2047/// has no bearing whatsoever on questions involving concurrent accesses from multiple threads.
2048/// Volatile accesses behave exactly like non-atomic accesses in that regard.
2049///
2050/// - Volatile operations, however, may also be used to access memory that is _outside_ of any Rust
2051/// allocation. In this use-case, the pointer does *not* have to be [valid] for reads. This is
2052/// typically used for CPU and peripheral registers that must be accessed via an I/O memory
2053/// mapping, most commonly at fixed addresses reserved by the hardware. These often have special
2054/// semantics associated to their manipulation, and cannot be used as general purpose memory.
2055/// Here, any address value is possible, including 0 and [`usize::MAX`], so long as the semantics
2056/// of such a read are well-defined by the target hardware. The provenance of the pointer is
2057/// irrelevant, and it can be created with [`without_provenance`]. The access must not trap. It
2058/// can cause side-effects, but those must not affect Rust-allocated memory in any way. This
2059/// access is still not considered [atomic], and as such it cannot be used for inter-thread
2060/// synchronization.
2061///
2062/// Note that volatile memory operations where T is a zero-sized type are noops and may be ignored.
2063///
2064/// [allocation]: crate::ptr#allocated-object
2065/// [atomic]: crate::sync::atomic#memory-model-for-atomic-accesses
2066///
2067/// # Load splitting
2068///
2069/// Exactly which hardware loads are performed by this function is, in general, highly target-dependent.
2070///
2071/// For a simple scalar, such as when `T` is a thin pointer, this will typically be one load assuming
2072/// your target supports a load of exactly that size and alignment.
2073///
2074/// For anything else, it will be split into multiple loads in some unspecified way.
2075/// This can happen even for scalars: notably, on many targets loading a `u128` will still need to be split,
2076/// despite being "one" scalar. On many targets loading anything larger than a pointer will need to be split.
2077/// On all current targets a load larger than 64 bytes will need to be split.
2078/// Any load whose size is not a power of two will also almost certainly need to be split.
2079///
2080/// There is no stability guarantee on how that splitting happens. It may change at any point.
2081///
2082/// # Safety
2083///
2084/// Like [`read`], `read_volatile` creates a bitwise copy of `T`, regardless of whether `T` is
2085/// [`Copy`]. If `T` is not [`Copy`], using both the returned value and the value at `*src` can
2086/// [violate memory safety][read-ownership]. However, storing non-[`Copy`] types in volatile memory
2087/// is almost certainly incorrect.
2088///
2089/// Behavior is undefined if any of the following conditions are violated:
2090///
2091/// * `src` must be either [valid] for reads, or `T` must be a ZST, or `src` must point to memory
2092/// outside of all Rust allocations and reading from that memory must:
2093/// - not trap, and
2094/// - not cause any memory inside a Rust allocation to be modified.
2095///
2096/// * `src` must be properly aligned.
2097///
2098/// * Reading from `src` must produce a properly initialized value of type `T`.
2099///
2100/// Note that even if `T` has size `0`, the pointer must be properly aligned.
2101///
2102/// [valid]: self#safety
2103/// [read-ownership]: read#ownership-of-the-returned-value
2104///
2105/// # Examples
2106///
2107/// Basic usage:
2108///
2109/// ```
2110/// let x = 12;
2111/// let y = &x as *const i32;
2112///
2113/// unsafe {
2114/// assert_eq!(std::ptr::read_volatile(y), 12);
2115/// }
2116/// ```
2117#[inline]
2118#[stable(feature = "volatile", since = "1.9.0")]
2119#[track_caller]
2120#[rustc_diagnostic_item = "ptr_read_volatile"]
2121pub unsafe fn read_volatile<T>(src: *const T) -> T {
2122 // SAFETY: the caller must uphold the safety contract for `volatile_load`.
2123 unsafe {
2124 ub_checks::assert_unsafe_precondition!(
2125 check_language_ub,
2126 "ptr::read_volatile requires that the pointer argument is aligned",
2127 (
2128 addr: *const () = src as *const (),
2129 align: usize = align_of::<T>(),
2130 ) => ub_checks::maybe_is_aligned(addr, align)
2131 );
2132 intrinsics::volatile_load(src)
2133 }
2134}
2135
2136/// Performs a volatile write of a memory location with the given value without reading or dropping
2137/// the old value.
2138///
2139/// Volatile operations are intended to act on I/O memory. As such, they are considered externally
2140/// observable events (just like syscalls), and are guaranteed to not be elided or reordered by the
2141/// compiler across other externally observable events. With this in mind, there are two cases of
2142/// usage that need to be distinguished:
2143///
2144/// - When a volatile operation is used for memory inside an [allocation], it behaves exactly like
2145/// [`write`][write()], except for the additional guarantee that it won't be elided or reordered
2146/// (see above). This implies that the operation will actually access memory and not e.g. be
2147/// lowered to a register access. Other than that, all the usual rules for memory accesses apply
2148/// (including provenance). In particular, just like in C, whether an operation is volatile has no
2149/// bearing whatsoever on questions involving concurrent access from multiple threads. Volatile
2150/// accesses behave exactly like non-atomic accesses in that regard.
2151///
2152/// - Volatile operations, however, may also be used to access memory that is _outside_ of any Rust
2153/// allocation. In this use-case, the pointer does *not* have to be [valid] for writes. This is
2154/// typically used for CPU and peripheral registers that must be accessed via an I/O memory
2155/// mapping, most commonly at fixed addresses reserved by the hardware. These often have special
2156/// semantics associated to their manipulation, and cannot be used as general purpose memory.
2157/// Here, any address value is possible, including 0 and [`usize::MAX`], so long as the semantics
2158/// of such a write are well-defined by the target hardware. The provenance of the pointer is
2159/// irrelevant, and it can be created with [`without_provenance`]. The access must not trap. It
2160/// can cause side-effects, but those must not affect Rust-allocated memory in any way. This
2161/// access is still not considered [atomic], and as such it cannot be used for inter-thread
2162/// synchronization.
2163///
2164/// Note that volatile memory operations on zero-sized types (e.g., if a zero-sized type is passed
2165/// to `write_volatile`) are noops and may be ignored.
2166///
2167/// `write_volatile` does not drop the contents of `dst`. This is safe, but it could leak
2168/// allocations or resources, so care should be taken not to overwrite an object that should be
2169/// dropped when operating on Rust memory. Additionally, it does not drop `src`. Semantically, `src`
2170/// is moved into the location pointed to by `dst`.
2171///
2172/// [allocation]: crate::ptr#allocated-object
2173/// [atomic]: crate::sync::atomic#memory-model-for-atomic-accesses
2174///
2175/// # Store splitting
2176///
2177/// Exactly which hardware stores are performed by this function is, in general, highly target-dependent.
2178///
2179/// For a simple scalar, such as when `T` is a thin pointer, this will typically be one store assuming
2180/// your target supports a store of exactly that size and alignment.
2181///
2182/// For anything else, it will be split into multiple stores in some unspecified way.
2183/// This can happen even for scalars: notably, on many targets storing a `u128` will still need to be split,
2184/// despite being "one" scalar. On many targets storing anything larger than a pointer will need to be split.
2185/// On all current targets a store larger than 64 bytes will need to be split.
2186/// Any store whose size is not a power of two will also almost certainly need to be split.
2187///
2188/// There is no stability guarantee on how that splitting happens. It may change at any point.
2189///
2190/// # Safety
2191///
2192/// Behavior is undefined if any of the following conditions are violated:
2193///
2194/// * `dst` must be either [valid] for writes, or `T` must be a ZST, or `dst` must point to memory
2195/// outside of all Rust allocations and writing to that memory must:
2196/// - not trap, and
2197/// - not cause any memory inside a Rust allocation to be modified.
2198///
2199/// * `dst` must be properly aligned.
2200///
2201/// Note that even if `T` has size `0`, the pointer must be properly aligned.
2202///
2203/// [valid]: self#safety
2204///
2205/// # Examples
2206///
2207/// Basic usage:
2208///
2209/// ```
2210/// let mut x = 0;
2211/// let y = &mut x as *mut i32;
2212/// let z = 12;
2213///
2214/// unsafe {
2215/// std::ptr::write_volatile(y, z);
2216/// assert_eq!(std::ptr::read_volatile(y), 12);
2217/// }
2218/// ```
2219#[inline]
2220#[stable(feature = "volatile", since = "1.9.0")]
2221#[rustc_diagnostic_item = "ptr_write_volatile"]
2222#[track_caller]
2223pub unsafe fn write_volatile<T>(dst: *mut T, src: T) {
2224 // SAFETY: the caller must uphold the safety contract for `volatile_store`.
2225 unsafe {
2226 ub_checks::assert_unsafe_precondition!(
2227 check_language_ub,
2228 "ptr::write_volatile requires that the pointer argument is aligned",
2229 (
2230 addr: *mut () = dst as *mut (),
2231 align: usize = align_of::<T>(),
2232 ) => ub_checks::maybe_is_aligned(addr, align)
2233 );
2234 intrinsics::volatile_store(dst, src);
2235 }
2236}
2237
2238/// Calculate an element-offset that increases a pointer's alignment.
2239///
2240/// Calculate an element-offset (not byte-offset) that when added to a given pointer `p`, increases `p`'s alignment to at least the given alignment `a`.
2241///
2242/// # Safety
2243/// `a` must be a power of two.
2244///
2245/// # Notes
2246/// This implementation has been carefully tailored to not panic. It is UB for this to panic.
2247/// The only real change that can be made here is change of `INV_TABLE_MOD_16` and associated
2248/// constants.
2249///
2250/// If we ever decide to make it possible to call the intrinsic with `a` that is not a
2251/// power-of-two, it will probably be more prudent to just change to a naive implementation rather
2252/// than trying to adapt this to accommodate that change.
2253///
2254/// Any questions go to @nagisa.
2255#[allow(ptr_to_integer_transmute_in_consts)]
2256pub(crate) unsafe fn align_offset<T: Sized>(p: *const T, a: usize) -> usize {
2257 // FIXME(#75598): Direct use of these intrinsics improves codegen significantly at opt-level <=
2258 // 1, where the method versions of these operations are not inlined.
2259 use intrinsics::{
2260 assume, cttz_nonzero, exact_div, mul_with_overflow, unchecked_rem, unchecked_shl,
2261 unchecked_shr, unchecked_sub, wrapping_add, wrapping_mul, wrapping_sub,
2262 };
2263
2264 /// Calculate multiplicative modular inverse of `x` modulo `m`.
2265 ///
2266 /// This implementation is tailored for `align_offset` and has following preconditions:
2267 ///
2268 /// * `m` is a power-of-two;
2269 /// * `x < m`; (if `x ≥ m`, pass in `x % m` instead)
2270 ///
2271 /// Implementation of this function shall not panic. Ever.
2272 #[inline]
2273 const unsafe fn mod_inv(x: usize, m: usize) -> usize {
2274 /// Multiplicative modular inverse table modulo 2⁴ = 16.
2275 ///
2276 /// Note, that this table does not contain values where inverse does not exist (i.e., for
2277 /// `0⁻¹ mod 16`, `2⁻¹ mod 16`, etc.)
2278 const INV_TABLE_MOD_16: [u8; 8] = [1, 11, 13, 7, 9, 3, 5, 15];
2279 /// Modulo for which the `INV_TABLE_MOD_16` is intended.
2280 const INV_TABLE_MOD: usize = 16;
2281
2282 // SAFETY: `m` is required to be a power-of-two, hence non-zero.
2283 let m_minus_one = unsafe { unchecked_sub(m, 1) };
2284 let mut inverse = INV_TABLE_MOD_16[(x & (INV_TABLE_MOD - 1)) >> 1] as usize;
2285 let mut mod_gate = INV_TABLE_MOD;
2286 // We iterate "up" using the following formula:
2287 //
2288 // $$ xy ≡ 1 (mod 2ⁿ) → xy (2 - xy) ≡ 1 (mod 2²ⁿ) $$
2289 //
2290 // This application needs to be applied at least until `2²ⁿ ≥ m`, at which point we can
2291 // finally reduce the computation to our desired `m` by taking `inverse mod m`.
2292 //
2293 // This computation is `O(log log m)`, which is to say, that on 64-bit machines this loop
2294 // will always finish in at most 4 iterations.
2295 loop {
2296 // y = y * (2 - xy) mod n
2297 //
2298 // Note, that we use wrapping operations here intentionally – the original formula
2299 // uses e.g., subtraction `mod n`. It is entirely fine to do them `mod
2300 // usize::MAX` instead, because we take the result `mod n` at the end
2301 // anyway.
2302 if mod_gate >= m {
2303 break;
2304 }
2305 inverse = wrapping_mul(inverse, wrapping_sub(2usize, wrapping_mul(x, inverse)));
2306 let (new_gate, overflow) = mul_with_overflow(mod_gate, mod_gate);
2307 if overflow {
2308 break;
2309 }
2310 mod_gate = new_gate;
2311 }
2312 inverse & m_minus_one
2313 }
2314
2315 let stride = size_of::<T>();
2316
2317 let addr: usize = p.addr();
2318
2319 // SAFETY: `a` is a power-of-two, therefore non-zero.
2320 let a_minus_one = unsafe { unchecked_sub(a, 1) };
2321
2322 if stride == 0 {
2323 // SPECIAL_CASE: handle 0-sized types. No matter how many times we step, the address will
2324 // stay the same, so no offset will be able to align the pointer unless it is already
2325 // aligned. This branch _will_ be optimized out as `stride` is known at compile-time.
2326 let p_mod_a = addr & a_minus_one;
2327 return if p_mod_a == 0 { 0 } else { usize::MAX };
2328 }
2329
2330 // SAFETY: `stride == 0` case has been handled by the special case above.
2331 let a_mod_stride = unsafe { unchecked_rem(a, stride) };
2332 if a_mod_stride == 0 {
2333 // SPECIAL_CASE: In cases where the `a` is divisible by `stride`, byte offset to align a
2334 // pointer can be computed more simply through `-p (mod a)`. In the off-chance the byte
2335 // offset is not a multiple of `stride`, the input pointer was misaligned and no pointer
2336 // offset will be able to produce a `p` aligned to the specified `a`.
2337 //
2338 // The naive `-p (mod a)` equation inhibits LLVM's ability to select instructions
2339 // like `lea`. We compute `(round_up_to_next_alignment(p, a) - p)` instead. This
2340 // redistributes operations around the load-bearing, but pessimizing `and` instruction
2341 // sufficiently for LLVM to be able to utilize the various optimizations it knows about.
2342 //
2343 // LLVM handles the branch here particularly nicely. If this branch needs to be evaluated
2344 // at runtime, it will produce a mask `if addr_mod_stride == 0 { 0 } else { usize::MAX }`
2345 // in a branch-free way and then bitwise-OR it with whatever result the `-p mod a`
2346 // computation produces.
2347
2348 let aligned_address = wrapping_add(addr, a_minus_one) & wrapping_sub(0, a);
2349 let byte_offset = wrapping_sub(aligned_address, addr);
2350 // FIXME: Remove the assume after <https://github.com/llvm/llvm-project/issues/62502>
2351 // SAFETY: Masking by `-a` can only affect the low bits, and thus cannot have reduced
2352 // the value by more than `a-1`, so even though the intermediate values might have
2353 // wrapped, the byte_offset is always in `[0, a)`.
2354 unsafe { assume(byte_offset < a) };
2355
2356 // SAFETY: `stride == 0` case has been handled by the special case above.
2357 let addr_mod_stride = unsafe { unchecked_rem(addr, stride) };
2358
2359 return if addr_mod_stride == 0 {
2360 // SAFETY: `stride` is non-zero. This is guaranteed to divide exactly as well, because
2361 // addr has been verified to be aligned to the original type’s alignment requirements.
2362 unsafe { exact_div(byte_offset, stride) }
2363 } else {
2364 usize::MAX
2365 };
2366 }
2367
2368 // GENERAL_CASE: From here on we’re handling the very general case where `addr` may be
2369 // misaligned, there isn’t an obvious relationship between `stride` and `a` that we can take an
2370 // advantage of, etc. This case produces machine code that isn’t particularly high quality,
2371 // compared to the special cases above. The code produced here is still within the realm of
2372 // miracles, given the situations this case has to deal with.
2373
2374 // SAFETY: a is power-of-two hence non-zero. stride == 0 case is handled above.
2375 // FIXME(const-hack) replace with min
2376 let gcdpow = unsafe {
2377 let x = cttz_nonzero(stride);
2378 let y = cttz_nonzero(a);
2379 if x < y { x } else { y }
2380 };
2381 // SAFETY: gcdpow has an upper-bound that’s at most the number of bits in a `usize`.
2382 let gcd = unsafe { unchecked_shl(1usize, gcdpow) };
2383 // SAFETY: gcd is always greater or equal to 1.
2384 if addr & unsafe { unchecked_sub(gcd, 1) } == 0 {
2385 // This branch solves for the following linear congruence equation:
2386 //
2387 // ` p + so = 0 mod a `
2388 //
2389 // `p` here is the pointer value, `s` - stride of `T`, `o` offset in `T`s, and `a` - the
2390 // requested alignment.
2391 //
2392 // With `g = gcd(a, s)`, and the above condition asserting that `p` is also divisible by
2393 // `g`, we can denote `a' = a/g`, `s' = s/g`, `p' = p/g`, then this becomes equivalent to:
2394 //
2395 // ` p' + s'o = 0 mod a' `
2396 // ` o = (a' - (p' mod a')) * (s'^-1 mod a') `
2397 //
2398 // The first term is "the relative alignment of `p` to `a`" (divided by the `g`), the
2399 // second term is "how does incrementing `p` by `s` bytes change the relative alignment of
2400 // `p`" (again divided by `g`). Division by `g` is necessary to make the inverse well
2401 // formed if `a` and `s` are not co-prime.
2402 //
2403 // Furthermore, the result produced by this solution is not "minimal", so it is necessary
2404 // to take the result `o mod lcm(s, a)`. This `lcm(s, a)` is the same as `a'`.
2405
2406 // SAFETY: `gcdpow` has an upper-bound not greater than the number of trailing 0-bits in
2407 // `a`.
2408 let a2 = unsafe { unchecked_shr(a, gcdpow) };
2409 // SAFETY: `a2` is non-zero. Shifting `a` by `gcdpow` cannot shift out any of the set bits
2410 // in `a` (of which it has exactly one).
2411 let a2minus1 = unsafe { unchecked_sub(a2, 1) };
2412 // SAFETY: `gcdpow` has an upper-bound not greater than the number of trailing 0-bits in
2413 // `a`.
2414 let s2 = unsafe { unchecked_shr(stride & a_minus_one, gcdpow) };
2415 // SAFETY: `gcdpow` has an upper-bound not greater than the number of trailing 0-bits in
2416 // `a`. Furthermore, the subtraction cannot overflow, because `a2 = a >> gcdpow` will
2417 // always be strictly greater than `(p % a) >> gcdpow`.
2418 let minusp2 = unsafe { unchecked_sub(a2, unchecked_shr(addr & a_minus_one, gcdpow)) };
2419 // SAFETY: `a2` is a power-of-two, as proven above. `s2` is strictly less than `a2`
2420 // because `(s % a) >> gcdpow` is strictly less than `a >> gcdpow`.
2421 return wrapping_mul(minusp2, unsafe { mod_inv(s2, a2) }) & a2minus1;
2422 }
2423
2424 // Cannot be aligned at all.
2425 usize::MAX
2426}
2427
2428/// Compares raw pointers for equality.
2429///
2430/// This is the same as using the `==` operator, but less generic:
2431/// the arguments have to be `*const T` raw pointers,
2432/// not anything that implements `PartialEq`.
2433///
2434/// This can be used to compare `&T` references (which coerce to `*const T` implicitly)
2435/// by their address rather than comparing the values they point to
2436/// (which is what the `PartialEq for &T` implementation does).
2437///
2438/// When comparing wide pointers, both the address and the metadata are tested for equality.
2439/// However, note that comparing trait object pointers (`*const dyn Trait`) is unreliable: pointers
2440/// to values of the same underlying type can compare inequal (because vtables are duplicated in
2441/// multiple codegen units), and pointers to values of *different* underlying type can compare equal
2442/// (since identical vtables can be deduplicated within a codegen unit).
2443///
2444/// # Examples
2445///
2446/// ```
2447/// use std::ptr;
2448///
2449/// let five = 5;
2450/// let other_five = 5;
2451/// let five_ref = &five;
2452/// let same_five_ref = &five;
2453/// let other_five_ref = &other_five;
2454///
2455/// assert!(five_ref == same_five_ref);
2456/// assert!(ptr::eq(five_ref, same_five_ref));
2457///
2458/// assert!(five_ref == other_five_ref);
2459/// assert!(!ptr::eq(five_ref, other_five_ref));
2460/// ```
2461///
2462/// Slices are also compared by their length (fat pointers):
2463///
2464/// ```
2465/// let a = [1, 2, 3];
2466/// assert!(std::ptr::eq(&a[..3], &a[..3]));
2467/// assert!(!std::ptr::eq(&a[..2], &a[..3]));
2468/// assert!(!std::ptr::eq(&a[0..2], &a[1..3]));
2469/// ```
2470#[stable(feature = "ptr_eq", since = "1.17.0")]
2471#[inline(always)]
2472#[must_use = "pointer comparison produces a value"]
2473#[rustc_diagnostic_item = "ptr_eq"]
2474#[allow(ambiguous_wide_pointer_comparisons)] // it's actually clear here
2475pub fn eq<T: PointeeSized>(a: *const T, b: *const T) -> bool {
2476 a == b
2477}
2478
2479/// Compares the *addresses* of the two pointers for equality,
2480/// ignoring any metadata in fat pointers.
2481///
2482/// If the arguments are thin pointers of the same type,
2483/// then this is the same as [`eq`].
2484///
2485/// # Examples
2486///
2487/// ```
2488/// use std::ptr;
2489///
2490/// let whole: &[i32; 3] = &[1, 2, 3];
2491/// let first: &i32 = &whole[0];
2492///
2493/// assert!(ptr::addr_eq(whole, first));
2494/// assert!(!ptr::eq::<dyn std::fmt::Debug>(whole, first));
2495/// ```
2496#[stable(feature = "ptr_addr_eq", since = "1.76.0")]
2497#[inline(always)]
2498#[must_use = "pointer comparison produces a value"]
2499pub fn addr_eq<T: PointeeSized, U: PointeeSized>(p: *const T, q: *const U) -> bool {
2500 (p as *const ()) == (q as *const ())
2501}
2502
2503/// Compares the *addresses* of the two function pointers for equality.
2504///
2505/// This is the same as `f == g`, but using this function makes clear that the potentially
2506/// surprising semantics of function pointer comparison are involved.
2507///
2508/// There are **very few guarantees** about how functions are compiled and they have no intrinsic
2509/// “identity”; in particular, this comparison:
2510///
2511/// * May return `true` unexpectedly, in cases where functions are equivalent.
2512///
2513/// For example, the following program is likely (but not guaranteed) to print `(true, true)`
2514/// when compiled with optimization:
2515///
2516/// ```
2517/// let f: fn(i32) -> i32 = |x| x;
2518/// let g: fn(i32) -> i32 = |x| x + 0; // different closure, different body
2519/// let h: fn(u32) -> u32 = |x| x + 0; // different signature too
2520/// dbg!(std::ptr::fn_addr_eq(f, g), std::ptr::fn_addr_eq(f, h)); // not guaranteed to be equal
2521/// ```
2522///
2523/// * May return `false` in any case.
2524///
2525/// This is particularly likely with generic functions but may happen with any function.
2526/// (From an implementation perspective, this is possible because functions may sometimes be
2527/// processed more than once by the compiler, resulting in duplicate machine code.)
2528///
2529/// Despite these false positives and false negatives, this comparison can still be useful.
2530/// Specifically, if
2531///
2532/// * `T` is the same type as `U`, `T` is a [subtype] of `U`, or `U` is a [subtype] of `T`, and
2533/// * `ptr::fn_addr_eq(f, g)` returns true,
2534///
2535/// then calling `f` and calling `g` will be equivalent.
2536///
2537///
2538/// # Examples
2539///
2540/// ```
2541/// use std::ptr;
2542///
2543/// fn a() { println!("a"); }
2544/// fn b() { println!("b"); }
2545/// assert!(!ptr::fn_addr_eq(a as fn(), b as fn()));
2546/// ```
2547///
2548/// [subtype]: https://doc.rust-lang.org/reference/subtyping.html
2549#[stable(feature = "ptr_fn_addr_eq", since = "1.85.0")]
2550#[inline(always)]
2551#[must_use = "function pointer comparison produces a value"]
2552pub fn fn_addr_eq<T: FnPtr, U: FnPtr>(f: T, g: U) -> bool {
2553 f.addr() == g.addr()
2554}
2555
2556/// Hash a raw pointer.
2557///
2558/// This can be used to hash a `&T` reference (which coerces to `*const T` implicitly)
2559/// by its address rather than the value it points to
2560/// (which is what the `Hash for &T` implementation does).
2561///
2562/// # Examples
2563///
2564/// ```
2565/// use std::hash::{DefaultHasher, Hash, Hasher};
2566/// use std::ptr;
2567///
2568/// let five = 5;
2569/// let five_ref = &five;
2570///
2571/// let mut hasher = DefaultHasher::new();
2572/// ptr::hash(five_ref, &mut hasher);
2573/// let actual = hasher.finish();
2574///
2575/// let mut hasher = DefaultHasher::new();
2576/// (five_ref as *const i32).hash(&mut hasher);
2577/// let expected = hasher.finish();
2578///
2579/// assert_eq!(actual, expected);
2580/// ```
2581#[stable(feature = "ptr_hash", since = "1.35.0")]
2582pub fn hash<T: PointeeSized, S: hash::Hasher>(hashee: *const T, into: &mut S) {
2583 use crate::hash::Hash;
2584 hashee.hash(into);
2585}
2586
2587#[stable(feature = "fnptr_impls", since = "1.4.0")]
2588#[diagnostic::on_const(
2589 message = "pointers cannot be reliably compared during const eval",
2590 note = "see issue #53020 <https://github.com/rust-lang/rust/issues/53020> for more information"
2591)]
2592impl<F: FnPtr> PartialEq for F {
2593 #[inline]
2594 fn eq(&self, other: &Self) -> bool {
2595 self.addr() == other.addr()
2596 }
2597}
2598#[stable(feature = "fnptr_impls", since = "1.4.0")]
2599#[diagnostic::on_const(
2600 message = "pointers cannot be reliably compared during const eval",
2601 note = "see issue #53020 <https://github.com/rust-lang/rust/issues/53020> for more information"
2602)]
2603impl<F: FnPtr> Eq for F {}
2604
2605#[stable(feature = "fnptr_impls", since = "1.4.0")]
2606#[diagnostic::on_const(
2607 message = "pointers cannot be reliably compared during const eval",
2608 note = "see issue #53020 <https://github.com/rust-lang/rust/issues/53020> for more information"
2609)]
2610impl<F: FnPtr> PartialOrd for F {
2611 #[inline]
2612 fn partial_cmp(&self, other: &Self) -> Option<Ordering> {
2613 self.addr().partial_cmp(&other.addr())
2614 }
2615}
2616#[stable(feature = "fnptr_impls", since = "1.4.0")]
2617#[diagnostic::on_const(
2618 message = "pointers cannot be reliably compared during const eval",
2619 note = "see issue #53020 <https://github.com/rust-lang/rust/issues/53020> for more information"
2620)]
2621impl<F: FnPtr> Ord for F {
2622 #[inline]
2623 fn cmp(&self, other: &Self) -> Ordering {
2624 self.addr().cmp(&other.addr())
2625 }
2626}
2627
2628#[stable(feature = "fnptr_impls", since = "1.4.0")]
2629impl<F: FnPtr> hash::Hash for F {
2630 fn hash<HH: hash::Hasher>(&self, state: &mut HH) {
2631 state.write_usize(self.addr().addr())
2632 }
2633}
2634
2635#[stable(feature = "fnptr_impls", since = "1.4.0")]
2636impl<F: FnPtr> fmt::Pointer for F {
2637 fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
2638 fmt::pointer_fmt_inner(self.addr().addr(), f)
2639 }
2640}
2641
2642#[stable(feature = "fnptr_impls", since = "1.4.0")]
2643impl<F: FnPtr> fmt::Debug for F {
2644 fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
2645 fmt::pointer_fmt_inner(self.addr().addr(), f)
2646 }
2647}
2648
2649/// Creates a `const` raw pointer to a place, without creating an intermediate reference.
2650///
2651/// `addr_of!(expr)` is equivalent to `&raw const expr`. The macro is *soft-deprecated*;
2652/// use `&raw const` instead.
2653///
2654/// It is still an open question under which conditions writing through an `addr_of!`-created
2655/// pointer is permitted. If the place `expr` evaluates to is based on a raw pointer, then the
2656/// result of `addr_of!` inherits all permissions from that raw pointer. However, if the place is
2657/// based on a reference, local variable, or `static`, then until all details are decided, the same
2658/// rules as for shared references apply: it is UB to write through a pointer created with this
2659/// operation, except for bytes located inside an `UnsafeCell`. Use `&raw mut` (or [`addr_of_mut`])
2660/// to create a raw pointer that definitely permits mutation.
2661///
2662/// Creating a reference with `&`/`&mut` is only allowed if the pointer is properly aligned
2663/// and points to initialized data. For cases where those requirements do not hold,
2664/// raw pointers should be used instead. However, `&expr as *const _` creates a reference
2665/// before casting it to a raw pointer, and that reference is subject to the same rules
2666/// as all other references. This macro can create a raw pointer *without* creating
2667/// a reference first.
2668///
2669/// See [`addr_of_mut`] for how to create a pointer to uninitialized data.
2670/// Doing that with `addr_of` would not make much sense since one could only
2671/// read the data, and that would be Undefined Behavior.
2672///
2673/// # Safety
2674///
2675/// The `expr` in `addr_of!(expr)` is evaluated as a place expression, but never loads from the
2676/// place or requires the place to be dereferenceable. This means that `addr_of!((*ptr).field)`
2677/// still requires the projection to `field` to be in-bounds, using the same rules as [`offset`].
2678/// However, `addr_of!(*ptr)` is defined behavior even if `ptr` is null, dangling, or misaligned.
2679///
2680/// Note that `Deref`/`Index` coercions (and their mutable counterparts) are applied inside
2681/// `addr_of!` like everywhere else, in which case a reference is created to call `Deref::deref` or
2682/// `Index::index`, respectively. The statements above only apply when no such coercions are
2683/// applied.
2684///
2685/// [`offset`]: pointer::offset
2686///
2687/// # Example
2688///
2689/// **Correct usage: Creating a pointer to unaligned data**
2690///
2691/// ```
2692/// use std::ptr;
2693///
2694/// #[repr(packed)]
2695/// struct Packed {
2696/// f1: u8,
2697/// f2: u16,
2698/// }
2699///
2700/// let packed = Packed { f1: 1, f2: 2 };
2701/// // `&packed.f2` would create an unaligned reference, and thus be Undefined Behavior!
2702/// let raw_f2 = ptr::addr_of!(packed.f2);
2703/// assert_eq!(unsafe { raw_f2.read_unaligned() }, 2);
2704/// ```
2705///
2706/// **Incorrect usage: Out-of-bounds fields projection**
2707///
2708/// ```rust,no_run
2709/// use std::ptr;
2710///
2711/// #[repr(C)]
2712/// struct MyStruct {
2713/// field1: i32,
2714/// field2: i32,
2715/// }
2716///
2717/// let ptr: *const MyStruct = ptr::null();
2718/// let fieldptr = unsafe { ptr::addr_of!((*ptr).field2) }; // Undefined Behavior ⚠️
2719/// ```
2720///
2721/// The field projection `.field2` would offset the pointer by 4 bytes,
2722/// but the pointer is not in-bounds of an allocation for 4 bytes,
2723/// so this offset is Undefined Behavior.
2724/// See the [`offset`] docs for a full list of requirements for inbounds pointer arithmetic; the
2725/// same requirements apply to field projections, even inside `addr_of!`. (In particular, it makes
2726/// no difference whether the pointer is null or dangling.)
2727#[stable(feature = "raw_ref_macros", since = "1.51.0")]
2728#[rustc_macro_transparency = "semiopaque"]
2729pub macro addr_of($place:expr) {
2730 &raw const $place
2731}
2732
2733/// Creates a `mut` raw pointer to a place, without creating an intermediate reference.
2734///
2735/// `addr_of_mut!(expr)` is equivalent to `&raw mut expr`. The macro is *soft-deprecated*;
2736/// use `&raw mut` instead.
2737///
2738/// Creating a reference with `&`/`&mut` is only allowed if the pointer is properly aligned
2739/// and points to initialized data. For cases where those requirements do not hold,
2740/// raw pointers should be used instead. However, `&mut expr as *mut _` creates a reference
2741/// before casting it to a raw pointer, and that reference is subject to the same rules
2742/// as all other references. This macro can create a raw pointer *without* creating
2743/// a reference first.
2744///
2745/// # Safety
2746///
2747/// The `expr` in `addr_of_mut!(expr)` is evaluated as a place expression, but never loads from the
2748/// place or requires the place to be dereferenceable. This means that `addr_of_mut!((*ptr).field)`
2749/// still requires the projection to `field` to be in-bounds, using the same rules as [`offset`].
2750/// However, `addr_of_mut!(*ptr)` is defined behavior even if `ptr` is null, dangling, or misaligned.
2751///
2752/// Note that `Deref`/`Index` coercions (and their mutable counterparts) are applied inside
2753/// `addr_of_mut!` like everywhere else, in which case a reference is created to call `Deref::deref`
2754/// or `Index::index`, respectively. The statements above only apply when no such coercions are
2755/// applied.
2756///
2757/// [`offset`]: pointer::offset
2758///
2759/// # Examples
2760///
2761/// **Correct usage: Creating a pointer to unaligned data**
2762///
2763/// ```
2764/// use std::ptr;
2765///
2766/// #[repr(packed)]
2767/// struct Packed {
2768/// f1: u8,
2769/// f2: u16,
2770/// }
2771///
2772/// let mut packed = Packed { f1: 1, f2: 2 };
2773/// // `&mut packed.f2` would create an unaligned reference, and thus be Undefined Behavior!
2774/// let raw_f2 = ptr::addr_of_mut!(packed.f2);
2775/// unsafe { raw_f2.write_unaligned(42); }
2776/// assert_eq!({packed.f2}, 42); // `{...}` forces copying the field instead of creating a reference.
2777/// ```
2778///
2779/// **Correct usage: Creating a pointer to uninitialized data**
2780///
2781/// ```rust
2782/// use std::{ptr, mem::MaybeUninit};
2783///
2784/// struct Demo {
2785/// field: bool,
2786/// }
2787///
2788/// let mut uninit = MaybeUninit::<Demo>::uninit();
2789/// // `&uninit.as_mut().field` would create a reference to an uninitialized `bool`,
2790/// // and thus be Undefined Behavior!
2791/// let f1_ptr = unsafe { ptr::addr_of_mut!((*uninit.as_mut_ptr()).field) };
2792/// unsafe { f1_ptr.write(true); }
2793/// let init = unsafe { uninit.assume_init() };
2794/// ```
2795///
2796/// **Incorrect usage: Out-of-bounds fields projection**
2797///
2798/// ```rust,no_run
2799/// use std::ptr;
2800///
2801/// #[repr(C)]
2802/// struct MyStruct {
2803/// field1: i32,
2804/// field2: i32,
2805/// }
2806///
2807/// let ptr: *mut MyStruct = ptr::null_mut();
2808/// let fieldptr = unsafe { ptr::addr_of_mut!((*ptr).field2) }; // Undefined Behavior ⚠️
2809/// ```
2810///
2811/// The field projection `.field2` would offset the pointer by 4 bytes,
2812/// but the pointer is not in-bounds of an allocation for 4 bytes,
2813/// so this offset is Undefined Behavior.
2814/// See the [`offset`] docs for a full list of requirements for inbounds pointer arithmetic; the
2815/// same requirements apply to field projections, even inside `addr_of_mut!`. (In particular, it
2816/// makes no difference whether the pointer is null or dangling.)
2817#[stable(feature = "raw_ref_macros", since = "1.51.0")]
2818#[rustc_macro_transparency = "semiopaque"]
2819pub macro addr_of_mut($place:expr) {
2820 &raw mut $place
2821}
2822
2823#[repr(C, packed)]
2824struct Packed<T>(T);