core/ptr/
mod.rs

1//! Manually manage memory through raw pointers.
2//!
3//! *[See also the pointer primitive types](pointer).*
4//!
5//! # Safety
6//!
7//! Many functions in this module take raw pointers as arguments and read from or write to them. For
8//! this to be safe, these pointers must be *valid* for the given access. Whether a pointer is valid
9//! depends on the operation it is used for (read or write), and the extent of the memory that is
10//! accessed (i.e., how many bytes are read/written) -- it makes no sense to ask "is this pointer
11//! valid"; one has to ask "is this pointer valid for a given access". Most functions use `*mut T`
12//! and `*const T` to access only a single value, in which case the documentation omits the size and
13//! implicitly assumes it to be `size_of::<T>()` bytes.
14//!
15//! The precise rules for validity are not determined yet. The guarantees that are
16//! provided at this point are very minimal:
17//!
18//! * For memory accesses of [size zero][zst], *every* pointer is valid, including the [null]
19//!   pointer. The following points are only concerned with non-zero-sized accesses.
20//! * A [null] pointer is *never* valid.
21//! * For a pointer to be valid, it is necessary, but not always sufficient, that the pointer be
22//!   *dereferenceable*. The [provenance] of the pointer is used to determine which [allocation]
23//!   it is derived from; a pointer is dereferenceable if the memory range of the given size
24//!   starting at the pointer is entirely contained within the bounds of that allocation. Note
25//!   that in Rust, every (stack-allocated) variable is considered a separate allocation.
26//! * All accesses performed by functions in this module are *non-atomic* in the sense
27//!   of [atomic operations] used to synchronize between threads. This means it is
28//!   undefined behavior to perform two concurrent accesses to the same location from different
29//!   threads unless both accesses only read from memory. Notice that this explicitly
30//!   includes [`read_volatile`] and [`write_volatile`]: Volatile accesses cannot
31//!   be used for inter-thread synchronization, regardless of whether they are acting on
32//!   Rust memory or not.
33//! * The result of casting a reference to a pointer is valid for as long as the
34//!   underlying allocation is live and no reference (just raw pointers) is used to
35//!   access the same memory. That is, reference and pointer accesses cannot be
36//!   interleaved.
37//!
38//! These axioms, along with careful use of [`offset`] for pointer arithmetic,
39//! are enough to correctly implement many useful things in unsafe code. Stronger guarantees
40//! will be provided eventually, as the [aliasing] rules are being determined. For more
41//! information, see the [book] as well as the section in the reference devoted
42//! to [undefined behavior][ub].
43//!
44//! We say that a pointer is "dangling" if it is not valid for any non-zero-sized accesses. This
45//! means out-of-bounds pointers, pointers to freed memory, null pointers, and pointers created with
46//! [`NonNull::dangling`] are all dangling.
47//!
48//! ## Alignment
49//!
50//! Valid raw pointers as defined above are not necessarily properly aligned (where
51//! "proper" alignment is defined by the pointee type, i.e., `*const T` must be
52//! aligned to `align_of::<T>()`). However, most functions require their
53//! arguments to be properly aligned, and will explicitly state
54//! this requirement in their documentation. Notable exceptions to this are
55//! [`read_unaligned`] and [`write_unaligned`].
56//!
57//! When a function requires proper alignment, it does so even if the access
58//! has size 0, i.e., even if memory is not actually touched. Consider using
59//! [`NonNull::dangling`] in such cases.
60//!
61//! ## Pointer to reference conversion
62//!
63//! When converting a pointer to a reference (e.g. via `&*ptr` or `&mut *ptr`),
64//! there are several rules that must be followed:
65//!
66//! * The pointer must be properly aligned.
67//!
68//! * It must be non-null.
69//!
70//! * It must be "dereferenceable" in the sense defined above.
71//!
72//! * The pointer must point to a [valid value] of type `T`.
73//!
74//! * You must enforce Rust's aliasing rules. The exact aliasing rules are not decided yet, so we
75//!   only give a rough overview here. The rules also depend on whether a mutable or a shared
76//!   reference is being created.
77//!   * When creating a mutable reference, then while this reference exists, the memory it points to
78//!     must not get accessed (read or written) through any other pointer or reference not derived
79//!     from this reference.
80//!   * When creating a shared reference, then while this reference exists, the memory it points to
81//!     must not get mutated (except inside `UnsafeCell`).
82//!
83//! If a pointer follows all of these rules, it is said to be
84//! *convertible to a (mutable or shared) reference*.
85// ^ we use this term instead of saying that the produced reference must
86// be valid, as the validity of a reference is easily confused for the
87// validity of the thing it refers to, and while the two concepts are
88// closely related, they are not identical.
89//!
90//! These rules apply even if the result is unused!
91//! (The part about being initialized is not yet fully decided, but until
92//! it is, the only safe approach is to ensure that they are indeed initialized.)
93//!
94//! An example of the implications of the above rules is that an expression such
95//! as `unsafe { &*(0 as *const u8) }` is Immediate Undefined Behavior.
96//!
97//! [valid value]: ../../reference/behavior-considered-undefined.html#invalid-values
98//!
99//! ## Allocation
100//!
101//! <a id="allocated-object"></a> <!-- keep old URLs working -->
102//!
103//! An *allocation* is a subset of program memory which is addressable
104//! from Rust, and within which pointer arithmetic is possible. Examples of
105//! allocations include heap allocations, stack-allocated variables,
106//! statics, and consts. The safety preconditions of some Rust operations -
107//! such as `offset` and field projections (`expr.field`) - are defined in
108//! terms of the allocations on which they operate.
109//!
110//! An allocation has a base address, a size, and a set of memory
111//! addresses. It is possible for an allocation to have zero size, but
112//! such an allocation will still have a base address. The base address
113//! of an allocation is not necessarily unique. While it is currently the
114//! case that an allocation always has a set of memory addresses which is
115//! fully contiguous (i.e., has no "holes"), there is no guarantee that this
116//! will not change in the future.
117//!
118//! Allocations must behave like "normal" memory: in particular, reads must not have
119//! side-effects, and writes must become visible to other threads using the usual synchronization
120//! primitives.
121//!
122//! For any allocation with `base` address, `size`, and a set of
123//! `addresses`, the following are guaranteed:
124//! - For all addresses `a` in `addresses`, `a` is in the range `base .. (base +
125//!   size)` (note that this requires `a < base + size`, not `a <= base + size`)
126//! - `base` is not equal to [`null()`] (i.e., the address with the numerical
127//!   value 0)
128//! - `base + size <= usize::MAX`
129//! - `size <= isize::MAX`
130//!
131//! As a consequence of these guarantees, given any address `a` within the set
132//! of addresses of an allocation:
133//! - It is guaranteed that `a - base` does not overflow `isize`
134//! - It is guaranteed that `a - base` is non-negative
135//! - It is guaranteed that, given `o = a - base` (i.e., the offset of `a` within
136//!   the allocation), `base + o` will not wrap around the address space (in
137//!   other words, will not overflow `usize`)
138//!
139//! [`null()`]: null
140//!
141//! # Provenance
142//!
143//! Pointers are not *simply* an "integer" or "address". For instance, it's uncontroversial
144//! to say that a Use After Free is clearly Undefined Behavior, even if you "get lucky"
145//! and the freed memory gets reallocated before your read/write (in fact this is the
146//! worst-case scenario, UAFs would be much less concerning if this didn't happen!).
147//! As another example, consider that [`wrapping_offset`] is documented to "remember"
148//! the allocation that the original pointer points to, even if it is offset far
149//! outside the memory range occupied by that allocation.
150//! To rationalize claims like this, pointers need to somehow be *more* than just their addresses:
151//! they must have **provenance**.
152//!
153//! A pointer value in Rust semantically contains the following information:
154//!
155//! * The **address** it points to, which can be represented by a `usize`.
156//! * The **provenance** it has, defining the memory it has permission to access. Provenance can be
157//!   absent, in which case the pointer does not have permission to access any memory.
158//!
159//! The exact structure of provenance is not yet specified, but the permission defined by a
160//! pointer's provenance have a *spatial* component, a *temporal* component, and a *mutability*
161//! component:
162//!
163//! * Spatial: The set of memory addresses that the pointer is allowed to access.
164//! * Temporal: The timespan during which the pointer is allowed to access those memory addresses.
165//! * Mutability: Whether the pointer may only access the memory for reads, or also access it for
166//!   writes. Note that this can interact with the other components, e.g. a pointer might permit
167//!   mutation only for a subset of addresses, or only for a subset of its maximal timespan.
168//!
169//! When an [allocation] is created, it has a unique Original Pointer. For alloc
170//! APIs this is literally the pointer the call returns, and for local variables and statics,
171//! this is the name of the variable/static. (This is mildly overloading the term "pointer"
172//! for the sake of brevity/exposition.)
173//!
174//! The Original Pointer for an allocation has provenance that constrains the *spatial*
175//! permissions of this pointer to the memory range of the allocation, and the *temporal*
176//! permissions to the lifetime of the allocation. Provenance is implicitly inherited by all
177//! pointers transitively derived from the Original Pointer through operations like [`offset`],
178//! borrowing, and pointer casts. Some operations may *shrink* the permissions of the derived
179//! provenance, limiting how much memory it can access or how long it's valid for (i.e. borrowing a
180//! subfield and subslicing can shrink the spatial component of provenance, and all borrowing can
181//! shrink the temporal component of provenance). However, no operation can ever *grow* the
182//! permissions of the derived provenance: even if you "know" there is a larger allocation, you
183//! can't derive a pointer with a larger provenance. Similarly, you cannot "recombine" two
184//! contiguous provenances back into one (i.e. with a `fn merge(&[T], &[T]) -> &[T]`).
185//!
186//! A reference to a place always has provenance over at least the memory that place occupies.
187//! A reference to a slice always has provenance over at least the range that slice describes.
188//! Whether and when exactly the provenance of a reference gets "shrunk" to *exactly* fit
189//! the memory it points to is not yet determined.
190//!
191//! A *shared* reference only ever has provenance that permits reading from memory,
192//! and never permits writes, except inside [`UnsafeCell`].
193//!
194//! Provenance can affect whether a program has undefined behavior:
195//!
196//! * It is undefined behavior to access memory through a pointer that does not have provenance over
197//!   that memory. Note that a pointer "at the end" of its provenance is not actually outside its
198//!   provenance, it just has 0 bytes it can load/store. Zero-sized accesses do not require any
199//!   provenance since they access an empty range of memory.
200//!
201//! * It is undefined behavior to [`offset`] a pointer across a memory range that is not contained
202//!   in the allocation it is derived from, or to [`offset_from`] two pointers not derived
203//!   from the same allocation. Provenance is used to say what exactly "derived from" even
204//!   means: the lineage of a pointer is traced back to the Original Pointer it descends from, and
205//!   that identifies the relevant allocation. In particular, it's always UB to offset a
206//!   pointer derived from something that is now deallocated, except if the offset is 0.
207//!
208//! But it *is* still sound to:
209//!
210//! * Create a pointer without provenance from just an address (see [`without_provenance`]). Such a
211//!   pointer cannot be used for memory accesses (except for zero-sized accesses). This can still be
212//!   useful for sentinel values like `null` *or* to represent a tagged pointer that will never be
213//!   dereferenceable. In general, it is always sound for an integer to pretend to be a pointer "for
214//!   fun" as long as you don't use operations on it which require it to be valid (non-zero-sized
215//!   offset, read, write, etc).
216//!
217//! * Forge an allocation of size zero at any sufficiently aligned non-null address.
218//!   i.e. the usual "ZSTs are fake, do what you want" rules apply.
219//!
220//! * [`wrapping_offset`] a pointer outside its provenance. This includes pointers
221//!   which have "no" provenance. In particular, this makes it sound to do pointer tagging tricks.
222//!
223//! * Compare arbitrary pointers by address. Pointer comparison ignores provenance and addresses
224//!   *are* just integers, so there is always a coherent answer, even if the pointers are dangling
225//!   or from different provenances. Note that if you get "lucky" and notice that a pointer at the
226//!   end of one allocation is the "same" address as the start of another allocation,
227//!   anything you do with that fact is *probably* going to be gibberish. The scope of that
228//!   gibberish is kept under control by the fact that the two pointers *still* aren't allowed to
229//!   access the other's allocation (bytes), because they still have different provenance.
230//!
231//! Note that the full definition of provenance in Rust is not decided yet, as this interacts
232//! with the as-yet undecided [aliasing] rules.
233//!
234//! ## Pointers Vs Integers
235//!
236//! From this discussion, it becomes very clear that a `usize` *cannot* accurately represent a pointer,
237//! and converting from a pointer to a `usize` is generally an operation which *only* extracts the
238//! address. Converting this address back into pointer requires somehow answering the question:
239//! which provenance should the resulting pointer have?
240//!
241//! Rust provides two ways of dealing with this situation: *Strict Provenance* and *Exposed Provenance*.
242//!
243//! Note that a pointer *can* represent a `usize` (via [`without_provenance`]), so the right type to
244//! use in situations where a value is "sometimes a pointer and sometimes a bare `usize`" is a
245//! pointer type.
246//!
247//! ## Strict Provenance
248//!
249//! "Strict Provenance" refers to a set of APIs designed to make working with provenance more
250//! explicit. They are intended as substitutes for casting a pointer to an integer and back.
251//!
252//! Entirely avoiding integer-to-pointer casts successfully side-steps the inherent ambiguity of
253//! that operation. This benefits compiler optimizations, and it is pretty much a requirement for
254//! using tools like [Miri] and architectures like [CHERI] that aim to detect and diagnose pointer
255//! misuse.
256//!
257//! The key insight to making programming without integer-to-pointer casts *at all* viable is the
258//! [`with_addr`] method:
259//!
260//! ```text
261//!     /// Creates a new pointer with the given address.
262//!     ///
263//!     /// This performs the same operation as an `addr as ptr` cast, but copies
264//!     /// the *provenance* of `self` to the new pointer.
265//!     /// This allows us to dynamically preserve and propagate this important
266//!     /// information in a way that is otherwise impossible with a unary cast.
267//!     ///
268//!     /// This is equivalent to using `wrapping_offset` to offset `self` to the
269//!     /// given address, and therefore has all the same capabilities and restrictions.
270//!     pub fn with_addr(self, addr: usize) -> Self;
271//! ```
272//!
273//! So you're still able to drop down to the address representation and do whatever
274//! clever bit tricks you want *as long as* you're able to keep around a pointer
275//! into the allocation you care about that can "reconstitute" the provenance.
276//! Usually this is very easy, because you only are taking a pointer, messing with the address,
277//! and then immediately converting back to a pointer. To make this use case more ergonomic,
278//! we provide the [`map_addr`] method.
279//!
280//! To help make it clear that code is "following" Strict Provenance semantics, we also provide an
281//! [`addr`] method which promises that the returned address is not part of a
282//! pointer-integer-pointer roundtrip. In the future we may provide a lint for pointer<->integer
283//! casts to help you audit if your code conforms to strict provenance.
284//!
285//! ### Using Strict Provenance
286//!
287//! Most code needs no changes to conform to strict provenance, as the only really concerning
288//! operation is casts from `usize` to a pointer. For code which *does* cast a `usize` to a pointer,
289//! the scope of the change depends on exactly what you're doing.
290//!
291//! In general, you just need to make sure that if you want to convert a `usize` address to a
292//! pointer and then use that pointer to read/write memory, you need to keep around a pointer
293//! that has sufficient provenance to perform that read/write itself. In this way all of your
294//! casts from an address to a pointer are essentially just applying offsets/indexing.
295//!
296//! This is generally trivial to do for simple cases like tagged pointers *as long as you
297//! represent the tagged pointer as an actual pointer and not a `usize`*. For instance:
298//!
299//! ```
300//! unsafe {
301//!     // A flag we want to pack into our pointer
302//!     static HAS_DATA: usize = 0x1;
303//!     static FLAG_MASK: usize = !HAS_DATA;
304//!
305//!     // Our value, which must have enough alignment to have spare least-significant-bits.
306//!     let my_precious_data: u32 = 17;
307//!     assert!(align_of::<u32>() > 1);
308//!
309//!     // Create a tagged pointer
310//!     let ptr = &my_precious_data as *const u32;
311//!     let tagged = ptr.map_addr(|addr| addr | HAS_DATA);
312//!
313//!     // Check the flag:
314//!     if tagged.addr() & HAS_DATA != 0 {
315//!         // Untag and read the pointer
316//!         let data = *tagged.map_addr(|addr| addr & FLAG_MASK);
317//!         assert_eq!(data, 17);
318//!     } else {
319//!         unreachable!()
320//!     }
321//! }
322//! ```
323//!
324//! (Yes, if you've been using [`AtomicUsize`] for pointers in concurrent datastructures, you should
325//! be using [`AtomicPtr`] instead. If that messes up the way you atomically manipulate pointers,
326//! we would like to know why, and what needs to be done to fix it.)
327//!
328//! Situations where a valid pointer *must* be created from just an address, such as baremetal code
329//! accessing a memory-mapped interface at a fixed address, cannot currently be handled with strict
330//! provenance APIs and should use [exposed provenance](#exposed-provenance).
331//!
332//! ## Exposed Provenance
333//!
334//! As discussed above, integer-to-pointer casts are not possible with Strict Provenance APIs.
335//! This is by design: the goal of Strict Provenance is to provide a clear specification that we are
336//! confident can be formalized unambiguously and can be subject to precise formal reasoning.
337//! Integer-to-pointer casts do not (currently) have such a clear specification.
338//!
339//! However, there exist situations where integer-to-pointer casts cannot be avoided, or
340//! where avoiding them would require major refactoring. Legacy platform APIs also regularly assume
341//! that `usize` can capture all the information that makes up a pointer.
342//! Bare-metal platforms can also require the synthesis of a pointer "out of thin air" without
343//! anywhere to obtain proper provenance from.
344//!
345//! Rust's model for dealing with integer-to-pointer casts is called *Exposed Provenance*. However,
346//! the semantics of Exposed Provenance are on much less solid footing than Strict Provenance, and
347//! at this point it is not yet clear whether a satisfying unambiguous semantics can be defined for
348//! Exposed Provenance. (If that sounds bad, be reassured that other popular languages that provide
349//! integer-to-pointer casts are not faring any better.) Furthermore, Exposed Provenance will not
350//! work (well) with tools like [Miri] and [CHERI].
351//!
352//! Exposed Provenance is provided by the [`expose_provenance`] and [`with_exposed_provenance`] methods,
353//! which are equivalent to `as` casts between pointers and integers.
354//! - [`expose_provenance`] is a lot like [`addr`], but additionally adds the provenance of the
355//!   pointer to a global list of 'exposed' provenances. (This list is purely conceptual, it exists
356//!   for the purpose of specifying Rust but is not materialized in actual executions, except in
357//!   tools like [Miri].)
358//!   Memory which is outside the control of the Rust abstract machine (MMIO registers, for example)
359//!   is always considered to be exposed, so long as this memory is disjoint from memory that will
360//!   be used by the abstract machine such as the stack, heap, and statics.
361//! - [`with_exposed_provenance`] can be used to construct a pointer with one of these previously
362//!   'exposed' provenances. [`with_exposed_provenance`] takes only `addr: usize` as arguments, so
363//!   unlike in [`with_addr`] there is no indication of what the correct provenance for the returned
364//!   pointer is -- and that is exactly what makes integer-to-pointer casts so tricky to rigorously
365//!   specify! The compiler will do its best to pick the right provenance for you, but currently we
366//!   cannot provide any guarantees about which provenance the resulting pointer will have. Only one
367//!   thing is clear: if there is *no* previously 'exposed' provenance that justifies the way the
368//!   returned pointer will be used, the program has undefined behavior.
369//!
370//! If at all possible, we encourage code to be ported to [Strict Provenance] APIs, thus avoiding
371//! the need for Exposed Provenance. Maximizing the amount of such code is a major win for avoiding
372//! specification complexity and to facilitate adoption of tools like [CHERI] and [Miri] that can be
373//! a big help in increasing the confidence in (unsafe) Rust code. However, we acknowledge that this
374//! is not always possible, and offer Exposed Provenance as a way to explicit "opt out" of the
375//! well-defined semantics of Strict Provenance, and "opt in" to the unclear semantics of
376//! integer-to-pointer casts.
377//!
378//! [aliasing]: ../../nomicon/aliasing.html
379//! [allocation]: #allocation
380//! [provenance]: #provenance
381//! [book]: ../../book/ch19-01-unsafe-rust.html#dereferencing-a-raw-pointer
382//! [ub]: ../../reference/behavior-considered-undefined.html
383//! [zst]: ../../nomicon/exotic-sizes.html#zero-sized-types-zsts
384//! [atomic operations]: crate::sync::atomic
385//! [`offset`]: pointer::offset
386//! [`offset_from`]: pointer::offset_from
387//! [`wrapping_offset`]: pointer::wrapping_offset
388//! [`with_addr`]: pointer::with_addr
389//! [`map_addr`]: pointer::map_addr
390//! [`addr`]: pointer::addr
391//! [`AtomicUsize`]: crate::sync::atomic::AtomicUsize
392//! [`AtomicPtr`]: crate::sync::atomic::AtomicPtr
393//! [`expose_provenance`]: pointer::expose_provenance
394//! [`with_exposed_provenance`]: with_exposed_provenance
395//! [Miri]: https://github.com/rust-lang/miri
396//! [CHERI]: https://www.cl.cam.ac.uk/research/security/ctsrd/cheri/
397//! [Strict Provenance]: #strict-provenance
398//! [`UnsafeCell`]: core::cell::UnsafeCell
399
400#![stable(feature = "rust1", since = "1.0.0")]
401// There are many unsafe functions taking pointers that don't dereference them.
402#![allow(clippy::not_unsafe_ptr_arg_deref)]
403
404#[cfg(not(feature = "ferrocene_certified"))]
405use crate::cmp::Ordering;
406#[cfg(not(feature = "ferrocene_certified"))]
407use crate::intrinsics::const_eval_select;
408#[cfg(not(feature = "ferrocene_certified"))]
409use crate::marker::{FnPtr, PointeeSized};
410#[cfg(not(feature = "ferrocene_certified"))]
411use crate::mem::{self, MaybeUninit, SizedTypeProperties};
412#[cfg(not(feature = "ferrocene_certified"))]
413use crate::num::NonZero;
414#[cfg(not(feature = "ferrocene_certified"))]
415use crate::{fmt, hash, intrinsics, ub_checks};
416#[cfg(feature = "ferrocene_certified")]
417use crate::{intrinsics, marker::PointeeSized, mem};
418#[cfg(all(debug_assertions, feature = "ferrocene_certified"))]
419use crate::{mem::SizedTypeProperties, ub_checks};
420
421mod alignment;
422#[unstable(feature = "ptr_alignment_type", issue = "102070")]
423pub use alignment::Alignment;
424
425mod metadata;
426#[unstable(feature = "ptr_metadata", issue = "81513")]
427#[cfg(not(feature = "ferrocene_certified"))]
428pub use metadata::{DynMetadata, Pointee, Thin, from_raw_parts, from_raw_parts_mut, metadata};
429#[unstable(feature = "ptr_metadata", issue = "81513")]
430#[cfg(feature = "ferrocene_certified")]
431pub use metadata::{Pointee, Thin, from_raw_parts, from_raw_parts_mut};
432
433mod non_null;
434#[stable(feature = "nonnull", since = "1.25.0")]
435pub use non_null::NonNull;
436
437#[cfg(not(feature = "ferrocene_certified"))]
438mod unique;
439#[unstable(feature = "ptr_internals", issue = "none")]
440#[cfg(not(feature = "ferrocene_certified"))]
441pub use unique::Unique;
442
443mod const_ptr;
444mod mut_ptr;
445
446// Some functions are defined here because they accidentally got made
447// available in this module on stable. See <https://github.com/rust-lang/rust/issues/15702>.
448// (`transmute` also falls into this category, but it cannot be wrapped due to the
449// check that `T` and `U` have the same size.)
450
451/// Copies `count * size_of::<T>()` bytes from `src` to `dst`. The source
452/// and destination must *not* overlap.
453///
454/// For regions of memory which might overlap, use [`copy`] instead.
455///
456/// `copy_nonoverlapping` is semantically equivalent to C's [`memcpy`], but
457/// with the source and destination arguments swapped,
458/// and `count` counting the number of `T`s instead of bytes.
459///
460/// The copy is "untyped" in the sense that data may be uninitialized or otherwise violate the
461/// requirements of `T`. The initialization state is preserved exactly.
462///
463/// [`memcpy`]: https://en.cppreference.com/w/c/string/byte/memcpy
464///
465/// # Safety
466///
467/// Behavior is undefined if any of the following conditions are violated:
468///
469/// * `src` must be [valid] for reads of `count * size_of::<T>()` bytes.
470///
471/// * `dst` must be [valid] for writes of `count * size_of::<T>()` bytes.
472///
473/// * Both `src` and `dst` must be properly aligned.
474///
475/// * The region of memory beginning at `src` with a size of `count *
476///   size_of::<T>()` bytes must *not* overlap with the region of memory
477///   beginning at `dst` with the same size.
478///
479/// Like [`read`], `copy_nonoverlapping` creates a bitwise copy of `T`, regardless of
480/// whether `T` is [`Copy`]. If `T` is not [`Copy`], using *both* the values
481/// in the region beginning at `*src` and the region beginning at `*dst` can
482/// [violate memory safety][read-ownership].
483///
484/// Note that even if the effectively copied size (`count * size_of::<T>()`) is
485/// `0`, the pointers must be properly aligned.
486///
487/// [`read`]: crate::ptr::read
488/// [read-ownership]: crate::ptr::read#ownership-of-the-returned-value
489/// [valid]: crate::ptr#safety
490///
491/// # Examples
492///
493/// Manually implement [`Vec::append`]:
494///
495/// ```
496/// use std::ptr;
497///
498/// /// Moves all the elements of `src` into `dst`, leaving `src` empty.
499/// fn append<T>(dst: &mut Vec<T>, src: &mut Vec<T>) {
500///     let src_len = src.len();
501///     let dst_len = dst.len();
502///
503///     // Ensure that `dst` has enough capacity to hold all of `src`.
504///     dst.reserve(src_len);
505///
506///     unsafe {
507///         // The call to add is always safe because `Vec` will never
508///         // allocate more than `isize::MAX` bytes.
509///         let dst_ptr = dst.as_mut_ptr().add(dst_len);
510///         let src_ptr = src.as_ptr();
511///
512///         // Truncate `src` without dropping its contents. We do this first,
513///         // to avoid problems in case something further down panics.
514///         src.set_len(0);
515///
516///         // The two regions cannot overlap because mutable references do
517///         // not alias, and two different vectors cannot own the same
518///         // memory.
519///         ptr::copy_nonoverlapping(src_ptr, dst_ptr, src_len);
520///
521///         // Notify `dst` that it now holds the contents of `src`.
522///         dst.set_len(dst_len + src_len);
523///     }
524/// }
525///
526/// let mut a = vec!['r'];
527/// let mut b = vec!['u', 's', 't'];
528///
529/// append(&mut a, &mut b);
530///
531/// assert_eq!(a, &['r', 'u', 's', 't']);
532/// assert!(b.is_empty());
533/// ```
534///
535/// [`Vec::append`]: ../../std/vec/struct.Vec.html#method.append
536#[doc(alias = "memcpy")]
537#[stable(feature = "rust1", since = "1.0.0")]
538#[rustc_const_stable(feature = "const_intrinsic_copy", since = "1.83.0")]
539#[inline(always)]
540#[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
541#[rustc_diagnostic_item = "ptr_copy_nonoverlapping"]
542#[cfg(not(feature = "ferrocene_certified"))]
543pub const unsafe fn copy_nonoverlapping<T>(src: *const T, dst: *mut T, count: usize) {
544    ub_checks::assert_unsafe_precondition!(
545        check_language_ub,
546        "ptr::copy_nonoverlapping requires that both pointer arguments are aligned and non-null \
547        and the specified memory ranges do not overlap",
548        (
549            src: *const () = src as *const (),
550            dst: *mut () = dst as *mut (),
551            size: usize = size_of::<T>(),
552            align: usize = align_of::<T>(),
553            count: usize = count,
554        ) => {
555            let zero_size = count == 0 || size == 0;
556            ub_checks::maybe_is_aligned_and_not_null(src, align, zero_size)
557                && ub_checks::maybe_is_aligned_and_not_null(dst, align, zero_size)
558                && ub_checks::maybe_is_nonoverlapping(src, dst, size, count)
559        }
560    );
561
562    // SAFETY: the safety contract for `copy_nonoverlapping` must be
563    // upheld by the caller.
564    unsafe { crate::intrinsics::copy_nonoverlapping(src, dst, count) }
565}
566
567/// Copies `count * size_of::<T>()` bytes from `src` to `dst`. The source
568/// and destination may overlap.
569///
570/// If the source and destination will *never* overlap,
571/// [`copy_nonoverlapping`] can be used instead.
572///
573/// `copy` is semantically equivalent to C's [`memmove`], but
574/// with the source and destination arguments swapped,
575/// and `count` counting the number of `T`s instead of bytes.
576/// Copying takes place as if the bytes were copied from `src`
577/// to a temporary array and then copied from the array to `dst`.
578///
579/// The copy is "untyped" in the sense that data may be uninitialized or otherwise violate the
580/// requirements of `T`. The initialization state is preserved exactly.
581///
582/// [`memmove`]: https://en.cppreference.com/w/c/string/byte/memmove
583///
584/// # Safety
585///
586/// Behavior is undefined if any of the following conditions are violated:
587///
588/// * `src` must be [valid] for reads of `count * size_of::<T>()` bytes.
589///
590/// * `dst` must be [valid] for writes of `count * size_of::<T>()` bytes, and must remain valid even
591///   when `src` is read for `count * size_of::<T>()` bytes. (This means if the memory ranges
592///   overlap, the `dst` pointer must not be invalidated by `src` reads.)
593///
594/// * Both `src` and `dst` must be properly aligned.
595///
596/// Like [`read`], `copy` creates a bitwise copy of `T`, regardless of
597/// whether `T` is [`Copy`]. If `T` is not [`Copy`], using both the values
598/// in the region beginning at `*src` and the region beginning at `*dst` can
599/// [violate memory safety][read-ownership].
600///
601/// Note that even if the effectively copied size (`count * size_of::<T>()`) is
602/// `0`, the pointers must be properly aligned.
603///
604/// [`read`]: crate::ptr::read
605/// [read-ownership]: crate::ptr::read#ownership-of-the-returned-value
606/// [valid]: crate::ptr#safety
607///
608/// # Examples
609///
610/// Efficiently create a Rust vector from an unsafe buffer:
611///
612/// ```
613/// use std::ptr;
614///
615/// /// # Safety
616/// ///
617/// /// * `ptr` must be correctly aligned for its type and non-zero.
618/// /// * `ptr` must be valid for reads of `elts` contiguous elements of type `T`.
619/// /// * Those elements must not be used after calling this function unless `T: Copy`.
620/// # #[allow(dead_code)]
621/// unsafe fn from_buf_raw<T>(ptr: *const T, elts: usize) -> Vec<T> {
622///     let mut dst = Vec::with_capacity(elts);
623///
624///     // SAFETY: Our precondition ensures the source is aligned and valid,
625///     // and `Vec::with_capacity` ensures that we have usable space to write them.
626///     unsafe { ptr::copy(ptr, dst.as_mut_ptr(), elts); }
627///
628///     // SAFETY: We created it with this much capacity earlier,
629///     // and the previous `copy` has initialized these elements.
630///     unsafe { dst.set_len(elts); }
631///     dst
632/// }
633/// ```
634#[doc(alias = "memmove")]
635#[stable(feature = "rust1", since = "1.0.0")]
636#[rustc_const_stable(feature = "const_intrinsic_copy", since = "1.83.0")]
637#[inline(always)]
638#[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
639#[rustc_diagnostic_item = "ptr_copy"]
640#[cfg(not(feature = "ferrocene_certified"))]
641pub const unsafe fn copy<T>(src: *const T, dst: *mut T, count: usize) {
642    // SAFETY: the safety contract for `copy` must be upheld by the caller.
643    unsafe {
644        ub_checks::assert_unsafe_precondition!(
645            check_language_ub,
646            "ptr::copy requires that both pointer arguments are aligned and non-null",
647            (
648                src: *const () = src as *const (),
649                dst: *mut () = dst as *mut (),
650                align: usize = align_of::<T>(),
651                zero_size: bool = T::IS_ZST || count == 0,
652            ) =>
653            ub_checks::maybe_is_aligned_and_not_null(src, align, zero_size)
654                && ub_checks::maybe_is_aligned_and_not_null(dst, align, zero_size)
655        );
656        crate::intrinsics::copy(src, dst, count)
657    }
658}
659
660/// Sets `count * size_of::<T>()` bytes of memory starting at `dst` to
661/// `val`.
662///
663/// `write_bytes` is similar to C's [`memset`], but sets `count *
664/// size_of::<T>()` bytes to `val`.
665///
666/// [`memset`]: https://en.cppreference.com/w/c/string/byte/memset
667///
668/// # Safety
669///
670/// Behavior is undefined if any of the following conditions are violated:
671///
672/// * `dst` must be [valid] for writes of `count * size_of::<T>()` bytes.
673///
674/// * `dst` must be properly aligned.
675///
676/// Note that even if the effectively copied size (`count * size_of::<T>()`) is
677/// `0`, the pointer must be properly aligned.
678///
679/// Additionally, note that changing `*dst` in this way can easily lead to undefined behavior (UB)
680/// later if the written bytes are not a valid representation of some `T`. For instance, the
681/// following is an **incorrect** use of this function:
682///
683/// ```rust,no_run
684/// unsafe {
685///     let mut value: u8 = 0;
686///     let ptr: *mut bool = &mut value as *mut u8 as *mut bool;
687///     let _bool = ptr.read(); // This is fine, `ptr` points to a valid `bool`.
688///     ptr.write_bytes(42u8, 1); // This function itself does not cause UB...
689///     let _bool = ptr.read(); // ...but it makes this operation UB! ⚠️
690/// }
691/// ```
692///
693/// [valid]: crate::ptr#safety
694///
695/// # Examples
696///
697/// Basic usage:
698///
699/// ```
700/// use std::ptr;
701///
702/// let mut vec = vec![0u32; 4];
703/// unsafe {
704///     let vec_ptr = vec.as_mut_ptr();
705///     ptr::write_bytes(vec_ptr, 0xfe, 2);
706/// }
707/// assert_eq!(vec, [0xfefefefe, 0xfefefefe, 0, 0]);
708/// ```
709#[doc(alias = "memset")]
710#[stable(feature = "rust1", since = "1.0.0")]
711#[rustc_const_stable(feature = "const_ptr_write", since = "1.83.0")]
712#[inline(always)]
713#[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
714#[rustc_diagnostic_item = "ptr_write_bytes"]
715#[cfg(not(feature = "ferrocene_certified"))]
716pub const unsafe fn write_bytes<T>(dst: *mut T, val: u8, count: usize) {
717    // SAFETY: the safety contract for `write_bytes` must be upheld by the caller.
718    unsafe {
719        ub_checks::assert_unsafe_precondition!(
720            check_language_ub,
721            "ptr::write_bytes requires that the destination pointer is aligned and non-null",
722            (
723                addr: *const () = dst as *const (),
724                align: usize = align_of::<T>(),
725                zero_size: bool = T::IS_ZST || count == 0,
726            ) => ub_checks::maybe_is_aligned_and_not_null(addr, align, zero_size)
727        );
728        crate::intrinsics::write_bytes(dst, val, count)
729    }
730}
731
732/// Executes the destructor (if any) of the pointed-to value.
733///
734/// This is almost the same as calling [`ptr::read`] and discarding
735/// the result, but has the following advantages:
736// FIXME: say something more useful than "almost the same"?
737// There are open questions here: `read` requires the value to be fully valid, e.g. if `T` is a
738// `bool` it must be 0 or 1, if it is a reference then it must be dereferenceable. `drop_in_place`
739// only requires that `*to_drop` be "valid for dropping" and we have not defined what that means. In
740// Miri it currently (May 2024) requires nothing at all for types without drop glue.
741///
742/// * It is *required* to use `drop_in_place` to drop unsized types like
743///   trait objects, because they can't be read out onto the stack and
744///   dropped normally.
745///
746/// * It is friendlier to the optimizer to do this over [`ptr::read`] when
747///   dropping manually allocated memory (e.g., in the implementations of
748///   `Box`/`Rc`/`Vec`), as the compiler doesn't need to prove that it's
749///   sound to elide the copy.
750///
751/// * It can be used to drop [pinned] data when `T` is not `repr(packed)`
752///   (pinned data must not be moved before it is dropped).
753///
754/// Unaligned values cannot be dropped in place, they must be copied to an aligned
755/// location first using [`ptr::read_unaligned`]. For packed structs, this move is
756/// done automatically by the compiler. This means the fields of packed structs
757/// are not dropped in-place.
758///
759/// [`ptr::read`]: self::read
760/// [`ptr::read_unaligned`]: self::read_unaligned
761/// [pinned]: crate::pin
762///
763/// # Safety
764///
765/// Behavior is undefined if any of the following conditions are violated:
766///
767/// * `to_drop` must be [valid] for both reads and writes.
768///
769/// * `to_drop` must be properly aligned, even if `T` has size 0.
770///
771/// * `to_drop` must be nonnull, even if `T` has size 0.
772///
773/// * The value `to_drop` points to must be valid for dropping, which may mean
774///   it must uphold additional invariants. These invariants depend on the type
775///   of the value being dropped. For instance, when dropping a Box, the box's
776///   pointer to the heap must be valid.
777///
778/// * While `drop_in_place` is executing, the only way to access parts of
779///   `to_drop` is through the `&mut self` references supplied to the
780///   `Drop::drop` methods that `drop_in_place` invokes.
781///
782/// Additionally, if `T` is not [`Copy`], using the pointed-to value after
783/// calling `drop_in_place` can cause undefined behavior. Note that `*to_drop =
784/// foo` counts as a use because it will cause the value to be dropped
785/// again. [`write()`] can be used to overwrite data without causing it to be
786/// dropped.
787///
788/// [valid]: self#safety
789///
790/// # Examples
791///
792/// Manually remove the last item from a vector:
793///
794/// ```
795/// use std::ptr;
796/// use std::rc::Rc;
797///
798/// let last = Rc::new(1);
799/// let weak = Rc::downgrade(&last);
800///
801/// let mut v = vec![Rc::new(0), last];
802///
803/// unsafe {
804///     // Get a raw pointer to the last element in `v`.
805///     let ptr = &mut v[1] as *mut _;
806///     // Shorten `v` to prevent the last item from being dropped. We do that first,
807///     // to prevent issues if the `drop_in_place` below panics.
808///     v.set_len(1);
809///     // Without a call `drop_in_place`, the last item would never be dropped,
810///     // and the memory it manages would be leaked.
811///     ptr::drop_in_place(ptr);
812/// }
813///
814/// assert_eq!(v, &[0.into()]);
815///
816/// // Ensure that the last item was dropped.
817/// assert!(weak.upgrade().is_none());
818/// ```
819#[stable(feature = "drop_in_place", since = "1.8.0")]
820#[lang = "drop_in_place"]
821#[allow(unconditional_recursion)]
822#[rustc_diagnostic_item = "ptr_drop_in_place"]
823#[cfg(not(feature = "ferrocene_certified"))]
824pub unsafe fn drop_in_place<T: PointeeSized>(to_drop: *mut T) {
825    // Code here does not matter - this is replaced by the
826    // real drop glue by the compiler.
827
828    // SAFETY: see comment above
829    unsafe { drop_in_place(to_drop) }
830}
831
832/// Creates a null raw pointer.
833///
834/// This function is equivalent to zero-initializing the pointer:
835/// `MaybeUninit::<*const T>::zeroed().assume_init()`.
836/// The resulting pointer has the address 0.
837///
838/// # Examples
839///
840/// ```
841/// use std::ptr;
842///
843/// let p: *const i32 = ptr::null();
844/// assert!(p.is_null());
845/// assert_eq!(p as usize, 0); // this pointer has the address 0
846/// ```
847#[inline(always)]
848#[must_use]
849#[stable(feature = "rust1", since = "1.0.0")]
850#[rustc_promotable]
851#[rustc_const_stable(feature = "const_ptr_null", since = "1.24.0")]
852#[rustc_diagnostic_item = "ptr_null"]
853pub const fn null<T: PointeeSized + Thin>() -> *const T {
854    from_raw_parts(without_provenance::<()>(0), ())
855}
856
857/// Creates a null mutable raw pointer.
858///
859/// This function is equivalent to zero-initializing the pointer:
860/// `MaybeUninit::<*mut T>::zeroed().assume_init()`.
861/// The resulting pointer has the address 0.
862///
863/// # Examples
864///
865/// ```
866/// use std::ptr;
867///
868/// let p: *mut i32 = ptr::null_mut();
869/// assert!(p.is_null());
870/// assert_eq!(p as usize, 0); // this pointer has the address 0
871/// ```
872#[inline(always)]
873#[must_use]
874#[stable(feature = "rust1", since = "1.0.0")]
875#[rustc_promotable]
876#[rustc_const_stable(feature = "const_ptr_null", since = "1.24.0")]
877#[rustc_diagnostic_item = "ptr_null_mut"]
878pub const fn null_mut<T: PointeeSized + Thin>() -> *mut T {
879    from_raw_parts_mut(without_provenance_mut::<()>(0), ())
880}
881
882/// Creates a pointer with the given address and no [provenance][crate::ptr#provenance].
883///
884/// This is equivalent to `ptr::null().with_addr(addr)`.
885///
886/// Without provenance, this pointer is not associated with any actual allocation. Such a
887/// no-provenance pointer may be used for zero-sized memory accesses (if suitably aligned), but
888/// non-zero-sized memory accesses with a no-provenance pointer are UB. No-provenance pointers are
889/// little more than a `usize` address in disguise.
890///
891/// This is different from `addr as *const T`, which creates a pointer that picks up a previously
892/// exposed provenance. See [`with_exposed_provenance`] for more details on that operation.
893///
894/// This is a [Strict Provenance][crate::ptr#strict-provenance] API.
895#[inline(always)]
896#[must_use]
897#[stable(feature = "strict_provenance", since = "1.84.0")]
898#[rustc_const_stable(feature = "strict_provenance", since = "1.84.0")]
899pub const fn without_provenance<T>(addr: usize) -> *const T {
900    without_provenance_mut(addr)
901}
902
903/// Creates a new pointer that is dangling, but non-null and well-aligned.
904///
905/// This is useful for initializing types which lazily allocate, like
906/// `Vec::new` does.
907///
908/// Note that the address of the returned pointer may potentially
909/// be that of a valid pointer, which means this must not be used
910/// as a "not yet initialized" sentinel value.
911/// Types that lazily allocate must track initialization by some other means.
912#[inline(always)]
913#[must_use]
914#[stable(feature = "strict_provenance", since = "1.84.0")]
915#[rustc_const_stable(feature = "strict_provenance", since = "1.84.0")]
916#[cfg(not(feature = "ferrocene_certified"))]
917pub const fn dangling<T>() -> *const T {
918    dangling_mut()
919}
920
921/// Creates a pointer with the given address and no [provenance][crate::ptr#provenance].
922///
923/// This is equivalent to `ptr::null_mut().with_addr(addr)`.
924///
925/// Without provenance, this pointer is not associated with any actual allocation. Such a
926/// no-provenance pointer may be used for zero-sized memory accesses (if suitably aligned), but
927/// non-zero-sized memory accesses with a no-provenance pointer are UB. No-provenance pointers are
928/// little more than a `usize` address in disguise.
929///
930/// This is different from `addr as *mut T`, which creates a pointer that picks up a previously
931/// exposed provenance. See [`with_exposed_provenance_mut`] for more details on that operation.
932///
933/// This is a [Strict Provenance][crate::ptr#strict-provenance] API.
934#[inline(always)]
935#[must_use]
936#[stable(feature = "strict_provenance", since = "1.84.0")]
937#[rustc_const_stable(feature = "strict_provenance", since = "1.84.0")]
938#[allow(integer_to_ptr_transmutes)] // Expected semantics here.
939pub const fn without_provenance_mut<T>(addr: usize) -> *mut T {
940    // An int-to-pointer transmute currently has exactly the intended semantics: it creates a
941    // pointer without provenance. Note that this is *not* a stable guarantee about transmute
942    // semantics, it relies on sysroot crates having special status.
943    // SAFETY: every valid integer is also a valid pointer (as long as you don't dereference that
944    // pointer).
945    unsafe { mem::transmute(addr) }
946}
947
948/// Creates a new pointer that is dangling, but non-null and well-aligned.
949///
950/// This is useful for initializing types which lazily allocate, like
951/// `Vec::new` does.
952///
953/// Note that the address of the returned pointer may potentially
954/// be that of a valid pointer, which means this must not be used
955/// as a "not yet initialized" sentinel value.
956/// Types that lazily allocate must track initialization by some other means.
957#[inline(always)]
958#[must_use]
959#[stable(feature = "strict_provenance", since = "1.84.0")]
960#[rustc_const_stable(feature = "strict_provenance", since = "1.84.0")]
961#[cfg(not(feature = "ferrocene_certified"))]
962pub const fn dangling_mut<T>() -> *mut T {
963    NonNull::dangling().as_ptr()
964}
965
966/// Converts an address back to a pointer, picking up some previously 'exposed'
967/// [provenance][crate::ptr#provenance].
968///
969/// This is fully equivalent to `addr as *const T`. The provenance of the returned pointer is that
970/// of *some* pointer that was previously exposed by passing it to
971/// [`expose_provenance`][pointer::expose_provenance], or a `ptr as usize` cast. In addition, memory
972/// which is outside the control of the Rust abstract machine (MMIO registers, for example) is
973/// always considered to be accessible with an exposed provenance, so long as this memory is disjoint
974/// from memory that will be used by the abstract machine such as the stack, heap, and statics.
975///
976/// The exact provenance that gets picked is not specified. The compiler will do its best to pick
977/// the "right" provenance for you (whatever that may be), but currently we cannot provide any
978/// guarantees about which provenance the resulting pointer will have -- and therefore there
979/// is no definite specification for which memory the resulting pointer may access.
980///
981/// If there is *no* previously 'exposed' provenance that justifies the way the returned pointer
982/// will be used, the program has undefined behavior. In particular, the aliasing rules still apply:
983/// pointers and references that have been invalidated due to aliasing accesses cannot be used
984/// anymore, even if they have been exposed!
985///
986/// Due to its inherent ambiguity, this operation may not be supported by tools that help you to
987/// stay conformant with the Rust memory model. It is recommended to use [Strict
988/// Provenance][self#strict-provenance] APIs such as [`with_addr`][pointer::with_addr] wherever
989/// possible.
990///
991/// On most platforms this will produce a value with the same bytes as the address. Platforms
992/// which need to store additional information in a pointer may not support this operation,
993/// since it is generally not possible to actually *compute* which provenance the returned
994/// pointer has to pick up.
995///
996/// This is an [Exposed Provenance][crate::ptr#exposed-provenance] API.
997#[must_use]
998#[inline(always)]
999#[stable(feature = "exposed_provenance", since = "1.84.0")]
1000#[rustc_const_stable(feature = "const_exposed_provenance", since = "CURRENT_RUSTC_VERSION")]
1001#[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
1002#[allow(fuzzy_provenance_casts)] // this *is* the explicit provenance API one should use instead
1003#[cfg(not(feature = "ferrocene_certified"))]
1004pub const fn with_exposed_provenance<T>(addr: usize) -> *const T {
1005    addr as *const T
1006}
1007
1008/// Converts an address back to a mutable pointer, picking up some previously 'exposed'
1009/// [provenance][crate::ptr#provenance].
1010///
1011/// This is fully equivalent to `addr as *mut T`. The provenance of the returned pointer is that
1012/// of *some* pointer that was previously exposed by passing it to
1013/// [`expose_provenance`][pointer::expose_provenance], or a `ptr as usize` cast. In addition, memory
1014/// which is outside the control of the Rust abstract machine (MMIO registers, for example) is
1015/// always considered to be accessible with an exposed provenance, so long as this memory is disjoint
1016/// from memory that will be used by the abstract machine such as the stack, heap, and statics.
1017///
1018/// The exact provenance that gets picked is not specified. The compiler will do its best to pick
1019/// the "right" provenance for you (whatever that may be), but currently we cannot provide any
1020/// guarantees about which provenance the resulting pointer will have -- and therefore there
1021/// is no definite specification for which memory the resulting pointer may access.
1022///
1023/// If there is *no* previously 'exposed' provenance that justifies the way the returned pointer
1024/// will be used, the program has undefined behavior. In particular, the aliasing rules still apply:
1025/// pointers and references that have been invalidated due to aliasing accesses cannot be used
1026/// anymore, even if they have been exposed!
1027///
1028/// Due to its inherent ambiguity, this operation may not be supported by tools that help you to
1029/// stay conformant with the Rust memory model. It is recommended to use [Strict
1030/// Provenance][self#strict-provenance] APIs such as [`with_addr`][pointer::with_addr] wherever
1031/// possible.
1032///
1033/// On most platforms this will produce a value with the same bytes as the address. Platforms
1034/// which need to store additional information in a pointer may not support this operation,
1035/// since it is generally not possible to actually *compute* which provenance the returned
1036/// pointer has to pick up.
1037///
1038/// This is an [Exposed Provenance][crate::ptr#exposed-provenance] API.
1039#[must_use]
1040#[inline(always)]
1041#[stable(feature = "exposed_provenance", since = "1.84.0")]
1042#[rustc_const_stable(feature = "const_exposed_provenance", since = "CURRENT_RUSTC_VERSION")]
1043#[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
1044#[allow(fuzzy_provenance_casts)] // this *is* the explicit provenance API one should use instead
1045#[cfg(not(feature = "ferrocene_certified"))]
1046pub const fn with_exposed_provenance_mut<T>(addr: usize) -> *mut T {
1047    addr as *mut T
1048}
1049
1050/// Converts a reference to a raw pointer.
1051///
1052/// For `r: &T`, `from_ref(r)` is equivalent to `r as *const T` (except for the caveat noted below),
1053/// but is a bit safer since it will never silently change type or mutability, in particular if the
1054/// code is refactored.
1055///
1056/// The caller must ensure that the pointee outlives the pointer this function returns, or else it
1057/// will end up dangling.
1058///
1059/// The caller must also ensure that the memory the pointer (non-transitively) points to is never
1060/// written to (except inside an `UnsafeCell`) using this pointer or any pointer derived from it. If
1061/// you need to mutate the pointee, use [`from_mut`]. Specifically, to turn a mutable reference `m:
1062/// &mut T` into `*const T`, prefer `from_mut(m).cast_const()` to obtain a pointer that can later be
1063/// used for mutation.
1064///
1065/// ## Interaction with lifetime extension
1066///
1067/// Note that this has subtle interactions with the rules for lifetime extension of temporaries in
1068/// tail expressions. This code is valid, albeit in a non-obvious way:
1069/// ```rust
1070/// # type T = i32;
1071/// # fn foo() -> T { 42 }
1072/// // The temporary holding the return value of `foo` has its lifetime extended,
1073/// // because the surrounding expression involves no function call.
1074/// let p = &foo() as *const T;
1075/// unsafe { p.read() };
1076/// ```
1077/// Naively replacing the cast with `from_ref` is not valid:
1078/// ```rust,no_run
1079/// # use std::ptr;
1080/// # type T = i32;
1081/// # fn foo() -> T { 42 }
1082/// // The temporary holding the return value of `foo` does *not* have its lifetime extended,
1083/// // because the surrounding expression involves a function call.
1084/// let p = ptr::from_ref(&foo());
1085/// unsafe { p.read() }; // UB! Reading from a dangling pointer ⚠️
1086/// ```
1087/// The recommended way to write this code is to avoid relying on lifetime extension
1088/// when raw pointers are involved:
1089/// ```rust
1090/// # use std::ptr;
1091/// # type T = i32;
1092/// # fn foo() -> T { 42 }
1093/// let x = foo();
1094/// let p = ptr::from_ref(&x);
1095/// unsafe { p.read() };
1096/// ```
1097#[inline(always)]
1098#[must_use]
1099#[stable(feature = "ptr_from_ref", since = "1.76.0")]
1100#[rustc_const_stable(feature = "ptr_from_ref", since = "1.76.0")]
1101#[rustc_never_returns_null_ptr]
1102#[rustc_diagnostic_item = "ptr_from_ref"]
1103#[cfg(not(feature = "ferrocene_certified"))]
1104pub const fn from_ref<T: PointeeSized>(r: &T) -> *const T {
1105    r
1106}
1107
1108/// Converts a mutable reference to a raw pointer.
1109///
1110/// For `r: &mut T`, `from_mut(r)` is equivalent to `r as *mut T` (except for the caveat noted
1111/// below), but is a bit safer since it will never silently change type or mutability, in particular
1112/// if the code is refactored.
1113///
1114/// The caller must ensure that the pointee outlives the pointer this function returns, or else it
1115/// will end up dangling.
1116///
1117/// ## Interaction with lifetime extension
1118///
1119/// Note that this has subtle interactions with the rules for lifetime extension of temporaries in
1120/// tail expressions. This code is valid, albeit in a non-obvious way:
1121/// ```rust
1122/// # type T = i32;
1123/// # fn foo() -> T { 42 }
1124/// // The temporary holding the return value of `foo` has its lifetime extended,
1125/// // because the surrounding expression involves no function call.
1126/// let p = &mut foo() as *mut T;
1127/// unsafe { p.write(T::default()) };
1128/// ```
1129/// Naively replacing the cast with `from_mut` is not valid:
1130/// ```rust,no_run
1131/// # use std::ptr;
1132/// # type T = i32;
1133/// # fn foo() -> T { 42 }
1134/// // The temporary holding the return value of `foo` does *not* have its lifetime extended,
1135/// // because the surrounding expression involves a function call.
1136/// let p = ptr::from_mut(&mut foo());
1137/// unsafe { p.write(T::default()) }; // UB! Writing to a dangling pointer ⚠️
1138/// ```
1139/// The recommended way to write this code is to avoid relying on lifetime extension
1140/// when raw pointers are involved:
1141/// ```rust
1142/// # use std::ptr;
1143/// # type T = i32;
1144/// # fn foo() -> T { 42 }
1145/// let mut x = foo();
1146/// let p = ptr::from_mut(&mut x);
1147/// unsafe { p.write(T::default()) };
1148/// ```
1149#[inline(always)]
1150#[must_use]
1151#[stable(feature = "ptr_from_ref", since = "1.76.0")]
1152#[rustc_const_stable(feature = "ptr_from_ref", since = "1.76.0")]
1153#[rustc_never_returns_null_ptr]
1154#[cfg(not(feature = "ferrocene_certified"))]
1155pub const fn from_mut<T: PointeeSized>(r: &mut T) -> *mut T {
1156    r
1157}
1158
1159/// Forms a raw slice from a pointer and a length.
1160///
1161/// The `len` argument is the number of **elements**, not the number of bytes.
1162///
1163/// This function is safe, but actually using the return value is unsafe.
1164/// See the documentation of [`slice::from_raw_parts`] for slice safety requirements.
1165///
1166/// [`slice::from_raw_parts`]: crate::slice::from_raw_parts
1167///
1168/// # Examples
1169///
1170/// ```rust
1171/// use std::ptr;
1172///
1173/// // create a slice pointer when starting out with a pointer to the first element
1174/// let x = [5, 6, 7];
1175/// let raw_pointer = x.as_ptr();
1176/// let slice = ptr::slice_from_raw_parts(raw_pointer, 3);
1177/// assert_eq!(unsafe { &*slice }[2], 7);
1178/// ```
1179///
1180/// You must ensure that the pointer is valid and not null before dereferencing
1181/// the raw slice. A slice reference must never have a null pointer, even if it's empty.
1182///
1183/// ```rust,should_panic
1184/// use std::ptr;
1185/// let danger: *const [u8] = ptr::slice_from_raw_parts(ptr::null(), 0);
1186/// unsafe {
1187///     danger.as_ref().expect("references must not be null");
1188/// }
1189/// ```
1190#[inline]
1191#[stable(feature = "slice_from_raw_parts", since = "1.42.0")]
1192#[rustc_const_stable(feature = "const_slice_from_raw_parts", since = "1.64.0")]
1193#[rustc_diagnostic_item = "ptr_slice_from_raw_parts"]
1194#[cfg(not(feature = "ferrocene_certified"))]
1195pub const fn slice_from_raw_parts<T>(data: *const T, len: usize) -> *const [T] {
1196    from_raw_parts(data, len)
1197}
1198
1199/// Forms a raw mutable slice from a pointer and a length.
1200///
1201/// The `len` argument is the number of **elements**, not the number of bytes.
1202///
1203/// Performs the same functionality as [`slice_from_raw_parts`], except that a
1204/// raw mutable slice is returned, as opposed to a raw immutable slice.
1205///
1206/// This function is safe, but actually using the return value is unsafe.
1207/// See the documentation of [`slice::from_raw_parts_mut`] for slice safety requirements.
1208///
1209/// [`slice::from_raw_parts_mut`]: crate::slice::from_raw_parts_mut
1210///
1211/// # Examples
1212///
1213/// ```rust
1214/// use std::ptr;
1215///
1216/// let x = &mut [5, 6, 7];
1217/// let raw_pointer = x.as_mut_ptr();
1218/// let slice = ptr::slice_from_raw_parts_mut(raw_pointer, 3);
1219///
1220/// unsafe {
1221///     (*slice)[2] = 99; // assign a value at an index in the slice
1222/// };
1223///
1224/// assert_eq!(unsafe { &*slice }[2], 99);
1225/// ```
1226///
1227/// You must ensure that the pointer is valid and not null before dereferencing
1228/// the raw slice. A slice reference must never have a null pointer, even if it's empty.
1229///
1230/// ```rust,should_panic
1231/// use std::ptr;
1232/// let danger: *mut [u8] = ptr::slice_from_raw_parts_mut(ptr::null_mut(), 0);
1233/// unsafe {
1234///     danger.as_mut().expect("references must not be null");
1235/// }
1236/// ```
1237#[inline]
1238#[stable(feature = "slice_from_raw_parts", since = "1.42.0")]
1239#[rustc_const_stable(feature = "const_slice_from_raw_parts_mut", since = "1.83.0")]
1240#[rustc_diagnostic_item = "ptr_slice_from_raw_parts_mut"]
1241#[cfg(not(feature = "ferrocene_certified"))]
1242pub const fn slice_from_raw_parts_mut<T>(data: *mut T, len: usize) -> *mut [T] {
1243    from_raw_parts_mut(data, len)
1244}
1245
1246/// Swaps the values at two mutable locations of the same type, without
1247/// deinitializing either.
1248///
1249/// But for the following exceptions, this function is semantically
1250/// equivalent to [`mem::swap`]:
1251///
1252/// * It operates on raw pointers instead of references. When references are
1253///   available, [`mem::swap`] should be preferred.
1254///
1255/// * The two pointed-to values may overlap. If the values do overlap, then the
1256///   overlapping region of memory from `x` will be used. This is demonstrated
1257///   in the second example below.
1258///
1259/// * The operation is "untyped" in the sense that data may be uninitialized or otherwise violate
1260///   the requirements of `T`. The initialization state is preserved exactly.
1261///
1262/// # Safety
1263///
1264/// Behavior is undefined if any of the following conditions are violated:
1265///
1266/// * Both `x` and `y` must be [valid] for both reads and writes. They must remain valid even when the
1267///   other pointer is written. (This means if the memory ranges overlap, the two pointers must not
1268///   be subject to aliasing restrictions relative to each other.)
1269///
1270/// * Both `x` and `y` must be properly aligned.
1271///
1272/// Note that even if `T` has size `0`, the pointers must be properly aligned.
1273///
1274/// [valid]: self#safety
1275///
1276/// # Examples
1277///
1278/// Swapping two non-overlapping regions:
1279///
1280/// ```
1281/// use std::ptr;
1282///
1283/// let mut array = [0, 1, 2, 3];
1284///
1285/// let (x, y) = array.split_at_mut(2);
1286/// let x = x.as_mut_ptr().cast::<[u32; 2]>(); // this is `array[0..2]`
1287/// let y = y.as_mut_ptr().cast::<[u32; 2]>(); // this is `array[2..4]`
1288///
1289/// unsafe {
1290///     ptr::swap(x, y);
1291///     assert_eq!([2, 3, 0, 1], array);
1292/// }
1293/// ```
1294///
1295/// Swapping two overlapping regions:
1296///
1297/// ```
1298/// use std::ptr;
1299///
1300/// let mut array: [i32; 4] = [0, 1, 2, 3];
1301///
1302/// let array_ptr: *mut i32 = array.as_mut_ptr();
1303///
1304/// let x = array_ptr as *mut [i32; 3]; // this is `array[0..3]`
1305/// let y = unsafe { array_ptr.add(1) } as *mut [i32; 3]; // this is `array[1..4]`
1306///
1307/// unsafe {
1308///     ptr::swap(x, y);
1309///     // The indices `1..3` of the slice overlap between `x` and `y`.
1310///     // Reasonable results would be for to them be `[2, 3]`, so that indices `0..3` are
1311///     // `[1, 2, 3]` (matching `y` before the `swap`); or for them to be `[0, 1]`
1312///     // so that indices `1..4` are `[0, 1, 2]` (matching `x` before the `swap`).
1313///     // This implementation is defined to make the latter choice.
1314///     assert_eq!([1, 0, 1, 2], array);
1315/// }
1316/// ```
1317#[inline]
1318#[stable(feature = "rust1", since = "1.0.0")]
1319#[rustc_const_stable(feature = "const_swap", since = "1.85.0")]
1320#[rustc_diagnostic_item = "ptr_swap"]
1321#[cfg(not(feature = "ferrocene_certified"))]
1322pub const unsafe fn swap<T>(x: *mut T, y: *mut T) {
1323    // Give ourselves some scratch space to work with.
1324    // We do not have to worry about drops: `MaybeUninit` does nothing when dropped.
1325    let mut tmp = MaybeUninit::<T>::uninit();
1326
1327    // Perform the swap
1328    // SAFETY: the caller must guarantee that `x` and `y` are
1329    // valid for writes and properly aligned. `tmp` cannot be
1330    // overlapping either `x` or `y` because `tmp` was just allocated
1331    // on the stack as a separate allocation.
1332    unsafe {
1333        copy_nonoverlapping(x, tmp.as_mut_ptr(), 1);
1334        copy(y, x, 1); // `x` and `y` may overlap
1335        copy_nonoverlapping(tmp.as_ptr(), y, 1);
1336    }
1337}
1338
1339/// Swaps `count * size_of::<T>()` bytes between the two regions of memory
1340/// beginning at `x` and `y`. The two regions must *not* overlap.
1341///
1342/// The operation is "untyped" in the sense that data may be uninitialized or otherwise violate the
1343/// requirements of `T`. The initialization state is preserved exactly.
1344///
1345/// # Safety
1346///
1347/// Behavior is undefined if any of the following conditions are violated:
1348///
1349/// * Both `x` and `y` must be [valid] for both reads and writes of `count *
1350///   size_of::<T>()` bytes.
1351///
1352/// * Both `x` and `y` must be properly aligned.
1353///
1354/// * The region of memory beginning at `x` with a size of `count *
1355///   size_of::<T>()` bytes must *not* overlap with the region of memory
1356///   beginning at `y` with the same size.
1357///
1358/// Note that even if the effectively copied size (`count * size_of::<T>()`) is `0`,
1359/// the pointers must be properly aligned.
1360///
1361/// [valid]: self#safety
1362///
1363/// # Examples
1364///
1365/// Basic usage:
1366///
1367/// ```
1368/// use std::ptr;
1369///
1370/// let mut x = [1, 2, 3, 4];
1371/// let mut y = [7, 8, 9];
1372///
1373/// unsafe {
1374///     ptr::swap_nonoverlapping(x.as_mut_ptr(), y.as_mut_ptr(), 2);
1375/// }
1376///
1377/// assert_eq!(x, [7, 8, 3, 4]);
1378/// assert_eq!(y, [1, 2, 9]);
1379/// ```
1380///
1381/// # Const evaluation limitations
1382///
1383/// If this function is invoked during const-evaluation, the current implementation has a small (and
1384/// rarely relevant) limitation: if `count` is at least 2 and the data pointed to by `x` or `y`
1385/// contains a pointer that crosses the boundary of two `T`-sized chunks of memory, the function may
1386/// fail to evaluate (similar to a panic during const-evaluation). This behavior may change in the
1387/// future.
1388///
1389/// The limitation is illustrated by the following example:
1390///
1391/// ```
1392/// use std::mem::size_of;
1393/// use std::ptr;
1394///
1395/// const { unsafe {
1396///     const PTR_SIZE: usize = size_of::<*const i32>();
1397///     let mut data1 = [0u8; PTR_SIZE];
1398///     let mut data2 = [0u8; PTR_SIZE];
1399///     // Store a pointer in `data1`.
1400///     data1.as_mut_ptr().cast::<*const i32>().write_unaligned(&42);
1401///     // Swap the contents of `data1` and `data2` by swapping `PTR_SIZE` many `u8`-sized chunks.
1402///     // This call will fail, because the pointer in `data1` crosses the boundary
1403///     // between several of the 1-byte chunks that are being swapped here.
1404///     //ptr::swap_nonoverlapping(data1.as_mut_ptr(), data2.as_mut_ptr(), PTR_SIZE);
1405///     // Swap the contents of `data1` and `data2` by swapping a single chunk of size
1406///     // `[u8; PTR_SIZE]`. That works, as there is no pointer crossing the boundary between
1407///     // two chunks.
1408///     ptr::swap_nonoverlapping(&mut data1, &mut data2, 1);
1409///     // Read the pointer from `data2` and dereference it.
1410///     let ptr = data2.as_ptr().cast::<*const i32>().read_unaligned();
1411///     assert!(*ptr == 42);
1412/// } }
1413/// ```
1414#[inline]
1415#[stable(feature = "swap_nonoverlapping", since = "1.27.0")]
1416#[rustc_const_stable(feature = "const_swap_nonoverlapping", since = "1.88.0")]
1417#[rustc_diagnostic_item = "ptr_swap_nonoverlapping"]
1418#[rustc_allow_const_fn_unstable(const_eval_select)] // both implementations behave the same
1419#[track_caller]
1420#[cfg(not(feature = "ferrocene_certified"))]
1421pub const unsafe fn swap_nonoverlapping<T>(x: *mut T, y: *mut T, count: usize) {
1422    ub_checks::assert_unsafe_precondition!(
1423        check_library_ub,
1424        "ptr::swap_nonoverlapping requires that both pointer arguments are aligned and non-null \
1425        and the specified memory ranges do not overlap",
1426        (
1427            x: *mut () = x as *mut (),
1428            y: *mut () = y as *mut (),
1429            size: usize = size_of::<T>(),
1430            align: usize = align_of::<T>(),
1431            count: usize = count,
1432        ) => {
1433            let zero_size = size == 0 || count == 0;
1434            ub_checks::maybe_is_aligned_and_not_null(x, align, zero_size)
1435                && ub_checks::maybe_is_aligned_and_not_null(y, align, zero_size)
1436                && ub_checks::maybe_is_nonoverlapping(x, y, size, count)
1437        }
1438    );
1439
1440    const_eval_select!(
1441        @capture[T] { x: *mut T, y: *mut T, count: usize }:
1442        if const {
1443            // At compile-time we want to always copy this in chunks of `T`, to ensure that if there
1444            // are pointers inside `T` we will copy them in one go rather than trying to copy a part
1445            // of a pointer (which would not work).
1446            // SAFETY: Same preconditions as this function
1447            unsafe { swap_nonoverlapping_const(x, y, count) }
1448        } else {
1449            // Going though a slice here helps codegen know the size fits in `isize`
1450            let slice = slice_from_raw_parts_mut(x, count);
1451            // SAFETY: This is all readable from the pointer, meaning it's one
1452            // allocation, and thus cannot be more than isize::MAX bytes.
1453            let bytes = unsafe { mem::size_of_val_raw::<[T]>(slice) };
1454            if let Some(bytes) = NonZero::new(bytes) {
1455                // SAFETY: These are the same ranges, just expressed in a different
1456                // type, so they're still non-overlapping.
1457                unsafe { swap_nonoverlapping_bytes(x.cast(), y.cast(), bytes) };
1458            }
1459        }
1460    )
1461}
1462
1463/// Same behavior and safety conditions as [`swap_nonoverlapping`]
1464#[inline]
1465#[cfg(not(feature = "ferrocene_certified"))]
1466const unsafe fn swap_nonoverlapping_const<T>(x: *mut T, y: *mut T, count: usize) {
1467    let mut i = 0;
1468    while i < count {
1469        // SAFETY: By precondition, `i` is in-bounds because it's below `n`
1470        let x = unsafe { x.add(i) };
1471        // SAFETY: By precondition, `i` is in-bounds because it's below `n`
1472        // and it's distinct from `x` since the ranges are non-overlapping
1473        let y = unsafe { y.add(i) };
1474
1475        // SAFETY: we're only ever given pointers that are valid to read/write,
1476        // including being aligned, and nothing here panics so it's drop-safe.
1477        unsafe {
1478            // Note that it's critical that these use `copy_nonoverlapping`,
1479            // rather than `read`/`write`, to avoid #134713 if T has padding.
1480            let mut temp = MaybeUninit::<T>::uninit();
1481            copy_nonoverlapping(x, temp.as_mut_ptr(), 1);
1482            copy_nonoverlapping(y, x, 1);
1483            copy_nonoverlapping(temp.as_ptr(), y, 1);
1484        }
1485
1486        i += 1;
1487    }
1488}
1489
1490// Don't let MIR inline this, because we really want it to keep its noalias metadata
1491#[rustc_no_mir_inline]
1492#[inline]
1493#[cfg(not(feature = "ferrocene_certified"))]
1494fn swap_chunk<const N: usize>(x: &mut MaybeUninit<[u8; N]>, y: &mut MaybeUninit<[u8; N]>) {
1495    let a = *x;
1496    let b = *y;
1497    *x = b;
1498    *y = a;
1499}
1500
1501#[inline]
1502#[cfg(not(feature = "ferrocene_certified"))]
1503unsafe fn swap_nonoverlapping_bytes(x: *mut u8, y: *mut u8, bytes: NonZero<usize>) {
1504    // Same as `swap_nonoverlapping::<[u8; N]>`.
1505    unsafe fn swap_nonoverlapping_chunks<const N: usize>(
1506        x: *mut MaybeUninit<[u8; N]>,
1507        y: *mut MaybeUninit<[u8; N]>,
1508        chunks: NonZero<usize>,
1509    ) {
1510        let chunks = chunks.get();
1511        for i in 0..chunks {
1512            // SAFETY: i is in [0, chunks) so the adds and dereferences are in-bounds.
1513            unsafe { swap_chunk(&mut *x.add(i), &mut *y.add(i)) };
1514        }
1515    }
1516
1517    // Same as `swap_nonoverlapping_bytes`, but accepts at most 1+2+4=7 bytes
1518    #[inline]
1519    unsafe fn swap_nonoverlapping_short(x: *mut u8, y: *mut u8, bytes: NonZero<usize>) {
1520        // Tail handling for auto-vectorized code sometimes has element-at-a-time behaviour,
1521        // see <https://github.com/rust-lang/rust/issues/134946>.
1522        // By swapping as different sizes, rather than as a loop over bytes,
1523        // we make sure not to end up with, say, seven byte-at-a-time copies.
1524
1525        let bytes = bytes.get();
1526        let mut i = 0;
1527        macro_rules! swap_prefix {
1528            ($($n:literal)+) => {$(
1529                if (bytes & $n) != 0 {
1530                    // SAFETY: `i` can only have the same bits set as those in bytes,
1531                    // so these `add`s are in-bounds of `bytes`.  But the bit for
1532                    // `$n` hasn't been set yet, so the `$n` bytes that `swap_chunk`
1533                    // will read and write are within the usable range.
1534                    unsafe { swap_chunk::<$n>(&mut*x.add(i).cast(), &mut*y.add(i).cast()) };
1535                    i |= $n;
1536                }
1537            )+};
1538        }
1539        swap_prefix!(4 2 1);
1540        debug_assert_eq!(i, bytes);
1541    }
1542
1543    const CHUNK_SIZE: usize = size_of::<*const ()>();
1544    let bytes = bytes.get();
1545
1546    let chunks = bytes / CHUNK_SIZE;
1547    let tail = bytes % CHUNK_SIZE;
1548    if let Some(chunks) = NonZero::new(chunks) {
1549        // SAFETY: this is bytes/CHUNK_SIZE*CHUNK_SIZE bytes, which is <= bytes,
1550        // so it's within the range of our non-overlapping bytes.
1551        unsafe { swap_nonoverlapping_chunks::<CHUNK_SIZE>(x.cast(), y.cast(), chunks) };
1552    }
1553    if let Some(tail) = NonZero::new(tail) {
1554        const { assert!(CHUNK_SIZE <= 8) };
1555        let delta = chunks * CHUNK_SIZE;
1556        // SAFETY: the tail length is below CHUNK SIZE because of the remainder,
1557        // and CHUNK_SIZE is at most 8 by the const assert, so tail <= 7
1558        unsafe { swap_nonoverlapping_short(x.add(delta), y.add(delta), tail) };
1559    }
1560}
1561
1562/// Moves `src` into the pointed `dst`, returning the previous `dst` value.
1563///
1564/// Neither value is dropped.
1565///
1566/// This function is semantically equivalent to [`mem::replace`] except that it
1567/// operates on raw pointers instead of references. When references are
1568/// available, [`mem::replace`] should be preferred.
1569///
1570/// # Safety
1571///
1572/// Behavior is undefined if any of the following conditions are violated:
1573///
1574/// * `dst` must be [valid] for both reads and writes.
1575///
1576/// * `dst` must be properly aligned.
1577///
1578/// * `dst` must point to a properly initialized value of type `T`.
1579///
1580/// Note that even if `T` has size `0`, the pointer must be properly aligned.
1581///
1582/// [valid]: self#safety
1583///
1584/// # Examples
1585///
1586/// ```
1587/// use std::ptr;
1588///
1589/// let mut rust = vec!['b', 'u', 's', 't'];
1590///
1591/// // `mem::replace` would have the same effect without requiring the unsafe
1592/// // block.
1593/// let b = unsafe {
1594///     ptr::replace(&mut rust[0], 'r')
1595/// };
1596///
1597/// assert_eq!(b, 'b');
1598/// assert_eq!(rust, &['r', 'u', 's', 't']);
1599/// ```
1600#[inline]
1601#[stable(feature = "rust1", since = "1.0.0")]
1602#[rustc_const_stable(feature = "const_replace", since = "1.83.0")]
1603#[rustc_diagnostic_item = "ptr_replace"]
1604#[track_caller]
1605#[cfg(not(feature = "ferrocene_certified"))]
1606pub const unsafe fn replace<T>(dst: *mut T, src: T) -> T {
1607    // SAFETY: the caller must guarantee that `dst` is valid to be
1608    // cast to a mutable reference (valid for writes, aligned, initialized),
1609    // and cannot overlap `src` since `dst` must point to a distinct
1610    // allocation.
1611    unsafe {
1612        ub_checks::assert_unsafe_precondition!(
1613            check_language_ub,
1614            "ptr::replace requires that the pointer argument is aligned and non-null",
1615            (
1616                addr: *const () = dst as *const (),
1617                align: usize = align_of::<T>(),
1618                is_zst: bool = T::IS_ZST,
1619            ) => ub_checks::maybe_is_aligned_and_not_null(addr, align, is_zst)
1620        );
1621        mem::replace(&mut *dst, src)
1622    }
1623}
1624
1625/// Reads the value from `src` without moving it. This leaves the
1626/// memory in `src` unchanged.
1627///
1628/// # Safety
1629///
1630/// Behavior is undefined if any of the following conditions are violated:
1631///
1632/// * `src` must be [valid] for reads.
1633///
1634/// * `src` must be properly aligned. Use [`read_unaligned`] if this is not the
1635///   case.
1636///
1637/// * `src` must point to a properly initialized value of type `T`.
1638///
1639/// Note that even if `T` has size `0`, the pointer must be properly aligned.
1640///
1641/// # Examples
1642///
1643/// Basic usage:
1644///
1645/// ```
1646/// let x = 12;
1647/// let y = &x as *const i32;
1648///
1649/// unsafe {
1650///     assert_eq!(std::ptr::read(y), 12);
1651/// }
1652/// ```
1653///
1654/// Manually implement [`mem::swap`]:
1655///
1656/// ```
1657/// use std::ptr;
1658///
1659/// fn swap<T>(a: &mut T, b: &mut T) {
1660///     unsafe {
1661///         // Create a bitwise copy of the value at `a` in `tmp`.
1662///         let tmp = ptr::read(a);
1663///
1664///         // Exiting at this point (either by explicitly returning or by
1665///         // calling a function which panics) would cause the value in `tmp` to
1666///         // be dropped while the same value is still referenced by `a`. This
1667///         // could trigger undefined behavior if `T` is not `Copy`.
1668///
1669///         // Create a bitwise copy of the value at `b` in `a`.
1670///         // This is safe because mutable references cannot alias.
1671///         ptr::copy_nonoverlapping(b, a, 1);
1672///
1673///         // As above, exiting here could trigger undefined behavior because
1674///         // the same value is referenced by `a` and `b`.
1675///
1676///         // Move `tmp` into `b`.
1677///         ptr::write(b, tmp);
1678///
1679///         // `tmp` has been moved (`write` takes ownership of its second argument),
1680///         // so nothing is dropped implicitly here.
1681///     }
1682/// }
1683///
1684/// let mut foo = "foo".to_owned();
1685/// let mut bar = "bar".to_owned();
1686///
1687/// swap(&mut foo, &mut bar);
1688///
1689/// assert_eq!(foo, "bar");
1690/// assert_eq!(bar, "foo");
1691/// ```
1692///
1693/// ## Ownership of the Returned Value
1694///
1695/// `read` creates a bitwise copy of `T`, regardless of whether `T` is [`Copy`].
1696/// If `T` is not [`Copy`], using both the returned value and the value at
1697/// `*src` can violate memory safety. Note that assigning to `*src` counts as a
1698/// use because it will attempt to drop the value at `*src`.
1699///
1700/// [`write()`] can be used to overwrite data without causing it to be dropped.
1701///
1702/// ```
1703/// use std::ptr;
1704///
1705/// let mut s = String::from("foo");
1706/// unsafe {
1707///     // `s2` now points to the same underlying memory as `s`.
1708///     let mut s2: String = ptr::read(&s);
1709///
1710///     assert_eq!(s2, "foo");
1711///
1712///     // Assigning to `s2` causes its original value to be dropped. Beyond
1713///     // this point, `s` must no longer be used, as the underlying memory has
1714///     // been freed.
1715///     s2 = String::default();
1716///     assert_eq!(s2, "");
1717///
1718///     // Assigning to `s` would cause the old value to be dropped again,
1719///     // resulting in undefined behavior.
1720///     // s = String::from("bar"); // ERROR
1721///
1722///     // `ptr::write` can be used to overwrite a value without dropping it.
1723///     ptr::write(&mut s, String::from("bar"));
1724/// }
1725///
1726/// assert_eq!(s, "bar");
1727/// ```
1728///
1729/// [valid]: self#safety
1730#[inline]
1731#[stable(feature = "rust1", since = "1.0.0")]
1732#[rustc_const_stable(feature = "const_ptr_read", since = "1.71.0")]
1733#[track_caller]
1734#[rustc_diagnostic_item = "ptr_read"]
1735pub const unsafe fn read<T>(src: *const T) -> T {
1736    // It would be semantically correct to implement this via `copy_nonoverlapping`
1737    // and `MaybeUninit`, as was done before PR #109035. Calling `assume_init`
1738    // provides enough information to know that this is a typed operation.
1739
1740    // However, as of March 2023 the compiler was not capable of taking advantage
1741    // of that information. Thus, the implementation here switched to an intrinsic,
1742    // which lowers to `_0 = *src` in MIR, to address a few issues:
1743    //
1744    // - Using `MaybeUninit::assume_init` after a `copy_nonoverlapping` was not
1745    //   turning the untyped copy into a typed load. As such, the generated
1746    //   `load` in LLVM didn't get various metadata, such as `!range` (#73258),
1747    //   `!nonnull`, and `!noundef`, resulting in poorer optimization.
1748    // - Going through the extra local resulted in multiple extra copies, even
1749    //   in optimized MIR.  (Ignoring StorageLive/Dead, the intrinsic is one
1750    //   MIR statement, while the previous implementation was eight.)  LLVM
1751    //   could sometimes optimize them away, but because `read` is at the core
1752    //   of so many things, not having them in the first place improves what we
1753    //   hand off to the backend.  For example, `mem::replace::<Big>` previously
1754    //   emitted 4 `alloca` and 6 `memcpy`s, but is now 1 `alloc` and 3 `memcpy`s.
1755    // - In general, this approach keeps us from getting any more bugs (like
1756    //   #106369) that boil down to "`read(p)` is worse than `*p`", as this
1757    //   makes them look identical to the backend (or other MIR consumers).
1758    //
1759    // Future enhancements to MIR optimizations might well allow this to return
1760    // to the previous implementation, rather than using an intrinsic.
1761
1762    // SAFETY: the caller must guarantee that `src` is valid for reads.
1763    unsafe {
1764        #[cfg(debug_assertions)] // Too expensive to always enable (for now?)
1765        ub_checks::assert_unsafe_precondition!(
1766            check_language_ub,
1767            "ptr::read requires that the pointer argument is aligned and non-null",
1768            (
1769                addr: *const () = src as *const (),
1770                align: usize = align_of::<T>(),
1771                is_zst: bool = T::IS_ZST,
1772            ) => ub_checks::maybe_is_aligned_and_not_null(addr, align, is_zst)
1773        );
1774        crate::intrinsics::read_via_copy(src)
1775    }
1776}
1777
1778/// Reads the value from `src` without moving it. This leaves the
1779/// memory in `src` unchanged.
1780///
1781/// Unlike [`read`], `read_unaligned` works with unaligned pointers.
1782///
1783/// # Safety
1784///
1785/// Behavior is undefined if any of the following conditions are violated:
1786///
1787/// * `src` must be [valid] for reads.
1788///
1789/// * `src` must point to a properly initialized value of type `T`.
1790///
1791/// Like [`read`], `read_unaligned` creates a bitwise copy of `T`, regardless of
1792/// whether `T` is [`Copy`]. If `T` is not [`Copy`], using both the returned
1793/// value and the value at `*src` can [violate memory safety][read-ownership].
1794///
1795/// [read-ownership]: read#ownership-of-the-returned-value
1796/// [valid]: self#safety
1797///
1798/// ## On `packed` structs
1799///
1800/// Attempting to create a raw pointer to an `unaligned` struct field with
1801/// an expression such as `&packed.unaligned as *const FieldType` creates an
1802/// intermediate unaligned reference before converting that to a raw pointer.
1803/// That this reference is temporary and immediately cast is inconsequential
1804/// as the compiler always expects references to be properly aligned.
1805/// As a result, using `&packed.unaligned as *const FieldType` causes immediate
1806/// *undefined behavior* in your program.
1807///
1808/// Instead you must use the `&raw const` syntax to create the pointer.
1809/// You may use that constructed pointer together with this function.
1810///
1811/// An example of what not to do and how this relates to `read_unaligned` is:
1812///
1813/// ```
1814/// #[repr(packed, C)]
1815/// struct Packed {
1816///     _padding: u8,
1817///     unaligned: u32,
1818/// }
1819///
1820/// let packed = Packed {
1821///     _padding: 0x00,
1822///     unaligned: 0x01020304,
1823/// };
1824///
1825/// // Take the address of a 32-bit integer which is not aligned.
1826/// // In contrast to `&packed.unaligned as *const _`, this has no undefined behavior.
1827/// let unaligned = &raw const packed.unaligned;
1828///
1829/// let v = unsafe { std::ptr::read_unaligned(unaligned) };
1830/// assert_eq!(v, 0x01020304);
1831/// ```
1832///
1833/// Accessing unaligned fields directly with e.g. `packed.unaligned` is safe however.
1834///
1835/// # Examples
1836///
1837/// Read a `usize` value from a byte buffer:
1838///
1839/// ```
1840/// fn read_usize(x: &[u8]) -> usize {
1841///     assert!(x.len() >= size_of::<usize>());
1842///
1843///     let ptr = x.as_ptr() as *const usize;
1844///
1845///     unsafe { ptr.read_unaligned() }
1846/// }
1847/// ```
1848#[inline]
1849#[stable(feature = "ptr_unaligned", since = "1.17.0")]
1850#[rustc_const_stable(feature = "const_ptr_read", since = "1.71.0")]
1851#[track_caller]
1852#[rustc_diagnostic_item = "ptr_read_unaligned"]
1853#[cfg(not(feature = "ferrocene_certified"))]
1854pub const unsafe fn read_unaligned<T>(src: *const T) -> T {
1855    let mut tmp = MaybeUninit::<T>::uninit();
1856    // SAFETY: the caller must guarantee that `src` is valid for reads.
1857    // `src` cannot overlap `tmp` because `tmp` was just allocated on
1858    // the stack as a separate allocation.
1859    //
1860    // Also, since we just wrote a valid value into `tmp`, it is guaranteed
1861    // to be properly initialized.
1862    unsafe {
1863        copy_nonoverlapping(src as *const u8, tmp.as_mut_ptr() as *mut u8, size_of::<T>());
1864        tmp.assume_init()
1865    }
1866}
1867
1868/// Overwrites a memory location with the given value without reading or
1869/// dropping the old value.
1870///
1871/// `write` does not drop the contents of `dst`. This is safe, but it could leak
1872/// allocations or resources, so care should be taken not to overwrite an object
1873/// that should be dropped.
1874///
1875/// Additionally, it does not drop `src`. Semantically, `src` is moved into the
1876/// location pointed to by `dst`.
1877///
1878/// This is appropriate for initializing uninitialized memory, or overwriting
1879/// memory that has previously been [`read`] from.
1880///
1881/// # Safety
1882///
1883/// Behavior is undefined if any of the following conditions are violated:
1884///
1885/// * `dst` must be [valid] for writes.
1886///
1887/// * `dst` must be properly aligned. Use [`write_unaligned`] if this is not the
1888///   case.
1889///
1890/// Note that even if `T` has size `0`, the pointer must be properly aligned.
1891///
1892/// [valid]: self#safety
1893///
1894/// # Examples
1895///
1896/// Basic usage:
1897///
1898/// ```
1899/// let mut x = 0;
1900/// let y = &mut x as *mut i32;
1901/// let z = 12;
1902///
1903/// unsafe {
1904///     std::ptr::write(y, z);
1905///     assert_eq!(std::ptr::read(y), 12);
1906/// }
1907/// ```
1908///
1909/// Manually implement [`mem::swap`]:
1910///
1911/// ```
1912/// use std::ptr;
1913///
1914/// fn swap<T>(a: &mut T, b: &mut T) {
1915///     unsafe {
1916///         // Create a bitwise copy of the value at `a` in `tmp`.
1917///         let tmp = ptr::read(a);
1918///
1919///         // Exiting at this point (either by explicitly returning or by
1920///         // calling a function which panics) would cause the value in `tmp` to
1921///         // be dropped while the same value is still referenced by `a`. This
1922///         // could trigger undefined behavior if `T` is not `Copy`.
1923///
1924///         // Create a bitwise copy of the value at `b` in `a`.
1925///         // This is safe because mutable references cannot alias.
1926///         ptr::copy_nonoverlapping(b, a, 1);
1927///
1928///         // As above, exiting here could trigger undefined behavior because
1929///         // the same value is referenced by `a` and `b`.
1930///
1931///         // Move `tmp` into `b`.
1932///         ptr::write(b, tmp);
1933///
1934///         // `tmp` has been moved (`write` takes ownership of its second argument),
1935///         // so nothing is dropped implicitly here.
1936///     }
1937/// }
1938///
1939/// let mut foo = "foo".to_owned();
1940/// let mut bar = "bar".to_owned();
1941///
1942/// swap(&mut foo, &mut bar);
1943///
1944/// assert_eq!(foo, "bar");
1945/// assert_eq!(bar, "foo");
1946/// ```
1947#[inline]
1948#[stable(feature = "rust1", since = "1.0.0")]
1949#[rustc_const_stable(feature = "const_ptr_write", since = "1.83.0")]
1950#[rustc_diagnostic_item = "ptr_write"]
1951#[track_caller]
1952pub const unsafe fn write<T>(dst: *mut T, src: T) {
1953    // Semantically, it would be fine for this to be implemented as a
1954    // `copy_nonoverlapping` and appropriate drop suppression of `src`.
1955
1956    // However, implementing via that currently produces more MIR than is ideal.
1957    // Using an intrinsic keeps it down to just the simple `*dst = move src` in
1958    // MIR (11 statements shorter, at the time of writing), and also allows
1959    // `src` to stay an SSA value in codegen_ssa, rather than a memory one.
1960
1961    // SAFETY: the caller must guarantee that `dst` is valid for writes.
1962    // `dst` cannot overlap `src` because the caller has mutable access
1963    // to `dst` while `src` is owned by this function.
1964    unsafe {
1965        #[cfg(debug_assertions)] // Too expensive to always enable (for now?)
1966        ub_checks::assert_unsafe_precondition!(
1967            check_language_ub,
1968            "ptr::write requires that the pointer argument is aligned and non-null",
1969            (
1970                addr: *mut () = dst as *mut (),
1971                align: usize = align_of::<T>(),
1972                is_zst: bool = T::IS_ZST,
1973            ) => ub_checks::maybe_is_aligned_and_not_null(addr, align, is_zst)
1974        );
1975        intrinsics::write_via_move(dst, src)
1976    }
1977}
1978
1979/// Overwrites a memory location with the given value without reading or
1980/// dropping the old value.
1981///
1982/// Unlike [`write()`], the pointer may be unaligned.
1983///
1984/// `write_unaligned` does not drop the contents of `dst`. This is safe, but it
1985/// could leak allocations or resources, so care should be taken not to overwrite
1986/// an object that should be dropped.
1987///
1988/// Additionally, it does not drop `src`. Semantically, `src` is moved into the
1989/// location pointed to by `dst`.
1990///
1991/// This is appropriate for initializing uninitialized memory, or overwriting
1992/// memory that has previously been read with [`read_unaligned`].
1993///
1994/// # Safety
1995///
1996/// Behavior is undefined if any of the following conditions are violated:
1997///
1998/// * `dst` must be [valid] for writes.
1999///
2000/// [valid]: self#safety
2001///
2002/// ## On `packed` structs
2003///
2004/// Attempting to create a raw pointer to an `unaligned` struct field with
2005/// an expression such as `&packed.unaligned as *const FieldType` creates an
2006/// intermediate unaligned reference before converting that to a raw pointer.
2007/// That this reference is temporary and immediately cast is inconsequential
2008/// as the compiler always expects references to be properly aligned.
2009/// As a result, using `&packed.unaligned as *const FieldType` causes immediate
2010/// *undefined behavior* in your program.
2011///
2012/// Instead, you must use the `&raw mut` syntax to create the pointer.
2013/// You may use that constructed pointer together with this function.
2014///
2015/// An example of how to do it and how this relates to `write_unaligned` is:
2016///
2017/// ```
2018/// #[repr(packed, C)]
2019/// struct Packed {
2020///     _padding: u8,
2021///     unaligned: u32,
2022/// }
2023///
2024/// let mut packed: Packed = unsafe { std::mem::zeroed() };
2025///
2026/// // Take the address of a 32-bit integer which is not aligned.
2027/// // In contrast to `&packed.unaligned as *mut _`, this has no undefined behavior.
2028/// let unaligned = &raw mut packed.unaligned;
2029///
2030/// unsafe { std::ptr::write_unaligned(unaligned, 42) };
2031///
2032/// assert_eq!({packed.unaligned}, 42); // `{...}` forces copying the field instead of creating a reference.
2033/// ```
2034///
2035/// Accessing unaligned fields directly with e.g. `packed.unaligned` is safe however
2036/// (as can be seen in the `assert_eq!` above).
2037///
2038/// # Examples
2039///
2040/// Write a `usize` value to a byte buffer:
2041///
2042/// ```
2043/// fn write_usize(x: &mut [u8], val: usize) {
2044///     assert!(x.len() >= size_of::<usize>());
2045///
2046///     let ptr = x.as_mut_ptr() as *mut usize;
2047///
2048///     unsafe { ptr.write_unaligned(val) }
2049/// }
2050/// ```
2051#[inline]
2052#[stable(feature = "ptr_unaligned", since = "1.17.0")]
2053#[rustc_const_stable(feature = "const_ptr_write", since = "1.83.0")]
2054#[rustc_diagnostic_item = "ptr_write_unaligned"]
2055#[track_caller]
2056#[cfg(not(feature = "ferrocene_certified"))]
2057pub const unsafe fn write_unaligned<T>(dst: *mut T, src: T) {
2058    // SAFETY: the caller must guarantee that `dst` is valid for writes.
2059    // `dst` cannot overlap `src` because the caller has mutable access
2060    // to `dst` while `src` is owned by this function.
2061    unsafe {
2062        copy_nonoverlapping((&raw const src) as *const u8, dst as *mut u8, size_of::<T>());
2063        // We are calling the intrinsic directly to avoid function calls in the generated code.
2064        intrinsics::forget(src);
2065    }
2066}
2067
2068/// Performs a volatile read of the value from `src` without moving it.
2069///
2070/// Volatile operations are intended to act on I/O memory. As such, they are considered externally
2071/// observable events (just like syscalls, but less opaque), and are guaranteed to not be elided or
2072/// reordered by the compiler across other externally observable events. With this in mind, there
2073/// are two cases of usage that need to be distinguished:
2074///
2075/// - When a volatile operation is used for memory inside an [allocation], it behaves exactly like
2076///   [`read`], except for the additional guarantee that it won't be elided or reordered (see
2077///   above). This implies that the operation will actually access memory and not e.g. be lowered to
2078///   reusing data from a previous read. Other than that, all the usual rules for memory accesses
2079///   apply (including provenance).  In particular, just like in C, whether an operation is volatile
2080///   has no bearing whatsoever on questions involving concurrent accesses from multiple threads.
2081///   Volatile accesses behave exactly like non-atomic accesses in that regard.
2082///
2083/// - Volatile operations, however, may also be used to access memory that is _outside_ of any Rust
2084///   allocation. In this use-case, the pointer does *not* have to be [valid] for reads. This is
2085///   typically used for CPU and peripheral registers that must be accessed via an I/O memory
2086///   mapping, most commonly at fixed addresses reserved by the hardware. These often have special
2087///   semantics associated to their manipulation, and cannot be used as general purpose memory.
2088///   Here, any address value is possible, including 0 and [`usize::MAX`], so long as the semantics
2089///   of such a read are well-defined by the target hardware. The provenance of the pointer is
2090///   irrelevant, and it can be created with [`without_provenance`]. The access must not trap. It
2091///   can cause side-effects, but those must not affect Rust-allocated memory in any way. This
2092///   access is still not considered [atomic], and as such it cannot be used for inter-thread
2093///   synchronization.
2094///
2095/// Note that volatile memory operations where T is a zero-sized type are noops and may be ignored.
2096///
2097/// [allocation]: crate::ptr#allocated-object
2098/// [atomic]: crate::sync::atomic#memory-model-for-atomic-accesses
2099///
2100/// # Safety
2101///
2102/// Like [`read`], `read_volatile` creates a bitwise copy of `T`, regardless of whether `T` is
2103/// [`Copy`]. If `T` is not [`Copy`], using both the returned value and the value at `*src` can
2104/// [violate memory safety][read-ownership]. However, storing non-[`Copy`] types in volatile memory
2105/// is almost certainly incorrect.
2106///
2107/// Behavior is undefined if any of the following conditions are violated:
2108///
2109/// * `src` must be either [valid] for reads, or it must point to memory outside of all Rust
2110///   allocations and reading from that memory must:
2111///   - not trap, and
2112///   - not cause any memory inside a Rust allocation to be modified.
2113///
2114/// * `src` must be properly aligned.
2115///
2116/// * Reading from `src` must produce a properly initialized value of type `T`.
2117///
2118/// Note that even if `T` has size `0`, the pointer must be properly aligned.
2119///
2120/// [valid]: self#safety
2121/// [read-ownership]: read#ownership-of-the-returned-value
2122///
2123/// # Examples
2124///
2125/// Basic usage:
2126///
2127/// ```
2128/// let x = 12;
2129/// let y = &x as *const i32;
2130///
2131/// unsafe {
2132///     assert_eq!(std::ptr::read_volatile(y), 12);
2133/// }
2134/// ```
2135#[inline]
2136#[stable(feature = "volatile", since = "1.9.0")]
2137#[track_caller]
2138#[rustc_diagnostic_item = "ptr_read_volatile"]
2139#[cfg(not(feature = "ferrocene_certified"))]
2140pub unsafe fn read_volatile<T>(src: *const T) -> T {
2141    // SAFETY: the caller must uphold the safety contract for `volatile_load`.
2142    unsafe {
2143        ub_checks::assert_unsafe_precondition!(
2144            check_language_ub,
2145            "ptr::read_volatile requires that the pointer argument is aligned",
2146            (
2147                addr: *const () = src as *const (),
2148                align: usize = align_of::<T>(),
2149            ) => ub_checks::maybe_is_aligned(addr, align)
2150        );
2151        intrinsics::volatile_load(src)
2152    }
2153}
2154
2155/// Performs a volatile write of a memory location with the given value without reading or dropping
2156/// the old value.
2157///
2158/// Volatile operations are intended to act on I/O memory. As such, they are considered externally
2159/// observable events (just like syscalls), and are guaranteed to not be elided or reordered by the
2160/// compiler across other externally observable events. With this in mind, there are two cases of
2161/// usage that need to be distinguished:
2162///
2163/// - When a volatile operation is used for memory inside an [allocation], it behaves exactly like
2164///   [`write`][write()], except for the additional guarantee that it won't be elided or reordered
2165///   (see above). This implies that the operation will actually access memory and not e.g. be
2166///   lowered to a register access. Other than that, all the usual rules for memory accesses apply
2167///   (including provenance). In particular, just like in C, whether an operation is volatile has no
2168///   bearing whatsoever on questions involving concurrent access from multiple threads. Volatile
2169///   accesses behave exactly like non-atomic accesses in that regard.
2170///
2171/// - Volatile operations, however, may also be used to access memory that is _outside_ of any Rust
2172///   allocation. In this use-case, the pointer does *not* have to be [valid] for writes. This is
2173///   typically used for CPU and peripheral registers that must be accessed via an I/O memory
2174///   mapping, most commonly at fixed addresses reserved by the hardware. These often have special
2175///   semantics associated to their manipulation, and cannot be used as general purpose memory.
2176///   Here, any address value is possible, including 0 and [`usize::MAX`], so long as the semantics
2177///   of such a write are well-defined by the target hardware. The provenance of the pointer is
2178///   irrelevant, and it can be created with [`without_provenance`]. The access must not trap. It
2179///   can cause side-effects, but those must not affect Rust-allocated memory in any way. This
2180///   access is still not considered [atomic], and as such it cannot be used for inter-thread
2181///   synchronization.
2182///
2183/// Note that volatile memory operations on zero-sized types (e.g., if a zero-sized type is passed
2184/// to `write_volatile`) are noops and may be ignored.
2185///
2186/// `write_volatile` does not drop the contents of `dst`. This is safe, but it could leak
2187/// allocations or resources, so care should be taken not to overwrite an object that should be
2188/// dropped when operating on Rust memory. Additionally, it does not drop `src`. Semantically, `src`
2189/// is moved into the location pointed to by `dst`.
2190///
2191/// [allocation]: crate::ptr#allocated-object
2192/// [atomic]: crate::sync::atomic#memory-model-for-atomic-accesses
2193///
2194/// # Safety
2195///
2196/// Behavior is undefined if any of the following conditions are violated:
2197///
2198/// * `dst` must be either [valid] for writes, or it must point to memory outside of all Rust
2199///   allocations and writing to that memory must:
2200///   - not trap, and
2201///   - not cause any memory inside a Rust allocation to be modified.
2202///
2203/// * `dst` must be properly aligned.
2204///
2205/// Note that even if `T` has size `0`, the pointer must be properly aligned.
2206///
2207/// [valid]: self#safety
2208///
2209/// # Examples
2210///
2211/// Basic usage:
2212///
2213/// ```
2214/// let mut x = 0;
2215/// let y = &mut x as *mut i32;
2216/// let z = 12;
2217///
2218/// unsafe {
2219///     std::ptr::write_volatile(y, z);
2220///     assert_eq!(std::ptr::read_volatile(y), 12);
2221/// }
2222/// ```
2223#[inline]
2224#[stable(feature = "volatile", since = "1.9.0")]
2225#[rustc_diagnostic_item = "ptr_write_volatile"]
2226#[track_caller]
2227#[cfg(not(feature = "ferrocene_certified"))]
2228pub unsafe fn write_volatile<T>(dst: *mut T, src: T) {
2229    // SAFETY: the caller must uphold the safety contract for `volatile_store`.
2230    unsafe {
2231        ub_checks::assert_unsafe_precondition!(
2232            check_language_ub,
2233            "ptr::write_volatile requires that the pointer argument is aligned",
2234            (
2235                addr: *mut () = dst as *mut (),
2236                align: usize = align_of::<T>(),
2237            ) => ub_checks::maybe_is_aligned(addr, align)
2238        );
2239        intrinsics::volatile_store(dst, src);
2240    }
2241}
2242
2243/// Calculate an element-offset that increases a pointer's alignment.
2244///
2245/// Calculate an element-offset (not byte-offset) that when added to a given pointer `p`, increases `p`'s alignment to at least the given alignment `a`.
2246///
2247/// # Safety
2248/// `a` must be a power of two.
2249///
2250/// # Notes
2251/// This implementation has been carefully tailored to not panic. It is UB for this to panic.
2252/// The only real change that can be made here is change of `INV_TABLE_MOD_16` and associated
2253/// constants.
2254///
2255/// If we ever decide to make it possible to call the intrinsic with `a` that is not a
2256/// power-of-two, it will probably be more prudent to just change to a naive implementation rather
2257/// than trying to adapt this to accommodate that change.
2258///
2259/// Any questions go to @nagisa.
2260#[allow(ptr_to_integer_transmute_in_consts)]
2261#[cfg(not(feature = "ferrocene_certified"))]
2262pub(crate) unsafe fn align_offset<T: Sized>(p: *const T, a: usize) -> usize {
2263    // FIXME(#75598): Direct use of these intrinsics improves codegen significantly at opt-level <=
2264    // 1, where the method versions of these operations are not inlined.
2265    use intrinsics::{
2266        assume, cttz_nonzero, exact_div, mul_with_overflow, unchecked_rem, unchecked_shl,
2267        unchecked_shr, unchecked_sub, wrapping_add, wrapping_mul, wrapping_sub,
2268    };
2269
2270    /// Calculate multiplicative modular inverse of `x` modulo `m`.
2271    ///
2272    /// This implementation is tailored for `align_offset` and has following preconditions:
2273    ///
2274    /// * `m` is a power-of-two;
2275    /// * `x < m`; (if `x ≥ m`, pass in `x % m` instead)
2276    ///
2277    /// Implementation of this function shall not panic. Ever.
2278    #[inline]
2279    const unsafe fn mod_inv(x: usize, m: usize) -> usize {
2280        /// Multiplicative modular inverse table modulo 2⁴ = 16.
2281        ///
2282        /// Note, that this table does not contain values where inverse does not exist (i.e., for
2283        /// `0⁻¹ mod 16`, `2⁻¹ mod 16`, etc.)
2284        const INV_TABLE_MOD_16: [u8; 8] = [1, 11, 13, 7, 9, 3, 5, 15];
2285        /// Modulo for which the `INV_TABLE_MOD_16` is intended.
2286        const INV_TABLE_MOD: usize = 16;
2287
2288        // SAFETY: `m` is required to be a power-of-two, hence non-zero.
2289        let m_minus_one = unsafe { unchecked_sub(m, 1) };
2290        let mut inverse = INV_TABLE_MOD_16[(x & (INV_TABLE_MOD - 1)) >> 1] as usize;
2291        let mut mod_gate = INV_TABLE_MOD;
2292        // We iterate "up" using the following formula:
2293        //
2294        // $$ xy ≡ 1 (mod 2ⁿ) → xy (2 - xy) ≡ 1 (mod 2²ⁿ) $$
2295        //
2296        // This application needs to be applied at least until `2²ⁿ ≥ m`, at which point we can
2297        // finally reduce the computation to our desired `m` by taking `inverse mod m`.
2298        //
2299        // This computation is `O(log log m)`, which is to say, that on 64-bit machines this loop
2300        // will always finish in at most 4 iterations.
2301        loop {
2302            // y = y * (2 - xy) mod n
2303            //
2304            // Note, that we use wrapping operations here intentionally – the original formula
2305            // uses e.g., subtraction `mod n`. It is entirely fine to do them `mod
2306            // usize::MAX` instead, because we take the result `mod n` at the end
2307            // anyway.
2308            if mod_gate >= m {
2309                break;
2310            }
2311            inverse = wrapping_mul(inverse, wrapping_sub(2usize, wrapping_mul(x, inverse)));
2312            let (new_gate, overflow) = mul_with_overflow(mod_gate, mod_gate);
2313            if overflow {
2314                break;
2315            }
2316            mod_gate = new_gate;
2317        }
2318        inverse & m_minus_one
2319    }
2320
2321    let stride = size_of::<T>();
2322
2323    let addr: usize = p.addr();
2324
2325    // SAFETY: `a` is a power-of-two, therefore non-zero.
2326    let a_minus_one = unsafe { unchecked_sub(a, 1) };
2327
2328    if stride == 0 {
2329        // SPECIAL_CASE: handle 0-sized types. No matter how many times we step, the address will
2330        // stay the same, so no offset will be able to align the pointer unless it is already
2331        // aligned. This branch _will_ be optimized out as `stride` is known at compile-time.
2332        let p_mod_a = addr & a_minus_one;
2333        return if p_mod_a == 0 { 0 } else { usize::MAX };
2334    }
2335
2336    // SAFETY: `stride == 0` case has been handled by the special case above.
2337    let a_mod_stride = unsafe { unchecked_rem(a, stride) };
2338    if a_mod_stride == 0 {
2339        // SPECIAL_CASE: In cases where the `a` is divisible by `stride`, byte offset to align a
2340        // pointer can be computed more simply through `-p (mod a)`. In the off-chance the byte
2341        // offset is not a multiple of `stride`, the input pointer was misaligned and no pointer
2342        // offset will be able to produce a `p` aligned to the specified `a`.
2343        //
2344        // The naive `-p (mod a)` equation inhibits LLVM's ability to select instructions
2345        // like `lea`. We compute `(round_up_to_next_alignment(p, a) - p)` instead. This
2346        // redistributes operations around the load-bearing, but pessimizing `and` instruction
2347        // sufficiently for LLVM to be able to utilize the various optimizations it knows about.
2348        //
2349        // LLVM handles the branch here particularly nicely. If this branch needs to be evaluated
2350        // at runtime, it will produce a mask `if addr_mod_stride == 0 { 0 } else { usize::MAX }`
2351        // in a branch-free way and then bitwise-OR it with whatever result the `-p mod a`
2352        // computation produces.
2353
2354        let aligned_address = wrapping_add(addr, a_minus_one) & wrapping_sub(0, a);
2355        let byte_offset = wrapping_sub(aligned_address, addr);
2356        // FIXME: Remove the assume after <https://github.com/llvm/llvm-project/issues/62502>
2357        // SAFETY: Masking by `-a` can only affect the low bits, and thus cannot have reduced
2358        // the value by more than `a-1`, so even though the intermediate values might have
2359        // wrapped, the byte_offset is always in `[0, a)`.
2360        unsafe { assume(byte_offset < a) };
2361
2362        // SAFETY: `stride == 0` case has been handled by the special case above.
2363        let addr_mod_stride = unsafe { unchecked_rem(addr, stride) };
2364
2365        return if addr_mod_stride == 0 {
2366            // SAFETY: `stride` is non-zero. This is guaranteed to divide exactly as well, because
2367            // addr has been verified to be aligned to the original type’s alignment requirements.
2368            unsafe { exact_div(byte_offset, stride) }
2369        } else {
2370            usize::MAX
2371        };
2372    }
2373
2374    // GENERAL_CASE: From here on we’re handling the very general case where `addr` may be
2375    // misaligned, there isn’t an obvious relationship between `stride` and `a` that we can take an
2376    // advantage of, etc. This case produces machine code that isn’t particularly high quality,
2377    // compared to the special cases above. The code produced here is still within the realm of
2378    // miracles, given the situations this case has to deal with.
2379
2380    // SAFETY: a is power-of-two hence non-zero. stride == 0 case is handled above.
2381    // FIXME(const-hack) replace with min
2382    let gcdpow = unsafe {
2383        let x = cttz_nonzero(stride);
2384        let y = cttz_nonzero(a);
2385        if x < y { x } else { y }
2386    };
2387    // SAFETY: gcdpow has an upper-bound that’s at most the number of bits in a `usize`.
2388    let gcd = unsafe { unchecked_shl(1usize, gcdpow) };
2389    // SAFETY: gcd is always greater or equal to 1.
2390    if addr & unsafe { unchecked_sub(gcd, 1) } == 0 {
2391        // This branch solves for the following linear congruence equation:
2392        //
2393        // ` p + so = 0 mod a `
2394        //
2395        // `p` here is the pointer value, `s` - stride of `T`, `o` offset in `T`s, and `a` - the
2396        // requested alignment.
2397        //
2398        // With `g = gcd(a, s)`, and the above condition asserting that `p` is also divisible by
2399        // `g`, we can denote `a' = a/g`, `s' = s/g`, `p' = p/g`, then this becomes equivalent to:
2400        //
2401        // ` p' + s'o = 0 mod a' `
2402        // ` o = (a' - (p' mod a')) * (s'^-1 mod a') `
2403        //
2404        // The first term is "the relative alignment of `p` to `a`" (divided by the `g`), the
2405        // second term is "how does incrementing `p` by `s` bytes change the relative alignment of
2406        // `p`" (again divided by `g`). Division by `g` is necessary to make the inverse well
2407        // formed if `a` and `s` are not co-prime.
2408        //
2409        // Furthermore, the result produced by this solution is not "minimal", so it is necessary
2410        // to take the result `o mod lcm(s, a)`. This `lcm(s, a)` is the same as `a'`.
2411
2412        // SAFETY: `gcdpow` has an upper-bound not greater than the number of trailing 0-bits in
2413        // `a`.
2414        let a2 = unsafe { unchecked_shr(a, gcdpow) };
2415        // SAFETY: `a2` is non-zero. Shifting `a` by `gcdpow` cannot shift out any of the set bits
2416        // in `a` (of which it has exactly one).
2417        let a2minus1 = unsafe { unchecked_sub(a2, 1) };
2418        // SAFETY: `gcdpow` has an upper-bound not greater than the number of trailing 0-bits in
2419        // `a`.
2420        let s2 = unsafe { unchecked_shr(stride & a_minus_one, gcdpow) };
2421        // SAFETY: `gcdpow` has an upper-bound not greater than the number of trailing 0-bits in
2422        // `a`. Furthermore, the subtraction cannot overflow, because `a2 = a >> gcdpow` will
2423        // always be strictly greater than `(p % a) >> gcdpow`.
2424        let minusp2 = unsafe { unchecked_sub(a2, unchecked_shr(addr & a_minus_one, gcdpow)) };
2425        // SAFETY: `a2` is a power-of-two, as proven above. `s2` is strictly less than `a2`
2426        // because `(s % a) >> gcdpow` is strictly less than `a >> gcdpow`.
2427        return wrapping_mul(minusp2, unsafe { mod_inv(s2, a2) }) & a2minus1;
2428    }
2429
2430    // Cannot be aligned at all.
2431    usize::MAX
2432}
2433
2434/// Compares raw pointers for equality.
2435///
2436/// This is the same as using the `==` operator, but less generic:
2437/// the arguments have to be `*const T` raw pointers,
2438/// not anything that implements `PartialEq`.
2439///
2440/// This can be used to compare `&T` references (which coerce to `*const T` implicitly)
2441/// by their address rather than comparing the values they point to
2442/// (which is what the `PartialEq for &T` implementation does).
2443///
2444/// When comparing wide pointers, both the address and the metadata are tested for equality.
2445/// However, note that comparing trait object pointers (`*const dyn Trait`) is unreliable: pointers
2446/// to values of the same underlying type can compare inequal (because vtables are duplicated in
2447/// multiple codegen units), and pointers to values of *different* underlying type can compare equal
2448/// (since identical vtables can be deduplicated within a codegen unit).
2449///
2450/// # Examples
2451///
2452/// ```
2453/// use std::ptr;
2454///
2455/// let five = 5;
2456/// let other_five = 5;
2457/// let five_ref = &five;
2458/// let same_five_ref = &five;
2459/// let other_five_ref = &other_five;
2460///
2461/// assert!(five_ref == same_five_ref);
2462/// assert!(ptr::eq(five_ref, same_five_ref));
2463///
2464/// assert!(five_ref == other_five_ref);
2465/// assert!(!ptr::eq(five_ref, other_five_ref));
2466/// ```
2467///
2468/// Slices are also compared by their length (fat pointers):
2469///
2470/// ```
2471/// let a = [1, 2, 3];
2472/// assert!(std::ptr::eq(&a[..3], &a[..3]));
2473/// assert!(!std::ptr::eq(&a[..2], &a[..3]));
2474/// assert!(!std::ptr::eq(&a[0..2], &a[1..3]));
2475/// ```
2476#[stable(feature = "ptr_eq", since = "1.17.0")]
2477#[inline(always)]
2478#[must_use = "pointer comparison produces a value"]
2479#[rustc_diagnostic_item = "ptr_eq"]
2480#[allow(ambiguous_wide_pointer_comparisons)] // it's actually clear here
2481#[cfg(not(feature = "ferrocene_certified"))]
2482pub fn eq<T: PointeeSized>(a: *const T, b: *const T) -> bool {
2483    a == b
2484}
2485
2486/// Compares the *addresses* of the two pointers for equality,
2487/// ignoring any metadata in fat pointers.
2488///
2489/// If the arguments are thin pointers of the same type,
2490/// then this is the same as [`eq`].
2491///
2492/// # Examples
2493///
2494/// ```
2495/// use std::ptr;
2496///
2497/// let whole: &[i32; 3] = &[1, 2, 3];
2498/// let first: &i32 = &whole[0];
2499///
2500/// assert!(ptr::addr_eq(whole, first));
2501/// assert!(!ptr::eq::<dyn std::fmt::Debug>(whole, first));
2502/// ```
2503#[stable(feature = "ptr_addr_eq", since = "1.76.0")]
2504#[inline(always)]
2505#[must_use = "pointer comparison produces a value"]
2506#[cfg(not(feature = "ferrocene_certified"))]
2507pub fn addr_eq<T: PointeeSized, U: PointeeSized>(p: *const T, q: *const U) -> bool {
2508    (p as *const ()) == (q as *const ())
2509}
2510
2511/// Compares the *addresses* of the two function pointers for equality.
2512///
2513/// This is the same as `f == g`, but using this function makes clear that the potentially
2514/// surprising semantics of function pointer comparison are involved.
2515///
2516/// There are **very few guarantees** about how functions are compiled and they have no intrinsic
2517/// “identity”; in particular, this comparison:
2518///
2519/// * May return `true` unexpectedly, in cases where functions are equivalent.
2520///
2521///   For example, the following program is likely (but not guaranteed) to print `(true, true)`
2522///   when compiled with optimization:
2523///
2524///   ```
2525///   let f: fn(i32) -> i32 = |x| x;
2526///   let g: fn(i32) -> i32 = |x| x + 0;  // different closure, different body
2527///   let h: fn(u32) -> u32 = |x| x + 0;  // different signature too
2528///   dbg!(std::ptr::fn_addr_eq(f, g), std::ptr::fn_addr_eq(f, h)); // not guaranteed to be equal
2529///   ```
2530///
2531/// * May return `false` in any case.
2532///
2533///   This is particularly likely with generic functions but may happen with any function.
2534///   (From an implementation perspective, this is possible because functions may sometimes be
2535///   processed more than once by the compiler, resulting in duplicate machine code.)
2536///
2537/// Despite these false positives and false negatives, this comparison can still be useful.
2538/// Specifically, if
2539///
2540/// * `T` is the same type as `U`, `T` is a [subtype] of `U`, or `U` is a [subtype] of `T`, and
2541/// * `ptr::fn_addr_eq(f, g)` returns true,
2542///
2543/// then calling `f` and calling `g` will be equivalent.
2544///
2545///
2546/// # Examples
2547///
2548/// ```
2549/// use std::ptr;
2550///
2551/// fn a() { println!("a"); }
2552/// fn b() { println!("b"); }
2553/// assert!(!ptr::fn_addr_eq(a as fn(), b as fn()));
2554/// ```
2555///
2556/// [subtype]: https://doc.rust-lang.org/reference/subtyping.html
2557#[stable(feature = "ptr_fn_addr_eq", since = "1.85.0")]
2558#[inline(always)]
2559#[must_use = "function pointer comparison produces a value"]
2560#[cfg(not(feature = "ferrocene_certified"))]
2561pub fn fn_addr_eq<T: FnPtr, U: FnPtr>(f: T, g: U) -> bool {
2562    f.addr() == g.addr()
2563}
2564
2565/// Hash a raw pointer.
2566///
2567/// This can be used to hash a `&T` reference (which coerces to `*const T` implicitly)
2568/// by its address rather than the value it points to
2569/// (which is what the `Hash for &T` implementation does).
2570///
2571/// # Examples
2572///
2573/// ```
2574/// use std::hash::{DefaultHasher, Hash, Hasher};
2575/// use std::ptr;
2576///
2577/// let five = 5;
2578/// let five_ref = &five;
2579///
2580/// let mut hasher = DefaultHasher::new();
2581/// ptr::hash(five_ref, &mut hasher);
2582/// let actual = hasher.finish();
2583///
2584/// let mut hasher = DefaultHasher::new();
2585/// (five_ref as *const i32).hash(&mut hasher);
2586/// let expected = hasher.finish();
2587///
2588/// assert_eq!(actual, expected);
2589/// ```
2590#[stable(feature = "ptr_hash", since = "1.35.0")]
2591#[cfg(not(feature = "ferrocene_certified"))]
2592pub fn hash<T: PointeeSized, S: hash::Hasher>(hashee: *const T, into: &mut S) {
2593    use crate::hash::Hash;
2594    hashee.hash(into);
2595}
2596
2597#[stable(feature = "fnptr_impls", since = "1.4.0")]
2598#[cfg(not(feature = "ferrocene_certified"))]
2599impl<F: FnPtr> PartialEq for F {
2600    #[inline]
2601    fn eq(&self, other: &Self) -> bool {
2602        self.addr() == other.addr()
2603    }
2604}
2605#[stable(feature = "fnptr_impls", since = "1.4.0")]
2606#[cfg(not(feature = "ferrocene_certified"))]
2607impl<F: FnPtr> Eq for F {}
2608
2609#[stable(feature = "fnptr_impls", since = "1.4.0")]
2610#[cfg(not(feature = "ferrocene_certified"))]
2611impl<F: FnPtr> PartialOrd for F {
2612    #[inline]
2613    fn partial_cmp(&self, other: &Self) -> Option<Ordering> {
2614        self.addr().partial_cmp(&other.addr())
2615    }
2616}
2617#[stable(feature = "fnptr_impls", since = "1.4.0")]
2618#[cfg(not(feature = "ferrocene_certified"))]
2619impl<F: FnPtr> Ord for F {
2620    #[inline]
2621    fn cmp(&self, other: &Self) -> Ordering {
2622        self.addr().cmp(&other.addr())
2623    }
2624}
2625
2626#[stable(feature = "fnptr_impls", since = "1.4.0")]
2627#[cfg(not(feature = "ferrocene_certified"))]
2628impl<F: FnPtr> hash::Hash for F {
2629    fn hash<HH: hash::Hasher>(&self, state: &mut HH) {
2630        state.write_usize(self.addr() as _)
2631    }
2632}
2633
2634#[stable(feature = "fnptr_impls", since = "1.4.0")]
2635#[cfg(not(feature = "ferrocene_certified"))]
2636impl<F: FnPtr> fmt::Pointer for F {
2637    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
2638        fmt::pointer_fmt_inner(self.addr() as _, f)
2639    }
2640}
2641
2642#[stable(feature = "fnptr_impls", since = "1.4.0")]
2643#[cfg(not(feature = "ferrocene_certified"))]
2644impl<F: FnPtr> fmt::Debug for F {
2645    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
2646        fmt::pointer_fmt_inner(self.addr() as _, f)
2647    }
2648}
2649
2650/// Creates a `const` raw pointer to a place, without creating an intermediate reference.
2651///
2652/// `addr_of!(expr)` is equivalent to `&raw const expr`. The macro is *soft-deprecated*;
2653/// use `&raw const` instead.
2654///
2655/// It is still an open question under which conditions writing through an `addr_of!`-created
2656/// pointer is permitted. If the place `expr` evaluates to is based on a raw pointer, then the
2657/// result of `addr_of!` inherits all permissions from that raw pointer. However, if the place is
2658/// based on a reference, local variable, or `static`, then until all details are decided, the same
2659/// rules as for shared references apply: it is UB to write through a pointer created with this
2660/// operation, except for bytes located inside an `UnsafeCell`. Use `&raw mut` (or [`addr_of_mut`])
2661/// to create a raw pointer that definitely permits mutation.
2662///
2663/// Creating a reference with `&`/`&mut` is only allowed if the pointer is properly aligned
2664/// and points to initialized data. For cases where those requirements do not hold,
2665/// raw pointers should be used instead. However, `&expr as *const _` creates a reference
2666/// before casting it to a raw pointer, and that reference is subject to the same rules
2667/// as all other references. This macro can create a raw pointer *without* creating
2668/// a reference first.
2669///
2670/// See [`addr_of_mut`] for how to create a pointer to uninitialized data.
2671/// Doing that with `addr_of` would not make much sense since one could only
2672/// read the data, and that would be Undefined Behavior.
2673///
2674/// # Safety
2675///
2676/// The `expr` in `addr_of!(expr)` is evaluated as a place expression, but never loads from the
2677/// place or requires the place to be dereferenceable. This means that `addr_of!((*ptr).field)`
2678/// still requires the projection to `field` to be in-bounds, using the same rules as [`offset`].
2679/// However, `addr_of!(*ptr)` is defined behavior even if `ptr` is null, dangling, or misaligned.
2680///
2681/// Note that `Deref`/`Index` coercions (and their mutable counterparts) are applied inside
2682/// `addr_of!` like everywhere else, in which case a reference is created to call `Deref::deref` or
2683/// `Index::index`, respectively. The statements above only apply when no such coercions are
2684/// applied.
2685///
2686/// [`offset`]: pointer::offset
2687///
2688/// # Example
2689///
2690/// **Correct usage: Creating a pointer to unaligned data**
2691///
2692/// ```
2693/// use std::ptr;
2694///
2695/// #[repr(packed)]
2696/// struct Packed {
2697///     f1: u8,
2698///     f2: u16,
2699/// }
2700///
2701/// let packed = Packed { f1: 1, f2: 2 };
2702/// // `&packed.f2` would create an unaligned reference, and thus be Undefined Behavior!
2703/// let raw_f2 = ptr::addr_of!(packed.f2);
2704/// assert_eq!(unsafe { raw_f2.read_unaligned() }, 2);
2705/// ```
2706///
2707/// **Incorrect usage: Out-of-bounds fields projection**
2708///
2709/// ```rust,no_run
2710/// use std::ptr;
2711///
2712/// #[repr(C)]
2713/// struct MyStruct {
2714///     field1: i32,
2715///     field2: i32,
2716/// }
2717///
2718/// let ptr: *const MyStruct = ptr::null();
2719/// let fieldptr = unsafe { ptr::addr_of!((*ptr).field2) }; // Undefined Behavior ⚠️
2720/// ```
2721///
2722/// The field projection `.field2` would offset the pointer by 4 bytes,
2723/// but the pointer is not in-bounds of an allocation for 4 bytes,
2724/// so this offset is Undefined Behavior.
2725/// See the [`offset`] docs for a full list of requirements for inbounds pointer arithmetic; the
2726/// same requirements apply to field projections, even inside `addr_of!`. (In particular, it makes
2727/// no difference whether the pointer is null or dangling.)
2728#[stable(feature = "raw_ref_macros", since = "1.51.0")]
2729#[rustc_macro_transparency = "semitransparent"]
2730#[cfg(not(feature = "ferrocene_certified"))]
2731pub macro addr_of($place:expr) {
2732    &raw const $place
2733}
2734
2735/// Creates a `mut` raw pointer to a place, without creating an intermediate reference.
2736///
2737/// `addr_of_mut!(expr)` is equivalent to `&raw mut expr`. The macro is *soft-deprecated*;
2738/// use `&raw mut` instead.
2739///
2740/// Creating a reference with `&`/`&mut` is only allowed if the pointer is properly aligned
2741/// and points to initialized data. For cases where those requirements do not hold,
2742/// raw pointers should be used instead. However, `&mut expr as *mut _` creates a reference
2743/// before casting it to a raw pointer, and that reference is subject to the same rules
2744/// as all other references. This macro can create a raw pointer *without* creating
2745/// a reference first.
2746///
2747/// # Safety
2748///
2749/// The `expr` in `addr_of_mut!(expr)` is evaluated as a place expression, but never loads from the
2750/// place or requires the place to be dereferenceable. This means that `addr_of_mut!((*ptr).field)`
2751/// still requires the projection to `field` to be in-bounds, using the same rules as [`offset`].
2752/// However, `addr_of_mut!(*ptr)` is defined behavior even if `ptr` is null, dangling, or misaligned.
2753///
2754/// Note that `Deref`/`Index` coercions (and their mutable counterparts) are applied inside
2755/// `addr_of_mut!` like everywhere else, in which case a reference is created to call `Deref::deref`
2756/// or `Index::index`, respectively. The statements above only apply when no such coercions are
2757/// applied.
2758///
2759/// [`offset`]: pointer::offset
2760///
2761/// # Examples
2762///
2763/// **Correct usage: Creating a pointer to unaligned data**
2764///
2765/// ```
2766/// use std::ptr;
2767///
2768/// #[repr(packed)]
2769/// struct Packed {
2770///     f1: u8,
2771///     f2: u16,
2772/// }
2773///
2774/// let mut packed = Packed { f1: 1, f2: 2 };
2775/// // `&mut packed.f2` would create an unaligned reference, and thus be Undefined Behavior!
2776/// let raw_f2 = ptr::addr_of_mut!(packed.f2);
2777/// unsafe { raw_f2.write_unaligned(42); }
2778/// assert_eq!({packed.f2}, 42); // `{...}` forces copying the field instead of creating a reference.
2779/// ```
2780///
2781/// **Correct usage: Creating a pointer to uninitialized data**
2782///
2783/// ```rust
2784/// use std::{ptr, mem::MaybeUninit};
2785///
2786/// struct Demo {
2787///     field: bool,
2788/// }
2789///
2790/// let mut uninit = MaybeUninit::<Demo>::uninit();
2791/// // `&uninit.as_mut().field` would create a reference to an uninitialized `bool`,
2792/// // and thus be Undefined Behavior!
2793/// let f1_ptr = unsafe { ptr::addr_of_mut!((*uninit.as_mut_ptr()).field) };
2794/// unsafe { f1_ptr.write(true); }
2795/// let init = unsafe { uninit.assume_init() };
2796/// ```
2797///
2798/// **Incorrect usage: Out-of-bounds fields projection**
2799///
2800/// ```rust,no_run
2801/// use std::ptr;
2802///
2803/// #[repr(C)]
2804/// struct MyStruct {
2805///     field1: i32,
2806///     field2: i32,
2807/// }
2808///
2809/// let ptr: *mut MyStruct = ptr::null_mut();
2810/// let fieldptr = unsafe { ptr::addr_of_mut!((*ptr).field2) }; // Undefined Behavior ⚠️
2811/// ```
2812///
2813/// The field projection `.field2` would offset the pointer by 4 bytes,
2814/// but the pointer is not in-bounds of an allocation for 4 bytes,
2815/// so this offset is Undefined Behavior.
2816/// See the [`offset`] docs for a full list of requirements for inbounds pointer arithmetic; the
2817/// same requirements apply to field projections, even inside `addr_of_mut!`. (In particular, it
2818/// makes no difference whether the pointer is null or dangling.)
2819#[stable(feature = "raw_ref_macros", since = "1.51.0")]
2820#[rustc_macro_transparency = "semitransparent"]
2821#[cfg(not(feature = "ferrocene_certified"))]
2822pub macro addr_of_mut($place:expr) {
2823    &raw mut $place
2824}