core/ptr/mod.rs
1//! Manually manage memory through raw pointers.
2//!
3//! *[See also the pointer primitive types](pointer).*
4//!
5//! # Safety
6//!
7//! Many functions in this module take raw pointers as arguments and read from or write to them. For
8//! this to be safe, these pointers must be *valid* for the given access. Whether a pointer is valid
9//! depends on the operation it is used for (read or write), and the extent of the memory that is
10//! accessed (i.e., how many bytes are read/written) -- it makes no sense to ask "is this pointer
11//! valid"; one has to ask "is this pointer valid for a given access". Most functions use `*mut T`
12//! and `*const T` to access only a single value, in which case the documentation omits the size and
13//! implicitly assumes it to be `size_of::<T>()` bytes.
14//!
15//! The precise rules for validity are not determined yet. The guarantees that are
16//! provided at this point are very minimal:
17//!
18//! * For memory accesses of [size zero][zst], *every* pointer is valid, including the [null]
19//! pointer. The following points are only concerned with non-zero-sized accesses.
20//! * A [null] pointer is *never* valid.
21//! * For a pointer to be valid, it is necessary, but not always sufficient, that the pointer be
22//! *dereferenceable*. The [provenance] of the pointer is used to determine which [allocation]
23//! it is derived from; a pointer is dereferenceable if the memory range of the given size
24//! starting at the pointer is entirely contained within the bounds of that allocation. Note
25//! that in Rust, every (stack-allocated) variable is considered a separate allocation.
26//! * All accesses performed by functions in this module are *non-atomic* in the sense
27//! of [atomic operations] used to synchronize between threads. This means it is
28//! undefined behavior to perform two concurrent accesses to the same location from different
29//! threads unless both accesses only read from memory. Notice that this explicitly
30//! includes [`read_volatile`] and [`write_volatile`]: Volatile accesses cannot
31//! be used for inter-thread synchronization.
32//! * The result of casting a reference to a pointer is valid for as long as the
33//! underlying allocation is live and no reference (just raw pointers) is used to
34//! access the same memory. That is, reference and pointer accesses cannot be
35//! interleaved.
36//!
37//! These axioms, along with careful use of [`offset`] for pointer arithmetic,
38//! are enough to correctly implement many useful things in unsafe code. Stronger guarantees
39//! will be provided eventually, as the [aliasing] rules are being determined. For more
40//! information, see the [book] as well as the section in the reference devoted
41//! to [undefined behavior][ub].
42//!
43//! We say that a pointer is "dangling" if it is not valid for any non-zero-sized accesses. This
44//! means out-of-bounds pointers, pointers to freed memory, null pointers, and pointers created with
45//! [`NonNull::dangling`] are all dangling.
46//!
47//! ## Alignment
48//!
49//! Valid raw pointers as defined above are not necessarily properly aligned (where
50//! "proper" alignment is defined by the pointee type, i.e., `*const T` must be
51//! aligned to `align_of::<T>()`). However, most functions require their
52//! arguments to be properly aligned, and will explicitly state
53//! this requirement in their documentation. Notable exceptions to this are
54//! [`read_unaligned`] and [`write_unaligned`].
55//!
56//! When a function requires proper alignment, it does so even if the access
57//! has size 0, i.e., even if memory is not actually touched. Consider using
58//! [`NonNull::dangling`] in such cases.
59//!
60//! ## Pointer to reference conversion
61//!
62//! When converting a pointer to a reference (e.g. via `&*ptr` or `&mut *ptr`),
63//! there are several rules that must be followed:
64//!
65//! * The pointer must be properly aligned.
66//!
67//! * It must be non-null.
68//!
69//! * It must be "dereferenceable" in the sense defined above.
70//!
71//! * The pointer must point to a [valid value] of type `T`.
72//!
73//! * You must enforce Rust's aliasing rules. The exact aliasing rules are not decided yet, so we
74//! only give a rough overview here. The rules also depend on whether a mutable or a shared
75//! reference is being created.
76//! * When creating a mutable reference, then while this reference exists, the memory it points to
77//! must not get accessed (read or written) through any other pointer or reference not derived
78//! from this reference.
79//! * When creating a shared reference, then while this reference exists, the memory it points to
80//! must not get mutated (except inside `UnsafeCell`).
81//!
82//! If a pointer follows all of these rules, it is said to be
83//! *convertible to a (mutable or shared) reference*.
84// ^ we use this term instead of saying that the produced reference must
85// be valid, as the validity of a reference is easily confused for the
86// validity of the thing it refers to, and while the two concepts are
87// closely related, they are not identical.
88//!
89//! These rules apply even if the result is unused!
90//! (The part about being initialized is not yet fully decided, but until
91//! it is, the only safe approach is to ensure that they are indeed initialized.)
92//!
93//! An example of the implications of the above rules is that an expression such
94//! as `unsafe { &*(0 as *const u8) }` is Immediate Undefined Behavior.
95//!
96//! [valid value]: ../../reference/behavior-considered-undefined.html#invalid-values
97//!
98//! ## Allocation
99//!
100//! <a id="allocated-object"></a> <!-- keep old URLs working -->
101//!
102//! An *allocation* is a subset of program memory which is addressable
103//! from Rust, and within which pointer arithmetic is possible. Examples of
104//! allocations include heap allocations, stack-allocated variables,
105//! statics, and consts. The safety preconditions of some Rust operations -
106//! such as `offset` and field projections (`expr.field`) - are defined in
107//! terms of the allocations on which they operate.
108//!
109//! An allocation has a base address, a size, and a set of memory
110//! addresses. It is possible for an allocation to have zero size, but
111//! such an allocation will still have a base address. The base address
112//! of an allocation is not necessarily unique. While it is currently the
113//! case that an allocation always has a set of memory addresses which is
114//! fully contiguous (i.e., has no "holes"), there is no guarantee that this
115//! will not change in the future.
116//!
117//! For any allocation with `base` address, `size`, and a set of
118//! `addresses`, the following are guaranteed:
119//! - For all addresses `a` in `addresses`, `a` is in the range `base .. (base +
120//! size)` (note that this requires `a < base + size`, not `a <= base + size`)
121//! - `base` is not equal to [`null()`] (i.e., the address with the numerical
122//! value 0)
123//! - `base + size <= usize::MAX`
124//! - `size <= isize::MAX`
125//!
126//! As a consequence of these guarantees, given any address `a` within the set
127//! of addresses of an allocation:
128//! - It is guaranteed that `a - base` does not overflow `isize`
129//! - It is guaranteed that `a - base` is non-negative
130//! - It is guaranteed that, given `o = a - base` (i.e., the offset of `a` within
131//! the allocation), `base + o` will not wrap around the address space (in
132//! other words, will not overflow `usize`)
133//!
134//! [`null()`]: null
135//!
136//! # Provenance
137//!
138//! Pointers are not *simply* an "integer" or "address". For instance, it's uncontroversial
139//! to say that a Use After Free is clearly Undefined Behavior, even if you "get lucky"
140//! and the freed memory gets reallocated before your read/write (in fact this is the
141//! worst-case scenario, UAFs would be much less concerning if this didn't happen!).
142//! As another example, consider that [`wrapping_offset`] is documented to "remember"
143//! the allocation that the original pointer points to, even if it is offset far
144//! outside the memory range occupied by that allocation.
145//! To rationalize claims like this, pointers need to somehow be *more* than just their addresses:
146//! they must have **provenance**.
147//!
148//! A pointer value in Rust semantically contains the following information:
149//!
150//! * The **address** it points to, which can be represented by a `usize`.
151//! * The **provenance** it has, defining the memory it has permission to access. Provenance can be
152//! absent, in which case the pointer does not have permission to access any memory.
153//!
154//! The exact structure of provenance is not yet specified, but the permission defined by a
155//! pointer's provenance have a *spatial* component, a *temporal* component, and a *mutability*
156//! component:
157//!
158//! * Spatial: The set of memory addresses that the pointer is allowed to access.
159//! * Temporal: The timespan during which the pointer is allowed to access those memory addresses.
160//! * Mutability: Whether the pointer may only access the memory for reads, or also access it for
161//! writes. Note that this can interact with the other components, e.g. a pointer might permit
162//! mutation only for a subset of addresses, or only for a subset of its maximal timespan.
163//!
164//! When an [allocation] is created, it has a unique Original Pointer. For alloc
165//! APIs this is literally the pointer the call returns, and for local variables and statics,
166//! this is the name of the variable/static. (This is mildly overloading the term "pointer"
167//! for the sake of brevity/exposition.)
168//!
169//! The Original Pointer for an allocation has provenance that constrains the *spatial*
170//! permissions of this pointer to the memory range of the allocation, and the *temporal*
171//! permissions to the lifetime of the allocation. Provenance is implicitly inherited by all
172//! pointers transitively derived from the Original Pointer through operations like [`offset`],
173//! borrowing, and pointer casts. Some operations may *shrink* the permissions of the derived
174//! provenance, limiting how much memory it can access or how long it's valid for (i.e. borrowing a
175//! subfield and subslicing can shrink the spatial component of provenance, and all borrowing can
176//! shrink the temporal component of provenance). However, no operation can ever *grow* the
177//! permissions of the derived provenance: even if you "know" there is a larger allocation, you
178//! can't derive a pointer with a larger provenance. Similarly, you cannot "recombine" two
179//! contiguous provenances back into one (i.e. with a `fn merge(&[T], &[T]) -> &[T]`).
180//!
181//! A reference to a place always has provenance over at least the memory that place occupies.
182//! A reference to a slice always has provenance over at least the range that slice describes.
183//! Whether and when exactly the provenance of a reference gets "shrunk" to *exactly* fit
184//! the memory it points to is not yet determined.
185//!
186//! A *shared* reference only ever has provenance that permits reading from memory,
187//! and never permits writes, except inside [`UnsafeCell`].
188//!
189//! Provenance can affect whether a program has undefined behavior:
190//!
191//! * It is undefined behavior to access memory through a pointer that does not have provenance over
192//! that memory. Note that a pointer "at the end" of its provenance is not actually outside its
193//! provenance, it just has 0 bytes it can load/store. Zero-sized accesses do not require any
194//! provenance since they access an empty range of memory.
195//!
196//! * It is undefined behavior to [`offset`] a pointer across a memory range that is not contained
197//! in the allocation it is derived from, or to [`offset_from`] two pointers not derived
198//! from the same allocation. Provenance is used to say what exactly "derived from" even
199//! means: the lineage of a pointer is traced back to the Original Pointer it descends from, and
200//! that identifies the relevant allocation. In particular, it's always UB to offset a
201//! pointer derived from something that is now deallocated, except if the offset is 0.
202//!
203//! But it *is* still sound to:
204//!
205//! * Create a pointer without provenance from just an address (see [`without_provenance`]). Such a
206//! pointer cannot be used for memory accesses (except for zero-sized accesses). This can still be
207//! useful for sentinel values like `null` *or* to represent a tagged pointer that will never be
208//! dereferenceable. In general, it is always sound for an integer to pretend to be a pointer "for
209//! fun" as long as you don't use operations on it which require it to be valid (non-zero-sized
210//! offset, read, write, etc).
211//!
212//! * Forge an allocation of size zero at any sufficiently aligned non-null address.
213//! i.e. the usual "ZSTs are fake, do what you want" rules apply.
214//!
215//! * [`wrapping_offset`] a pointer outside its provenance. This includes pointers
216//! which have "no" provenance. In particular, this makes it sound to do pointer tagging tricks.
217//!
218//! * Compare arbitrary pointers by address. Pointer comparison ignores provenance and addresses
219//! *are* just integers, so there is always a coherent answer, even if the pointers are dangling
220//! or from different provenances. Note that if you get "lucky" and notice that a pointer at the
221//! end of one allocation is the "same" address as the start of another allocation,
222//! anything you do with that fact is *probably* going to be gibberish. The scope of that
223//! gibberish is kept under control by the fact that the two pointers *still* aren't allowed to
224//! access the other's allocation (bytes), because they still have different provenance.
225//!
226//! Note that the full definition of provenance in Rust is not decided yet, as this interacts
227//! with the as-yet undecided [aliasing] rules.
228//!
229//! ## Pointers Vs Integers
230//!
231//! From this discussion, it becomes very clear that a `usize` *cannot* accurately represent a pointer,
232//! and converting from a pointer to a `usize` is generally an operation which *only* extracts the
233//! address. Converting this address back into pointer requires somehow answering the question:
234//! which provenance should the resulting pointer have?
235//!
236//! Rust provides two ways of dealing with this situation: *Strict Provenance* and *Exposed Provenance*.
237//!
238//! Note that a pointer *can* represent a `usize` (via [`without_provenance`]), so the right type to
239//! use in situations where a value is "sometimes a pointer and sometimes a bare `usize`" is a
240//! pointer type.
241//!
242//! ## Strict Provenance
243//!
244//! "Strict Provenance" refers to a set of APIs designed to make working with provenance more
245//! explicit. They are intended as substitutes for casting a pointer to an integer and back.
246//!
247//! Entirely avoiding integer-to-pointer casts successfully side-steps the inherent ambiguity of
248//! that operation. This benefits compiler optimizations, and it is pretty much a requirement for
249//! using tools like [Miri] and architectures like [CHERI] that aim to detect and diagnose pointer
250//! misuse.
251//!
252//! The key insight to making programming without integer-to-pointer casts *at all* viable is the
253//! [`with_addr`] method:
254//!
255//! ```text
256//! /// Creates a new pointer with the given address.
257//! ///
258//! /// This performs the same operation as an `addr as ptr` cast, but copies
259//! /// the *provenance* of `self` to the new pointer.
260//! /// This allows us to dynamically preserve and propagate this important
261//! /// information in a way that is otherwise impossible with a unary cast.
262//! ///
263//! /// This is equivalent to using `wrapping_offset` to offset `self` to the
264//! /// given address, and therefore has all the same capabilities and restrictions.
265//! pub fn with_addr(self, addr: usize) -> Self;
266//! ```
267//!
268//! So you're still able to drop down to the address representation and do whatever
269//! clever bit tricks you want *as long as* you're able to keep around a pointer
270//! into the allocation you care about that can "reconstitute" the provenance.
271//! Usually this is very easy, because you only are taking a pointer, messing with the address,
272//! and then immediately converting back to a pointer. To make this use case more ergonomic,
273//! we provide the [`map_addr`] method.
274//!
275//! To help make it clear that code is "following" Strict Provenance semantics, we also provide an
276//! [`addr`] method which promises that the returned address is not part of a
277//! pointer-integer-pointer roundtrip. In the future we may provide a lint for pointer<->integer
278//! casts to help you audit if your code conforms to strict provenance.
279//!
280//! ### Using Strict Provenance
281//!
282//! Most code needs no changes to conform to strict provenance, as the only really concerning
283//! operation is casts from `usize` to a pointer. For code which *does* cast a `usize` to a pointer,
284//! the scope of the change depends on exactly what you're doing.
285//!
286//! In general, you just need to make sure that if you want to convert a `usize` address to a
287//! pointer and then use that pointer to read/write memory, you need to keep around a pointer
288//! that has sufficient provenance to perform that read/write itself. In this way all of your
289//! casts from an address to a pointer are essentially just applying offsets/indexing.
290//!
291//! This is generally trivial to do for simple cases like tagged pointers *as long as you
292//! represent the tagged pointer as an actual pointer and not a `usize`*. For instance:
293//!
294//! ```
295//! unsafe {
296//! // A flag we want to pack into our pointer
297//! static HAS_DATA: usize = 0x1;
298//! static FLAG_MASK: usize = !HAS_DATA;
299//!
300//! // Our value, which must have enough alignment to have spare least-significant-bits.
301//! let my_precious_data: u32 = 17;
302//! assert!(align_of::<u32>() > 1);
303//!
304//! // Create a tagged pointer
305//! let ptr = &my_precious_data as *const u32;
306//! let tagged = ptr.map_addr(|addr| addr | HAS_DATA);
307//!
308//! // Check the flag:
309//! if tagged.addr() & HAS_DATA != 0 {
310//! // Untag and read the pointer
311//! let data = *tagged.map_addr(|addr| addr & FLAG_MASK);
312//! assert_eq!(data, 17);
313//! } else {
314//! unreachable!()
315//! }
316//! }
317//! ```
318//!
319//! (Yes, if you've been using [`AtomicUsize`] for pointers in concurrent datastructures, you should
320//! be using [`AtomicPtr`] instead. If that messes up the way you atomically manipulate pointers,
321//! we would like to know why, and what needs to be done to fix it.)
322//!
323//! Situations where a valid pointer *must* be created from just an address, such as baremetal code
324//! accessing a memory-mapped interface at a fixed address, cannot currently be handled with strict
325//! provenance APIs and should use [exposed provenance](#exposed-provenance).
326//!
327//! ## Exposed Provenance
328//!
329//! As discussed above, integer-to-pointer casts are not possible with Strict Provenance APIs.
330//! This is by design: the goal of Strict Provenance is to provide a clear specification that we are
331//! confident can be formalized unambiguously and can be subject to precise formal reasoning.
332//! Integer-to-pointer casts do not (currently) have such a clear specification.
333//!
334//! However, there exist situations where integer-to-pointer casts cannot be avoided, or
335//! where avoiding them would require major refactoring. Legacy platform APIs also regularly assume
336//! that `usize` can capture all the information that makes up a pointer.
337//! Bare-metal platforms can also require the synthesis of a pointer "out of thin air" without
338//! anywhere to obtain proper provenance from.
339//!
340//! Rust's model for dealing with integer-to-pointer casts is called *Exposed Provenance*. However,
341//! the semantics of Exposed Provenance are on much less solid footing than Strict Provenance, and
342//! at this point it is not yet clear whether a satisfying unambiguous semantics can be defined for
343//! Exposed Provenance. (If that sounds bad, be reassured that other popular languages that provide
344//! integer-to-pointer casts are not faring any better.) Furthermore, Exposed Provenance will not
345//! work (well) with tools like [Miri] and [CHERI].
346//!
347//! Exposed Provenance is provided by the [`expose_provenance`] and [`with_exposed_provenance`] methods,
348//! which are equivalent to `as` casts between pointers and integers.
349//! - [`expose_provenance`] is a lot like [`addr`], but additionally adds the provenance of the
350//! pointer to a global list of 'exposed' provenances. (This list is purely conceptual, it exists
351//! for the purpose of specifying Rust but is not materialized in actual executions, except in
352//! tools like [Miri].)
353//! Memory which is outside the control of the Rust abstract machine (MMIO registers, for example)
354//! is always considered to be exposed, so long as this memory is disjoint from memory that will
355//! be used by the abstract machine such as the stack, heap, and statics.
356//! - [`with_exposed_provenance`] can be used to construct a pointer with one of these previously
357//! 'exposed' provenances. [`with_exposed_provenance`] takes only `addr: usize` as arguments, so
358//! unlike in [`with_addr`] there is no indication of what the correct provenance for the returned
359//! pointer is -- and that is exactly what makes integer-to-pointer casts so tricky to rigorously
360//! specify! The compiler will do its best to pick the right provenance for you, but currently we
361//! cannot provide any guarantees about which provenance the resulting pointer will have. Only one
362//! thing is clear: if there is *no* previously 'exposed' provenance that justifies the way the
363//! returned pointer will be used, the program has undefined behavior.
364//!
365//! If at all possible, we encourage code to be ported to [Strict Provenance] APIs, thus avoiding
366//! the need for Exposed Provenance. Maximizing the amount of such code is a major win for avoiding
367//! specification complexity and to facilitate adoption of tools like [CHERI] and [Miri] that can be
368//! a big help in increasing the confidence in (unsafe) Rust code. However, we acknowledge that this
369//! is not always possible, and offer Exposed Provenance as a way to explicit "opt out" of the
370//! well-defined semantics of Strict Provenance, and "opt in" to the unclear semantics of
371//! integer-to-pointer casts.
372//!
373//! [aliasing]: ../../nomicon/aliasing.html
374//! [allocation]: #allocation
375//! [provenance]: #provenance
376//! [book]: ../../book/ch19-01-unsafe-rust.html#dereferencing-a-raw-pointer
377//! [ub]: ../../reference/behavior-considered-undefined.html
378//! [zst]: ../../nomicon/exotic-sizes.html#zero-sized-types-zsts
379//! [atomic operations]: crate::sync::atomic
380//! [`offset`]: pointer::offset
381//! [`offset_from`]: pointer::offset_from
382//! [`wrapping_offset`]: pointer::wrapping_offset
383//! [`with_addr`]: pointer::with_addr
384//! [`map_addr`]: pointer::map_addr
385//! [`addr`]: pointer::addr
386//! [`AtomicUsize`]: crate::sync::atomic::AtomicUsize
387//! [`AtomicPtr`]: crate::sync::atomic::AtomicPtr
388//! [`expose_provenance`]: pointer::expose_provenance
389//! [`with_exposed_provenance`]: with_exposed_provenance
390//! [Miri]: https://github.com/rust-lang/miri
391//! [CHERI]: https://www.cl.cam.ac.uk/research/security/ctsrd/cheri/
392//! [Strict Provenance]: #strict-provenance
393//! [`UnsafeCell`]: core::cell::UnsafeCell
394
395#![stable(feature = "rust1", since = "1.0.0")]
396// There are many unsafe functions taking pointers that don't dereference them.
397#![allow(clippy::not_unsafe_ptr_arg_deref)]
398
399#[cfg(not(feature = "ferrocene_certified"))]
400use crate::cmp::Ordering;
401#[cfg(not(feature = "ferrocene_certified"))]
402use crate::intrinsics::const_eval_select;
403#[cfg(not(feature = "ferrocene_certified"))]
404use crate::marker::{FnPtr, PointeeSized};
405#[cfg(not(feature = "ferrocene_certified"))]
406use crate::mem::{self, MaybeUninit, SizedTypeProperties};
407#[cfg(not(feature = "ferrocene_certified"))]
408use crate::num::NonZero;
409#[cfg(not(feature = "ferrocene_certified"))]
410use crate::{fmt, hash, intrinsics, ub_checks};
411#[cfg(feature = "ferrocene_certified")]
412use crate::{
413 intrinsics,
414 marker::PointeeSized,
415 mem::{self, SizedTypeProperties},
416 ub_checks,
417};
418
419mod alignment;
420#[unstable(feature = "ptr_alignment_type", issue = "102070")]
421pub use alignment::Alignment;
422
423mod metadata;
424#[unstable(feature = "ptr_metadata", issue = "81513")]
425#[cfg(not(feature = "ferrocene_certified"))]
426pub use metadata::{DynMetadata, Pointee, Thin, from_raw_parts, from_raw_parts_mut, metadata};
427#[unstable(feature = "ptr_metadata", issue = "81513")]
428#[cfg(feature = "ferrocene_certified")]
429pub use metadata::{Pointee, Thin, from_raw_parts, from_raw_parts_mut};
430
431mod non_null;
432#[stable(feature = "nonnull", since = "1.25.0")]
433pub use non_null::NonNull;
434
435#[cfg(not(feature = "ferrocene_certified"))]
436mod unique;
437#[unstable(feature = "ptr_internals", issue = "none")]
438#[cfg(not(feature = "ferrocene_certified"))]
439pub use unique::Unique;
440
441mod const_ptr;
442mod mut_ptr;
443
444// Some functions are defined here because they accidentally got made
445// available in this module on stable. See <https://github.com/rust-lang/rust/issues/15702>.
446// (`transmute` also falls into this category, but it cannot be wrapped due to the
447// check that `T` and `U` have the same size.)
448
449/// Copies `count * size_of::<T>()` bytes from `src` to `dst`. The source
450/// and destination must *not* overlap.
451///
452/// For regions of memory which might overlap, use [`copy`] instead.
453///
454/// `copy_nonoverlapping` is semantically equivalent to C's [`memcpy`], but
455/// with the source and destination arguments swapped,
456/// and `count` counting the number of `T`s instead of bytes.
457///
458/// The copy is "untyped" in the sense that data may be uninitialized or otherwise violate the
459/// requirements of `T`. The initialization state is preserved exactly.
460///
461/// [`memcpy`]: https://en.cppreference.com/w/c/string/byte/memcpy
462///
463/// # Safety
464///
465/// Behavior is undefined if any of the following conditions are violated:
466///
467/// * `src` must be [valid] for reads of `count * size_of::<T>()` bytes.
468///
469/// * `dst` must be [valid] for writes of `count * size_of::<T>()` bytes.
470///
471/// * Both `src` and `dst` must be properly aligned.
472///
473/// * The region of memory beginning at `src` with a size of `count *
474/// size_of::<T>()` bytes must *not* overlap with the region of memory
475/// beginning at `dst` with the same size.
476///
477/// Like [`read`], `copy_nonoverlapping` creates a bitwise copy of `T`, regardless of
478/// whether `T` is [`Copy`]. If `T` is not [`Copy`], using *both* the values
479/// in the region beginning at `*src` and the region beginning at `*dst` can
480/// [violate memory safety][read-ownership].
481///
482/// Note that even if the effectively copied size (`count * size_of::<T>()`) is
483/// `0`, the pointers must be properly aligned.
484///
485/// [`read`]: crate::ptr::read
486/// [read-ownership]: crate::ptr::read#ownership-of-the-returned-value
487/// [valid]: crate::ptr#safety
488///
489/// # Examples
490///
491/// Manually implement [`Vec::append`]:
492///
493/// ```
494/// use std::ptr;
495///
496/// /// Moves all the elements of `src` into `dst`, leaving `src` empty.
497/// fn append<T>(dst: &mut Vec<T>, src: &mut Vec<T>) {
498/// let src_len = src.len();
499/// let dst_len = dst.len();
500///
501/// // Ensure that `dst` has enough capacity to hold all of `src`.
502/// dst.reserve(src_len);
503///
504/// unsafe {
505/// // The call to add is always safe because `Vec` will never
506/// // allocate more than `isize::MAX` bytes.
507/// let dst_ptr = dst.as_mut_ptr().add(dst_len);
508/// let src_ptr = src.as_ptr();
509///
510/// // Truncate `src` without dropping its contents. We do this first,
511/// // to avoid problems in case something further down panics.
512/// src.set_len(0);
513///
514/// // The two regions cannot overlap because mutable references do
515/// // not alias, and two different vectors cannot own the same
516/// // memory.
517/// ptr::copy_nonoverlapping(src_ptr, dst_ptr, src_len);
518///
519/// // Notify `dst` that it now holds the contents of `src`.
520/// dst.set_len(dst_len + src_len);
521/// }
522/// }
523///
524/// let mut a = vec!['r'];
525/// let mut b = vec!['u', 's', 't'];
526///
527/// append(&mut a, &mut b);
528///
529/// assert_eq!(a, &['r', 'u', 's', 't']);
530/// assert!(b.is_empty());
531/// ```
532///
533/// [`Vec::append`]: ../../std/vec/struct.Vec.html#method.append
534#[doc(alias = "memcpy")]
535#[stable(feature = "rust1", since = "1.0.0")]
536#[rustc_const_stable(feature = "const_intrinsic_copy", since = "1.83.0")]
537#[inline(always)]
538#[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
539#[rustc_diagnostic_item = "ptr_copy_nonoverlapping"]
540#[cfg(not(feature = "ferrocene_certified"))]
541pub const unsafe fn copy_nonoverlapping<T>(src: *const T, dst: *mut T, count: usize) {
542 ub_checks::assert_unsafe_precondition!(
543 check_language_ub,
544 "ptr::copy_nonoverlapping requires that both pointer arguments are aligned and non-null \
545 and the specified memory ranges do not overlap",
546 (
547 src: *const () = src as *const (),
548 dst: *mut () = dst as *mut (),
549 size: usize = size_of::<T>(),
550 align: usize = align_of::<T>(),
551 count: usize = count,
552 ) => {
553 let zero_size = count == 0 || size == 0;
554 ub_checks::maybe_is_aligned_and_not_null(src, align, zero_size)
555 && ub_checks::maybe_is_aligned_and_not_null(dst, align, zero_size)
556 && ub_checks::maybe_is_nonoverlapping(src, dst, size, count)
557 }
558 );
559
560 // SAFETY: the safety contract for `copy_nonoverlapping` must be
561 // upheld by the caller.
562 unsafe { crate::intrinsics::copy_nonoverlapping(src, dst, count) }
563}
564
565/// Copies `count * size_of::<T>()` bytes from `src` to `dst`. The source
566/// and destination may overlap.
567///
568/// If the source and destination will *never* overlap,
569/// [`copy_nonoverlapping`] can be used instead.
570///
571/// `copy` is semantically equivalent to C's [`memmove`], but
572/// with the source and destination arguments swapped,
573/// and `count` counting the number of `T`s instead of bytes.
574/// Copying takes place as if the bytes were copied from `src`
575/// to a temporary array and then copied from the array to `dst`.
576///
577/// The copy is "untyped" in the sense that data may be uninitialized or otherwise violate the
578/// requirements of `T`. The initialization state is preserved exactly.
579///
580/// [`memmove`]: https://en.cppreference.com/w/c/string/byte/memmove
581///
582/// # Safety
583///
584/// Behavior is undefined if any of the following conditions are violated:
585///
586/// * `src` must be [valid] for reads of `count * size_of::<T>()` bytes.
587///
588/// * `dst` must be [valid] for writes of `count * size_of::<T>()` bytes, and must remain valid even
589/// when `src` is read for `count * size_of::<T>()` bytes. (This means if the memory ranges
590/// overlap, the `dst` pointer must not be invalidated by `src` reads.)
591///
592/// * Both `src` and `dst` must be properly aligned.
593///
594/// Like [`read`], `copy` creates a bitwise copy of `T`, regardless of
595/// whether `T` is [`Copy`]. If `T` is not [`Copy`], using both the values
596/// in the region beginning at `*src` and the region beginning at `*dst` can
597/// [violate memory safety][read-ownership].
598///
599/// Note that even if the effectively copied size (`count * size_of::<T>()`) is
600/// `0`, the pointers must be properly aligned.
601///
602/// [`read`]: crate::ptr::read
603/// [read-ownership]: crate::ptr::read#ownership-of-the-returned-value
604/// [valid]: crate::ptr#safety
605///
606/// # Examples
607///
608/// Efficiently create a Rust vector from an unsafe buffer:
609///
610/// ```
611/// use std::ptr;
612///
613/// /// # Safety
614/// ///
615/// /// * `ptr` must be correctly aligned for its type and non-zero.
616/// /// * `ptr` must be valid for reads of `elts` contiguous elements of type `T`.
617/// /// * Those elements must not be used after calling this function unless `T: Copy`.
618/// # #[allow(dead_code)]
619/// unsafe fn from_buf_raw<T>(ptr: *const T, elts: usize) -> Vec<T> {
620/// let mut dst = Vec::with_capacity(elts);
621///
622/// // SAFETY: Our precondition ensures the source is aligned and valid,
623/// // and `Vec::with_capacity` ensures that we have usable space to write them.
624/// unsafe { ptr::copy(ptr, dst.as_mut_ptr(), elts); }
625///
626/// // SAFETY: We created it with this much capacity earlier,
627/// // and the previous `copy` has initialized these elements.
628/// unsafe { dst.set_len(elts); }
629/// dst
630/// }
631/// ```
632#[doc(alias = "memmove")]
633#[stable(feature = "rust1", since = "1.0.0")]
634#[rustc_const_stable(feature = "const_intrinsic_copy", since = "1.83.0")]
635#[inline(always)]
636#[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
637#[rustc_diagnostic_item = "ptr_copy"]
638#[cfg(not(feature = "ferrocene_certified"))]
639pub const unsafe fn copy<T>(src: *const T, dst: *mut T, count: usize) {
640 // SAFETY: the safety contract for `copy` must be upheld by the caller.
641 unsafe {
642 ub_checks::assert_unsafe_precondition!(
643 check_language_ub,
644 "ptr::copy requires that both pointer arguments are aligned and non-null",
645 (
646 src: *const () = src as *const (),
647 dst: *mut () = dst as *mut (),
648 align: usize = align_of::<T>(),
649 zero_size: bool = T::IS_ZST || count == 0,
650 ) =>
651 ub_checks::maybe_is_aligned_and_not_null(src, align, zero_size)
652 && ub_checks::maybe_is_aligned_and_not_null(dst, align, zero_size)
653 );
654 crate::intrinsics::copy(src, dst, count)
655 }
656}
657
658/// Sets `count * size_of::<T>()` bytes of memory starting at `dst` to
659/// `val`.
660///
661/// `write_bytes` is similar to C's [`memset`], but sets `count *
662/// size_of::<T>()` bytes to `val`.
663///
664/// [`memset`]: https://en.cppreference.com/w/c/string/byte/memset
665///
666/// # Safety
667///
668/// Behavior is undefined if any of the following conditions are violated:
669///
670/// * `dst` must be [valid] for writes of `count * size_of::<T>()` bytes.
671///
672/// * `dst` must be properly aligned.
673///
674/// Note that even if the effectively copied size (`count * size_of::<T>()`) is
675/// `0`, the pointer must be properly aligned.
676///
677/// Additionally, note that changing `*dst` in this way can easily lead to undefined behavior (UB)
678/// later if the written bytes are not a valid representation of some `T`. For instance, the
679/// following is an **incorrect** use of this function:
680///
681/// ```rust,no_run
682/// unsafe {
683/// let mut value: u8 = 0;
684/// let ptr: *mut bool = &mut value as *mut u8 as *mut bool;
685/// let _bool = ptr.read(); // This is fine, `ptr` points to a valid `bool`.
686/// ptr.write_bytes(42u8, 1); // This function itself does not cause UB...
687/// let _bool = ptr.read(); // ...but it makes this operation UB! ⚠️
688/// }
689/// ```
690///
691/// [valid]: crate::ptr#safety
692///
693/// # Examples
694///
695/// Basic usage:
696///
697/// ```
698/// use std::ptr;
699///
700/// let mut vec = vec![0u32; 4];
701/// unsafe {
702/// let vec_ptr = vec.as_mut_ptr();
703/// ptr::write_bytes(vec_ptr, 0xfe, 2);
704/// }
705/// assert_eq!(vec, [0xfefefefe, 0xfefefefe, 0, 0]);
706/// ```
707#[doc(alias = "memset")]
708#[stable(feature = "rust1", since = "1.0.0")]
709#[rustc_const_stable(feature = "const_ptr_write", since = "1.83.0")]
710#[inline(always)]
711#[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
712#[rustc_diagnostic_item = "ptr_write_bytes"]
713#[cfg(not(feature = "ferrocene_certified"))]
714pub const unsafe fn write_bytes<T>(dst: *mut T, val: u8, count: usize) {
715 // SAFETY: the safety contract for `write_bytes` must be upheld by the caller.
716 unsafe {
717 ub_checks::assert_unsafe_precondition!(
718 check_language_ub,
719 "ptr::write_bytes requires that the destination pointer is aligned and non-null",
720 (
721 addr: *const () = dst as *const (),
722 align: usize = align_of::<T>(),
723 zero_size: bool = T::IS_ZST || count == 0,
724 ) => ub_checks::maybe_is_aligned_and_not_null(addr, align, zero_size)
725 );
726 crate::intrinsics::write_bytes(dst, val, count)
727 }
728}
729
730/// Executes the destructor (if any) of the pointed-to value.
731///
732/// This is almost the same as calling [`ptr::read`] and discarding
733/// the result, but has the following advantages:
734// FIXME: say something more useful than "almost the same"?
735// There are open questions here: `read` requires the value to be fully valid, e.g. if `T` is a
736// `bool` it must be 0 or 1, if it is a reference then it must be dereferenceable. `drop_in_place`
737// only requires that `*to_drop` be "valid for dropping" and we have not defined what that means. In
738// Miri it currently (May 2024) requires nothing at all for types without drop glue.
739///
740/// * It is *required* to use `drop_in_place` to drop unsized types like
741/// trait objects, because they can't be read out onto the stack and
742/// dropped normally.
743///
744/// * It is friendlier to the optimizer to do this over [`ptr::read`] when
745/// dropping manually allocated memory (e.g., in the implementations of
746/// `Box`/`Rc`/`Vec`), as the compiler doesn't need to prove that it's
747/// sound to elide the copy.
748///
749/// * It can be used to drop [pinned] data when `T` is not `repr(packed)`
750/// (pinned data must not be moved before it is dropped).
751///
752/// Unaligned values cannot be dropped in place, they must be copied to an aligned
753/// location first using [`ptr::read_unaligned`]. For packed structs, this move is
754/// done automatically by the compiler. This means the fields of packed structs
755/// are not dropped in-place.
756///
757/// [`ptr::read`]: self::read
758/// [`ptr::read_unaligned`]: self::read_unaligned
759/// [pinned]: crate::pin
760///
761/// # Safety
762///
763/// Behavior is undefined if any of the following conditions are violated:
764///
765/// * `to_drop` must be [valid] for both reads and writes.
766///
767/// * `to_drop` must be properly aligned, even if `T` has size 0.
768///
769/// * `to_drop` must be nonnull, even if `T` has size 0.
770///
771/// * The value `to_drop` points to must be valid for dropping, which may mean
772/// it must uphold additional invariants. These invariants depend on the type
773/// of the value being dropped. For instance, when dropping a Box, the box's
774/// pointer to the heap must be valid.
775///
776/// * While `drop_in_place` is executing, the only way to access parts of
777/// `to_drop` is through the `&mut self` references supplied to the
778/// `Drop::drop` methods that `drop_in_place` invokes.
779///
780/// Additionally, if `T` is not [`Copy`], using the pointed-to value after
781/// calling `drop_in_place` can cause undefined behavior. Note that `*to_drop =
782/// foo` counts as a use because it will cause the value to be dropped
783/// again. [`write()`] can be used to overwrite data without causing it to be
784/// dropped.
785///
786/// [valid]: self#safety
787///
788/// # Examples
789///
790/// Manually remove the last item from a vector:
791///
792/// ```
793/// use std::ptr;
794/// use std::rc::Rc;
795///
796/// let last = Rc::new(1);
797/// let weak = Rc::downgrade(&last);
798///
799/// let mut v = vec![Rc::new(0), last];
800///
801/// unsafe {
802/// // Get a raw pointer to the last element in `v`.
803/// let ptr = &mut v[1] as *mut _;
804/// // Shorten `v` to prevent the last item from being dropped. We do that first,
805/// // to prevent issues if the `drop_in_place` below panics.
806/// v.set_len(1);
807/// // Without a call `drop_in_place`, the last item would never be dropped,
808/// // and the memory it manages would be leaked.
809/// ptr::drop_in_place(ptr);
810/// }
811///
812/// assert_eq!(v, &[0.into()]);
813///
814/// // Ensure that the last item was dropped.
815/// assert!(weak.upgrade().is_none());
816/// ```
817#[stable(feature = "drop_in_place", since = "1.8.0")]
818#[lang = "drop_in_place"]
819#[allow(unconditional_recursion)]
820#[rustc_diagnostic_item = "ptr_drop_in_place"]
821#[cfg(not(feature = "ferrocene_certified"))]
822pub unsafe fn drop_in_place<T: PointeeSized>(to_drop: *mut T) {
823 // Code here does not matter - this is replaced by the
824 // real drop glue by the compiler.
825
826 // SAFETY: see comment above
827 unsafe { drop_in_place(to_drop) }
828}
829
830/// Creates a null raw pointer.
831///
832/// This function is equivalent to zero-initializing the pointer:
833/// `MaybeUninit::<*const T>::zeroed().assume_init()`.
834/// The resulting pointer has the address 0.
835///
836/// # Examples
837///
838/// ```
839/// use std::ptr;
840///
841/// let p: *const i32 = ptr::null();
842/// assert!(p.is_null());
843/// assert_eq!(p as usize, 0); // this pointer has the address 0
844/// ```
845#[inline(always)]
846#[must_use]
847#[stable(feature = "rust1", since = "1.0.0")]
848#[rustc_promotable]
849#[rustc_const_stable(feature = "const_ptr_null", since = "1.24.0")]
850#[rustc_diagnostic_item = "ptr_null"]
851pub const fn null<T: PointeeSized + Thin>() -> *const T {
852 from_raw_parts(without_provenance::<()>(0), ())
853}
854
855/// Creates a null mutable raw pointer.
856///
857/// This function is equivalent to zero-initializing the pointer:
858/// `MaybeUninit::<*mut T>::zeroed().assume_init()`.
859/// The resulting pointer has the address 0.
860///
861/// # Examples
862///
863/// ```
864/// use std::ptr;
865///
866/// let p: *mut i32 = ptr::null_mut();
867/// assert!(p.is_null());
868/// assert_eq!(p as usize, 0); // this pointer has the address 0
869/// ```
870#[inline(always)]
871#[must_use]
872#[stable(feature = "rust1", since = "1.0.0")]
873#[rustc_promotable]
874#[rustc_const_stable(feature = "const_ptr_null", since = "1.24.0")]
875#[rustc_diagnostic_item = "ptr_null_mut"]
876pub const fn null_mut<T: PointeeSized + Thin>() -> *mut T {
877 from_raw_parts_mut(without_provenance_mut::<()>(0), ())
878}
879
880/// Creates a pointer with the given address and no [provenance][crate::ptr#provenance].
881///
882/// This is equivalent to `ptr::null().with_addr(addr)`.
883///
884/// Without provenance, this pointer is not associated with any actual allocation. Such a
885/// no-provenance pointer may be used for zero-sized memory accesses (if suitably aligned), but
886/// non-zero-sized memory accesses with a no-provenance pointer are UB. No-provenance pointers are
887/// little more than a `usize` address in disguise.
888///
889/// This is different from `addr as *const T`, which creates a pointer that picks up a previously
890/// exposed provenance. See [`with_exposed_provenance`] for more details on that operation.
891///
892/// This is a [Strict Provenance][crate::ptr#strict-provenance] API.
893#[inline(always)]
894#[must_use]
895#[stable(feature = "strict_provenance", since = "1.84.0")]
896#[rustc_const_stable(feature = "strict_provenance", since = "1.84.0")]
897pub const fn without_provenance<T>(addr: usize) -> *const T {
898 without_provenance_mut(addr)
899}
900
901/// Creates a new pointer that is dangling, but non-null and well-aligned.
902///
903/// This is useful for initializing types which lazily allocate, like
904/// `Vec::new` does.
905///
906/// Note that the pointer value may potentially represent a valid pointer to
907/// a `T`, which means this must not be used as a "not yet initialized"
908/// sentinel value. Types that lazily allocate must track initialization by
909/// some other means.
910#[inline(always)]
911#[must_use]
912#[stable(feature = "strict_provenance", since = "1.84.0")]
913#[rustc_const_stable(feature = "strict_provenance", since = "1.84.0")]
914#[cfg(not(feature = "ferrocene_certified"))]
915pub const fn dangling<T>() -> *const T {
916 dangling_mut()
917}
918
919/// Creates a pointer with the given address and no [provenance][crate::ptr#provenance].
920///
921/// This is equivalent to `ptr::null_mut().with_addr(addr)`.
922///
923/// Without provenance, this pointer is not associated with any actual allocation. Such a
924/// no-provenance pointer may be used for zero-sized memory accesses (if suitably aligned), but
925/// non-zero-sized memory accesses with a no-provenance pointer are UB. No-provenance pointers are
926/// little more than a `usize` address in disguise.
927///
928/// This is different from `addr as *mut T`, which creates a pointer that picks up a previously
929/// exposed provenance. See [`with_exposed_provenance_mut`] for more details on that operation.
930///
931/// This is a [Strict Provenance][crate::ptr#strict-provenance] API.
932#[inline(always)]
933#[must_use]
934#[stable(feature = "strict_provenance", since = "1.84.0")]
935#[rustc_const_stable(feature = "strict_provenance", since = "1.84.0")]
936pub const fn without_provenance_mut<T>(addr: usize) -> *mut T {
937 // An int-to-pointer transmute currently has exactly the intended semantics: it creates a
938 // pointer without provenance. Note that this is *not* a stable guarantee about transmute
939 // semantics, it relies on sysroot crates having special status.
940 // SAFETY: every valid integer is also a valid pointer (as long as you don't dereference that
941 // pointer).
942 unsafe { mem::transmute(addr) }
943}
944
945/// Creates a new pointer that is dangling, but non-null and well-aligned.
946///
947/// This is useful for initializing types which lazily allocate, like
948/// `Vec::new` does.
949///
950/// Note that the pointer value may potentially represent a valid pointer to
951/// a `T`, which means this must not be used as a "not yet initialized"
952/// sentinel value. Types that lazily allocate must track initialization by
953/// some other means.
954#[inline(always)]
955#[must_use]
956#[stable(feature = "strict_provenance", since = "1.84.0")]
957#[rustc_const_stable(feature = "strict_provenance", since = "1.84.0")]
958#[cfg(not(feature = "ferrocene_certified"))]
959pub const fn dangling_mut<T>() -> *mut T {
960 NonNull::dangling().as_ptr()
961}
962
963/// Converts an address back to a pointer, picking up some previously 'exposed'
964/// [provenance][crate::ptr#provenance].
965///
966/// This is fully equivalent to `addr as *const T`. The provenance of the returned pointer is that
967/// of *some* pointer that was previously exposed by passing it to
968/// [`expose_provenance`][pointer::expose_provenance], or a `ptr as usize` cast. In addition, memory
969/// which is outside the control of the Rust abstract machine (MMIO registers, for example) is
970/// always considered to be accessible with an exposed provenance, so long as this memory is disjoint
971/// from memory that will be used by the abstract machine such as the stack, heap, and statics.
972///
973/// The exact provenance that gets picked is not specified. The compiler will do its best to pick
974/// the "right" provenance for you (whatever that may be), but currently we cannot provide any
975/// guarantees about which provenance the resulting pointer will have -- and therefore there
976/// is no definite specification for which memory the resulting pointer may access.
977///
978/// If there is *no* previously 'exposed' provenance that justifies the way the returned pointer
979/// will be used, the program has undefined behavior. In particular, the aliasing rules still apply:
980/// pointers and references that have been invalidated due to aliasing accesses cannot be used
981/// anymore, even if they have been exposed!
982///
983/// Due to its inherent ambiguity, this operation may not be supported by tools that help you to
984/// stay conformant with the Rust memory model. It is recommended to use [Strict
985/// Provenance][self#strict-provenance] APIs such as [`with_addr`][pointer::with_addr] wherever
986/// possible.
987///
988/// On most platforms this will produce a value with the same bytes as the address. Platforms
989/// which need to store additional information in a pointer may not support this operation,
990/// since it is generally not possible to actually *compute* which provenance the returned
991/// pointer has to pick up.
992///
993/// This is an [Exposed Provenance][crate::ptr#exposed-provenance] API.
994#[must_use]
995#[inline(always)]
996#[stable(feature = "exposed_provenance", since = "1.84.0")]
997#[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
998#[allow(fuzzy_provenance_casts)] // this *is* the explicit provenance API one should use instead
999#[cfg(not(feature = "ferrocene_certified"))]
1000pub fn with_exposed_provenance<T>(addr: usize) -> *const T {
1001 addr as *const T
1002}
1003
1004/// Converts an address back to a mutable pointer, picking up some previously 'exposed'
1005/// [provenance][crate::ptr#provenance].
1006///
1007/// This is fully equivalent to `addr as *mut T`. The provenance of the returned pointer is that
1008/// of *some* pointer that was previously exposed by passing it to
1009/// [`expose_provenance`][pointer::expose_provenance], or a `ptr as usize` cast. In addition, memory
1010/// which is outside the control of the Rust abstract machine (MMIO registers, for example) is
1011/// always considered to be accessible with an exposed provenance, so long as this memory is disjoint
1012/// from memory that will be used by the abstract machine such as the stack, heap, and statics.
1013///
1014/// The exact provenance that gets picked is not specified. The compiler will do its best to pick
1015/// the "right" provenance for you (whatever that may be), but currently we cannot provide any
1016/// guarantees about which provenance the resulting pointer will have -- and therefore there
1017/// is no definite specification for which memory the resulting pointer may access.
1018///
1019/// If there is *no* previously 'exposed' provenance that justifies the way the returned pointer
1020/// will be used, the program has undefined behavior. In particular, the aliasing rules still apply:
1021/// pointers and references that have been invalidated due to aliasing accesses cannot be used
1022/// anymore, even if they have been exposed!
1023///
1024/// Due to its inherent ambiguity, this operation may not be supported by tools that help you to
1025/// stay conformant with the Rust memory model. It is recommended to use [Strict
1026/// Provenance][self#strict-provenance] APIs such as [`with_addr`][pointer::with_addr] wherever
1027/// possible.
1028///
1029/// On most platforms this will produce a value with the same bytes as the address. Platforms
1030/// which need to store additional information in a pointer may not support this operation,
1031/// since it is generally not possible to actually *compute* which provenance the returned
1032/// pointer has to pick up.
1033///
1034/// This is an [Exposed Provenance][crate::ptr#exposed-provenance] API.
1035#[must_use]
1036#[inline(always)]
1037#[stable(feature = "exposed_provenance", since = "1.84.0")]
1038#[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
1039#[allow(fuzzy_provenance_casts)] // this *is* the explicit provenance API one should use instead
1040#[cfg(not(feature = "ferrocene_certified"))]
1041pub fn with_exposed_provenance_mut<T>(addr: usize) -> *mut T {
1042 addr as *mut T
1043}
1044
1045/// Converts a reference to a raw pointer.
1046///
1047/// For `r: &T`, `from_ref(r)` is equivalent to `r as *const T` (except for the caveat noted below),
1048/// but is a bit safer since it will never silently change type or mutability, in particular if the
1049/// code is refactored.
1050///
1051/// The caller must ensure that the pointee outlives the pointer this function returns, or else it
1052/// will end up dangling.
1053///
1054/// The caller must also ensure that the memory the pointer (non-transitively) points to is never
1055/// written to (except inside an `UnsafeCell`) using this pointer or any pointer derived from it. If
1056/// you need to mutate the pointee, use [`from_mut`]. Specifically, to turn a mutable reference `m:
1057/// &mut T` into `*const T`, prefer `from_mut(m).cast_const()` to obtain a pointer that can later be
1058/// used for mutation.
1059///
1060/// ## Interaction with lifetime extension
1061///
1062/// Note that this has subtle interactions with the rules for lifetime extension of temporaries in
1063/// tail expressions. This code is valid, albeit in a non-obvious way:
1064/// ```rust
1065/// # type T = i32;
1066/// # fn foo() -> T { 42 }
1067/// // The temporary holding the return value of `foo` has its lifetime extended,
1068/// // because the surrounding expression involves no function call.
1069/// let p = &foo() as *const T;
1070/// unsafe { p.read() };
1071/// ```
1072/// Naively replacing the cast with `from_ref` is not valid:
1073/// ```rust,no_run
1074/// # use std::ptr;
1075/// # type T = i32;
1076/// # fn foo() -> T { 42 }
1077/// // The temporary holding the return value of `foo` does *not* have its lifetime extended,
1078/// // because the surrounding expression involves a function call.
1079/// let p = ptr::from_ref(&foo());
1080/// unsafe { p.read() }; // UB! Reading from a dangling pointer ⚠️
1081/// ```
1082/// The recommended way to write this code is to avoid relying on lifetime extension
1083/// when raw pointers are involved:
1084/// ```rust
1085/// # use std::ptr;
1086/// # type T = i32;
1087/// # fn foo() -> T { 42 }
1088/// let x = foo();
1089/// let p = ptr::from_ref(&x);
1090/// unsafe { p.read() };
1091/// ```
1092#[inline(always)]
1093#[must_use]
1094#[stable(feature = "ptr_from_ref", since = "1.76.0")]
1095#[rustc_const_stable(feature = "ptr_from_ref", since = "1.76.0")]
1096#[rustc_never_returns_null_ptr]
1097#[rustc_diagnostic_item = "ptr_from_ref"]
1098#[cfg(not(feature = "ferrocene_certified"))]
1099pub const fn from_ref<T: PointeeSized>(r: &T) -> *const T {
1100 r
1101}
1102
1103/// Converts a mutable reference to a raw pointer.
1104///
1105/// For `r: &mut T`, `from_mut(r)` is equivalent to `r as *mut T` (except for the caveat noted
1106/// below), but is a bit safer since it will never silently change type or mutability, in particular
1107/// if the code is refactored.
1108///
1109/// The caller must ensure that the pointee outlives the pointer this function returns, or else it
1110/// will end up dangling.
1111///
1112/// ## Interaction with lifetime extension
1113///
1114/// Note that this has subtle interactions with the rules for lifetime extension of temporaries in
1115/// tail expressions. This code is valid, albeit in a non-obvious way:
1116/// ```rust
1117/// # type T = i32;
1118/// # fn foo() -> T { 42 }
1119/// // The temporary holding the return value of `foo` has its lifetime extended,
1120/// // because the surrounding expression involves no function call.
1121/// let p = &mut foo() as *mut T;
1122/// unsafe { p.write(T::default()) };
1123/// ```
1124/// Naively replacing the cast with `from_mut` is not valid:
1125/// ```rust,no_run
1126/// # use std::ptr;
1127/// # type T = i32;
1128/// # fn foo() -> T { 42 }
1129/// // The temporary holding the return value of `foo` does *not* have its lifetime extended,
1130/// // because the surrounding expression involves a function call.
1131/// let p = ptr::from_mut(&mut foo());
1132/// unsafe { p.write(T::default()) }; // UB! Writing to a dangling pointer ⚠️
1133/// ```
1134/// The recommended way to write this code is to avoid relying on lifetime extension
1135/// when raw pointers are involved:
1136/// ```rust
1137/// # use std::ptr;
1138/// # type T = i32;
1139/// # fn foo() -> T { 42 }
1140/// let mut x = foo();
1141/// let p = ptr::from_mut(&mut x);
1142/// unsafe { p.write(T::default()) };
1143/// ```
1144#[inline(always)]
1145#[must_use]
1146#[stable(feature = "ptr_from_ref", since = "1.76.0")]
1147#[rustc_const_stable(feature = "ptr_from_ref", since = "1.76.0")]
1148#[rustc_never_returns_null_ptr]
1149#[cfg(not(feature = "ferrocene_certified"))]
1150pub const fn from_mut<T: PointeeSized>(r: &mut T) -> *mut T {
1151 r
1152}
1153
1154/// Forms a raw slice from a pointer and a length.
1155///
1156/// The `len` argument is the number of **elements**, not the number of bytes.
1157///
1158/// This function is safe, but actually using the return value is unsafe.
1159/// See the documentation of [`slice::from_raw_parts`] for slice safety requirements.
1160///
1161/// [`slice::from_raw_parts`]: crate::slice::from_raw_parts
1162///
1163/// # Examples
1164///
1165/// ```rust
1166/// use std::ptr;
1167///
1168/// // create a slice pointer when starting out with a pointer to the first element
1169/// let x = [5, 6, 7];
1170/// let raw_pointer = x.as_ptr();
1171/// let slice = ptr::slice_from_raw_parts(raw_pointer, 3);
1172/// assert_eq!(unsafe { &*slice }[2], 7);
1173/// ```
1174///
1175/// You must ensure that the pointer is valid and not null before dereferencing
1176/// the raw slice. A slice reference must never have a null pointer, even if it's empty.
1177///
1178/// ```rust,should_panic
1179/// use std::ptr;
1180/// let danger: *const [u8] = ptr::slice_from_raw_parts(ptr::null(), 0);
1181/// unsafe {
1182/// danger.as_ref().expect("references must not be null");
1183/// }
1184/// ```
1185#[inline]
1186#[stable(feature = "slice_from_raw_parts", since = "1.42.0")]
1187#[rustc_const_stable(feature = "const_slice_from_raw_parts", since = "1.64.0")]
1188#[rustc_diagnostic_item = "ptr_slice_from_raw_parts"]
1189#[cfg(not(feature = "ferrocene_certified"))]
1190pub const fn slice_from_raw_parts<T>(data: *const T, len: usize) -> *const [T] {
1191 from_raw_parts(data, len)
1192}
1193
1194/// Forms a raw mutable slice from a pointer and a length.
1195///
1196/// The `len` argument is the number of **elements**, not the number of bytes.
1197///
1198/// Performs the same functionality as [`slice_from_raw_parts`], except that a
1199/// raw mutable slice is returned, as opposed to a raw immutable slice.
1200///
1201/// This function is safe, but actually using the return value is unsafe.
1202/// See the documentation of [`slice::from_raw_parts_mut`] for slice safety requirements.
1203///
1204/// [`slice::from_raw_parts_mut`]: crate::slice::from_raw_parts_mut
1205///
1206/// # Examples
1207///
1208/// ```rust
1209/// use std::ptr;
1210///
1211/// let x = &mut [5, 6, 7];
1212/// let raw_pointer = x.as_mut_ptr();
1213/// let slice = ptr::slice_from_raw_parts_mut(raw_pointer, 3);
1214///
1215/// unsafe {
1216/// (*slice)[2] = 99; // assign a value at an index in the slice
1217/// };
1218///
1219/// assert_eq!(unsafe { &*slice }[2], 99);
1220/// ```
1221///
1222/// You must ensure that the pointer is valid and not null before dereferencing
1223/// the raw slice. A slice reference must never have a null pointer, even if it's empty.
1224///
1225/// ```rust,should_panic
1226/// use std::ptr;
1227/// let danger: *mut [u8] = ptr::slice_from_raw_parts_mut(ptr::null_mut(), 0);
1228/// unsafe {
1229/// danger.as_mut().expect("references must not be null");
1230/// }
1231/// ```
1232#[inline]
1233#[stable(feature = "slice_from_raw_parts", since = "1.42.0")]
1234#[rustc_const_stable(feature = "const_slice_from_raw_parts_mut", since = "1.83.0")]
1235#[rustc_diagnostic_item = "ptr_slice_from_raw_parts_mut"]
1236#[cfg(not(feature = "ferrocene_certified"))]
1237pub const fn slice_from_raw_parts_mut<T>(data: *mut T, len: usize) -> *mut [T] {
1238 from_raw_parts_mut(data, len)
1239}
1240
1241/// Swaps the values at two mutable locations of the same type, without
1242/// deinitializing either.
1243///
1244/// But for the following exceptions, this function is semantically
1245/// equivalent to [`mem::swap`]:
1246///
1247/// * It operates on raw pointers instead of references. When references are
1248/// available, [`mem::swap`] should be preferred.
1249///
1250/// * The two pointed-to values may overlap. If the values do overlap, then the
1251/// overlapping region of memory from `x` will be used. This is demonstrated
1252/// in the second example below.
1253///
1254/// * The operation is "untyped" in the sense that data may be uninitialized or otherwise violate
1255/// the requirements of `T`. The initialization state is preserved exactly.
1256///
1257/// # Safety
1258///
1259/// Behavior is undefined if any of the following conditions are violated:
1260///
1261/// * Both `x` and `y` must be [valid] for both reads and writes. They must remain valid even when the
1262/// other pointer is written. (This means if the memory ranges overlap, the two pointers must not
1263/// be subject to aliasing restrictions relative to each other.)
1264///
1265/// * Both `x` and `y` must be properly aligned.
1266///
1267/// Note that even if `T` has size `0`, the pointers must be properly aligned.
1268///
1269/// [valid]: self#safety
1270///
1271/// # Examples
1272///
1273/// Swapping two non-overlapping regions:
1274///
1275/// ```
1276/// use std::ptr;
1277///
1278/// let mut array = [0, 1, 2, 3];
1279///
1280/// let (x, y) = array.split_at_mut(2);
1281/// let x = x.as_mut_ptr().cast::<[u32; 2]>(); // this is `array[0..2]`
1282/// let y = y.as_mut_ptr().cast::<[u32; 2]>(); // this is `array[2..4]`
1283///
1284/// unsafe {
1285/// ptr::swap(x, y);
1286/// assert_eq!([2, 3, 0, 1], array);
1287/// }
1288/// ```
1289///
1290/// Swapping two overlapping regions:
1291///
1292/// ```
1293/// use std::ptr;
1294///
1295/// let mut array: [i32; 4] = [0, 1, 2, 3];
1296///
1297/// let array_ptr: *mut i32 = array.as_mut_ptr();
1298///
1299/// let x = array_ptr as *mut [i32; 3]; // this is `array[0..3]`
1300/// let y = unsafe { array_ptr.add(1) } as *mut [i32; 3]; // this is `array[1..4]`
1301///
1302/// unsafe {
1303/// ptr::swap(x, y);
1304/// // The indices `1..3` of the slice overlap between `x` and `y`.
1305/// // Reasonable results would be for to them be `[2, 3]`, so that indices `0..3` are
1306/// // `[1, 2, 3]` (matching `y` before the `swap`); or for them to be `[0, 1]`
1307/// // so that indices `1..4` are `[0, 1, 2]` (matching `x` before the `swap`).
1308/// // This implementation is defined to make the latter choice.
1309/// assert_eq!([1, 0, 1, 2], array);
1310/// }
1311/// ```
1312#[inline]
1313#[stable(feature = "rust1", since = "1.0.0")]
1314#[rustc_const_stable(feature = "const_swap", since = "1.85.0")]
1315#[rustc_diagnostic_item = "ptr_swap"]
1316#[cfg(not(feature = "ferrocene_certified"))]
1317pub const unsafe fn swap<T>(x: *mut T, y: *mut T) {
1318 // Give ourselves some scratch space to work with.
1319 // We do not have to worry about drops: `MaybeUninit` does nothing when dropped.
1320 let mut tmp = MaybeUninit::<T>::uninit();
1321
1322 // Perform the swap
1323 // SAFETY: the caller must guarantee that `x` and `y` are
1324 // valid for writes and properly aligned. `tmp` cannot be
1325 // overlapping either `x` or `y` because `tmp` was just allocated
1326 // on the stack as a separate allocation.
1327 unsafe {
1328 copy_nonoverlapping(x, tmp.as_mut_ptr(), 1);
1329 copy(y, x, 1); // `x` and `y` may overlap
1330 copy_nonoverlapping(tmp.as_ptr(), y, 1);
1331 }
1332}
1333
1334/// Swaps `count * size_of::<T>()` bytes between the two regions of memory
1335/// beginning at `x` and `y`. The two regions must *not* overlap.
1336///
1337/// The operation is "untyped" in the sense that data may be uninitialized or otherwise violate the
1338/// requirements of `T`. The initialization state is preserved exactly.
1339///
1340/// # Safety
1341///
1342/// Behavior is undefined if any of the following conditions are violated:
1343///
1344/// * Both `x` and `y` must be [valid] for both reads and writes of `count *
1345/// size_of::<T>()` bytes.
1346///
1347/// * Both `x` and `y` must be properly aligned.
1348///
1349/// * The region of memory beginning at `x` with a size of `count *
1350/// size_of::<T>()` bytes must *not* overlap with the region of memory
1351/// beginning at `y` with the same size.
1352///
1353/// Note that even if the effectively copied size (`count * size_of::<T>()`) is `0`,
1354/// the pointers must be properly aligned.
1355///
1356/// [valid]: self#safety
1357///
1358/// # Examples
1359///
1360/// Basic usage:
1361///
1362/// ```
1363/// use std::ptr;
1364///
1365/// let mut x = [1, 2, 3, 4];
1366/// let mut y = [7, 8, 9];
1367///
1368/// unsafe {
1369/// ptr::swap_nonoverlapping(x.as_mut_ptr(), y.as_mut_ptr(), 2);
1370/// }
1371///
1372/// assert_eq!(x, [7, 8, 3, 4]);
1373/// assert_eq!(y, [1, 2, 9]);
1374/// ```
1375///
1376/// # Const evaluation limitations
1377///
1378/// If this function is invoked during const-evaluation, the current implementation has a small (and
1379/// rarely relevant) limitation: if `count` is at least 2 and the data pointed to by `x` or `y`
1380/// contains a pointer that crosses the boundary of two `T`-sized chunks of memory, the function may
1381/// fail to evaluate (similar to a panic during const-evaluation). This behavior may change in the
1382/// future.
1383///
1384/// The limitation is illustrated by the following example:
1385///
1386/// ```
1387/// use std::mem::size_of;
1388/// use std::ptr;
1389///
1390/// const { unsafe {
1391/// const PTR_SIZE: usize = size_of::<*const i32>();
1392/// let mut data1 = [0u8; PTR_SIZE];
1393/// let mut data2 = [0u8; PTR_SIZE];
1394/// // Store a pointer in `data1`.
1395/// data1.as_mut_ptr().cast::<*const i32>().write_unaligned(&42);
1396/// // Swap the contents of `data1` and `data2` by swapping `PTR_SIZE` many `u8`-sized chunks.
1397/// // This call will fail, because the pointer in `data1` crosses the boundary
1398/// // between several of the 1-byte chunks that are being swapped here.
1399/// //ptr::swap_nonoverlapping(data1.as_mut_ptr(), data2.as_mut_ptr(), PTR_SIZE);
1400/// // Swap the contents of `data1` and `data2` by swapping a single chunk of size
1401/// // `[u8; PTR_SIZE]`. That works, as there is no pointer crossing the boundary between
1402/// // two chunks.
1403/// ptr::swap_nonoverlapping(&mut data1, &mut data2, 1);
1404/// // Read the pointer from `data2` and dereference it.
1405/// let ptr = data2.as_ptr().cast::<*const i32>().read_unaligned();
1406/// assert!(*ptr == 42);
1407/// } }
1408/// ```
1409#[inline]
1410#[stable(feature = "swap_nonoverlapping", since = "1.27.0")]
1411#[rustc_const_stable(feature = "const_swap_nonoverlapping", since = "1.88.0")]
1412#[rustc_diagnostic_item = "ptr_swap_nonoverlapping"]
1413#[rustc_allow_const_fn_unstable(const_eval_select)] // both implementations behave the same
1414#[track_caller]
1415#[cfg(not(feature = "ferrocene_certified"))]
1416pub const unsafe fn swap_nonoverlapping<T>(x: *mut T, y: *mut T, count: usize) {
1417 ub_checks::assert_unsafe_precondition!(
1418 check_library_ub,
1419 "ptr::swap_nonoverlapping requires that both pointer arguments are aligned and non-null \
1420 and the specified memory ranges do not overlap",
1421 (
1422 x: *mut () = x as *mut (),
1423 y: *mut () = y as *mut (),
1424 size: usize = size_of::<T>(),
1425 align: usize = align_of::<T>(),
1426 count: usize = count,
1427 ) => {
1428 let zero_size = size == 0 || count == 0;
1429 ub_checks::maybe_is_aligned_and_not_null(x, align, zero_size)
1430 && ub_checks::maybe_is_aligned_and_not_null(y, align, zero_size)
1431 && ub_checks::maybe_is_nonoverlapping(x, y, size, count)
1432 }
1433 );
1434
1435 const_eval_select!(
1436 @capture[T] { x: *mut T, y: *mut T, count: usize }:
1437 if const {
1438 // At compile-time we want to always copy this in chunks of `T`, to ensure that if there
1439 // are pointers inside `T` we will copy them in one go rather than trying to copy a part
1440 // of a pointer (which would not work).
1441 // SAFETY: Same preconditions as this function
1442 unsafe { swap_nonoverlapping_const(x, y, count) }
1443 } else {
1444 // Going though a slice here helps codegen know the size fits in `isize`
1445 let slice = slice_from_raw_parts_mut(x, count);
1446 // SAFETY: This is all readable from the pointer, meaning it's one
1447 // allocation, and thus cannot be more than isize::MAX bytes.
1448 let bytes = unsafe { mem::size_of_val_raw::<[T]>(slice) };
1449 if let Some(bytes) = NonZero::new(bytes) {
1450 // SAFETY: These are the same ranges, just expressed in a different
1451 // type, so they're still non-overlapping.
1452 unsafe { swap_nonoverlapping_bytes(x.cast(), y.cast(), bytes) };
1453 }
1454 }
1455 )
1456}
1457
1458/// Same behavior and safety conditions as [`swap_nonoverlapping`]
1459#[inline]
1460#[cfg(not(feature = "ferrocene_certified"))]
1461const unsafe fn swap_nonoverlapping_const<T>(x: *mut T, y: *mut T, count: usize) {
1462 let mut i = 0;
1463 while i < count {
1464 // SAFETY: By precondition, `i` is in-bounds because it's below `n`
1465 let x = unsafe { x.add(i) };
1466 // SAFETY: By precondition, `i` is in-bounds because it's below `n`
1467 // and it's distinct from `x` since the ranges are non-overlapping
1468 let y = unsafe { y.add(i) };
1469
1470 // SAFETY: we're only ever given pointers that are valid to read/write,
1471 // including being aligned, and nothing here panics so it's drop-safe.
1472 unsafe {
1473 // Note that it's critical that these use `copy_nonoverlapping`,
1474 // rather than `read`/`write`, to avoid #134713 if T has padding.
1475 let mut temp = MaybeUninit::<T>::uninit();
1476 copy_nonoverlapping(x, temp.as_mut_ptr(), 1);
1477 copy_nonoverlapping(y, x, 1);
1478 copy_nonoverlapping(temp.as_ptr(), y, 1);
1479 }
1480
1481 i += 1;
1482 }
1483}
1484
1485// Don't let MIR inline this, because we really want it to keep its noalias metadata
1486#[rustc_no_mir_inline]
1487#[inline]
1488#[cfg(not(feature = "ferrocene_certified"))]
1489fn swap_chunk<const N: usize>(x: &mut MaybeUninit<[u8; N]>, y: &mut MaybeUninit<[u8; N]>) {
1490 let a = *x;
1491 let b = *y;
1492 *x = b;
1493 *y = a;
1494}
1495
1496#[inline]
1497#[cfg(not(feature = "ferrocene_certified"))]
1498unsafe fn swap_nonoverlapping_bytes(x: *mut u8, y: *mut u8, bytes: NonZero<usize>) {
1499 // Same as `swap_nonoverlapping::<[u8; N]>`.
1500 unsafe fn swap_nonoverlapping_chunks<const N: usize>(
1501 x: *mut MaybeUninit<[u8; N]>,
1502 y: *mut MaybeUninit<[u8; N]>,
1503 chunks: NonZero<usize>,
1504 ) {
1505 let chunks = chunks.get();
1506 for i in 0..chunks {
1507 // SAFETY: i is in [0, chunks) so the adds and dereferences are in-bounds.
1508 unsafe { swap_chunk(&mut *x.add(i), &mut *y.add(i)) };
1509 }
1510 }
1511
1512 // Same as `swap_nonoverlapping_bytes`, but accepts at most 1+2+4=7 bytes
1513 #[inline]
1514 unsafe fn swap_nonoverlapping_short(x: *mut u8, y: *mut u8, bytes: NonZero<usize>) {
1515 // Tail handling for auto-vectorized code sometimes has element-at-a-time behaviour,
1516 // see <https://github.com/rust-lang/rust/issues/134946>.
1517 // By swapping as different sizes, rather than as a loop over bytes,
1518 // we make sure not to end up with, say, seven byte-at-a-time copies.
1519
1520 let bytes = bytes.get();
1521 let mut i = 0;
1522 macro_rules! swap_prefix {
1523 ($($n:literal)+) => {$(
1524 if (bytes & $n) != 0 {
1525 // SAFETY: `i` can only have the same bits set as those in bytes,
1526 // so these `add`s are in-bounds of `bytes`. But the bit for
1527 // `$n` hasn't been set yet, so the `$n` bytes that `swap_chunk`
1528 // will read and write are within the usable range.
1529 unsafe { swap_chunk::<$n>(&mut*x.add(i).cast(), &mut*y.add(i).cast()) };
1530 i |= $n;
1531 }
1532 )+};
1533 }
1534 swap_prefix!(4 2 1);
1535 debug_assert_eq!(i, bytes);
1536 }
1537
1538 const CHUNK_SIZE: usize = size_of::<*const ()>();
1539 let bytes = bytes.get();
1540
1541 let chunks = bytes / CHUNK_SIZE;
1542 let tail = bytes % CHUNK_SIZE;
1543 if let Some(chunks) = NonZero::new(chunks) {
1544 // SAFETY: this is bytes/CHUNK_SIZE*CHUNK_SIZE bytes, which is <= bytes,
1545 // so it's within the range of our non-overlapping bytes.
1546 unsafe { swap_nonoverlapping_chunks::<CHUNK_SIZE>(x.cast(), y.cast(), chunks) };
1547 }
1548 if let Some(tail) = NonZero::new(tail) {
1549 const { assert!(CHUNK_SIZE <= 8) };
1550 let delta = chunks * CHUNK_SIZE;
1551 // SAFETY: the tail length is below CHUNK SIZE because of the remainder,
1552 // and CHUNK_SIZE is at most 8 by the const assert, so tail <= 7
1553 unsafe { swap_nonoverlapping_short(x.add(delta), y.add(delta), tail) };
1554 }
1555}
1556
1557/// Moves `src` into the pointed `dst`, returning the previous `dst` value.
1558///
1559/// Neither value is dropped.
1560///
1561/// This function is semantically equivalent to [`mem::replace`] except that it
1562/// operates on raw pointers instead of references. When references are
1563/// available, [`mem::replace`] should be preferred.
1564///
1565/// # Safety
1566///
1567/// Behavior is undefined if any of the following conditions are violated:
1568///
1569/// * `dst` must be [valid] for both reads and writes.
1570///
1571/// * `dst` must be properly aligned.
1572///
1573/// * `dst` must point to a properly initialized value of type `T`.
1574///
1575/// Note that even if `T` has size `0`, the pointer must be properly aligned.
1576///
1577/// [valid]: self#safety
1578///
1579/// # Examples
1580///
1581/// ```
1582/// use std::ptr;
1583///
1584/// let mut rust = vec!['b', 'u', 's', 't'];
1585///
1586/// // `mem::replace` would have the same effect without requiring the unsafe
1587/// // block.
1588/// let b = unsafe {
1589/// ptr::replace(&mut rust[0], 'r')
1590/// };
1591///
1592/// assert_eq!(b, 'b');
1593/// assert_eq!(rust, &['r', 'u', 's', 't']);
1594/// ```
1595#[inline]
1596#[stable(feature = "rust1", since = "1.0.0")]
1597#[rustc_const_stable(feature = "const_replace", since = "1.83.0")]
1598#[rustc_diagnostic_item = "ptr_replace"]
1599#[track_caller]
1600#[cfg(not(feature = "ferrocene_certified"))]
1601pub const unsafe fn replace<T>(dst: *mut T, src: T) -> T {
1602 // SAFETY: the caller must guarantee that `dst` is valid to be
1603 // cast to a mutable reference (valid for writes, aligned, initialized),
1604 // and cannot overlap `src` since `dst` must point to a distinct
1605 // allocation.
1606 unsafe {
1607 ub_checks::assert_unsafe_precondition!(
1608 check_language_ub,
1609 "ptr::replace requires that the pointer argument is aligned and non-null",
1610 (
1611 addr: *const () = dst as *const (),
1612 align: usize = align_of::<T>(),
1613 is_zst: bool = T::IS_ZST,
1614 ) => ub_checks::maybe_is_aligned_and_not_null(addr, align, is_zst)
1615 );
1616 mem::replace(&mut *dst, src)
1617 }
1618}
1619
1620/// Reads the value from `src` without moving it. This leaves the
1621/// memory in `src` unchanged.
1622///
1623/// # Safety
1624///
1625/// Behavior is undefined if any of the following conditions are violated:
1626///
1627/// * `src` must be [valid] for reads.
1628///
1629/// * `src` must be properly aligned. Use [`read_unaligned`] if this is not the
1630/// case.
1631///
1632/// * `src` must point to a properly initialized value of type `T`.
1633///
1634/// Note that even if `T` has size `0`, the pointer must be properly aligned.
1635///
1636/// # Examples
1637///
1638/// Basic usage:
1639///
1640/// ```
1641/// let x = 12;
1642/// let y = &x as *const i32;
1643///
1644/// unsafe {
1645/// assert_eq!(std::ptr::read(y), 12);
1646/// }
1647/// ```
1648///
1649/// Manually implement [`mem::swap`]:
1650///
1651/// ```
1652/// use std::ptr;
1653///
1654/// fn swap<T>(a: &mut T, b: &mut T) {
1655/// unsafe {
1656/// // Create a bitwise copy of the value at `a` in `tmp`.
1657/// let tmp = ptr::read(a);
1658///
1659/// // Exiting at this point (either by explicitly returning or by
1660/// // calling a function which panics) would cause the value in `tmp` to
1661/// // be dropped while the same value is still referenced by `a`. This
1662/// // could trigger undefined behavior if `T` is not `Copy`.
1663///
1664/// // Create a bitwise copy of the value at `b` in `a`.
1665/// // This is safe because mutable references cannot alias.
1666/// ptr::copy_nonoverlapping(b, a, 1);
1667///
1668/// // As above, exiting here could trigger undefined behavior because
1669/// // the same value is referenced by `a` and `b`.
1670///
1671/// // Move `tmp` into `b`.
1672/// ptr::write(b, tmp);
1673///
1674/// // `tmp` has been moved (`write` takes ownership of its second argument),
1675/// // so nothing is dropped implicitly here.
1676/// }
1677/// }
1678///
1679/// let mut foo = "foo".to_owned();
1680/// let mut bar = "bar".to_owned();
1681///
1682/// swap(&mut foo, &mut bar);
1683///
1684/// assert_eq!(foo, "bar");
1685/// assert_eq!(bar, "foo");
1686/// ```
1687///
1688/// ## Ownership of the Returned Value
1689///
1690/// `read` creates a bitwise copy of `T`, regardless of whether `T` is [`Copy`].
1691/// If `T` is not [`Copy`], using both the returned value and the value at
1692/// `*src` can violate memory safety. Note that assigning to `*src` counts as a
1693/// use because it will attempt to drop the value at `*src`.
1694///
1695/// [`write()`] can be used to overwrite data without causing it to be dropped.
1696///
1697/// ```
1698/// use std::ptr;
1699///
1700/// let mut s = String::from("foo");
1701/// unsafe {
1702/// // `s2` now points to the same underlying memory as `s`.
1703/// let mut s2: String = ptr::read(&s);
1704///
1705/// assert_eq!(s2, "foo");
1706///
1707/// // Assigning to `s2` causes its original value to be dropped. Beyond
1708/// // this point, `s` must no longer be used, as the underlying memory has
1709/// // been freed.
1710/// s2 = String::default();
1711/// assert_eq!(s2, "");
1712///
1713/// // Assigning to `s` would cause the old value to be dropped again,
1714/// // resulting in undefined behavior.
1715/// // s = String::from("bar"); // ERROR
1716///
1717/// // `ptr::write` can be used to overwrite a value without dropping it.
1718/// ptr::write(&mut s, String::from("bar"));
1719/// }
1720///
1721/// assert_eq!(s, "bar");
1722/// ```
1723///
1724/// [valid]: self#safety
1725#[inline]
1726#[stable(feature = "rust1", since = "1.0.0")]
1727#[rustc_const_stable(feature = "const_ptr_read", since = "1.71.0")]
1728#[track_caller]
1729#[rustc_diagnostic_item = "ptr_read"]
1730pub const unsafe fn read<T>(src: *const T) -> T {
1731 // It would be semantically correct to implement this via `copy_nonoverlapping`
1732 // and `MaybeUninit`, as was done before PR #109035. Calling `assume_init`
1733 // provides enough information to know that this is a typed operation.
1734
1735 // However, as of March 2023 the compiler was not capable of taking advantage
1736 // of that information. Thus, the implementation here switched to an intrinsic,
1737 // which lowers to `_0 = *src` in MIR, to address a few issues:
1738 //
1739 // - Using `MaybeUninit::assume_init` after a `copy_nonoverlapping` was not
1740 // turning the untyped copy into a typed load. As such, the generated
1741 // `load` in LLVM didn't get various metadata, such as `!range` (#73258),
1742 // `!nonnull`, and `!noundef`, resulting in poorer optimization.
1743 // - Going through the extra local resulted in multiple extra copies, even
1744 // in optimized MIR. (Ignoring StorageLive/Dead, the intrinsic is one
1745 // MIR statement, while the previous implementation was eight.) LLVM
1746 // could sometimes optimize them away, but because `read` is at the core
1747 // of so many things, not having them in the first place improves what we
1748 // hand off to the backend. For example, `mem::replace::<Big>` previously
1749 // emitted 4 `alloca` and 6 `memcpy`s, but is now 1 `alloc` and 3 `memcpy`s.
1750 // - In general, this approach keeps us from getting any more bugs (like
1751 // #106369) that boil down to "`read(p)` is worse than `*p`", as this
1752 // makes them look identical to the backend (or other MIR consumers).
1753 //
1754 // Future enhancements to MIR optimizations might well allow this to return
1755 // to the previous implementation, rather than using an intrinsic.
1756
1757 // SAFETY: the caller must guarantee that `src` is valid for reads.
1758 unsafe {
1759 #[cfg(debug_assertions)] // Too expensive to always enable (for now?)
1760 ub_checks::assert_unsafe_precondition!(
1761 check_language_ub,
1762 "ptr::read requires that the pointer argument is aligned and non-null",
1763 (
1764 addr: *const () = src as *const (),
1765 align: usize = align_of::<T>(),
1766 is_zst: bool = T::IS_ZST,
1767 ) => ub_checks::maybe_is_aligned_and_not_null(addr, align, is_zst)
1768 );
1769 crate::intrinsics::read_via_copy(src)
1770 }
1771}
1772
1773/// Reads the value from `src` without moving it. This leaves the
1774/// memory in `src` unchanged.
1775///
1776/// Unlike [`read`], `read_unaligned` works with unaligned pointers.
1777///
1778/// # Safety
1779///
1780/// Behavior is undefined if any of the following conditions are violated:
1781///
1782/// * `src` must be [valid] for reads.
1783///
1784/// * `src` must point to a properly initialized value of type `T`.
1785///
1786/// Like [`read`], `read_unaligned` creates a bitwise copy of `T`, regardless of
1787/// whether `T` is [`Copy`]. If `T` is not [`Copy`], using both the returned
1788/// value and the value at `*src` can [violate memory safety][read-ownership].
1789///
1790/// [read-ownership]: read#ownership-of-the-returned-value
1791/// [valid]: self#safety
1792///
1793/// ## On `packed` structs
1794///
1795/// Attempting to create a raw pointer to an `unaligned` struct field with
1796/// an expression such as `&packed.unaligned as *const FieldType` creates an
1797/// intermediate unaligned reference before converting that to a raw pointer.
1798/// That this reference is temporary and immediately cast is inconsequential
1799/// as the compiler always expects references to be properly aligned.
1800/// As a result, using `&packed.unaligned as *const FieldType` causes immediate
1801/// *undefined behavior* in your program.
1802///
1803/// Instead you must use the `&raw const` syntax to create the pointer.
1804/// You may use that constructed pointer together with this function.
1805///
1806/// An example of what not to do and how this relates to `read_unaligned` is:
1807///
1808/// ```
1809/// #[repr(packed, C)]
1810/// struct Packed {
1811/// _padding: u8,
1812/// unaligned: u32,
1813/// }
1814///
1815/// let packed = Packed {
1816/// _padding: 0x00,
1817/// unaligned: 0x01020304,
1818/// };
1819///
1820/// // Take the address of a 32-bit integer which is not aligned.
1821/// // In contrast to `&packed.unaligned as *const _`, this has no undefined behavior.
1822/// let unaligned = &raw const packed.unaligned;
1823///
1824/// let v = unsafe { std::ptr::read_unaligned(unaligned) };
1825/// assert_eq!(v, 0x01020304);
1826/// ```
1827///
1828/// Accessing unaligned fields directly with e.g. `packed.unaligned` is safe however.
1829///
1830/// # Examples
1831///
1832/// Read a `usize` value from a byte buffer:
1833///
1834/// ```
1835/// fn read_usize(x: &[u8]) -> usize {
1836/// assert!(x.len() >= size_of::<usize>());
1837///
1838/// let ptr = x.as_ptr() as *const usize;
1839///
1840/// unsafe { ptr.read_unaligned() }
1841/// }
1842/// ```
1843#[inline]
1844#[stable(feature = "ptr_unaligned", since = "1.17.0")]
1845#[rustc_const_stable(feature = "const_ptr_read", since = "1.71.0")]
1846#[track_caller]
1847#[rustc_diagnostic_item = "ptr_read_unaligned"]
1848#[cfg(not(feature = "ferrocene_certified"))]
1849pub const unsafe fn read_unaligned<T>(src: *const T) -> T {
1850 let mut tmp = MaybeUninit::<T>::uninit();
1851 // SAFETY: the caller must guarantee that `src` is valid for reads.
1852 // `src` cannot overlap `tmp` because `tmp` was just allocated on
1853 // the stack as a separate allocation.
1854 //
1855 // Also, since we just wrote a valid value into `tmp`, it is guaranteed
1856 // to be properly initialized.
1857 unsafe {
1858 copy_nonoverlapping(src as *const u8, tmp.as_mut_ptr() as *mut u8, size_of::<T>());
1859 tmp.assume_init()
1860 }
1861}
1862
1863/// Overwrites a memory location with the given value without reading or
1864/// dropping the old value.
1865///
1866/// `write` does not drop the contents of `dst`. This is safe, but it could leak
1867/// allocations or resources, so care should be taken not to overwrite an object
1868/// that should be dropped.
1869///
1870/// Additionally, it does not drop `src`. Semantically, `src` is moved into the
1871/// location pointed to by `dst`.
1872///
1873/// This is appropriate for initializing uninitialized memory, or overwriting
1874/// memory that has previously been [`read`] from.
1875///
1876/// # Safety
1877///
1878/// Behavior is undefined if any of the following conditions are violated:
1879///
1880/// * `dst` must be [valid] for writes.
1881///
1882/// * `dst` must be properly aligned. Use [`write_unaligned`] if this is not the
1883/// case.
1884///
1885/// Note that even if `T` has size `0`, the pointer must be properly aligned.
1886///
1887/// [valid]: self#safety
1888///
1889/// # Examples
1890///
1891/// Basic usage:
1892///
1893/// ```
1894/// let mut x = 0;
1895/// let y = &mut x as *mut i32;
1896/// let z = 12;
1897///
1898/// unsafe {
1899/// std::ptr::write(y, z);
1900/// assert_eq!(std::ptr::read(y), 12);
1901/// }
1902/// ```
1903///
1904/// Manually implement [`mem::swap`]:
1905///
1906/// ```
1907/// use std::ptr;
1908///
1909/// fn swap<T>(a: &mut T, b: &mut T) {
1910/// unsafe {
1911/// // Create a bitwise copy of the value at `a` in `tmp`.
1912/// let tmp = ptr::read(a);
1913///
1914/// // Exiting at this point (either by explicitly returning or by
1915/// // calling a function which panics) would cause the value in `tmp` to
1916/// // be dropped while the same value is still referenced by `a`. This
1917/// // could trigger undefined behavior if `T` is not `Copy`.
1918///
1919/// // Create a bitwise copy of the value at `b` in `a`.
1920/// // This is safe because mutable references cannot alias.
1921/// ptr::copy_nonoverlapping(b, a, 1);
1922///
1923/// // As above, exiting here could trigger undefined behavior because
1924/// // the same value is referenced by `a` and `b`.
1925///
1926/// // Move `tmp` into `b`.
1927/// ptr::write(b, tmp);
1928///
1929/// // `tmp` has been moved (`write` takes ownership of its second argument),
1930/// // so nothing is dropped implicitly here.
1931/// }
1932/// }
1933///
1934/// let mut foo = "foo".to_owned();
1935/// let mut bar = "bar".to_owned();
1936///
1937/// swap(&mut foo, &mut bar);
1938///
1939/// assert_eq!(foo, "bar");
1940/// assert_eq!(bar, "foo");
1941/// ```
1942#[inline]
1943#[stable(feature = "rust1", since = "1.0.0")]
1944#[rustc_const_stable(feature = "const_ptr_write", since = "1.83.0")]
1945#[rustc_diagnostic_item = "ptr_write"]
1946#[track_caller]
1947pub const unsafe fn write<T>(dst: *mut T, src: T) {
1948 // Semantically, it would be fine for this to be implemented as a
1949 // `copy_nonoverlapping` and appropriate drop suppression of `src`.
1950
1951 // However, implementing via that currently produces more MIR than is ideal.
1952 // Using an intrinsic keeps it down to just the simple `*dst = move src` in
1953 // MIR (11 statements shorter, at the time of writing), and also allows
1954 // `src` to stay an SSA value in codegen_ssa, rather than a memory one.
1955
1956 // SAFETY: the caller must guarantee that `dst` is valid for writes.
1957 // `dst` cannot overlap `src` because the caller has mutable access
1958 // to `dst` while `src` is owned by this function.
1959 unsafe {
1960 #[cfg(debug_assertions)] // Too expensive to always enable (for now?)
1961 ub_checks::assert_unsafe_precondition!(
1962 check_language_ub,
1963 "ptr::write requires that the pointer argument is aligned and non-null",
1964 (
1965 addr: *mut () = dst as *mut (),
1966 align: usize = align_of::<T>(),
1967 is_zst: bool = T::IS_ZST,
1968 ) => ub_checks::maybe_is_aligned_and_not_null(addr, align, is_zst)
1969 );
1970 intrinsics::write_via_move(dst, src)
1971 }
1972}
1973
1974/// Overwrites a memory location with the given value without reading or
1975/// dropping the old value.
1976///
1977/// Unlike [`write()`], the pointer may be unaligned.
1978///
1979/// `write_unaligned` does not drop the contents of `dst`. This is safe, but it
1980/// could leak allocations or resources, so care should be taken not to overwrite
1981/// an object that should be dropped.
1982///
1983/// Additionally, it does not drop `src`. Semantically, `src` is moved into the
1984/// location pointed to by `dst`.
1985///
1986/// This is appropriate for initializing uninitialized memory, or overwriting
1987/// memory that has previously been read with [`read_unaligned`].
1988///
1989/// # Safety
1990///
1991/// Behavior is undefined if any of the following conditions are violated:
1992///
1993/// * `dst` must be [valid] for writes.
1994///
1995/// [valid]: self#safety
1996///
1997/// ## On `packed` structs
1998///
1999/// Attempting to create a raw pointer to an `unaligned` struct field with
2000/// an expression such as `&packed.unaligned as *const FieldType` creates an
2001/// intermediate unaligned reference before converting that to a raw pointer.
2002/// That this reference is temporary and immediately cast is inconsequential
2003/// as the compiler always expects references to be properly aligned.
2004/// As a result, using `&packed.unaligned as *const FieldType` causes immediate
2005/// *undefined behavior* in your program.
2006///
2007/// Instead, you must use the `&raw mut` syntax to create the pointer.
2008/// You may use that constructed pointer together with this function.
2009///
2010/// An example of how to do it and how this relates to `write_unaligned` is:
2011///
2012/// ```
2013/// #[repr(packed, C)]
2014/// struct Packed {
2015/// _padding: u8,
2016/// unaligned: u32,
2017/// }
2018///
2019/// let mut packed: Packed = unsafe { std::mem::zeroed() };
2020///
2021/// // Take the address of a 32-bit integer which is not aligned.
2022/// // In contrast to `&packed.unaligned as *mut _`, this has no undefined behavior.
2023/// let unaligned = &raw mut packed.unaligned;
2024///
2025/// unsafe { std::ptr::write_unaligned(unaligned, 42) };
2026///
2027/// assert_eq!({packed.unaligned}, 42); // `{...}` forces copying the field instead of creating a reference.
2028/// ```
2029///
2030/// Accessing unaligned fields directly with e.g. `packed.unaligned` is safe however
2031/// (as can be seen in the `assert_eq!` above).
2032///
2033/// # Examples
2034///
2035/// Write a `usize` value to a byte buffer:
2036///
2037/// ```
2038/// fn write_usize(x: &mut [u8], val: usize) {
2039/// assert!(x.len() >= size_of::<usize>());
2040///
2041/// let ptr = x.as_mut_ptr() as *mut usize;
2042///
2043/// unsafe { ptr.write_unaligned(val) }
2044/// }
2045/// ```
2046#[inline]
2047#[stable(feature = "ptr_unaligned", since = "1.17.0")]
2048#[rustc_const_stable(feature = "const_ptr_write", since = "1.83.0")]
2049#[rustc_diagnostic_item = "ptr_write_unaligned"]
2050#[track_caller]
2051#[cfg(not(feature = "ferrocene_certified"))]
2052pub const unsafe fn write_unaligned<T>(dst: *mut T, src: T) {
2053 // SAFETY: the caller must guarantee that `dst` is valid for writes.
2054 // `dst` cannot overlap `src` because the caller has mutable access
2055 // to `dst` while `src` is owned by this function.
2056 unsafe {
2057 copy_nonoverlapping((&raw const src) as *const u8, dst as *mut u8, size_of::<T>());
2058 // We are calling the intrinsic directly to avoid function calls in the generated code.
2059 intrinsics::forget(src);
2060 }
2061}
2062
2063/// Performs a volatile read of the value from `src` without moving it. This
2064/// leaves the memory in `src` unchanged.
2065///
2066/// Volatile operations are intended to act on I/O memory, and are guaranteed
2067/// to not be elided or reordered by the compiler across other volatile
2068/// operations.
2069///
2070/// # Notes
2071///
2072/// Rust does not currently have a rigorously and formally defined memory model,
2073/// so the precise semantics of what "volatile" means here is subject to change
2074/// over time. That being said, the semantics will almost always end up pretty
2075/// similar to [C11's definition of volatile][c11].
2076///
2077/// The compiler shouldn't change the relative order or number of volatile
2078/// memory operations. However, volatile memory operations on zero-sized types
2079/// (e.g., if a zero-sized type is passed to `read_volatile`) are noops
2080/// and may be ignored.
2081///
2082/// [c11]: http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1570.pdf
2083///
2084/// # Safety
2085///
2086/// Behavior is undefined if any of the following conditions are violated:
2087///
2088/// * `src` must be [valid] for reads.
2089///
2090/// * `src` must be properly aligned.
2091///
2092/// * `src` must point to a properly initialized value of type `T`.
2093///
2094/// Like [`read`], `read_volatile` creates a bitwise copy of `T`, regardless of
2095/// whether `T` is [`Copy`]. If `T` is not [`Copy`], using both the returned
2096/// value and the value at `*src` can [violate memory safety][read-ownership].
2097/// However, storing non-[`Copy`] types in volatile memory is almost certainly
2098/// incorrect.
2099///
2100/// Note that even if `T` has size `0`, the pointer must be properly aligned.
2101///
2102/// [valid]: self#safety
2103/// [read-ownership]: read#ownership-of-the-returned-value
2104///
2105/// Just like in C, whether an operation is volatile has no bearing whatsoever
2106/// on questions involving concurrent access from multiple threads. Volatile
2107/// accesses behave exactly like non-atomic accesses in that regard. In particular,
2108/// a race between a `read_volatile` and any write operation to the same location
2109/// is undefined behavior.
2110///
2111/// # Examples
2112///
2113/// Basic usage:
2114///
2115/// ```
2116/// let x = 12;
2117/// let y = &x as *const i32;
2118///
2119/// unsafe {
2120/// assert_eq!(std::ptr::read_volatile(y), 12);
2121/// }
2122/// ```
2123#[inline]
2124#[stable(feature = "volatile", since = "1.9.0")]
2125#[track_caller]
2126#[rustc_diagnostic_item = "ptr_read_volatile"]
2127#[cfg(not(feature = "ferrocene_certified"))]
2128pub unsafe fn read_volatile<T>(src: *const T) -> T {
2129 // SAFETY: the caller must uphold the safety contract for `volatile_load`.
2130 unsafe {
2131 ub_checks::assert_unsafe_precondition!(
2132 check_language_ub,
2133 "ptr::read_volatile requires that the pointer argument is aligned and non-null",
2134 (
2135 addr: *const () = src as *const (),
2136 align: usize = align_of::<T>(),
2137 is_zst: bool = T::IS_ZST,
2138 ) => ub_checks::maybe_is_aligned_and_not_null(addr, align, is_zst)
2139 );
2140 intrinsics::volatile_load(src)
2141 }
2142}
2143
2144/// Performs a volatile write of a memory location with the given value without
2145/// reading or dropping the old value.
2146///
2147/// Volatile operations are intended to act on I/O memory, and are guaranteed
2148/// to not be elided or reordered by the compiler across other volatile
2149/// operations.
2150///
2151/// `write_volatile` does not drop the contents of `dst`. This is safe, but it
2152/// could leak allocations or resources, so care should be taken not to overwrite
2153/// an object that should be dropped.
2154///
2155/// Additionally, it does not drop `src`. Semantically, `src` is moved into the
2156/// location pointed to by `dst`.
2157///
2158/// # Notes
2159///
2160/// Rust does not currently have a rigorously and formally defined memory model,
2161/// so the precise semantics of what "volatile" means here is subject to change
2162/// over time. That being said, the semantics will almost always end up pretty
2163/// similar to [C11's definition of volatile][c11].
2164///
2165/// The compiler shouldn't change the relative order or number of volatile
2166/// memory operations. However, volatile memory operations on zero-sized types
2167/// (e.g., if a zero-sized type is passed to `write_volatile`) are noops
2168/// and may be ignored.
2169///
2170/// [c11]: http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1570.pdf
2171///
2172/// # Safety
2173///
2174/// Behavior is undefined if any of the following conditions are violated:
2175///
2176/// * `dst` must be [valid] for writes.
2177///
2178/// * `dst` must be properly aligned.
2179///
2180/// Note that even if `T` has size `0`, the pointer must be properly aligned.
2181///
2182/// [valid]: self#safety
2183///
2184/// Just like in C, whether an operation is volatile has no bearing whatsoever
2185/// on questions involving concurrent access from multiple threads. Volatile
2186/// accesses behave exactly like non-atomic accesses in that regard. In particular,
2187/// a race between a `write_volatile` and any other operation (reading or writing)
2188/// on the same location is undefined behavior.
2189///
2190/// # Examples
2191///
2192/// Basic usage:
2193///
2194/// ```
2195/// let mut x = 0;
2196/// let y = &mut x as *mut i32;
2197/// let z = 12;
2198///
2199/// unsafe {
2200/// std::ptr::write_volatile(y, z);
2201/// assert_eq!(std::ptr::read_volatile(y), 12);
2202/// }
2203/// ```
2204#[inline]
2205#[stable(feature = "volatile", since = "1.9.0")]
2206#[rustc_diagnostic_item = "ptr_write_volatile"]
2207#[track_caller]
2208#[cfg(not(feature = "ferrocene_certified"))]
2209pub unsafe fn write_volatile<T>(dst: *mut T, src: T) {
2210 // SAFETY: the caller must uphold the safety contract for `volatile_store`.
2211 unsafe {
2212 ub_checks::assert_unsafe_precondition!(
2213 check_language_ub,
2214 "ptr::write_volatile requires that the pointer argument is aligned and non-null",
2215 (
2216 addr: *mut () = dst as *mut (),
2217 align: usize = align_of::<T>(),
2218 is_zst: bool = T::IS_ZST,
2219 ) => ub_checks::maybe_is_aligned_and_not_null(addr, align, is_zst)
2220 );
2221 intrinsics::volatile_store(dst, src);
2222 }
2223}
2224
2225/// Align pointer `p`.
2226///
2227/// Calculate offset (in terms of elements of `size_of::<T>()` stride) that has to be applied
2228/// to pointer `p` so that pointer `p` would get aligned to `a`.
2229///
2230/// # Safety
2231/// `a` must be a power of two.
2232///
2233/// # Notes
2234/// This implementation has been carefully tailored to not panic. It is UB for this to panic.
2235/// The only real change that can be made here is change of `INV_TABLE_MOD_16` and associated
2236/// constants.
2237///
2238/// If we ever decide to make it possible to call the intrinsic with `a` that is not a
2239/// power-of-two, it will probably be more prudent to just change to a naive implementation rather
2240/// than trying to adapt this to accommodate that change.
2241///
2242/// Any questions go to @nagisa.
2243#[allow(ptr_to_integer_transmute_in_consts)]
2244#[cfg(not(feature = "ferrocene_certified"))]
2245pub(crate) unsafe fn align_offset<T: Sized>(p: *const T, a: usize) -> usize {
2246 // FIXME(#75598): Direct use of these intrinsics improves codegen significantly at opt-level <=
2247 // 1, where the method versions of these operations are not inlined.
2248 use intrinsics::{
2249 assume, cttz_nonzero, exact_div, mul_with_overflow, unchecked_rem, unchecked_shl,
2250 unchecked_shr, unchecked_sub, wrapping_add, wrapping_mul, wrapping_sub,
2251 };
2252
2253 /// Calculate multiplicative modular inverse of `x` modulo `m`.
2254 ///
2255 /// This implementation is tailored for `align_offset` and has following preconditions:
2256 ///
2257 /// * `m` is a power-of-two;
2258 /// * `x < m`; (if `x ≥ m`, pass in `x % m` instead)
2259 ///
2260 /// Implementation of this function shall not panic. Ever.
2261 #[inline]
2262 const unsafe fn mod_inv(x: usize, m: usize) -> usize {
2263 /// Multiplicative modular inverse table modulo 2⁴ = 16.
2264 ///
2265 /// Note, that this table does not contain values where inverse does not exist (i.e., for
2266 /// `0⁻¹ mod 16`, `2⁻¹ mod 16`, etc.)
2267 const INV_TABLE_MOD_16: [u8; 8] = [1, 11, 13, 7, 9, 3, 5, 15];
2268 /// Modulo for which the `INV_TABLE_MOD_16` is intended.
2269 const INV_TABLE_MOD: usize = 16;
2270
2271 // SAFETY: `m` is required to be a power-of-two, hence non-zero.
2272 let m_minus_one = unsafe { unchecked_sub(m, 1) };
2273 let mut inverse = INV_TABLE_MOD_16[(x & (INV_TABLE_MOD - 1)) >> 1] as usize;
2274 let mut mod_gate = INV_TABLE_MOD;
2275 // We iterate "up" using the following formula:
2276 //
2277 // $$ xy ≡ 1 (mod 2ⁿ) → xy (2 - xy) ≡ 1 (mod 2²ⁿ) $$
2278 //
2279 // This application needs to be applied at least until `2²ⁿ ≥ m`, at which point we can
2280 // finally reduce the computation to our desired `m` by taking `inverse mod m`.
2281 //
2282 // This computation is `O(log log m)`, which is to say, that on 64-bit machines this loop
2283 // will always finish in at most 4 iterations.
2284 loop {
2285 // y = y * (2 - xy) mod n
2286 //
2287 // Note, that we use wrapping operations here intentionally – the original formula
2288 // uses e.g., subtraction `mod n`. It is entirely fine to do them `mod
2289 // usize::MAX` instead, because we take the result `mod n` at the end
2290 // anyway.
2291 if mod_gate >= m {
2292 break;
2293 }
2294 inverse = wrapping_mul(inverse, wrapping_sub(2usize, wrapping_mul(x, inverse)));
2295 let (new_gate, overflow) = mul_with_overflow(mod_gate, mod_gate);
2296 if overflow {
2297 break;
2298 }
2299 mod_gate = new_gate;
2300 }
2301 inverse & m_minus_one
2302 }
2303
2304 let stride = size_of::<T>();
2305
2306 let addr: usize = p.addr();
2307
2308 // SAFETY: `a` is a power-of-two, therefore non-zero.
2309 let a_minus_one = unsafe { unchecked_sub(a, 1) };
2310
2311 if stride == 0 {
2312 // SPECIAL_CASE: handle 0-sized types. No matter how many times we step, the address will
2313 // stay the same, so no offset will be able to align the pointer unless it is already
2314 // aligned. This branch _will_ be optimized out as `stride` is known at compile-time.
2315 let p_mod_a = addr & a_minus_one;
2316 return if p_mod_a == 0 { 0 } else { usize::MAX };
2317 }
2318
2319 // SAFETY: `stride == 0` case has been handled by the special case above.
2320 let a_mod_stride = unsafe { unchecked_rem(a, stride) };
2321 if a_mod_stride == 0 {
2322 // SPECIAL_CASE: In cases where the `a` is divisible by `stride`, byte offset to align a
2323 // pointer can be computed more simply through `-p (mod a)`. In the off-chance the byte
2324 // offset is not a multiple of `stride`, the input pointer was misaligned and no pointer
2325 // offset will be able to produce a `p` aligned to the specified `a`.
2326 //
2327 // The naive `-p (mod a)` equation inhibits LLVM's ability to select instructions
2328 // like `lea`. We compute `(round_up_to_next_alignment(p, a) - p)` instead. This
2329 // redistributes operations around the load-bearing, but pessimizing `and` instruction
2330 // sufficiently for LLVM to be able to utilize the various optimizations it knows about.
2331 //
2332 // LLVM handles the branch here particularly nicely. If this branch needs to be evaluated
2333 // at runtime, it will produce a mask `if addr_mod_stride == 0 { 0 } else { usize::MAX }`
2334 // in a branch-free way and then bitwise-OR it with whatever result the `-p mod a`
2335 // computation produces.
2336
2337 let aligned_address = wrapping_add(addr, a_minus_one) & wrapping_sub(0, a);
2338 let byte_offset = wrapping_sub(aligned_address, addr);
2339 // FIXME: Remove the assume after <https://github.com/llvm/llvm-project/issues/62502>
2340 // SAFETY: Masking by `-a` can only affect the low bits, and thus cannot have reduced
2341 // the value by more than `a-1`, so even though the intermediate values might have
2342 // wrapped, the byte_offset is always in `[0, a)`.
2343 unsafe { assume(byte_offset < a) };
2344
2345 // SAFETY: `stride == 0` case has been handled by the special case above.
2346 let addr_mod_stride = unsafe { unchecked_rem(addr, stride) };
2347
2348 return if addr_mod_stride == 0 {
2349 // SAFETY: `stride` is non-zero. This is guaranteed to divide exactly as well, because
2350 // addr has been verified to be aligned to the original type’s alignment requirements.
2351 unsafe { exact_div(byte_offset, stride) }
2352 } else {
2353 usize::MAX
2354 };
2355 }
2356
2357 // GENERAL_CASE: From here on we’re handling the very general case where `addr` may be
2358 // misaligned, there isn’t an obvious relationship between `stride` and `a` that we can take an
2359 // advantage of, etc. This case produces machine code that isn’t particularly high quality,
2360 // compared to the special cases above. The code produced here is still within the realm of
2361 // miracles, given the situations this case has to deal with.
2362
2363 // SAFETY: a is power-of-two hence non-zero. stride == 0 case is handled above.
2364 // FIXME(const-hack) replace with min
2365 let gcdpow = unsafe {
2366 let x = cttz_nonzero(stride);
2367 let y = cttz_nonzero(a);
2368 if x < y { x } else { y }
2369 };
2370 // SAFETY: gcdpow has an upper-bound that’s at most the number of bits in a `usize`.
2371 let gcd = unsafe { unchecked_shl(1usize, gcdpow) };
2372 // SAFETY: gcd is always greater or equal to 1.
2373 if addr & unsafe { unchecked_sub(gcd, 1) } == 0 {
2374 // This branch solves for the following linear congruence equation:
2375 //
2376 // ` p + so = 0 mod a `
2377 //
2378 // `p` here is the pointer value, `s` - stride of `T`, `o` offset in `T`s, and `a` - the
2379 // requested alignment.
2380 //
2381 // With `g = gcd(a, s)`, and the above condition asserting that `p` is also divisible by
2382 // `g`, we can denote `a' = a/g`, `s' = s/g`, `p' = p/g`, then this becomes equivalent to:
2383 //
2384 // ` p' + s'o = 0 mod a' `
2385 // ` o = (a' - (p' mod a')) * (s'^-1 mod a') `
2386 //
2387 // The first term is "the relative alignment of `p` to `a`" (divided by the `g`), the
2388 // second term is "how does incrementing `p` by `s` bytes change the relative alignment of
2389 // `p`" (again divided by `g`). Division by `g` is necessary to make the inverse well
2390 // formed if `a` and `s` are not co-prime.
2391 //
2392 // Furthermore, the result produced by this solution is not "minimal", so it is necessary
2393 // to take the result `o mod lcm(s, a)`. This `lcm(s, a)` is the same as `a'`.
2394
2395 // SAFETY: `gcdpow` has an upper-bound not greater than the number of trailing 0-bits in
2396 // `a`.
2397 let a2 = unsafe { unchecked_shr(a, gcdpow) };
2398 // SAFETY: `a2` is non-zero. Shifting `a` by `gcdpow` cannot shift out any of the set bits
2399 // in `a` (of which it has exactly one).
2400 let a2minus1 = unsafe { unchecked_sub(a2, 1) };
2401 // SAFETY: `gcdpow` has an upper-bound not greater than the number of trailing 0-bits in
2402 // `a`.
2403 let s2 = unsafe { unchecked_shr(stride & a_minus_one, gcdpow) };
2404 // SAFETY: `gcdpow` has an upper-bound not greater than the number of trailing 0-bits in
2405 // `a`. Furthermore, the subtraction cannot overflow, because `a2 = a >> gcdpow` will
2406 // always be strictly greater than `(p % a) >> gcdpow`.
2407 let minusp2 = unsafe { unchecked_sub(a2, unchecked_shr(addr & a_minus_one, gcdpow)) };
2408 // SAFETY: `a2` is a power-of-two, as proven above. `s2` is strictly less than `a2`
2409 // because `(s % a) >> gcdpow` is strictly less than `a >> gcdpow`.
2410 return wrapping_mul(minusp2, unsafe { mod_inv(s2, a2) }) & a2minus1;
2411 }
2412
2413 // Cannot be aligned at all.
2414 usize::MAX
2415}
2416
2417/// Compares raw pointers for equality.
2418///
2419/// This is the same as using the `==` operator, but less generic:
2420/// the arguments have to be `*const T` raw pointers,
2421/// not anything that implements `PartialEq`.
2422///
2423/// This can be used to compare `&T` references (which coerce to `*const T` implicitly)
2424/// by their address rather than comparing the values they point to
2425/// (which is what the `PartialEq for &T` implementation does).
2426///
2427/// When comparing wide pointers, both the address and the metadata are tested for equality.
2428/// However, note that comparing trait object pointers (`*const dyn Trait`) is unreliable: pointers
2429/// to values of the same underlying type can compare inequal (because vtables are duplicated in
2430/// multiple codegen units), and pointers to values of *different* underlying type can compare equal
2431/// (since identical vtables can be deduplicated within a codegen unit).
2432///
2433/// # Examples
2434///
2435/// ```
2436/// use std::ptr;
2437///
2438/// let five = 5;
2439/// let other_five = 5;
2440/// let five_ref = &five;
2441/// let same_five_ref = &five;
2442/// let other_five_ref = &other_five;
2443///
2444/// assert!(five_ref == same_five_ref);
2445/// assert!(ptr::eq(five_ref, same_five_ref));
2446///
2447/// assert!(five_ref == other_five_ref);
2448/// assert!(!ptr::eq(five_ref, other_five_ref));
2449/// ```
2450///
2451/// Slices are also compared by their length (fat pointers):
2452///
2453/// ```
2454/// let a = [1, 2, 3];
2455/// assert!(std::ptr::eq(&a[..3], &a[..3]));
2456/// assert!(!std::ptr::eq(&a[..2], &a[..3]));
2457/// assert!(!std::ptr::eq(&a[0..2], &a[1..3]));
2458/// ```
2459#[stable(feature = "ptr_eq", since = "1.17.0")]
2460#[inline(always)]
2461#[must_use = "pointer comparison produces a value"]
2462#[rustc_diagnostic_item = "ptr_eq"]
2463#[allow(ambiguous_wide_pointer_comparisons)] // it's actually clear here
2464#[cfg(not(feature = "ferrocene_certified"))]
2465pub fn eq<T: PointeeSized>(a: *const T, b: *const T) -> bool {
2466 a == b
2467}
2468
2469/// Compares the *addresses* of the two pointers for equality,
2470/// ignoring any metadata in fat pointers.
2471///
2472/// If the arguments are thin pointers of the same type,
2473/// then this is the same as [`eq`].
2474///
2475/// # Examples
2476///
2477/// ```
2478/// use std::ptr;
2479///
2480/// let whole: &[i32; 3] = &[1, 2, 3];
2481/// let first: &i32 = &whole[0];
2482///
2483/// assert!(ptr::addr_eq(whole, first));
2484/// assert!(!ptr::eq::<dyn std::fmt::Debug>(whole, first));
2485/// ```
2486#[stable(feature = "ptr_addr_eq", since = "1.76.0")]
2487#[inline(always)]
2488#[must_use = "pointer comparison produces a value"]
2489#[cfg(not(feature = "ferrocene_certified"))]
2490pub fn addr_eq<T: PointeeSized, U: PointeeSized>(p: *const T, q: *const U) -> bool {
2491 (p as *const ()) == (q as *const ())
2492}
2493
2494/// Compares the *addresses* of the two function pointers for equality.
2495///
2496/// This is the same as `f == g`, but using this function makes clear that the potentially
2497/// surprising semantics of function pointer comparison are involved.
2498///
2499/// There are **very few guarantees** about how functions are compiled and they have no intrinsic
2500/// “identity”; in particular, this comparison:
2501///
2502/// * May return `true` unexpectedly, in cases where functions are equivalent.
2503///
2504/// For example, the following program is likely (but not guaranteed) to print `(true, true)`
2505/// when compiled with optimization:
2506///
2507/// ```
2508/// let f: fn(i32) -> i32 = |x| x;
2509/// let g: fn(i32) -> i32 = |x| x + 0; // different closure, different body
2510/// let h: fn(u32) -> u32 = |x| x + 0; // different signature too
2511/// dbg!(std::ptr::fn_addr_eq(f, g), std::ptr::fn_addr_eq(f, h)); // not guaranteed to be equal
2512/// ```
2513///
2514/// * May return `false` in any case.
2515///
2516/// This is particularly likely with generic functions but may happen with any function.
2517/// (From an implementation perspective, this is possible because functions may sometimes be
2518/// processed more than once by the compiler, resulting in duplicate machine code.)
2519///
2520/// Despite these false positives and false negatives, this comparison can still be useful.
2521/// Specifically, if
2522///
2523/// * `T` is the same type as `U`, `T` is a [subtype] of `U`, or `U` is a [subtype] of `T`, and
2524/// * `ptr::fn_addr_eq(f, g)` returns true,
2525///
2526/// then calling `f` and calling `g` will be equivalent.
2527///
2528///
2529/// # Examples
2530///
2531/// ```
2532/// use std::ptr;
2533///
2534/// fn a() { println!("a"); }
2535/// fn b() { println!("b"); }
2536/// assert!(!ptr::fn_addr_eq(a as fn(), b as fn()));
2537/// ```
2538///
2539/// [subtype]: https://doc.rust-lang.org/reference/subtyping.html
2540#[stable(feature = "ptr_fn_addr_eq", since = "1.85.0")]
2541#[inline(always)]
2542#[must_use = "function pointer comparison produces a value"]
2543#[cfg(not(feature = "ferrocene_certified"))]
2544pub fn fn_addr_eq<T: FnPtr, U: FnPtr>(f: T, g: U) -> bool {
2545 f.addr() == g.addr()
2546}
2547
2548/// Hash a raw pointer.
2549///
2550/// This can be used to hash a `&T` reference (which coerces to `*const T` implicitly)
2551/// by its address rather than the value it points to
2552/// (which is what the `Hash for &T` implementation does).
2553///
2554/// # Examples
2555///
2556/// ```
2557/// use std::hash::{DefaultHasher, Hash, Hasher};
2558/// use std::ptr;
2559///
2560/// let five = 5;
2561/// let five_ref = &five;
2562///
2563/// let mut hasher = DefaultHasher::new();
2564/// ptr::hash(five_ref, &mut hasher);
2565/// let actual = hasher.finish();
2566///
2567/// let mut hasher = DefaultHasher::new();
2568/// (five_ref as *const i32).hash(&mut hasher);
2569/// let expected = hasher.finish();
2570///
2571/// assert_eq!(actual, expected);
2572/// ```
2573#[stable(feature = "ptr_hash", since = "1.35.0")]
2574#[cfg(not(feature = "ferrocene_certified"))]
2575pub fn hash<T: PointeeSized, S: hash::Hasher>(hashee: *const T, into: &mut S) {
2576 use crate::hash::Hash;
2577 hashee.hash(into);
2578}
2579
2580#[stable(feature = "fnptr_impls", since = "1.4.0")]
2581#[cfg(not(feature = "ferrocene_certified"))]
2582impl<F: FnPtr> PartialEq for F {
2583 #[inline]
2584 fn eq(&self, other: &Self) -> bool {
2585 self.addr() == other.addr()
2586 }
2587}
2588#[stable(feature = "fnptr_impls", since = "1.4.0")]
2589#[cfg(not(feature = "ferrocene_certified"))]
2590impl<F: FnPtr> Eq for F {}
2591
2592#[stable(feature = "fnptr_impls", since = "1.4.0")]
2593#[cfg(not(feature = "ferrocene_certified"))]
2594impl<F: FnPtr> PartialOrd for F {
2595 #[inline]
2596 fn partial_cmp(&self, other: &Self) -> Option<Ordering> {
2597 self.addr().partial_cmp(&other.addr())
2598 }
2599}
2600#[stable(feature = "fnptr_impls", since = "1.4.0")]
2601#[cfg(not(feature = "ferrocene_certified"))]
2602impl<F: FnPtr> Ord for F {
2603 #[inline]
2604 fn cmp(&self, other: &Self) -> Ordering {
2605 self.addr().cmp(&other.addr())
2606 }
2607}
2608
2609#[stable(feature = "fnptr_impls", since = "1.4.0")]
2610#[cfg(not(feature = "ferrocene_certified"))]
2611impl<F: FnPtr> hash::Hash for F {
2612 fn hash<HH: hash::Hasher>(&self, state: &mut HH) {
2613 state.write_usize(self.addr() as _)
2614 }
2615}
2616
2617#[stable(feature = "fnptr_impls", since = "1.4.0")]
2618#[cfg(not(feature = "ferrocene_certified"))]
2619impl<F: FnPtr> fmt::Pointer for F {
2620 fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
2621 fmt::pointer_fmt_inner(self.addr() as _, f)
2622 }
2623}
2624
2625#[stable(feature = "fnptr_impls", since = "1.4.0")]
2626#[cfg(not(feature = "ferrocene_certified"))]
2627impl<F: FnPtr> fmt::Debug for F {
2628 fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
2629 fmt::pointer_fmt_inner(self.addr() as _, f)
2630 }
2631}
2632
2633/// Creates a `const` raw pointer to a place, without creating an intermediate reference.
2634///
2635/// `addr_of!(expr)` is equivalent to `&raw const expr`. The macro is *soft-deprecated*;
2636/// use `&raw const` instead.
2637///
2638/// It is still an open question under which conditions writing through an `addr_of!`-created
2639/// pointer is permitted. If the place `expr` evaluates to is based on a raw pointer, then the
2640/// result of `addr_of!` inherits all permissions from that raw pointer. However, if the place is
2641/// based on a reference, local variable, or `static`, then until all details are decided, the same
2642/// rules as for shared references apply: it is UB to write through a pointer created with this
2643/// operation, except for bytes located inside an `UnsafeCell`. Use `&raw mut` (or [`addr_of_mut`])
2644/// to create a raw pointer that definitely permits mutation.
2645///
2646/// Creating a reference with `&`/`&mut` is only allowed if the pointer is properly aligned
2647/// and points to initialized data. For cases where those requirements do not hold,
2648/// raw pointers should be used instead. However, `&expr as *const _` creates a reference
2649/// before casting it to a raw pointer, and that reference is subject to the same rules
2650/// as all other references. This macro can create a raw pointer *without* creating
2651/// a reference first.
2652///
2653/// See [`addr_of_mut`] for how to create a pointer to uninitialized data.
2654/// Doing that with `addr_of` would not make much sense since one could only
2655/// read the data, and that would be Undefined Behavior.
2656///
2657/// # Safety
2658///
2659/// The `expr` in `addr_of!(expr)` is evaluated as a place expression, but never loads from the
2660/// place or requires the place to be dereferenceable. This means that `addr_of!((*ptr).field)`
2661/// still requires the projection to `field` to be in-bounds, using the same rules as [`offset`].
2662/// However, `addr_of!(*ptr)` is defined behavior even if `ptr` is null, dangling, or misaligned.
2663///
2664/// Note that `Deref`/`Index` coercions (and their mutable counterparts) are applied inside
2665/// `addr_of!` like everywhere else, in which case a reference is created to call `Deref::deref` or
2666/// `Index::index`, respectively. The statements above only apply when no such coercions are
2667/// applied.
2668///
2669/// [`offset`]: pointer::offset
2670///
2671/// # Example
2672///
2673/// **Correct usage: Creating a pointer to unaligned data**
2674///
2675/// ```
2676/// use std::ptr;
2677///
2678/// #[repr(packed)]
2679/// struct Packed {
2680/// f1: u8,
2681/// f2: u16,
2682/// }
2683///
2684/// let packed = Packed { f1: 1, f2: 2 };
2685/// // `&packed.f2` would create an unaligned reference, and thus be Undefined Behavior!
2686/// let raw_f2 = ptr::addr_of!(packed.f2);
2687/// assert_eq!(unsafe { raw_f2.read_unaligned() }, 2);
2688/// ```
2689///
2690/// **Incorrect usage: Out-of-bounds fields projection**
2691///
2692/// ```rust,no_run
2693/// use std::ptr;
2694///
2695/// #[repr(C)]
2696/// struct MyStruct {
2697/// field1: i32,
2698/// field2: i32,
2699/// }
2700///
2701/// let ptr: *const MyStruct = ptr::null();
2702/// let fieldptr = unsafe { ptr::addr_of!((*ptr).field2) }; // Undefined Behavior ⚠️
2703/// ```
2704///
2705/// The field projection `.field2` would offset the pointer by 4 bytes,
2706/// but the pointer is not in-bounds of an allocation for 4 bytes,
2707/// so this offset is Undefined Behavior.
2708/// See the [`offset`] docs for a full list of requirements for inbounds pointer arithmetic; the
2709/// same requirements apply to field projections, even inside `addr_of!`. (In particular, it makes
2710/// no difference whether the pointer is null or dangling.)
2711#[stable(feature = "raw_ref_macros", since = "1.51.0")]
2712#[rustc_macro_transparency = "semitransparent"]
2713#[cfg(not(feature = "ferrocene_certified"))]
2714pub macro addr_of($place:expr) {
2715 &raw const $place
2716}
2717
2718/// Creates a `mut` raw pointer to a place, without creating an intermediate reference.
2719///
2720/// `addr_of_mut!(expr)` is equivalent to `&raw mut expr`. The macro is *soft-deprecated*;
2721/// use `&raw mut` instead.
2722///
2723/// Creating a reference with `&`/`&mut` is only allowed if the pointer is properly aligned
2724/// and points to initialized data. For cases where those requirements do not hold,
2725/// raw pointers should be used instead. However, `&mut expr as *mut _` creates a reference
2726/// before casting it to a raw pointer, and that reference is subject to the same rules
2727/// as all other references. This macro can create a raw pointer *without* creating
2728/// a reference first.
2729///
2730/// # Safety
2731///
2732/// The `expr` in `addr_of_mut!(expr)` is evaluated as a place expression, but never loads from the
2733/// place or requires the place to be dereferenceable. This means that `addr_of_mut!((*ptr).field)`
2734/// still requires the projection to `field` to be in-bounds, using the same rules as [`offset`].
2735/// However, `addr_of_mut!(*ptr)` is defined behavior even if `ptr` is null, dangling, or misaligned.
2736///
2737/// Note that `Deref`/`Index` coercions (and their mutable counterparts) are applied inside
2738/// `addr_of_mut!` like everywhere else, in which case a reference is created to call `Deref::deref`
2739/// or `Index::index`, respectively. The statements above only apply when no such coercions are
2740/// applied.
2741///
2742/// [`offset`]: pointer::offset
2743///
2744/// # Examples
2745///
2746/// **Correct usage: Creating a pointer to unaligned data**
2747///
2748/// ```
2749/// use std::ptr;
2750///
2751/// #[repr(packed)]
2752/// struct Packed {
2753/// f1: u8,
2754/// f2: u16,
2755/// }
2756///
2757/// let mut packed = Packed { f1: 1, f2: 2 };
2758/// // `&mut packed.f2` would create an unaligned reference, and thus be Undefined Behavior!
2759/// let raw_f2 = ptr::addr_of_mut!(packed.f2);
2760/// unsafe { raw_f2.write_unaligned(42); }
2761/// assert_eq!({packed.f2}, 42); // `{...}` forces copying the field instead of creating a reference.
2762/// ```
2763///
2764/// **Correct usage: Creating a pointer to uninitialized data**
2765///
2766/// ```rust
2767/// use std::{ptr, mem::MaybeUninit};
2768///
2769/// struct Demo {
2770/// field: bool,
2771/// }
2772///
2773/// let mut uninit = MaybeUninit::<Demo>::uninit();
2774/// // `&uninit.as_mut().field` would create a reference to an uninitialized `bool`,
2775/// // and thus be Undefined Behavior!
2776/// let f1_ptr = unsafe { ptr::addr_of_mut!((*uninit.as_mut_ptr()).field) };
2777/// unsafe { f1_ptr.write(true); }
2778/// let init = unsafe { uninit.assume_init() };
2779/// ```
2780///
2781/// **Incorrect usage: Out-of-bounds fields projection**
2782///
2783/// ```rust,no_run
2784/// use std::ptr;
2785///
2786/// #[repr(C)]
2787/// struct MyStruct {
2788/// field1: i32,
2789/// field2: i32,
2790/// }
2791///
2792/// let ptr: *mut MyStruct = ptr::null_mut();
2793/// let fieldptr = unsafe { ptr::addr_of_mut!((*ptr).field2) }; // Undefined Behavior ⚠️
2794/// ```
2795///
2796/// The field projection `.field2` would offset the pointer by 4 bytes,
2797/// but the pointer is not in-bounds of an allocation for 4 bytes,
2798/// so this offset is Undefined Behavior.
2799/// See the [`offset`] docs for a full list of requirements for inbounds pointer arithmetic; the
2800/// same requirements apply to field projections, even inside `addr_of_mut!`. (In particular, it
2801/// makes no difference whether the pointer is null or dangling.)
2802#[stable(feature = "raw_ref_macros", since = "1.51.0")]
2803#[rustc_macro_transparency = "semitransparent"]
2804#[cfg(not(feature = "ferrocene_certified"))]
2805pub macro addr_of_mut($place:expr) {
2806 &raw mut $place
2807}