core/ptr/
mod.rs

1//! Manually manage memory through raw pointers.
2//!
3//! *[See also the pointer primitive types](pointer).*
4//!
5//! # Safety
6//!
7//! Many functions in this module take raw pointers as arguments and read from or write to them. For
8//! this to be safe, these pointers must be *valid* for the given access. Whether a pointer is valid
9//! depends on the operation it is used for (read or write), and the extent of the memory that is
10//! accessed (i.e., how many bytes are read/written) -- it makes no sense to ask "is this pointer
11//! valid"; one has to ask "is this pointer valid for a given access". Most functions use `*mut T`
12//! and `*const T` to access only a single value, in which case the documentation omits the size and
13//! implicitly assumes it to be `size_of::<T>()` bytes.
14//!
15//! The precise rules for validity are not determined yet. The guarantees that are
16//! provided at this point are very minimal:
17//!
18//! * For memory accesses of [size zero][zst], *every* pointer is valid, including the [null]
19//!   pointer. The following points are only concerned with non-zero-sized accesses.
20//! * A [null] pointer is *never* valid.
21//! * For a pointer to be valid, it is necessary, but not always sufficient, that the pointer be
22//!   *dereferenceable*. The [provenance] of the pointer is used to determine which [allocated
23//!   object] it is derived from; a pointer is dereferenceable if the memory range of the given size
24//!   starting at the pointer is entirely contained within the bounds of that allocated object. Note
25//!   that in Rust, every (stack-allocated) variable is considered a separate allocated object.
26//! * All accesses performed by functions in this module are *non-atomic* in the sense
27//!   of [atomic operations] used to synchronize between threads. This means it is
28//!   undefined behavior to perform two concurrent accesses to the same location from different
29//!   threads unless both accesses only read from memory. Notice that this explicitly
30//!   includes [`read_volatile`] and [`write_volatile`]: Volatile accesses cannot
31//!   be used for inter-thread synchronization.
32//! * The result of casting a reference to a pointer is valid for as long as the
33//!   underlying object is live and no reference (just raw pointers) is used to
34//!   access the same memory. That is, reference and pointer accesses cannot be
35//!   interleaved.
36//!
37//! These axioms, along with careful use of [`offset`] for pointer arithmetic,
38//! are enough to correctly implement many useful things in unsafe code. Stronger guarantees
39//! will be provided eventually, as the [aliasing] rules are being determined. For more
40//! information, see the [book] as well as the section in the reference devoted
41//! to [undefined behavior][ub].
42//!
43//! We say that a pointer is "dangling" if it is not valid for any non-zero-sized accesses. This
44//! means out-of-bounds pointers, pointers to freed memory, null pointers, and pointers created with
45//! [`NonNull::dangling`] are all dangling.
46//!
47//! ## Alignment
48//!
49//! Valid raw pointers as defined above are not necessarily properly aligned (where
50//! "proper" alignment is defined by the pointee type, i.e., `*const T` must be
51//! aligned to `align_of::<T>()`). However, most functions require their
52//! arguments to be properly aligned, and will explicitly state
53//! this requirement in their documentation. Notable exceptions to this are
54//! [`read_unaligned`] and [`write_unaligned`].
55//!
56//! When a function requires proper alignment, it does so even if the access
57//! has size 0, i.e., even if memory is not actually touched. Consider using
58//! [`NonNull::dangling`] in such cases.
59//!
60//! ## Pointer to reference conversion
61//!
62//! When converting a pointer to a reference (e.g. via `&*ptr` or `&mut *ptr`),
63//! there are several rules that must be followed:
64//!
65//! * The pointer must be properly aligned.
66//!
67//! * It must be non-null.
68//!
69//! * It must be "dereferenceable" in the sense defined above.
70//!
71//! * The pointer must point to a [valid value] of type `T`.
72//!
73//! * You must enforce Rust's aliasing rules. The exact aliasing rules are not decided yet, so we
74//!   only give a rough overview here. The rules also depend on whether a mutable or a shared
75//!   reference is being created.
76//!   * When creating a mutable reference, then while this reference exists, the memory it points to
77//!     must not get accessed (read or written) through any other pointer or reference not derived
78//!     from this reference.
79//!   * When creating a shared reference, then while this reference exists, the memory it points to
80//!     must not get mutated (except inside `UnsafeCell`).
81//!
82//! If a pointer follows all of these rules, it is said to be
83//! *convertible to a (mutable or shared) reference*.
84// ^ we use this term instead of saying that the produced reference must
85// be valid, as the validity of a reference is easily confused for the
86// validity of the thing it refers to, and while the two concepts are
87// closely related, they are not identical.
88//!
89//! These rules apply even if the result is unused!
90//! (The part about being initialized is not yet fully decided, but until
91//! it is, the only safe approach is to ensure that they are indeed initialized.)
92//!
93//! An example of the implications of the above rules is that an expression such
94//! as `unsafe { &*(0 as *const u8) }` is Immediate Undefined Behavior.
95//!
96//! [valid value]: ../../reference/behavior-considered-undefined.html#invalid-values
97//!
98//! ## Allocated object
99//!
100//! An *allocated object* is a subset of program memory which is addressable
101//! from Rust, and within which pointer arithmetic is possible. Examples of
102//! allocated objects include heap allocations, stack-allocated variables,
103//! statics, and consts. The safety preconditions of some Rust operations -
104//! such as `offset` and field projections (`expr.field`) - are defined in
105//! terms of the allocated objects on which they operate.
106//!
107//! An allocated object has a base address, a size, and a set of memory
108//! addresses. It is possible for an allocated object to have zero size, but
109//! such an allocated object will still have a base address. The base address
110//! of an allocated object is not necessarily unique. While it is currently the
111//! case that an allocated object always has a set of memory addresses which is
112//! fully contiguous (i.e., has no "holes"), there is no guarantee that this
113//! will not change in the future.
114//!
115//! For any allocated object with `base` address, `size`, and a set of
116//! `addresses`, the following are guaranteed:
117//! - For all addresses `a` in `addresses`, `a` is in the range `base .. (base +
118//!   size)` (note that this requires `a < base + size`, not `a <= base + size`)
119//! - `base` is not equal to [`null()`] (i.e., the address with the numerical
120//!   value 0)
121//! - `base + size <= usize::MAX`
122//! - `size <= isize::MAX`
123//!
124//! As a consequence of these guarantees, given any address `a` within the set
125//! of addresses of an allocated object:
126//! - It is guaranteed that `a - base` does not overflow `isize`
127//! - It is guaranteed that `a - base` is non-negative
128//! - It is guaranteed that, given `o = a - base` (i.e., the offset of `a` within
129//!   the allocated object), `base + o` will not wrap around the address space (in
130//!   other words, will not overflow `usize`)
131//!
132//! [`null()`]: null
133//!
134//! # Provenance
135//!
136//! Pointers are not *simply* an "integer" or "address". For instance, it's uncontroversial
137//! to say that a Use After Free is clearly Undefined Behavior, even if you "get lucky"
138//! and the freed memory gets reallocated before your read/write (in fact this is the
139//! worst-case scenario, UAFs would be much less concerning if this didn't happen!).
140//! As another example, consider that [`wrapping_offset`] is documented to "remember"
141//! the allocated object that the original pointer points to, even if it is offset far
142//! outside the memory range occupied by that allocated object.
143//! To rationalize claims like this, pointers need to somehow be *more* than just their addresses:
144//! they must have **provenance**.
145//!
146//! A pointer value in Rust semantically contains the following information:
147//!
148//! * The **address** it points to, which can be represented by a `usize`.
149//! * The **provenance** it has, defining the memory it has permission to access. Provenance can be
150//!   absent, in which case the pointer does not have permission to access any memory.
151//!
152//! The exact structure of provenance is not yet specified, but the permission defined by a
153//! pointer's provenance have a *spatial* component, a *temporal* component, and a *mutability*
154//! component:
155//!
156//! * Spatial: The set of memory addresses that the pointer is allowed to access.
157//! * Temporal: The timespan during which the pointer is allowed to access those memory addresses.
158//! * Mutability: Whether the pointer may only access the memory for reads, or also access it for
159//!   writes. Note that this can interact with the other components, e.g. a pointer might permit
160//!   mutation only for a subset of addresses, or only for a subset of its maximal timespan.
161//!
162//! When an [allocated object] is created, it has a unique Original Pointer. For alloc
163//! APIs this is literally the pointer the call returns, and for local variables and statics,
164//! this is the name of the variable/static. (This is mildly overloading the term "pointer"
165//! for the sake of brevity/exposition.)
166//!
167//! The Original Pointer for an allocated object has provenance that constrains the *spatial*
168//! permissions of this pointer to the memory range of the allocation, and the *temporal*
169//! permissions to the lifetime of the allocation. Provenance is implicitly inherited by all
170//! pointers transitively derived from the Original Pointer through operations like [`offset`],
171//! borrowing, and pointer casts. Some operations may *shrink* the permissions of the derived
172//! provenance, limiting how much memory it can access or how long it's valid for (i.e. borrowing a
173//! subfield and subslicing can shrink the spatial component of provenance, and all borrowing can
174//! shrink the temporal component of provenance). However, no operation can ever *grow* the
175//! permissions of the derived provenance: even if you "know" there is a larger allocation, you
176//! can't derive a pointer with a larger provenance. Similarly, you cannot "recombine" two
177//! contiguous provenances back into one (i.e. with a `fn merge(&[T], &[T]) -> &[T]`).
178//!
179//! A reference to a place always has provenance over at least the memory that place occupies.
180//! A reference to a slice always has provenance over at least the range that slice describes.
181//! Whether and when exactly the provenance of a reference gets "shrunk" to *exactly* fit
182//! the memory it points to is not yet determined.
183//!
184//! A *shared* reference only ever has provenance that permits reading from memory,
185//! and never permits writes, except inside [`UnsafeCell`].
186//!
187//! Provenance can affect whether a program has undefined behavior:
188//!
189//! * It is undefined behavior to access memory through a pointer that does not have provenance over
190//!   that memory. Note that a pointer "at the end" of its provenance is not actually outside its
191//!   provenance, it just has 0 bytes it can load/store. Zero-sized accesses do not require any
192//!   provenance since they access an empty range of memory.
193//!
194//! * It is undefined behavior to [`offset`] a pointer across a memory range that is not contained
195//!   in the allocated object it is derived from, or to [`offset_from`] two pointers not derived
196//!   from the same allocated object. Provenance is used to say what exactly "derived from" even
197//!   means: the lineage of a pointer is traced back to the Original Pointer it descends from, and
198//!   that identifies the relevant allocated object. In particular, it's always UB to offset a
199//!   pointer derived from something that is now deallocated, except if the offset is 0.
200//!
201//! But it *is* still sound to:
202//!
203//! * Create a pointer without provenance from just an address (see [`without_provenance`]). Such a
204//!   pointer cannot be used for memory accesses (except for zero-sized accesses). This can still be
205//!   useful for sentinel values like `null` *or* to represent a tagged pointer that will never be
206//!   dereferenceable. In general, it is always sound for an integer to pretend to be a pointer "for
207//!   fun" as long as you don't use operations on it which require it to be valid (non-zero-sized
208//!   offset, read, write, etc).
209//!
210//! * Forge an allocation of size zero at any sufficiently aligned non-null address.
211//!   i.e. the usual "ZSTs are fake, do what you want" rules apply.
212//!
213//! * [`wrapping_offset`] a pointer outside its provenance. This includes pointers
214//!   which have "no" provenance. In particular, this makes it sound to do pointer tagging tricks.
215//!
216//! * Compare arbitrary pointers by address. Pointer comparison ignores provenance and addresses
217//!   *are* just integers, so there is always a coherent answer, even if the pointers are dangling
218//!   or from different provenances. Note that if you get "lucky" and notice that a pointer at the
219//!   end of one allocated object is the "same" address as the start of another allocated object,
220//!   anything you do with that fact is *probably* going to be gibberish. The scope of that
221//!   gibberish is kept under control by the fact that the two pointers *still* aren't allowed to
222//!   access the other's allocation (bytes), because they still have different provenance.
223//!
224//! Note that the full definition of provenance in Rust is not decided yet, as this interacts
225//! with the as-yet undecided [aliasing] rules.
226//!
227//! ## Pointers Vs Integers
228//!
229//! From this discussion, it becomes very clear that a `usize` *cannot* accurately represent a pointer,
230//! and converting from a pointer to a `usize` is generally an operation which *only* extracts the
231//! address. Converting this address back into pointer requires somehow answering the question:
232//! which provenance should the resulting pointer have?
233//!
234//! Rust provides two ways of dealing with this situation: *Strict Provenance* and *Exposed Provenance*.
235//!
236//! Note that a pointer *can* represent a `usize` (via [`without_provenance`]), so the right type to
237//! use in situations where a value is "sometimes a pointer and sometimes a bare `usize`" is a
238//! pointer type.
239//!
240//! ## Strict Provenance
241//!
242//! "Strict Provenance" refers to a set of APIs designed to make working with provenance more
243//! explicit. They are intended as substitutes for casting a pointer to an integer and back.
244//!
245//! Entirely avoiding integer-to-pointer casts successfully side-steps the inherent ambiguity of
246//! that operation. This benefits compiler optimizations, and it is pretty much a requirement for
247//! using tools like [Miri] and architectures like [CHERI] that aim to detect and diagnose pointer
248//! misuse.
249//!
250//! The key insight to making programming without integer-to-pointer casts *at all* viable is the
251//! [`with_addr`] method:
252//!
253//! ```text
254//!     /// Creates a new pointer with the given address.
255//!     ///
256//!     /// This performs the same operation as an `addr as ptr` cast, but copies
257//!     /// the *provenance* of `self` to the new pointer.
258//!     /// This allows us to dynamically preserve and propagate this important
259//!     /// information in a way that is otherwise impossible with a unary cast.
260//!     ///
261//!     /// This is equivalent to using `wrapping_offset` to offset `self` to the
262//!     /// given address, and therefore has all the same capabilities and restrictions.
263//!     pub fn with_addr(self, addr: usize) -> Self;
264//! ```
265//!
266//! So you're still able to drop down to the address representation and do whatever
267//! clever bit tricks you want *as long as* you're able to keep around a pointer
268//! into the allocation you care about that can "reconstitute" the provenance.
269//! Usually this is very easy, because you only are taking a pointer, messing with the address,
270//! and then immediately converting back to a pointer. To make this use case more ergonomic,
271//! we provide the [`map_addr`] method.
272//!
273//! To help make it clear that code is "following" Strict Provenance semantics, we also provide an
274//! [`addr`] method which promises that the returned address is not part of a
275//! pointer-integer-pointer roundtrip. In the future we may provide a lint for pointer<->integer
276//! casts to help you audit if your code conforms to strict provenance.
277//!
278//! ### Using Strict Provenance
279//!
280//! Most code needs no changes to conform to strict provenance, as the only really concerning
281//! operation is casts from `usize` to a pointer. For code which *does* cast a `usize` to a pointer,
282//! the scope of the change depends on exactly what you're doing.
283//!
284//! In general, you just need to make sure that if you want to convert a `usize` address to a
285//! pointer and then use that pointer to read/write memory, you need to keep around a pointer
286//! that has sufficient provenance to perform that read/write itself. In this way all of your
287//! casts from an address to a pointer are essentially just applying offsets/indexing.
288//!
289//! This is generally trivial to do for simple cases like tagged pointers *as long as you
290//! represent the tagged pointer as an actual pointer and not a `usize`*. For instance:
291//!
292//! ```
293//! unsafe {
294//!     // A flag we want to pack into our pointer
295//!     static HAS_DATA: usize = 0x1;
296//!     static FLAG_MASK: usize = !HAS_DATA;
297//!
298//!     // Our value, which must have enough alignment to have spare least-significant-bits.
299//!     let my_precious_data: u32 = 17;
300//!     assert!(align_of::<u32>() > 1);
301//!
302//!     // Create a tagged pointer
303//!     let ptr = &my_precious_data as *const u32;
304//!     let tagged = ptr.map_addr(|addr| addr | HAS_DATA);
305//!
306//!     // Check the flag:
307//!     if tagged.addr() & HAS_DATA != 0 {
308//!         // Untag and read the pointer
309//!         let data = *tagged.map_addr(|addr| addr & FLAG_MASK);
310//!         assert_eq!(data, 17);
311//!     } else {
312//!         unreachable!()
313//!     }
314//! }
315//! ```
316//!
317//! (Yes, if you've been using [`AtomicUsize`] for pointers in concurrent datastructures, you should
318//! be using [`AtomicPtr`] instead. If that messes up the way you atomically manipulate pointers,
319//! we would like to know why, and what needs to be done to fix it.)
320//!
321//! Situations where a valid pointer *must* be created from just an address, such as baremetal code
322//! accessing a memory-mapped interface at a fixed address, cannot currently be handled with strict
323//! provenance APIs and should use [exposed provenance](#exposed-provenance).
324//!
325//! ## Exposed Provenance
326//!
327//! As discussed above, integer-to-pointer casts are not possible with Strict Provenance APIs.
328//! This is by design: the goal of Strict Provenance is to provide a clear specification that we are
329//! confident can be formalized unambiguously and can be subject to precise formal reasoning.
330//! Integer-to-pointer casts do not (currently) have such a clear specification.
331//!
332//! However, there exist situations where integer-to-pointer casts cannot be avoided, or
333//! where avoiding them would require major refactoring. Legacy platform APIs also regularly assume
334//! that `usize` can capture all the information that makes up a pointer.
335//! Bare-metal platforms can also require the synthesis of a pointer "out of thin air" without
336//! anywhere to obtain proper provenance from.
337//!
338//! Rust's model for dealing with integer-to-pointer casts is called *Exposed Provenance*. However,
339//! the semantics of Exposed Provenance are on much less solid footing than Strict Provenance, and
340//! at this point it is not yet clear whether a satisfying unambiguous semantics can be defined for
341//! Exposed Provenance. (If that sounds bad, be reassured that other popular languages that provide
342//! integer-to-pointer casts are not faring any better.) Furthermore, Exposed Provenance will not
343//! work (well) with tools like [Miri] and [CHERI].
344//!
345//! Exposed Provenance is provided by the [`expose_provenance`] and [`with_exposed_provenance`] methods,
346//! which are equivalent to `as` casts between pointers and integers.
347//! - [`expose_provenance`] is a lot like [`addr`], but additionally adds the provenance of the
348//!   pointer to a global list of 'exposed' provenances. (This list is purely conceptual, it exists
349//!   for the purpose of specifying Rust but is not materialized in actual executions, except in
350//!   tools like [Miri].)
351//!   Memory which is outside the control of the Rust abstract machine (MMIO registers, for example)
352//!   is always considered to be exposed, so long as this memory is disjoint from memory that will
353//!   be used by the abstract machine such as the stack, heap, and statics.
354//! - [`with_exposed_provenance`] can be used to construct a pointer with one of these previously
355//!   'exposed' provenances. [`with_exposed_provenance`] takes only `addr: usize` as arguments, so
356//!   unlike in [`with_addr`] there is no indication of what the correct provenance for the returned
357//!   pointer is -- and that is exactly what makes integer-to-pointer casts so tricky to rigorously
358//!   specify! The compiler will do its best to pick the right provenance for you, but currently we
359//!   cannot provide any guarantees about which provenance the resulting pointer will have. Only one
360//!   thing is clear: if there is *no* previously 'exposed' provenance that justifies the way the
361//!   returned pointer will be used, the program has undefined behavior.
362//!
363//! If at all possible, we encourage code to be ported to [Strict Provenance] APIs, thus avoiding
364//! the need for Exposed Provenance. Maximizing the amount of such code is a major win for avoiding
365//! specification complexity and to facilitate adoption of tools like [CHERI] and [Miri] that can be
366//! a big help in increasing the confidence in (unsafe) Rust code. However, we acknowledge that this
367//! is not always possible, and offer Exposed Provenance as a way to explicit "opt out" of the
368//! well-defined semantics of Strict Provenance, and "opt in" to the unclear semantics of
369//! integer-to-pointer casts.
370//!
371//! [aliasing]: ../../nomicon/aliasing.html
372//! [allocated object]: #allocated-object
373//! [provenance]: #provenance
374//! [book]: ../../book/ch19-01-unsafe-rust.html#dereferencing-a-raw-pointer
375//! [ub]: ../../reference/behavior-considered-undefined.html
376//! [zst]: ../../nomicon/exotic-sizes.html#zero-sized-types-zsts
377//! [atomic operations]: crate::sync::atomic
378//! [`offset`]: pointer::offset
379//! [`offset_from`]: pointer::offset_from
380//! [`wrapping_offset`]: pointer::wrapping_offset
381//! [`with_addr`]: pointer::with_addr
382//! [`map_addr`]: pointer::map_addr
383//! [`addr`]: pointer::addr
384//! [`AtomicUsize`]: crate::sync::atomic::AtomicUsize
385//! [`AtomicPtr`]: crate::sync::atomic::AtomicPtr
386//! [`expose_provenance`]: pointer::expose_provenance
387//! [`with_exposed_provenance`]: with_exposed_provenance
388//! [Miri]: https://github.com/rust-lang/miri
389//! [CHERI]: https://www.cl.cam.ac.uk/research/security/ctsrd/cheri/
390//! [Strict Provenance]: #strict-provenance
391//! [`UnsafeCell`]: core::cell::UnsafeCell
392
393#![stable(feature = "rust1", since = "1.0.0")]
394// There are many unsafe functions taking pointers that don't dereference them.
395#![allow(clippy::not_unsafe_ptr_arg_deref)]
396
397use crate::cmp::Ordering;
398use crate::intrinsics::const_eval_select;
399use crate::marker::FnPtr;
400use crate::mem::{self, MaybeUninit, SizedTypeProperties};
401use crate::num::NonZero;
402use crate::{fmt, hash, intrinsics, ub_checks};
403
404mod alignment;
405#[unstable(feature = "ptr_alignment_type", issue = "102070")]
406pub use alignment::Alignment;
407
408mod metadata;
409#[unstable(feature = "ptr_metadata", issue = "81513")]
410pub use metadata::{DynMetadata, Pointee, Thin, from_raw_parts, from_raw_parts_mut, metadata};
411
412mod non_null;
413#[stable(feature = "nonnull", since = "1.25.0")]
414pub use non_null::NonNull;
415
416mod unique;
417#[unstable(feature = "ptr_internals", issue = "none")]
418pub use unique::Unique;
419
420mod const_ptr;
421mod mut_ptr;
422
423// Some functions are defined here because they accidentally got made
424// available in this module on stable. See <https://github.com/rust-lang/rust/issues/15702>.
425// (`transmute` also falls into this category, but it cannot be wrapped due to the
426// check that `T` and `U` have the same size.)
427
428/// Copies `count * size_of::<T>()` bytes from `src` to `dst`. The source
429/// and destination must *not* overlap.
430///
431/// For regions of memory which might overlap, use [`copy`] instead.
432///
433/// `copy_nonoverlapping` is semantically equivalent to C's [`memcpy`], but
434/// with the source and destination arguments swapped,
435/// and `count` counting the number of `T`s instead of bytes.
436///
437/// The copy is "untyped" in the sense that data may be uninitialized or otherwise violate the
438/// requirements of `T`. The initialization state is preserved exactly.
439///
440/// [`memcpy`]: https://en.cppreference.com/w/c/string/byte/memcpy
441///
442/// # Safety
443///
444/// Behavior is undefined if any of the following conditions are violated:
445///
446/// * `src` must be [valid] for reads of `count * size_of::<T>()` bytes.
447///
448/// * `dst` must be [valid] for writes of `count * size_of::<T>()` bytes.
449///
450/// * Both `src` and `dst` must be properly aligned.
451///
452/// * The region of memory beginning at `src` with a size of `count *
453///   size_of::<T>()` bytes must *not* overlap with the region of memory
454///   beginning at `dst` with the same size.
455///
456/// Like [`read`], `copy_nonoverlapping` creates a bitwise copy of `T`, regardless of
457/// whether `T` is [`Copy`]. If `T` is not [`Copy`], using *both* the values
458/// in the region beginning at `*src` and the region beginning at `*dst` can
459/// [violate memory safety][read-ownership].
460///
461/// Note that even if the effectively copied size (`count * size_of::<T>()`) is
462/// `0`, the pointers must be properly aligned.
463///
464/// [`read`]: crate::ptr::read
465/// [read-ownership]: crate::ptr::read#ownership-of-the-returned-value
466/// [valid]: crate::ptr#safety
467///
468/// # Examples
469///
470/// Manually implement [`Vec::append`]:
471///
472/// ```
473/// use std::ptr;
474///
475/// /// Moves all the elements of `src` into `dst`, leaving `src` empty.
476/// fn append<T>(dst: &mut Vec<T>, src: &mut Vec<T>) {
477///     let src_len = src.len();
478///     let dst_len = dst.len();
479///
480///     // Ensure that `dst` has enough capacity to hold all of `src`.
481///     dst.reserve(src_len);
482///
483///     unsafe {
484///         // The call to add is always safe because `Vec` will never
485///         // allocate more than `isize::MAX` bytes.
486///         let dst_ptr = dst.as_mut_ptr().add(dst_len);
487///         let src_ptr = src.as_ptr();
488///
489///         // Truncate `src` without dropping its contents. We do this first,
490///         // to avoid problems in case something further down panics.
491///         src.set_len(0);
492///
493///         // The two regions cannot overlap because mutable references do
494///         // not alias, and two different vectors cannot own the same
495///         // memory.
496///         ptr::copy_nonoverlapping(src_ptr, dst_ptr, src_len);
497///
498///         // Notify `dst` that it now holds the contents of `src`.
499///         dst.set_len(dst_len + src_len);
500///     }
501/// }
502///
503/// let mut a = vec!['r'];
504/// let mut b = vec!['u', 's', 't'];
505///
506/// append(&mut a, &mut b);
507///
508/// assert_eq!(a, &['r', 'u', 's', 't']);
509/// assert!(b.is_empty());
510/// ```
511///
512/// [`Vec::append`]: ../../std/vec/struct.Vec.html#method.append
513#[doc(alias = "memcpy")]
514#[stable(feature = "rust1", since = "1.0.0")]
515#[rustc_const_stable(feature = "const_intrinsic_copy", since = "1.83.0")]
516#[inline(always)]
517#[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
518#[rustc_diagnostic_item = "ptr_copy_nonoverlapping"]
519pub const unsafe fn copy_nonoverlapping<T>(src: *const T, dst: *mut T, count: usize) {
520    ub_checks::assert_unsafe_precondition!(
521        check_language_ub,
522        "ptr::copy_nonoverlapping requires that both pointer arguments are aligned and non-null \
523        and the specified memory ranges do not overlap",
524        (
525            src: *const () = src as *const (),
526            dst: *mut () = dst as *mut (),
527            size: usize = size_of::<T>(),
528            align: usize = align_of::<T>(),
529            count: usize = count,
530        ) => {
531            let zero_size = count == 0 || size == 0;
532            ub_checks::maybe_is_aligned_and_not_null(src, align, zero_size)
533                && ub_checks::maybe_is_aligned_and_not_null(dst, align, zero_size)
534                && ub_checks::maybe_is_nonoverlapping(src, dst, size, count)
535        }
536    );
537
538    // SAFETY: the safety contract for `copy_nonoverlapping` must be
539    // upheld by the caller.
540    unsafe { crate::intrinsics::copy_nonoverlapping(src, dst, count) }
541}
542
543/// Copies `count * size_of::<T>()` bytes from `src` to `dst`. The source
544/// and destination may overlap.
545///
546/// If the source and destination will *never* overlap,
547/// [`copy_nonoverlapping`] can be used instead.
548///
549/// `copy` is semantically equivalent to C's [`memmove`], but
550/// with the source and destination arguments swapped,
551/// and `count` counting the number of `T`s instead of bytes.
552/// Copying takes place as if the bytes were copied from `src`
553/// to a temporary array and then copied from the array to `dst`.
554///
555/// The copy is "untyped" in the sense that data may be uninitialized or otherwise violate the
556/// requirements of `T`. The initialization state is preserved exactly.
557///
558/// [`memmove`]: https://en.cppreference.com/w/c/string/byte/memmove
559///
560/// # Safety
561///
562/// Behavior is undefined if any of the following conditions are violated:
563///
564/// * `src` must be [valid] for reads of `count * size_of::<T>()` bytes.
565///
566/// * `dst` must be [valid] for writes of `count * size_of::<T>()` bytes, and must remain valid even
567///   when `src` is read for `count * size_of::<T>()` bytes. (This means if the memory ranges
568///   overlap, the `dst` pointer must not be invalidated by `src` reads.)
569///
570/// * Both `src` and `dst` must be properly aligned.
571///
572/// Like [`read`], `copy` creates a bitwise copy of `T`, regardless of
573/// whether `T` is [`Copy`]. If `T` is not [`Copy`], using both the values
574/// in the region beginning at `*src` and the region beginning at `*dst` can
575/// [violate memory safety][read-ownership].
576///
577/// Note that even if the effectively copied size (`count * size_of::<T>()`) is
578/// `0`, the pointers must be properly aligned.
579///
580/// [`read`]: crate::ptr::read
581/// [read-ownership]: crate::ptr::read#ownership-of-the-returned-value
582/// [valid]: crate::ptr#safety
583///
584/// # Examples
585///
586/// Efficiently create a Rust vector from an unsafe buffer:
587///
588/// ```
589/// use std::ptr;
590///
591/// /// # Safety
592/// ///
593/// /// * `ptr` must be correctly aligned for its type and non-zero.
594/// /// * `ptr` must be valid for reads of `elts` contiguous elements of type `T`.
595/// /// * Those elements must not be used after calling this function unless `T: Copy`.
596/// # #[allow(dead_code)]
597/// unsafe fn from_buf_raw<T>(ptr: *const T, elts: usize) -> Vec<T> {
598///     let mut dst = Vec::with_capacity(elts);
599///
600///     // SAFETY: Our precondition ensures the source is aligned and valid,
601///     // and `Vec::with_capacity` ensures that we have usable space to write them.
602///     unsafe { ptr::copy(ptr, dst.as_mut_ptr(), elts); }
603///
604///     // SAFETY: We created it with this much capacity earlier,
605///     // and the previous `copy` has initialized these elements.
606///     unsafe { dst.set_len(elts); }
607///     dst
608/// }
609/// ```
610#[doc(alias = "memmove")]
611#[stable(feature = "rust1", since = "1.0.0")]
612#[rustc_const_stable(feature = "const_intrinsic_copy", since = "1.83.0")]
613#[inline(always)]
614#[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
615#[rustc_diagnostic_item = "ptr_copy"]
616pub const unsafe fn copy<T>(src: *const T, dst: *mut T, count: usize) {
617    // SAFETY: the safety contract for `copy` must be upheld by the caller.
618    unsafe {
619        ub_checks::assert_unsafe_precondition!(
620            check_language_ub,
621            "ptr::copy requires that both pointer arguments are aligned and non-null",
622            (
623                src: *const () = src as *const (),
624                dst: *mut () = dst as *mut (),
625                align: usize = align_of::<T>(),
626                zero_size: bool = T::IS_ZST || count == 0,
627            ) =>
628            ub_checks::maybe_is_aligned_and_not_null(src, align, zero_size)
629                && ub_checks::maybe_is_aligned_and_not_null(dst, align, zero_size)
630        );
631        crate::intrinsics::copy(src, dst, count)
632    }
633}
634
635/// Sets `count * size_of::<T>()` bytes of memory starting at `dst` to
636/// `val`.
637///
638/// `write_bytes` is similar to C's [`memset`], but sets `count *
639/// size_of::<T>()` bytes to `val`.
640///
641/// [`memset`]: https://en.cppreference.com/w/c/string/byte/memset
642///
643/// # Safety
644///
645/// Behavior is undefined if any of the following conditions are violated:
646///
647/// * `dst` must be [valid] for writes of `count * size_of::<T>()` bytes.
648///
649/// * `dst` must be properly aligned.
650///
651/// Note that even if the effectively copied size (`count * size_of::<T>()`) is
652/// `0`, the pointer must be properly aligned.
653///
654/// Additionally, note that changing `*dst` in this way can easily lead to undefined behavior (UB)
655/// later if the written bytes are not a valid representation of some `T`. For instance, the
656/// following is an **incorrect** use of this function:
657///
658/// ```rust,no_run
659/// unsafe {
660///     let mut value: u8 = 0;
661///     let ptr: *mut bool = &mut value as *mut u8 as *mut bool;
662///     let _bool = ptr.read(); // This is fine, `ptr` points to a valid `bool`.
663///     ptr.write_bytes(42u8, 1); // This function itself does not cause UB...
664///     let _bool = ptr.read(); // ...but it makes this operation UB! ⚠️
665/// }
666/// ```
667///
668/// [valid]: crate::ptr#safety
669///
670/// # Examples
671///
672/// Basic usage:
673///
674/// ```
675/// use std::ptr;
676///
677/// let mut vec = vec![0u32; 4];
678/// unsafe {
679///     let vec_ptr = vec.as_mut_ptr();
680///     ptr::write_bytes(vec_ptr, 0xfe, 2);
681/// }
682/// assert_eq!(vec, [0xfefefefe, 0xfefefefe, 0, 0]);
683/// ```
684#[doc(alias = "memset")]
685#[stable(feature = "rust1", since = "1.0.0")]
686#[rustc_const_stable(feature = "const_ptr_write", since = "1.83.0")]
687#[inline(always)]
688#[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
689#[rustc_diagnostic_item = "ptr_write_bytes"]
690pub const unsafe fn write_bytes<T>(dst: *mut T, val: u8, count: usize) {
691    // SAFETY: the safety contract for `write_bytes` must be upheld by the caller.
692    unsafe {
693        ub_checks::assert_unsafe_precondition!(
694            check_language_ub,
695            "ptr::write_bytes requires that the destination pointer is aligned and non-null",
696            (
697                addr: *const () = dst as *const (),
698                align: usize = align_of::<T>(),
699                zero_size: bool = T::IS_ZST || count == 0,
700            ) => ub_checks::maybe_is_aligned_and_not_null(addr, align, zero_size)
701        );
702        crate::intrinsics::write_bytes(dst, val, count)
703    }
704}
705
706/// Executes the destructor (if any) of the pointed-to value.
707///
708/// This is almost the same as calling [`ptr::read`] and discarding
709/// the result, but has the following advantages:
710// FIXME: say something more useful than "almost the same"?
711// There are open questions here: `read` requires the value to be fully valid, e.g. if `T` is a
712// `bool` it must be 0 or 1, if it is a reference then it must be dereferenceable. `drop_in_place`
713// only requires that `*to_drop` be "valid for dropping" and we have not defined what that means. In
714// Miri it currently (May 2024) requires nothing at all for types without drop glue.
715///
716/// * It is *required* to use `drop_in_place` to drop unsized types like
717///   trait objects, because they can't be read out onto the stack and
718///   dropped normally.
719///
720/// * It is friendlier to the optimizer to do this over [`ptr::read`] when
721///   dropping manually allocated memory (e.g., in the implementations of
722///   `Box`/`Rc`/`Vec`), as the compiler doesn't need to prove that it's
723///   sound to elide the copy.
724///
725/// * It can be used to drop [pinned] data when `T` is not `repr(packed)`
726///   (pinned data must not be moved before it is dropped).
727///
728/// Unaligned values cannot be dropped in place, they must be copied to an aligned
729/// location first using [`ptr::read_unaligned`]. For packed structs, this move is
730/// done automatically by the compiler. This means the fields of packed structs
731/// are not dropped in-place.
732///
733/// [`ptr::read`]: self::read
734/// [`ptr::read_unaligned`]: self::read_unaligned
735/// [pinned]: crate::pin
736///
737/// # Safety
738///
739/// Behavior is undefined if any of the following conditions are violated:
740///
741/// * `to_drop` must be [valid] for both reads and writes.
742///
743/// * `to_drop` must be properly aligned, even if `T` has size 0.
744///
745/// * `to_drop` must be nonnull, even if `T` has size 0.
746///
747/// * The value `to_drop` points to must be valid for dropping, which may mean
748///   it must uphold additional invariants. These invariants depend on the type
749///   of the value being dropped. For instance, when dropping a Box, the box's
750///   pointer to the heap must be valid.
751///
752/// * While `drop_in_place` is executing, the only way to access parts of
753///   `to_drop` is through the `&mut self` references supplied to the
754///   `Drop::drop` methods that `drop_in_place` invokes.
755///
756/// Additionally, if `T` is not [`Copy`], using the pointed-to value after
757/// calling `drop_in_place` can cause undefined behavior. Note that `*to_drop =
758/// foo` counts as a use because it will cause the value to be dropped
759/// again. [`write()`] can be used to overwrite data without causing it to be
760/// dropped.
761///
762/// [valid]: self#safety
763///
764/// # Examples
765///
766/// Manually remove the last item from a vector:
767///
768/// ```
769/// use std::ptr;
770/// use std::rc::Rc;
771///
772/// let last = Rc::new(1);
773/// let weak = Rc::downgrade(&last);
774///
775/// let mut v = vec![Rc::new(0), last];
776///
777/// unsafe {
778///     // Get a raw pointer to the last element in `v`.
779///     let ptr = &mut v[1] as *mut _;
780///     // Shorten `v` to prevent the last item from being dropped. We do that first,
781///     // to prevent issues if the `drop_in_place` below panics.
782///     v.set_len(1);
783///     // Without a call `drop_in_place`, the last item would never be dropped,
784///     // and the memory it manages would be leaked.
785///     ptr::drop_in_place(ptr);
786/// }
787///
788/// assert_eq!(v, &[0.into()]);
789///
790/// // Ensure that the last item was dropped.
791/// assert!(weak.upgrade().is_none());
792/// ```
793#[stable(feature = "drop_in_place", since = "1.8.0")]
794#[lang = "drop_in_place"]
795#[allow(unconditional_recursion)]
796#[rustc_diagnostic_item = "ptr_drop_in_place"]
797pub unsafe fn drop_in_place<T: ?Sized>(to_drop: *mut T) {
798    // Code here does not matter - this is replaced by the
799    // real drop glue by the compiler.
800
801    // SAFETY: see comment above
802    unsafe { drop_in_place(to_drop) }
803}
804
805/// Creates a null raw pointer.
806///
807/// This function is equivalent to zero-initializing the pointer:
808/// `MaybeUninit::<*const T>::zeroed().assume_init()`.
809/// The resulting pointer has the address 0.
810///
811/// # Examples
812///
813/// ```
814/// use std::ptr;
815///
816/// let p: *const i32 = ptr::null();
817/// assert!(p.is_null());
818/// assert_eq!(p as usize, 0); // this pointer has the address 0
819/// ```
820#[inline(always)]
821#[must_use]
822#[stable(feature = "rust1", since = "1.0.0")]
823#[rustc_promotable]
824#[rustc_const_stable(feature = "const_ptr_null", since = "1.24.0")]
825#[rustc_diagnostic_item = "ptr_null"]
826pub const fn null<T: ?Sized + Thin>() -> *const T {
827    from_raw_parts(without_provenance::<()>(0), ())
828}
829
830/// Creates a null mutable raw pointer.
831///
832/// This function is equivalent to zero-initializing the pointer:
833/// `MaybeUninit::<*mut T>::zeroed().assume_init()`.
834/// The resulting pointer has the address 0.
835///
836/// # Examples
837///
838/// ```
839/// use std::ptr;
840///
841/// let p: *mut i32 = ptr::null_mut();
842/// assert!(p.is_null());
843/// assert_eq!(p as usize, 0); // this pointer has the address 0
844/// ```
845#[inline(always)]
846#[must_use]
847#[stable(feature = "rust1", since = "1.0.0")]
848#[rustc_promotable]
849#[rustc_const_stable(feature = "const_ptr_null", since = "1.24.0")]
850#[rustc_diagnostic_item = "ptr_null_mut"]
851pub const fn null_mut<T: ?Sized + Thin>() -> *mut T {
852    from_raw_parts_mut(without_provenance_mut::<()>(0), ())
853}
854
855/// Creates a pointer with the given address and no [provenance][crate::ptr#provenance].
856///
857/// This is equivalent to `ptr::null().with_addr(addr)`.
858///
859/// Without provenance, this pointer is not associated with any actual allocation. Such a
860/// no-provenance pointer may be used for zero-sized memory accesses (if suitably aligned), but
861/// non-zero-sized memory accesses with a no-provenance pointer are UB. No-provenance pointers are
862/// little more than a `usize` address in disguise.
863///
864/// This is different from `addr as *const T`, which creates a pointer that picks up a previously
865/// exposed provenance. See [`with_exposed_provenance`] for more details on that operation.
866///
867/// This is a [Strict Provenance][crate::ptr#strict-provenance] API.
868#[inline(always)]
869#[must_use]
870#[stable(feature = "strict_provenance", since = "1.84.0")]
871#[rustc_const_stable(feature = "strict_provenance", since = "1.84.0")]
872pub const fn without_provenance<T>(addr: usize) -> *const T {
873    without_provenance_mut(addr)
874}
875
876/// Creates a new pointer that is dangling, but non-null and well-aligned.
877///
878/// This is useful for initializing types which lazily allocate, like
879/// `Vec::new` does.
880///
881/// Note that the pointer value may potentially represent a valid pointer to
882/// a `T`, which means this must not be used as a "not yet initialized"
883/// sentinel value. Types that lazily allocate must track initialization by
884/// some other means.
885#[inline(always)]
886#[must_use]
887#[stable(feature = "strict_provenance", since = "1.84.0")]
888#[rustc_const_stable(feature = "strict_provenance", since = "1.84.0")]
889pub const fn dangling<T>() -> *const T {
890    dangling_mut()
891}
892
893/// Creates a pointer with the given address and no [provenance][crate::ptr#provenance].
894///
895/// This is equivalent to `ptr::null_mut().with_addr(addr)`.
896///
897/// Without provenance, this pointer is not associated with any actual allocation. Such a
898/// no-provenance pointer may be used for zero-sized memory accesses (if suitably aligned), but
899/// non-zero-sized memory accesses with a no-provenance pointer are UB. No-provenance pointers are
900/// little more than a `usize` address in disguise.
901///
902/// This is different from `addr as *mut T`, which creates a pointer that picks up a previously
903/// exposed provenance. See [`with_exposed_provenance_mut`] for more details on that operation.
904///
905/// This is a [Strict Provenance][crate::ptr#strict-provenance] API.
906#[inline(always)]
907#[must_use]
908#[stable(feature = "strict_provenance", since = "1.84.0")]
909#[rustc_const_stable(feature = "strict_provenance", since = "1.84.0")]
910pub const fn without_provenance_mut<T>(addr: usize) -> *mut T {
911    // An int-to-pointer transmute currently has exactly the intended semantics: it creates a
912    // pointer without provenance. Note that this is *not* a stable guarantee about transmute
913    // semantics, it relies on sysroot crates having special status.
914    // SAFETY: every valid integer is also a valid pointer (as long as you don't dereference that
915    // pointer).
916    unsafe { mem::transmute(addr) }
917}
918
919/// Creates a new pointer that is dangling, but non-null and well-aligned.
920///
921/// This is useful for initializing types which lazily allocate, like
922/// `Vec::new` does.
923///
924/// Note that the pointer value may potentially represent a valid pointer to
925/// a `T`, which means this must not be used as a "not yet initialized"
926/// sentinel value. Types that lazily allocate must track initialization by
927/// some other means.
928#[inline(always)]
929#[must_use]
930#[stable(feature = "strict_provenance", since = "1.84.0")]
931#[rustc_const_stable(feature = "strict_provenance", since = "1.84.0")]
932pub const fn dangling_mut<T>() -> *mut T {
933    NonNull::dangling().as_ptr()
934}
935
936/// Converts an address back to a pointer, picking up some previously 'exposed'
937/// [provenance][crate::ptr#provenance].
938///
939/// This is fully equivalent to `addr as *const T`. The provenance of the returned pointer is that
940/// of *some* pointer that was previously exposed by passing it to
941/// [`expose_provenance`][pointer::expose_provenance], or a `ptr as usize` cast. In addition, memory
942/// which is outside the control of the Rust abstract machine (MMIO registers, for example) is
943/// always considered to be accessible with an exposed provenance, so long as this memory is disjoint
944/// from memory that will be used by the abstract machine such as the stack, heap, and statics.
945///
946/// The exact provenance that gets picked is not specified. The compiler will do its best to pick
947/// the "right" provenance for you (whatever that may be), but currently we cannot provide any
948/// guarantees about which provenance the resulting pointer will have -- and therefore there
949/// is no definite specification for which memory the resulting pointer may access.
950///
951/// If there is *no* previously 'exposed' provenance that justifies the way the returned pointer
952/// will be used, the program has undefined behavior. In particular, the aliasing rules still apply:
953/// pointers and references that have been invalidated due to aliasing accesses cannot be used
954/// anymore, even if they have been exposed!
955///
956/// Due to its inherent ambiguity, this operation may not be supported by tools that help you to
957/// stay conformant with the Rust memory model. It is recommended to use [Strict
958/// Provenance][self#strict-provenance] APIs such as [`with_addr`][pointer::with_addr] wherever
959/// possible.
960///
961/// On most platforms this will produce a value with the same bytes as the address. Platforms
962/// which need to store additional information in a pointer may not support this operation,
963/// since it is generally not possible to actually *compute* which provenance the returned
964/// pointer has to pick up.
965///
966/// This is an [Exposed Provenance][crate::ptr#exposed-provenance] API.
967#[must_use]
968#[inline(always)]
969#[stable(feature = "exposed_provenance", since = "1.84.0")]
970#[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
971#[allow(fuzzy_provenance_casts)] // this *is* the explicit provenance API one should use instead
972pub fn with_exposed_provenance<T>(addr: usize) -> *const T {
973    addr as *const T
974}
975
976/// Converts an address back to a mutable pointer, picking up some previously 'exposed'
977/// [provenance][crate::ptr#provenance].
978///
979/// This is fully equivalent to `addr as *mut T`. The provenance of the returned pointer is that
980/// of *some* pointer that was previously exposed by passing it to
981/// [`expose_provenance`][pointer::expose_provenance], or a `ptr as usize` cast. In addition, memory
982/// which is outside the control of the Rust abstract machine (MMIO registers, for example) is
983/// always considered to be accessible with an exposed provenance, so long as this memory is disjoint
984/// from memory that will be used by the abstract machine such as the stack, heap, and statics.
985///
986/// The exact provenance that gets picked is not specified. The compiler will do its best to pick
987/// the "right" provenance for you (whatever that may be), but currently we cannot provide any
988/// guarantees about which provenance the resulting pointer will have -- and therefore there
989/// is no definite specification for which memory the resulting pointer may access.
990///
991/// If there is *no* previously 'exposed' provenance that justifies the way the returned pointer
992/// will be used, the program has undefined behavior. In particular, the aliasing rules still apply:
993/// pointers and references that have been invalidated due to aliasing accesses cannot be used
994/// anymore, even if they have been exposed!
995///
996/// Due to its inherent ambiguity, this operation may not be supported by tools that help you to
997/// stay conformant with the Rust memory model. It is recommended to use [Strict
998/// Provenance][self#strict-provenance] APIs such as [`with_addr`][pointer::with_addr] wherever
999/// possible.
1000///
1001/// On most platforms this will produce a value with the same bytes as the address. Platforms
1002/// which need to store additional information in a pointer may not support this operation,
1003/// since it is generally not possible to actually *compute* which provenance the returned
1004/// pointer has to pick up.
1005///
1006/// This is an [Exposed Provenance][crate::ptr#exposed-provenance] API.
1007#[must_use]
1008#[inline(always)]
1009#[stable(feature = "exposed_provenance", since = "1.84.0")]
1010#[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
1011#[allow(fuzzy_provenance_casts)] // this *is* the explicit provenance API one should use instead
1012pub fn with_exposed_provenance_mut<T>(addr: usize) -> *mut T {
1013    addr as *mut T
1014}
1015
1016/// Converts a reference to a raw pointer.
1017///
1018/// For `r: &T`, `from_ref(r)` is equivalent to `r as *const T` (except for the caveat noted below),
1019/// but is a bit safer since it will never silently change type or mutability, in particular if the
1020/// code is refactored.
1021///
1022/// The caller must ensure that the pointee outlives the pointer this function returns, or else it
1023/// will end up dangling.
1024///
1025/// The caller must also ensure that the memory the pointer (non-transitively) points to is never
1026/// written to (except inside an `UnsafeCell`) using this pointer or any pointer derived from it. If
1027/// you need to mutate the pointee, use [`from_mut`]. Specifically, to turn a mutable reference `m:
1028/// &mut T` into `*const T`, prefer `from_mut(m).cast_const()` to obtain a pointer that can later be
1029/// used for mutation.
1030///
1031/// ## Interaction with lifetime extension
1032///
1033/// Note that this has subtle interactions with the rules for lifetime extension of temporaries in
1034/// tail expressions. This code is valid, albeit in a non-obvious way:
1035/// ```rust
1036/// # type T = i32;
1037/// # fn foo() -> T { 42 }
1038/// // The temporary holding the return value of `foo` has its lifetime extended,
1039/// // because the surrounding expression involves no function call.
1040/// let p = &foo() as *const T;
1041/// unsafe { p.read() };
1042/// ```
1043/// Naively replacing the cast with `from_ref` is not valid:
1044/// ```rust,no_run
1045/// # use std::ptr;
1046/// # type T = i32;
1047/// # fn foo() -> T { 42 }
1048/// // The temporary holding the return value of `foo` does *not* have its lifetime extended,
1049/// // because the surrounding expression involves a function call.
1050/// let p = ptr::from_ref(&foo());
1051/// unsafe { p.read() }; // UB! Reading from a dangling pointer ⚠️
1052/// ```
1053/// The recommended way to write this code is to avoid relying on lifetime extension
1054/// when raw pointers are involved:
1055/// ```rust
1056/// # use std::ptr;
1057/// # type T = i32;
1058/// # fn foo() -> T { 42 }
1059/// let x = foo();
1060/// let p = ptr::from_ref(&x);
1061/// unsafe { p.read() };
1062/// ```
1063#[inline(always)]
1064#[must_use]
1065#[stable(feature = "ptr_from_ref", since = "1.76.0")]
1066#[rustc_const_stable(feature = "ptr_from_ref", since = "1.76.0")]
1067#[rustc_never_returns_null_ptr]
1068#[rustc_diagnostic_item = "ptr_from_ref"]
1069pub const fn from_ref<T: ?Sized>(r: &T) -> *const T {
1070    r
1071}
1072
1073/// Converts a mutable reference to a raw pointer.
1074///
1075/// For `r: &mut T`, `from_mut(r)` is equivalent to `r as *mut T` (except for the caveat noted
1076/// below), but is a bit safer since it will never silently change type or mutability, in particular
1077/// if the code is refactored.
1078///
1079/// The caller must ensure that the pointee outlives the pointer this function returns, or else it
1080/// will end up dangling.
1081///
1082/// ## Interaction with lifetime extension
1083///
1084/// Note that this has subtle interactions with the rules for lifetime extension of temporaries in
1085/// tail expressions. This code is valid, albeit in a non-obvious way:
1086/// ```rust
1087/// # type T = i32;
1088/// # fn foo() -> T { 42 }
1089/// // The temporary holding the return value of `foo` has its lifetime extended,
1090/// // because the surrounding expression involves no function call.
1091/// let p = &mut foo() as *mut T;
1092/// unsafe { p.write(T::default()) };
1093/// ```
1094/// Naively replacing the cast with `from_mut` is not valid:
1095/// ```rust,no_run
1096/// # use std::ptr;
1097/// # type T = i32;
1098/// # fn foo() -> T { 42 }
1099/// // The temporary holding the return value of `foo` does *not* have its lifetime extended,
1100/// // because the surrounding expression involves a function call.
1101/// let p = ptr::from_mut(&mut foo());
1102/// unsafe { p.write(T::default()) }; // UB! Writing to a dangling pointer ⚠️
1103/// ```
1104/// The recommended way to write this code is to avoid relying on lifetime extension
1105/// when raw pointers are involved:
1106/// ```rust
1107/// # use std::ptr;
1108/// # type T = i32;
1109/// # fn foo() -> T { 42 }
1110/// let mut x = foo();
1111/// let p = ptr::from_mut(&mut x);
1112/// unsafe { p.write(T::default()) };
1113/// ```
1114#[inline(always)]
1115#[must_use]
1116#[stable(feature = "ptr_from_ref", since = "1.76.0")]
1117#[rustc_const_stable(feature = "ptr_from_ref", since = "1.76.0")]
1118#[rustc_never_returns_null_ptr]
1119pub const fn from_mut<T: ?Sized>(r: &mut T) -> *mut T {
1120    r
1121}
1122
1123/// Forms a raw slice from a pointer and a length.
1124///
1125/// The `len` argument is the number of **elements**, not the number of bytes.
1126///
1127/// This function is safe, but actually using the return value is unsafe.
1128/// See the documentation of [`slice::from_raw_parts`] for slice safety requirements.
1129///
1130/// [`slice::from_raw_parts`]: crate::slice::from_raw_parts
1131///
1132/// # Examples
1133///
1134/// ```rust
1135/// use std::ptr;
1136///
1137/// // create a slice pointer when starting out with a pointer to the first element
1138/// let x = [5, 6, 7];
1139/// let raw_pointer = x.as_ptr();
1140/// let slice = ptr::slice_from_raw_parts(raw_pointer, 3);
1141/// assert_eq!(unsafe { &*slice }[2], 7);
1142/// ```
1143///
1144/// You must ensure that the pointer is valid and not null before dereferencing
1145/// the raw slice. A slice reference must never have a null pointer, even if it's empty.
1146///
1147/// ```rust,should_panic
1148/// use std::ptr;
1149/// let danger: *const [u8] = ptr::slice_from_raw_parts(ptr::null(), 0);
1150/// unsafe {
1151///     danger.as_ref().expect("references must not be null");
1152/// }
1153/// ```
1154#[inline]
1155#[stable(feature = "slice_from_raw_parts", since = "1.42.0")]
1156#[rustc_const_stable(feature = "const_slice_from_raw_parts", since = "1.64.0")]
1157#[rustc_diagnostic_item = "ptr_slice_from_raw_parts"]
1158pub const fn slice_from_raw_parts<T>(data: *const T, len: usize) -> *const [T] {
1159    from_raw_parts(data, len)
1160}
1161
1162/// Forms a raw mutable slice from a pointer and a length.
1163///
1164/// The `len` argument is the number of **elements**, not the number of bytes.
1165///
1166/// Performs the same functionality as [`slice_from_raw_parts`], except that a
1167/// raw mutable slice is returned, as opposed to a raw immutable slice.
1168///
1169/// This function is safe, but actually using the return value is unsafe.
1170/// See the documentation of [`slice::from_raw_parts_mut`] for slice safety requirements.
1171///
1172/// [`slice::from_raw_parts_mut`]: crate::slice::from_raw_parts_mut
1173///
1174/// # Examples
1175///
1176/// ```rust
1177/// use std::ptr;
1178///
1179/// let x = &mut [5, 6, 7];
1180/// let raw_pointer = x.as_mut_ptr();
1181/// let slice = ptr::slice_from_raw_parts_mut(raw_pointer, 3);
1182///
1183/// unsafe {
1184///     (*slice)[2] = 99; // assign a value at an index in the slice
1185/// };
1186///
1187/// assert_eq!(unsafe { &*slice }[2], 99);
1188/// ```
1189///
1190/// You must ensure that the pointer is valid and not null before dereferencing
1191/// the raw slice. A slice reference must never have a null pointer, even if it's empty.
1192///
1193/// ```rust,should_panic
1194/// use std::ptr;
1195/// let danger: *mut [u8] = ptr::slice_from_raw_parts_mut(ptr::null_mut(), 0);
1196/// unsafe {
1197///     danger.as_mut().expect("references must not be null");
1198/// }
1199/// ```
1200#[inline]
1201#[stable(feature = "slice_from_raw_parts", since = "1.42.0")]
1202#[rustc_const_stable(feature = "const_slice_from_raw_parts_mut", since = "1.83.0")]
1203#[rustc_diagnostic_item = "ptr_slice_from_raw_parts_mut"]
1204pub const fn slice_from_raw_parts_mut<T>(data: *mut T, len: usize) -> *mut [T] {
1205    from_raw_parts_mut(data, len)
1206}
1207
1208/// Swaps the values at two mutable locations of the same type, without
1209/// deinitializing either.
1210///
1211/// But for the following exceptions, this function is semantically
1212/// equivalent to [`mem::swap`]:
1213///
1214/// * It operates on raw pointers instead of references. When references are
1215///   available, [`mem::swap`] should be preferred.
1216///
1217/// * The two pointed-to values may overlap. If the values do overlap, then the
1218///   overlapping region of memory from `x` will be used. This is demonstrated
1219///   in the second example below.
1220///
1221/// * The operation is "untyped" in the sense that data may be uninitialized or otherwise violate
1222///   the requirements of `T`. The initialization state is preserved exactly.
1223///
1224/// # Safety
1225///
1226/// Behavior is undefined if any of the following conditions are violated:
1227///
1228/// * Both `x` and `y` must be [valid] for both reads and writes. They must remain valid even when the
1229///   other pointer is written. (This means if the memory ranges overlap, the two pointers must not
1230///   be subject to aliasing restrictions relative to each other.)
1231///
1232/// * Both `x` and `y` must be properly aligned.
1233///
1234/// Note that even if `T` has size `0`, the pointers must be properly aligned.
1235///
1236/// [valid]: self#safety
1237///
1238/// # Examples
1239///
1240/// Swapping two non-overlapping regions:
1241///
1242/// ```
1243/// use std::ptr;
1244///
1245/// let mut array = [0, 1, 2, 3];
1246///
1247/// let (x, y) = array.split_at_mut(2);
1248/// let x = x.as_mut_ptr().cast::<[u32; 2]>(); // this is `array[0..2]`
1249/// let y = y.as_mut_ptr().cast::<[u32; 2]>(); // this is `array[2..4]`
1250///
1251/// unsafe {
1252///     ptr::swap(x, y);
1253///     assert_eq!([2, 3, 0, 1], array);
1254/// }
1255/// ```
1256///
1257/// Swapping two overlapping regions:
1258///
1259/// ```
1260/// use std::ptr;
1261///
1262/// let mut array: [i32; 4] = [0, 1, 2, 3];
1263///
1264/// let array_ptr: *mut i32 = array.as_mut_ptr();
1265///
1266/// let x = array_ptr as *mut [i32; 3]; // this is `array[0..3]`
1267/// let y = unsafe { array_ptr.add(1) } as *mut [i32; 3]; // this is `array[1..4]`
1268///
1269/// unsafe {
1270///     ptr::swap(x, y);
1271///     // The indices `1..3` of the slice overlap between `x` and `y`.
1272///     // Reasonable results would be for to them be `[2, 3]`, so that indices `0..3` are
1273///     // `[1, 2, 3]` (matching `y` before the `swap`); or for them to be `[0, 1]`
1274///     // so that indices `1..4` are `[0, 1, 2]` (matching `x` before the `swap`).
1275///     // This implementation is defined to make the latter choice.
1276///     assert_eq!([1, 0, 1, 2], array);
1277/// }
1278/// ```
1279#[inline]
1280#[stable(feature = "rust1", since = "1.0.0")]
1281#[rustc_const_stable(feature = "const_swap", since = "1.85.0")]
1282#[rustc_diagnostic_item = "ptr_swap"]
1283pub const unsafe fn swap<T>(x: *mut T, y: *mut T) {
1284    // Give ourselves some scratch space to work with.
1285    // We do not have to worry about drops: `MaybeUninit` does nothing when dropped.
1286    let mut tmp = MaybeUninit::<T>::uninit();
1287
1288    // Perform the swap
1289    // SAFETY: the caller must guarantee that `x` and `y` are
1290    // valid for writes and properly aligned. `tmp` cannot be
1291    // overlapping either `x` or `y` because `tmp` was just allocated
1292    // on the stack as a separate allocated object.
1293    unsafe {
1294        copy_nonoverlapping(x, tmp.as_mut_ptr(), 1);
1295        copy(y, x, 1); // `x` and `y` may overlap
1296        copy_nonoverlapping(tmp.as_ptr(), y, 1);
1297    }
1298}
1299
1300/// Swaps `count * size_of::<T>()` bytes between the two regions of memory
1301/// beginning at `x` and `y`. The two regions must *not* overlap.
1302///
1303/// The operation is "untyped" in the sense that data may be uninitialized or otherwise violate the
1304/// requirements of `T`. The initialization state is preserved exactly.
1305///
1306/// # Safety
1307///
1308/// Behavior is undefined if any of the following conditions are violated:
1309///
1310/// * Both `x` and `y` must be [valid] for both reads and writes of `count *
1311///   size_of::<T>()` bytes.
1312///
1313/// * Both `x` and `y` must be properly aligned.
1314///
1315/// * The region of memory beginning at `x` with a size of `count *
1316///   size_of::<T>()` bytes must *not* overlap with the region of memory
1317///   beginning at `y` with the same size.
1318///
1319/// Note that even if the effectively copied size (`count * size_of::<T>()`) is `0`,
1320/// the pointers must be properly aligned.
1321///
1322/// [valid]: self#safety
1323///
1324/// # Examples
1325///
1326/// Basic usage:
1327///
1328/// ```
1329/// use std::ptr;
1330///
1331/// let mut x = [1, 2, 3, 4];
1332/// let mut y = [7, 8, 9];
1333///
1334/// unsafe {
1335///     ptr::swap_nonoverlapping(x.as_mut_ptr(), y.as_mut_ptr(), 2);
1336/// }
1337///
1338/// assert_eq!(x, [7, 8, 3, 4]);
1339/// assert_eq!(y, [1, 2, 9]);
1340/// ```
1341///
1342/// # Const evaluation limitations
1343///
1344/// If this function is invoked during const-evaluation, the current implementation has a small (and
1345/// rarely relevant) limitation: if `count` is at least 2 and the data pointed to by `x` or `y`
1346/// contains a pointer that crosses the boundary of two `T`-sized chunks of memory, the function may
1347/// fail to evaluate (similar to a panic during const-evaluation). This behavior may change in the
1348/// future.
1349///
1350/// The limitation is illustrated by the following example:
1351///
1352/// ```
1353/// use std::mem::size_of;
1354/// use std::ptr;
1355///
1356/// const { unsafe {
1357///     const PTR_SIZE: usize = size_of::<*const i32>();
1358///     let mut data1 = [0u8; PTR_SIZE];
1359///     let mut data2 = [0u8; PTR_SIZE];
1360///     // Store a pointer in `data1`.
1361///     data1.as_mut_ptr().cast::<*const i32>().write_unaligned(&42);
1362///     // Swap the contents of `data1` and `data2` by swapping `PTR_SIZE` many `u8`-sized chunks.
1363///     // This call will fail, because the pointer in `data1` crosses the boundary
1364///     // between several of the 1-byte chunks that are being swapped here.
1365///     //ptr::swap_nonoverlapping(data1.as_mut_ptr(), data2.as_mut_ptr(), PTR_SIZE);
1366///     // Swap the contents of `data1` and `data2` by swapping a single chunk of size
1367///     // `[u8; PTR_SIZE]`. That works, as there is no pointer crossing the boundary between
1368///     // two chunks.
1369///     ptr::swap_nonoverlapping(&mut data1, &mut data2, 1);
1370///     // Read the pointer from `data2` and dereference it.
1371///     let ptr = data2.as_ptr().cast::<*const i32>().read_unaligned();
1372///     assert!(*ptr == 42);
1373/// } }
1374/// ```
1375#[inline]
1376#[stable(feature = "swap_nonoverlapping", since = "1.27.0")]
1377#[rustc_const_stable(feature = "const_swap_nonoverlapping", since = "1.88.0")]
1378#[rustc_diagnostic_item = "ptr_swap_nonoverlapping"]
1379#[rustc_allow_const_fn_unstable(const_eval_select)] // both implementations behave the same
1380pub const unsafe fn swap_nonoverlapping<T>(x: *mut T, y: *mut T, count: usize) {
1381    ub_checks::assert_unsafe_precondition!(
1382        check_library_ub,
1383        "ptr::swap_nonoverlapping requires that both pointer arguments are aligned and non-null \
1384        and the specified memory ranges do not overlap",
1385        (
1386            x: *mut () = x as *mut (),
1387            y: *mut () = y as *mut (),
1388            size: usize = size_of::<T>(),
1389            align: usize = align_of::<T>(),
1390            count: usize = count,
1391        ) => {
1392            let zero_size = size == 0 || count == 0;
1393            ub_checks::maybe_is_aligned_and_not_null(x, align, zero_size)
1394                && ub_checks::maybe_is_aligned_and_not_null(y, align, zero_size)
1395                && ub_checks::maybe_is_nonoverlapping(x, y, size, count)
1396        }
1397    );
1398
1399    const_eval_select!(
1400        @capture[T] { x: *mut T, y: *mut T, count: usize }:
1401        if const {
1402            // At compile-time we want to always copy this in chunks of `T`, to ensure that if there
1403            // are pointers inside `T` we will copy them in one go rather than trying to copy a part
1404            // of a pointer (which would not work).
1405            // SAFETY: Same preconditions as this function
1406            unsafe { swap_nonoverlapping_const(x, y, count) }
1407        } else {
1408            // Going though a slice here helps codegen know the size fits in `isize`
1409            let slice = slice_from_raw_parts_mut(x, count);
1410            // SAFETY: This is all readable from the pointer, meaning it's one
1411            // allocated object, and thus cannot be more than isize::MAX bytes.
1412            let bytes = unsafe { mem::size_of_val_raw::<[T]>(slice) };
1413            if let Some(bytes) = NonZero::new(bytes) {
1414                // SAFETY: These are the same ranges, just expressed in a different
1415                // type, so they're still non-overlapping.
1416                unsafe { swap_nonoverlapping_bytes(x.cast(), y.cast(), bytes) };
1417            }
1418        }
1419    )
1420}
1421
1422/// Same behavior and safety conditions as [`swap_nonoverlapping`]
1423#[inline]
1424const unsafe fn swap_nonoverlapping_const<T>(x: *mut T, y: *mut T, count: usize) {
1425    let mut i = 0;
1426    while i < count {
1427        // SAFETY: By precondition, `i` is in-bounds because it's below `n`
1428        let x = unsafe { x.add(i) };
1429        // SAFETY: By precondition, `i` is in-bounds because it's below `n`
1430        // and it's distinct from `x` since the ranges are non-overlapping
1431        let y = unsafe { y.add(i) };
1432
1433        // SAFETY: we're only ever given pointers that are valid to read/write,
1434        // including being aligned, and nothing here panics so it's drop-safe.
1435        unsafe {
1436            // Note that it's critical that these use `copy_nonoverlapping`,
1437            // rather than `read`/`write`, to avoid #134713 if T has padding.
1438            let mut temp = MaybeUninit::<T>::uninit();
1439            copy_nonoverlapping(x, temp.as_mut_ptr(), 1);
1440            copy_nonoverlapping(y, x, 1);
1441            copy_nonoverlapping(temp.as_ptr(), y, 1);
1442        }
1443
1444        i += 1;
1445    }
1446}
1447
1448// Don't let MIR inline this, because we really want it to keep its noalias metadata
1449#[rustc_no_mir_inline]
1450#[inline]
1451fn swap_chunk<const N: usize>(x: &mut MaybeUninit<[u8; N]>, y: &mut MaybeUninit<[u8; N]>) {
1452    let a = *x;
1453    let b = *y;
1454    *x = b;
1455    *y = a;
1456}
1457
1458#[inline]
1459unsafe fn swap_nonoverlapping_bytes(x: *mut u8, y: *mut u8, bytes: NonZero<usize>) {
1460    // Same as `swap_nonoverlapping::<[u8; N]>`.
1461    unsafe fn swap_nonoverlapping_chunks<const N: usize>(
1462        x: *mut MaybeUninit<[u8; N]>,
1463        y: *mut MaybeUninit<[u8; N]>,
1464        chunks: NonZero<usize>,
1465    ) {
1466        let chunks = chunks.get();
1467        for i in 0..chunks {
1468            // SAFETY: i is in [0, chunks) so the adds and dereferences are in-bounds.
1469            unsafe { swap_chunk(&mut *x.add(i), &mut *y.add(i)) };
1470        }
1471    }
1472
1473    // Same as `swap_nonoverlapping_bytes`, but accepts at most 1+2+4=7 bytes
1474    #[inline]
1475    unsafe fn swap_nonoverlapping_short(x: *mut u8, y: *mut u8, bytes: NonZero<usize>) {
1476        // Tail handling for auto-vectorized code sometimes has element-at-a-time behaviour,
1477        // see <https://github.com/rust-lang/rust/issues/134946>.
1478        // By swapping as different sizes, rather than as a loop over bytes,
1479        // we make sure not to end up with, say, seven byte-at-a-time copies.
1480
1481        let bytes = bytes.get();
1482        let mut i = 0;
1483        macro_rules! swap_prefix {
1484            ($($n:literal)+) => {$(
1485                if (bytes & $n) != 0 {
1486                    // SAFETY: `i` can only have the same bits set as those in bytes,
1487                    // so these `add`s are in-bounds of `bytes`.  But the bit for
1488                    // `$n` hasn't been set yet, so the `$n` bytes that `swap_chunk`
1489                    // will read and write are within the usable range.
1490                    unsafe { swap_chunk::<$n>(&mut*x.add(i).cast(), &mut*y.add(i).cast()) };
1491                    i |= $n;
1492                }
1493            )+};
1494        }
1495        swap_prefix!(4 2 1);
1496        debug_assert_eq!(i, bytes);
1497    }
1498
1499    const CHUNK_SIZE: usize = size_of::<*const ()>();
1500    let bytes = bytes.get();
1501
1502    let chunks = bytes / CHUNK_SIZE;
1503    let tail = bytes % CHUNK_SIZE;
1504    if let Some(chunks) = NonZero::new(chunks) {
1505        // SAFETY: this is bytes/CHUNK_SIZE*CHUNK_SIZE bytes, which is <= bytes,
1506        // so it's within the range of our non-overlapping bytes.
1507        unsafe { swap_nonoverlapping_chunks::<CHUNK_SIZE>(x.cast(), y.cast(), chunks) };
1508    }
1509    if let Some(tail) = NonZero::new(tail) {
1510        const { assert!(CHUNK_SIZE <= 8) };
1511        let delta = chunks * CHUNK_SIZE;
1512        // SAFETY: the tail length is below CHUNK SIZE because of the remainder,
1513        // and CHUNK_SIZE is at most 8 by the const assert, so tail <= 7
1514        unsafe { swap_nonoverlapping_short(x.add(delta), y.add(delta), tail) };
1515    }
1516}
1517
1518/// Moves `src` into the pointed `dst`, returning the previous `dst` value.
1519///
1520/// Neither value is dropped.
1521///
1522/// This function is semantically equivalent to [`mem::replace`] except that it
1523/// operates on raw pointers instead of references. When references are
1524/// available, [`mem::replace`] should be preferred.
1525///
1526/// # Safety
1527///
1528/// Behavior is undefined if any of the following conditions are violated:
1529///
1530/// * `dst` must be [valid] for both reads and writes.
1531///
1532/// * `dst` must be properly aligned.
1533///
1534/// * `dst` must point to a properly initialized value of type `T`.
1535///
1536/// Note that even if `T` has size `0`, the pointer must be properly aligned.
1537///
1538/// [valid]: self#safety
1539///
1540/// # Examples
1541///
1542/// ```
1543/// use std::ptr;
1544///
1545/// let mut rust = vec!['b', 'u', 's', 't'];
1546///
1547/// // `mem::replace` would have the same effect without requiring the unsafe
1548/// // block.
1549/// let b = unsafe {
1550///     ptr::replace(&mut rust[0], 'r')
1551/// };
1552///
1553/// assert_eq!(b, 'b');
1554/// assert_eq!(rust, &['r', 'u', 's', 't']);
1555/// ```
1556#[inline]
1557#[stable(feature = "rust1", since = "1.0.0")]
1558#[rustc_const_stable(feature = "const_replace", since = "1.83.0")]
1559#[rustc_diagnostic_item = "ptr_replace"]
1560pub const unsafe fn replace<T>(dst: *mut T, src: T) -> T {
1561    // SAFETY: the caller must guarantee that `dst` is valid to be
1562    // cast to a mutable reference (valid for writes, aligned, initialized),
1563    // and cannot overlap `src` since `dst` must point to a distinct
1564    // allocated object.
1565    unsafe {
1566        ub_checks::assert_unsafe_precondition!(
1567            check_language_ub,
1568            "ptr::replace requires that the pointer argument is aligned and non-null",
1569            (
1570                addr: *const () = dst as *const (),
1571                align: usize = align_of::<T>(),
1572                is_zst: bool = T::IS_ZST,
1573            ) => ub_checks::maybe_is_aligned_and_not_null(addr, align, is_zst)
1574        );
1575        mem::replace(&mut *dst, src)
1576    }
1577}
1578
1579/// Reads the value from `src` without moving it. This leaves the
1580/// memory in `src` unchanged.
1581///
1582/// # Safety
1583///
1584/// Behavior is undefined if any of the following conditions are violated:
1585///
1586/// * `src` must be [valid] for reads.
1587///
1588/// * `src` must be properly aligned. Use [`read_unaligned`] if this is not the
1589///   case.
1590///
1591/// * `src` must point to a properly initialized value of type `T`.
1592///
1593/// Note that even if `T` has size `0`, the pointer must be properly aligned.
1594///
1595/// # Examples
1596///
1597/// Basic usage:
1598///
1599/// ```
1600/// let x = 12;
1601/// let y = &x as *const i32;
1602///
1603/// unsafe {
1604///     assert_eq!(std::ptr::read(y), 12);
1605/// }
1606/// ```
1607///
1608/// Manually implement [`mem::swap`]:
1609///
1610/// ```
1611/// use std::ptr;
1612///
1613/// fn swap<T>(a: &mut T, b: &mut T) {
1614///     unsafe {
1615///         // Create a bitwise copy of the value at `a` in `tmp`.
1616///         let tmp = ptr::read(a);
1617///
1618///         // Exiting at this point (either by explicitly returning or by
1619///         // calling a function which panics) would cause the value in `tmp` to
1620///         // be dropped while the same value is still referenced by `a`. This
1621///         // could trigger undefined behavior if `T` is not `Copy`.
1622///
1623///         // Create a bitwise copy of the value at `b` in `a`.
1624///         // This is safe because mutable references cannot alias.
1625///         ptr::copy_nonoverlapping(b, a, 1);
1626///
1627///         // As above, exiting here could trigger undefined behavior because
1628///         // the same value is referenced by `a` and `b`.
1629///
1630///         // Move `tmp` into `b`.
1631///         ptr::write(b, tmp);
1632///
1633///         // `tmp` has been moved (`write` takes ownership of its second argument),
1634///         // so nothing is dropped implicitly here.
1635///     }
1636/// }
1637///
1638/// let mut foo = "foo".to_owned();
1639/// let mut bar = "bar".to_owned();
1640///
1641/// swap(&mut foo, &mut bar);
1642///
1643/// assert_eq!(foo, "bar");
1644/// assert_eq!(bar, "foo");
1645/// ```
1646///
1647/// ## Ownership of the Returned Value
1648///
1649/// `read` creates a bitwise copy of `T`, regardless of whether `T` is [`Copy`].
1650/// If `T` is not [`Copy`], using both the returned value and the value at
1651/// `*src` can violate memory safety. Note that assigning to `*src` counts as a
1652/// use because it will attempt to drop the value at `*src`.
1653///
1654/// [`write()`] can be used to overwrite data without causing it to be dropped.
1655///
1656/// ```
1657/// use std::ptr;
1658///
1659/// let mut s = String::from("foo");
1660/// unsafe {
1661///     // `s2` now points to the same underlying memory as `s`.
1662///     let mut s2: String = ptr::read(&s);
1663///
1664///     assert_eq!(s2, "foo");
1665///
1666///     // Assigning to `s2` causes its original value to be dropped. Beyond
1667///     // this point, `s` must no longer be used, as the underlying memory has
1668///     // been freed.
1669///     s2 = String::default();
1670///     assert_eq!(s2, "");
1671///
1672///     // Assigning to `s` would cause the old value to be dropped again,
1673///     // resulting in undefined behavior.
1674///     // s = String::from("bar"); // ERROR
1675///
1676///     // `ptr::write` can be used to overwrite a value without dropping it.
1677///     ptr::write(&mut s, String::from("bar"));
1678/// }
1679///
1680/// assert_eq!(s, "bar");
1681/// ```
1682///
1683/// [valid]: self#safety
1684#[inline]
1685#[stable(feature = "rust1", since = "1.0.0")]
1686#[rustc_const_stable(feature = "const_ptr_read", since = "1.71.0")]
1687#[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
1688#[rustc_diagnostic_item = "ptr_read"]
1689pub const unsafe fn read<T>(src: *const T) -> T {
1690    // It would be semantically correct to implement this via `copy_nonoverlapping`
1691    // and `MaybeUninit`, as was done before PR #109035. Calling `assume_init`
1692    // provides enough information to know that this is a typed operation.
1693
1694    // However, as of March 2023 the compiler was not capable of taking advantage
1695    // of that information. Thus, the implementation here switched to an intrinsic,
1696    // which lowers to `_0 = *src` in MIR, to address a few issues:
1697    //
1698    // - Using `MaybeUninit::assume_init` after a `copy_nonoverlapping` was not
1699    //   turning the untyped copy into a typed load. As such, the generated
1700    //   `load` in LLVM didn't get various metadata, such as `!range` (#73258),
1701    //   `!nonnull`, and `!noundef`, resulting in poorer optimization.
1702    // - Going through the extra local resulted in multiple extra copies, even
1703    //   in optimized MIR.  (Ignoring StorageLive/Dead, the intrinsic is one
1704    //   MIR statement, while the previous implementation was eight.)  LLVM
1705    //   could sometimes optimize them away, but because `read` is at the core
1706    //   of so many things, not having them in the first place improves what we
1707    //   hand off to the backend.  For example, `mem::replace::<Big>` previously
1708    //   emitted 4 `alloca` and 6 `memcpy`s, but is now 1 `alloc` and 3 `memcpy`s.
1709    // - In general, this approach keeps us from getting any more bugs (like
1710    //   #106369) that boil down to "`read(p)` is worse than `*p`", as this
1711    //   makes them look identical to the backend (or other MIR consumers).
1712    //
1713    // Future enhancements to MIR optimizations might well allow this to return
1714    // to the previous implementation, rather than using an intrinsic.
1715
1716    // SAFETY: the caller must guarantee that `src` is valid for reads.
1717    unsafe {
1718        #[cfg(debug_assertions)] // Too expensive to always enable (for now?)
1719        ub_checks::assert_unsafe_precondition!(
1720            check_language_ub,
1721            "ptr::read requires that the pointer argument is aligned and non-null",
1722            (
1723                addr: *const () = src as *const (),
1724                align: usize = align_of::<T>(),
1725                is_zst: bool = T::IS_ZST,
1726            ) => ub_checks::maybe_is_aligned_and_not_null(addr, align, is_zst)
1727        );
1728        crate::intrinsics::read_via_copy(src)
1729    }
1730}
1731
1732/// Reads the value from `src` without moving it. This leaves the
1733/// memory in `src` unchanged.
1734///
1735/// Unlike [`read`], `read_unaligned` works with unaligned pointers.
1736///
1737/// # Safety
1738///
1739/// Behavior is undefined if any of the following conditions are violated:
1740///
1741/// * `src` must be [valid] for reads.
1742///
1743/// * `src` must point to a properly initialized value of type `T`.
1744///
1745/// Like [`read`], `read_unaligned` creates a bitwise copy of `T`, regardless of
1746/// whether `T` is [`Copy`]. If `T` is not [`Copy`], using both the returned
1747/// value and the value at `*src` can [violate memory safety][read-ownership].
1748///
1749/// [read-ownership]: read#ownership-of-the-returned-value
1750/// [valid]: self#safety
1751///
1752/// ## On `packed` structs
1753///
1754/// Attempting to create a raw pointer to an `unaligned` struct field with
1755/// an expression such as `&packed.unaligned as *const FieldType` creates an
1756/// intermediate unaligned reference before converting that to a raw pointer.
1757/// That this reference is temporary and immediately cast is inconsequential
1758/// as the compiler always expects references to be properly aligned.
1759/// As a result, using `&packed.unaligned as *const FieldType` causes immediate
1760/// *undefined behavior* in your program.
1761///
1762/// Instead you must use the `&raw const` syntax to create the pointer.
1763/// You may use that constructed pointer together with this function.
1764///
1765/// An example of what not to do and how this relates to `read_unaligned` is:
1766///
1767/// ```
1768/// #[repr(packed, C)]
1769/// struct Packed {
1770///     _padding: u8,
1771///     unaligned: u32,
1772/// }
1773///
1774/// let packed = Packed {
1775///     _padding: 0x00,
1776///     unaligned: 0x01020304,
1777/// };
1778///
1779/// // Take the address of a 32-bit integer which is not aligned.
1780/// // In contrast to `&packed.unaligned as *const _`, this has no undefined behavior.
1781/// let unaligned = &raw const packed.unaligned;
1782///
1783/// let v = unsafe { std::ptr::read_unaligned(unaligned) };
1784/// assert_eq!(v, 0x01020304);
1785/// ```
1786///
1787/// Accessing unaligned fields directly with e.g. `packed.unaligned` is safe however.
1788///
1789/// # Examples
1790///
1791/// Read a `usize` value from a byte buffer:
1792///
1793/// ```
1794/// fn read_usize(x: &[u8]) -> usize {
1795///     assert!(x.len() >= size_of::<usize>());
1796///
1797///     let ptr = x.as_ptr() as *const usize;
1798///
1799///     unsafe { ptr.read_unaligned() }
1800/// }
1801/// ```
1802#[inline]
1803#[stable(feature = "ptr_unaligned", since = "1.17.0")]
1804#[rustc_const_stable(feature = "const_ptr_read", since = "1.71.0")]
1805#[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
1806#[rustc_diagnostic_item = "ptr_read_unaligned"]
1807pub const unsafe fn read_unaligned<T>(src: *const T) -> T {
1808    let mut tmp = MaybeUninit::<T>::uninit();
1809    // SAFETY: the caller must guarantee that `src` is valid for reads.
1810    // `src` cannot overlap `tmp` because `tmp` was just allocated on
1811    // the stack as a separate allocated object.
1812    //
1813    // Also, since we just wrote a valid value into `tmp`, it is guaranteed
1814    // to be properly initialized.
1815    unsafe {
1816        copy_nonoverlapping(src as *const u8, tmp.as_mut_ptr() as *mut u8, size_of::<T>());
1817        tmp.assume_init()
1818    }
1819}
1820
1821/// Overwrites a memory location with the given value without reading or
1822/// dropping the old value.
1823///
1824/// `write` does not drop the contents of `dst`. This is safe, but it could leak
1825/// allocations or resources, so care should be taken not to overwrite an object
1826/// that should be dropped.
1827///
1828/// Additionally, it does not drop `src`. Semantically, `src` is moved into the
1829/// location pointed to by `dst`.
1830///
1831/// This is appropriate for initializing uninitialized memory, or overwriting
1832/// memory that has previously been [`read`] from.
1833///
1834/// # Safety
1835///
1836/// Behavior is undefined if any of the following conditions are violated:
1837///
1838/// * `dst` must be [valid] for writes.
1839///
1840/// * `dst` must be properly aligned. Use [`write_unaligned`] if this is not the
1841///   case.
1842///
1843/// Note that even if `T` has size `0`, the pointer must be properly aligned.
1844///
1845/// [valid]: self#safety
1846///
1847/// # Examples
1848///
1849/// Basic usage:
1850///
1851/// ```
1852/// let mut x = 0;
1853/// let y = &mut x as *mut i32;
1854/// let z = 12;
1855///
1856/// unsafe {
1857///     std::ptr::write(y, z);
1858///     assert_eq!(std::ptr::read(y), 12);
1859/// }
1860/// ```
1861///
1862/// Manually implement [`mem::swap`]:
1863///
1864/// ```
1865/// use std::ptr;
1866///
1867/// fn swap<T>(a: &mut T, b: &mut T) {
1868///     unsafe {
1869///         // Create a bitwise copy of the value at `a` in `tmp`.
1870///         let tmp = ptr::read(a);
1871///
1872///         // Exiting at this point (either by explicitly returning or by
1873///         // calling a function which panics) would cause the value in `tmp` to
1874///         // be dropped while the same value is still referenced by `a`. This
1875///         // could trigger undefined behavior if `T` is not `Copy`.
1876///
1877///         // Create a bitwise copy of the value at `b` in `a`.
1878///         // This is safe because mutable references cannot alias.
1879///         ptr::copy_nonoverlapping(b, a, 1);
1880///
1881///         // As above, exiting here could trigger undefined behavior because
1882///         // the same value is referenced by `a` and `b`.
1883///
1884///         // Move `tmp` into `b`.
1885///         ptr::write(b, tmp);
1886///
1887///         // `tmp` has been moved (`write` takes ownership of its second argument),
1888///         // so nothing is dropped implicitly here.
1889///     }
1890/// }
1891///
1892/// let mut foo = "foo".to_owned();
1893/// let mut bar = "bar".to_owned();
1894///
1895/// swap(&mut foo, &mut bar);
1896///
1897/// assert_eq!(foo, "bar");
1898/// assert_eq!(bar, "foo");
1899/// ```
1900#[inline]
1901#[stable(feature = "rust1", since = "1.0.0")]
1902#[rustc_const_stable(feature = "const_ptr_write", since = "1.83.0")]
1903#[rustc_diagnostic_item = "ptr_write"]
1904#[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
1905pub const unsafe fn write<T>(dst: *mut T, src: T) {
1906    // Semantically, it would be fine for this to be implemented as a
1907    // `copy_nonoverlapping` and appropriate drop suppression of `src`.
1908
1909    // However, implementing via that currently produces more MIR than is ideal.
1910    // Using an intrinsic keeps it down to just the simple `*dst = move src` in
1911    // MIR (11 statements shorter, at the time of writing), and also allows
1912    // `src` to stay an SSA value in codegen_ssa, rather than a memory one.
1913
1914    // SAFETY: the caller must guarantee that `dst` is valid for writes.
1915    // `dst` cannot overlap `src` because the caller has mutable access
1916    // to `dst` while `src` is owned by this function.
1917    unsafe {
1918        #[cfg(debug_assertions)] // Too expensive to always enable (for now?)
1919        ub_checks::assert_unsafe_precondition!(
1920            check_language_ub,
1921            "ptr::write requires that the pointer argument is aligned and non-null",
1922            (
1923                addr: *mut () = dst as *mut (),
1924                align: usize = align_of::<T>(),
1925                is_zst: bool = T::IS_ZST,
1926            ) => ub_checks::maybe_is_aligned_and_not_null(addr, align, is_zst)
1927        );
1928        intrinsics::write_via_move(dst, src)
1929    }
1930}
1931
1932/// Overwrites a memory location with the given value without reading or
1933/// dropping the old value.
1934///
1935/// Unlike [`write()`], the pointer may be unaligned.
1936///
1937/// `write_unaligned` does not drop the contents of `dst`. This is safe, but it
1938/// could leak allocations or resources, so care should be taken not to overwrite
1939/// an object that should be dropped.
1940///
1941/// Additionally, it does not drop `src`. Semantically, `src` is moved into the
1942/// location pointed to by `dst`.
1943///
1944/// This is appropriate for initializing uninitialized memory, or overwriting
1945/// memory that has previously been read with [`read_unaligned`].
1946///
1947/// # Safety
1948///
1949/// Behavior is undefined if any of the following conditions are violated:
1950///
1951/// * `dst` must be [valid] for writes.
1952///
1953/// [valid]: self#safety
1954///
1955/// ## On `packed` structs
1956///
1957/// Attempting to create a raw pointer to an `unaligned` struct field with
1958/// an expression such as `&packed.unaligned as *const FieldType` creates an
1959/// intermediate unaligned reference before converting that to a raw pointer.
1960/// That this reference is temporary and immediately cast is inconsequential
1961/// as the compiler always expects references to be properly aligned.
1962/// As a result, using `&packed.unaligned as *const FieldType` causes immediate
1963/// *undefined behavior* in your program.
1964///
1965/// Instead, you must use the `&raw mut` syntax to create the pointer.
1966/// You may use that constructed pointer together with this function.
1967///
1968/// An example of how to do it and how this relates to `write_unaligned` is:
1969///
1970/// ```
1971/// #[repr(packed, C)]
1972/// struct Packed {
1973///     _padding: u8,
1974///     unaligned: u32,
1975/// }
1976///
1977/// let mut packed: Packed = unsafe { std::mem::zeroed() };
1978///
1979/// // Take the address of a 32-bit integer which is not aligned.
1980/// // In contrast to `&packed.unaligned as *mut _`, this has no undefined behavior.
1981/// let unaligned = &raw mut packed.unaligned;
1982///
1983/// unsafe { std::ptr::write_unaligned(unaligned, 42) };
1984///
1985/// assert_eq!({packed.unaligned}, 42); // `{...}` forces copying the field instead of creating a reference.
1986/// ```
1987///
1988/// Accessing unaligned fields directly with e.g. `packed.unaligned` is safe however
1989/// (as can be seen in the `assert_eq!` above).
1990///
1991/// # Examples
1992///
1993/// Write a `usize` value to a byte buffer:
1994///
1995/// ```
1996/// fn write_usize(x: &mut [u8], val: usize) {
1997///     assert!(x.len() >= size_of::<usize>());
1998///
1999///     let ptr = x.as_mut_ptr() as *mut usize;
2000///
2001///     unsafe { ptr.write_unaligned(val) }
2002/// }
2003/// ```
2004#[inline]
2005#[stable(feature = "ptr_unaligned", since = "1.17.0")]
2006#[rustc_const_stable(feature = "const_ptr_write", since = "1.83.0")]
2007#[rustc_diagnostic_item = "ptr_write_unaligned"]
2008#[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
2009pub const unsafe fn write_unaligned<T>(dst: *mut T, src: T) {
2010    // SAFETY: the caller must guarantee that `dst` is valid for writes.
2011    // `dst` cannot overlap `src` because the caller has mutable access
2012    // to `dst` while `src` is owned by this function.
2013    unsafe {
2014        copy_nonoverlapping((&raw const src) as *const u8, dst as *mut u8, size_of::<T>());
2015        // We are calling the intrinsic directly to avoid function calls in the generated code.
2016        intrinsics::forget(src);
2017    }
2018}
2019
2020/// Performs a volatile read of the value from `src` without moving it. This
2021/// leaves the memory in `src` unchanged.
2022///
2023/// Volatile operations are intended to act on I/O memory, and are guaranteed
2024/// to not be elided or reordered by the compiler across other volatile
2025/// operations.
2026///
2027/// # Notes
2028///
2029/// Rust does not currently have a rigorously and formally defined memory model,
2030/// so the precise semantics of what "volatile" means here is subject to change
2031/// over time. That being said, the semantics will almost always end up pretty
2032/// similar to [C11's definition of volatile][c11].
2033///
2034/// The compiler shouldn't change the relative order or number of volatile
2035/// memory operations. However, volatile memory operations on zero-sized types
2036/// (e.g., if a zero-sized type is passed to `read_volatile`) are noops
2037/// and may be ignored.
2038///
2039/// [c11]: http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1570.pdf
2040///
2041/// # Safety
2042///
2043/// Behavior is undefined if any of the following conditions are violated:
2044///
2045/// * `src` must be [valid] for reads.
2046///
2047/// * `src` must be properly aligned.
2048///
2049/// * `src` must point to a properly initialized value of type `T`.
2050///
2051/// Like [`read`], `read_volatile` creates a bitwise copy of `T`, regardless of
2052/// whether `T` is [`Copy`]. If `T` is not [`Copy`], using both the returned
2053/// value and the value at `*src` can [violate memory safety][read-ownership].
2054/// However, storing non-[`Copy`] types in volatile memory is almost certainly
2055/// incorrect.
2056///
2057/// Note that even if `T` has size `0`, the pointer must be properly aligned.
2058///
2059/// [valid]: self#safety
2060/// [read-ownership]: read#ownership-of-the-returned-value
2061///
2062/// Just like in C, whether an operation is volatile has no bearing whatsoever
2063/// on questions involving concurrent access from multiple threads. Volatile
2064/// accesses behave exactly like non-atomic accesses in that regard. In particular,
2065/// a race between a `read_volatile` and any write operation to the same location
2066/// is undefined behavior.
2067///
2068/// # Examples
2069///
2070/// Basic usage:
2071///
2072/// ```
2073/// let x = 12;
2074/// let y = &x as *const i32;
2075///
2076/// unsafe {
2077///     assert_eq!(std::ptr::read_volatile(y), 12);
2078/// }
2079/// ```
2080#[inline]
2081#[stable(feature = "volatile", since = "1.9.0")]
2082#[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
2083#[rustc_diagnostic_item = "ptr_read_volatile"]
2084pub unsafe fn read_volatile<T>(src: *const T) -> T {
2085    // SAFETY: the caller must uphold the safety contract for `volatile_load`.
2086    unsafe {
2087        ub_checks::assert_unsafe_precondition!(
2088            check_language_ub,
2089            "ptr::read_volatile requires that the pointer argument is aligned and non-null",
2090            (
2091                addr: *const () = src as *const (),
2092                align: usize = align_of::<T>(),
2093                is_zst: bool = T::IS_ZST,
2094            ) => ub_checks::maybe_is_aligned_and_not_null(addr, align, is_zst)
2095        );
2096        intrinsics::volatile_load(src)
2097    }
2098}
2099
2100/// Performs a volatile write of a memory location with the given value without
2101/// reading or dropping the old value.
2102///
2103/// Volatile operations are intended to act on I/O memory, and are guaranteed
2104/// to not be elided or reordered by the compiler across other volatile
2105/// operations.
2106///
2107/// `write_volatile` does not drop the contents of `dst`. This is safe, but it
2108/// could leak allocations or resources, so care should be taken not to overwrite
2109/// an object that should be dropped.
2110///
2111/// Additionally, it does not drop `src`. Semantically, `src` is moved into the
2112/// location pointed to by `dst`.
2113///
2114/// # Notes
2115///
2116/// Rust does not currently have a rigorously and formally defined memory model,
2117/// so the precise semantics of what "volatile" means here is subject to change
2118/// over time. That being said, the semantics will almost always end up pretty
2119/// similar to [C11's definition of volatile][c11].
2120///
2121/// The compiler shouldn't change the relative order or number of volatile
2122/// memory operations. However, volatile memory operations on zero-sized types
2123/// (e.g., if a zero-sized type is passed to `write_volatile`) are noops
2124/// and may be ignored.
2125///
2126/// [c11]: http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1570.pdf
2127///
2128/// # Safety
2129///
2130/// Behavior is undefined if any of the following conditions are violated:
2131///
2132/// * `dst` must be [valid] for writes.
2133///
2134/// * `dst` must be properly aligned.
2135///
2136/// Note that even if `T` has size `0`, the pointer must be properly aligned.
2137///
2138/// [valid]: self#safety
2139///
2140/// Just like in C, whether an operation is volatile has no bearing whatsoever
2141/// on questions involving concurrent access from multiple threads. Volatile
2142/// accesses behave exactly like non-atomic accesses in that regard. In particular,
2143/// a race between a `write_volatile` and any other operation (reading or writing)
2144/// on the same location is undefined behavior.
2145///
2146/// # Examples
2147///
2148/// Basic usage:
2149///
2150/// ```
2151/// let mut x = 0;
2152/// let y = &mut x as *mut i32;
2153/// let z = 12;
2154///
2155/// unsafe {
2156///     std::ptr::write_volatile(y, z);
2157///     assert_eq!(std::ptr::read_volatile(y), 12);
2158/// }
2159/// ```
2160#[inline]
2161#[stable(feature = "volatile", since = "1.9.0")]
2162#[rustc_diagnostic_item = "ptr_write_volatile"]
2163#[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
2164pub unsafe fn write_volatile<T>(dst: *mut T, src: T) {
2165    // SAFETY: the caller must uphold the safety contract for `volatile_store`.
2166    unsafe {
2167        ub_checks::assert_unsafe_precondition!(
2168            check_language_ub,
2169            "ptr::write_volatile requires that the pointer argument is aligned and non-null",
2170            (
2171                addr: *mut () = dst as *mut (),
2172                align: usize = align_of::<T>(),
2173                is_zst: bool = T::IS_ZST,
2174            ) => ub_checks::maybe_is_aligned_and_not_null(addr, align, is_zst)
2175        );
2176        intrinsics::volatile_store(dst, src);
2177    }
2178}
2179
2180/// Align pointer `p`.
2181///
2182/// Calculate offset (in terms of elements of `size_of::<T>()` stride) that has to be applied
2183/// to pointer `p` so that pointer `p` would get aligned to `a`.
2184///
2185/// # Safety
2186/// `a` must be a power of two.
2187///
2188/// # Notes
2189/// This implementation has been carefully tailored to not panic. It is UB for this to panic.
2190/// The only real change that can be made here is change of `INV_TABLE_MOD_16` and associated
2191/// constants.
2192///
2193/// If we ever decide to make it possible to call the intrinsic with `a` that is not a
2194/// power-of-two, it will probably be more prudent to just change to a naive implementation rather
2195/// than trying to adapt this to accommodate that change.
2196///
2197/// Any questions go to @nagisa.
2198#[allow(ptr_to_integer_transmute_in_consts)]
2199pub(crate) unsafe fn align_offset<T: Sized>(p: *const T, a: usize) -> usize {
2200    // FIXME(#75598): Direct use of these intrinsics improves codegen significantly at opt-level <=
2201    // 1, where the method versions of these operations are not inlined.
2202    use intrinsics::{
2203        assume, cttz_nonzero, exact_div, mul_with_overflow, unchecked_rem, unchecked_shl,
2204        unchecked_shr, unchecked_sub, wrapping_add, wrapping_mul, wrapping_sub,
2205    };
2206
2207    /// Calculate multiplicative modular inverse of `x` modulo `m`.
2208    ///
2209    /// This implementation is tailored for `align_offset` and has following preconditions:
2210    ///
2211    /// * `m` is a power-of-two;
2212    /// * `x < m`; (if `x ≥ m`, pass in `x % m` instead)
2213    ///
2214    /// Implementation of this function shall not panic. Ever.
2215    #[inline]
2216    const unsafe fn mod_inv(x: usize, m: usize) -> usize {
2217        /// Multiplicative modular inverse table modulo 2⁴ = 16.
2218        ///
2219        /// Note, that this table does not contain values where inverse does not exist (i.e., for
2220        /// `0⁻¹ mod 16`, `2⁻¹ mod 16`, etc.)
2221        const INV_TABLE_MOD_16: [u8; 8] = [1, 11, 13, 7, 9, 3, 5, 15];
2222        /// Modulo for which the `INV_TABLE_MOD_16` is intended.
2223        const INV_TABLE_MOD: usize = 16;
2224
2225        // SAFETY: `m` is required to be a power-of-two, hence non-zero.
2226        let m_minus_one = unsafe { unchecked_sub(m, 1) };
2227        let mut inverse = INV_TABLE_MOD_16[(x & (INV_TABLE_MOD - 1)) >> 1] as usize;
2228        let mut mod_gate = INV_TABLE_MOD;
2229        // We iterate "up" using the following formula:
2230        //
2231        // $$ xy ≡ 1 (mod 2ⁿ) → xy (2 - xy) ≡ 1 (mod 2²ⁿ) $$
2232        //
2233        // This application needs to be applied at least until `2²ⁿ ≥ m`, at which point we can
2234        // finally reduce the computation to our desired `m` by taking `inverse mod m`.
2235        //
2236        // This computation is `O(log log m)`, which is to say, that on 64-bit machines this loop
2237        // will always finish in at most 4 iterations.
2238        loop {
2239            // y = y * (2 - xy) mod n
2240            //
2241            // Note, that we use wrapping operations here intentionally – the original formula
2242            // uses e.g., subtraction `mod n`. It is entirely fine to do them `mod
2243            // usize::MAX` instead, because we take the result `mod n` at the end
2244            // anyway.
2245            if mod_gate >= m {
2246                break;
2247            }
2248            inverse = wrapping_mul(inverse, wrapping_sub(2usize, wrapping_mul(x, inverse)));
2249            let (new_gate, overflow) = mul_with_overflow(mod_gate, mod_gate);
2250            if overflow {
2251                break;
2252            }
2253            mod_gate = new_gate;
2254        }
2255        inverse & m_minus_one
2256    }
2257
2258    let stride = size_of::<T>();
2259
2260    let addr: usize = p.addr();
2261
2262    // SAFETY: `a` is a power-of-two, therefore non-zero.
2263    let a_minus_one = unsafe { unchecked_sub(a, 1) };
2264
2265    if stride == 0 {
2266        // SPECIAL_CASE: handle 0-sized types. No matter how many times we step, the address will
2267        // stay the same, so no offset will be able to align the pointer unless it is already
2268        // aligned. This branch _will_ be optimized out as `stride` is known at compile-time.
2269        let p_mod_a = addr & a_minus_one;
2270        return if p_mod_a == 0 { 0 } else { usize::MAX };
2271    }
2272
2273    // SAFETY: `stride == 0` case has been handled by the special case above.
2274    let a_mod_stride = unsafe { unchecked_rem(a, stride) };
2275    if a_mod_stride == 0 {
2276        // SPECIAL_CASE: In cases where the `a` is divisible by `stride`, byte offset to align a
2277        // pointer can be computed more simply through `-p (mod a)`. In the off-chance the byte
2278        // offset is not a multiple of `stride`, the input pointer was misaligned and no pointer
2279        // offset will be able to produce a `p` aligned to the specified `a`.
2280        //
2281        // The naive `-p (mod a)` equation inhibits LLVM's ability to select instructions
2282        // like `lea`. We compute `(round_up_to_next_alignment(p, a) - p)` instead. This
2283        // redistributes operations around the load-bearing, but pessimizing `and` instruction
2284        // sufficiently for LLVM to be able to utilize the various optimizations it knows about.
2285        //
2286        // LLVM handles the branch here particularly nicely. If this branch needs to be evaluated
2287        // at runtime, it will produce a mask `if addr_mod_stride == 0 { 0 } else { usize::MAX }`
2288        // in a branch-free way and then bitwise-OR it with whatever result the `-p mod a`
2289        // computation produces.
2290
2291        let aligned_address = wrapping_add(addr, a_minus_one) & wrapping_sub(0, a);
2292        let byte_offset = wrapping_sub(aligned_address, addr);
2293        // FIXME: Remove the assume after <https://github.com/llvm/llvm-project/issues/62502>
2294        // SAFETY: Masking by `-a` can only affect the low bits, and thus cannot have reduced
2295        // the value by more than `a-1`, so even though the intermediate values might have
2296        // wrapped, the byte_offset is always in `[0, a)`.
2297        unsafe { assume(byte_offset < a) };
2298
2299        // SAFETY: `stride == 0` case has been handled by the special case above.
2300        let addr_mod_stride = unsafe { unchecked_rem(addr, stride) };
2301
2302        return if addr_mod_stride == 0 {
2303            // SAFETY: `stride` is non-zero. This is guaranteed to divide exactly as well, because
2304            // addr has been verified to be aligned to the original type’s alignment requirements.
2305            unsafe { exact_div(byte_offset, stride) }
2306        } else {
2307            usize::MAX
2308        };
2309    }
2310
2311    // GENERAL_CASE: From here on we’re handling the very general case where `addr` may be
2312    // misaligned, there isn’t an obvious relationship between `stride` and `a` that we can take an
2313    // advantage of, etc. This case produces machine code that isn’t particularly high quality,
2314    // compared to the special cases above. The code produced here is still within the realm of
2315    // miracles, given the situations this case has to deal with.
2316
2317    // SAFETY: a is power-of-two hence non-zero. stride == 0 case is handled above.
2318    // FIXME(const-hack) replace with min
2319    let gcdpow = unsafe {
2320        let x = cttz_nonzero(stride);
2321        let y = cttz_nonzero(a);
2322        if x < y { x } else { y }
2323    };
2324    // SAFETY: gcdpow has an upper-bound that’s at most the number of bits in a `usize`.
2325    let gcd = unsafe { unchecked_shl(1usize, gcdpow) };
2326    // SAFETY: gcd is always greater or equal to 1.
2327    if addr & unsafe { unchecked_sub(gcd, 1) } == 0 {
2328        // This branch solves for the following linear congruence equation:
2329        //
2330        // ` p + so = 0 mod a `
2331        //
2332        // `p` here is the pointer value, `s` - stride of `T`, `o` offset in `T`s, and `a` - the
2333        // requested alignment.
2334        //
2335        // With `g = gcd(a, s)`, and the above condition asserting that `p` is also divisible by
2336        // `g`, we can denote `a' = a/g`, `s' = s/g`, `p' = p/g`, then this becomes equivalent to:
2337        //
2338        // ` p' + s'o = 0 mod a' `
2339        // ` o = (a' - (p' mod a')) * (s'^-1 mod a') `
2340        //
2341        // The first term is "the relative alignment of `p` to `a`" (divided by the `g`), the
2342        // second term is "how does incrementing `p` by `s` bytes change the relative alignment of
2343        // `p`" (again divided by `g`). Division by `g` is necessary to make the inverse well
2344        // formed if `a` and `s` are not co-prime.
2345        //
2346        // Furthermore, the result produced by this solution is not "minimal", so it is necessary
2347        // to take the result `o mod lcm(s, a)`. This `lcm(s, a)` is the same as `a'`.
2348
2349        // SAFETY: `gcdpow` has an upper-bound not greater than the number of trailing 0-bits in
2350        // `a`.
2351        let a2 = unsafe { unchecked_shr(a, gcdpow) };
2352        // SAFETY: `a2` is non-zero. Shifting `a` by `gcdpow` cannot shift out any of the set bits
2353        // in `a` (of which it has exactly one).
2354        let a2minus1 = unsafe { unchecked_sub(a2, 1) };
2355        // SAFETY: `gcdpow` has an upper-bound not greater than the number of trailing 0-bits in
2356        // `a`.
2357        let s2 = unsafe { unchecked_shr(stride & a_minus_one, gcdpow) };
2358        // SAFETY: `gcdpow` has an upper-bound not greater than the number of trailing 0-bits in
2359        // `a`. Furthermore, the subtraction cannot overflow, because `a2 = a >> gcdpow` will
2360        // always be strictly greater than `(p % a) >> gcdpow`.
2361        let minusp2 = unsafe { unchecked_sub(a2, unchecked_shr(addr & a_minus_one, gcdpow)) };
2362        // SAFETY: `a2` is a power-of-two, as proven above. `s2` is strictly less than `a2`
2363        // because `(s % a) >> gcdpow` is strictly less than `a >> gcdpow`.
2364        return wrapping_mul(minusp2, unsafe { mod_inv(s2, a2) }) & a2minus1;
2365    }
2366
2367    // Cannot be aligned at all.
2368    usize::MAX
2369}
2370
2371/// Compares raw pointers for equality.
2372///
2373/// This is the same as using the `==` operator, but less generic:
2374/// the arguments have to be `*const T` raw pointers,
2375/// not anything that implements `PartialEq`.
2376///
2377/// This can be used to compare `&T` references (which coerce to `*const T` implicitly)
2378/// by their address rather than comparing the values they point to
2379/// (which is what the `PartialEq for &T` implementation does).
2380///
2381/// When comparing wide pointers, both the address and the metadata are tested for equality.
2382/// However, note that comparing trait object pointers (`*const dyn Trait`) is unreliable: pointers
2383/// to values of the same underlying type can compare inequal (because vtables are duplicated in
2384/// multiple codegen units), and pointers to values of *different* underlying type can compare equal
2385/// (since identical vtables can be deduplicated within a codegen unit).
2386///
2387/// # Examples
2388///
2389/// ```
2390/// use std::ptr;
2391///
2392/// let five = 5;
2393/// let other_five = 5;
2394/// let five_ref = &five;
2395/// let same_five_ref = &five;
2396/// let other_five_ref = &other_five;
2397///
2398/// assert!(five_ref == same_five_ref);
2399/// assert!(ptr::eq(five_ref, same_five_ref));
2400///
2401/// assert!(five_ref == other_five_ref);
2402/// assert!(!ptr::eq(five_ref, other_five_ref));
2403/// ```
2404///
2405/// Slices are also compared by their length (fat pointers):
2406///
2407/// ```
2408/// let a = [1, 2, 3];
2409/// assert!(std::ptr::eq(&a[..3], &a[..3]));
2410/// assert!(!std::ptr::eq(&a[..2], &a[..3]));
2411/// assert!(!std::ptr::eq(&a[0..2], &a[1..3]));
2412/// ```
2413#[stable(feature = "ptr_eq", since = "1.17.0")]
2414#[inline(always)]
2415#[must_use = "pointer comparison produces a value"]
2416#[rustc_diagnostic_item = "ptr_eq"]
2417#[allow(ambiguous_wide_pointer_comparisons)] // it's actually clear here
2418pub fn eq<T: ?Sized>(a: *const T, b: *const T) -> bool {
2419    a == b
2420}
2421
2422/// Compares the *addresses* of the two pointers for equality,
2423/// ignoring any metadata in fat pointers.
2424///
2425/// If the arguments are thin pointers of the same type,
2426/// then this is the same as [`eq`].
2427///
2428/// # Examples
2429///
2430/// ```
2431/// use std::ptr;
2432///
2433/// let whole: &[i32; 3] = &[1, 2, 3];
2434/// let first: &i32 = &whole[0];
2435///
2436/// assert!(ptr::addr_eq(whole, first));
2437/// assert!(!ptr::eq::<dyn std::fmt::Debug>(whole, first));
2438/// ```
2439#[stable(feature = "ptr_addr_eq", since = "1.76.0")]
2440#[inline(always)]
2441#[must_use = "pointer comparison produces a value"]
2442pub fn addr_eq<T: ?Sized, U: ?Sized>(p: *const T, q: *const U) -> bool {
2443    (p as *const ()) == (q as *const ())
2444}
2445
2446/// Compares the *addresses* of the two function pointers for equality.
2447///
2448/// This is the same as `f == g`, but using this function makes clear that the potentially
2449/// surprising semantics of function pointer comparison are involved.
2450///
2451/// There are **very few guarantees** about how functions are compiled and they have no intrinsic
2452/// “identity”; in particular, this comparison:
2453///
2454/// * May return `true` unexpectedly, in cases where functions are equivalent.
2455///
2456///   For example, the following program is likely (but not guaranteed) to print `(true, true)`
2457///   when compiled with optimization:
2458///
2459///   ```
2460///   let f: fn(i32) -> i32 = |x| x;
2461///   let g: fn(i32) -> i32 = |x| x + 0;  // different closure, different body
2462///   let h: fn(u32) -> u32 = |x| x + 0;  // different signature too
2463///   dbg!(std::ptr::fn_addr_eq(f, g), std::ptr::fn_addr_eq(f, h)); // not guaranteed to be equal
2464///   ```
2465///
2466/// * May return `false` in any case.
2467///
2468///   This is particularly likely with generic functions but may happen with any function.
2469///   (From an implementation perspective, this is possible because functions may sometimes be
2470///   processed more than once by the compiler, resulting in duplicate machine code.)
2471///
2472/// Despite these false positives and false negatives, this comparison can still be useful.
2473/// Specifically, if
2474///
2475/// * `T` is the same type as `U`, `T` is a [subtype] of `U`, or `U` is a [subtype] of `T`, and
2476/// * `ptr::fn_addr_eq(f, g)` returns true,
2477///
2478/// then calling `f` and calling `g` will be equivalent.
2479///
2480///
2481/// # Examples
2482///
2483/// ```
2484/// use std::ptr;
2485///
2486/// fn a() { println!("a"); }
2487/// fn b() { println!("b"); }
2488/// assert!(!ptr::fn_addr_eq(a as fn(), b as fn()));
2489/// ```
2490///
2491/// [subtype]: https://doc.rust-lang.org/reference/subtyping.html
2492#[stable(feature = "ptr_fn_addr_eq", since = "1.85.0")]
2493#[inline(always)]
2494#[must_use = "function pointer comparison produces a value"]
2495pub fn fn_addr_eq<T: FnPtr, U: FnPtr>(f: T, g: U) -> bool {
2496    f.addr() == g.addr()
2497}
2498
2499/// Hash a raw pointer.
2500///
2501/// This can be used to hash a `&T` reference (which coerces to `*const T` implicitly)
2502/// by its address rather than the value it points to
2503/// (which is what the `Hash for &T` implementation does).
2504///
2505/// # Examples
2506///
2507/// ```
2508/// use std::hash::{DefaultHasher, Hash, Hasher};
2509/// use std::ptr;
2510///
2511/// let five = 5;
2512/// let five_ref = &five;
2513///
2514/// let mut hasher = DefaultHasher::new();
2515/// ptr::hash(five_ref, &mut hasher);
2516/// let actual = hasher.finish();
2517///
2518/// let mut hasher = DefaultHasher::new();
2519/// (five_ref as *const i32).hash(&mut hasher);
2520/// let expected = hasher.finish();
2521///
2522/// assert_eq!(actual, expected);
2523/// ```
2524#[stable(feature = "ptr_hash", since = "1.35.0")]
2525pub fn hash<T: ?Sized, S: hash::Hasher>(hashee: *const T, into: &mut S) {
2526    use crate::hash::Hash;
2527    hashee.hash(into);
2528}
2529
2530#[stable(feature = "fnptr_impls", since = "1.4.0")]
2531impl<F: FnPtr> PartialEq for F {
2532    #[inline]
2533    fn eq(&self, other: &Self) -> bool {
2534        self.addr() == other.addr()
2535    }
2536}
2537#[stable(feature = "fnptr_impls", since = "1.4.0")]
2538impl<F: FnPtr> Eq for F {}
2539
2540#[stable(feature = "fnptr_impls", since = "1.4.0")]
2541impl<F: FnPtr> PartialOrd for F {
2542    #[inline]
2543    fn partial_cmp(&self, other: &Self) -> Option<Ordering> {
2544        self.addr().partial_cmp(&other.addr())
2545    }
2546}
2547#[stable(feature = "fnptr_impls", since = "1.4.0")]
2548impl<F: FnPtr> Ord for F {
2549    #[inline]
2550    fn cmp(&self, other: &Self) -> Ordering {
2551        self.addr().cmp(&other.addr())
2552    }
2553}
2554
2555#[stable(feature = "fnptr_impls", since = "1.4.0")]
2556impl<F: FnPtr> hash::Hash for F {
2557    fn hash<HH: hash::Hasher>(&self, state: &mut HH) {
2558        state.write_usize(self.addr() as _)
2559    }
2560}
2561
2562#[stable(feature = "fnptr_impls", since = "1.4.0")]
2563impl<F: FnPtr> fmt::Pointer for F {
2564    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
2565        fmt::pointer_fmt_inner(self.addr() as _, f)
2566    }
2567}
2568
2569#[stable(feature = "fnptr_impls", since = "1.4.0")]
2570impl<F: FnPtr> fmt::Debug for F {
2571    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
2572        fmt::pointer_fmt_inner(self.addr() as _, f)
2573    }
2574}
2575
2576/// Creates a `const` raw pointer to a place, without creating an intermediate reference.
2577///
2578/// `addr_of!(expr)` is equivalent to `&raw const expr`. The macro is *soft-deprecated*;
2579/// use `&raw const` instead.
2580///
2581/// It is still an open question under which conditions writing through an `addr_of!`-created
2582/// pointer is permitted. If the place `expr` evaluates to is based on a raw pointer, then the
2583/// result of `addr_of!` inherits all permissions from that raw pointer. However, if the place is
2584/// based on a reference, local variable, or `static`, then until all details are decided, the same
2585/// rules as for shared references apply: it is UB to write through a pointer created with this
2586/// operation, except for bytes located inside an `UnsafeCell`. Use `&raw mut` (or [`addr_of_mut`])
2587/// to create a raw pointer that definitely permits mutation.
2588///
2589/// Creating a reference with `&`/`&mut` is only allowed if the pointer is properly aligned
2590/// and points to initialized data. For cases where those requirements do not hold,
2591/// raw pointers should be used instead. However, `&expr as *const _` creates a reference
2592/// before casting it to a raw pointer, and that reference is subject to the same rules
2593/// as all other references. This macro can create a raw pointer *without* creating
2594/// a reference first.
2595///
2596/// See [`addr_of_mut`] for how to create a pointer to uninitialized data.
2597/// Doing that with `addr_of` would not make much sense since one could only
2598/// read the data, and that would be Undefined Behavior.
2599///
2600/// # Safety
2601///
2602/// The `expr` in `addr_of!(expr)` is evaluated as a place expression, but never loads from the
2603/// place or requires the place to be dereferenceable. This means that `addr_of!((*ptr).field)`
2604/// still requires the projection to `field` to be in-bounds, using the same rules as [`offset`].
2605/// However, `addr_of!(*ptr)` is defined behavior even if `ptr` is null, dangling, or misaligned.
2606///
2607/// Note that `Deref`/`Index` coercions (and their mutable counterparts) are applied inside
2608/// `addr_of!` like everywhere else, in which case a reference is created to call `Deref::deref` or
2609/// `Index::index`, respectively. The statements above only apply when no such coercions are
2610/// applied.
2611///
2612/// [`offset`]: pointer::offset
2613///
2614/// # Example
2615///
2616/// **Correct usage: Creating a pointer to unaligned data**
2617///
2618/// ```
2619/// use std::ptr;
2620///
2621/// #[repr(packed)]
2622/// struct Packed {
2623///     f1: u8,
2624///     f2: u16,
2625/// }
2626///
2627/// let packed = Packed { f1: 1, f2: 2 };
2628/// // `&packed.f2` would create an unaligned reference, and thus be Undefined Behavior!
2629/// let raw_f2 = ptr::addr_of!(packed.f2);
2630/// assert_eq!(unsafe { raw_f2.read_unaligned() }, 2);
2631/// ```
2632///
2633/// **Incorrect usage: Out-of-bounds fields projection**
2634///
2635/// ```rust,no_run
2636/// use std::ptr;
2637///
2638/// #[repr(C)]
2639/// struct MyStruct {
2640///     field1: i32,
2641///     field2: i32,
2642/// }
2643///
2644/// let ptr: *const MyStruct = ptr::null();
2645/// let fieldptr = unsafe { ptr::addr_of!((*ptr).field2) }; // Undefined Behavior ⚠️
2646/// ```
2647///
2648/// The field projection `.field2` would offset the pointer by 4 bytes,
2649/// but the pointer is not in-bounds of an allocation for 4 bytes,
2650/// so this offset is Undefined Behavior.
2651/// See the [`offset`] docs for a full list of requirements for inbounds pointer arithmetic; the
2652/// same requirements apply to field projections, even inside `addr_of!`. (In particular, it makes
2653/// no difference whether the pointer is null or dangling.)
2654#[stable(feature = "raw_ref_macros", since = "1.51.0")]
2655#[rustc_macro_transparency = "semitransparent"]
2656pub macro addr_of($place:expr) {
2657    &raw const $place
2658}
2659
2660/// Creates a `mut` raw pointer to a place, without creating an intermediate reference.
2661///
2662/// `addr_of_mut!(expr)` is equivalent to `&raw mut expr`. The macro is *soft-deprecated*;
2663/// use `&raw mut` instead.
2664///
2665/// Creating a reference with `&`/`&mut` is only allowed if the pointer is properly aligned
2666/// and points to initialized data. For cases where those requirements do not hold,
2667/// raw pointers should be used instead. However, `&mut expr as *mut _` creates a reference
2668/// before casting it to a raw pointer, and that reference is subject to the same rules
2669/// as all other references. This macro can create a raw pointer *without* creating
2670/// a reference first.
2671///
2672/// # Safety
2673///
2674/// The `expr` in `addr_of_mut!(expr)` is evaluated as a place expression, but never loads from the
2675/// place or requires the place to be dereferenceable. This means that `addr_of_mut!((*ptr).field)`
2676/// still requires the projection to `field` to be in-bounds, using the same rules as [`offset`].
2677/// However, `addr_of_mut!(*ptr)` is defined behavior even if `ptr` is null, dangling, or misaligned.
2678///
2679/// Note that `Deref`/`Index` coercions (and their mutable counterparts) are applied inside
2680/// `addr_of_mut!` like everywhere else, in which case a reference is created to call `Deref::deref`
2681/// or `Index::index`, respectively. The statements above only apply when no such coercions are
2682/// applied.
2683///
2684/// [`offset`]: pointer::offset
2685///
2686/// # Examples
2687///
2688/// **Correct usage: Creating a pointer to unaligned data**
2689///
2690/// ```
2691/// use std::ptr;
2692///
2693/// #[repr(packed)]
2694/// struct Packed {
2695///     f1: u8,
2696///     f2: u16,
2697/// }
2698///
2699/// let mut packed = Packed { f1: 1, f2: 2 };
2700/// // `&mut packed.f2` would create an unaligned reference, and thus be Undefined Behavior!
2701/// let raw_f2 = ptr::addr_of_mut!(packed.f2);
2702/// unsafe { raw_f2.write_unaligned(42); }
2703/// assert_eq!({packed.f2}, 42); // `{...}` forces copying the field instead of creating a reference.
2704/// ```
2705///
2706/// **Correct usage: Creating a pointer to uninitialized data**
2707///
2708/// ```rust
2709/// use std::{ptr, mem::MaybeUninit};
2710///
2711/// struct Demo {
2712///     field: bool,
2713/// }
2714///
2715/// let mut uninit = MaybeUninit::<Demo>::uninit();
2716/// // `&uninit.as_mut().field` would create a reference to an uninitialized `bool`,
2717/// // and thus be Undefined Behavior!
2718/// let f1_ptr = unsafe { ptr::addr_of_mut!((*uninit.as_mut_ptr()).field) };
2719/// unsafe { f1_ptr.write(true); }
2720/// let init = unsafe { uninit.assume_init() };
2721/// ```
2722///
2723/// **Incorrect usage: Out-of-bounds fields projection**
2724///
2725/// ```rust,no_run
2726/// use std::ptr;
2727///
2728/// #[repr(C)]
2729/// struct MyStruct {
2730///     field1: i32,
2731///     field2: i32,
2732/// }
2733///
2734/// let ptr: *mut MyStruct = ptr::null_mut();
2735/// let fieldptr = unsafe { ptr::addr_of_mut!((*ptr).field2) }; // Undefined Behavior ⚠️
2736/// ```
2737///
2738/// The field projection `.field2` would offset the pointer by 4 bytes,
2739/// but the pointer is not in-bounds of an allocation for 4 bytes,
2740/// so this offset is Undefined Behavior.
2741/// See the [`offset`] docs for a full list of requirements for inbounds pointer arithmetic; the
2742/// same requirements apply to field projections, even inside `addr_of_mut!`. (In particular, it
2743/// makes no difference whether the pointer is null or dangling.)
2744#[stable(feature = "raw_ref_macros", since = "1.51.0")]
2745#[rustc_macro_transparency = "semitransparent"]
2746pub macro addr_of_mut($place:expr) {
2747    &raw mut $place
2748}