core/ptr/mod.rs
1//! Manually manage memory through raw pointers.
2//!
3//! *[See also the pointer primitive types](pointer).*
4//!
5//! # Safety
6//!
7//! Many functions in this module take raw pointers as arguments and read from or write to them. For
8//! this to be safe, these pointers must be *valid* for the given access. Whether a pointer is valid
9//! depends on the operation it is used for (read or write), and the extent of the memory that is
10//! accessed (i.e., how many bytes are read/written) -- it makes no sense to ask "is this pointer
11//! valid"; one has to ask "is this pointer valid for a given access". Most functions use `*mut T`
12//! and `*const T` to access only a single value, in which case the documentation omits the size and
13//! implicitly assumes it to be `size_of::<T>()` bytes.
14//!
15//! The precise rules for validity are not determined yet. The guarantees that are
16//! provided at this point are very minimal:
17//!
18//! * For memory accesses of [size zero][zst], *every* pointer is valid, including the [null]
19//! pointer. The following points are only concerned with non-zero-sized accesses.
20//! * A [null] pointer is *never* valid.
21//! * For a pointer to be valid, it is necessary, but not always sufficient, that the pointer be
22//! *dereferenceable*. The [provenance] of the pointer is used to determine which [allocation]
23//! it is derived from; a pointer is dereferenceable if the memory range of the given size
24//! starting at the pointer is entirely contained within the bounds of that allocation. Note
25//! that in Rust, every (stack-allocated) variable is considered a separate allocation.
26//! * All accesses performed by functions in this module are *non-atomic* in the sense
27//! of [atomic operations] used to synchronize between threads. This means it is
28//! undefined behavior to perform two concurrent accesses to the same location from different
29//! threads unless both accesses only read from memory. Notice that this explicitly
30//! includes [`read_volatile`] and [`write_volatile`]: Volatile accesses cannot
31//! be used for inter-thread synchronization, regardless of whether they are acting on
32//! Rust memory or not.
33//! * The result of casting a reference to a pointer is valid for as long as the
34//! underlying allocation is live and no reference (just raw pointers) is used to
35//! access the same memory. That is, reference and pointer accesses cannot be
36//! interleaved.
37//!
38//! These axioms, along with careful use of [`offset`] for pointer arithmetic,
39//! are enough to correctly implement many useful things in unsafe code. Stronger guarantees
40//! will be provided eventually, as the [aliasing] rules are being determined. For more
41//! information, see the [book] as well as the section in the reference devoted
42//! to [undefined behavior][ub].
43//!
44//! We say that a pointer is "dangling" if it is not valid for any non-zero-sized accesses. This
45//! means out-of-bounds pointers, pointers to freed memory, null pointers, and pointers created with
46//! [`NonNull::dangling`] are all dangling.
47//!
48//! ## Alignment
49//!
50//! Valid raw pointers as defined above are not necessarily properly aligned (where
51//! "proper" alignment is defined by the pointee type, i.e., `*const T` must be
52//! aligned to `align_of::<T>()`). However, most functions require their
53//! arguments to be properly aligned, and will explicitly state
54//! this requirement in their documentation. Notable exceptions to this are
55//! [`read_unaligned`] and [`write_unaligned`].
56//!
57//! When a function requires proper alignment, it does so even if the access
58//! has size 0, i.e., even if memory is not actually touched. Consider using
59//! [`NonNull::dangling`] in such cases.
60//!
61//! ## Pointer to reference conversion
62//!
63//! When converting a pointer to a reference (e.g. via `&*ptr` or `&mut *ptr`),
64//! there are several rules that must be followed:
65//!
66//! * The pointer must be properly aligned.
67//!
68//! * It must be non-null.
69//!
70//! * It must be "dereferenceable" in the sense defined above.
71//!
72//! * The pointer must point to a [valid value] of type `T`.
73//!
74//! * You must enforce Rust's aliasing rules. The exact aliasing rules are not decided yet, so we
75//! only give a rough overview here. The rules also depend on whether a mutable or a shared
76//! reference is being created.
77//! * When creating a mutable reference, then while this reference exists, the memory it points to
78//! must not get accessed (read or written) through any other pointer or reference not derived
79//! from this reference.
80//! * When creating a shared reference, then while this reference exists, the memory it points to
81//! must not get mutated (except inside `UnsafeCell`).
82//!
83//! If a pointer follows all of these rules, it is said to be
84//! *convertible to a (mutable or shared) reference*.
85// ^ we use this term instead of saying that the produced reference must
86// be valid, as the validity of a reference is easily confused for the
87// validity of the thing it refers to, and while the two concepts are
88// closely related, they are not identical.
89//!
90//! These rules apply even if the result is unused!
91//! (The part about being initialized is not yet fully decided, but until
92//! it is, the only safe approach is to ensure that they are indeed initialized.)
93//!
94//! An example of the implications of the above rules is that an expression such
95//! as `unsafe { &*(0 as *const u8) }` is Immediate Undefined Behavior.
96//!
97//! [valid value]: ../../reference/behavior-considered-undefined.html#invalid-values
98//!
99//! ## Allocation
100//!
101//! <a id="allocated-object"></a> <!-- keep old URLs working -->
102//!
103//! An *allocation* is a subset of program memory which is addressable
104//! from Rust, and within which pointer arithmetic is possible. Examples of
105//! allocations include heap allocations, stack-allocated variables,
106//! statics, and consts. The safety preconditions of some Rust operations -
107//! such as `offset` and field projections (`expr.field`) - are defined in
108//! terms of the allocations on which they operate.
109//!
110//! An allocation has a base address, a size, and a set of memory
111//! addresses. It is possible for an allocation to have zero size, but
112//! such an allocation will still have a base address. The base address
113//! of an allocation is not necessarily unique. While it is currently the
114//! case that an allocation always has a set of memory addresses which is
115//! fully contiguous (i.e., has no "holes"), there is no guarantee that this
116//! will not change in the future.
117//!
118//! Allocations must behave like "normal" memory: in particular, reads must not have
119//! side-effects, and writes must become visible to other threads using the usual synchronization
120//! primitives.
121//!
122//! For any allocation with `base` address, `size`, and a set of
123//! `addresses`, the following are guaranteed:
124//! - For all addresses `a` in `addresses`, `a` is in the range `base .. (base +
125//! size)` (note that this requires `a < base + size`, not `a <= base + size`)
126//! - `base` is not equal to [`null()`] (i.e., the address with the numerical
127//! value 0)
128//! - `base + size <= usize::MAX`
129//! - `size <= isize::MAX`
130//!
131//! As a consequence of these guarantees, given any address `a` within the set
132//! of addresses of an allocation:
133//! - It is guaranteed that `a - base` does not overflow `isize`
134//! - It is guaranteed that `a - base` is non-negative
135//! - It is guaranteed that, given `o = a - base` (i.e., the offset of `a` within
136//! the allocation), `base + o` will not wrap around the address space (in
137//! other words, will not overflow `usize`)
138//!
139//! [`null()`]: null
140//!
141//! # Provenance
142//!
143//! Pointers are not *simply* an "integer" or "address". For instance, it's uncontroversial
144//! to say that a Use After Free is clearly Undefined Behavior, even if you "get lucky"
145//! and the freed memory gets reallocated before your read/write (in fact this is the
146//! worst-case scenario, UAFs would be much less concerning if this didn't happen!).
147//! As another example, consider that [`wrapping_offset`] is documented to "remember"
148//! the allocation that the original pointer points to, even if it is offset far
149//! outside the memory range occupied by that allocation.
150//! To rationalize claims like this, pointers need to somehow be *more* than just their addresses:
151//! they must have **provenance**.
152//!
153//! A pointer value in Rust semantically contains the following information:
154//!
155//! * The **address** it points to, which can be represented by a `usize`.
156//! * The **provenance** it has, defining the memory it has permission to access. Provenance can be
157//! absent, in which case the pointer does not have permission to access any memory.
158//!
159//! The exact structure of provenance is not yet specified, but the permission defined by a
160//! pointer's provenance have a *spatial* component, a *temporal* component, and a *mutability*
161//! component:
162//!
163//! * Spatial: The set of memory addresses that the pointer is allowed to access.
164//! * Temporal: The timespan during which the pointer is allowed to access those memory addresses.
165//! * Mutability: Whether the pointer may only access the memory for reads, or also access it for
166//! writes. Note that this can interact with the other components, e.g. a pointer might permit
167//! mutation only for a subset of addresses, or only for a subset of its maximal timespan.
168//!
169//! When an [allocation] is created, it has a unique Original Pointer. For alloc
170//! APIs this is literally the pointer the call returns, and for local variables and statics,
171//! this is the name of the variable/static. (This is mildly overloading the term "pointer"
172//! for the sake of brevity/exposition.)
173//!
174//! The Original Pointer for an allocation has provenance that constrains the *spatial*
175//! permissions of this pointer to the memory range of the allocation, and the *temporal*
176//! permissions to the lifetime of the allocation. Provenance is implicitly inherited by all
177//! pointers transitively derived from the Original Pointer through operations like [`offset`],
178//! borrowing, and pointer casts. Some operations may *shrink* the permissions of the derived
179//! provenance, limiting how much memory it can access or how long it's valid for (i.e. borrowing a
180//! subfield and subslicing can shrink the spatial component of provenance, and all borrowing can
181//! shrink the temporal component of provenance). However, no operation can ever *grow* the
182//! permissions of the derived provenance: even if you "know" there is a larger allocation, you
183//! can't derive a pointer with a larger provenance. Similarly, you cannot "recombine" two
184//! contiguous provenances back into one (i.e. with a `fn merge(&[T], &[T]) -> &[T]`).
185//!
186//! A reference to a place always has provenance over at least the memory that place occupies.
187//! A reference to a slice always has provenance over at least the range that slice describes.
188//! Whether and when exactly the provenance of a reference gets "shrunk" to *exactly* fit
189//! the memory it points to is not yet determined.
190//!
191//! A *shared* reference only ever has provenance that permits reading from memory,
192//! and never permits writes, except inside [`UnsafeCell`].
193//!
194//! Provenance can affect whether a program has undefined behavior:
195//!
196//! * It is undefined behavior to access memory through a pointer that does not have provenance over
197//! that memory. Note that a pointer "at the end" of its provenance is not actually outside its
198//! provenance, it just has 0 bytes it can load/store. Zero-sized accesses do not require any
199//! provenance since they access an empty range of memory.
200//!
201//! * It is undefined behavior to [`offset`] a pointer across a memory range that is not contained
202//! in the allocation it is derived from, or to [`offset_from`] two pointers not derived
203//! from the same allocation. Provenance is used to say what exactly "derived from" even
204//! means: the lineage of a pointer is traced back to the Original Pointer it descends from, and
205//! that identifies the relevant allocation. In particular, it's always UB to offset a
206//! pointer derived from something that is now deallocated, except if the offset is 0.
207//!
208//! But it *is* still sound to:
209//!
210//! * Create a pointer without provenance from just an address (see [`without_provenance`]). Such a
211//! pointer cannot be used for memory accesses (except for zero-sized accesses). This can still be
212//! useful for sentinel values like `null` *or* to represent a tagged pointer that will never be
213//! dereferenceable. In general, it is always sound for an integer to pretend to be a pointer "for
214//! fun" as long as you don't use operations on it which require it to be valid (non-zero-sized
215//! offset, read, write, etc).
216//!
217//! * Forge an allocation of size zero at any sufficiently aligned non-null address.
218//! i.e. the usual "ZSTs are fake, do what you want" rules apply.
219//!
220//! * [`wrapping_offset`] a pointer outside its provenance. This includes pointers
221//! which have "no" provenance. In particular, this makes it sound to do pointer tagging tricks.
222//!
223//! * Compare arbitrary pointers by address. Pointer comparison ignores provenance and addresses
224//! *are* just integers, so there is always a coherent answer, even if the pointers are dangling
225//! or from different provenances. Note that if you get "lucky" and notice that a pointer at the
226//! end of one allocation is the "same" address as the start of another allocation,
227//! anything you do with that fact is *probably* going to be gibberish. The scope of that
228//! gibberish is kept under control by the fact that the two pointers *still* aren't allowed to
229//! access the other's allocation (bytes), because they still have different provenance.
230//!
231//! Note that the full definition of provenance in Rust is not decided yet, as this interacts
232//! with the as-yet undecided [aliasing] rules.
233//!
234//! ## Pointers Vs Integers
235//!
236//! From this discussion, it becomes very clear that a `usize` *cannot* accurately represent a pointer,
237//! and converting from a pointer to a `usize` is generally an operation which *only* extracts the
238//! address. Converting this address back into pointer requires somehow answering the question:
239//! which provenance should the resulting pointer have?
240//!
241//! Rust provides two ways of dealing with this situation: *Strict Provenance* and *Exposed Provenance*.
242//!
243//! Note that a pointer *can* represent a `usize` (via [`without_provenance`]), so the right type to
244//! use in situations where a value is "sometimes a pointer and sometimes a bare `usize`" is a
245//! pointer type.
246//!
247//! ## Strict Provenance
248//!
249//! "Strict Provenance" refers to a set of APIs designed to make working with provenance more
250//! explicit. They are intended as substitutes for casting a pointer to an integer and back.
251//!
252//! Entirely avoiding integer-to-pointer casts successfully side-steps the inherent ambiguity of
253//! that operation. This benefits compiler optimizations, and it is pretty much a requirement for
254//! using tools like [Miri] and architectures like [CHERI] that aim to detect and diagnose pointer
255//! misuse.
256//!
257//! The key insight to making programming without integer-to-pointer casts *at all* viable is the
258//! [`with_addr`] method:
259//!
260//! ```text
261//! /// Creates a new pointer with the given address.
262//! ///
263//! /// This performs the same operation as an `addr as ptr` cast, but copies
264//! /// the *provenance* of `self` to the new pointer.
265//! /// This allows us to dynamically preserve and propagate this important
266//! /// information in a way that is otherwise impossible with a unary cast.
267//! ///
268//! /// This is equivalent to using `wrapping_offset` to offset `self` to the
269//! /// given address, and therefore has all the same capabilities and restrictions.
270//! pub fn with_addr(self, addr: usize) -> Self;
271//! ```
272//!
273//! So you're still able to drop down to the address representation and do whatever
274//! clever bit tricks you want *as long as* you're able to keep around a pointer
275//! into the allocation you care about that can "reconstitute" the provenance.
276//! Usually this is very easy, because you only are taking a pointer, messing with the address,
277//! and then immediately converting back to a pointer. To make this use case more ergonomic,
278//! we provide the [`map_addr`] method.
279//!
280//! To help make it clear that code is "following" Strict Provenance semantics, we also provide an
281//! [`addr`] method which promises that the returned address is not part of a
282//! pointer-integer-pointer roundtrip. In the future we may provide a lint for pointer<->integer
283//! casts to help you audit if your code conforms to strict provenance.
284//!
285//! ### Using Strict Provenance
286//!
287//! Most code needs no changes to conform to strict provenance, as the only really concerning
288//! operation is casts from `usize` to a pointer. For code which *does* cast a `usize` to a pointer,
289//! the scope of the change depends on exactly what you're doing.
290//!
291//! In general, you just need to make sure that if you want to convert a `usize` address to a
292//! pointer and then use that pointer to read/write memory, you need to keep around a pointer
293//! that has sufficient provenance to perform that read/write itself. In this way all of your
294//! casts from an address to a pointer are essentially just applying offsets/indexing.
295//!
296//! This is generally trivial to do for simple cases like tagged pointers *as long as you
297//! represent the tagged pointer as an actual pointer and not a `usize`*. For instance:
298//!
299//! ```
300//! unsafe {
301//! // A flag we want to pack into our pointer
302//! static HAS_DATA: usize = 0x1;
303//! static FLAG_MASK: usize = !HAS_DATA;
304//!
305//! // Our value, which must have enough alignment to have spare least-significant-bits.
306//! let my_precious_data: u32 = 17;
307//! assert!(align_of::<u32>() > 1);
308//!
309//! // Create a tagged pointer
310//! let ptr = &my_precious_data as *const u32;
311//! let tagged = ptr.map_addr(|addr| addr | HAS_DATA);
312//!
313//! // Check the flag:
314//! if tagged.addr() & HAS_DATA != 0 {
315//! // Untag and read the pointer
316//! let data = *tagged.map_addr(|addr| addr & FLAG_MASK);
317//! assert_eq!(data, 17);
318//! } else {
319//! unreachable!()
320//! }
321//! }
322//! ```
323//!
324//! (Yes, if you've been using [`AtomicUsize`] for pointers in concurrent datastructures, you should
325//! be using [`AtomicPtr`] instead. If that messes up the way you atomically manipulate pointers,
326//! we would like to know why, and what needs to be done to fix it.)
327//!
328//! Situations where a valid pointer *must* be created from just an address, such as baremetal code
329//! accessing a memory-mapped interface at a fixed address, cannot currently be handled with strict
330//! provenance APIs and should use [exposed provenance](#exposed-provenance).
331//!
332//! ## Exposed Provenance
333//!
334//! As discussed above, integer-to-pointer casts are not possible with Strict Provenance APIs.
335//! This is by design: the goal of Strict Provenance is to provide a clear specification that we are
336//! confident can be formalized unambiguously and can be subject to precise formal reasoning.
337//! Integer-to-pointer casts do not (currently) have such a clear specification.
338//!
339//! However, there exist situations where integer-to-pointer casts cannot be avoided, or
340//! where avoiding them would require major refactoring. Legacy platform APIs also regularly assume
341//! that `usize` can capture all the information that makes up a pointer.
342//! Bare-metal platforms can also require the synthesis of a pointer "out of thin air" without
343//! anywhere to obtain proper provenance from.
344//!
345//! Rust's model for dealing with integer-to-pointer casts is called *Exposed Provenance*. However,
346//! the semantics of Exposed Provenance are on much less solid footing than Strict Provenance, and
347//! at this point it is not yet clear whether a satisfying unambiguous semantics can be defined for
348//! Exposed Provenance. (If that sounds bad, be reassured that other popular languages that provide
349//! integer-to-pointer casts are not faring any better.) Furthermore, Exposed Provenance will not
350//! work (well) with tools like [Miri] and [CHERI].
351//!
352//! Exposed Provenance is provided by the [`expose_provenance`] and [`with_exposed_provenance`] methods,
353//! which are equivalent to `as` casts between pointers and integers.
354//! - [`expose_provenance`] is a lot like [`addr`], but additionally adds the provenance of the
355//! pointer to a global list of 'exposed' provenances. (This list is purely conceptual, it exists
356//! for the purpose of specifying Rust but is not materialized in actual executions, except in
357//! tools like [Miri].)
358//! Memory which is outside the control of the Rust abstract machine (MMIO registers, for example)
359//! is always considered to be exposed, so long as this memory is disjoint from memory that will
360//! be used by the abstract machine such as the stack, heap, and statics.
361//! - [`with_exposed_provenance`] can be used to construct a pointer with one of these previously
362//! 'exposed' provenances. [`with_exposed_provenance`] takes only `addr: usize` as arguments, so
363//! unlike in [`with_addr`] there is no indication of what the correct provenance for the returned
364//! pointer is -- and that is exactly what makes integer-to-pointer casts so tricky to rigorously
365//! specify! The compiler will do its best to pick the right provenance for you, but currently we
366//! cannot provide any guarantees about which provenance the resulting pointer will have. Only one
367//! thing is clear: if there is *no* previously 'exposed' provenance that justifies the way the
368//! returned pointer will be used, the program has undefined behavior.
369//!
370//! If at all possible, we encourage code to be ported to [Strict Provenance] APIs, thus avoiding
371//! the need for Exposed Provenance. Maximizing the amount of such code is a major win for avoiding
372//! specification complexity and to facilitate adoption of tools like [CHERI] and [Miri] that can be
373//! a big help in increasing the confidence in (unsafe) Rust code. However, we acknowledge that this
374//! is not always possible, and offer Exposed Provenance as a way to explicit "opt out" of the
375//! well-defined semantics of Strict Provenance, and "opt in" to the unclear semantics of
376//! integer-to-pointer casts.
377//!
378//! [aliasing]: ../../nomicon/aliasing.html
379//! [allocation]: #allocation
380//! [provenance]: #provenance
381//! [book]: ../../book/ch19-01-unsafe-rust.html#dereferencing-a-raw-pointer
382//! [ub]: ../../reference/behavior-considered-undefined.html
383//! [zst]: ../../nomicon/exotic-sizes.html#zero-sized-types-zsts
384//! [atomic operations]: crate::sync::atomic
385//! [`offset`]: pointer::offset
386//! [`offset_from`]: pointer::offset_from
387//! [`wrapping_offset`]: pointer::wrapping_offset
388//! [`with_addr`]: pointer::with_addr
389//! [`map_addr`]: pointer::map_addr
390//! [`addr`]: pointer::addr
391//! [`AtomicUsize`]: crate::sync::atomic::AtomicUsize
392//! [`AtomicPtr`]: crate::sync::atomic::AtomicPtr
393//! [`expose_provenance`]: pointer::expose_provenance
394//! [`with_exposed_provenance`]: with_exposed_provenance
395//! [Miri]: https://github.com/rust-lang/miri
396//! [CHERI]: https://www.cl.cam.ac.uk/research/security/ctsrd/cheri/
397//! [Strict Provenance]: #strict-provenance
398//! [`UnsafeCell`]: core::cell::UnsafeCell
399
400#![stable(feature = "rust1", since = "1.0.0")]
401// There are many unsafe functions taking pointers that don't dereference them.
402#![allow(clippy::not_unsafe_ptr_arg_deref)]
403
404#[cfg(not(feature = "ferrocene_certified"))]
405use crate::cmp::Ordering;
406#[cfg(not(feature = "ferrocene_certified"))]
407use crate::intrinsics::const_eval_select;
408#[cfg(not(feature = "ferrocene_certified"))]
409use crate::marker::{FnPtr, PointeeSized};
410#[cfg(not(feature = "ferrocene_certified"))]
411use crate::mem::{self, MaybeUninit, SizedTypeProperties};
412#[cfg(not(feature = "ferrocene_certified"))]
413use crate::num::NonZero;
414#[cfg(not(feature = "ferrocene_certified"))]
415use crate::{fmt, hash, intrinsics, ub_checks};
416#[cfg(feature = "ferrocene_certified")]
417use crate::{intrinsics, marker::PointeeSized, mem};
418#[cfg(all(debug_assertions, feature = "ferrocene_certified"))]
419use crate::{mem::SizedTypeProperties, ub_checks};
420
421mod alignment;
422#[unstable(feature = "ptr_alignment_type", issue = "102070")]
423pub use alignment::Alignment;
424
425mod metadata;
426#[unstable(feature = "ptr_metadata", issue = "81513")]
427#[cfg(not(feature = "ferrocene_certified"))]
428pub use metadata::{DynMetadata, Pointee, Thin, from_raw_parts, from_raw_parts_mut, metadata};
429#[unstable(feature = "ptr_metadata", issue = "81513")]
430#[cfg(feature = "ferrocene_certified")]
431pub use metadata::{Pointee, Thin, from_raw_parts, from_raw_parts_mut};
432
433mod non_null;
434#[stable(feature = "nonnull", since = "1.25.0")]
435pub use non_null::NonNull;
436
437#[cfg(not(feature = "ferrocene_certified"))]
438mod unique;
439#[unstable(feature = "ptr_internals", issue = "none")]
440#[cfg(not(feature = "ferrocene_certified"))]
441pub use unique::Unique;
442
443mod const_ptr;
444mod mut_ptr;
445
446// Some functions are defined here because they accidentally got made
447// available in this module on stable. See <https://github.com/rust-lang/rust/issues/15702>.
448// (`transmute` also falls into this category, but it cannot be wrapped due to the
449// check that `T` and `U` have the same size.)
450
451/// Copies `count * size_of::<T>()` bytes from `src` to `dst`. The source
452/// and destination must *not* overlap.
453///
454/// For regions of memory which might overlap, use [`copy`] instead.
455///
456/// `copy_nonoverlapping` is semantically equivalent to C's [`memcpy`], but
457/// with the source and destination arguments swapped,
458/// and `count` counting the number of `T`s instead of bytes.
459///
460/// The copy is "untyped" in the sense that data may be uninitialized or otherwise violate the
461/// requirements of `T`. The initialization state is preserved exactly.
462///
463/// [`memcpy`]: https://en.cppreference.com/w/c/string/byte/memcpy
464///
465/// # Safety
466///
467/// Behavior is undefined if any of the following conditions are violated:
468///
469/// * `src` must be [valid] for reads of `count * size_of::<T>()` bytes.
470///
471/// * `dst` must be [valid] for writes of `count * size_of::<T>()` bytes.
472///
473/// * Both `src` and `dst` must be properly aligned.
474///
475/// * The region of memory beginning at `src` with a size of `count *
476/// size_of::<T>()` bytes must *not* overlap with the region of memory
477/// beginning at `dst` with the same size.
478///
479/// Like [`read`], `copy_nonoverlapping` creates a bitwise copy of `T`, regardless of
480/// whether `T` is [`Copy`]. If `T` is not [`Copy`], using *both* the values
481/// in the region beginning at `*src` and the region beginning at `*dst` can
482/// [violate memory safety][read-ownership].
483///
484/// Note that even if the effectively copied size (`count * size_of::<T>()`) is
485/// `0`, the pointers must be properly aligned.
486///
487/// [`read`]: crate::ptr::read
488/// [read-ownership]: crate::ptr::read#ownership-of-the-returned-value
489/// [valid]: crate::ptr#safety
490///
491/// # Examples
492///
493/// Manually implement [`Vec::append`]:
494///
495/// ```
496/// use std::ptr;
497///
498/// /// Moves all the elements of `src` into `dst`, leaving `src` empty.
499/// fn append<T>(dst: &mut Vec<T>, src: &mut Vec<T>) {
500/// let src_len = src.len();
501/// let dst_len = dst.len();
502///
503/// // Ensure that `dst` has enough capacity to hold all of `src`.
504/// dst.reserve(src_len);
505///
506/// unsafe {
507/// // The call to add is always safe because `Vec` will never
508/// // allocate more than `isize::MAX` bytes.
509/// let dst_ptr = dst.as_mut_ptr().add(dst_len);
510/// let src_ptr = src.as_ptr();
511///
512/// // Truncate `src` without dropping its contents. We do this first,
513/// // to avoid problems in case something further down panics.
514/// src.set_len(0);
515///
516/// // The two regions cannot overlap because mutable references do
517/// // not alias, and two different vectors cannot own the same
518/// // memory.
519/// ptr::copy_nonoverlapping(src_ptr, dst_ptr, src_len);
520///
521/// // Notify `dst` that it now holds the contents of `src`.
522/// dst.set_len(dst_len + src_len);
523/// }
524/// }
525///
526/// let mut a = vec!['r'];
527/// let mut b = vec!['u', 's', 't'];
528///
529/// append(&mut a, &mut b);
530///
531/// assert_eq!(a, &['r', 'u', 's', 't']);
532/// assert!(b.is_empty());
533/// ```
534///
535/// [`Vec::append`]: ../../std/vec/struct.Vec.html#method.append
536#[doc(alias = "memcpy")]
537#[stable(feature = "rust1", since = "1.0.0")]
538#[rustc_const_stable(feature = "const_intrinsic_copy", since = "1.83.0")]
539#[inline(always)]
540#[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
541#[rustc_diagnostic_item = "ptr_copy_nonoverlapping"]
542#[cfg(not(feature = "ferrocene_certified"))]
543pub const unsafe fn copy_nonoverlapping<T>(src: *const T, dst: *mut T, count: usize) {
544 ub_checks::assert_unsafe_precondition!(
545 check_language_ub,
546 "ptr::copy_nonoverlapping requires that both pointer arguments are aligned and non-null \
547 and the specified memory ranges do not overlap",
548 (
549 src: *const () = src as *const (),
550 dst: *mut () = dst as *mut (),
551 size: usize = size_of::<T>(),
552 align: usize = align_of::<T>(),
553 count: usize = count,
554 ) => {
555 let zero_size = count == 0 || size == 0;
556 ub_checks::maybe_is_aligned_and_not_null(src, align, zero_size)
557 && ub_checks::maybe_is_aligned_and_not_null(dst, align, zero_size)
558 && ub_checks::maybe_is_nonoverlapping(src, dst, size, count)
559 }
560 );
561
562 // SAFETY: the safety contract for `copy_nonoverlapping` must be
563 // upheld by the caller.
564 unsafe { crate::intrinsics::copy_nonoverlapping(src, dst, count) }
565}
566
567/// Copies `count * size_of::<T>()` bytes from `src` to `dst`. The source
568/// and destination may overlap.
569///
570/// If the source and destination will *never* overlap,
571/// [`copy_nonoverlapping`] can be used instead.
572///
573/// `copy` is semantically equivalent to C's [`memmove`], but
574/// with the source and destination arguments swapped,
575/// and `count` counting the number of `T`s instead of bytes.
576/// Copying takes place as if the bytes were copied from `src`
577/// to a temporary array and then copied from the array to `dst`.
578///
579/// The copy is "untyped" in the sense that data may be uninitialized or otherwise violate the
580/// requirements of `T`. The initialization state is preserved exactly.
581///
582/// [`memmove`]: https://en.cppreference.com/w/c/string/byte/memmove
583///
584/// # Safety
585///
586/// Behavior is undefined if any of the following conditions are violated:
587///
588/// * `src` must be [valid] for reads of `count * size_of::<T>()` bytes.
589///
590/// * `dst` must be [valid] for writes of `count * size_of::<T>()` bytes, and must remain valid even
591/// when `src` is read for `count * size_of::<T>()` bytes. (This means if the memory ranges
592/// overlap, the `dst` pointer must not be invalidated by `src` reads.)
593///
594/// * Both `src` and `dst` must be properly aligned.
595///
596/// Like [`read`], `copy` creates a bitwise copy of `T`, regardless of
597/// whether `T` is [`Copy`]. If `T` is not [`Copy`], using both the values
598/// in the region beginning at `*src` and the region beginning at `*dst` can
599/// [violate memory safety][read-ownership].
600///
601/// Note that even if the effectively copied size (`count * size_of::<T>()`) is
602/// `0`, the pointers must be properly aligned.
603///
604/// [`read`]: crate::ptr::read
605/// [read-ownership]: crate::ptr::read#ownership-of-the-returned-value
606/// [valid]: crate::ptr#safety
607///
608/// # Examples
609///
610/// Efficiently create a Rust vector from an unsafe buffer:
611///
612/// ```
613/// use std::ptr;
614///
615/// /// # Safety
616/// ///
617/// /// * `ptr` must be correctly aligned for its type and non-zero.
618/// /// * `ptr` must be valid for reads of `elts` contiguous elements of type `T`.
619/// /// * Those elements must not be used after calling this function unless `T: Copy`.
620/// # #[allow(dead_code)]
621/// unsafe fn from_buf_raw<T>(ptr: *const T, elts: usize) -> Vec<T> {
622/// let mut dst = Vec::with_capacity(elts);
623///
624/// // SAFETY: Our precondition ensures the source is aligned and valid,
625/// // and `Vec::with_capacity` ensures that we have usable space to write them.
626/// unsafe { ptr::copy(ptr, dst.as_mut_ptr(), elts); }
627///
628/// // SAFETY: We created it with this much capacity earlier,
629/// // and the previous `copy` has initialized these elements.
630/// unsafe { dst.set_len(elts); }
631/// dst
632/// }
633/// ```
634#[doc(alias = "memmove")]
635#[stable(feature = "rust1", since = "1.0.0")]
636#[rustc_const_stable(feature = "const_intrinsic_copy", since = "1.83.0")]
637#[inline(always)]
638#[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
639#[rustc_diagnostic_item = "ptr_copy"]
640#[cfg(not(feature = "ferrocene_certified"))]
641pub const unsafe fn copy<T>(src: *const T, dst: *mut T, count: usize) {
642 // SAFETY: the safety contract for `copy` must be upheld by the caller.
643 unsafe {
644 ub_checks::assert_unsafe_precondition!(
645 check_language_ub,
646 "ptr::copy requires that both pointer arguments are aligned and non-null",
647 (
648 src: *const () = src as *const (),
649 dst: *mut () = dst as *mut (),
650 align: usize = align_of::<T>(),
651 zero_size: bool = T::IS_ZST || count == 0,
652 ) =>
653 ub_checks::maybe_is_aligned_and_not_null(src, align, zero_size)
654 && ub_checks::maybe_is_aligned_and_not_null(dst, align, zero_size)
655 );
656 crate::intrinsics::copy(src, dst, count)
657 }
658}
659
660/// Sets `count * size_of::<T>()` bytes of memory starting at `dst` to
661/// `val`.
662///
663/// `write_bytes` is similar to C's [`memset`], but sets `count *
664/// size_of::<T>()` bytes to `val`.
665///
666/// [`memset`]: https://en.cppreference.com/w/c/string/byte/memset
667///
668/// # Safety
669///
670/// Behavior is undefined if any of the following conditions are violated:
671///
672/// * `dst` must be [valid] for writes of `count * size_of::<T>()` bytes.
673///
674/// * `dst` must be properly aligned.
675///
676/// Note that even if the effectively copied size (`count * size_of::<T>()`) is
677/// `0`, the pointer must be properly aligned.
678///
679/// Additionally, note that changing `*dst` in this way can easily lead to undefined behavior (UB)
680/// later if the written bytes are not a valid representation of some `T`. For instance, the
681/// following is an **incorrect** use of this function:
682///
683/// ```rust,no_run
684/// unsafe {
685/// let mut value: u8 = 0;
686/// let ptr: *mut bool = &mut value as *mut u8 as *mut bool;
687/// let _bool = ptr.read(); // This is fine, `ptr` points to a valid `bool`.
688/// ptr.write_bytes(42u8, 1); // This function itself does not cause UB...
689/// let _bool = ptr.read(); // ...but it makes this operation UB! ⚠️
690/// }
691/// ```
692///
693/// [valid]: crate::ptr#safety
694///
695/// # Examples
696///
697/// Basic usage:
698///
699/// ```
700/// use std::ptr;
701///
702/// let mut vec = vec![0u32; 4];
703/// unsafe {
704/// let vec_ptr = vec.as_mut_ptr();
705/// ptr::write_bytes(vec_ptr, 0xfe, 2);
706/// }
707/// assert_eq!(vec, [0xfefefefe, 0xfefefefe, 0, 0]);
708/// ```
709#[doc(alias = "memset")]
710#[stable(feature = "rust1", since = "1.0.0")]
711#[rustc_const_stable(feature = "const_ptr_write", since = "1.83.0")]
712#[inline(always)]
713#[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
714#[rustc_diagnostic_item = "ptr_write_bytes"]
715#[cfg(not(feature = "ferrocene_certified"))]
716pub const unsafe fn write_bytes<T>(dst: *mut T, val: u8, count: usize) {
717 // SAFETY: the safety contract for `write_bytes` must be upheld by the caller.
718 unsafe {
719 ub_checks::assert_unsafe_precondition!(
720 check_language_ub,
721 "ptr::write_bytes requires that the destination pointer is aligned and non-null",
722 (
723 addr: *const () = dst as *const (),
724 align: usize = align_of::<T>(),
725 zero_size: bool = T::IS_ZST || count == 0,
726 ) => ub_checks::maybe_is_aligned_and_not_null(addr, align, zero_size)
727 );
728 crate::intrinsics::write_bytes(dst, val, count)
729 }
730}
731
732/// Executes the destructor (if any) of the pointed-to value.
733///
734/// This is almost the same as calling [`ptr::read`] and discarding
735/// the result, but has the following advantages:
736// FIXME: say something more useful than "almost the same"?
737// There are open questions here: `read` requires the value to be fully valid, e.g. if `T` is a
738// `bool` it must be 0 or 1, if it is a reference then it must be dereferenceable. `drop_in_place`
739// only requires that `*to_drop` be "valid for dropping" and we have not defined what that means. In
740// Miri it currently (May 2024) requires nothing at all for types without drop glue.
741///
742/// * It is *required* to use `drop_in_place` to drop unsized types like
743/// trait objects, because they can't be read out onto the stack and
744/// dropped normally.
745///
746/// * It is friendlier to the optimizer to do this over [`ptr::read`] when
747/// dropping manually allocated memory (e.g., in the implementations of
748/// `Box`/`Rc`/`Vec`), as the compiler doesn't need to prove that it's
749/// sound to elide the copy.
750///
751/// * It can be used to drop [pinned] data when `T` is not `repr(packed)`
752/// (pinned data must not be moved before it is dropped).
753///
754/// Unaligned values cannot be dropped in place, they must be copied to an aligned
755/// location first using [`ptr::read_unaligned`]. For packed structs, this move is
756/// done automatically by the compiler. This means the fields of packed structs
757/// are not dropped in-place.
758///
759/// [`ptr::read`]: self::read
760/// [`ptr::read_unaligned`]: self::read_unaligned
761/// [pinned]: crate::pin
762///
763/// # Safety
764///
765/// Behavior is undefined if any of the following conditions are violated:
766///
767/// * `to_drop` must be [valid] for both reads and writes.
768///
769/// * `to_drop` must be properly aligned, even if `T` has size 0.
770///
771/// * `to_drop` must be nonnull, even if `T` has size 0.
772///
773/// * The value `to_drop` points to must be valid for dropping, which may mean
774/// it must uphold additional invariants. These invariants depend on the type
775/// of the value being dropped. For instance, when dropping a Box, the box's
776/// pointer to the heap must be valid.
777///
778/// * While `drop_in_place` is executing, the only way to access parts of
779/// `to_drop` is through the `&mut self` references supplied to the
780/// `Drop::drop` methods that `drop_in_place` invokes.
781///
782/// Additionally, if `T` is not [`Copy`], using the pointed-to value after
783/// calling `drop_in_place` can cause undefined behavior. Note that `*to_drop =
784/// foo` counts as a use because it will cause the value to be dropped
785/// again. [`write()`] can be used to overwrite data without causing it to be
786/// dropped.
787///
788/// [valid]: self#safety
789///
790/// # Examples
791///
792/// Manually remove the last item from a vector:
793///
794/// ```
795/// use std::ptr;
796/// use std::rc::Rc;
797///
798/// let last = Rc::new(1);
799/// let weak = Rc::downgrade(&last);
800///
801/// let mut v = vec![Rc::new(0), last];
802///
803/// unsafe {
804/// // Get a raw pointer to the last element in `v`.
805/// let ptr = &mut v[1] as *mut _;
806/// // Shorten `v` to prevent the last item from being dropped. We do that first,
807/// // to prevent issues if the `drop_in_place` below panics.
808/// v.set_len(1);
809/// // Without a call `drop_in_place`, the last item would never be dropped,
810/// // and the memory it manages would be leaked.
811/// ptr::drop_in_place(ptr);
812/// }
813///
814/// assert_eq!(v, &[0.into()]);
815///
816/// // Ensure that the last item was dropped.
817/// assert!(weak.upgrade().is_none());
818/// ```
819#[stable(feature = "drop_in_place", since = "1.8.0")]
820#[lang = "drop_in_place"]
821#[allow(unconditional_recursion)]
822#[rustc_diagnostic_item = "ptr_drop_in_place"]
823#[cfg(not(feature = "ferrocene_certified"))]
824pub unsafe fn drop_in_place<T: PointeeSized>(to_drop: *mut T) {
825 // Code here does not matter - this is replaced by the
826 // real drop glue by the compiler.
827
828 // SAFETY: see comment above
829 unsafe { drop_in_place(to_drop) }
830}
831
832/// Creates a null raw pointer.
833///
834/// This function is equivalent to zero-initializing the pointer:
835/// `MaybeUninit::<*const T>::zeroed().assume_init()`.
836/// The resulting pointer has the address 0.
837///
838/// # Examples
839///
840/// ```
841/// use std::ptr;
842///
843/// let p: *const i32 = ptr::null();
844/// assert!(p.is_null());
845/// assert_eq!(p as usize, 0); // this pointer has the address 0
846/// ```
847#[inline(always)]
848#[must_use]
849#[stable(feature = "rust1", since = "1.0.0")]
850#[rustc_promotable]
851#[rustc_const_stable(feature = "const_ptr_null", since = "1.24.0")]
852#[rustc_diagnostic_item = "ptr_null"]
853pub const fn null<T: PointeeSized + Thin>() -> *const T {
854 from_raw_parts(without_provenance::<()>(0), ())
855}
856
857/// Creates a null mutable raw pointer.
858///
859/// This function is equivalent to zero-initializing the pointer:
860/// `MaybeUninit::<*mut T>::zeroed().assume_init()`.
861/// The resulting pointer has the address 0.
862///
863/// # Examples
864///
865/// ```
866/// use std::ptr;
867///
868/// let p: *mut i32 = ptr::null_mut();
869/// assert!(p.is_null());
870/// assert_eq!(p as usize, 0); // this pointer has the address 0
871/// ```
872#[inline(always)]
873#[must_use]
874#[stable(feature = "rust1", since = "1.0.0")]
875#[rustc_promotable]
876#[rustc_const_stable(feature = "const_ptr_null", since = "1.24.0")]
877#[rustc_diagnostic_item = "ptr_null_mut"]
878pub const fn null_mut<T: PointeeSized + Thin>() -> *mut T {
879 from_raw_parts_mut(without_provenance_mut::<()>(0), ())
880}
881
882/// Creates a pointer with the given address and no [provenance][crate::ptr#provenance].
883///
884/// This is equivalent to `ptr::null().with_addr(addr)`.
885///
886/// Without provenance, this pointer is not associated with any actual allocation. Such a
887/// no-provenance pointer may be used for zero-sized memory accesses (if suitably aligned), but
888/// non-zero-sized memory accesses with a no-provenance pointer are UB. No-provenance pointers are
889/// little more than a `usize` address in disguise.
890///
891/// This is different from `addr as *const T`, which creates a pointer that picks up a previously
892/// exposed provenance. See [`with_exposed_provenance`] for more details on that operation.
893///
894/// This is a [Strict Provenance][crate::ptr#strict-provenance] API.
895#[inline(always)]
896#[must_use]
897#[stable(feature = "strict_provenance", since = "1.84.0")]
898#[rustc_const_stable(feature = "strict_provenance", since = "1.84.0")]
899pub const fn without_provenance<T>(addr: usize) -> *const T {
900 without_provenance_mut(addr)
901}
902
903/// Creates a new pointer that is dangling, but non-null and well-aligned.
904///
905/// This is useful for initializing types which lazily allocate, like
906/// `Vec::new` does.
907///
908/// Note that the address of the returned pointer may potentially
909/// be that of a valid pointer, which means this must not be used
910/// as a "not yet initialized" sentinel value.
911/// Types that lazily allocate must track initialization by some other means.
912#[inline(always)]
913#[must_use]
914#[stable(feature = "strict_provenance", since = "1.84.0")]
915#[rustc_const_stable(feature = "strict_provenance", since = "1.84.0")]
916#[cfg(not(feature = "ferrocene_certified"))]
917pub const fn dangling<T>() -> *const T {
918 dangling_mut()
919}
920
921/// Creates a pointer with the given address and no [provenance][crate::ptr#provenance].
922///
923/// This is equivalent to `ptr::null_mut().with_addr(addr)`.
924///
925/// Without provenance, this pointer is not associated with any actual allocation. Such a
926/// no-provenance pointer may be used for zero-sized memory accesses (if suitably aligned), but
927/// non-zero-sized memory accesses with a no-provenance pointer are UB. No-provenance pointers are
928/// little more than a `usize` address in disguise.
929///
930/// This is different from `addr as *mut T`, which creates a pointer that picks up a previously
931/// exposed provenance. See [`with_exposed_provenance_mut`] for more details on that operation.
932///
933/// This is a [Strict Provenance][crate::ptr#strict-provenance] API.
934#[inline(always)]
935#[must_use]
936#[stable(feature = "strict_provenance", since = "1.84.0")]
937#[rustc_const_stable(feature = "strict_provenance", since = "1.84.0")]
938#[allow(integer_to_ptr_transmutes)] // Expected semantics here.
939pub const fn without_provenance_mut<T>(addr: usize) -> *mut T {
940 // An int-to-pointer transmute currently has exactly the intended semantics: it creates a
941 // pointer without provenance. Note that this is *not* a stable guarantee about transmute
942 // semantics, it relies on sysroot crates having special status.
943 // SAFETY: every valid integer is also a valid pointer (as long as you don't dereference that
944 // pointer).
945 unsafe { mem::transmute(addr) }
946}
947
948/// Creates a new pointer that is dangling, but non-null and well-aligned.
949///
950/// This is useful for initializing types which lazily allocate, like
951/// `Vec::new` does.
952///
953/// Note that the address of the returned pointer may potentially
954/// be that of a valid pointer, which means this must not be used
955/// as a "not yet initialized" sentinel value.
956/// Types that lazily allocate must track initialization by some other means.
957#[inline(always)]
958#[must_use]
959#[stable(feature = "strict_provenance", since = "1.84.0")]
960#[rustc_const_stable(feature = "strict_provenance", since = "1.84.0")]
961#[cfg(not(feature = "ferrocene_certified"))]
962pub const fn dangling_mut<T>() -> *mut T {
963 NonNull::dangling().as_ptr()
964}
965
966/// Converts an address back to a pointer, picking up some previously 'exposed'
967/// [provenance][crate::ptr#provenance].
968///
969/// This is fully equivalent to `addr as *const T`. The provenance of the returned pointer is that
970/// of *some* pointer that was previously exposed by passing it to
971/// [`expose_provenance`][pointer::expose_provenance], or a `ptr as usize` cast. In addition, memory
972/// which is outside the control of the Rust abstract machine (MMIO registers, for example) is
973/// always considered to be accessible with an exposed provenance, so long as this memory is disjoint
974/// from memory that will be used by the abstract machine such as the stack, heap, and statics.
975///
976/// The exact provenance that gets picked is not specified. The compiler will do its best to pick
977/// the "right" provenance for you (whatever that may be), but currently we cannot provide any
978/// guarantees about which provenance the resulting pointer will have -- and therefore there
979/// is no definite specification for which memory the resulting pointer may access.
980///
981/// If there is *no* previously 'exposed' provenance that justifies the way the returned pointer
982/// will be used, the program has undefined behavior. In particular, the aliasing rules still apply:
983/// pointers and references that have been invalidated due to aliasing accesses cannot be used
984/// anymore, even if they have been exposed!
985///
986/// Due to its inherent ambiguity, this operation may not be supported by tools that help you to
987/// stay conformant with the Rust memory model. It is recommended to use [Strict
988/// Provenance][self#strict-provenance] APIs such as [`with_addr`][pointer::with_addr] wherever
989/// possible.
990///
991/// On most platforms this will produce a value with the same bytes as the address. Platforms
992/// which need to store additional information in a pointer may not support this operation,
993/// since it is generally not possible to actually *compute* which provenance the returned
994/// pointer has to pick up.
995///
996/// This is an [Exposed Provenance][crate::ptr#exposed-provenance] API.
997#[must_use]
998#[inline(always)]
999#[stable(feature = "exposed_provenance", since = "1.84.0")]
1000#[rustc_const_stable(feature = "const_exposed_provenance", since = "CURRENT_RUSTC_VERSION")]
1001#[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
1002#[allow(fuzzy_provenance_casts)] // this *is* the explicit provenance API one should use instead
1003#[cfg(not(feature = "ferrocene_certified"))]
1004pub const fn with_exposed_provenance<T>(addr: usize) -> *const T {
1005 addr as *const T
1006}
1007
1008/// Converts an address back to a mutable pointer, picking up some previously 'exposed'
1009/// [provenance][crate::ptr#provenance].
1010///
1011/// This is fully equivalent to `addr as *mut T`. The provenance of the returned pointer is that
1012/// of *some* pointer that was previously exposed by passing it to
1013/// [`expose_provenance`][pointer::expose_provenance], or a `ptr as usize` cast. In addition, memory
1014/// which is outside the control of the Rust abstract machine (MMIO registers, for example) is
1015/// always considered to be accessible with an exposed provenance, so long as this memory is disjoint
1016/// from memory that will be used by the abstract machine such as the stack, heap, and statics.
1017///
1018/// The exact provenance that gets picked is not specified. The compiler will do its best to pick
1019/// the "right" provenance for you (whatever that may be), but currently we cannot provide any
1020/// guarantees about which provenance the resulting pointer will have -- and therefore there
1021/// is no definite specification for which memory the resulting pointer may access.
1022///
1023/// If there is *no* previously 'exposed' provenance that justifies the way the returned pointer
1024/// will be used, the program has undefined behavior. In particular, the aliasing rules still apply:
1025/// pointers and references that have been invalidated due to aliasing accesses cannot be used
1026/// anymore, even if they have been exposed!
1027///
1028/// Due to its inherent ambiguity, this operation may not be supported by tools that help you to
1029/// stay conformant with the Rust memory model. It is recommended to use [Strict
1030/// Provenance][self#strict-provenance] APIs such as [`with_addr`][pointer::with_addr] wherever
1031/// possible.
1032///
1033/// On most platforms this will produce a value with the same bytes as the address. Platforms
1034/// which need to store additional information in a pointer may not support this operation,
1035/// since it is generally not possible to actually *compute* which provenance the returned
1036/// pointer has to pick up.
1037///
1038/// This is an [Exposed Provenance][crate::ptr#exposed-provenance] API.
1039#[must_use]
1040#[inline(always)]
1041#[stable(feature = "exposed_provenance", since = "1.84.0")]
1042#[rustc_const_stable(feature = "const_exposed_provenance", since = "CURRENT_RUSTC_VERSION")]
1043#[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
1044#[allow(fuzzy_provenance_casts)] // this *is* the explicit provenance API one should use instead
1045#[cfg(not(feature = "ferrocene_certified"))]
1046pub const fn with_exposed_provenance_mut<T>(addr: usize) -> *mut T {
1047 addr as *mut T
1048}
1049
1050/// Converts a reference to a raw pointer.
1051///
1052/// For `r: &T`, `from_ref(r)` is equivalent to `r as *const T` (except for the caveat noted below),
1053/// but is a bit safer since it will never silently change type or mutability, in particular if the
1054/// code is refactored.
1055///
1056/// The caller must ensure that the pointee outlives the pointer this function returns, or else it
1057/// will end up dangling.
1058///
1059/// The caller must also ensure that the memory the pointer (non-transitively) points to is never
1060/// written to (except inside an `UnsafeCell`) using this pointer or any pointer derived from it. If
1061/// you need to mutate the pointee, use [`from_mut`]. Specifically, to turn a mutable reference `m:
1062/// &mut T` into `*const T`, prefer `from_mut(m).cast_const()` to obtain a pointer that can later be
1063/// used for mutation.
1064///
1065/// ## Interaction with lifetime extension
1066///
1067/// Note that this has subtle interactions with the rules for lifetime extension of temporaries in
1068/// tail expressions. This code is valid, albeit in a non-obvious way:
1069/// ```rust
1070/// # type T = i32;
1071/// # fn foo() -> T { 42 }
1072/// // The temporary holding the return value of `foo` has its lifetime extended,
1073/// // because the surrounding expression involves no function call.
1074/// let p = &foo() as *const T;
1075/// unsafe { p.read() };
1076/// ```
1077/// Naively replacing the cast with `from_ref` is not valid:
1078/// ```rust,no_run
1079/// # use std::ptr;
1080/// # type T = i32;
1081/// # fn foo() -> T { 42 }
1082/// // The temporary holding the return value of `foo` does *not* have its lifetime extended,
1083/// // because the surrounding expression involves a function call.
1084/// let p = ptr::from_ref(&foo());
1085/// unsafe { p.read() }; // UB! Reading from a dangling pointer ⚠️
1086/// ```
1087/// The recommended way to write this code is to avoid relying on lifetime extension
1088/// when raw pointers are involved:
1089/// ```rust
1090/// # use std::ptr;
1091/// # type T = i32;
1092/// # fn foo() -> T { 42 }
1093/// let x = foo();
1094/// let p = ptr::from_ref(&x);
1095/// unsafe { p.read() };
1096/// ```
1097#[inline(always)]
1098#[must_use]
1099#[stable(feature = "ptr_from_ref", since = "1.76.0")]
1100#[rustc_const_stable(feature = "ptr_from_ref", since = "1.76.0")]
1101#[rustc_never_returns_null_ptr]
1102#[rustc_diagnostic_item = "ptr_from_ref"]
1103#[cfg(not(feature = "ferrocene_certified"))]
1104pub const fn from_ref<T: PointeeSized>(r: &T) -> *const T {
1105 r
1106}
1107
1108/// Converts a mutable reference to a raw pointer.
1109///
1110/// For `r: &mut T`, `from_mut(r)` is equivalent to `r as *mut T` (except for the caveat noted
1111/// below), but is a bit safer since it will never silently change type or mutability, in particular
1112/// if the code is refactored.
1113///
1114/// The caller must ensure that the pointee outlives the pointer this function returns, or else it
1115/// will end up dangling.
1116///
1117/// ## Interaction with lifetime extension
1118///
1119/// Note that this has subtle interactions with the rules for lifetime extension of temporaries in
1120/// tail expressions. This code is valid, albeit in a non-obvious way:
1121/// ```rust
1122/// # type T = i32;
1123/// # fn foo() -> T { 42 }
1124/// // The temporary holding the return value of `foo` has its lifetime extended,
1125/// // because the surrounding expression involves no function call.
1126/// let p = &mut foo() as *mut T;
1127/// unsafe { p.write(T::default()) };
1128/// ```
1129/// Naively replacing the cast with `from_mut` is not valid:
1130/// ```rust,no_run
1131/// # use std::ptr;
1132/// # type T = i32;
1133/// # fn foo() -> T { 42 }
1134/// // The temporary holding the return value of `foo` does *not* have its lifetime extended,
1135/// // because the surrounding expression involves a function call.
1136/// let p = ptr::from_mut(&mut foo());
1137/// unsafe { p.write(T::default()) }; // UB! Writing to a dangling pointer ⚠️
1138/// ```
1139/// The recommended way to write this code is to avoid relying on lifetime extension
1140/// when raw pointers are involved:
1141/// ```rust
1142/// # use std::ptr;
1143/// # type T = i32;
1144/// # fn foo() -> T { 42 }
1145/// let mut x = foo();
1146/// let p = ptr::from_mut(&mut x);
1147/// unsafe { p.write(T::default()) };
1148/// ```
1149#[inline(always)]
1150#[must_use]
1151#[stable(feature = "ptr_from_ref", since = "1.76.0")]
1152#[rustc_const_stable(feature = "ptr_from_ref", since = "1.76.0")]
1153#[rustc_never_returns_null_ptr]
1154#[cfg(not(feature = "ferrocene_certified"))]
1155pub const fn from_mut<T: PointeeSized>(r: &mut T) -> *mut T {
1156 r
1157}
1158
1159/// Forms a raw slice from a pointer and a length.
1160///
1161/// The `len` argument is the number of **elements**, not the number of bytes.
1162///
1163/// This function is safe, but actually using the return value is unsafe.
1164/// See the documentation of [`slice::from_raw_parts`] for slice safety requirements.
1165///
1166/// [`slice::from_raw_parts`]: crate::slice::from_raw_parts
1167///
1168/// # Examples
1169///
1170/// ```rust
1171/// use std::ptr;
1172///
1173/// // create a slice pointer when starting out with a pointer to the first element
1174/// let x = [5, 6, 7];
1175/// let raw_pointer = x.as_ptr();
1176/// let slice = ptr::slice_from_raw_parts(raw_pointer, 3);
1177/// assert_eq!(unsafe { &*slice }[2], 7);
1178/// ```
1179///
1180/// You must ensure that the pointer is valid and not null before dereferencing
1181/// the raw slice. A slice reference must never have a null pointer, even if it's empty.
1182///
1183/// ```rust,should_panic
1184/// use std::ptr;
1185/// let danger: *const [u8] = ptr::slice_from_raw_parts(ptr::null(), 0);
1186/// unsafe {
1187/// danger.as_ref().expect("references must not be null");
1188/// }
1189/// ```
1190#[inline]
1191#[stable(feature = "slice_from_raw_parts", since = "1.42.0")]
1192#[rustc_const_stable(feature = "const_slice_from_raw_parts", since = "1.64.0")]
1193#[rustc_diagnostic_item = "ptr_slice_from_raw_parts"]
1194#[cfg(not(feature = "ferrocene_certified"))]
1195pub const fn slice_from_raw_parts<T>(data: *const T, len: usize) -> *const [T] {
1196 from_raw_parts(data, len)
1197}
1198
1199/// Forms a raw mutable slice from a pointer and a length.
1200///
1201/// The `len` argument is the number of **elements**, not the number of bytes.
1202///
1203/// Performs the same functionality as [`slice_from_raw_parts`], except that a
1204/// raw mutable slice is returned, as opposed to a raw immutable slice.
1205///
1206/// This function is safe, but actually using the return value is unsafe.
1207/// See the documentation of [`slice::from_raw_parts_mut`] for slice safety requirements.
1208///
1209/// [`slice::from_raw_parts_mut`]: crate::slice::from_raw_parts_mut
1210///
1211/// # Examples
1212///
1213/// ```rust
1214/// use std::ptr;
1215///
1216/// let x = &mut [5, 6, 7];
1217/// let raw_pointer = x.as_mut_ptr();
1218/// let slice = ptr::slice_from_raw_parts_mut(raw_pointer, 3);
1219///
1220/// unsafe {
1221/// (*slice)[2] = 99; // assign a value at an index in the slice
1222/// };
1223///
1224/// assert_eq!(unsafe { &*slice }[2], 99);
1225/// ```
1226///
1227/// You must ensure that the pointer is valid and not null before dereferencing
1228/// the raw slice. A slice reference must never have a null pointer, even if it's empty.
1229///
1230/// ```rust,should_panic
1231/// use std::ptr;
1232/// let danger: *mut [u8] = ptr::slice_from_raw_parts_mut(ptr::null_mut(), 0);
1233/// unsafe {
1234/// danger.as_mut().expect("references must not be null");
1235/// }
1236/// ```
1237#[inline]
1238#[stable(feature = "slice_from_raw_parts", since = "1.42.0")]
1239#[rustc_const_stable(feature = "const_slice_from_raw_parts_mut", since = "1.83.0")]
1240#[rustc_diagnostic_item = "ptr_slice_from_raw_parts_mut"]
1241#[cfg(not(feature = "ferrocene_certified"))]
1242pub const fn slice_from_raw_parts_mut<T>(data: *mut T, len: usize) -> *mut [T] {
1243 from_raw_parts_mut(data, len)
1244}
1245
1246/// Swaps the values at two mutable locations of the same type, without
1247/// deinitializing either.
1248///
1249/// But for the following exceptions, this function is semantically
1250/// equivalent to [`mem::swap`]:
1251///
1252/// * It operates on raw pointers instead of references. When references are
1253/// available, [`mem::swap`] should be preferred.
1254///
1255/// * The two pointed-to values may overlap. If the values do overlap, then the
1256/// overlapping region of memory from `x` will be used. This is demonstrated
1257/// in the second example below.
1258///
1259/// * The operation is "untyped" in the sense that data may be uninitialized or otherwise violate
1260/// the requirements of `T`. The initialization state is preserved exactly.
1261///
1262/// # Safety
1263///
1264/// Behavior is undefined if any of the following conditions are violated:
1265///
1266/// * Both `x` and `y` must be [valid] for both reads and writes. They must remain valid even when the
1267/// other pointer is written. (This means if the memory ranges overlap, the two pointers must not
1268/// be subject to aliasing restrictions relative to each other.)
1269///
1270/// * Both `x` and `y` must be properly aligned.
1271///
1272/// Note that even if `T` has size `0`, the pointers must be properly aligned.
1273///
1274/// [valid]: self#safety
1275///
1276/// # Examples
1277///
1278/// Swapping two non-overlapping regions:
1279///
1280/// ```
1281/// use std::ptr;
1282///
1283/// let mut array = [0, 1, 2, 3];
1284///
1285/// let (x, y) = array.split_at_mut(2);
1286/// let x = x.as_mut_ptr().cast::<[u32; 2]>(); // this is `array[0..2]`
1287/// let y = y.as_mut_ptr().cast::<[u32; 2]>(); // this is `array[2..4]`
1288///
1289/// unsafe {
1290/// ptr::swap(x, y);
1291/// assert_eq!([2, 3, 0, 1], array);
1292/// }
1293/// ```
1294///
1295/// Swapping two overlapping regions:
1296///
1297/// ```
1298/// use std::ptr;
1299///
1300/// let mut array: [i32; 4] = [0, 1, 2, 3];
1301///
1302/// let array_ptr: *mut i32 = array.as_mut_ptr();
1303///
1304/// let x = array_ptr as *mut [i32; 3]; // this is `array[0..3]`
1305/// let y = unsafe { array_ptr.add(1) } as *mut [i32; 3]; // this is `array[1..4]`
1306///
1307/// unsafe {
1308/// ptr::swap(x, y);
1309/// // The indices `1..3` of the slice overlap between `x` and `y`.
1310/// // Reasonable results would be for to them be `[2, 3]`, so that indices `0..3` are
1311/// // `[1, 2, 3]` (matching `y` before the `swap`); or for them to be `[0, 1]`
1312/// // so that indices `1..4` are `[0, 1, 2]` (matching `x` before the `swap`).
1313/// // This implementation is defined to make the latter choice.
1314/// assert_eq!([1, 0, 1, 2], array);
1315/// }
1316/// ```
1317#[inline]
1318#[stable(feature = "rust1", since = "1.0.0")]
1319#[rustc_const_stable(feature = "const_swap", since = "1.85.0")]
1320#[rustc_diagnostic_item = "ptr_swap"]
1321#[cfg(not(feature = "ferrocene_certified"))]
1322pub const unsafe fn swap<T>(x: *mut T, y: *mut T) {
1323 // Give ourselves some scratch space to work with.
1324 // We do not have to worry about drops: `MaybeUninit` does nothing when dropped.
1325 let mut tmp = MaybeUninit::<T>::uninit();
1326
1327 // Perform the swap
1328 // SAFETY: the caller must guarantee that `x` and `y` are
1329 // valid for writes and properly aligned. `tmp` cannot be
1330 // overlapping either `x` or `y` because `tmp` was just allocated
1331 // on the stack as a separate allocation.
1332 unsafe {
1333 copy_nonoverlapping(x, tmp.as_mut_ptr(), 1);
1334 copy(y, x, 1); // `x` and `y` may overlap
1335 copy_nonoverlapping(tmp.as_ptr(), y, 1);
1336 }
1337}
1338
1339/// Swaps `count * size_of::<T>()` bytes between the two regions of memory
1340/// beginning at `x` and `y`. The two regions must *not* overlap.
1341///
1342/// The operation is "untyped" in the sense that data may be uninitialized or otherwise violate the
1343/// requirements of `T`. The initialization state is preserved exactly.
1344///
1345/// # Safety
1346///
1347/// Behavior is undefined if any of the following conditions are violated:
1348///
1349/// * Both `x` and `y` must be [valid] for both reads and writes of `count *
1350/// size_of::<T>()` bytes.
1351///
1352/// * Both `x` and `y` must be properly aligned.
1353///
1354/// * The region of memory beginning at `x` with a size of `count *
1355/// size_of::<T>()` bytes must *not* overlap with the region of memory
1356/// beginning at `y` with the same size.
1357///
1358/// Note that even if the effectively copied size (`count * size_of::<T>()`) is `0`,
1359/// the pointers must be properly aligned.
1360///
1361/// [valid]: self#safety
1362///
1363/// # Examples
1364///
1365/// Basic usage:
1366///
1367/// ```
1368/// use std::ptr;
1369///
1370/// let mut x = [1, 2, 3, 4];
1371/// let mut y = [7, 8, 9];
1372///
1373/// unsafe {
1374/// ptr::swap_nonoverlapping(x.as_mut_ptr(), y.as_mut_ptr(), 2);
1375/// }
1376///
1377/// assert_eq!(x, [7, 8, 3, 4]);
1378/// assert_eq!(y, [1, 2, 9]);
1379/// ```
1380///
1381/// # Const evaluation limitations
1382///
1383/// If this function is invoked during const-evaluation, the current implementation has a small (and
1384/// rarely relevant) limitation: if `count` is at least 2 and the data pointed to by `x` or `y`
1385/// contains a pointer that crosses the boundary of two `T`-sized chunks of memory, the function may
1386/// fail to evaluate (similar to a panic during const-evaluation). This behavior may change in the
1387/// future.
1388///
1389/// The limitation is illustrated by the following example:
1390///
1391/// ```
1392/// use std::mem::size_of;
1393/// use std::ptr;
1394///
1395/// const { unsafe {
1396/// const PTR_SIZE: usize = size_of::<*const i32>();
1397/// let mut data1 = [0u8; PTR_SIZE];
1398/// let mut data2 = [0u8; PTR_SIZE];
1399/// // Store a pointer in `data1`.
1400/// data1.as_mut_ptr().cast::<*const i32>().write_unaligned(&42);
1401/// // Swap the contents of `data1` and `data2` by swapping `PTR_SIZE` many `u8`-sized chunks.
1402/// // This call will fail, because the pointer in `data1` crosses the boundary
1403/// // between several of the 1-byte chunks that are being swapped here.
1404/// //ptr::swap_nonoverlapping(data1.as_mut_ptr(), data2.as_mut_ptr(), PTR_SIZE);
1405/// // Swap the contents of `data1` and `data2` by swapping a single chunk of size
1406/// // `[u8; PTR_SIZE]`. That works, as there is no pointer crossing the boundary between
1407/// // two chunks.
1408/// ptr::swap_nonoverlapping(&mut data1, &mut data2, 1);
1409/// // Read the pointer from `data2` and dereference it.
1410/// let ptr = data2.as_ptr().cast::<*const i32>().read_unaligned();
1411/// assert!(*ptr == 42);
1412/// } }
1413/// ```
1414#[inline]
1415#[stable(feature = "swap_nonoverlapping", since = "1.27.0")]
1416#[rustc_const_stable(feature = "const_swap_nonoverlapping", since = "1.88.0")]
1417#[rustc_diagnostic_item = "ptr_swap_nonoverlapping"]
1418#[rustc_allow_const_fn_unstable(const_eval_select)] // both implementations behave the same
1419#[track_caller]
1420#[cfg(not(feature = "ferrocene_certified"))]
1421pub const unsafe fn swap_nonoverlapping<T>(x: *mut T, y: *mut T, count: usize) {
1422 ub_checks::assert_unsafe_precondition!(
1423 check_library_ub,
1424 "ptr::swap_nonoverlapping requires that both pointer arguments are aligned and non-null \
1425 and the specified memory ranges do not overlap",
1426 (
1427 x: *mut () = x as *mut (),
1428 y: *mut () = y as *mut (),
1429 size: usize = size_of::<T>(),
1430 align: usize = align_of::<T>(),
1431 count: usize = count,
1432 ) => {
1433 let zero_size = size == 0 || count == 0;
1434 ub_checks::maybe_is_aligned_and_not_null(x, align, zero_size)
1435 && ub_checks::maybe_is_aligned_and_not_null(y, align, zero_size)
1436 && ub_checks::maybe_is_nonoverlapping(x, y, size, count)
1437 }
1438 );
1439
1440 const_eval_select!(
1441 @capture[T] { x: *mut T, y: *mut T, count: usize }:
1442 if const {
1443 // At compile-time we want to always copy this in chunks of `T`, to ensure that if there
1444 // are pointers inside `T` we will copy them in one go rather than trying to copy a part
1445 // of a pointer (which would not work).
1446 // SAFETY: Same preconditions as this function
1447 unsafe { swap_nonoverlapping_const(x, y, count) }
1448 } else {
1449 // Going though a slice here helps codegen know the size fits in `isize`
1450 let slice = slice_from_raw_parts_mut(x, count);
1451 // SAFETY: This is all readable from the pointer, meaning it's one
1452 // allocation, and thus cannot be more than isize::MAX bytes.
1453 let bytes = unsafe { mem::size_of_val_raw::<[T]>(slice) };
1454 if let Some(bytes) = NonZero::new(bytes) {
1455 // SAFETY: These are the same ranges, just expressed in a different
1456 // type, so they're still non-overlapping.
1457 unsafe { swap_nonoverlapping_bytes(x.cast(), y.cast(), bytes) };
1458 }
1459 }
1460 )
1461}
1462
1463/// Same behavior and safety conditions as [`swap_nonoverlapping`]
1464#[inline]
1465#[cfg(not(feature = "ferrocene_certified"))]
1466const unsafe fn swap_nonoverlapping_const<T>(x: *mut T, y: *mut T, count: usize) {
1467 let mut i = 0;
1468 while i < count {
1469 // SAFETY: By precondition, `i` is in-bounds because it's below `n`
1470 let x = unsafe { x.add(i) };
1471 // SAFETY: By precondition, `i` is in-bounds because it's below `n`
1472 // and it's distinct from `x` since the ranges are non-overlapping
1473 let y = unsafe { y.add(i) };
1474
1475 // SAFETY: we're only ever given pointers that are valid to read/write,
1476 // including being aligned, and nothing here panics so it's drop-safe.
1477 unsafe {
1478 // Note that it's critical that these use `copy_nonoverlapping`,
1479 // rather than `read`/`write`, to avoid #134713 if T has padding.
1480 let mut temp = MaybeUninit::<T>::uninit();
1481 copy_nonoverlapping(x, temp.as_mut_ptr(), 1);
1482 copy_nonoverlapping(y, x, 1);
1483 copy_nonoverlapping(temp.as_ptr(), y, 1);
1484 }
1485
1486 i += 1;
1487 }
1488}
1489
1490// Don't let MIR inline this, because we really want it to keep its noalias metadata
1491#[rustc_no_mir_inline]
1492#[inline]
1493#[cfg(not(feature = "ferrocene_certified"))]
1494fn swap_chunk<const N: usize>(x: &mut MaybeUninit<[u8; N]>, y: &mut MaybeUninit<[u8; N]>) {
1495 let a = *x;
1496 let b = *y;
1497 *x = b;
1498 *y = a;
1499}
1500
1501#[inline]
1502#[cfg(not(feature = "ferrocene_certified"))]
1503unsafe fn swap_nonoverlapping_bytes(x: *mut u8, y: *mut u8, bytes: NonZero<usize>) {
1504 // Same as `swap_nonoverlapping::<[u8; N]>`.
1505 unsafe fn swap_nonoverlapping_chunks<const N: usize>(
1506 x: *mut MaybeUninit<[u8; N]>,
1507 y: *mut MaybeUninit<[u8; N]>,
1508 chunks: NonZero<usize>,
1509 ) {
1510 let chunks = chunks.get();
1511 for i in 0..chunks {
1512 // SAFETY: i is in [0, chunks) so the adds and dereferences are in-bounds.
1513 unsafe { swap_chunk(&mut *x.add(i), &mut *y.add(i)) };
1514 }
1515 }
1516
1517 // Same as `swap_nonoverlapping_bytes`, but accepts at most 1+2+4=7 bytes
1518 #[inline]
1519 unsafe fn swap_nonoverlapping_short(x: *mut u8, y: *mut u8, bytes: NonZero<usize>) {
1520 // Tail handling for auto-vectorized code sometimes has element-at-a-time behaviour,
1521 // see <https://github.com/rust-lang/rust/issues/134946>.
1522 // By swapping as different sizes, rather than as a loop over bytes,
1523 // we make sure not to end up with, say, seven byte-at-a-time copies.
1524
1525 let bytes = bytes.get();
1526 let mut i = 0;
1527 macro_rules! swap_prefix {
1528 ($($n:literal)+) => {$(
1529 if (bytes & $n) != 0 {
1530 // SAFETY: `i` can only have the same bits set as those in bytes,
1531 // so these `add`s are in-bounds of `bytes`. But the bit for
1532 // `$n` hasn't been set yet, so the `$n` bytes that `swap_chunk`
1533 // will read and write are within the usable range.
1534 unsafe { swap_chunk::<$n>(&mut*x.add(i).cast(), &mut*y.add(i).cast()) };
1535 i |= $n;
1536 }
1537 )+};
1538 }
1539 swap_prefix!(4 2 1);
1540 debug_assert_eq!(i, bytes);
1541 }
1542
1543 const CHUNK_SIZE: usize = size_of::<*const ()>();
1544 let bytes = bytes.get();
1545
1546 let chunks = bytes / CHUNK_SIZE;
1547 let tail = bytes % CHUNK_SIZE;
1548 if let Some(chunks) = NonZero::new(chunks) {
1549 // SAFETY: this is bytes/CHUNK_SIZE*CHUNK_SIZE bytes, which is <= bytes,
1550 // so it's within the range of our non-overlapping bytes.
1551 unsafe { swap_nonoverlapping_chunks::<CHUNK_SIZE>(x.cast(), y.cast(), chunks) };
1552 }
1553 if let Some(tail) = NonZero::new(tail) {
1554 const { assert!(CHUNK_SIZE <= 8) };
1555 let delta = chunks * CHUNK_SIZE;
1556 // SAFETY: the tail length is below CHUNK SIZE because of the remainder,
1557 // and CHUNK_SIZE is at most 8 by the const assert, so tail <= 7
1558 unsafe { swap_nonoverlapping_short(x.add(delta), y.add(delta), tail) };
1559 }
1560}
1561
1562/// Moves `src` into the pointed `dst`, returning the previous `dst` value.
1563///
1564/// Neither value is dropped.
1565///
1566/// This function is semantically equivalent to [`mem::replace`] except that it
1567/// operates on raw pointers instead of references. When references are
1568/// available, [`mem::replace`] should be preferred.
1569///
1570/// # Safety
1571///
1572/// Behavior is undefined if any of the following conditions are violated:
1573///
1574/// * `dst` must be [valid] for both reads and writes.
1575///
1576/// * `dst` must be properly aligned.
1577///
1578/// * `dst` must point to a properly initialized value of type `T`.
1579///
1580/// Note that even if `T` has size `0`, the pointer must be properly aligned.
1581///
1582/// [valid]: self#safety
1583///
1584/// # Examples
1585///
1586/// ```
1587/// use std::ptr;
1588///
1589/// let mut rust = vec!['b', 'u', 's', 't'];
1590///
1591/// // `mem::replace` would have the same effect without requiring the unsafe
1592/// // block.
1593/// let b = unsafe {
1594/// ptr::replace(&mut rust[0], 'r')
1595/// };
1596///
1597/// assert_eq!(b, 'b');
1598/// assert_eq!(rust, &['r', 'u', 's', 't']);
1599/// ```
1600#[inline]
1601#[stable(feature = "rust1", since = "1.0.0")]
1602#[rustc_const_stable(feature = "const_replace", since = "1.83.0")]
1603#[rustc_diagnostic_item = "ptr_replace"]
1604#[track_caller]
1605#[cfg(not(feature = "ferrocene_certified"))]
1606pub const unsafe fn replace<T>(dst: *mut T, src: T) -> T {
1607 // SAFETY: the caller must guarantee that `dst` is valid to be
1608 // cast to a mutable reference (valid for writes, aligned, initialized),
1609 // and cannot overlap `src` since `dst` must point to a distinct
1610 // allocation.
1611 unsafe {
1612 ub_checks::assert_unsafe_precondition!(
1613 check_language_ub,
1614 "ptr::replace requires that the pointer argument is aligned and non-null",
1615 (
1616 addr: *const () = dst as *const (),
1617 align: usize = align_of::<T>(),
1618 is_zst: bool = T::IS_ZST,
1619 ) => ub_checks::maybe_is_aligned_and_not_null(addr, align, is_zst)
1620 );
1621 mem::replace(&mut *dst, src)
1622 }
1623}
1624
1625/// Reads the value from `src` without moving it. This leaves the
1626/// memory in `src` unchanged.
1627///
1628/// # Safety
1629///
1630/// Behavior is undefined if any of the following conditions are violated:
1631///
1632/// * `src` must be [valid] for reads.
1633///
1634/// * `src` must be properly aligned. Use [`read_unaligned`] if this is not the
1635/// case.
1636///
1637/// * `src` must point to a properly initialized value of type `T`.
1638///
1639/// Note that even if `T` has size `0`, the pointer must be properly aligned.
1640///
1641/// # Examples
1642///
1643/// Basic usage:
1644///
1645/// ```
1646/// let x = 12;
1647/// let y = &x as *const i32;
1648///
1649/// unsafe {
1650/// assert_eq!(std::ptr::read(y), 12);
1651/// }
1652/// ```
1653///
1654/// Manually implement [`mem::swap`]:
1655///
1656/// ```
1657/// use std::ptr;
1658///
1659/// fn swap<T>(a: &mut T, b: &mut T) {
1660/// unsafe {
1661/// // Create a bitwise copy of the value at `a` in `tmp`.
1662/// let tmp = ptr::read(a);
1663///
1664/// // Exiting at this point (either by explicitly returning or by
1665/// // calling a function which panics) would cause the value in `tmp` to
1666/// // be dropped while the same value is still referenced by `a`. This
1667/// // could trigger undefined behavior if `T` is not `Copy`.
1668///
1669/// // Create a bitwise copy of the value at `b` in `a`.
1670/// // This is safe because mutable references cannot alias.
1671/// ptr::copy_nonoverlapping(b, a, 1);
1672///
1673/// // As above, exiting here could trigger undefined behavior because
1674/// // the same value is referenced by `a` and `b`.
1675///
1676/// // Move `tmp` into `b`.
1677/// ptr::write(b, tmp);
1678///
1679/// // `tmp` has been moved (`write` takes ownership of its second argument),
1680/// // so nothing is dropped implicitly here.
1681/// }
1682/// }
1683///
1684/// let mut foo = "foo".to_owned();
1685/// let mut bar = "bar".to_owned();
1686///
1687/// swap(&mut foo, &mut bar);
1688///
1689/// assert_eq!(foo, "bar");
1690/// assert_eq!(bar, "foo");
1691/// ```
1692///
1693/// ## Ownership of the Returned Value
1694///
1695/// `read` creates a bitwise copy of `T`, regardless of whether `T` is [`Copy`].
1696/// If `T` is not [`Copy`], using both the returned value and the value at
1697/// `*src` can violate memory safety. Note that assigning to `*src` counts as a
1698/// use because it will attempt to drop the value at `*src`.
1699///
1700/// [`write()`] can be used to overwrite data without causing it to be dropped.
1701///
1702/// ```
1703/// use std::ptr;
1704///
1705/// let mut s = String::from("foo");
1706/// unsafe {
1707/// // `s2` now points to the same underlying memory as `s`.
1708/// let mut s2: String = ptr::read(&s);
1709///
1710/// assert_eq!(s2, "foo");
1711///
1712/// // Assigning to `s2` causes its original value to be dropped. Beyond
1713/// // this point, `s` must no longer be used, as the underlying memory has
1714/// // been freed.
1715/// s2 = String::default();
1716/// assert_eq!(s2, "");
1717///
1718/// // Assigning to `s` would cause the old value to be dropped again,
1719/// // resulting in undefined behavior.
1720/// // s = String::from("bar"); // ERROR
1721///
1722/// // `ptr::write` can be used to overwrite a value without dropping it.
1723/// ptr::write(&mut s, String::from("bar"));
1724/// }
1725///
1726/// assert_eq!(s, "bar");
1727/// ```
1728///
1729/// [valid]: self#safety
1730#[inline]
1731#[stable(feature = "rust1", since = "1.0.0")]
1732#[rustc_const_stable(feature = "const_ptr_read", since = "1.71.0")]
1733#[track_caller]
1734#[rustc_diagnostic_item = "ptr_read"]
1735pub const unsafe fn read<T>(src: *const T) -> T {
1736 // It would be semantically correct to implement this via `copy_nonoverlapping`
1737 // and `MaybeUninit`, as was done before PR #109035. Calling `assume_init`
1738 // provides enough information to know that this is a typed operation.
1739
1740 // However, as of March 2023 the compiler was not capable of taking advantage
1741 // of that information. Thus, the implementation here switched to an intrinsic,
1742 // which lowers to `_0 = *src` in MIR, to address a few issues:
1743 //
1744 // - Using `MaybeUninit::assume_init` after a `copy_nonoverlapping` was not
1745 // turning the untyped copy into a typed load. As such, the generated
1746 // `load` in LLVM didn't get various metadata, such as `!range` (#73258),
1747 // `!nonnull`, and `!noundef`, resulting in poorer optimization.
1748 // - Going through the extra local resulted in multiple extra copies, even
1749 // in optimized MIR. (Ignoring StorageLive/Dead, the intrinsic is one
1750 // MIR statement, while the previous implementation was eight.) LLVM
1751 // could sometimes optimize them away, but because `read` is at the core
1752 // of so many things, not having them in the first place improves what we
1753 // hand off to the backend. For example, `mem::replace::<Big>` previously
1754 // emitted 4 `alloca` and 6 `memcpy`s, but is now 1 `alloc` and 3 `memcpy`s.
1755 // - In general, this approach keeps us from getting any more bugs (like
1756 // #106369) that boil down to "`read(p)` is worse than `*p`", as this
1757 // makes them look identical to the backend (or other MIR consumers).
1758 //
1759 // Future enhancements to MIR optimizations might well allow this to return
1760 // to the previous implementation, rather than using an intrinsic.
1761
1762 // SAFETY: the caller must guarantee that `src` is valid for reads.
1763 unsafe {
1764 #[cfg(debug_assertions)] // Too expensive to always enable (for now?)
1765 ub_checks::assert_unsafe_precondition!(
1766 check_language_ub,
1767 "ptr::read requires that the pointer argument is aligned and non-null",
1768 (
1769 addr: *const () = src as *const (),
1770 align: usize = align_of::<T>(),
1771 is_zst: bool = T::IS_ZST,
1772 ) => ub_checks::maybe_is_aligned_and_not_null(addr, align, is_zst)
1773 );
1774 crate::intrinsics::read_via_copy(src)
1775 }
1776}
1777
1778/// Reads the value from `src` without moving it. This leaves the
1779/// memory in `src` unchanged.
1780///
1781/// Unlike [`read`], `read_unaligned` works with unaligned pointers.
1782///
1783/// # Safety
1784///
1785/// Behavior is undefined if any of the following conditions are violated:
1786///
1787/// * `src` must be [valid] for reads.
1788///
1789/// * `src` must point to a properly initialized value of type `T`.
1790///
1791/// Like [`read`], `read_unaligned` creates a bitwise copy of `T`, regardless of
1792/// whether `T` is [`Copy`]. If `T` is not [`Copy`], using both the returned
1793/// value and the value at `*src` can [violate memory safety][read-ownership].
1794///
1795/// [read-ownership]: read#ownership-of-the-returned-value
1796/// [valid]: self#safety
1797///
1798/// ## On `packed` structs
1799///
1800/// Attempting to create a raw pointer to an `unaligned` struct field with
1801/// an expression such as `&packed.unaligned as *const FieldType` creates an
1802/// intermediate unaligned reference before converting that to a raw pointer.
1803/// That this reference is temporary and immediately cast is inconsequential
1804/// as the compiler always expects references to be properly aligned.
1805/// As a result, using `&packed.unaligned as *const FieldType` causes immediate
1806/// *undefined behavior* in your program.
1807///
1808/// Instead you must use the `&raw const` syntax to create the pointer.
1809/// You may use that constructed pointer together with this function.
1810///
1811/// An example of what not to do and how this relates to `read_unaligned` is:
1812///
1813/// ```
1814/// #[repr(packed, C)]
1815/// struct Packed {
1816/// _padding: u8,
1817/// unaligned: u32,
1818/// }
1819///
1820/// let packed = Packed {
1821/// _padding: 0x00,
1822/// unaligned: 0x01020304,
1823/// };
1824///
1825/// // Take the address of a 32-bit integer which is not aligned.
1826/// // In contrast to `&packed.unaligned as *const _`, this has no undefined behavior.
1827/// let unaligned = &raw const packed.unaligned;
1828///
1829/// let v = unsafe { std::ptr::read_unaligned(unaligned) };
1830/// assert_eq!(v, 0x01020304);
1831/// ```
1832///
1833/// Accessing unaligned fields directly with e.g. `packed.unaligned` is safe however.
1834///
1835/// # Examples
1836///
1837/// Read a `usize` value from a byte buffer:
1838///
1839/// ```
1840/// fn read_usize(x: &[u8]) -> usize {
1841/// assert!(x.len() >= size_of::<usize>());
1842///
1843/// let ptr = x.as_ptr() as *const usize;
1844///
1845/// unsafe { ptr.read_unaligned() }
1846/// }
1847/// ```
1848#[inline]
1849#[stable(feature = "ptr_unaligned", since = "1.17.0")]
1850#[rustc_const_stable(feature = "const_ptr_read", since = "1.71.0")]
1851#[track_caller]
1852#[rustc_diagnostic_item = "ptr_read_unaligned"]
1853#[cfg(not(feature = "ferrocene_certified"))]
1854pub const unsafe fn read_unaligned<T>(src: *const T) -> T {
1855 let mut tmp = MaybeUninit::<T>::uninit();
1856 // SAFETY: the caller must guarantee that `src` is valid for reads.
1857 // `src` cannot overlap `tmp` because `tmp` was just allocated on
1858 // the stack as a separate allocation.
1859 //
1860 // Also, since we just wrote a valid value into `tmp`, it is guaranteed
1861 // to be properly initialized.
1862 unsafe {
1863 copy_nonoverlapping(src as *const u8, tmp.as_mut_ptr() as *mut u8, size_of::<T>());
1864 tmp.assume_init()
1865 }
1866}
1867
1868/// Overwrites a memory location with the given value without reading or
1869/// dropping the old value.
1870///
1871/// `write` does not drop the contents of `dst`. This is safe, but it could leak
1872/// allocations or resources, so care should be taken not to overwrite an object
1873/// that should be dropped.
1874///
1875/// Additionally, it does not drop `src`. Semantically, `src` is moved into the
1876/// location pointed to by `dst`.
1877///
1878/// This is appropriate for initializing uninitialized memory, or overwriting
1879/// memory that has previously been [`read`] from.
1880///
1881/// # Safety
1882///
1883/// Behavior is undefined if any of the following conditions are violated:
1884///
1885/// * `dst` must be [valid] for writes.
1886///
1887/// * `dst` must be properly aligned. Use [`write_unaligned`] if this is not the
1888/// case.
1889///
1890/// Note that even if `T` has size `0`, the pointer must be properly aligned.
1891///
1892/// [valid]: self#safety
1893///
1894/// # Examples
1895///
1896/// Basic usage:
1897///
1898/// ```
1899/// let mut x = 0;
1900/// let y = &mut x as *mut i32;
1901/// let z = 12;
1902///
1903/// unsafe {
1904/// std::ptr::write(y, z);
1905/// assert_eq!(std::ptr::read(y), 12);
1906/// }
1907/// ```
1908///
1909/// Manually implement [`mem::swap`]:
1910///
1911/// ```
1912/// use std::ptr;
1913///
1914/// fn swap<T>(a: &mut T, b: &mut T) {
1915/// unsafe {
1916/// // Create a bitwise copy of the value at `a` in `tmp`.
1917/// let tmp = ptr::read(a);
1918///
1919/// // Exiting at this point (either by explicitly returning or by
1920/// // calling a function which panics) would cause the value in `tmp` to
1921/// // be dropped while the same value is still referenced by `a`. This
1922/// // could trigger undefined behavior if `T` is not `Copy`.
1923///
1924/// // Create a bitwise copy of the value at `b` in `a`.
1925/// // This is safe because mutable references cannot alias.
1926/// ptr::copy_nonoverlapping(b, a, 1);
1927///
1928/// // As above, exiting here could trigger undefined behavior because
1929/// // the same value is referenced by `a` and `b`.
1930///
1931/// // Move `tmp` into `b`.
1932/// ptr::write(b, tmp);
1933///
1934/// // `tmp` has been moved (`write` takes ownership of its second argument),
1935/// // so nothing is dropped implicitly here.
1936/// }
1937/// }
1938///
1939/// let mut foo = "foo".to_owned();
1940/// let mut bar = "bar".to_owned();
1941///
1942/// swap(&mut foo, &mut bar);
1943///
1944/// assert_eq!(foo, "bar");
1945/// assert_eq!(bar, "foo");
1946/// ```
1947#[inline]
1948#[stable(feature = "rust1", since = "1.0.0")]
1949#[rustc_const_stable(feature = "const_ptr_write", since = "1.83.0")]
1950#[rustc_diagnostic_item = "ptr_write"]
1951#[track_caller]
1952pub const unsafe fn write<T>(dst: *mut T, src: T) {
1953 // Semantically, it would be fine for this to be implemented as a
1954 // `copy_nonoverlapping` and appropriate drop suppression of `src`.
1955
1956 // However, implementing via that currently produces more MIR than is ideal.
1957 // Using an intrinsic keeps it down to just the simple `*dst = move src` in
1958 // MIR (11 statements shorter, at the time of writing), and also allows
1959 // `src` to stay an SSA value in codegen_ssa, rather than a memory one.
1960
1961 // SAFETY: the caller must guarantee that `dst` is valid for writes.
1962 // `dst` cannot overlap `src` because the caller has mutable access
1963 // to `dst` while `src` is owned by this function.
1964 unsafe {
1965 #[cfg(debug_assertions)] // Too expensive to always enable (for now?)
1966 ub_checks::assert_unsafe_precondition!(
1967 check_language_ub,
1968 "ptr::write requires that the pointer argument is aligned and non-null",
1969 (
1970 addr: *mut () = dst as *mut (),
1971 align: usize = align_of::<T>(),
1972 is_zst: bool = T::IS_ZST,
1973 ) => ub_checks::maybe_is_aligned_and_not_null(addr, align, is_zst)
1974 );
1975 intrinsics::write_via_move(dst, src)
1976 }
1977}
1978
1979/// Overwrites a memory location with the given value without reading or
1980/// dropping the old value.
1981///
1982/// Unlike [`write()`], the pointer may be unaligned.
1983///
1984/// `write_unaligned` does not drop the contents of `dst`. This is safe, but it
1985/// could leak allocations or resources, so care should be taken not to overwrite
1986/// an object that should be dropped.
1987///
1988/// Additionally, it does not drop `src`. Semantically, `src` is moved into the
1989/// location pointed to by `dst`.
1990///
1991/// This is appropriate for initializing uninitialized memory, or overwriting
1992/// memory that has previously been read with [`read_unaligned`].
1993///
1994/// # Safety
1995///
1996/// Behavior is undefined if any of the following conditions are violated:
1997///
1998/// * `dst` must be [valid] for writes.
1999///
2000/// [valid]: self#safety
2001///
2002/// ## On `packed` structs
2003///
2004/// Attempting to create a raw pointer to an `unaligned` struct field with
2005/// an expression such as `&packed.unaligned as *const FieldType` creates an
2006/// intermediate unaligned reference before converting that to a raw pointer.
2007/// That this reference is temporary and immediately cast is inconsequential
2008/// as the compiler always expects references to be properly aligned.
2009/// As a result, using `&packed.unaligned as *const FieldType` causes immediate
2010/// *undefined behavior* in your program.
2011///
2012/// Instead, you must use the `&raw mut` syntax to create the pointer.
2013/// You may use that constructed pointer together with this function.
2014///
2015/// An example of how to do it and how this relates to `write_unaligned` is:
2016///
2017/// ```
2018/// #[repr(packed, C)]
2019/// struct Packed {
2020/// _padding: u8,
2021/// unaligned: u32,
2022/// }
2023///
2024/// let mut packed: Packed = unsafe { std::mem::zeroed() };
2025///
2026/// // Take the address of a 32-bit integer which is not aligned.
2027/// // In contrast to `&packed.unaligned as *mut _`, this has no undefined behavior.
2028/// let unaligned = &raw mut packed.unaligned;
2029///
2030/// unsafe { std::ptr::write_unaligned(unaligned, 42) };
2031///
2032/// assert_eq!({packed.unaligned}, 42); // `{...}` forces copying the field instead of creating a reference.
2033/// ```
2034///
2035/// Accessing unaligned fields directly with e.g. `packed.unaligned` is safe however
2036/// (as can be seen in the `assert_eq!` above).
2037///
2038/// # Examples
2039///
2040/// Write a `usize` value to a byte buffer:
2041///
2042/// ```
2043/// fn write_usize(x: &mut [u8], val: usize) {
2044/// assert!(x.len() >= size_of::<usize>());
2045///
2046/// let ptr = x.as_mut_ptr() as *mut usize;
2047///
2048/// unsafe { ptr.write_unaligned(val) }
2049/// }
2050/// ```
2051#[inline]
2052#[stable(feature = "ptr_unaligned", since = "1.17.0")]
2053#[rustc_const_stable(feature = "const_ptr_write", since = "1.83.0")]
2054#[rustc_diagnostic_item = "ptr_write_unaligned"]
2055#[track_caller]
2056#[cfg(not(feature = "ferrocene_certified"))]
2057pub const unsafe fn write_unaligned<T>(dst: *mut T, src: T) {
2058 // SAFETY: the caller must guarantee that `dst` is valid for writes.
2059 // `dst` cannot overlap `src` because the caller has mutable access
2060 // to `dst` while `src` is owned by this function.
2061 unsafe {
2062 copy_nonoverlapping((&raw const src) as *const u8, dst as *mut u8, size_of::<T>());
2063 // We are calling the intrinsic directly to avoid function calls in the generated code.
2064 intrinsics::forget(src);
2065 }
2066}
2067
2068/// Performs a volatile read of the value from `src` without moving it.
2069///
2070/// Volatile operations are intended to act on I/O memory. As such, they are considered externally
2071/// observable events (just like syscalls, but less opaque), and are guaranteed to not be elided or
2072/// reordered by the compiler across other externally observable events. With this in mind, there
2073/// are two cases of usage that need to be distinguished:
2074///
2075/// - When a volatile operation is used for memory inside an [allocation], it behaves exactly like
2076/// [`read`], except for the additional guarantee that it won't be elided or reordered (see
2077/// above). This implies that the operation will actually access memory and not e.g. be lowered to
2078/// reusing data from a previous read. Other than that, all the usual rules for memory accesses
2079/// apply (including provenance). In particular, just like in C, whether an operation is volatile
2080/// has no bearing whatsoever on questions involving concurrent accesses from multiple threads.
2081/// Volatile accesses behave exactly like non-atomic accesses in that regard.
2082///
2083/// - Volatile operations, however, may also be used to access memory that is _outside_ of any Rust
2084/// allocation. In this use-case, the pointer does *not* have to be [valid] for reads. This is
2085/// typically used for CPU and peripheral registers that must be accessed via an I/O memory
2086/// mapping, most commonly at fixed addresses reserved by the hardware. These often have special
2087/// semantics associated to their manipulation, and cannot be used as general purpose memory.
2088/// Here, any address value is possible, including 0 and [`usize::MAX`], so long as the semantics
2089/// of such a read are well-defined by the target hardware. The provenance of the pointer is
2090/// irrelevant, and it can be created with [`without_provenance`]. The access must not trap. It
2091/// can cause side-effects, but those must not affect Rust-allocated memory in any way. This
2092/// access is still not considered [atomic], and as such it cannot be used for inter-thread
2093/// synchronization.
2094///
2095/// Note that volatile memory operations where T is a zero-sized type are noops and may be ignored.
2096///
2097/// [allocation]: crate::ptr#allocated-object
2098/// [atomic]: crate::sync::atomic#memory-model-for-atomic-accesses
2099///
2100/// # Safety
2101///
2102/// Like [`read`], `read_volatile` creates a bitwise copy of `T`, regardless of whether `T` is
2103/// [`Copy`]. If `T` is not [`Copy`], using both the returned value and the value at `*src` can
2104/// [violate memory safety][read-ownership]. However, storing non-[`Copy`] types in volatile memory
2105/// is almost certainly incorrect.
2106///
2107/// Behavior is undefined if any of the following conditions are violated:
2108///
2109/// * `src` must be either [valid] for reads, or it must point to memory outside of all Rust
2110/// allocations and reading from that memory must:
2111/// - not trap, and
2112/// - not cause any memory inside a Rust allocation to be modified.
2113///
2114/// * `src` must be properly aligned.
2115///
2116/// * Reading from `src` must produce a properly initialized value of type `T`.
2117///
2118/// Note that even if `T` has size `0`, the pointer must be properly aligned.
2119///
2120/// [valid]: self#safety
2121/// [read-ownership]: read#ownership-of-the-returned-value
2122///
2123/// # Examples
2124///
2125/// Basic usage:
2126///
2127/// ```
2128/// let x = 12;
2129/// let y = &x as *const i32;
2130///
2131/// unsafe {
2132/// assert_eq!(std::ptr::read_volatile(y), 12);
2133/// }
2134/// ```
2135#[inline]
2136#[stable(feature = "volatile", since = "1.9.0")]
2137#[track_caller]
2138#[rustc_diagnostic_item = "ptr_read_volatile"]
2139#[cfg(not(feature = "ferrocene_certified"))]
2140pub unsafe fn read_volatile<T>(src: *const T) -> T {
2141 // SAFETY: the caller must uphold the safety contract for `volatile_load`.
2142 unsafe {
2143 ub_checks::assert_unsafe_precondition!(
2144 check_language_ub,
2145 "ptr::read_volatile requires that the pointer argument is aligned",
2146 (
2147 addr: *const () = src as *const (),
2148 align: usize = align_of::<T>(),
2149 ) => ub_checks::maybe_is_aligned(addr, align)
2150 );
2151 intrinsics::volatile_load(src)
2152 }
2153}
2154
2155/// Performs a volatile write of a memory location with the given value without reading or dropping
2156/// the old value.
2157///
2158/// Volatile operations are intended to act on I/O memory. As such, they are considered externally
2159/// observable events (just like syscalls), and are guaranteed to not be elided or reordered by the
2160/// compiler across other externally observable events. With this in mind, there are two cases of
2161/// usage that need to be distinguished:
2162///
2163/// - When a volatile operation is used for memory inside an [allocation], it behaves exactly like
2164/// [`write`][write()], except for the additional guarantee that it won't be elided or reordered
2165/// (see above). This implies that the operation will actually access memory and not e.g. be
2166/// lowered to a register access. Other than that, all the usual rules for memory accesses apply
2167/// (including provenance). In particular, just like in C, whether an operation is volatile has no
2168/// bearing whatsoever on questions involving concurrent access from multiple threads. Volatile
2169/// accesses behave exactly like non-atomic accesses in that regard.
2170///
2171/// - Volatile operations, however, may also be used to access memory that is _outside_ of any Rust
2172/// allocation. In this use-case, the pointer does *not* have to be [valid] for writes. This is
2173/// typically used for CPU and peripheral registers that must be accessed via an I/O memory
2174/// mapping, most commonly at fixed addresses reserved by the hardware. These often have special
2175/// semantics associated to their manipulation, and cannot be used as general purpose memory.
2176/// Here, any address value is possible, including 0 and [`usize::MAX`], so long as the semantics
2177/// of such a write are well-defined by the target hardware. The provenance of the pointer is
2178/// irrelevant, and it can be created with [`without_provenance`]. The access must not trap. It
2179/// can cause side-effects, but those must not affect Rust-allocated memory in any way. This
2180/// access is still not considered [atomic], and as such it cannot be used for inter-thread
2181/// synchronization.
2182///
2183/// Note that volatile memory operations on zero-sized types (e.g., if a zero-sized type is passed
2184/// to `write_volatile`) are noops and may be ignored.
2185///
2186/// `write_volatile` does not drop the contents of `dst`. This is safe, but it could leak
2187/// allocations or resources, so care should be taken not to overwrite an object that should be
2188/// dropped when operating on Rust memory. Additionally, it does not drop `src`. Semantically, `src`
2189/// is moved into the location pointed to by `dst`.
2190///
2191/// [allocation]: crate::ptr#allocated-object
2192/// [atomic]: crate::sync::atomic#memory-model-for-atomic-accesses
2193///
2194/// # Safety
2195///
2196/// Behavior is undefined if any of the following conditions are violated:
2197///
2198/// * `dst` must be either [valid] for writes, or it must point to memory outside of all Rust
2199/// allocations and writing to that memory must:
2200/// - not trap, and
2201/// - not cause any memory inside a Rust allocation to be modified.
2202///
2203/// * `dst` must be properly aligned.
2204///
2205/// Note that even if `T` has size `0`, the pointer must be properly aligned.
2206///
2207/// [valid]: self#safety
2208///
2209/// # Examples
2210///
2211/// Basic usage:
2212///
2213/// ```
2214/// let mut x = 0;
2215/// let y = &mut x as *mut i32;
2216/// let z = 12;
2217///
2218/// unsafe {
2219/// std::ptr::write_volatile(y, z);
2220/// assert_eq!(std::ptr::read_volatile(y), 12);
2221/// }
2222/// ```
2223#[inline]
2224#[stable(feature = "volatile", since = "1.9.0")]
2225#[rustc_diagnostic_item = "ptr_write_volatile"]
2226#[track_caller]
2227#[cfg(not(feature = "ferrocene_certified"))]
2228pub unsafe fn write_volatile<T>(dst: *mut T, src: T) {
2229 // SAFETY: the caller must uphold the safety contract for `volatile_store`.
2230 unsafe {
2231 ub_checks::assert_unsafe_precondition!(
2232 check_language_ub,
2233 "ptr::write_volatile requires that the pointer argument is aligned",
2234 (
2235 addr: *mut () = dst as *mut (),
2236 align: usize = align_of::<T>(),
2237 ) => ub_checks::maybe_is_aligned(addr, align)
2238 );
2239 intrinsics::volatile_store(dst, src);
2240 }
2241}
2242
2243/// Calculate an element-offset that increases a pointer's alignment.
2244///
2245/// Calculate an element-offset (not byte-offset) that when added to a given pointer `p`, increases `p`'s alignment to at least the given alignment `a`.
2246///
2247/// # Safety
2248/// `a` must be a power of two.
2249///
2250/// # Notes
2251/// This implementation has been carefully tailored to not panic. It is UB for this to panic.
2252/// The only real change that can be made here is change of `INV_TABLE_MOD_16` and associated
2253/// constants.
2254///
2255/// If we ever decide to make it possible to call the intrinsic with `a` that is not a
2256/// power-of-two, it will probably be more prudent to just change to a naive implementation rather
2257/// than trying to adapt this to accommodate that change.
2258///
2259/// Any questions go to @nagisa.
2260#[allow(ptr_to_integer_transmute_in_consts)]
2261#[cfg(not(feature = "ferrocene_certified"))]
2262pub(crate) unsafe fn align_offset<T: Sized>(p: *const T, a: usize) -> usize {
2263 // FIXME(#75598): Direct use of these intrinsics improves codegen significantly at opt-level <=
2264 // 1, where the method versions of these operations are not inlined.
2265 use intrinsics::{
2266 assume, cttz_nonzero, exact_div, mul_with_overflow, unchecked_rem, unchecked_shl,
2267 unchecked_shr, unchecked_sub, wrapping_add, wrapping_mul, wrapping_sub,
2268 };
2269
2270 /// Calculate multiplicative modular inverse of `x` modulo `m`.
2271 ///
2272 /// This implementation is tailored for `align_offset` and has following preconditions:
2273 ///
2274 /// * `m` is a power-of-two;
2275 /// * `x < m`; (if `x ≥ m`, pass in `x % m` instead)
2276 ///
2277 /// Implementation of this function shall not panic. Ever.
2278 #[inline]
2279 const unsafe fn mod_inv(x: usize, m: usize) -> usize {
2280 /// Multiplicative modular inverse table modulo 2⁴ = 16.
2281 ///
2282 /// Note, that this table does not contain values where inverse does not exist (i.e., for
2283 /// `0⁻¹ mod 16`, `2⁻¹ mod 16`, etc.)
2284 const INV_TABLE_MOD_16: [u8; 8] = [1, 11, 13, 7, 9, 3, 5, 15];
2285 /// Modulo for which the `INV_TABLE_MOD_16` is intended.
2286 const INV_TABLE_MOD: usize = 16;
2287
2288 // SAFETY: `m` is required to be a power-of-two, hence non-zero.
2289 let m_minus_one = unsafe { unchecked_sub(m, 1) };
2290 let mut inverse = INV_TABLE_MOD_16[(x & (INV_TABLE_MOD - 1)) >> 1] as usize;
2291 let mut mod_gate = INV_TABLE_MOD;
2292 // We iterate "up" using the following formula:
2293 //
2294 // $$ xy ≡ 1 (mod 2ⁿ) → xy (2 - xy) ≡ 1 (mod 2²ⁿ) $$
2295 //
2296 // This application needs to be applied at least until `2²ⁿ ≥ m`, at which point we can
2297 // finally reduce the computation to our desired `m` by taking `inverse mod m`.
2298 //
2299 // This computation is `O(log log m)`, which is to say, that on 64-bit machines this loop
2300 // will always finish in at most 4 iterations.
2301 loop {
2302 // y = y * (2 - xy) mod n
2303 //
2304 // Note, that we use wrapping operations here intentionally – the original formula
2305 // uses e.g., subtraction `mod n`. It is entirely fine to do them `mod
2306 // usize::MAX` instead, because we take the result `mod n` at the end
2307 // anyway.
2308 if mod_gate >= m {
2309 break;
2310 }
2311 inverse = wrapping_mul(inverse, wrapping_sub(2usize, wrapping_mul(x, inverse)));
2312 let (new_gate, overflow) = mul_with_overflow(mod_gate, mod_gate);
2313 if overflow {
2314 break;
2315 }
2316 mod_gate = new_gate;
2317 }
2318 inverse & m_minus_one
2319 }
2320
2321 let stride = size_of::<T>();
2322
2323 let addr: usize = p.addr();
2324
2325 // SAFETY: `a` is a power-of-two, therefore non-zero.
2326 let a_minus_one = unsafe { unchecked_sub(a, 1) };
2327
2328 if stride == 0 {
2329 // SPECIAL_CASE: handle 0-sized types. No matter how many times we step, the address will
2330 // stay the same, so no offset will be able to align the pointer unless it is already
2331 // aligned. This branch _will_ be optimized out as `stride` is known at compile-time.
2332 let p_mod_a = addr & a_minus_one;
2333 return if p_mod_a == 0 { 0 } else { usize::MAX };
2334 }
2335
2336 // SAFETY: `stride == 0` case has been handled by the special case above.
2337 let a_mod_stride = unsafe { unchecked_rem(a, stride) };
2338 if a_mod_stride == 0 {
2339 // SPECIAL_CASE: In cases where the `a` is divisible by `stride`, byte offset to align a
2340 // pointer can be computed more simply through `-p (mod a)`. In the off-chance the byte
2341 // offset is not a multiple of `stride`, the input pointer was misaligned and no pointer
2342 // offset will be able to produce a `p` aligned to the specified `a`.
2343 //
2344 // The naive `-p (mod a)` equation inhibits LLVM's ability to select instructions
2345 // like `lea`. We compute `(round_up_to_next_alignment(p, a) - p)` instead. This
2346 // redistributes operations around the load-bearing, but pessimizing `and` instruction
2347 // sufficiently for LLVM to be able to utilize the various optimizations it knows about.
2348 //
2349 // LLVM handles the branch here particularly nicely. If this branch needs to be evaluated
2350 // at runtime, it will produce a mask `if addr_mod_stride == 0 { 0 } else { usize::MAX }`
2351 // in a branch-free way and then bitwise-OR it with whatever result the `-p mod a`
2352 // computation produces.
2353
2354 let aligned_address = wrapping_add(addr, a_minus_one) & wrapping_sub(0, a);
2355 let byte_offset = wrapping_sub(aligned_address, addr);
2356 // FIXME: Remove the assume after <https://github.com/llvm/llvm-project/issues/62502>
2357 // SAFETY: Masking by `-a` can only affect the low bits, and thus cannot have reduced
2358 // the value by more than `a-1`, so even though the intermediate values might have
2359 // wrapped, the byte_offset is always in `[0, a)`.
2360 unsafe { assume(byte_offset < a) };
2361
2362 // SAFETY: `stride == 0` case has been handled by the special case above.
2363 let addr_mod_stride = unsafe { unchecked_rem(addr, stride) };
2364
2365 return if addr_mod_stride == 0 {
2366 // SAFETY: `stride` is non-zero. This is guaranteed to divide exactly as well, because
2367 // addr has been verified to be aligned to the original type’s alignment requirements.
2368 unsafe { exact_div(byte_offset, stride) }
2369 } else {
2370 usize::MAX
2371 };
2372 }
2373
2374 // GENERAL_CASE: From here on we’re handling the very general case where `addr` may be
2375 // misaligned, there isn’t an obvious relationship between `stride` and `a` that we can take an
2376 // advantage of, etc. This case produces machine code that isn’t particularly high quality,
2377 // compared to the special cases above. The code produced here is still within the realm of
2378 // miracles, given the situations this case has to deal with.
2379
2380 // SAFETY: a is power-of-two hence non-zero. stride == 0 case is handled above.
2381 // FIXME(const-hack) replace with min
2382 let gcdpow = unsafe {
2383 let x = cttz_nonzero(stride);
2384 let y = cttz_nonzero(a);
2385 if x < y { x } else { y }
2386 };
2387 // SAFETY: gcdpow has an upper-bound that’s at most the number of bits in a `usize`.
2388 let gcd = unsafe { unchecked_shl(1usize, gcdpow) };
2389 // SAFETY: gcd is always greater or equal to 1.
2390 if addr & unsafe { unchecked_sub(gcd, 1) } == 0 {
2391 // This branch solves for the following linear congruence equation:
2392 //
2393 // ` p + so = 0 mod a `
2394 //
2395 // `p` here is the pointer value, `s` - stride of `T`, `o` offset in `T`s, and `a` - the
2396 // requested alignment.
2397 //
2398 // With `g = gcd(a, s)`, and the above condition asserting that `p` is also divisible by
2399 // `g`, we can denote `a' = a/g`, `s' = s/g`, `p' = p/g`, then this becomes equivalent to:
2400 //
2401 // ` p' + s'o = 0 mod a' `
2402 // ` o = (a' - (p' mod a')) * (s'^-1 mod a') `
2403 //
2404 // The first term is "the relative alignment of `p` to `a`" (divided by the `g`), the
2405 // second term is "how does incrementing `p` by `s` bytes change the relative alignment of
2406 // `p`" (again divided by `g`). Division by `g` is necessary to make the inverse well
2407 // formed if `a` and `s` are not co-prime.
2408 //
2409 // Furthermore, the result produced by this solution is not "minimal", so it is necessary
2410 // to take the result `o mod lcm(s, a)`. This `lcm(s, a)` is the same as `a'`.
2411
2412 // SAFETY: `gcdpow` has an upper-bound not greater than the number of trailing 0-bits in
2413 // `a`.
2414 let a2 = unsafe { unchecked_shr(a, gcdpow) };
2415 // SAFETY: `a2` is non-zero. Shifting `a` by `gcdpow` cannot shift out any of the set bits
2416 // in `a` (of which it has exactly one).
2417 let a2minus1 = unsafe { unchecked_sub(a2, 1) };
2418 // SAFETY: `gcdpow` has an upper-bound not greater than the number of trailing 0-bits in
2419 // `a`.
2420 let s2 = unsafe { unchecked_shr(stride & a_minus_one, gcdpow) };
2421 // SAFETY: `gcdpow` has an upper-bound not greater than the number of trailing 0-bits in
2422 // `a`. Furthermore, the subtraction cannot overflow, because `a2 = a >> gcdpow` will
2423 // always be strictly greater than `(p % a) >> gcdpow`.
2424 let minusp2 = unsafe { unchecked_sub(a2, unchecked_shr(addr & a_minus_one, gcdpow)) };
2425 // SAFETY: `a2` is a power-of-two, as proven above. `s2` is strictly less than `a2`
2426 // because `(s % a) >> gcdpow` is strictly less than `a >> gcdpow`.
2427 return wrapping_mul(minusp2, unsafe { mod_inv(s2, a2) }) & a2minus1;
2428 }
2429
2430 // Cannot be aligned at all.
2431 usize::MAX
2432}
2433
2434/// Compares raw pointers for equality.
2435///
2436/// This is the same as using the `==` operator, but less generic:
2437/// the arguments have to be `*const T` raw pointers,
2438/// not anything that implements `PartialEq`.
2439///
2440/// This can be used to compare `&T` references (which coerce to `*const T` implicitly)
2441/// by their address rather than comparing the values they point to
2442/// (which is what the `PartialEq for &T` implementation does).
2443///
2444/// When comparing wide pointers, both the address and the metadata are tested for equality.
2445/// However, note that comparing trait object pointers (`*const dyn Trait`) is unreliable: pointers
2446/// to values of the same underlying type can compare inequal (because vtables are duplicated in
2447/// multiple codegen units), and pointers to values of *different* underlying type can compare equal
2448/// (since identical vtables can be deduplicated within a codegen unit).
2449///
2450/// # Examples
2451///
2452/// ```
2453/// use std::ptr;
2454///
2455/// let five = 5;
2456/// let other_five = 5;
2457/// let five_ref = &five;
2458/// let same_five_ref = &five;
2459/// let other_five_ref = &other_five;
2460///
2461/// assert!(five_ref == same_five_ref);
2462/// assert!(ptr::eq(five_ref, same_five_ref));
2463///
2464/// assert!(five_ref == other_five_ref);
2465/// assert!(!ptr::eq(five_ref, other_five_ref));
2466/// ```
2467///
2468/// Slices are also compared by their length (fat pointers):
2469///
2470/// ```
2471/// let a = [1, 2, 3];
2472/// assert!(std::ptr::eq(&a[..3], &a[..3]));
2473/// assert!(!std::ptr::eq(&a[..2], &a[..3]));
2474/// assert!(!std::ptr::eq(&a[0..2], &a[1..3]));
2475/// ```
2476#[stable(feature = "ptr_eq", since = "1.17.0")]
2477#[inline(always)]
2478#[must_use = "pointer comparison produces a value"]
2479#[rustc_diagnostic_item = "ptr_eq"]
2480#[allow(ambiguous_wide_pointer_comparisons)] // it's actually clear here
2481#[cfg(not(feature = "ferrocene_certified"))]
2482pub fn eq<T: PointeeSized>(a: *const T, b: *const T) -> bool {
2483 a == b
2484}
2485
2486/// Compares the *addresses* of the two pointers for equality,
2487/// ignoring any metadata in fat pointers.
2488///
2489/// If the arguments are thin pointers of the same type,
2490/// then this is the same as [`eq`].
2491///
2492/// # Examples
2493///
2494/// ```
2495/// use std::ptr;
2496///
2497/// let whole: &[i32; 3] = &[1, 2, 3];
2498/// let first: &i32 = &whole[0];
2499///
2500/// assert!(ptr::addr_eq(whole, first));
2501/// assert!(!ptr::eq::<dyn std::fmt::Debug>(whole, first));
2502/// ```
2503#[stable(feature = "ptr_addr_eq", since = "1.76.0")]
2504#[inline(always)]
2505#[must_use = "pointer comparison produces a value"]
2506#[cfg(not(feature = "ferrocene_certified"))]
2507pub fn addr_eq<T: PointeeSized, U: PointeeSized>(p: *const T, q: *const U) -> bool {
2508 (p as *const ()) == (q as *const ())
2509}
2510
2511/// Compares the *addresses* of the two function pointers for equality.
2512///
2513/// This is the same as `f == g`, but using this function makes clear that the potentially
2514/// surprising semantics of function pointer comparison are involved.
2515///
2516/// There are **very few guarantees** about how functions are compiled and they have no intrinsic
2517/// “identity”; in particular, this comparison:
2518///
2519/// * May return `true` unexpectedly, in cases where functions are equivalent.
2520///
2521/// For example, the following program is likely (but not guaranteed) to print `(true, true)`
2522/// when compiled with optimization:
2523///
2524/// ```
2525/// let f: fn(i32) -> i32 = |x| x;
2526/// let g: fn(i32) -> i32 = |x| x + 0; // different closure, different body
2527/// let h: fn(u32) -> u32 = |x| x + 0; // different signature too
2528/// dbg!(std::ptr::fn_addr_eq(f, g), std::ptr::fn_addr_eq(f, h)); // not guaranteed to be equal
2529/// ```
2530///
2531/// * May return `false` in any case.
2532///
2533/// This is particularly likely with generic functions but may happen with any function.
2534/// (From an implementation perspective, this is possible because functions may sometimes be
2535/// processed more than once by the compiler, resulting in duplicate machine code.)
2536///
2537/// Despite these false positives and false negatives, this comparison can still be useful.
2538/// Specifically, if
2539///
2540/// * `T` is the same type as `U`, `T` is a [subtype] of `U`, or `U` is a [subtype] of `T`, and
2541/// * `ptr::fn_addr_eq(f, g)` returns true,
2542///
2543/// then calling `f` and calling `g` will be equivalent.
2544///
2545///
2546/// # Examples
2547///
2548/// ```
2549/// use std::ptr;
2550///
2551/// fn a() { println!("a"); }
2552/// fn b() { println!("b"); }
2553/// assert!(!ptr::fn_addr_eq(a as fn(), b as fn()));
2554/// ```
2555///
2556/// [subtype]: https://doc.rust-lang.org/reference/subtyping.html
2557#[stable(feature = "ptr_fn_addr_eq", since = "1.85.0")]
2558#[inline(always)]
2559#[must_use = "function pointer comparison produces a value"]
2560#[cfg(not(feature = "ferrocene_certified"))]
2561pub fn fn_addr_eq<T: FnPtr, U: FnPtr>(f: T, g: U) -> bool {
2562 f.addr() == g.addr()
2563}
2564
2565/// Hash a raw pointer.
2566///
2567/// This can be used to hash a `&T` reference (which coerces to `*const T` implicitly)
2568/// by its address rather than the value it points to
2569/// (which is what the `Hash for &T` implementation does).
2570///
2571/// # Examples
2572///
2573/// ```
2574/// use std::hash::{DefaultHasher, Hash, Hasher};
2575/// use std::ptr;
2576///
2577/// let five = 5;
2578/// let five_ref = &five;
2579///
2580/// let mut hasher = DefaultHasher::new();
2581/// ptr::hash(five_ref, &mut hasher);
2582/// let actual = hasher.finish();
2583///
2584/// let mut hasher = DefaultHasher::new();
2585/// (five_ref as *const i32).hash(&mut hasher);
2586/// let expected = hasher.finish();
2587///
2588/// assert_eq!(actual, expected);
2589/// ```
2590#[stable(feature = "ptr_hash", since = "1.35.0")]
2591#[cfg(not(feature = "ferrocene_certified"))]
2592pub fn hash<T: PointeeSized, S: hash::Hasher>(hashee: *const T, into: &mut S) {
2593 use crate::hash::Hash;
2594 hashee.hash(into);
2595}
2596
2597#[stable(feature = "fnptr_impls", since = "1.4.0")]
2598#[cfg(not(feature = "ferrocene_certified"))]
2599impl<F: FnPtr> PartialEq for F {
2600 #[inline]
2601 fn eq(&self, other: &Self) -> bool {
2602 self.addr() == other.addr()
2603 }
2604}
2605#[stable(feature = "fnptr_impls", since = "1.4.0")]
2606#[cfg(not(feature = "ferrocene_certified"))]
2607impl<F: FnPtr> Eq for F {}
2608
2609#[stable(feature = "fnptr_impls", since = "1.4.0")]
2610#[cfg(not(feature = "ferrocene_certified"))]
2611impl<F: FnPtr> PartialOrd for F {
2612 #[inline]
2613 fn partial_cmp(&self, other: &Self) -> Option<Ordering> {
2614 self.addr().partial_cmp(&other.addr())
2615 }
2616}
2617#[stable(feature = "fnptr_impls", since = "1.4.0")]
2618#[cfg(not(feature = "ferrocene_certified"))]
2619impl<F: FnPtr> Ord for F {
2620 #[inline]
2621 fn cmp(&self, other: &Self) -> Ordering {
2622 self.addr().cmp(&other.addr())
2623 }
2624}
2625
2626#[stable(feature = "fnptr_impls", since = "1.4.0")]
2627#[cfg(not(feature = "ferrocene_certified"))]
2628impl<F: FnPtr> hash::Hash for F {
2629 fn hash<HH: hash::Hasher>(&self, state: &mut HH) {
2630 state.write_usize(self.addr() as _)
2631 }
2632}
2633
2634#[stable(feature = "fnptr_impls", since = "1.4.0")]
2635#[cfg(not(feature = "ferrocene_certified"))]
2636impl<F: FnPtr> fmt::Pointer for F {
2637 fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
2638 fmt::pointer_fmt_inner(self.addr() as _, f)
2639 }
2640}
2641
2642#[stable(feature = "fnptr_impls", since = "1.4.0")]
2643#[cfg(not(feature = "ferrocene_certified"))]
2644impl<F: FnPtr> fmt::Debug for F {
2645 fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
2646 fmt::pointer_fmt_inner(self.addr() as _, f)
2647 }
2648}
2649
2650/// Creates a `const` raw pointer to a place, without creating an intermediate reference.
2651///
2652/// `addr_of!(expr)` is equivalent to `&raw const expr`. The macro is *soft-deprecated*;
2653/// use `&raw const` instead.
2654///
2655/// It is still an open question under which conditions writing through an `addr_of!`-created
2656/// pointer is permitted. If the place `expr` evaluates to is based on a raw pointer, then the
2657/// result of `addr_of!` inherits all permissions from that raw pointer. However, if the place is
2658/// based on a reference, local variable, or `static`, then until all details are decided, the same
2659/// rules as for shared references apply: it is UB to write through a pointer created with this
2660/// operation, except for bytes located inside an `UnsafeCell`. Use `&raw mut` (or [`addr_of_mut`])
2661/// to create a raw pointer that definitely permits mutation.
2662///
2663/// Creating a reference with `&`/`&mut` is only allowed if the pointer is properly aligned
2664/// and points to initialized data. For cases where those requirements do not hold,
2665/// raw pointers should be used instead. However, `&expr as *const _` creates a reference
2666/// before casting it to a raw pointer, and that reference is subject to the same rules
2667/// as all other references. This macro can create a raw pointer *without* creating
2668/// a reference first.
2669///
2670/// See [`addr_of_mut`] for how to create a pointer to uninitialized data.
2671/// Doing that with `addr_of` would not make much sense since one could only
2672/// read the data, and that would be Undefined Behavior.
2673///
2674/// # Safety
2675///
2676/// The `expr` in `addr_of!(expr)` is evaluated as a place expression, but never loads from the
2677/// place or requires the place to be dereferenceable. This means that `addr_of!((*ptr).field)`
2678/// still requires the projection to `field` to be in-bounds, using the same rules as [`offset`].
2679/// However, `addr_of!(*ptr)` is defined behavior even if `ptr` is null, dangling, or misaligned.
2680///
2681/// Note that `Deref`/`Index` coercions (and their mutable counterparts) are applied inside
2682/// `addr_of!` like everywhere else, in which case a reference is created to call `Deref::deref` or
2683/// `Index::index`, respectively. The statements above only apply when no such coercions are
2684/// applied.
2685///
2686/// [`offset`]: pointer::offset
2687///
2688/// # Example
2689///
2690/// **Correct usage: Creating a pointer to unaligned data**
2691///
2692/// ```
2693/// use std::ptr;
2694///
2695/// #[repr(packed)]
2696/// struct Packed {
2697/// f1: u8,
2698/// f2: u16,
2699/// }
2700///
2701/// let packed = Packed { f1: 1, f2: 2 };
2702/// // `&packed.f2` would create an unaligned reference, and thus be Undefined Behavior!
2703/// let raw_f2 = ptr::addr_of!(packed.f2);
2704/// assert_eq!(unsafe { raw_f2.read_unaligned() }, 2);
2705/// ```
2706///
2707/// **Incorrect usage: Out-of-bounds fields projection**
2708///
2709/// ```rust,no_run
2710/// use std::ptr;
2711///
2712/// #[repr(C)]
2713/// struct MyStruct {
2714/// field1: i32,
2715/// field2: i32,
2716/// }
2717///
2718/// let ptr: *const MyStruct = ptr::null();
2719/// let fieldptr = unsafe { ptr::addr_of!((*ptr).field2) }; // Undefined Behavior ⚠️
2720/// ```
2721///
2722/// The field projection `.field2` would offset the pointer by 4 bytes,
2723/// but the pointer is not in-bounds of an allocation for 4 bytes,
2724/// so this offset is Undefined Behavior.
2725/// See the [`offset`] docs for a full list of requirements for inbounds pointer arithmetic; the
2726/// same requirements apply to field projections, even inside `addr_of!`. (In particular, it makes
2727/// no difference whether the pointer is null or dangling.)
2728#[stable(feature = "raw_ref_macros", since = "1.51.0")]
2729#[rustc_macro_transparency = "semitransparent"]
2730#[cfg(not(feature = "ferrocene_certified"))]
2731pub macro addr_of($place:expr) {
2732 &raw const $place
2733}
2734
2735/// Creates a `mut` raw pointer to a place, without creating an intermediate reference.
2736///
2737/// `addr_of_mut!(expr)` is equivalent to `&raw mut expr`. The macro is *soft-deprecated*;
2738/// use `&raw mut` instead.
2739///
2740/// Creating a reference with `&`/`&mut` is only allowed if the pointer is properly aligned
2741/// and points to initialized data. For cases where those requirements do not hold,
2742/// raw pointers should be used instead. However, `&mut expr as *mut _` creates a reference
2743/// before casting it to a raw pointer, and that reference is subject to the same rules
2744/// as all other references. This macro can create a raw pointer *without* creating
2745/// a reference first.
2746///
2747/// # Safety
2748///
2749/// The `expr` in `addr_of_mut!(expr)` is evaluated as a place expression, but never loads from the
2750/// place or requires the place to be dereferenceable. This means that `addr_of_mut!((*ptr).field)`
2751/// still requires the projection to `field` to be in-bounds, using the same rules as [`offset`].
2752/// However, `addr_of_mut!(*ptr)` is defined behavior even if `ptr` is null, dangling, or misaligned.
2753///
2754/// Note that `Deref`/`Index` coercions (and their mutable counterparts) are applied inside
2755/// `addr_of_mut!` like everywhere else, in which case a reference is created to call `Deref::deref`
2756/// or `Index::index`, respectively. The statements above only apply when no such coercions are
2757/// applied.
2758///
2759/// [`offset`]: pointer::offset
2760///
2761/// # Examples
2762///
2763/// **Correct usage: Creating a pointer to unaligned data**
2764///
2765/// ```
2766/// use std::ptr;
2767///
2768/// #[repr(packed)]
2769/// struct Packed {
2770/// f1: u8,
2771/// f2: u16,
2772/// }
2773///
2774/// let mut packed = Packed { f1: 1, f2: 2 };
2775/// // `&mut packed.f2` would create an unaligned reference, and thus be Undefined Behavior!
2776/// let raw_f2 = ptr::addr_of_mut!(packed.f2);
2777/// unsafe { raw_f2.write_unaligned(42); }
2778/// assert_eq!({packed.f2}, 42); // `{...}` forces copying the field instead of creating a reference.
2779/// ```
2780///
2781/// **Correct usage: Creating a pointer to uninitialized data**
2782///
2783/// ```rust
2784/// use std::{ptr, mem::MaybeUninit};
2785///
2786/// struct Demo {
2787/// field: bool,
2788/// }
2789///
2790/// let mut uninit = MaybeUninit::<Demo>::uninit();
2791/// // `&uninit.as_mut().field` would create a reference to an uninitialized `bool`,
2792/// // and thus be Undefined Behavior!
2793/// let f1_ptr = unsafe { ptr::addr_of_mut!((*uninit.as_mut_ptr()).field) };
2794/// unsafe { f1_ptr.write(true); }
2795/// let init = unsafe { uninit.assume_init() };
2796/// ```
2797///
2798/// **Incorrect usage: Out-of-bounds fields projection**
2799///
2800/// ```rust,no_run
2801/// use std::ptr;
2802///
2803/// #[repr(C)]
2804/// struct MyStruct {
2805/// field1: i32,
2806/// field2: i32,
2807/// }
2808///
2809/// let ptr: *mut MyStruct = ptr::null_mut();
2810/// let fieldptr = unsafe { ptr::addr_of_mut!((*ptr).field2) }; // Undefined Behavior ⚠️
2811/// ```
2812///
2813/// The field projection `.field2` would offset the pointer by 4 bytes,
2814/// but the pointer is not in-bounds of an allocation for 4 bytes,
2815/// so this offset is Undefined Behavior.
2816/// See the [`offset`] docs for a full list of requirements for inbounds pointer arithmetic; the
2817/// same requirements apply to field projections, even inside `addr_of_mut!`. (In particular, it
2818/// makes no difference whether the pointer is null or dangling.)
2819#[stable(feature = "raw_ref_macros", since = "1.51.0")]
2820#[rustc_macro_transparency = "semitransparent"]
2821#[cfg(not(feature = "ferrocene_certified"))]
2822pub macro addr_of_mut($place:expr) {
2823 &raw mut $place
2824}