Primitive Type pointer 

Raw, unsafe pointers, *const T, and *mut T.

See also the std::ptr module.

Working with raw pointers in Rust is uncommon, typically limited to a few patterns. Raw pointers can be out-of-bounds, unaligned, or null. However, when loading from or storing to a raw pointer, it must be valid for the given access and aligned. When using a field expression, tuple index expression, or array/slice index expression on a raw pointer, it follows the rules of in-bounds pointer arithmetic.

Storing through a raw pointer using *ptr = data calls drop on the old value, so write must be used if the type has drop glue and memory is not already initialized - otherwise drop would be called on the uninitialized memory.

Use the null and null_mut functions to create null pointers, and the is_null method of the *const T and *mut T types to check for null. The *const T and *mut T types also define the offset method, for pointer math.

Common ways to create raw pointers

1. Coerce a reference (&T) or mutable reference (&mut T).

let my_num: i32 = 10;
let my_num_ptr: *const i32 = &my_num;
let mut my_speed: i32 = 88;
let my_speed_ptr: *mut i32 = &mut my_speed;

To get a pointer to a boxed value, dereference the box:

let my_num: Box<i32> = Box::new(10);
let my_num_ptr: *const i32 = &*my_num;
let mut my_speed: Box<i32> = Box::new(88);
let my_speed_ptr: *mut i32 = &mut *my_speed;

This does not take ownership of the original allocation and requires no resource management later, but you must not use the pointer after its lifetime.

2. Consume a box (Box<T>).

The into_raw function consumes a box and returns the raw pointer. It doesn’t destroy T or deallocate any memory.

let my_speed: Box<i32> = Box::new(88);
let my_speed: *mut i32 = Box::into_raw(my_speed);

// By taking ownership of the original `Box<T>` though
// we are obligated to put it together later to be destroyed.
unsafe {
    drop(Box::from_raw(my_speed));
}

Note that here the call to drop is for clarity - it indicates that we are done with the given value and it should be destroyed.

3. Create it using &raw

Instead of coercing a reference to a raw pointer, you can use the raw borrow operators &raw const (for *const T) and &raw mut (for *mut T). These operators allow you to create raw pointers to fields to which you cannot create a reference (without causing undefined behavior), such as an unaligned field. This might be necessary if packed structs or uninitialized memory is involved.

#[derive(Debug, Default, Copy, Clone)]
#[repr(C, packed)]
struct S {
    aligned: u8,
    unaligned: u32,
}
let s = S::default();
let p = &raw const s.unaligned; // not allowed with coercion

4. Get it from C.

#[allow(unused_extern_crates)]
extern crate libc;

unsafe {
    let my_num: *mut i32 = libc::malloc(size_of::<i32>()) as *mut i32;
    if my_num.is_null() {
        panic!("failed to allocate memory");
    }
    libc::free(my_num as *mut core::ffi::c_void);
}

Usually you wouldn’t literally use malloc and free from Rust, but C APIs hand out a lot of pointers generally, so are a common source of raw pointers in Rust.

Implementations

impl<T: PointeeSized> *const T

pub const fn is_null(self) -> bool

Returns true if the pointer is null.

Note that unsized types have many possible null pointers, as only the raw data pointer is considered, not their length, vtable, etc. Therefore, two pointers that are null may still not compare equal to each other.

Panics during const evaluation

If this method is used during const evaluation, and self is a pointer that is offset beyond the bounds of the memory it initially pointed to, then there might not be enough information to determine whether the pointer is null. This is because the absolute address in memory is not known at compile time. If the nullness of the pointer cannot be determined, this method will panic.

In-bounds pointers are never null, so the method will never panic for such pointers.

Examples

let s: &str = "Follow the rabbit";
let ptr: *const u8 = s.as_ptr();
assert!(!ptr.is_null());

pub const fn cast<U>(self) -> *const U

Casts to a pointer of another type.

pub fn try_cast_aligned<U>(self) -> Option<*const U>

🔬This is a nightly-only experimental API. (pointer_try_cast_aligned #141221)

Try to cast to a pointer of another type by checking alignment.

If the pointer is properly aligned to the target type, it will be cast to the target type. Otherwise, None is returned.

Examples

#![feature(pointer_try_cast_aligned)]

let x = 0u64;

let aligned: *const u64 = &x;
let unaligned = unsafe { aligned.byte_add(1) };

assert!(aligned.try_cast_aligned::<u32>().is_some());
assert!(unaligned.try_cast_aligned::<u32>().is_none());

pub const fn with_metadata_of<U>(self, meta: *const U) -> *const U

where U: PointeeSized,

🔬This is a nightly-only experimental API. (set_ptr_value #75091)

Uses the address value in a new pointer of another type.

This operation will ignore the address part of its meta operand and discard existing metadata of self. For pointers to a sized types (thin pointers), this has the same effect as a simple cast. For pointers to an unsized type (fat pointers) this recombines the address with new metadata such as slice lengths or dyn-vtable.

The resulting pointer will have provenance of self. This operation is semantically the same as creating a new pointer with the data pointer value of self but the metadata of meta, being fat or thin depending on the meta operand.

Examples

This function is primarily useful for enabling pointer arithmetic on potentially fat pointers. The pointer is cast to a sized pointee to utilize offset operations and then recombined with its own original metadata.

#![feature(set_ptr_value)]
let arr: [i32; 3] = [1, 2, 3];
let mut ptr = arr.as_ptr() as *const dyn Debug;
let thin = ptr as *const u8;
unsafe {
    ptr = thin.add(8).with_metadata_of(ptr);
    println!("{:?}", &*ptr); // will print "3"
}

Incorrect usage

The provenance from pointers is not combined. The result must only be used to refer to the address allowed by self.

#![feature(set_ptr_value)]
let x = 0u32;
let y = 1u32;

let x = (&x) as *const u32;
let y = (&y) as *const u32;

let offset = (x as usize - y as usize) / 4;
let bad = x.wrapping_add(offset).with_metadata_of(y);

// This dereference is UB. The pointer only has provenance for `x` but points to `y`.
println!("{:?}", unsafe { &*bad });

pub fn addr(self) -> usize

Gets the “address” portion of the pointer.

This is similar to self as usize, except that the provenance of the pointer is discarded and not exposed. This means that casting the returned address back to a pointer yields a pointer without provenance, which is undefined behavior to dereference. To properly restore the lost information and obtain a dereferenceable pointer, use [with_addr][pointer::with_addr] or [map_addr][pointer::map_addr].

If using those APIs is not possible because there is no way to preserve a pointer with the required provenance, then Strict Provenance might not be for you. Use pointer-integer casts or [expose_provenance][pointer::expose_provenance] and [with_exposed_provenance][with_exposed_provenance] instead. However, note that this makes your code less portable and less amenable to tools that check for compliance with the Rust memory model.

On most platforms this will produce a value with the same bytes as the original pointer, because all the bytes are dedicated to describing the address. Platforms which need to store additional information in the pointer may perform a change of representation to produce a value containing only the address portion of the pointer. What that means is up to the platform to define.

This is a Strict Provenance API.

pub const unsafe fn offset(self, count: isize) -> *const T

where T: Sized,

Adds a signed offset to a pointer.

count is in units of T; e.g., a count of 3 represents a pointer offset of 3 * size_of::<T>() bytes.

Safety

If any of the following conditions are violated, the result is Undefined Behavior:

• The offset in bytes, count * size_of::<T>(), computed on mathematical integers (without “wrapping around”), must fit in an isize.

• If the computed offset is non-zero, then self must be derived from a pointer to some allocation, and the entire memory range between self and the result must be in bounds of that allocation. In particular, this range must not “wrap around” the edge of the address space. Note that “range” here refers to a half-open range as usual in Rust, i.e., self..result for non-negative offsets and result..self for negative offsets.

Allocations can never be larger than isize::MAX bytes, so if the computed offset stays in bounds of the allocation, it is guaranteed to satisfy the first requirement. This implies, for instance, that vec.as_ptr().add(vec.len()) (for vec: Vec<T>) is always safe.

Consider using wrapping_offset instead if these constraints are difficult to satisfy. The only advantage of this method is that it enables more aggressive compiler optimizations.

Examples

let s: &str = "123";
let ptr: *const u8 = s.as_ptr();

unsafe {
    assert_eq!(*ptr.offset(1) as char, '2');
    assert_eq!(*ptr.offset(2) as char, '3');
}

pub const unsafe fn offset_from_unsigned(self, origin: *const T) -> usize

where T: Sized,

Calculates the distance between two pointers within the same allocation, where it’s known that self is equal to or greater than origin. The returned value is in units of T: the distance in bytes is divided by size_of::<T>().

This computes the same value that offset_from would compute, but with the added precondition that the offset is guaranteed to be non-negative. This method is equivalent to usize::try_from(self.offset_from(origin)).unwrap_unchecked(), but it provides slightly more information to the optimizer, which can sometimes allow it to optimize slightly better with some backends.

This method can be thought of as recovering the count that was passed to add (or, with the parameters in the other order, to sub). The following are all equivalent, assuming that their safety preconditions are met:

ptr.offset_from_unsigned(origin) == count
origin.add(count) == ptr
ptr.sub(count) == origin

Safety

• The distance between the pointers must be non-negative (self >= origin)

• All the safety conditions of offset_from apply to this method as well; see it for the full details.

Importantly, despite the return type of this method being able to represent a larger offset, it’s still not permitted to pass pointers which differ by more than isize::MAX bytes. As such, the result of this method will always be less than or equal to isize::MAX as usize.

Panics

This function panics if T is a Zero-Sized Type (“ZST”).

Examples

let a = [0; 5];
let ptr1: *const i32 = &a[1];
let ptr2: *const i32 = &a[3];
unsafe {
    assert_eq!(ptr2.offset_from_unsigned(ptr1), 2);
    assert_eq!(ptr1.add(2), ptr2);
    assert_eq!(ptr2.sub(2), ptr1);
    assert_eq!(ptr2.offset_from_unsigned(ptr2), 0);
}

// This would be incorrect, as the pointers are not correctly ordered:
// ptr1.offset_from_unsigned(ptr2)

pub const fn guaranteed_eq(self, other: *const T) -> Option<bool>

where T: Sized,

🔬This is a nightly-only experimental API. (const_raw_ptr_comparison #53020)

Returns whether two pointers are guaranteed to be equal.

At runtime this function behaves like Some(self == other). However, in some contexts (e.g., compile-time evaluation), it is not always possible to determine equality of two pointers, so this function may spuriously return None for pointers that later actually turn out to have its equality known. But when it returns Some, the pointers’ equality is guaranteed to be known.

The return value may change from Some to None and vice versa depending on the compiler version and unsafe code must not rely on the result of this function for soundness. It is suggested to only use this function for performance optimizations where spurious None return values by this function do not affect the outcome, but just the performance. The consequences of using this method to make runtime and compile-time code behave differently have not been explored. This method should not be used to introduce such differences, and it should also not be stabilized before we have a better understanding of this issue.

pub const unsafe fn add(self, count: usize) -> Self

where T: Sized,

Adds an unsigned offset to a pointer.

This can only move the pointer forward (or not move it). If you need to move forward or backward depending on the value, then you might want offset instead which takes a signed offset.

count is in units of T; e.g., a count of 3 represents a pointer offset of 3 * size_of::<T>() bytes.

Safety

If any of the following conditions are violated, the result is Undefined Behavior:

• The offset in bytes, count * size_of::<T>(), computed on mathematical integers (without “wrapping around”), must fit in an isize.

• If the computed offset is non-zero, then self must be derived from a pointer to some allocation, and the entire memory range between self and the result must be in bounds of that allocation. In particular, this range must not “wrap around” the edge of the address space.

Allocations can never be larger than isize::MAX bytes, so if the computed offset stays in bounds of the allocation, it is guaranteed to satisfy the first requirement. This implies, for instance, that vec.as_ptr().add(vec.len()) (for vec: Vec<T>) is always safe.

Consider using wrapping_add instead if these constraints are difficult to satisfy. The only advantage of this method is that it enables more aggressive compiler optimizations.

Examples

let s: &str = "123";
let ptr: *const u8 = s.as_ptr();

unsafe {
    assert_eq!(*ptr.add(1), b'2');
    assert_eq!(*ptr.add(2), b'3');
}

pub const unsafe fn byte_add(self, count: usize) -> Self

Adds an unsigned offset in bytes to a pointer.

count is in units of bytes.

This is purely a convenience for casting to a u8 pointer and using add on it. See that method for documentation and safety requirements.

For non-Sized pointees this operation changes only the data pointer, leaving the metadata untouched.

pub const unsafe fn read(self) -> T

where T: Sized,

Reads the value from self without moving it. This leaves the memory in self unchanged.

See ptr::read for safety concerns and examples.

pub fn align_offset(self, align: usize) -> usize

where T: Sized,

Computes the offset that needs to be applied to the pointer in order to make it aligned to align.

If it is not possible to align the pointer, the implementation returns usize::MAX.

The offset is expressed in number of T elements, and not bytes. The value returned can be used with the wrapping_add method.

There are no guarantees whatsoever that offsetting the pointer will not overflow or go beyond the allocation that the pointer points into. It is up to the caller to ensure that the returned offset is correct in all terms other than alignment.

Panics

The function panics if align is not a power-of-two.

Examples

Accessing adjacent u8 as u16

let x = [5_u8, 6, 7, 8, 9];
let ptr = x.as_ptr();
let offset = ptr.align_offset(align_of::<u16>());

if offset < x.len() - 1 {
    let u16_ptr = ptr.add(offset).cast::<u16>();
    assert!(*u16_ptr == u16::from_ne_bytes([5, 6]) || *u16_ptr == u16::from_ne_bytes([6, 7]));
} else {
    // while the pointer can be aligned via `offset`, it would point
    // outside the allocation
}

pub fn is_aligned_to(self, align: usize) -> bool

🔬This is a nightly-only experimental API. (pointer_is_aligned_to #96284)

Returns whether the pointer is aligned to align.

For non-Sized pointees this operation considers only the data pointer, ignoring the metadata.

Panics

The function panics if align is not a power-of-two (this includes 0).

Examples

#![feature(pointer_is_aligned_to)]

// On some platforms, the alignment of i32 is less than 4.
#[repr(align(4))]
struct AlignedI32(i32);

let data = AlignedI32(42);
let ptr = &data as *const AlignedI32;

assert!(ptr.is_aligned_to(1));
assert!(ptr.is_aligned_to(2));
assert!(ptr.is_aligned_to(4));

assert!(ptr.wrapping_byte_add(2).is_aligned_to(2));
assert!(!ptr.wrapping_byte_add(2).is_aligned_to(4));

assert_ne!(ptr.is_aligned_to(8), ptr.wrapping_add(1).is_aligned_to(8));

impl<T> *const [T]

pub const fn len(self) -> usize

Returns the length of a raw slice.

The returned value is the number of elements, not the number of bytes.

This function is safe, even when the raw slice cannot be cast to a slice reference because the pointer is null or unaligned.

Examples

use std::ptr;

let slice: *const [i8] = ptr::slice_from_raw_parts(ptr::null(), 3);
assert_eq!(slice.len(), 3);

pub const fn is_empty(self) -> bool

Returns true if the raw slice has a length of 0.

Examples

use std::ptr;

let slice: *const [i8] = ptr::slice_from_raw_parts(ptr::null(), 3);
assert!(!slice.is_empty());

pub const fn as_ptr(self) -> *const T

🔬This is a nightly-only experimental API. (slice_ptr_get #74265)

Returns a raw pointer to the slice’s buffer.

This is equivalent to casting self to *const T, but more type-safe.

Examples

#![feature(slice_ptr_get)]
use std::ptr;

let slice: *const [i8] = ptr::slice_from_raw_parts(ptr::null(), 3);
assert_eq!(slice.as_ptr(), ptr::null());

pub const fn as_array<const N: usize>(self) -> Option<*const [T; N]>

Gets a raw pointer to the underlying array.

If N is not exactly equal to the length of self, then this method returns None.

impl<T> *const T

pub const fn cast_array<const N: usize>(self) -> *const [T; N]

🔬This is a nightly-only experimental API. (ptr_cast_array #144514)

Casts from a pointer-to-T to a pointer-to-[T; N].

impl<T: PointeeSized> *mut T

pub const fn is_null(self) -> bool

Returns true if the pointer is null.

Note that unsized types have many possible null pointers, as only the raw data pointer is considered, not their length, vtable, etc. Therefore, two pointers that are null may still not compare equal to each other.

Panics during const evaluation

If this method is used during const evaluation, and self is a pointer that is offset beyond the bounds of the memory it initially pointed to, then there might not be enough information to determine whether the pointer is null. This is because the absolute address in memory is not known at compile time. If the nullness of the pointer cannot be determined, this method will panic.

In-bounds pointers are never null, so the method will never panic for such pointers.

Examples

let mut s = [1, 2, 3];
let ptr: *mut u32 = s.as_mut_ptr();
assert!(!ptr.is_null());

pub const fn cast<U>(self) -> *mut U

Casts to a pointer of another type.

pub const fn cast_const(self) -> *const T

Changes constness without changing the type.

This is a bit safer than as because it wouldn’t silently change the type if the code is refactored.

While not strictly required (*mut T coerces to *const T), this is provided for symmetry with cast_mut on *const T and may have documentation value if used instead of implicit coercion.

pub fn addr(self) -> usize

Gets the “address” portion of the pointer.

This is similar to self as usize, except that the provenance of the pointer is discarded and not exposed. This means that casting the returned address back to a pointer yields a pointer without provenance, which is undefined behavior to dereference. To properly restore the lost information and obtain a dereferenceable pointer, use [with_addr][pointer::with_addr] or [map_addr][pointer::map_addr].

If using those APIs is not possible because there is no way to preserve a pointer with the required provenance, then Strict Provenance might not be for you. Use pointer-integer casts or [expose_provenance][pointer::expose_provenance] and [with_exposed_provenance][with_exposed_provenance] instead. However, note that this makes your code less portable and less amenable to tools that check for compliance with the Rust memory model.

On most platforms this will produce a value with the same bytes as the original pointer, because all the bytes are dedicated to describing the address. Platforms which need to store additional information in the pointer may perform a change of representation to produce a value containing only the address portion of the pointer. What that means is up to the platform to define.

This is a Strict Provenance API.

pub const unsafe fn offset(self, count: isize) -> *mut T

where T: Sized,

Adds a signed offset to a pointer.

count is in units of T; e.g., a count of 3 represents a pointer offset of 3 * size_of::<T>() bytes.

Safety

If any of the following conditions are violated, the result is Undefined Behavior:

• The offset in bytes, count * size_of::<T>(), computed on mathematical integers (without “wrapping around”), must fit in an isize.

• If the computed offset is non-zero, then self must be derived from a pointer to some allocation, and the entire memory range between self and the result must be in bounds of that allocation. In particular, this range must not “wrap around” the edge of the address space. Note that “range” here refers to a half-open range as usual in Rust, i.e., self..result for non-negative offsets and result..self for negative offsets.

Allocations can never be larger than isize::MAX bytes, so if the computed offset stays in bounds of the allocation, it is guaranteed to satisfy the first requirement. This implies, for instance, that vec.as_ptr().add(vec.len()) (for vec: Vec<T>) is always safe.

Consider using wrapping_offset instead if these constraints are difficult to satisfy. The only advantage of this method is that it enables more aggressive compiler optimizations.

Examples

let mut s = [1, 2, 3];
let ptr: *mut u32 = s.as_mut_ptr();

unsafe {
    assert_eq!(2, *ptr.offset(1));
    assert_eq!(3, *ptr.offset(2));
}

pub const fn wrapping_offset(self, count: isize) -> *mut T

where T: Sized,

Adds a signed offset to a pointer using wrapping arithmetic.

count is in units of T; e.g., a count of 3 represents a pointer offset of 3 * size_of::<T>() bytes.

Safety

This operation itself is always safe, but using the resulting pointer is not.

The resulting pointer “remembers” the allocation that self points to (this is called “Provenance”). The pointer must not be used to read or write other allocations.

In other words, let z = x.wrapping_offset((y as isize) - (x as isize)) does not make z the same as y even if we assume T has size 1 and there is no overflow: z is still attached to the object x is attached to, and dereferencing it is Undefined Behavior unless x and y point into the same allocation.

Compared to offset, this method basically delays the requirement of staying within the same allocation: offset is immediate Undefined Behavior when crossing object boundaries; wrapping_offset produces a pointer but still leads to Undefined Behavior if a pointer is dereferenced when it is out-of-bounds of the object it is attached to. offset can be optimized better and is thus preferable in performance-sensitive code.

The delayed check only considers the value of the pointer that was dereferenced, not the intermediate values used during the computation of the final result. For example, x.wrapping_offset(o).wrapping_offset(o.wrapping_neg()) is always the same as x. In other words, leaving the allocation and then re-entering it later is permitted.

Examples

// Iterate using a raw pointer in increments of two elements
let mut data = [1u8, 2, 3, 4, 5];
let mut ptr: *mut u8 = data.as_mut_ptr();
let step = 2;
let end_rounded_up = ptr.wrapping_offset(6);

while ptr != end_rounded_up {
    unsafe {
        *ptr = 0;
    }
    ptr = ptr.wrapping_offset(step);
}
assert_eq!(&data, &[0, 2, 0, 4, 0]);

pub const unsafe fn as_mut<'a>(self) -> Option<&'a mut T>

Returns None if the pointer is null, or else returns a unique reference to the value wrapped in Some. If the value may be uninitialized, as_uninit_mut must be used instead.

For the shared counterpart see as_ref.

Safety

When calling this method, you have to ensure that either the pointer is null or the pointer is convertible to a reference.

Panics during const evaluation

This method will panic during const evaluation if the pointer cannot be determined to be null or not. See is_null for more information.

Examples

let mut s = [1, 2, 3];
let ptr: *mut u32 = s.as_mut_ptr();
let first_value = unsafe { ptr.as_mut().unwrap() };
*first_value = 4;
println!("{s:?}"); // It'll print: "[4, 2, 3]".

Null-unchecked version

If you are sure the pointer can never be null and are looking for some kind of as_mut_unchecked that returns the &mut T instead of Option<&mut T>, know that you can dereference the pointer directly.

let mut s = [1, 2, 3];
let ptr: *mut u32 = s.as_mut_ptr();
let first_value = unsafe { &mut *ptr };
*first_value = 4;
println!("{s:?}"); // It'll print: "[4, 2, 3]".

pub const unsafe fn offset_from_unsigned(self, origin: *const T) -> usize

where T: Sized,

Calculates the distance between two pointers within the same allocation, where it’s known that self is equal to or greater than origin. The returned value is in units of T: the distance in bytes is divided by size_of::<T>().

This computes the same value that offset_from would compute, but with the added precondition that the offset is guaranteed to be non-negative. This method is equivalent to usize::try_from(self.offset_from(origin)).unwrap_unchecked(), but it provides slightly more information to the optimizer, which can sometimes allow it to optimize slightly better with some backends.

This method can be thought of as recovering the count that was passed to add (or, with the parameters in the other order, to sub). The following are all equivalent, assuming that their safety preconditions are met:

ptr.offset_from_unsigned(origin) == count
origin.add(count) == ptr
ptr.sub(count) == origin

Safety

• The distance between the pointers must be non-negative (self >= origin)

• All the safety conditions of offset_from apply to this method as well; see it for the full details.

Importantly, despite the return type of this method being able to represent a larger offset, it’s still not permitted to pass pointers which differ by more than isize::MAX bytes. As such, the result of this method will always be less than or equal to isize::MAX as usize.

Panics

This function panics if T is a Zero-Sized Type (“ZST”).

Examples

let mut a = [0; 5];
let p: *mut i32 = a.as_mut_ptr();
unsafe {
    let ptr1: *mut i32 = p.add(1);
    let ptr2: *mut i32 = p.add(3);

    assert_eq!(ptr2.offset_from_unsigned(ptr1), 2);
    assert_eq!(ptr1.add(2), ptr2);
    assert_eq!(ptr2.sub(2), ptr1);
    assert_eq!(ptr2.offset_from_unsigned(ptr2), 0);
}

// This would be incorrect, as the pointers are not correctly ordered:
// ptr1.offset_from(ptr2)

pub const unsafe fn add(self, count: usize) -> Self

where T: Sized,

Adds an unsigned offset to a pointer.

This can only move the pointer forward (or not move it). If you need to move forward or backward depending on the value, then you might want offset instead which takes a signed offset.

count is in units of T; e.g., a count of 3 represents a pointer offset of 3 * size_of::<T>() bytes.

Safety

If any of the following conditions are violated, the result is Undefined Behavior:

• The offset in bytes, count * size_of::<T>(), computed on mathematical integers (without “wrapping around”), must fit in an isize.

• If the computed offset is non-zero, then self must be derived from a pointer to some allocation, and the entire memory range between self and the result must be in bounds of that allocation. In particular, this range must not “wrap around” the edge of the address space.

Allocations can never be larger than isize::MAX bytes, so if the computed offset stays in bounds of the allocation, it is guaranteed to satisfy the first requirement. This implies, for instance, that vec.as_ptr().add(vec.len()) (for vec: Vec<T>) is always safe.

Consider using wrapping_add instead if these constraints are difficult to satisfy. The only advantage of this method is that it enables more aggressive compiler optimizations.

Examples

let mut s: String = "123".to_string();
let ptr: *mut u8 = s.as_mut_ptr();

unsafe {
    assert_eq!('2', *ptr.add(1) as char);
    assert_eq!('3', *ptr.add(2) as char);
}

pub const unsafe fn sub(self, count: usize) -> Self

where T: Sized,

Subtracts an unsigned offset from a pointer.

This can only move the pointer backward (or not move it). If you need to move forward or backward depending on the value, then you might want offset instead which takes a signed offset.

count is in units of T; e.g., a count of 3 represents a pointer offset of 3 * size_of::<T>() bytes.

Safety

If any of the following conditions are violated, the result is Undefined Behavior:

• The offset in bytes, count * size_of::<T>(), computed on mathematical integers (without “wrapping around”), must fit in an isize.

• If the computed offset is non-zero, then self must be derived from a pointer to some allocation, and the entire memory range between self and the result must be in bounds of that allocation. In particular, this range must not “wrap around” the edge of the address space.

Allocations can never be larger than isize::MAX bytes, so if the computed offset stays in bounds of the allocation, it is guaranteed to satisfy the first requirement. This implies, for instance, that vec.as_ptr().add(vec.len()) (for vec: Vec<T>) is always safe.

Consider using wrapping_sub instead if these constraints are difficult to satisfy. The only advantage of this method is that it enables more aggressive compiler optimizations.

Examples

let s: &str = "123";

unsafe {
    let end: *const u8 = s.as_ptr().add(3);
    assert_eq!('3', *end.sub(1) as char);
    assert_eq!('2', *end.sub(2) as char);
}

pub const fn wrapping_add(self, count: usize) -> Self

where T: Sized,

Adds an unsigned offset to a pointer using wrapping arithmetic.

count is in units of T; e.g., a count of 3 represents a pointer offset of 3 * size_of::<T>() bytes.

Safety

This operation itself is always safe, but using the resulting pointer is not.

The resulting pointer “remembers” the allocation that self points to; it must not be used to read or write other allocations.

In other words, let z = x.wrapping_add((y as usize) - (x as usize)) does not make z the same as y even if we assume T has size 1 and there is no overflow: z is still attached to the object x is attached to, and dereferencing it is Undefined Behavior unless x and y point into the same allocation.

Compared to add, this method basically delays the requirement of staying within the same allocation: add is immediate Undefined Behavior when crossing object boundaries; wrapping_add produces a pointer but still leads to Undefined Behavior if a pointer is dereferenced when it is out-of-bounds of the object it is attached to. add can be optimized better and is thus preferable in performance-sensitive code.

The delayed check only considers the value of the pointer that was dereferenced, not the intermediate values used during the computation of the final result. For example, x.wrapping_add(o).wrapping_sub(o) is always the same as x. In other words, leaving the allocation and then re-entering it later is permitted.

Examples

// Iterate using a raw pointer in increments of two elements
let data = [1u8, 2, 3, 4, 5];
let mut ptr: *const u8 = data.as_ptr();
let step = 2;
let end_rounded_up = ptr.wrapping_add(6);

// This loop prints "1, 3, 5, "
while ptr != end_rounded_up {
    unsafe {
        print!("{}, ", *ptr);
    }
    ptr = ptr.wrapping_add(step);
}

pub const unsafe fn read(self) -> T

where T: Sized,

Reads the value from self without moving it. This leaves the memory in self unchanged.

See ptr::read for safety concerns and examples.

pub const unsafe fn write(self, val: T)

where T: Sized,

Overwrites a memory location with the given value without reading or dropping the old value.

See ptr::write for safety concerns and examples.

pub const unsafe fn write_bytes(self, val: u8, count: usize)

where T: Sized,

Invokes memset on the specified pointer, setting count * size_of::<T>() bytes of memory starting at self to val.

See ptr::write_bytes for safety concerns and examples.

pub const unsafe fn replace(self, src: T) -> T

where T: Sized,

Replaces the value at self with src, returning the old value, without dropping either.

See ptr::replace for safety concerns and examples.

impl<T> *mut [T]

pub const fn len(self) -> usize

Returns the length of a raw slice.

The returned value is the number of elements, not the number of bytes.

This function is safe, even when the raw slice cannot be cast to a slice reference because the pointer is null or unaligned.

Examples

use std::ptr;

let slice: *mut [i8] = ptr::slice_from_raw_parts_mut(ptr::null_mut(), 3);
assert_eq!(slice.len(), 3);

pub const fn is_empty(self) -> bool

Returns true if the raw slice has a length of 0.

Examples

use std::ptr;

let slice: *mut [i8] = ptr::slice_from_raw_parts_mut(ptr::null_mut(), 3);
assert!(!slice.is_empty());

pub const fn as_mut_array<const N: usize>(self) -> Option<*mut [T; N]>

Gets a raw, mutable pointer to the underlying array.

If N is not exactly equal to the length of self, then this method returns None.

pub unsafe fn split_at_mut(self, mid: usize) -> (*mut [T], *mut [T])

🔬This is a nightly-only experimental API. (raw_slice_split #95595)

Divides one mutable raw slice into two at an index.

The first will contain all indices from [0, mid) (excluding the index mid itself) and the second will contain all indices from [mid, len) (excluding the index len itself).

Panics

Panics if mid > len.

Safety

mid must be in-bounds of the underlying allocation. Which means self must be dereferenceable and span a single allocation that is at least mid * size_of::<T>() bytes long. Not upholding these requirements is undefined behavior even if the resulting pointers are not used.

Since len being in-bounds it is not a safety invariant of *mut [T] the safety requirements of this method are the same as for split_at_mut_unchecked. The explicit bounds check is only as useful as len is correct.

Examples

#![feature(raw_slice_split)]
#![feature(slice_ptr_get)]

let mut v = [1, 0, 3, 0, 5, 6];
let ptr = &mut v as *mut [_];
unsafe {
    let (left, right) = ptr.split_at_mut(2);
    assert_eq!(&*left, [1, 0]);
    assert_eq!(&*right, [3, 0, 5, 6]);
}

pub unsafe fn split_at_mut_unchecked(self, mid: usize) -> (*mut [T], *mut [T])

🔬This is a nightly-only experimental API. (raw_slice_split #95595)

Divides one mutable raw slice into two at an index, without doing bounds checking.

The first will contain all indices from [0, mid) (excluding the index mid itself) and the second will contain all indices from [mid, len) (excluding the index len itself).

Safety

mid must be in-bounds of the underlying allocation. Which means self must be dereferenceable and span a single allocation that is at least mid * size_of::<T>() bytes long. Not upholding these requirements is undefined behavior even if the resulting pointers are not used.

Examples

#![feature(raw_slice_split)]

let mut v = [1, 0, 3, 0, 5, 6];
// scoped to restrict the lifetime of the borrows
unsafe {
    let ptr = &mut v as *mut [_];
    let (left, right) = ptr.split_at_mut_unchecked(2);
    assert_eq!(&*left, [1, 0]);
    assert_eq!(&*right, [3, 0, 5, 6]);
    (&mut *left)[1] = 2;
    (&mut *right)[1] = 4;
}
assert_eq!(v, [1, 2, 3, 4, 5, 6]);

pub const fn as_mut_ptr(self) -> *mut T

🔬This is a nightly-only experimental API. (slice_ptr_get #74265)

Returns a raw pointer to the slice’s buffer.

This is equivalent to casting self to *mut T, but more type-safe.

Examples

#![feature(slice_ptr_get)]
use std::ptr;

let slice: *mut [i8] = ptr::slice_from_raw_parts_mut(ptr::null_mut(), 3);
assert_eq!(slice.as_mut_ptr(), ptr::null_mut());

impl<T> *mut T

pub const fn cast_array<const N: usize>(self) -> *mut [T; N]

🔬This is a nightly-only experimental API. (ptr_cast_array #144514)

Casts from a pointer-to-T to a pointer-to-[T; N].

Trait Implementations

impl<T: PointeeSized> Clone for *const T

fn clone(&self) -> Self

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

where Self:,

Performs copy-assignment from source.

impl<T: PointeeSized> Clone for *mut T

fn clone(&self) -> Self

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

where Self:,

Performs copy-assignment from source.

impl<T: PointeeSized> Ord for *const T

Pointer comparison is by address, as produced by the [<*const T>::addr](pointer::addr) method.

fn cmp(&self, other: &*const T) -> Ordering

This method returns an Ordering between self and other.

fn max(self, other: Self) -> Self

where Self: Sized,

Compares and returns the maximum of two values.

fn min(self, other: Self) -> Self

where Self: Sized,

Compares and returns the minimum of two values.

fn clamp(self, min: Self, max: Self) -> Self

where Self: Sized,

Restrict a value to a certain interval.

impl<T: PointeeSized> PartialEq for *const T

Pointer equality is by address, as produced by the <*const T>::addr method.

fn eq(&self, other: &*const T) -> bool

Tests for self and other values to be equal, and is used by ==.

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.

impl<T: PointeeSized> PartialEq for *mut T

Pointer equality is by address, as produced by the <*mut T>::addr method.

fn eq(&self, other: &*mut T) -> bool

Tests for self and other values to be equal, and is used by ==.

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.

impl<T: PointeeSized> PartialOrd for *const T

Pointer comparison is by address, as produced by the [<*const T>::addr](pointer::addr) method.

fn partial_cmp(&self, other: &*const T) -> Option<Ordering>

This method returns an ordering between self and other values if one exists.

fn lt(&self, other: &*const T) -> bool

Tests less than (for self and other) and is used by the < operator.

fn le(&self, other: &*const T) -> bool

Tests less than or equal to (for self and other) and is used by the <= operator.

fn gt(&self, other: &*const T) -> bool

Tests greater than (for self and other) and is used by the > operator.

fn ge(&self, other: &*const T) -> bool

Tests greater than or equal to (for self and other) and is used by the >= operator.

impl<'a, T: PointeeSized + Unsize<U>, U: PointeeSized> CoerceUnsized<*const U> for &'a T

impl<'a, T: PointeeSized + Unsize<U>, U: PointeeSized> CoerceUnsized<*const U> for &'a mut T

impl<T: PointeeSized + Unsize<U>, U: PointeeSized> CoerceUnsized<*const U> for *const T

impl<T: PointeeSized + Unsize<U>, U: PointeeSized> CoerceUnsized<*const U> for *mut T

impl<'a, T: PointeeSized + Unsize<U>, U: PointeeSized> CoerceUnsized<*mut U> for &'a mut T

impl<T: PointeeSized + Unsize<U>, U: PointeeSized> CoerceUnsized<*mut U> for *mut T

impl<T: PointeeSized> Copy for *const T

impl<T: PointeeSized> Copy for *mut T

impl<T: PointeeSized + Unsize<U>, U: PointeeSized> DispatchFromDyn<*const U> for *const T

impl<T: PointeeSized + Unsize<U>, U: PointeeSized> DispatchFromDyn<*mut U> for *mut T

impl<T: PointeeSized> Eq for *const T

Pointer equality is an equivalence relation.

impl<T: PointeeSized> Eq for *mut T

Pointer equality is an equivalence relation.

impl<T: PointeeSized> Freeze for *const T

impl<T: PointeeSized> Freeze for *mut T

impl<T: PointeeSized> !Send for *const T

impl<T: PointeeSized> !Send for *mut T