core/ptr/mod.rs
1//! Manually manage memory through raw pointers.
2//!
3//! *[See also the pointer primitive types](pointer).*
4//!
5//! # Safety
6//!
7//! Many functions in this module take raw pointers as arguments and read from or write to them. For
8//! this to be safe, these pointers must be *valid* for the given access. Whether a pointer is valid
9//! depends on the operation it is used for (read or write), and the extent of the memory that is
10//! accessed (i.e., how many bytes are read/written) -- it makes no sense to ask "is this pointer
11//! valid"; one has to ask "is this pointer valid for a given access". Most functions use `*mut T`
12//! and `*const T` to access only a single value, in which case the documentation omits the size and
13//! implicitly assumes it to be `size_of::<T>()` bytes.
14//!
15//! The precise rules for validity are not determined yet. The guarantees that are
16//! provided at this point are very minimal:
17//!
18//! * For memory accesses of [size zero][zst], *every* pointer is valid, including the [null]
19//! pointer. The following points are only concerned with non-zero-sized accesses.
20//! * A [null] pointer is *never* valid.
21//! * For a pointer to be valid, it is necessary, but not always sufficient, that the pointer be
22//! *dereferenceable*. The [provenance] of the pointer is used to determine which [allocated
23//! object] it is derived from; a pointer is dereferenceable if the memory range of the given size
24//! starting at the pointer is entirely contained within the bounds of that allocated object. Note
25//! that in Rust, every (stack-allocated) variable is considered a separate allocated object.
26//! * All accesses performed by functions in this module are *non-atomic* in the sense
27//! of [atomic operations] used to synchronize between threads. This means it is
28//! undefined behavior to perform two concurrent accesses to the same location from different
29//! threads unless both accesses only read from memory. Notice that this explicitly
30//! includes [`read_volatile`] and [`write_volatile`]: Volatile accesses cannot
31//! be used for inter-thread synchronization.
32//! * The result of casting a reference to a pointer is valid for as long as the
33//! underlying object is live and no reference (just raw pointers) is used to
34//! access the same memory. That is, reference and pointer accesses cannot be
35//! interleaved.
36//!
37//! These axioms, along with careful use of [`offset`] for pointer arithmetic,
38//! are enough to correctly implement many useful things in unsafe code. Stronger guarantees
39//! will be provided eventually, as the [aliasing] rules are being determined. For more
40//! information, see the [book] as well as the section in the reference devoted
41//! to [undefined behavior][ub].
42//!
43//! We say that a pointer is "dangling" if it is not valid for any non-zero-sized accesses. This
44//! means out-of-bounds pointers, pointers to freed memory, null pointers, and pointers created with
45//! [`NonNull::dangling`] are all dangling.
46//!
47//! ## Alignment
48//!
49//! Valid raw pointers as defined above are not necessarily properly aligned (where
50//! "proper" alignment is defined by the pointee type, i.e., `*const T` must be
51//! aligned to `mem::align_of::<T>()`). However, most functions require their
52//! arguments to be properly aligned, and will explicitly state
53//! this requirement in their documentation. Notable exceptions to this are
54//! [`read_unaligned`] and [`write_unaligned`].
55//!
56//! When a function requires proper alignment, it does so even if the access
57//! has size 0, i.e., even if memory is not actually touched. Consider using
58//! [`NonNull::dangling`] in such cases.
59//!
60//! ## Pointer to reference conversion
61//!
62//! When converting a pointer to a reference (e.g. via `&*ptr` or `&mut *ptr`),
63//! there are several rules that must be followed:
64//!
65//! * The pointer must be properly aligned.
66//!
67//! * It must be non-null.
68//!
69//! * It must be "dereferenceable" in the sense defined above.
70//!
71//! * The pointer must point to a [valid value] of type `T`.
72//!
73//! * You must enforce Rust's aliasing rules. The exact aliasing rules are not decided yet, so we
74//! only give a rough overview here. The rules also depend on whether a mutable or a shared
75//! reference is being created.
76//! * When creating a mutable reference, then while this reference exists, the memory it points to
77//! must not get accessed (read or written) through any other pointer or reference not derived
78//! from this reference.
79//! * When creating a shared reference, then while this reference exists, the memory it points to
80//! must not get mutated (except inside `UnsafeCell`).
81//!
82//! If a pointer follows all of these rules, it is said to be
83//! *convertible to a (mutable or shared) reference*.
84// ^ we use this term instead of saying that the produced reference must
85// be valid, as the validity of a reference is easily confused for the
86// validity of the thing it refers to, and while the two concepts are
87// closely related, they are not identical.
88//!
89//! These rules apply even if the result is unused!
90//! (The part about being initialized is not yet fully decided, but until
91//! it is, the only safe approach is to ensure that they are indeed initialized.)
92//!
93//! An example of the implications of the above rules is that an expression such
94//! as `unsafe { &*(0 as *const u8) }` is Immediate Undefined Behavior.
95//!
96//! [valid value]: ../../reference/behavior-considered-undefined.html#invalid-values
97//!
98//! ## Allocated object
99//!
100//! An *allocated object* is a subset of program memory which is addressable
101//! from Rust, and within which pointer arithmetic is possible. Examples of
102//! allocated objects include heap allocations, stack-allocated variables,
103//! statics, and consts. The safety preconditions of some Rust operations -
104//! such as `offset` and field projections (`expr.field`) - are defined in
105//! terms of the allocated objects on which they operate.
106//!
107//! An allocated object has a base address, a size, and a set of memory
108//! addresses. It is possible for an allocated object to have zero size, but
109//! such an allocated object will still have a base address. The base address
110//! of an allocated object is not necessarily unique. While it is currently the
111//! case that an allocated object always has a set of memory addresses which is
112//! fully contiguous (i.e., has no "holes"), there is no guarantee that this
113//! will not change in the future.
114//!
115//! For any allocated object with `base` address, `size`, and a set of
116//! `addresses`, the following are guaranteed:
117//! - For all addresses `a` in `addresses`, `a` is in the range `base .. (base +
118//! size)` (note that this requires `a < base + size`, not `a <= base + size`)
119//! - `base` is not equal to [`null()`] (i.e., the address with the numerical
120//! value 0)
121//! - `base + size <= usize::MAX`
122//! - `size <= isize::MAX`
123//!
124//! As a consequence of these guarantees, given any address `a` within the set
125//! of addresses of an allocated object:
126//! - It is guaranteed that `a - base` does not overflow `isize`
127//! - It is guaranteed that `a - base` is non-negative
128//! - It is guaranteed that, given `o = a - base` (i.e., the offset of `a` within
129//! the allocated object), `base + o` will not wrap around the address space (in
130//! other words, will not overflow `usize`)
131//!
132//! [`null()`]: null
133//!
134//! # Provenance
135//!
136//! Pointers are not *simply* an "integer" or "address". For instance, it's uncontroversial
137//! to say that a Use After Free is clearly Undefined Behavior, even if you "get lucky"
138//! and the freed memory gets reallocated before your read/write (in fact this is the
139//! worst-case scenario, UAFs would be much less concerning if this didn't happen!).
140//! As another example, consider that [`wrapping_offset`] is documented to "remember"
141//! the allocated object that the original pointer points to, even if it is offset far
142//! outside the memory range occupied by that allocated object.
143//! To rationalize claims like this, pointers need to somehow be *more* than just their addresses:
144//! they must have **provenance**.
145//!
146//! A pointer value in Rust semantically contains the following information:
147//!
148//! * The **address** it points to, which can be represented by a `usize`.
149//! * The **provenance** it has, defining the memory it has permission to access. Provenance can be
150//! absent, in which case the pointer does not have permission to access any memory.
151//!
152//! The exact structure of provenance is not yet specified, but the permission defined by a
153//! pointer's provenance have a *spatial* component, a *temporal* component, and a *mutability*
154//! component:
155//!
156//! * Spatial: The set of memory addresses that the pointer is allowed to access.
157//! * Temporal: The timespan during which the pointer is allowed to access those memory addresses.
158//! * Mutability: Whether the pointer may only access the memory for reads, or also access it for
159//! writes. Note that this can interact with the other components, e.g. a pointer might permit
160//! mutation only for a subset of addresses, or only for a subset of its maximal timespan.
161//!
162//! When an [allocated object] is created, it has a unique Original Pointer. For alloc
163//! APIs this is literally the pointer the call returns, and for local variables and statics,
164//! this is the name of the variable/static. (This is mildly overloading the term "pointer"
165//! for the sake of brevity/exposition.)
166//!
167//! The Original Pointer for an allocated object has provenance that constrains the *spatial*
168//! permissions of this pointer to the memory range of the allocation, and the *temporal*
169//! permissions to the lifetime of the allocation. Provenance is implicitly inherited by all
170//! pointers transitively derived from the Original Pointer through operations like [`offset`],
171//! borrowing, and pointer casts. Some operations may *shrink* the permissions of the derived
172//! provenance, limiting how much memory it can access or how long it's valid for (i.e. borrowing a
173//! subfield and subslicing can shrink the spatial component of provenance, and all borrowing can
174//! shrink the temporal component of provenance). However, no operation can ever *grow* the
175//! permissions of the derived provenance: even if you "know" there is a larger allocation, you
176//! can't derive a pointer with a larger provenance. Similarly, you cannot "recombine" two
177//! contiguous provenances back into one (i.e. with a `fn merge(&[T], &[T]) -> &[T]`).
178//!
179//! A reference to a place always has provenance over at least the memory that place occupies.
180//! A reference to a slice always has provenance over at least the range that slice describes.
181//! Whether and when exactly the provenance of a reference gets "shrunk" to *exactly* fit
182//! the memory it points to is not yet determined.
183//!
184//! A *shared* reference only ever has provenance that permits reading from memory,
185//! and never permits writes, except inside [`UnsafeCell`].
186//!
187//! Provenance can affect whether a program has undefined behavior:
188//!
189//! * It is undefined behavior to access memory through a pointer that does not have provenance over
190//! that memory. Note that a pointer "at the end" of its provenance is not actually outside its
191//! provenance, it just has 0 bytes it can load/store. Zero-sized accesses do not require any
192//! provenance since they access an empty range of memory.
193//!
194//! * It is undefined behavior to [`offset`] a pointer across a memory range that is not contained
195//! in the allocated object it is derived from, or to [`offset_from`] two pointers not derived
196//! from the same allocated object. Provenance is used to say what exactly "derived from" even
197//! means: the lineage of a pointer is traced back to the Original Pointer it descends from, and
198//! that identifies the relevant allocated object. In particular, it's always UB to offset a
199//! pointer derived from something that is now deallocated, except if the offset is 0.
200//!
201//! But it *is* still sound to:
202//!
203//! * Create a pointer without provenance from just an address (see [`without_provenance`]). Such a
204//! pointer cannot be used for memory accesses (except for zero-sized accesses). This can still be
205//! useful for sentinel values like `null` *or* to represent a tagged pointer that will never be
206//! dereferenceable. In general, it is always sound for an integer to pretend to be a pointer "for
207//! fun" as long as you don't use operations on it which require it to be valid (non-zero-sized
208//! offset, read, write, etc).
209//!
210//! * Forge an allocation of size zero at any sufficiently aligned non-null address.
211//! i.e. the usual "ZSTs are fake, do what you want" rules apply.
212//!
213//! * [`wrapping_offset`] a pointer outside its provenance. This includes pointers
214//! which have "no" provenance. In particular, this makes it sound to do pointer tagging tricks.
215//!
216//! * Compare arbitrary pointers by address. Pointer comparison ignores provenance and addresses
217//! *are* just integers, so there is always a coherent answer, even if the pointers are dangling
218//! or from different provenances. Note that if you get "lucky" and notice that a pointer at the
219//! end of one allocated object is the "same" address as the start of another allocated object,
220//! anything you do with that fact is *probably* going to be gibberish. The scope of that
221//! gibberish is kept under control by the fact that the two pointers *still* aren't allowed to
222//! access the other's allocation (bytes), because they still have different provenance.
223//!
224//! Note that the full definition of provenance in Rust is not decided yet, as this interacts
225//! with the as-yet undecided [aliasing] rules.
226//!
227//! ## Pointers Vs Integers
228//!
229//! From this discussion, it becomes very clear that a `usize` *cannot* accurately represent a pointer,
230//! and converting from a pointer to a `usize` is generally an operation which *only* extracts the
231//! address. Converting this address back into pointer requires somehow answering the question:
232//! which provenance should the resulting pointer have?
233//!
234//! Rust provides two ways of dealing with this situation: *Strict Provenance* and *Exposed Provenance*.
235//!
236//! Note that a pointer *can* represent a `usize` (via [`without_provenance`]), so the right type to
237//! use in situations where a value is "sometimes a pointer and sometimes a bare `usize`" is a
238//! pointer type.
239//!
240//! ## Strict Provenance
241//!
242//! "Strict Provenance" refers to a set of APIs designed to make working with provenance more
243//! explicit. They are intended as substitutes for casting a pointer to an integer and back.
244//!
245//! Entirely avoiding integer-to-pointer casts successfully side-steps the inherent ambiguity of
246//! that operation. This benefits compiler optimizations, and it is pretty much a requirement for
247//! using tools like [Miri] and architectures like [CHERI] that aim to detect and diagnose pointer
248//! misuse.
249//!
250//! The key insight to making programming without integer-to-pointer casts *at all* viable is the
251//! [`with_addr`] method:
252//!
253//! ```text
254//! /// Creates a new pointer with the given address.
255//! ///
256//! /// This performs the same operation as an `addr as ptr` cast, but copies
257//! /// the *provenance* of `self` to the new pointer.
258//! /// This allows us to dynamically preserve and propagate this important
259//! /// information in a way that is otherwise impossible with a unary cast.
260//! ///
261//! /// This is equivalent to using `wrapping_offset` to offset `self` to the
262//! /// given address, and therefore has all the same capabilities and restrictions.
263//! pub fn with_addr(self, addr: usize) -> Self;
264//! ```
265//!
266//! So you're still able to drop down to the address representation and do whatever
267//! clever bit tricks you want *as long as* you're able to keep around a pointer
268//! into the allocation you care about that can "reconstitute" the provenance.
269//! Usually this is very easy, because you only are taking a pointer, messing with the address,
270//! and then immediately converting back to a pointer. To make this use case more ergonomic,
271//! we provide the [`map_addr`] method.
272//!
273//! To help make it clear that code is "following" Strict Provenance semantics, we also provide an
274//! [`addr`] method which promises that the returned address is not part of a
275//! pointer-integer-pointer roundtrip. In the future we may provide a lint for pointer<->integer
276//! casts to help you audit if your code conforms to strict provenance.
277//!
278//! ### Using Strict Provenance
279//!
280//! Most code needs no changes to conform to strict provenance, as the only really concerning
281//! operation is casts from usize to a pointer. For code which *does* cast a `usize` to a pointer,
282//! the scope of the change depends on exactly what you're doing.
283//!
284//! In general, you just need to make sure that if you want to convert a `usize` address to a
285//! pointer and then use that pointer to read/write memory, you need to keep around a pointer
286//! that has sufficient provenance to perform that read/write itself. In this way all of your
287//! casts from an address to a pointer are essentially just applying offsets/indexing.
288//!
289//! This is generally trivial to do for simple cases like tagged pointers *as long as you
290//! represent the tagged pointer as an actual pointer and not a `usize`*. For instance:
291//!
292//! ```
293//! unsafe {
294//! // A flag we want to pack into our pointer
295//! static HAS_DATA: usize = 0x1;
296//! static FLAG_MASK: usize = !HAS_DATA;
297//!
298//! // Our value, which must have enough alignment to have spare least-significant-bits.
299//! let my_precious_data: u32 = 17;
300//! assert!(core::mem::align_of::<u32>() > 1);
301//!
302//! // Create a tagged pointer
303//! let ptr = &my_precious_data as *const u32;
304//! let tagged = ptr.map_addr(|addr| addr | HAS_DATA);
305//!
306//! // Check the flag:
307//! if tagged.addr() & HAS_DATA != 0 {
308//! // Untag and read the pointer
309//! let data = *tagged.map_addr(|addr| addr & FLAG_MASK);
310//! assert_eq!(data, 17);
311//! } else {
312//! unreachable!()
313//! }
314//! }
315//! ```
316//!
317//! (Yes, if you've been using [`AtomicUsize`] for pointers in concurrent datastructures, you should
318//! be using [`AtomicPtr`] instead. If that messes up the way you atomically manipulate pointers,
319//! we would like to know why, and what needs to be done to fix it.)
320//!
321//! Situations where a valid pointer *must* be created from just an address, such as baremetal code
322//! accessing a memory-mapped interface at a fixed address, cannot currently be handled with strict
323//! provenance APIs and should use [exposed provenance](#exposed-provenance).
324//!
325//! ## Exposed Provenance
326//!
327//! As discussed above, integer-to-pointer casts are not possible with Strict Provenance APIs.
328//! This is by design: the goal of Strict Provenance is to provide a clear specification that we are
329//! confident can be formalized unambiguously and can be subject to precise formal reasoning.
330//! Integer-to-pointer casts do not (currently) have such a clear specification.
331//!
332//! However, there exist situations where integer-to-pointer casts cannot be avoided, or
333//! where avoiding them would require major refactoring. Legacy platform APIs also regularly assume
334//! that `usize` can capture all the information that makes up a pointer.
335//! Bare-metal platforms can also require the synthesis of a pointer "out of thin air" without
336//! anywhere to obtain proper provenance from.
337//!
338//! Rust's model for dealing with integer-to-pointer casts is called *Exposed Provenance*. However,
339//! the semantics of Exposed Provenance are on much less solid footing than Strict Provenance, and
340//! at this point it is not yet clear whether a satisfying unambiguous semantics can be defined for
341//! Exposed Provenance. (If that sounds bad, be reassured that other popular languages that provide
342//! integer-to-pointer casts are not faring any better.) Furthermore, Exposed Provenance will not
343//! work (well) with tools like [Miri] and [CHERI].
344//!
345//! Exposed Provenance is provided by the [`expose_provenance`] and [`with_exposed_provenance`] methods,
346//! which are equivalent to `as` casts between pointers and integers.
347//! - [`expose_provenance`] is a lot like [`addr`], but additionally adds the provenance of the
348//! pointer to a global list of 'exposed' provenances. (This list is purely conceptual, it exists
349//! for the purpose of specifying Rust but is not materialized in actual executions, except in
350//! tools like [Miri].)
351//! Memory which is outside the control of the Rust abstract machine (MMIO registers, for example)
352//! is always considered to be exposed, so long as this memory is disjoint from memory that will
353//! be used by the abstract machine such as the stack, heap, and statics.
354//! - [`with_exposed_provenance`] can be used to construct a pointer with one of these previously
355//! 'exposed' provenances. [`with_exposed_provenance`] takes only `addr: usize` as arguments, so
356//! unlike in [`with_addr`] there is no indication of what the correct provenance for the returned
357//! pointer is -- and that is exactly what makes integer-to-pointer casts so tricky to rigorously
358//! specify! The compiler will do its best to pick the right provenance for you, but currently we
359//! cannot provide any guarantees about which provenance the resulting pointer will have. Only one
360//! thing is clear: if there is *no* previously 'exposed' provenance that justifies the way the
361//! returned pointer will be used, the program has undefined behavior.
362//!
363//! If at all possible, we encourage code to be ported to [Strict Provenance] APIs, thus avoiding
364//! the need for Exposed Provenance. Maximizing the amount of such code is a major win for avoiding
365//! specification complexity and to facilitate adoption of tools like [CHERI] and [Miri] that can be
366//! a big help in increasing the confidence in (unsafe) Rust code. However, we acknowledge that this
367//! is not always possible, and offer Exposed Provenance as a way to explicit "opt out" of the
368//! well-defined semantics of Strict Provenance, and "opt in" to the unclear semantics of
369//! integer-to-pointer casts.
370//!
371//! [aliasing]: ../../nomicon/aliasing.html
372//! [allocated object]: #allocated-object
373//! [provenance]: #provenance
374//! [book]: ../../book/ch19-01-unsafe-rust.html#dereferencing-a-raw-pointer
375//! [ub]: ../../reference/behavior-considered-undefined.html
376//! [zst]: ../../nomicon/exotic-sizes.html#zero-sized-types-zsts
377//! [atomic operations]: crate::sync::atomic
378//! [`offset`]: pointer::offset
379//! [`offset_from`]: pointer::offset_from
380//! [`wrapping_offset`]: pointer::wrapping_offset
381//! [`with_addr`]: pointer::with_addr
382//! [`map_addr`]: pointer::map_addr
383//! [`addr`]: pointer::addr
384//! [`AtomicUsize`]: crate::sync::atomic::AtomicUsize
385//! [`AtomicPtr`]: crate::sync::atomic::AtomicPtr
386//! [`expose_provenance`]: pointer::expose_provenance
387//! [`with_exposed_provenance`]: with_exposed_provenance
388//! [Miri]: https://github.com/rust-lang/miri
389//! [CHERI]: https://www.cl.cam.ac.uk/research/security/ctsrd/cheri/
390//! [Strict Provenance]: #strict-provenance
391//! [`UnsafeCell`]: core::cell::UnsafeCell
392
393#![stable(feature = "rust1", since = "1.0.0")]
394// There are many unsafe functions taking pointers that don't dereference them.
395#![allow(clippy::not_unsafe_ptr_arg_deref)]
396
397use crate::cmp::Ordering;
398use crate::intrinsics::const_eval_select;
399use crate::marker::FnPtr;
400use crate::mem::{self, MaybeUninit, SizedTypeProperties};
401use crate::{fmt, hash, intrinsics, ub_checks};
402
403mod alignment;
404#[unstable(feature = "ptr_alignment_type", issue = "102070")]
405pub use alignment::Alignment;
406
407#[stable(feature = "rust1", since = "1.0.0")]
408#[doc(inline)]
409pub use crate::intrinsics::copy;
410#[stable(feature = "rust1", since = "1.0.0")]
411#[doc(inline)]
412pub use crate::intrinsics::copy_nonoverlapping;
413#[stable(feature = "rust1", since = "1.0.0")]
414#[doc(inline)]
415pub use crate::intrinsics::write_bytes;
416
417mod metadata;
418#[unstable(feature = "ptr_metadata", issue = "81513")]
419pub use metadata::{DynMetadata, Pointee, Thin, from_raw_parts, from_raw_parts_mut, metadata};
420
421mod non_null;
422#[stable(feature = "nonnull", since = "1.25.0")]
423pub use non_null::NonNull;
424
425mod unique;
426#[unstable(feature = "ptr_internals", issue = "none")]
427pub use unique::Unique;
428
429mod const_ptr;
430mod mut_ptr;
431
432/// Executes the destructor (if any) of the pointed-to value.
433///
434/// This is almost the same as calling [`ptr::read`] and discarding
435/// the result, but has the following advantages:
436// FIXME: say something more useful than "almost the same"?
437// There are open questions here: `read` requires the value to be fully valid, e.g. if `T` is a
438// `bool` it must be 0 or 1, if it is a reference then it must be dereferenceable. `drop_in_place`
439// only requires that `*to_drop` be "valid for dropping" and we have not defined what that means. In
440// Miri it currently (May 2024) requires nothing at all for types without drop glue.
441///
442/// * It is *required* to use `drop_in_place` to drop unsized types like
443/// trait objects, because they can't be read out onto the stack and
444/// dropped normally.
445///
446/// * It is friendlier to the optimizer to do this over [`ptr::read`] when
447/// dropping manually allocated memory (e.g., in the implementations of
448/// `Box`/`Rc`/`Vec`), as the compiler doesn't need to prove that it's
449/// sound to elide the copy.
450///
451/// * It can be used to drop [pinned] data when `T` is not `repr(packed)`
452/// (pinned data must not be moved before it is dropped).
453///
454/// Unaligned values cannot be dropped in place, they must be copied to an aligned
455/// location first using [`ptr::read_unaligned`]. For packed structs, this move is
456/// done automatically by the compiler. This means the fields of packed structs
457/// are not dropped in-place.
458///
459/// [`ptr::read`]: self::read
460/// [`ptr::read_unaligned`]: self::read_unaligned
461/// [pinned]: crate::pin
462///
463/// # Safety
464///
465/// Behavior is undefined if any of the following conditions are violated:
466///
467/// * `to_drop` must be [valid] for both reads and writes.
468///
469/// * `to_drop` must be properly aligned, even if `T` has size 0.
470///
471/// * `to_drop` must be nonnull, even if `T` has size 0.
472///
473/// * The value `to_drop` points to must be valid for dropping, which may mean
474/// it must uphold additional invariants. These invariants depend on the type
475/// of the value being dropped. For instance, when dropping a Box, the box's
476/// pointer to the heap must be valid.
477///
478/// * While `drop_in_place` is executing, the only way to access parts of
479/// `to_drop` is through the `&mut self` references supplied to the
480/// `Drop::drop` methods that `drop_in_place` invokes.
481///
482/// Additionally, if `T` is not [`Copy`], using the pointed-to value after
483/// calling `drop_in_place` can cause undefined behavior. Note that `*to_drop =
484/// foo` counts as a use because it will cause the value to be dropped
485/// again. [`write()`] can be used to overwrite data without causing it to be
486/// dropped.
487///
488/// [valid]: self#safety
489///
490/// # Examples
491///
492/// Manually remove the last item from a vector:
493///
494/// ```
495/// use std::ptr;
496/// use std::rc::Rc;
497///
498/// let last = Rc::new(1);
499/// let weak = Rc::downgrade(&last);
500///
501/// let mut v = vec![Rc::new(0), last];
502///
503/// unsafe {
504/// // Get a raw pointer to the last element in `v`.
505/// let ptr = &mut v[1] as *mut _;
506/// // Shorten `v` to prevent the last item from being dropped. We do that first,
507/// // to prevent issues if the `drop_in_place` below panics.
508/// v.set_len(1);
509/// // Without a call `drop_in_place`, the last item would never be dropped,
510/// // and the memory it manages would be leaked.
511/// ptr::drop_in_place(ptr);
512/// }
513///
514/// assert_eq!(v, &[0.into()]);
515///
516/// // Ensure that the last item was dropped.
517/// assert!(weak.upgrade().is_none());
518/// ```
519#[stable(feature = "drop_in_place", since = "1.8.0")]
520#[lang = "drop_in_place"]
521#[allow(unconditional_recursion)]
522#[rustc_diagnostic_item = "ptr_drop_in_place"]
523pub unsafe fn drop_in_place<T: ?Sized>(to_drop: *mut T) {
524 // Code here does not matter - this is replaced by the
525 // real drop glue by the compiler.
526
527 // SAFETY: see comment above
528 unsafe { drop_in_place(to_drop) }
529}
530
531/// Creates a null raw pointer.
532///
533/// This function is equivalent to zero-initializing the pointer:
534/// `MaybeUninit::<*const T>::zeroed().assume_init()`.
535/// The resulting pointer has the address 0.
536///
537/// # Examples
538///
539/// ```
540/// use std::ptr;
541///
542/// let p: *const i32 = ptr::null();
543/// assert!(p.is_null());
544/// assert_eq!(p as usize, 0); // this pointer has the address 0
545/// ```
546#[inline(always)]
547#[must_use]
548#[stable(feature = "rust1", since = "1.0.0")]
549#[rustc_promotable]
550#[rustc_const_stable(feature = "const_ptr_null", since = "1.24.0")]
551#[rustc_diagnostic_item = "ptr_null"]
552pub const fn null<T: ?Sized + Thin>() -> *const T {
553 from_raw_parts(without_provenance::<()>(0), ())
554}
555
556/// Creates a null mutable raw pointer.
557///
558/// This function is equivalent to zero-initializing the pointer:
559/// `MaybeUninit::<*mut T>::zeroed().assume_init()`.
560/// The resulting pointer has the address 0.
561///
562/// # Examples
563///
564/// ```
565/// use std::ptr;
566///
567/// let p: *mut i32 = ptr::null_mut();
568/// assert!(p.is_null());
569/// assert_eq!(p as usize, 0); // this pointer has the address 0
570/// ```
571#[inline(always)]
572#[must_use]
573#[stable(feature = "rust1", since = "1.0.0")]
574#[rustc_promotable]
575#[rustc_const_stable(feature = "const_ptr_null", since = "1.24.0")]
576#[rustc_diagnostic_item = "ptr_null_mut"]
577pub const fn null_mut<T: ?Sized + Thin>() -> *mut T {
578 from_raw_parts_mut(without_provenance_mut::<()>(0), ())
579}
580
581/// Creates a pointer with the given address and no [provenance][crate::ptr#provenance].
582///
583/// This is equivalent to `ptr::null().with_addr(addr)`.
584///
585/// Without provenance, this pointer is not associated with any actual allocation. Such a
586/// no-provenance pointer may be used for zero-sized memory accesses (if suitably aligned), but
587/// non-zero-sized memory accesses with a no-provenance pointer are UB. No-provenance pointers are
588/// little more than a `usize` address in disguise.
589///
590/// This is different from `addr as *const T`, which creates a pointer that picks up a previously
591/// exposed provenance. See [`with_exposed_provenance`] for more details on that operation.
592///
593/// This is a [Strict Provenance][crate::ptr#strict-provenance] API.
594#[inline(always)]
595#[must_use]
596#[stable(feature = "strict_provenance", since = "1.84.0")]
597#[rustc_const_stable(feature = "strict_provenance", since = "1.84.0")]
598pub const fn without_provenance<T>(addr: usize) -> *const T {
599 without_provenance_mut(addr)
600}
601
602/// Creates a new pointer that is dangling, but non-null and well-aligned.
603///
604/// This is useful for initializing types which lazily allocate, like
605/// `Vec::new` does.
606///
607/// Note that the pointer value may potentially represent a valid pointer to
608/// a `T`, which means this must not be used as a "not yet initialized"
609/// sentinel value. Types that lazily allocate must track initialization by
610/// some other means.
611#[inline(always)]
612#[must_use]
613#[stable(feature = "strict_provenance", since = "1.84.0")]
614#[rustc_const_stable(feature = "strict_provenance", since = "1.84.0")]
615pub const fn dangling<T>() -> *const T {
616 dangling_mut()
617}
618
619/// Creates a pointer with the given address and no [provenance][crate::ptr#provenance].
620///
621/// This is equivalent to `ptr::null_mut().with_addr(addr)`.
622///
623/// Without provenance, this pointer is not associated with any actual allocation. Such a
624/// no-provenance pointer may be used for zero-sized memory accesses (if suitably aligned), but
625/// non-zero-sized memory accesses with a no-provenance pointer are UB. No-provenance pointers are
626/// little more than a `usize` address in disguise.
627///
628/// This is different from `addr as *mut T`, which creates a pointer that picks up a previously
629/// exposed provenance. See [`with_exposed_provenance_mut`] for more details on that operation.
630///
631/// This is a [Strict Provenance][crate::ptr#strict-provenance] API.
632#[inline(always)]
633#[must_use]
634#[stable(feature = "strict_provenance", since = "1.84.0")]
635#[rustc_const_stable(feature = "strict_provenance", since = "1.84.0")]
636pub const fn without_provenance_mut<T>(addr: usize) -> *mut T {
637 // An int-to-pointer transmute currently has exactly the intended semantics: it creates a
638 // pointer without provenance. Note that this is *not* a stable guarantee about transmute
639 // semantics, it relies on sysroot crates having special status.
640 // SAFETY: every valid integer is also a valid pointer (as long as you don't dereference that
641 // pointer).
642 unsafe { mem::transmute(addr) }
643}
644
645/// Creates a new pointer that is dangling, but non-null and well-aligned.
646///
647/// This is useful for initializing types which lazily allocate, like
648/// `Vec::new` does.
649///
650/// Note that the pointer value may potentially represent a valid pointer to
651/// a `T`, which means this must not be used as a "not yet initialized"
652/// sentinel value. Types that lazily allocate must track initialization by
653/// some other means.
654#[inline(always)]
655#[must_use]
656#[stable(feature = "strict_provenance", since = "1.84.0")]
657#[rustc_const_stable(feature = "strict_provenance", since = "1.84.0")]
658pub const fn dangling_mut<T>() -> *mut T {
659 NonNull::dangling().as_ptr()
660}
661
662/// Converts an address back to a pointer, picking up some previously 'exposed'
663/// [provenance][crate::ptr#provenance].
664///
665/// This is fully equivalent to `addr as *const T`. The provenance of the returned pointer is that
666/// of *some* pointer that was previously exposed by passing it to
667/// [`expose_provenance`][pointer::expose_provenance], or a `ptr as usize` cast. In addition, memory
668/// which is outside the control of the Rust abstract machine (MMIO registers, for example) is
669/// always considered to be accessible with an exposed provenance, so long as this memory is disjoint
670/// from memory that will be used by the abstract machine such as the stack, heap, and statics.
671///
672/// The exact provenance that gets picked is not specified. The compiler will do its best to pick
673/// the "right" provenance for you (whatever that may be), but currently we cannot provide any
674/// guarantees about which provenance the resulting pointer will have -- and therefore there
675/// is no definite specification for which memory the resulting pointer may access.
676///
677/// If there is *no* previously 'exposed' provenance that justifies the way the returned pointer
678/// will be used, the program has undefined behavior. In particular, the aliasing rules still apply:
679/// pointers and references that have been invalidated due to aliasing accesses cannot be used
680/// anymore, even if they have been exposed!
681///
682/// Due to its inherent ambiguity, this operation may not be supported by tools that help you to
683/// stay conformant with the Rust memory model. It is recommended to use [Strict
684/// Provenance][self#strict-provenance] APIs such as [`with_addr`][pointer::with_addr] wherever
685/// possible.
686///
687/// On most platforms this will produce a value with the same bytes as the address. Platforms
688/// which need to store additional information in a pointer may not support this operation,
689/// since it is generally not possible to actually *compute* which provenance the returned
690/// pointer has to pick up.
691///
692/// This is an [Exposed Provenance][crate::ptr#exposed-provenance] API.
693#[must_use]
694#[inline(always)]
695#[stable(feature = "exposed_provenance", since = "1.84.0")]
696#[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
697#[allow(fuzzy_provenance_casts)] // this *is* the explicit provenance API one should use instead
698pub fn with_exposed_provenance<T>(addr: usize) -> *const T {
699 addr as *const T
700}
701
702/// Converts an address back to a mutable pointer, picking up some previously 'exposed'
703/// [provenance][crate::ptr#provenance].
704///
705/// This is fully equivalent to `addr as *mut T`. The provenance of the returned pointer is that
706/// of *some* pointer that was previously exposed by passing it to
707/// [`expose_provenance`][pointer::expose_provenance], or a `ptr as usize` cast. In addition, memory
708/// which is outside the control of the Rust abstract machine (MMIO registers, for example) is
709/// always considered to be accessible with an exposed provenance, so long as this memory is disjoint
710/// from memory that will be used by the abstract machine such as the stack, heap, and statics.
711///
712/// The exact provenance that gets picked is not specified. The compiler will do its best to pick
713/// the "right" provenance for you (whatever that may be), but currently we cannot provide any
714/// guarantees about which provenance the resulting pointer will have -- and therefore there
715/// is no definite specification for which memory the resulting pointer may access.
716///
717/// If there is *no* previously 'exposed' provenance that justifies the way the returned pointer
718/// will be used, the program has undefined behavior. In particular, the aliasing rules still apply:
719/// pointers and references that have been invalidated due to aliasing accesses cannot be used
720/// anymore, even if they have been exposed!
721///
722/// Due to its inherent ambiguity, this operation may not be supported by tools that help you to
723/// stay conformant with the Rust memory model. It is recommended to use [Strict
724/// Provenance][self#strict-provenance] APIs such as [`with_addr`][pointer::with_addr] wherever
725/// possible.
726///
727/// On most platforms this will produce a value with the same bytes as the address. Platforms
728/// which need to store additional information in a pointer may not support this operation,
729/// since it is generally not possible to actually *compute* which provenance the returned
730/// pointer has to pick up.
731///
732/// This is an [Exposed Provenance][crate::ptr#exposed-provenance] API.
733#[must_use]
734#[inline(always)]
735#[stable(feature = "exposed_provenance", since = "1.84.0")]
736#[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
737#[allow(fuzzy_provenance_casts)] // this *is* the explicit provenance API one should use instead
738pub fn with_exposed_provenance_mut<T>(addr: usize) -> *mut T {
739 addr as *mut T
740}
741
742/// Converts a reference to a raw pointer.
743///
744/// For `r: &T`, `from_ref(r)` is equivalent to `r as *const T` (except for the caveat noted below),
745/// but is a bit safer since it will never silently change type or mutability, in particular if the
746/// code is refactored.
747///
748/// The caller must ensure that the pointee outlives the pointer this function returns, or else it
749/// will end up dangling.
750///
751/// The caller must also ensure that the memory the pointer (non-transitively) points to is never
752/// written to (except inside an `UnsafeCell`) using this pointer or any pointer derived from it. If
753/// you need to mutate the pointee, use [`from_mut`]. Specifically, to turn a mutable reference `m:
754/// &mut T` into `*const T`, prefer `from_mut(m).cast_const()` to obtain a pointer that can later be
755/// used for mutation.
756///
757/// ## Interaction with lifetime extension
758///
759/// Note that this has subtle interactions with the rules for lifetime extension of temporaries in
760/// tail expressions. This code is valid, albeit in a non-obvious way:
761/// ```rust
762/// # type T = i32;
763/// # fn foo() -> T { 42 }
764/// // The temporary holding the return value of `foo` has its lifetime extended,
765/// // because the surrounding expression involves no function call.
766/// let p = &foo() as *const T;
767/// unsafe { p.read() };
768/// ```
769/// Naively replacing the cast with `from_ref` is not valid:
770/// ```rust,no_run
771/// # use std::ptr;
772/// # type T = i32;
773/// # fn foo() -> T { 42 }
774/// // The temporary holding the return value of `foo` does *not* have its lifetime extended,
775/// // because the surrounding expression involves a function call.
776/// let p = ptr::from_ref(&foo());
777/// unsafe { p.read() }; // UB! Reading from a dangling pointer ⚠️
778/// ```
779/// The recommended way to write this code is to avoid relying on lifetime extension
780/// when raw pointers are involved:
781/// ```rust
782/// # use std::ptr;
783/// # type T = i32;
784/// # fn foo() -> T { 42 }
785/// let x = foo();
786/// let p = ptr::from_ref(&x);
787/// unsafe { p.read() };
788/// ```
789#[inline(always)]
790#[must_use]
791#[stable(feature = "ptr_from_ref", since = "1.76.0")]
792#[rustc_const_stable(feature = "ptr_from_ref", since = "1.76.0")]
793#[rustc_never_returns_null_ptr]
794#[rustc_diagnostic_item = "ptr_from_ref"]
795pub const fn from_ref<T: ?Sized>(r: &T) -> *const T {
796 r
797}
798
799/// Converts a mutable reference to a raw pointer.
800///
801/// For `r: &mut T`, `from_mut(r)` is equivalent to `r as *mut T` (except for the caveat noted
802/// below), but is a bit safer since it will never silently change type or mutability, in particular
803/// if the code is refactored.
804///
805/// The caller must ensure that the pointee outlives the pointer this function returns, or else it
806/// will end up dangling.
807///
808/// ## Interaction with lifetime extension
809///
810/// Note that this has subtle interactions with the rules for lifetime extension of temporaries in
811/// tail expressions. This code is valid, albeit in a non-obvious way:
812/// ```rust
813/// # type T = i32;
814/// # fn foo() -> T { 42 }
815/// // The temporary holding the return value of `foo` has its lifetime extended,
816/// // because the surrounding expression involves no function call.
817/// let p = &mut foo() as *mut T;
818/// unsafe { p.write(T::default()) };
819/// ```
820/// Naively replacing the cast with `from_mut` is not valid:
821/// ```rust,no_run
822/// # use std::ptr;
823/// # type T = i32;
824/// # fn foo() -> T { 42 }
825/// // The temporary holding the return value of `foo` does *not* have its lifetime extended,
826/// // because the surrounding expression involves a function call.
827/// let p = ptr::from_mut(&mut foo());
828/// unsafe { p.write(T::default()) }; // UB! Writing to a dangling pointer ⚠️
829/// ```
830/// The recommended way to write this code is to avoid relying on lifetime extension
831/// when raw pointers are involved:
832/// ```rust
833/// # use std::ptr;
834/// # type T = i32;
835/// # fn foo() -> T { 42 }
836/// let mut x = foo();
837/// let p = ptr::from_mut(&mut x);
838/// unsafe { p.write(T::default()) };
839/// ```
840#[inline(always)]
841#[must_use]
842#[stable(feature = "ptr_from_ref", since = "1.76.0")]
843#[rustc_const_stable(feature = "ptr_from_ref", since = "1.76.0")]
844#[rustc_never_returns_null_ptr]
845pub const fn from_mut<T: ?Sized>(r: &mut T) -> *mut T {
846 r
847}
848
849/// Forms a raw slice from a pointer and a length.
850///
851/// The `len` argument is the number of **elements**, not the number of bytes.
852///
853/// This function is safe, but actually using the return value is unsafe.
854/// See the documentation of [`slice::from_raw_parts`] for slice safety requirements.
855///
856/// [`slice::from_raw_parts`]: crate::slice::from_raw_parts
857///
858/// # Examples
859///
860/// ```rust
861/// use std::ptr;
862///
863/// // create a slice pointer when starting out with a pointer to the first element
864/// let x = [5, 6, 7];
865/// let raw_pointer = x.as_ptr();
866/// let slice = ptr::slice_from_raw_parts(raw_pointer, 3);
867/// assert_eq!(unsafe { &*slice }[2], 7);
868/// ```
869///
870/// You must ensure that the pointer is valid and not null before dereferencing
871/// the raw slice. A slice reference must never have a null pointer, even if it's empty.
872///
873/// ```rust,should_panic
874/// use std::ptr;
875/// let danger: *const [u8] = ptr::slice_from_raw_parts(ptr::null(), 0);
876/// unsafe {
877/// danger.as_ref().expect("references must not be null");
878/// }
879/// ```
880#[inline]
881#[stable(feature = "slice_from_raw_parts", since = "1.42.0")]
882#[rustc_const_stable(feature = "const_slice_from_raw_parts", since = "1.64.0")]
883#[rustc_diagnostic_item = "ptr_slice_from_raw_parts"]
884pub const fn slice_from_raw_parts<T>(data: *const T, len: usize) -> *const [T] {
885 from_raw_parts(data, len)
886}
887
888/// Forms a raw mutable slice from a pointer and a length.
889///
890/// The `len` argument is the number of **elements**, not the number of bytes.
891///
892/// Performs the same functionality as [`slice_from_raw_parts`], except that a
893/// raw mutable slice is returned, as opposed to a raw immutable slice.
894///
895/// This function is safe, but actually using the return value is unsafe.
896/// See the documentation of [`slice::from_raw_parts_mut`] for slice safety requirements.
897///
898/// [`slice::from_raw_parts_mut`]: crate::slice::from_raw_parts_mut
899///
900/// # Examples
901///
902/// ```rust
903/// use std::ptr;
904///
905/// let x = &mut [5, 6, 7];
906/// let raw_pointer = x.as_mut_ptr();
907/// let slice = ptr::slice_from_raw_parts_mut(raw_pointer, 3);
908///
909/// unsafe {
910/// (*slice)[2] = 99; // assign a value at an index in the slice
911/// };
912///
913/// assert_eq!(unsafe { &*slice }[2], 99);
914/// ```
915///
916/// You must ensure that the pointer is valid and not null before dereferencing
917/// the raw slice. A slice reference must never have a null pointer, even if it's empty.
918///
919/// ```rust,should_panic
920/// use std::ptr;
921/// let danger: *mut [u8] = ptr::slice_from_raw_parts_mut(ptr::null_mut(), 0);
922/// unsafe {
923/// danger.as_mut().expect("references must not be null");
924/// }
925/// ```
926#[inline]
927#[stable(feature = "slice_from_raw_parts", since = "1.42.0")]
928#[rustc_const_stable(feature = "const_slice_from_raw_parts_mut", since = "1.83.0")]
929#[rustc_diagnostic_item = "ptr_slice_from_raw_parts_mut"]
930pub const fn slice_from_raw_parts_mut<T>(data: *mut T, len: usize) -> *mut [T] {
931 from_raw_parts_mut(data, len)
932}
933
934/// Swaps the values at two mutable locations of the same type, without
935/// deinitializing either.
936///
937/// But for the following exceptions, this function is semantically
938/// equivalent to [`mem::swap`]:
939///
940/// * It operates on raw pointers instead of references. When references are
941/// available, [`mem::swap`] should be preferred.
942///
943/// * The two pointed-to values may overlap. If the values do overlap, then the
944/// overlapping region of memory from `x` will be used. This is demonstrated
945/// in the second example below.
946///
947/// * The operation is "untyped" in the sense that data may be uninitialized or otherwise violate
948/// the requirements of `T`. The initialization state is preserved exactly.
949///
950/// # Safety
951///
952/// Behavior is undefined if any of the following conditions are violated:
953///
954/// * Both `x` and `y` must be [valid] for both reads and writes. They must remain valid even when the
955/// other pointer is written. (This means if the memory ranges overlap, the two pointers must not
956/// be subject to aliasing restrictions relative to each other.)
957///
958/// * Both `x` and `y` must be properly aligned.
959///
960/// Note that even if `T` has size `0`, the pointers must be properly aligned.
961///
962/// [valid]: self#safety
963///
964/// # Examples
965///
966/// Swapping two non-overlapping regions:
967///
968/// ```
969/// use std::ptr;
970///
971/// let mut array = [0, 1, 2, 3];
972///
973/// let (x, y) = array.split_at_mut(2);
974/// let x = x.as_mut_ptr().cast::<[u32; 2]>(); // this is `array[0..2]`
975/// let y = y.as_mut_ptr().cast::<[u32; 2]>(); // this is `array[2..4]`
976///
977/// unsafe {
978/// ptr::swap(x, y);
979/// assert_eq!([2, 3, 0, 1], array);
980/// }
981/// ```
982///
983/// Swapping two overlapping regions:
984///
985/// ```
986/// use std::ptr;
987///
988/// let mut array: [i32; 4] = [0, 1, 2, 3];
989///
990/// let array_ptr: *mut i32 = array.as_mut_ptr();
991///
992/// let x = array_ptr as *mut [i32; 3]; // this is `array[0..3]`
993/// let y = unsafe { array_ptr.add(1) } as *mut [i32; 3]; // this is `array[1..4]`
994///
995/// unsafe {
996/// ptr::swap(x, y);
997/// // The indices `1..3` of the slice overlap between `x` and `y`.
998/// // Reasonable results would be for to them be `[2, 3]`, so that indices `0..3` are
999/// // `[1, 2, 3]` (matching `y` before the `swap`); or for them to be `[0, 1]`
1000/// // so that indices `1..4` are `[0, 1, 2]` (matching `x` before the `swap`).
1001/// // This implementation is defined to make the latter choice.
1002/// assert_eq!([1, 0, 1, 2], array);
1003/// }
1004/// ```
1005#[inline]
1006#[stable(feature = "rust1", since = "1.0.0")]
1007#[rustc_const_stable(feature = "const_swap", since = "1.85.0")]
1008#[rustc_diagnostic_item = "ptr_swap"]
1009pub const unsafe fn swap<T>(x: *mut T, y: *mut T) {
1010 // Give ourselves some scratch space to work with.
1011 // We do not have to worry about drops: `MaybeUninit` does nothing when dropped.
1012 let mut tmp = MaybeUninit::<T>::uninit();
1013
1014 // Perform the swap
1015 // SAFETY: the caller must guarantee that `x` and `y` are
1016 // valid for writes and properly aligned. `tmp` cannot be
1017 // overlapping either `x` or `y` because `tmp` was just allocated
1018 // on the stack as a separate allocated object.
1019 unsafe {
1020 copy_nonoverlapping(x, tmp.as_mut_ptr(), 1);
1021 copy(y, x, 1); // `x` and `y` may overlap
1022 copy_nonoverlapping(tmp.as_ptr(), y, 1);
1023 }
1024}
1025
1026/// Swaps `count * size_of::<T>()` bytes between the two regions of memory
1027/// beginning at `x` and `y`. The two regions must *not* overlap.
1028///
1029/// The operation is "untyped" in the sense that data may be uninitialized or otherwise violate the
1030/// requirements of `T`. The initialization state is preserved exactly.
1031///
1032/// # Safety
1033///
1034/// Behavior is undefined if any of the following conditions are violated:
1035///
1036/// * Both `x` and `y` must be [valid] for both reads and writes of `count *
1037/// size_of::<T>()` bytes.
1038///
1039/// * Both `x` and `y` must be properly aligned.
1040///
1041/// * The region of memory beginning at `x` with a size of `count *
1042/// size_of::<T>()` bytes must *not* overlap with the region of memory
1043/// beginning at `y` with the same size.
1044///
1045/// Note that even if the effectively copied size (`count * size_of::<T>()`) is `0`,
1046/// the pointers must be properly aligned.
1047///
1048/// [valid]: self#safety
1049///
1050/// # Examples
1051///
1052/// Basic usage:
1053///
1054/// ```
1055/// use std::ptr;
1056///
1057/// let mut x = [1, 2, 3, 4];
1058/// let mut y = [7, 8, 9];
1059///
1060/// unsafe {
1061/// ptr::swap_nonoverlapping(x.as_mut_ptr(), y.as_mut_ptr(), 2);
1062/// }
1063///
1064/// assert_eq!(x, [7, 8, 3, 4]);
1065/// assert_eq!(y, [1, 2, 9]);
1066/// ```
1067#[inline]
1068#[stable(feature = "swap_nonoverlapping", since = "1.27.0")]
1069#[rustc_const_unstable(feature = "const_swap_nonoverlapping", issue = "133668")]
1070#[rustc_diagnostic_item = "ptr_swap_nonoverlapping"]
1071pub const unsafe fn swap_nonoverlapping<T>(x: *mut T, y: *mut T, count: usize) {
1072 ub_checks::assert_unsafe_precondition!(
1073 check_library_ub,
1074 "ptr::swap_nonoverlapping requires that both pointer arguments are aligned and non-null \
1075 and the specified memory ranges do not overlap",
1076 (
1077 x: *mut () = x as *mut (),
1078 y: *mut () = y as *mut (),
1079 size: usize = size_of::<T>(),
1080 align: usize = align_of::<T>(),
1081 count: usize = count,
1082 ) => {
1083 let zero_size = size == 0 || count == 0;
1084 ub_checks::maybe_is_aligned_and_not_null(x, align, zero_size)
1085 && ub_checks::maybe_is_aligned_and_not_null(y, align, zero_size)
1086 && ub_checks::maybe_is_nonoverlapping(x, y, size, count)
1087 }
1088 );
1089
1090 const_eval_select!(
1091 @capture[T] { x: *mut T, y: *mut T, count: usize }:
1092 if const {
1093 // At compile-time we want to always copy this in chunks of `T`, to ensure that if there
1094 // are pointers inside `T` we will copy them in one go rather than trying to copy a part
1095 // of a pointer (which would not work).
1096 // SAFETY: Same preconditions as this function
1097 unsafe { swap_nonoverlapping_simple_untyped(x, y, count) }
1098 } else {
1099 macro_rules! attempt_swap_as_chunks {
1100 ($ChunkTy:ty) => {
1101 if mem::align_of::<T>() >= mem::align_of::<$ChunkTy>()
1102 && mem::size_of::<T>() % mem::size_of::<$ChunkTy>() == 0
1103 {
1104 let x: *mut $ChunkTy = x.cast();
1105 let y: *mut $ChunkTy = y.cast();
1106 let count = count * (mem::size_of::<T>() / mem::size_of::<$ChunkTy>());
1107 // SAFETY: these are the same bytes that the caller promised were
1108 // ok, just typed as `MaybeUninit<ChunkTy>`s instead of as `T`s.
1109 // The `if` condition above ensures that we're not violating
1110 // alignment requirements, and that the division is exact so
1111 // that we don't lose any bytes off the end.
1112 return unsafe { swap_nonoverlapping_simple_untyped(x, y, count) };
1113 }
1114 };
1115 }
1116
1117 // Split up the slice into small power-of-two-sized chunks that LLVM is able
1118 // to vectorize (unless it's a special type with more-than-pointer alignment,
1119 // because we don't want to pessimize things like slices of SIMD vectors.)
1120 if mem::align_of::<T>() <= mem::size_of::<usize>()
1121 && (!mem::size_of::<T>().is_power_of_two()
1122 || mem::size_of::<T>() > mem::size_of::<usize>() * 2)
1123 {
1124 attempt_swap_as_chunks!(usize);
1125 attempt_swap_as_chunks!(u8);
1126 }
1127
1128 // SAFETY: Same preconditions as this function
1129 unsafe { swap_nonoverlapping_simple_untyped(x, y, count) }
1130 }
1131 )
1132}
1133
1134/// Same behavior and safety conditions as [`swap_nonoverlapping`]
1135///
1136/// LLVM can vectorize this (at least it can for the power-of-two-sized types
1137/// `swap_nonoverlapping` tries to use) so no need to manually SIMD it.
1138#[inline]
1139const unsafe fn swap_nonoverlapping_simple_untyped<T>(x: *mut T, y: *mut T, count: usize) {
1140 let x = x.cast::<MaybeUninit<T>>();
1141 let y = y.cast::<MaybeUninit<T>>();
1142 let mut i = 0;
1143 while i < count {
1144 // SAFETY: By precondition, `i` is in-bounds because it's below `n`
1145 let x = unsafe { x.add(i) };
1146 // SAFETY: By precondition, `i` is in-bounds because it's below `n`
1147 // and it's distinct from `x` since the ranges are non-overlapping
1148 let y = unsafe { y.add(i) };
1149
1150 // If we end up here, it's because we're using a simple type -- like
1151 // a small power-of-two-sized thing -- or a special type with particularly
1152 // large alignment, particularly SIMD types.
1153 // Thus, we're fine just reading-and-writing it, as either it's small
1154 // and that works well anyway or it's special and the type's author
1155 // presumably wanted things to be done in the larger chunk.
1156
1157 // SAFETY: we're only ever given pointers that are valid to read/write,
1158 // including being aligned, and nothing here panics so it's drop-safe.
1159 unsafe {
1160 let a: MaybeUninit<T> = read(x);
1161 let b: MaybeUninit<T> = read(y);
1162 write(x, b);
1163 write(y, a);
1164 }
1165
1166 i += 1;
1167 }
1168}
1169
1170/// Moves `src` into the pointed `dst`, returning the previous `dst` value.
1171///
1172/// Neither value is dropped.
1173///
1174/// This function is semantically equivalent to [`mem::replace`] except that it
1175/// operates on raw pointers instead of references. When references are
1176/// available, [`mem::replace`] should be preferred.
1177///
1178/// # Safety
1179///
1180/// Behavior is undefined if any of the following conditions are violated:
1181///
1182/// * `dst` must be [valid] for both reads and writes.
1183///
1184/// * `dst` must be properly aligned.
1185///
1186/// * `dst` must point to a properly initialized value of type `T`.
1187///
1188/// Note that even if `T` has size `0`, the pointer must be properly aligned.
1189///
1190/// [valid]: self#safety
1191///
1192/// # Examples
1193///
1194/// ```
1195/// use std::ptr;
1196///
1197/// let mut rust = vec!['b', 'u', 's', 't'];
1198///
1199/// // `mem::replace` would have the same effect without requiring the unsafe
1200/// // block.
1201/// let b = unsafe {
1202/// ptr::replace(&mut rust[0], 'r')
1203/// };
1204///
1205/// assert_eq!(b, 'b');
1206/// assert_eq!(rust, &['r', 'u', 's', 't']);
1207/// ```
1208#[inline]
1209#[stable(feature = "rust1", since = "1.0.0")]
1210#[rustc_const_stable(feature = "const_replace", since = "1.83.0")]
1211#[rustc_diagnostic_item = "ptr_replace"]
1212pub const unsafe fn replace<T>(dst: *mut T, src: T) -> T {
1213 // SAFETY: the caller must guarantee that `dst` is valid to be
1214 // cast to a mutable reference (valid for writes, aligned, initialized),
1215 // and cannot overlap `src` since `dst` must point to a distinct
1216 // allocated object.
1217 unsafe {
1218 ub_checks::assert_unsafe_precondition!(
1219 check_language_ub,
1220 "ptr::replace requires that the pointer argument is aligned and non-null",
1221 (
1222 addr: *const () = dst as *const (),
1223 align: usize = align_of::<T>(),
1224 is_zst: bool = T::IS_ZST,
1225 ) => ub_checks::maybe_is_aligned_and_not_null(addr, align, is_zst)
1226 );
1227 mem::replace(&mut *dst, src)
1228 }
1229}
1230
1231/// Reads the value from `src` without moving it. This leaves the
1232/// memory in `src` unchanged.
1233///
1234/// # Safety
1235///
1236/// Behavior is undefined if any of the following conditions are violated:
1237///
1238/// * `src` must be [valid] for reads.
1239///
1240/// * `src` must be properly aligned. Use [`read_unaligned`] if this is not the
1241/// case.
1242///
1243/// * `src` must point to a properly initialized value of type `T`.
1244///
1245/// Note that even if `T` has size `0`, the pointer must be properly aligned.
1246///
1247/// # Examples
1248///
1249/// Basic usage:
1250///
1251/// ```
1252/// let x = 12;
1253/// let y = &x as *const i32;
1254///
1255/// unsafe {
1256/// assert_eq!(std::ptr::read(y), 12);
1257/// }
1258/// ```
1259///
1260/// Manually implement [`mem::swap`]:
1261///
1262/// ```
1263/// use std::ptr;
1264///
1265/// fn swap<T>(a: &mut T, b: &mut T) {
1266/// unsafe {
1267/// // Create a bitwise copy of the value at `a` in `tmp`.
1268/// let tmp = ptr::read(a);
1269///
1270/// // Exiting at this point (either by explicitly returning or by
1271/// // calling a function which panics) would cause the value in `tmp` to
1272/// // be dropped while the same value is still referenced by `a`. This
1273/// // could trigger undefined behavior if `T` is not `Copy`.
1274///
1275/// // Create a bitwise copy of the value at `b` in `a`.
1276/// // This is safe because mutable references cannot alias.
1277/// ptr::copy_nonoverlapping(b, a, 1);
1278///
1279/// // As above, exiting here could trigger undefined behavior because
1280/// // the same value is referenced by `a` and `b`.
1281///
1282/// // Move `tmp` into `b`.
1283/// ptr::write(b, tmp);
1284///
1285/// // `tmp` has been moved (`write` takes ownership of its second argument),
1286/// // so nothing is dropped implicitly here.
1287/// }
1288/// }
1289///
1290/// let mut foo = "foo".to_owned();
1291/// let mut bar = "bar".to_owned();
1292///
1293/// swap(&mut foo, &mut bar);
1294///
1295/// assert_eq!(foo, "bar");
1296/// assert_eq!(bar, "foo");
1297/// ```
1298///
1299/// ## Ownership of the Returned Value
1300///
1301/// `read` creates a bitwise copy of `T`, regardless of whether `T` is [`Copy`].
1302/// If `T` is not [`Copy`], using both the returned value and the value at
1303/// `*src` can violate memory safety. Note that assigning to `*src` counts as a
1304/// use because it will attempt to drop the value at `*src`.
1305///
1306/// [`write()`] can be used to overwrite data without causing it to be dropped.
1307///
1308/// ```
1309/// use std::ptr;
1310///
1311/// let mut s = String::from("foo");
1312/// unsafe {
1313/// // `s2` now points to the same underlying memory as `s`.
1314/// let mut s2: String = ptr::read(&s);
1315///
1316/// assert_eq!(s2, "foo");
1317///
1318/// // Assigning to `s2` causes its original value to be dropped. Beyond
1319/// // this point, `s` must no longer be used, as the underlying memory has
1320/// // been freed.
1321/// s2 = String::default();
1322/// assert_eq!(s2, "");
1323///
1324/// // Assigning to `s` would cause the old value to be dropped again,
1325/// // resulting in undefined behavior.
1326/// // s = String::from("bar"); // ERROR
1327///
1328/// // `ptr::write` can be used to overwrite a value without dropping it.
1329/// ptr::write(&mut s, String::from("bar"));
1330/// }
1331///
1332/// assert_eq!(s, "bar");
1333/// ```
1334///
1335/// [valid]: self#safety
1336#[inline]
1337#[stable(feature = "rust1", since = "1.0.0")]
1338#[rustc_const_stable(feature = "const_ptr_read", since = "1.71.0")]
1339#[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
1340#[rustc_diagnostic_item = "ptr_read"]
1341pub const unsafe fn read<T>(src: *const T) -> T {
1342 // It would be semantically correct to implement this via `copy_nonoverlapping`
1343 // and `MaybeUninit`, as was done before PR #109035. Calling `assume_init`
1344 // provides enough information to know that this is a typed operation.
1345
1346 // However, as of March 2023 the compiler was not capable of taking advantage
1347 // of that information. Thus, the implementation here switched to an intrinsic,
1348 // which lowers to `_0 = *src` in MIR, to address a few issues:
1349 //
1350 // - Using `MaybeUninit::assume_init` after a `copy_nonoverlapping` was not
1351 // turning the untyped copy into a typed load. As such, the generated
1352 // `load` in LLVM didn't get various metadata, such as `!range` (#73258),
1353 // `!nonnull`, and `!noundef`, resulting in poorer optimization.
1354 // - Going through the extra local resulted in multiple extra copies, even
1355 // in optimized MIR. (Ignoring StorageLive/Dead, the intrinsic is one
1356 // MIR statement, while the previous implementation was eight.) LLVM
1357 // could sometimes optimize them away, but because `read` is at the core
1358 // of so many things, not having them in the first place improves what we
1359 // hand off to the backend. For example, `mem::replace::<Big>` previously
1360 // emitted 4 `alloca` and 6 `memcpy`s, but is now 1 `alloc` and 3 `memcpy`s.
1361 // - In general, this approach keeps us from getting any more bugs (like
1362 // #106369) that boil down to "`read(p)` is worse than `*p`", as this
1363 // makes them look identical to the backend (or other MIR consumers).
1364 //
1365 // Future enhancements to MIR optimizations might well allow this to return
1366 // to the previous implementation, rather than using an intrinsic.
1367
1368 // SAFETY: the caller must guarantee that `src` is valid for reads.
1369 unsafe {
1370 #[cfg(debug_assertions)] // Too expensive to always enable (for now?)
1371 ub_checks::assert_unsafe_precondition!(
1372 check_language_ub,
1373 "ptr::read requires that the pointer argument is aligned and non-null",
1374 (
1375 addr: *const () = src as *const (),
1376 align: usize = align_of::<T>(),
1377 is_zst: bool = T::IS_ZST,
1378 ) => ub_checks::maybe_is_aligned_and_not_null(addr, align, is_zst)
1379 );
1380 crate::intrinsics::read_via_copy(src)
1381 }
1382}
1383
1384/// Reads the value from `src` without moving it. This leaves the
1385/// memory in `src` unchanged.
1386///
1387/// Unlike [`read`], `read_unaligned` works with unaligned pointers.
1388///
1389/// # Safety
1390///
1391/// Behavior is undefined if any of the following conditions are violated:
1392///
1393/// * `src` must be [valid] for reads.
1394///
1395/// * `src` must point to a properly initialized value of type `T`.
1396///
1397/// Like [`read`], `read_unaligned` creates a bitwise copy of `T`, regardless of
1398/// whether `T` is [`Copy`]. If `T` is not [`Copy`], using both the returned
1399/// value and the value at `*src` can [violate memory safety][read-ownership].
1400///
1401/// [read-ownership]: read#ownership-of-the-returned-value
1402/// [valid]: self#safety
1403///
1404/// ## On `packed` structs
1405///
1406/// Attempting to create a raw pointer to an `unaligned` struct field with
1407/// an expression such as `&packed.unaligned as *const FieldType` creates an
1408/// intermediate unaligned reference before converting that to a raw pointer.
1409/// That this reference is temporary and immediately cast is inconsequential
1410/// as the compiler always expects references to be properly aligned.
1411/// As a result, using `&packed.unaligned as *const FieldType` causes immediate
1412/// *undefined behavior* in your program.
1413///
1414/// Instead you must use the `&raw const` syntax to create the pointer.
1415/// You may use that constructed pointer together with this function.
1416///
1417/// An example of what not to do and how this relates to `read_unaligned` is:
1418///
1419/// ```
1420/// #[repr(packed, C)]
1421/// struct Packed {
1422/// _padding: u8,
1423/// unaligned: u32,
1424/// }
1425///
1426/// let packed = Packed {
1427/// _padding: 0x00,
1428/// unaligned: 0x01020304,
1429/// };
1430///
1431/// // Take the address of a 32-bit integer which is not aligned.
1432/// // In contrast to `&packed.unaligned as *const _`, this has no undefined behavior.
1433/// let unaligned = &raw const packed.unaligned;
1434///
1435/// let v = unsafe { std::ptr::read_unaligned(unaligned) };
1436/// assert_eq!(v, 0x01020304);
1437/// ```
1438///
1439/// Accessing unaligned fields directly with e.g. `packed.unaligned` is safe however.
1440///
1441/// # Examples
1442///
1443/// Read a `usize` value from a byte buffer:
1444///
1445/// ```
1446/// use std::mem;
1447///
1448/// fn read_usize(x: &[u8]) -> usize {
1449/// assert!(x.len() >= mem::size_of::<usize>());
1450///
1451/// let ptr = x.as_ptr() as *const usize;
1452///
1453/// unsafe { ptr.read_unaligned() }
1454/// }
1455/// ```
1456#[inline]
1457#[stable(feature = "ptr_unaligned", since = "1.17.0")]
1458#[rustc_const_stable(feature = "const_ptr_read", since = "1.71.0")]
1459#[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
1460#[rustc_diagnostic_item = "ptr_read_unaligned"]
1461pub const unsafe fn read_unaligned<T>(src: *const T) -> T {
1462 let mut tmp = MaybeUninit::<T>::uninit();
1463 // SAFETY: the caller must guarantee that `src` is valid for reads.
1464 // `src` cannot overlap `tmp` because `tmp` was just allocated on
1465 // the stack as a separate allocated object.
1466 //
1467 // Also, since we just wrote a valid value into `tmp`, it is guaranteed
1468 // to be properly initialized.
1469 unsafe {
1470 copy_nonoverlapping(src as *const u8, tmp.as_mut_ptr() as *mut u8, mem::size_of::<T>());
1471 tmp.assume_init()
1472 }
1473}
1474
1475/// Overwrites a memory location with the given value without reading or
1476/// dropping the old value.
1477///
1478/// `write` does not drop the contents of `dst`. This is safe, but it could leak
1479/// allocations or resources, so care should be taken not to overwrite an object
1480/// that should be dropped.
1481///
1482/// Additionally, it does not drop `src`. Semantically, `src` is moved into the
1483/// location pointed to by `dst`.
1484///
1485/// This is appropriate for initializing uninitialized memory, or overwriting
1486/// memory that has previously been [`read`] from.
1487///
1488/// # Safety
1489///
1490/// Behavior is undefined if any of the following conditions are violated:
1491///
1492/// * `dst` must be [valid] for writes.
1493///
1494/// * `dst` must be properly aligned. Use [`write_unaligned`] if this is not the
1495/// case.
1496///
1497/// Note that even if `T` has size `0`, the pointer must be properly aligned.
1498///
1499/// [valid]: self#safety
1500///
1501/// # Examples
1502///
1503/// Basic usage:
1504///
1505/// ```
1506/// let mut x = 0;
1507/// let y = &mut x as *mut i32;
1508/// let z = 12;
1509///
1510/// unsafe {
1511/// std::ptr::write(y, z);
1512/// assert_eq!(std::ptr::read(y), 12);
1513/// }
1514/// ```
1515///
1516/// Manually implement [`mem::swap`]:
1517///
1518/// ```
1519/// use std::ptr;
1520///
1521/// fn swap<T>(a: &mut T, b: &mut T) {
1522/// unsafe {
1523/// // Create a bitwise copy of the value at `a` in `tmp`.
1524/// let tmp = ptr::read(a);
1525///
1526/// // Exiting at this point (either by explicitly returning or by
1527/// // calling a function which panics) would cause the value in `tmp` to
1528/// // be dropped while the same value is still referenced by `a`. This
1529/// // could trigger undefined behavior if `T` is not `Copy`.
1530///
1531/// // Create a bitwise copy of the value at `b` in `a`.
1532/// // This is safe because mutable references cannot alias.
1533/// ptr::copy_nonoverlapping(b, a, 1);
1534///
1535/// // As above, exiting here could trigger undefined behavior because
1536/// // the same value is referenced by `a` and `b`.
1537///
1538/// // Move `tmp` into `b`.
1539/// ptr::write(b, tmp);
1540///
1541/// // `tmp` has been moved (`write` takes ownership of its second argument),
1542/// // so nothing is dropped implicitly here.
1543/// }
1544/// }
1545///
1546/// let mut foo = "foo".to_owned();
1547/// let mut bar = "bar".to_owned();
1548///
1549/// swap(&mut foo, &mut bar);
1550///
1551/// assert_eq!(foo, "bar");
1552/// assert_eq!(bar, "foo");
1553/// ```
1554#[inline]
1555#[stable(feature = "rust1", since = "1.0.0")]
1556#[rustc_const_stable(feature = "const_ptr_write", since = "1.83.0")]
1557#[rustc_diagnostic_item = "ptr_write"]
1558#[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
1559pub const unsafe fn write<T>(dst: *mut T, src: T) {
1560 // Semantically, it would be fine for this to be implemented as a
1561 // `copy_nonoverlapping` and appropriate drop suppression of `src`.
1562
1563 // However, implementing via that currently produces more MIR than is ideal.
1564 // Using an intrinsic keeps it down to just the simple `*dst = move src` in
1565 // MIR (11 statements shorter, at the time of writing), and also allows
1566 // `src` to stay an SSA value in codegen_ssa, rather than a memory one.
1567
1568 // SAFETY: the caller must guarantee that `dst` is valid for writes.
1569 // `dst` cannot overlap `src` because the caller has mutable access
1570 // to `dst` while `src` is owned by this function.
1571 unsafe {
1572 #[cfg(debug_assertions)] // Too expensive to always enable (for now?)
1573 ub_checks::assert_unsafe_precondition!(
1574 check_language_ub,
1575 "ptr::write requires that the pointer argument is aligned and non-null",
1576 (
1577 addr: *mut () = dst as *mut (),
1578 align: usize = align_of::<T>(),
1579 is_zst: bool = T::IS_ZST,
1580 ) => ub_checks::maybe_is_aligned_and_not_null(addr, align, is_zst)
1581 );
1582 intrinsics::write_via_move(dst, src)
1583 }
1584}
1585
1586/// Overwrites a memory location with the given value without reading or
1587/// dropping the old value.
1588///
1589/// Unlike [`write()`], the pointer may be unaligned.
1590///
1591/// `write_unaligned` does not drop the contents of `dst`. This is safe, but it
1592/// could leak allocations or resources, so care should be taken not to overwrite
1593/// an object that should be dropped.
1594///
1595/// Additionally, it does not drop `src`. Semantically, `src` is moved into the
1596/// location pointed to by `dst`.
1597///
1598/// This is appropriate for initializing uninitialized memory, or overwriting
1599/// memory that has previously been read with [`read_unaligned`].
1600///
1601/// # Safety
1602///
1603/// Behavior is undefined if any of the following conditions are violated:
1604///
1605/// * `dst` must be [valid] for writes.
1606///
1607/// [valid]: self#safety
1608///
1609/// ## On `packed` structs
1610///
1611/// Attempting to create a raw pointer to an `unaligned` struct field with
1612/// an expression such as `&packed.unaligned as *const FieldType` creates an
1613/// intermediate unaligned reference before converting that to a raw pointer.
1614/// That this reference is temporary and immediately cast is inconsequential
1615/// as the compiler always expects references to be properly aligned.
1616/// As a result, using `&packed.unaligned as *const FieldType` causes immediate
1617/// *undefined behavior* in your program.
1618///
1619/// Instead, you must use the `&raw mut` syntax to create the pointer.
1620/// You may use that constructed pointer together with this function.
1621///
1622/// An example of how to do it and how this relates to `write_unaligned` is:
1623///
1624/// ```
1625/// #[repr(packed, C)]
1626/// struct Packed {
1627/// _padding: u8,
1628/// unaligned: u32,
1629/// }
1630///
1631/// let mut packed: Packed = unsafe { std::mem::zeroed() };
1632///
1633/// // Take the address of a 32-bit integer which is not aligned.
1634/// // In contrast to `&packed.unaligned as *mut _`, this has no undefined behavior.
1635/// let unaligned = &raw mut packed.unaligned;
1636///
1637/// unsafe { std::ptr::write_unaligned(unaligned, 42) };
1638///
1639/// assert_eq!({packed.unaligned}, 42); // `{...}` forces copying the field instead of creating a reference.
1640/// ```
1641///
1642/// Accessing unaligned fields directly with e.g. `packed.unaligned` is safe however
1643/// (as can be seen in the `assert_eq!` above).
1644///
1645/// # Examples
1646///
1647/// Write a `usize` value to a byte buffer:
1648///
1649/// ```
1650/// use std::mem;
1651///
1652/// fn write_usize(x: &mut [u8], val: usize) {
1653/// assert!(x.len() >= mem::size_of::<usize>());
1654///
1655/// let ptr = x.as_mut_ptr() as *mut usize;
1656///
1657/// unsafe { ptr.write_unaligned(val) }
1658/// }
1659/// ```
1660#[inline]
1661#[stable(feature = "ptr_unaligned", since = "1.17.0")]
1662#[rustc_const_stable(feature = "const_ptr_write", since = "1.83.0")]
1663#[rustc_diagnostic_item = "ptr_write_unaligned"]
1664#[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
1665pub const unsafe fn write_unaligned<T>(dst: *mut T, src: T) {
1666 // SAFETY: the caller must guarantee that `dst` is valid for writes.
1667 // `dst` cannot overlap `src` because the caller has mutable access
1668 // to `dst` while `src` is owned by this function.
1669 unsafe {
1670 copy_nonoverlapping((&raw const src) as *const u8, dst as *mut u8, mem::size_of::<T>());
1671 // We are calling the intrinsic directly to avoid function calls in the generated code.
1672 intrinsics::forget(src);
1673 }
1674}
1675
1676/// Performs a volatile read of the value from `src` without moving it. This
1677/// leaves the memory in `src` unchanged.
1678///
1679/// Volatile operations are intended to act on I/O memory, and are guaranteed
1680/// to not be elided or reordered by the compiler across other volatile
1681/// operations.
1682///
1683/// # Notes
1684///
1685/// Rust does not currently have a rigorously and formally defined memory model,
1686/// so the precise semantics of what "volatile" means here is subject to change
1687/// over time. That being said, the semantics will almost always end up pretty
1688/// similar to [C11's definition of volatile][c11].
1689///
1690/// The compiler shouldn't change the relative order or number of volatile
1691/// memory operations. However, volatile memory operations on zero-sized types
1692/// (e.g., if a zero-sized type is passed to `read_volatile`) are noops
1693/// and may be ignored.
1694///
1695/// [c11]: http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1570.pdf
1696///
1697/// # Safety
1698///
1699/// Behavior is undefined if any of the following conditions are violated:
1700///
1701/// * `src` must be [valid] for reads.
1702///
1703/// * `src` must be properly aligned.
1704///
1705/// * `src` must point to a properly initialized value of type `T`.
1706///
1707/// Like [`read`], `read_volatile` creates a bitwise copy of `T`, regardless of
1708/// whether `T` is [`Copy`]. If `T` is not [`Copy`], using both the returned
1709/// value and the value at `*src` can [violate memory safety][read-ownership].
1710/// However, storing non-[`Copy`] types in volatile memory is almost certainly
1711/// incorrect.
1712///
1713/// Note that even if `T` has size `0`, the pointer must be properly aligned.
1714///
1715/// [valid]: self#safety
1716/// [read-ownership]: read#ownership-of-the-returned-value
1717///
1718/// Just like in C, whether an operation is volatile has no bearing whatsoever
1719/// on questions involving concurrent access from multiple threads. Volatile
1720/// accesses behave exactly like non-atomic accesses in that regard. In particular,
1721/// a race between a `read_volatile` and any write operation to the same location
1722/// is undefined behavior.
1723///
1724/// # Examples
1725///
1726/// Basic usage:
1727///
1728/// ```
1729/// let x = 12;
1730/// let y = &x as *const i32;
1731///
1732/// unsafe {
1733/// assert_eq!(std::ptr::read_volatile(y), 12);
1734/// }
1735/// ```
1736#[inline]
1737#[stable(feature = "volatile", since = "1.9.0")]
1738#[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
1739#[rustc_diagnostic_item = "ptr_read_volatile"]
1740pub unsafe fn read_volatile<T>(src: *const T) -> T {
1741 // SAFETY: the caller must uphold the safety contract for `volatile_load`.
1742 unsafe {
1743 ub_checks::assert_unsafe_precondition!(
1744 check_language_ub,
1745 "ptr::read_volatile requires that the pointer argument is aligned and non-null",
1746 (
1747 addr: *const () = src as *const (),
1748 align: usize = align_of::<T>(),
1749 is_zst: bool = T::IS_ZST,
1750 ) => ub_checks::maybe_is_aligned_and_not_null(addr, align, is_zst)
1751 );
1752 intrinsics::volatile_load(src)
1753 }
1754}
1755
1756/// Performs a volatile write of a memory location with the given value without
1757/// reading or dropping the old value.
1758///
1759/// Volatile operations are intended to act on I/O memory, and are guaranteed
1760/// to not be elided or reordered by the compiler across other volatile
1761/// operations.
1762///
1763/// `write_volatile` does not drop the contents of `dst`. This is safe, but it
1764/// could leak allocations or resources, so care should be taken not to overwrite
1765/// an object that should be dropped.
1766///
1767/// Additionally, it does not drop `src`. Semantically, `src` is moved into the
1768/// location pointed to by `dst`.
1769///
1770/// # Notes
1771///
1772/// Rust does not currently have a rigorously and formally defined memory model,
1773/// so the precise semantics of what "volatile" means here is subject to change
1774/// over time. That being said, the semantics will almost always end up pretty
1775/// similar to [C11's definition of volatile][c11].
1776///
1777/// The compiler shouldn't change the relative order or number of volatile
1778/// memory operations. However, volatile memory operations on zero-sized types
1779/// (e.g., if a zero-sized type is passed to `write_volatile`) are noops
1780/// and may be ignored.
1781///
1782/// [c11]: http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1570.pdf
1783///
1784/// # Safety
1785///
1786/// Behavior is undefined if any of the following conditions are violated:
1787///
1788/// * `dst` must be [valid] for writes.
1789///
1790/// * `dst` must be properly aligned.
1791///
1792/// Note that even if `T` has size `0`, the pointer must be properly aligned.
1793///
1794/// [valid]: self#safety
1795///
1796/// Just like in C, whether an operation is volatile has no bearing whatsoever
1797/// on questions involving concurrent access from multiple threads. Volatile
1798/// accesses behave exactly like non-atomic accesses in that regard. In particular,
1799/// a race between a `write_volatile` and any other operation (reading or writing)
1800/// on the same location is undefined behavior.
1801///
1802/// # Examples
1803///
1804/// Basic usage:
1805///
1806/// ```
1807/// let mut x = 0;
1808/// let y = &mut x as *mut i32;
1809/// let z = 12;
1810///
1811/// unsafe {
1812/// std::ptr::write_volatile(y, z);
1813/// assert_eq!(std::ptr::read_volatile(y), 12);
1814/// }
1815/// ```
1816#[inline]
1817#[stable(feature = "volatile", since = "1.9.0")]
1818#[rustc_diagnostic_item = "ptr_write_volatile"]
1819#[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
1820pub unsafe fn write_volatile<T>(dst: *mut T, src: T) {
1821 // SAFETY: the caller must uphold the safety contract for `volatile_store`.
1822 unsafe {
1823 ub_checks::assert_unsafe_precondition!(
1824 check_language_ub,
1825 "ptr::write_volatile requires that the pointer argument is aligned and non-null",
1826 (
1827 addr: *mut () = dst as *mut (),
1828 align: usize = align_of::<T>(),
1829 is_zst: bool = T::IS_ZST,
1830 ) => ub_checks::maybe_is_aligned_and_not_null(addr, align, is_zst)
1831 );
1832 intrinsics::volatile_store(dst, src);
1833 }
1834}
1835
1836/// Align pointer `p`.
1837///
1838/// Calculate offset (in terms of elements of `size_of::<T>()` stride) that has to be applied
1839/// to pointer `p` so that pointer `p` would get aligned to `a`.
1840///
1841/// # Safety
1842/// `a` must be a power of two.
1843///
1844/// # Notes
1845/// This implementation has been carefully tailored to not panic. It is UB for this to panic.
1846/// The only real change that can be made here is change of `INV_TABLE_MOD_16` and associated
1847/// constants.
1848///
1849/// If we ever decide to make it possible to call the intrinsic with `a` that is not a
1850/// power-of-two, it will probably be more prudent to just change to a naive implementation rather
1851/// than trying to adapt this to accommodate that change.
1852///
1853/// Any questions go to @nagisa.
1854#[allow(ptr_to_integer_transmute_in_consts)]
1855pub(crate) unsafe fn align_offset<T: Sized>(p: *const T, a: usize) -> usize {
1856 // FIXME(#75598): Direct use of these intrinsics improves codegen significantly at opt-level <=
1857 // 1, where the method versions of these operations are not inlined.
1858 use intrinsics::{
1859 assume, cttz_nonzero, exact_div, mul_with_overflow, unchecked_rem, unchecked_shl,
1860 unchecked_shr, unchecked_sub, wrapping_add, wrapping_mul, wrapping_sub,
1861 };
1862
1863 /// Calculate multiplicative modular inverse of `x` modulo `m`.
1864 ///
1865 /// This implementation is tailored for `align_offset` and has following preconditions:
1866 ///
1867 /// * `m` is a power-of-two;
1868 /// * `x < m`; (if `x ≥ m`, pass in `x % m` instead)
1869 ///
1870 /// Implementation of this function shall not panic. Ever.
1871 #[inline]
1872 const unsafe fn mod_inv(x: usize, m: usize) -> usize {
1873 /// Multiplicative modular inverse table modulo 2⁴ = 16.
1874 ///
1875 /// Note, that this table does not contain values where inverse does not exist (i.e., for
1876 /// `0⁻¹ mod 16`, `2⁻¹ mod 16`, etc.)
1877 const INV_TABLE_MOD_16: [u8; 8] = [1, 11, 13, 7, 9, 3, 5, 15];
1878 /// Modulo for which the `INV_TABLE_MOD_16` is intended.
1879 const INV_TABLE_MOD: usize = 16;
1880
1881 // SAFETY: `m` is required to be a power-of-two, hence non-zero.
1882 let m_minus_one = unsafe { unchecked_sub(m, 1) };
1883 let mut inverse = INV_TABLE_MOD_16[(x & (INV_TABLE_MOD - 1)) >> 1] as usize;
1884 let mut mod_gate = INV_TABLE_MOD;
1885 // We iterate "up" using the following formula:
1886 //
1887 // $$ xy ≡ 1 (mod 2ⁿ) → xy (2 - xy) ≡ 1 (mod 2²ⁿ) $$
1888 //
1889 // This application needs to be applied at least until `2²ⁿ ≥ m`, at which point we can
1890 // finally reduce the computation to our desired `m` by taking `inverse mod m`.
1891 //
1892 // This computation is `O(log log m)`, which is to say, that on 64-bit machines this loop
1893 // will always finish in at most 4 iterations.
1894 loop {
1895 // y = y * (2 - xy) mod n
1896 //
1897 // Note, that we use wrapping operations here intentionally – the original formula
1898 // uses e.g., subtraction `mod n`. It is entirely fine to do them `mod
1899 // usize::MAX` instead, because we take the result `mod n` at the end
1900 // anyway.
1901 if mod_gate >= m {
1902 break;
1903 }
1904 inverse = wrapping_mul(inverse, wrapping_sub(2usize, wrapping_mul(x, inverse)));
1905 let (new_gate, overflow) = mul_with_overflow(mod_gate, mod_gate);
1906 if overflow {
1907 break;
1908 }
1909 mod_gate = new_gate;
1910 }
1911 inverse & m_minus_one
1912 }
1913
1914 let stride = mem::size_of::<T>();
1915
1916 let addr: usize = p.addr();
1917
1918 // SAFETY: `a` is a power-of-two, therefore non-zero.
1919 let a_minus_one = unsafe { unchecked_sub(a, 1) };
1920
1921 if stride == 0 {
1922 // SPECIAL_CASE: handle 0-sized types. No matter how many times we step, the address will
1923 // stay the same, so no offset will be able to align the pointer unless it is already
1924 // aligned. This branch _will_ be optimized out as `stride` is known at compile-time.
1925 let p_mod_a = addr & a_minus_one;
1926 return if p_mod_a == 0 { 0 } else { usize::MAX };
1927 }
1928
1929 // SAFETY: `stride == 0` case has been handled by the special case above.
1930 let a_mod_stride = unsafe { unchecked_rem(a, stride) };
1931 if a_mod_stride == 0 {
1932 // SPECIAL_CASE: In cases where the `a` is divisible by `stride`, byte offset to align a
1933 // pointer can be computed more simply through `-p (mod a)`. In the off-chance the byte
1934 // offset is not a multiple of `stride`, the input pointer was misaligned and no pointer
1935 // offset will be able to produce a `p` aligned to the specified `a`.
1936 //
1937 // The naive `-p (mod a)` equation inhibits LLVM's ability to select instructions
1938 // like `lea`. We compute `(round_up_to_next_alignment(p, a) - p)` instead. This
1939 // redistributes operations around the load-bearing, but pessimizing `and` instruction
1940 // sufficiently for LLVM to be able to utilize the various optimizations it knows about.
1941 //
1942 // LLVM handles the branch here particularly nicely. If this branch needs to be evaluated
1943 // at runtime, it will produce a mask `if addr_mod_stride == 0 { 0 } else { usize::MAX }`
1944 // in a branch-free way and then bitwise-OR it with whatever result the `-p mod a`
1945 // computation produces.
1946
1947 let aligned_address = wrapping_add(addr, a_minus_one) & wrapping_sub(0, a);
1948 let byte_offset = wrapping_sub(aligned_address, addr);
1949 // FIXME: Remove the assume after <https://github.com/llvm/llvm-project/issues/62502>
1950 // SAFETY: Masking by `-a` can only affect the low bits, and thus cannot have reduced
1951 // the value by more than `a-1`, so even though the intermediate values might have
1952 // wrapped, the byte_offset is always in `[0, a)`.
1953 unsafe { assume(byte_offset < a) };
1954
1955 // SAFETY: `stride == 0` case has been handled by the special case above.
1956 let addr_mod_stride = unsafe { unchecked_rem(addr, stride) };
1957
1958 return if addr_mod_stride == 0 {
1959 // SAFETY: `stride` is non-zero. This is guaranteed to divide exactly as well, because
1960 // addr has been verified to be aligned to the original type’s alignment requirements.
1961 unsafe { exact_div(byte_offset, stride) }
1962 } else {
1963 usize::MAX
1964 };
1965 }
1966
1967 // GENERAL_CASE: From here on we’re handling the very general case where `addr` may be
1968 // misaligned, there isn’t an obvious relationship between `stride` and `a` that we can take an
1969 // advantage of, etc. This case produces machine code that isn’t particularly high quality,
1970 // compared to the special cases above. The code produced here is still within the realm of
1971 // miracles, given the situations this case has to deal with.
1972
1973 // SAFETY: a is power-of-two hence non-zero. stride == 0 case is handled above.
1974 // FIXME(const-hack) replace with min
1975 let gcdpow = unsafe {
1976 let x = cttz_nonzero(stride);
1977 let y = cttz_nonzero(a);
1978 if x < y { x } else { y }
1979 };
1980 // SAFETY: gcdpow has an upper-bound that’s at most the number of bits in a `usize`.
1981 let gcd = unsafe { unchecked_shl(1usize, gcdpow) };
1982 // SAFETY: gcd is always greater or equal to 1.
1983 if addr & unsafe { unchecked_sub(gcd, 1) } == 0 {
1984 // This branch solves for the following linear congruence equation:
1985 //
1986 // ` p + so = 0 mod a `
1987 //
1988 // `p` here is the pointer value, `s` - stride of `T`, `o` offset in `T`s, and `a` - the
1989 // requested alignment.
1990 //
1991 // With `g = gcd(a, s)`, and the above condition asserting that `p` is also divisible by
1992 // `g`, we can denote `a' = a/g`, `s' = s/g`, `p' = p/g`, then this becomes equivalent to:
1993 //
1994 // ` p' + s'o = 0 mod a' `
1995 // ` o = (a' - (p' mod a')) * (s'^-1 mod a') `
1996 //
1997 // The first term is "the relative alignment of `p` to `a`" (divided by the `g`), the
1998 // second term is "how does incrementing `p` by `s` bytes change the relative alignment of
1999 // `p`" (again divided by `g`). Division by `g` is necessary to make the inverse well
2000 // formed if `a` and `s` are not co-prime.
2001 //
2002 // Furthermore, the result produced by this solution is not "minimal", so it is necessary
2003 // to take the result `o mod lcm(s, a)`. This `lcm(s, a)` is the same as `a'`.
2004
2005 // SAFETY: `gcdpow` has an upper-bound not greater than the number of trailing 0-bits in
2006 // `a`.
2007 let a2 = unsafe { unchecked_shr(a, gcdpow) };
2008 // SAFETY: `a2` is non-zero. Shifting `a` by `gcdpow` cannot shift out any of the set bits
2009 // in `a` (of which it has exactly one).
2010 let a2minus1 = unsafe { unchecked_sub(a2, 1) };
2011 // SAFETY: `gcdpow` has an upper-bound not greater than the number of trailing 0-bits in
2012 // `a`.
2013 let s2 = unsafe { unchecked_shr(stride & a_minus_one, gcdpow) };
2014 // SAFETY: `gcdpow` has an upper-bound not greater than the number of trailing 0-bits in
2015 // `a`. Furthermore, the subtraction cannot overflow, because `a2 = a >> gcdpow` will
2016 // always be strictly greater than `(p % a) >> gcdpow`.
2017 let minusp2 = unsafe { unchecked_sub(a2, unchecked_shr(addr & a_minus_one, gcdpow)) };
2018 // SAFETY: `a2` is a power-of-two, as proven above. `s2` is strictly less than `a2`
2019 // because `(s % a) >> gcdpow` is strictly less than `a >> gcdpow`.
2020 return wrapping_mul(minusp2, unsafe { mod_inv(s2, a2) }) & a2minus1;
2021 }
2022
2023 // Cannot be aligned at all.
2024 usize::MAX
2025}
2026
2027/// Compares raw pointers for equality.
2028///
2029/// This is the same as using the `==` operator, but less generic:
2030/// the arguments have to be `*const T` raw pointers,
2031/// not anything that implements `PartialEq`.
2032///
2033/// This can be used to compare `&T` references (which coerce to `*const T` implicitly)
2034/// by their address rather than comparing the values they point to
2035/// (which is what the `PartialEq for &T` implementation does).
2036///
2037/// When comparing wide pointers, both the address and the metadata are tested for equality.
2038/// However, note that comparing trait object pointers (`*const dyn Trait`) is unreliable: pointers
2039/// to values of the same underlying type can compare inequal (because vtables are duplicated in
2040/// multiple codegen units), and pointers to values of *different* underlying type can compare equal
2041/// (since identical vtables can be deduplicated within a codegen unit).
2042///
2043/// # Examples
2044///
2045/// ```
2046/// use std::ptr;
2047///
2048/// let five = 5;
2049/// let other_five = 5;
2050/// let five_ref = &five;
2051/// let same_five_ref = &five;
2052/// let other_five_ref = &other_five;
2053///
2054/// assert!(five_ref == same_five_ref);
2055/// assert!(ptr::eq(five_ref, same_five_ref));
2056///
2057/// assert!(five_ref == other_five_ref);
2058/// assert!(!ptr::eq(five_ref, other_five_ref));
2059/// ```
2060///
2061/// Slices are also compared by their length (fat pointers):
2062///
2063/// ```
2064/// let a = [1, 2, 3];
2065/// assert!(std::ptr::eq(&a[..3], &a[..3]));
2066/// assert!(!std::ptr::eq(&a[..2], &a[..3]));
2067/// assert!(!std::ptr::eq(&a[0..2], &a[1..3]));
2068/// ```
2069#[stable(feature = "ptr_eq", since = "1.17.0")]
2070#[inline(always)]
2071#[must_use = "pointer comparison produces a value"]
2072#[rustc_diagnostic_item = "ptr_eq"]
2073#[allow(ambiguous_wide_pointer_comparisons)] // it's actually clear here
2074pub fn eq<T: ?Sized>(a: *const T, b: *const T) -> bool {
2075 a == b
2076}
2077
2078/// Compares the *addresses* of the two pointers for equality,
2079/// ignoring any metadata in fat pointers.
2080///
2081/// If the arguments are thin pointers of the same type,
2082/// then this is the same as [`eq`].
2083///
2084/// # Examples
2085///
2086/// ```
2087/// use std::ptr;
2088///
2089/// let whole: &[i32; 3] = &[1, 2, 3];
2090/// let first: &i32 = &whole[0];
2091///
2092/// assert!(ptr::addr_eq(whole, first));
2093/// assert!(!ptr::eq::<dyn std::fmt::Debug>(whole, first));
2094/// ```
2095#[stable(feature = "ptr_addr_eq", since = "1.76.0")]
2096#[inline(always)]
2097#[must_use = "pointer comparison produces a value"]
2098pub fn addr_eq<T: ?Sized, U: ?Sized>(p: *const T, q: *const U) -> bool {
2099 (p as *const ()) == (q as *const ())
2100}
2101
2102/// Compares the *addresses* of the two function pointers for equality.
2103///
2104/// This is the same as `f == g`, but using this function makes clear that the potentially
2105/// surprising semantics of function pointer comparison are involved.
2106///
2107/// There are **very few guarantees** about how functions are compiled and they have no intrinsic
2108/// “identity”; in particular, this comparison:
2109///
2110/// * May return `true` unexpectedly, in cases where functions are equivalent.
2111///
2112/// For example, the following program is likely (but not guaranteed) to print `(true, true)`
2113/// when compiled with optimization:
2114///
2115/// ```
2116/// let f: fn(i32) -> i32 = |x| x;
2117/// let g: fn(i32) -> i32 = |x| x + 0; // different closure, different body
2118/// let h: fn(u32) -> u32 = |x| x + 0; // different signature too
2119/// dbg!(std::ptr::fn_addr_eq(f, g), std::ptr::fn_addr_eq(f, h)); // not guaranteed to be equal
2120/// ```
2121///
2122/// * May return `false` in any case.
2123///
2124/// This is particularly likely with generic functions but may happen with any function.
2125/// (From an implementation perspective, this is possible because functions may sometimes be
2126/// processed more than once by the compiler, resulting in duplicate machine code.)
2127///
2128/// Despite these false positives and false negatives, this comparison can still be useful.
2129/// Specifically, if
2130///
2131/// * `T` is the same type as `U`, `T` is a [subtype] of `U`, or `U` is a [subtype] of `T`, and
2132/// * `ptr::fn_addr_eq(f, g)` returns true,
2133///
2134/// then calling `f` and calling `g` will be equivalent.
2135///
2136///
2137/// # Examples
2138///
2139/// ```
2140/// use std::ptr;
2141///
2142/// fn a() { println!("a"); }
2143/// fn b() { println!("b"); }
2144/// assert!(!ptr::fn_addr_eq(a as fn(), b as fn()));
2145/// ```
2146///
2147/// [subtype]: https://doc.rust-lang.org/reference/subtyping.html
2148#[stable(feature = "ptr_fn_addr_eq", since = "1.85.0")]
2149#[inline(always)]
2150#[must_use = "function pointer comparison produces a value"]
2151pub fn fn_addr_eq<T: FnPtr, U: FnPtr>(f: T, g: U) -> bool {
2152 f.addr() == g.addr()
2153}
2154
2155/// Hash a raw pointer.
2156///
2157/// This can be used to hash a `&T` reference (which coerces to `*const T` implicitly)
2158/// by its address rather than the value it points to
2159/// (which is what the `Hash for &T` implementation does).
2160///
2161/// # Examples
2162///
2163/// ```
2164/// use std::hash::{DefaultHasher, Hash, Hasher};
2165/// use std::ptr;
2166///
2167/// let five = 5;
2168/// let five_ref = &five;
2169///
2170/// let mut hasher = DefaultHasher::new();
2171/// ptr::hash(five_ref, &mut hasher);
2172/// let actual = hasher.finish();
2173///
2174/// let mut hasher = DefaultHasher::new();
2175/// (five_ref as *const i32).hash(&mut hasher);
2176/// let expected = hasher.finish();
2177///
2178/// assert_eq!(actual, expected);
2179/// ```
2180#[stable(feature = "ptr_hash", since = "1.35.0")]
2181pub fn hash<T: ?Sized, S: hash::Hasher>(hashee: *const T, into: &mut S) {
2182 use crate::hash::Hash;
2183 hashee.hash(into);
2184}
2185
2186#[stable(feature = "fnptr_impls", since = "1.4.0")]
2187impl<F: FnPtr> PartialEq for F {
2188 #[inline]
2189 fn eq(&self, other: &Self) -> bool {
2190 self.addr() == other.addr()
2191 }
2192}
2193#[stable(feature = "fnptr_impls", since = "1.4.0")]
2194impl<F: FnPtr> Eq for F {}
2195
2196#[stable(feature = "fnptr_impls", since = "1.4.0")]
2197impl<F: FnPtr> PartialOrd for F {
2198 #[inline]
2199 fn partial_cmp(&self, other: &Self) -> Option<Ordering> {
2200 self.addr().partial_cmp(&other.addr())
2201 }
2202}
2203#[stable(feature = "fnptr_impls", since = "1.4.0")]
2204impl<F: FnPtr> Ord for F {
2205 #[inline]
2206 fn cmp(&self, other: &Self) -> Ordering {
2207 self.addr().cmp(&other.addr())
2208 }
2209}
2210
2211#[stable(feature = "fnptr_impls", since = "1.4.0")]
2212impl<F: FnPtr> hash::Hash for F {
2213 fn hash<HH: hash::Hasher>(&self, state: &mut HH) {
2214 state.write_usize(self.addr() as _)
2215 }
2216}
2217
2218#[stable(feature = "fnptr_impls", since = "1.4.0")]
2219impl<F: FnPtr> fmt::Pointer for F {
2220 fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
2221 fmt::pointer_fmt_inner(self.addr() as _, f)
2222 }
2223}
2224
2225#[stable(feature = "fnptr_impls", since = "1.4.0")]
2226impl<F: FnPtr> fmt::Debug for F {
2227 fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
2228 fmt::pointer_fmt_inner(self.addr() as _, f)
2229 }
2230}
2231
2232/// Creates a `const` raw pointer to a place, without creating an intermediate reference.
2233///
2234/// `addr_of!(expr)` is equivalent to `&raw const expr`. The macro is *soft-deprecated*;
2235/// use `&raw const` instead.
2236///
2237/// It is still an open question under which conditions writing through an `addr_of!`-created
2238/// pointer is permitted. If the place `expr` evaluates to is based on a raw pointer, then the
2239/// result of `addr_of!` inherits all permissions from that raw pointer. However, if the place is
2240/// based on a reference, local variable, or `static`, then until all details are decided, the same
2241/// rules as for shared references apply: it is UB to write through a pointer created with this
2242/// operation, except for bytes located inside an `UnsafeCell`. Use `&raw mut` (or [`addr_of_mut`])
2243/// to create a raw pointer that definitely permits mutation.
2244///
2245/// Creating a reference with `&`/`&mut` is only allowed if the pointer is properly aligned
2246/// and points to initialized data. For cases where those requirements do not hold,
2247/// raw pointers should be used instead. However, `&expr as *const _` creates a reference
2248/// before casting it to a raw pointer, and that reference is subject to the same rules
2249/// as all other references. This macro can create a raw pointer *without* creating
2250/// a reference first.
2251///
2252/// See [`addr_of_mut`] for how to create a pointer to uninitialized data.
2253/// Doing that with `addr_of` would not make much sense since one could only
2254/// read the data, and that would be Undefined Behavior.
2255///
2256/// # Safety
2257///
2258/// The `expr` in `addr_of!(expr)` is evaluated as a place expression, but never loads from the
2259/// place or requires the place to be dereferenceable. This means that `addr_of!((*ptr).field)`
2260/// still requires the projection to `field` to be in-bounds, using the same rules as [`offset`].
2261/// However, `addr_of!(*ptr)` is defined behavior even if `ptr` is null, dangling, or misaligned.
2262///
2263/// Note that `Deref`/`Index` coercions (and their mutable counterparts) are applied inside
2264/// `addr_of!` like everywhere else, in which case a reference is created to call `Deref::deref` or
2265/// `Index::index`, respectively. The statements above only apply when no such coercions are
2266/// applied.
2267///
2268/// [`offset`]: pointer::offset
2269///
2270/// # Example
2271///
2272/// **Correct usage: Creating a pointer to unaligned data**
2273///
2274/// ```
2275/// use std::ptr;
2276///
2277/// #[repr(packed)]
2278/// struct Packed {
2279/// f1: u8,
2280/// f2: u16,
2281/// }
2282///
2283/// let packed = Packed { f1: 1, f2: 2 };
2284/// // `&packed.f2` would create an unaligned reference, and thus be Undefined Behavior!
2285/// let raw_f2 = ptr::addr_of!(packed.f2);
2286/// assert_eq!(unsafe { raw_f2.read_unaligned() }, 2);
2287/// ```
2288///
2289/// **Incorrect usage: Out-of-bounds fields projection**
2290///
2291/// ```rust,no_run
2292/// use std::ptr;
2293///
2294/// #[repr(C)]
2295/// struct MyStruct {
2296/// field1: i32,
2297/// field2: i32,
2298/// }
2299///
2300/// let ptr: *const MyStruct = ptr::null();
2301/// let fieldptr = unsafe { ptr::addr_of!((*ptr).field2) }; // Undefined Behavior ⚠️
2302/// ```
2303///
2304/// The field projection `.field2` would offset the pointer by 4 bytes,
2305/// but the pointer is not in-bounds of an allocation for 4 bytes,
2306/// so this offset is Undefined Behavior.
2307/// See the [`offset`] docs for a full list of requirements for inbounds pointer arithmetic; the
2308/// same requirements apply to field projections, even inside `addr_of!`. (In particular, it makes
2309/// no difference whether the pointer is null or dangling.)
2310#[stable(feature = "raw_ref_macros", since = "1.51.0")]
2311#[rustc_macro_transparency = "semitransparent"]
2312pub macro addr_of($place:expr) {
2313 &raw const $place
2314}
2315
2316/// Creates a `mut` raw pointer to a place, without creating an intermediate reference.
2317///
2318/// `addr_of_mut!(expr)` is equivalent to `&raw mut expr`. The macro is *soft-deprecated*;
2319/// use `&raw mut` instead.
2320///
2321/// Creating a reference with `&`/`&mut` is only allowed if the pointer is properly aligned
2322/// and points to initialized data. For cases where those requirements do not hold,
2323/// raw pointers should be used instead. However, `&mut expr as *mut _` creates a reference
2324/// before casting it to a raw pointer, and that reference is subject to the same rules
2325/// as all other references. This macro can create a raw pointer *without* creating
2326/// a reference first.
2327///
2328/// # Safety
2329///
2330/// The `expr` in `addr_of_mut!(expr)` is evaluated as a place expression, but never loads from the
2331/// place or requires the place to be dereferenceable. This means that `addr_of_mut!((*ptr).field)`
2332/// still requires the projection to `field` to be in-bounds, using the same rules as [`offset`].
2333/// However, `addr_of_mut!(*ptr)` is defined behavior even if `ptr` is null, dangling, or misaligned.
2334///
2335/// Note that `Deref`/`Index` coercions (and their mutable counterparts) are applied inside
2336/// `addr_of_mut!` like everywhere else, in which case a reference is created to call `Deref::deref`
2337/// or `Index::index`, respectively. The statements above only apply when no such coercions are
2338/// applied.
2339///
2340/// [`offset`]: pointer::offset
2341///
2342/// # Examples
2343///
2344/// **Correct usage: Creating a pointer to unaligned data**
2345///
2346/// ```
2347/// use std::ptr;
2348///
2349/// #[repr(packed)]
2350/// struct Packed {
2351/// f1: u8,
2352/// f2: u16,
2353/// }
2354///
2355/// let mut packed = Packed { f1: 1, f2: 2 };
2356/// // `&mut packed.f2` would create an unaligned reference, and thus be Undefined Behavior!
2357/// let raw_f2 = ptr::addr_of_mut!(packed.f2);
2358/// unsafe { raw_f2.write_unaligned(42); }
2359/// assert_eq!({packed.f2}, 42); // `{...}` forces copying the field instead of creating a reference.
2360/// ```
2361///
2362/// **Correct usage: Creating a pointer to uninitialized data**
2363///
2364/// ```rust
2365/// use std::{ptr, mem::MaybeUninit};
2366///
2367/// struct Demo {
2368/// field: bool,
2369/// }
2370///
2371/// let mut uninit = MaybeUninit::<Demo>::uninit();
2372/// // `&uninit.as_mut().field` would create a reference to an uninitialized `bool`,
2373/// // and thus be Undefined Behavior!
2374/// let f1_ptr = unsafe { ptr::addr_of_mut!((*uninit.as_mut_ptr()).field) };
2375/// unsafe { f1_ptr.write(true); }
2376/// let init = unsafe { uninit.assume_init() };
2377/// ```
2378///
2379/// **Incorrect usage: Out-of-bounds fields projection**
2380///
2381/// ```rust,no_run
2382/// use std::ptr;
2383///
2384/// #[repr(C)]
2385/// struct MyStruct {
2386/// field1: i32,
2387/// field2: i32,
2388/// }
2389///
2390/// let ptr: *mut MyStruct = ptr::null_mut();
2391/// let fieldptr = unsafe { ptr::addr_of_mut!((*ptr).field2) }; // Undefined Behavior ⚠️
2392/// ```
2393///
2394/// The field projection `.field2` would offset the pointer by 4 bytes,
2395/// but the pointer is not in-bounds of an allocation for 4 bytes,
2396/// so this offset is Undefined Behavior.
2397/// See the [`offset`] docs for a full list of requirements for inbounds pointer arithmetic; the
2398/// same requirements apply to field projections, even inside `addr_of_mut!`. (In particular, it
2399/// makes no difference whether the pointer is null or dangling.)
2400#[stable(feature = "raw_ref_macros", since = "1.51.0")]
2401#[rustc_macro_transparency = "semitransparent"]
2402pub macro addr_of_mut($place:expr) {
2403 &raw mut $place
2404}