core/ptr/
mod.rs

1//! Manually manage memory through raw pointers.
2//!
3//! *[See also the pointer primitive types](pointer).*
4//!
5//! # Safety
6//!
7//! Many functions in this module take raw pointers as arguments and read from or write to them. For
8//! this to be safe, these pointers must be *valid* for the given access. Whether a pointer is valid
9//! depends on the operation it is used for (read or write), and the extent of the memory that is
10//! accessed (i.e., how many bytes are read/written) -- it makes no sense to ask "is this pointer
11//! valid"; one has to ask "is this pointer valid for a given access". Most functions use `*mut T`
12//! and `*const T` to access only a single value, in which case the documentation omits the size and
13//! implicitly assumes it to be `size_of::<T>()` bytes.
14//!
15//! The precise rules for validity are not determined yet. The guarantees that are
16//! provided at this point are very minimal:
17//!
18//! * For memory accesses of [size zero][zst], *every* pointer is valid, including the [null]
19//!   pointer. The following points are only concerned with non-zero-sized accesses.
20//! * A [null] pointer is *never* valid.
21//! * For a pointer to be valid, it is necessary, but not always sufficient, that the pointer be
22//!   *dereferenceable*. The [provenance] of the pointer is used to determine which [allocation]
23//!   it is derived from; a pointer is dereferenceable if the memory range of the given size
24//!   starting at the pointer is entirely contained within the bounds of that allocation. Note
25//!   that in Rust, every (stack-allocated) variable is considered a separate allocation.
26//! * All accesses performed by functions in this module are *non-atomic* in the sense
27//!   of [atomic operations] used to synchronize between threads. This means it is
28//!   undefined behavior to perform two concurrent accesses to the same location from different
29//!   threads unless both accesses only read from memory. Notice that this explicitly
30//!   includes [`read_volatile`] and [`write_volatile`]: Volatile accesses cannot
31//!   be used for inter-thread synchronization, regardless of whether they are acting on
32//!   Rust memory or not.
33//! * The result of casting a reference to a pointer is valid for as long as the
34//!   underlying allocation is live and no reference (just raw pointers) is used to
35//!   access the same memory. That is, reference and pointer accesses cannot be
36//!   interleaved.
37//!
38//! These axioms, along with careful use of [`offset`] for pointer arithmetic,
39//! are enough to correctly implement many useful things in unsafe code. Stronger guarantees
40//! will be provided eventually, as the [aliasing] rules are being determined. For more
41//! information, see the [book] as well as the section in the reference devoted
42//! to [undefined behavior][ub].
43//!
44//! We say that a pointer is "dangling" if it is not valid for any non-zero-sized accesses. This
45//! means out-of-bounds pointers, pointers to freed memory, null pointers, and pointers created with
46//! [`NonNull::dangling`] are all dangling.
47//!
48//! ## Alignment
49//!
50//! Valid raw pointers as defined above are not necessarily properly aligned (where
51//! "proper" alignment is defined by the pointee type, i.e., `*const T` must be
52//! aligned to `align_of::<T>()`). However, most functions require their
53//! arguments to be properly aligned, and will explicitly state
54//! this requirement in their documentation. Notable exceptions to this are
55//! [`read_unaligned`] and [`write_unaligned`].
56//!
57//! When a function requires proper alignment, it does so even if the access
58//! has size 0, i.e., even if memory is not actually touched. Consider using
59//! [`NonNull::dangling`] in such cases.
60//!
61//! ## Pointer to reference conversion
62//!
63//! When converting a pointer to a reference (e.g. via `&*ptr` or `&mut *ptr`),
64//! there are several rules that must be followed:
65//!
66//! * The pointer must be properly aligned.
67//!
68//! * It must be non-null.
69//!
70//! * It must be "dereferenceable" in the sense defined above.
71//!
72//! * The pointer must point to a [valid value] of type `T`.
73//!
74//! * You must enforce Rust's aliasing rules. The exact aliasing rules are not decided yet, so we
75//!   only give a rough overview here. The rules also depend on whether a mutable or a shared
76//!   reference is being created.
77//!   * When creating a mutable reference, then while this reference exists, the memory it points to
78//!     must not get accessed (read or written) through any other pointer or reference not derived
79//!     from this reference.
80//!   * When creating a shared reference, then while this reference exists, the memory it points to
81//!     must not get mutated (except inside `UnsafeCell`).
82//!
83//! If a pointer follows all of these rules, it is said to be
84//! *convertible to a (mutable or shared) reference*.
85// ^ we use this term instead of saying that the produced reference must
86// be valid, as the validity of a reference is easily confused for the
87// validity of the thing it refers to, and while the two concepts are
88// closely related, they are not identical.
89//!
90//! These rules apply even if the result is unused!
91//! (The part about being initialized is not yet fully decided, but until
92//! it is, the only safe approach is to ensure that they are indeed initialized.)
93//!
94//! An example of the implications of the above rules is that an expression such
95//! as `unsafe { &*(0 as *const u8) }` is Immediate Undefined Behavior.
96//!
97//! [valid value]: ../../reference/behavior-considered-undefined.html#invalid-values
98//!
99//! ## Allocation
100//!
101//! <a id="allocated-object"></a> <!-- keep old URLs working -->
102//!
103//! An *allocation* is a subset of program memory which is addressable
104//! from Rust, and within which pointer arithmetic is possible. Examples of
105//! allocations include heap allocations, stack-allocated variables,
106//! statics, and consts. The safety preconditions of some Rust operations -
107//! such as `offset` and field projections (`expr.field`) - are defined in
108//! terms of the allocations on which they operate.
109//!
110//! An allocation has a base address, a size, and a set of memory
111//! addresses. It is possible for an allocation to have zero size, but
112//! such an allocation will still have a base address. The base address
113//! of an allocation is not necessarily unique. While it is currently the
114//! case that an allocation always has a set of memory addresses which is
115//! fully contiguous (i.e., has no "holes"), there is no guarantee that this
116//! will not change in the future.
117//!
118//! Allocations must behave like "normal" memory: in particular, reads must not have
119//! side-effects, and writes must become visible to other threads using the usual synchronization
120//! primitives.
121//!
122//! For any allocation with `base` address, `size`, and a set of
123//! `addresses`, the following are guaranteed:
124//! - For all addresses `a` in `addresses`, `a` is in the range `base .. (base +
125//!   size)` (note that this requires `a < base + size`, not `a <= base + size`)
126//! - `base` is not equal to [`null()`] (i.e., the address with the numerical
127//!   value 0)
128//! - `base + size <= usize::MAX`
129//! - `size <= isize::MAX`
130//!
131//! As a consequence of these guarantees, given any address `a` within the set
132//! of addresses of an allocation:
133//! - It is guaranteed that `a - base` does not overflow `isize`
134//! - It is guaranteed that `a - base` is non-negative
135//! - It is guaranteed that, given `o = a - base` (i.e., the offset of `a` within
136//!   the allocation), `base + o` will not wrap around the address space (in
137//!   other words, will not overflow `usize`)
138//!
139//! [`null()`]: null
140//!
141//! # Provenance
142//!
143//! Pointers are not *simply* an "integer" or "address". For instance, it's uncontroversial
144//! to say that a Use After Free is clearly Undefined Behavior, even if you "get lucky"
145//! and the freed memory gets reallocated before your read/write (in fact this is the
146//! worst-case scenario, UAFs would be much less concerning if this didn't happen!).
147//! As another example, consider that [`wrapping_offset`] is documented to "remember"
148//! the allocation that the original pointer points to, even if it is offset far
149//! outside the memory range occupied by that allocation.
150//! To rationalize claims like this, pointers need to somehow be *more* than just their addresses:
151//! they must have **provenance**.
152//!
153//! A pointer value in Rust semantically contains the following information:
154//!
155//! * The **address** it points to, which can be represented by a `usize`.
156//! * The **provenance** it has, defining the memory it has permission to access. Provenance can be
157//!   absent, in which case the pointer does not have permission to access any memory.
158//!
159//! The exact structure of provenance is not yet specified, but the permission defined by a
160//! pointer's provenance have a *spatial* component, a *temporal* component, and a *mutability*
161//! component:
162//!
163//! * Spatial: The set of memory addresses that the pointer is allowed to access.
164//! * Temporal: The timespan during which the pointer is allowed to access those memory addresses.
165//! * Mutability: Whether the pointer may only access the memory for reads, or also access it for
166//!   writes. Note that this can interact with the other components, e.g. a pointer might permit
167//!   mutation only for a subset of addresses, or only for a subset of its maximal timespan.
168//!
169//! When an [allocation] is created, it has a unique Original Pointer. For alloc
170//! APIs this is literally the pointer the call returns, and for local variables and statics,
171//! this is the name of the variable/static. (This is mildly overloading the term "pointer"
172//! for the sake of brevity/exposition.)
173//!
174//! The Original Pointer for an allocation has provenance that constrains the *spatial*
175//! permissions of this pointer to the memory range of the allocation, and the *temporal*
176//! permissions to the lifetime of the allocation. Provenance is implicitly inherited by all
177//! pointers transitively derived from the Original Pointer through operations like [`offset`],
178//! borrowing, and pointer casts. Some operations may *shrink* the permissions of the derived
179//! provenance, limiting how much memory it can access or how long it's valid for (i.e. borrowing a
180//! subfield and subslicing can shrink the spatial component of provenance, and all borrowing can
181//! shrink the temporal component of provenance). However, no operation can ever *grow* the
182//! permissions of the derived provenance: even if you "know" there is a larger allocation, you
183//! can't derive a pointer with a larger provenance. Similarly, you cannot "recombine" two
184//! contiguous provenances back into one (i.e. with a `fn merge(&[T], &[T]) -> &[T]`).
185//!
186//! A reference to a place always has provenance over at least the memory that place occupies.
187//! A reference to a slice always has provenance over at least the range that slice describes.
188//! Whether and when exactly the provenance of a reference gets "shrunk" to *exactly* fit
189//! the memory it points to is not yet determined.
190//!
191//! A *shared* reference only ever has provenance that permits reading from memory,
192//! and never permits writes, except inside [`UnsafeCell`].
193//!
194//! Provenance can affect whether a program has undefined behavior:
195//!
196//! * It is undefined behavior to access memory through a pointer that does not have provenance over
197//!   that memory. Note that a pointer "at the end" of its provenance is not actually outside its
198//!   provenance, it just has 0 bytes it can load/store. Zero-sized accesses do not require any
199//!   provenance since they access an empty range of memory.
200//!
201//! * It is undefined behavior to [`offset`] a pointer across a memory range that is not contained
202//!   in the allocation it is derived from, or to [`offset_from`] two pointers not derived
203//!   from the same allocation. Provenance is used to say what exactly "derived from" even
204//!   means: the lineage of a pointer is traced back to the Original Pointer it descends from, and
205//!   that identifies the relevant allocation. In particular, it's always UB to offset a
206//!   pointer derived from something that is now deallocated, except if the offset is 0.
207//!
208//! But it *is* still sound to:
209//!
210//! * Create a pointer without provenance from just an address (see [`without_provenance`]). Such a
211//!   pointer cannot be used for memory accesses (except for zero-sized accesses). This can still be
212//!   useful for sentinel values like `null` *or* to represent a tagged pointer that will never be
213//!   dereferenceable. In general, it is always sound for an integer to pretend to be a pointer "for
214//!   fun" as long as you don't use operations on it which require it to be valid (non-zero-sized
215//!   offset, read, write, etc).
216//!
217//! * Forge an allocation of size zero at any sufficiently aligned non-null address.
218//!   i.e. the usual "ZSTs are fake, do what you want" rules apply.
219//!
220//! * [`wrapping_offset`] a pointer outside its provenance. This includes pointers
221//!   which have "no" provenance. In particular, this makes it sound to do pointer tagging tricks.
222//!
223//! * Compare arbitrary pointers by address. Pointer comparison ignores provenance and addresses
224//!   *are* just integers, so there is always a coherent answer, even if the pointers are dangling
225//!   or from different provenances. Note that if you get "lucky" and notice that a pointer at the
226//!   end of one allocation is the "same" address as the start of another allocation,
227//!   anything you do with that fact is *probably* going to be gibberish. The scope of that
228//!   gibberish is kept under control by the fact that the two pointers *still* aren't allowed to
229//!   access the other's allocation (bytes), because they still have different provenance.
230//!
231//! Note that the full definition of provenance in Rust is not decided yet, as this interacts
232//! with the as-yet undecided [aliasing] rules.
233//!
234//! ## Pointers Vs Integers
235//!
236//! From this discussion, it becomes very clear that a `usize` *cannot* accurately represent a pointer,
237//! and converting from a pointer to a `usize` is generally an operation which *only* extracts the
238//! address. Converting this address back into pointer requires somehow answering the question:
239//! which provenance should the resulting pointer have?
240//!
241//! Rust provides two ways of dealing with this situation: *Strict Provenance* and *Exposed Provenance*.
242//!
243//! Note that a pointer *can* represent a `usize` (via [`without_provenance`]), so the right type to
244//! use in situations where a value is "sometimes a pointer and sometimes a bare `usize`" is a
245//! pointer type.
246//!
247//! ## Strict Provenance
248//!
249//! "Strict Provenance" refers to a set of APIs designed to make working with provenance more
250//! explicit. They are intended as substitutes for casting a pointer to an integer and back.
251//!
252//! Entirely avoiding integer-to-pointer casts successfully side-steps the inherent ambiguity of
253//! that operation. This benefits compiler optimizations, and it is pretty much a requirement for
254//! using tools like [Miri] and architectures like [CHERI] that aim to detect and diagnose pointer
255//! misuse.
256//!
257//! The key insight to making programming without integer-to-pointer casts *at all* viable is the
258//! [`with_addr`] method:
259//!
260//! ```text
261//!     /// Creates a new pointer with the given address.
262//!     ///
263//!     /// This performs the same operation as an `addr as ptr` cast, but copies
264//!     /// the *provenance* of `self` to the new pointer.
265//!     /// This allows us to dynamically preserve and propagate this important
266//!     /// information in a way that is otherwise impossible with a unary cast.
267//!     ///
268//!     /// This is equivalent to using `wrapping_offset` to offset `self` to the
269//!     /// given address, and therefore has all the same capabilities and restrictions.
270//!     pub fn with_addr(self, addr: usize) -> Self;
271//! ```
272//!
273//! So you're still able to drop down to the address representation and do whatever
274//! clever bit tricks you want *as long as* you're able to keep around a pointer
275//! into the allocation you care about that can "reconstitute" the provenance.
276//! Usually this is very easy, because you only are taking a pointer, messing with the address,
277//! and then immediately converting back to a pointer. To make this use case more ergonomic,
278//! we provide the [`map_addr`] method.
279//!
280//! To help make it clear that code is "following" Strict Provenance semantics, we also provide an
281//! [`addr`] method which promises that the returned address is not part of a
282//! pointer-integer-pointer roundtrip. In the future we may provide a lint for pointer<->integer
283//! casts to help you audit if your code conforms to strict provenance.
284//!
285//! ### Using Strict Provenance
286//!
287//! Most code needs no changes to conform to strict provenance, as the only really concerning
288//! operation is casts from `usize` to a pointer. For code which *does* cast a `usize` to a pointer,
289//! the scope of the change depends on exactly what you're doing.
290//!
291//! In general, you just need to make sure that if you want to convert a `usize` address to a
292//! pointer and then use that pointer to read/write memory, you need to keep around a pointer
293//! that has sufficient provenance to perform that read/write itself. In this way all of your
294//! casts from an address to a pointer are essentially just applying offsets/indexing.
295//!
296//! This is generally trivial to do for simple cases like tagged pointers *as long as you
297//! represent the tagged pointer as an actual pointer and not a `usize`*. For instance:
298//!
299//! ```
300//! unsafe {
301//!     // A flag we want to pack into our pointer
302//!     static HAS_DATA: usize = 0x1;
303//!     static FLAG_MASK: usize = !HAS_DATA;
304//!
305//!     // Our value, which must have enough alignment to have spare least-significant-bits.
306//!     let my_precious_data: u32 = 17;
307//!     assert!(align_of::<u32>() > 1);
308//!
309//!     // Create a tagged pointer
310//!     let ptr = &my_precious_data as *const u32;
311//!     let tagged = ptr.map_addr(|addr| addr | HAS_DATA);
312//!
313//!     // Check the flag:
314//!     if tagged.addr() & HAS_DATA != 0 {
315//!         // Untag and read the pointer
316//!         let data = *tagged.map_addr(|addr| addr & FLAG_MASK);
317//!         assert_eq!(data, 17);
318//!     } else {
319//!         unreachable!()
320//!     }
321//! }
322//! ```
323//!
324//! (Yes, if you've been using [`AtomicUsize`] for pointers in concurrent datastructures, you should
325//! be using [`AtomicPtr`] instead. If that messes up the way you atomically manipulate pointers,
326//! we would like to know why, and what needs to be done to fix it.)
327//!
328//! Situations where a valid pointer *must* be created from just an address, such as baremetal code
329//! accessing a memory-mapped interface at a fixed address, cannot currently be handled with strict
330//! provenance APIs and should use [exposed provenance](#exposed-provenance).
331//!
332//! ## Exposed Provenance
333//!
334//! As discussed above, integer-to-pointer casts are not possible with Strict Provenance APIs.
335//! This is by design: the goal of Strict Provenance is to provide a clear specification that we are
336//! confident can be formalized unambiguously and can be subject to precise formal reasoning.
337//! Integer-to-pointer casts do not (currently) have such a clear specification.
338//!
339//! However, there exist situations where integer-to-pointer casts cannot be avoided, or
340//! where avoiding them would require major refactoring. Legacy platform APIs also regularly assume
341//! that `usize` can capture all the information that makes up a pointer.
342//! Bare-metal platforms can also require the synthesis of a pointer "out of thin air" without
343//! anywhere to obtain proper provenance from.
344//!
345//! Rust's model for dealing with integer-to-pointer casts is called *Exposed Provenance*. However,
346//! the semantics of Exposed Provenance are on much less solid footing than Strict Provenance, and
347//! at this point it is not yet clear whether a satisfying unambiguous semantics can be defined for
348//! Exposed Provenance. (If that sounds bad, be reassured that other popular languages that provide
349//! integer-to-pointer casts are not faring any better.) Furthermore, Exposed Provenance will not
350//! work (well) with tools like [Miri] and [CHERI].
351//!
352//! Exposed Provenance is provided by the [`expose_provenance`] and [`with_exposed_provenance`] methods,
353//! which are equivalent to `as` casts between pointers and integers.
354//! - [`expose_provenance`] is a lot like [`addr`], but additionally adds the provenance of the
355//!   pointer to a global list of 'exposed' provenances. (This list is purely conceptual, it exists
356//!   for the purpose of specifying Rust but is not materialized in actual executions, except in
357//!   tools like [Miri].)
358//!   Memory which is outside the control of the Rust abstract machine (MMIO registers, for example)
359//!   is always considered to be exposed, so long as this memory is disjoint from memory that will
360//!   be used by the abstract machine such as the stack, heap, and statics.
361//! - [`with_exposed_provenance`] can be used to construct a pointer with one of these previously
362//!   'exposed' provenances. [`with_exposed_provenance`] takes only `addr: usize` as arguments, so
363//!   unlike in [`with_addr`] there is no indication of what the correct provenance for the returned
364//!   pointer is -- and that is exactly what makes integer-to-pointer casts so tricky to rigorously
365//!   specify! The compiler will do its best to pick the right provenance for you, but currently we
366//!   cannot provide any guarantees about which provenance the resulting pointer will have. Only one
367//!   thing is clear: if there is *no* previously 'exposed' provenance that justifies the way the
368//!   returned pointer will be used, the program has undefined behavior.
369//!
370//! If at all possible, we encourage code to be ported to [Strict Provenance] APIs, thus avoiding
371//! the need for Exposed Provenance. Maximizing the amount of such code is a major win for avoiding
372//! specification complexity and to facilitate adoption of tools like [CHERI] and [Miri] that can be
373//! a big help in increasing the confidence in (unsafe) Rust code. However, we acknowledge that this
374//! is not always possible, and offer Exposed Provenance as a way to explicit "opt out" of the
375//! well-defined semantics of Strict Provenance, and "opt in" to the unclear semantics of
376//! integer-to-pointer casts.
377//!
378//! [aliasing]: ../../nomicon/aliasing.html
379//! [allocation]: #allocation
380//! [provenance]: #provenance
381//! [book]: ../../book/ch19-01-unsafe-rust.html#dereferencing-a-raw-pointer
382//! [ub]: ../../reference/behavior-considered-undefined.html
383//! [zst]: ../../nomicon/exotic-sizes.html#zero-sized-types-zsts
384//! [atomic operations]: crate::sync::atomic
385//! [`offset`]: pointer::offset
386//! [`offset_from`]: pointer::offset_from
387//! [`wrapping_offset`]: pointer::wrapping_offset
388//! [`with_addr`]: pointer::with_addr
389//! [`map_addr`]: pointer::map_addr
390//! [`addr`]: pointer::addr
391//! [`AtomicUsize`]: crate::sync::atomic::AtomicUsize
392//! [`AtomicPtr`]: crate::sync::atomic::AtomicPtr
393//! [`expose_provenance`]: pointer::expose_provenance
394//! [`with_exposed_provenance`]: with_exposed_provenance
395//! [Miri]: https://github.com/rust-lang/miri
396//! [CHERI]: https://www.cl.cam.ac.uk/research/security/ctsrd/cheri/
397//! [Strict Provenance]: #strict-provenance
398//! [`UnsafeCell`]: core::cell::UnsafeCell
399
400#![stable(feature = "rust1", since = "1.0.0")]
401// There are many unsafe functions taking pointers that don't dereference them.
402#![allow(clippy::not_unsafe_ptr_arg_deref)]
403
404#[cfg(not(feature = "ferrocene_certified"))]
405use crate::cmp::Ordering;
406#[cfg(not(feature = "ferrocene_certified"))]
407use crate::intrinsics::const_eval_select;
408#[cfg(not(feature = "ferrocene_certified"))]
409use crate::marker::{FnPtr, PointeeSized};
410#[cfg(not(feature = "ferrocene_certified"))]
411use crate::mem::{self, MaybeUninit, SizedTypeProperties};
412#[cfg(not(feature = "ferrocene_certified"))]
413use crate::num::NonZero;
414#[cfg(not(feature = "ferrocene_certified"))]
415use crate::{fmt, hash, intrinsics, ub_checks};
416#[cfg(feature = "ferrocene_certified")]
417use crate::{intrinsics, marker::PointeeSized, mem};
418#[cfg(all(debug_assertions, feature = "ferrocene_certified"))]
419use crate::{mem::SizedTypeProperties, ub_checks};
420
421mod alignment;
422#[unstable(feature = "ptr_alignment_type", issue = "102070")]
423pub use alignment::Alignment;
424
425mod metadata;
426#[unstable(feature = "ptr_metadata", issue = "81513")]
427#[cfg(not(feature = "ferrocene_certified"))]
428pub use metadata::{DynMetadata, Pointee, Thin, from_raw_parts, from_raw_parts_mut, metadata};
429#[unstable(feature = "ptr_metadata", issue = "81513")]
430#[cfg(feature = "ferrocene_certified")]
431pub use metadata::{Pointee, Thin, from_raw_parts, from_raw_parts_mut};
432
433mod non_null;
434#[stable(feature = "nonnull", since = "1.25.0")]
435pub use non_null::NonNull;
436
437#[cfg(not(feature = "ferrocene_certified"))]
438mod unique;
439#[unstable(feature = "ptr_internals", issue = "none")]
440#[cfg(not(feature = "ferrocene_certified"))]
441pub use unique::Unique;
442
443mod const_ptr;
444mod mut_ptr;
445
446// Some functions are defined here because they accidentally got made
447// available in this module on stable. See <https://github.com/rust-lang/rust/issues/15702>.
448// (`transmute` also falls into this category, but it cannot be wrapped due to the
449// check that `T` and `U` have the same size.)
450
451/// Copies `count * size_of::<T>()` bytes from `src` to `dst`. The source
452/// and destination must *not* overlap.
453///
454/// For regions of memory which might overlap, use [`copy`] instead.
455///
456/// `copy_nonoverlapping` is semantically equivalent to C's [`memcpy`], but
457/// with the source and destination arguments swapped,
458/// and `count` counting the number of `T`s instead of bytes.
459///
460/// The copy is "untyped" in the sense that data may be uninitialized or otherwise violate the
461/// requirements of `T`. The initialization state is preserved exactly.
462///
463/// [`memcpy`]: https://en.cppreference.com/w/c/string/byte/memcpy
464///
465/// # Safety
466///
467/// Behavior is undefined if any of the following conditions are violated:
468///
469/// * `src` must be [valid] for reads of `count * size_of::<T>()` bytes.
470///
471/// * `dst` must be [valid] for writes of `count * size_of::<T>()` bytes.
472///
473/// * Both `src` and `dst` must be properly aligned.
474///
475/// * The region of memory beginning at `src` with a size of `count *
476///   size_of::<T>()` bytes must *not* overlap with the region of memory
477///   beginning at `dst` with the same size.
478///
479/// Like [`read`], `copy_nonoverlapping` creates a bitwise copy of `T`, regardless of
480/// whether `T` is [`Copy`]. If `T` is not [`Copy`], using *both* the values
481/// in the region beginning at `*src` and the region beginning at `*dst` can
482/// [violate memory safety][read-ownership].
483///
484/// Note that even if the effectively copied size (`count * size_of::<T>()`) is
485/// `0`, the pointers must be properly aligned.
486///
487/// [`read`]: crate::ptr::read
488/// [read-ownership]: crate::ptr::read#ownership-of-the-returned-value
489/// [valid]: crate::ptr#safety
490///
491/// # Examples
492///
493/// Manually implement [`Vec::append`]:
494///
495/// ```
496/// use std::ptr;
497///
498/// /// Moves all the elements of `src` into `dst`, leaving `src` empty.
499/// fn append<T>(dst: &mut Vec<T>, src: &mut Vec<T>) {
500///     let src_len = src.len();
501///     let dst_len = dst.len();
502///
503///     // Ensure that `dst` has enough capacity to hold all of `src`.
504///     dst.reserve(src_len);
505///
506///     unsafe {
507///         // The call to add is always safe because `Vec` will never
508///         // allocate more than `isize::MAX` bytes.
509///         let dst_ptr = dst.as_mut_ptr().add(dst_len);
510///         let src_ptr = src.as_ptr();
511///
512///         // Truncate `src` without dropping its contents. We do this first,
513///         // to avoid problems in case something further down panics.
514///         src.set_len(0);
515///
516///         // The two regions cannot overlap because mutable references do
517///         // not alias, and two different vectors cannot own the same
518///         // memory.
519///         ptr::copy_nonoverlapping(src_ptr, dst_ptr, src_len);
520///
521///         // Notify `dst` that it now holds the contents of `src`.
522///         dst.set_len(dst_len + src_len);
523///     }
524/// }
525///
526/// let mut a = vec!['r'];
527/// let mut b = vec!['u', 's', 't'];
528///
529/// append(&mut a, &mut b);
530///
531/// assert_eq!(a, &['r', 'u', 's', 't']);
532/// assert!(b.is_empty());
533/// ```
534///
535/// [`Vec::append`]: ../../std/vec/struct.Vec.html#method.append
536#[doc(alias = "memcpy")]
537#[stable(feature = "rust1", since = "1.0.0")]
538#[rustc_const_stable(feature = "const_intrinsic_copy", since = "1.83.0")]
539#[inline(always)]
540#[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
541#[rustc_diagnostic_item = "ptr_copy_nonoverlapping"]
542#[cfg(not(feature = "ferrocene_certified"))]
543pub const unsafe fn copy_nonoverlapping<T>(src: *const T, dst: *mut T, count: usize) {
544    ub_checks::assert_unsafe_precondition!(
545        check_language_ub,
546        "ptr::copy_nonoverlapping requires that both pointer arguments are aligned and non-null \
547        and the specified memory ranges do not overlap",
548        (
549            src: *const () = src as *const (),
550            dst: *mut () = dst as *mut (),
551            size: usize = size_of::<T>(),
552            align: usize = align_of::<T>(),
553            count: usize = count,
554        ) => {
555            let zero_size = count == 0 || size == 0;
556            ub_checks::maybe_is_aligned_and_not_null(src, align, zero_size)
557                && ub_checks::maybe_is_aligned_and_not_null(dst, align, zero_size)
558                && ub_checks::maybe_is_nonoverlapping(src, dst, size, count)
559        }
560    );
561
562    // SAFETY: the safety contract for `copy_nonoverlapping` must be
563    // upheld by the caller.
564    unsafe { crate::intrinsics::copy_nonoverlapping(src, dst, count) }
565}
566
567/// Copies `count * size_of::<T>()` bytes from `src` to `dst`. The source
568/// and destination may overlap.
569///
570/// If the source and destination will *never* overlap,
571/// [`copy_nonoverlapping`] can be used instead.
572///
573/// `copy` is semantically equivalent to C's [`memmove`], but
574/// with the source and destination arguments swapped,
575/// and `count` counting the number of `T`s instead of bytes.
576/// Copying takes place as if the bytes were copied from `src`
577/// to a temporary array and then copied from the array to `dst`.
578///
579/// The copy is "untyped" in the sense that data may be uninitialized or otherwise violate the
580/// requirements of `T`. The initialization state is preserved exactly.
581///
582/// [`memmove`]: https://en.cppreference.com/w/c/string/byte/memmove
583///
584/// # Safety
585///
586/// Behavior is undefined if any of the following conditions are violated:
587///
588/// * `src` must be [valid] for reads of `count * size_of::<T>()` bytes.
589///
590/// * `dst` must be [valid] for writes of `count * size_of::<T>()` bytes, and must remain valid even
591///   when `src` is read for `count * size_of::<T>()` bytes. (This means if the memory ranges
592///   overlap, the `dst` pointer must not be invalidated by `src` reads.)
593///
594/// * Both `src` and `dst` must be properly aligned.
595///
596/// Like [`read`], `copy` creates a bitwise copy of `T`, regardless of
597/// whether `T` is [`Copy`]. If `T` is not [`Copy`], using both the values
598/// in the region beginning at `*src` and the region beginning at `*dst` can
599/// [violate memory safety][read-ownership].
600///
601/// Note that even if the effectively copied size (`count * size_of::<T>()`) is
602/// `0`, the pointers must be properly aligned.
603///
604/// [`read`]: crate::ptr::read
605/// [read-ownership]: crate::ptr::read#ownership-of-the-returned-value
606/// [valid]: crate::ptr#safety
607///
608/// # Examples
609///
610/// Efficiently create a Rust vector from an unsafe buffer:
611///
612/// ```
613/// use std::ptr;
614///
615/// /// # Safety
616/// ///
617/// /// * `ptr` must be correctly aligned for its type and non-zero.
618/// /// * `ptr` must be valid for reads of `elts` contiguous elements of type `T`.
619/// /// * Those elements must not be used after calling this function unless `T: Copy`.
620/// # #[allow(dead_code)]
621/// unsafe fn from_buf_raw<T>(ptr: *const T, elts: usize) -> Vec<T> {
622///     let mut dst = Vec::with_capacity(elts);
623///
624///     // SAFETY: Our precondition ensures the source is aligned and valid,
625///     // and `Vec::with_capacity` ensures that we have usable space to write them.
626///     unsafe { ptr::copy(ptr, dst.as_mut_ptr(), elts); }
627///
628///     // SAFETY: We created it with this much capacity earlier,
629///     // and the previous `copy` has initialized these elements.
630///     unsafe { dst.set_len(elts); }
631///     dst
632/// }
633/// ```
634#[doc(alias = "memmove")]
635#[stable(feature = "rust1", since = "1.0.0")]
636#[rustc_const_stable(feature = "const_intrinsic_copy", since = "1.83.0")]
637#[inline(always)]
638#[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
639#[rustc_diagnostic_item = "ptr_copy"]
640#[cfg(not(feature = "ferrocene_certified"))]
641pub const unsafe fn copy<T>(src: *const T, dst: *mut T, count: usize) {
642    // SAFETY: the safety contract for `copy` must be upheld by the caller.
643    unsafe {
644        ub_checks::assert_unsafe_precondition!(
645            check_language_ub,
646            "ptr::copy requires that both pointer arguments are aligned and non-null",
647            (
648                src: *const () = src as *const (),
649                dst: *mut () = dst as *mut (),
650                align: usize = align_of::<T>(),
651                zero_size: bool = T::IS_ZST || count == 0,
652            ) =>
653            ub_checks::maybe_is_aligned_and_not_null(src, align, zero_size)
654                && ub_checks::maybe_is_aligned_and_not_null(dst, align, zero_size)
655        );
656        crate::intrinsics::copy(src, dst, count)
657    }
658}
659
660/// Sets `count * size_of::<T>()` bytes of memory starting at `dst` to
661/// `val`.
662///
663/// `write_bytes` is similar to C's [`memset`], but sets `count *
664/// size_of::<T>()` bytes to `val`.
665///
666/// [`memset`]: https://en.cppreference.com/w/c/string/byte/memset
667///
668/// # Safety
669///
670/// Behavior is undefined if any of the following conditions are violated:
671///
672/// * `dst` must be [valid] for writes of `count * size_of::<T>()` bytes.
673///
674/// * `dst` must be properly aligned.
675///
676/// Note that even if the effectively copied size (`count * size_of::<T>()`) is
677/// `0`, the pointer must be properly aligned.
678///
679/// Additionally, note that changing `*dst` in this way can easily lead to undefined behavior (UB)
680/// later if the written bytes are not a valid representation of some `T`. For instance, the
681/// following is an **incorrect** use of this function:
682///
683/// ```rust,no_run
684/// unsafe {
685///     let mut value: u8 = 0;
686///     let ptr: *mut bool = &mut value as *mut u8 as *mut bool;
687///     let _bool = ptr.read(); // This is fine, `ptr` points to a valid `bool`.
688///     ptr.write_bytes(42u8, 1); // This function itself does not cause UB...
689///     let _bool = ptr.read(); // ...but it makes this operation UB! ⚠️
690/// }
691/// ```
692///
693/// [valid]: crate::ptr#safety
694///
695/// # Examples
696///
697/// Basic usage:
698///
699/// ```
700/// use std::ptr;
701///
702/// let mut vec = vec![0u32; 4];
703/// unsafe {
704///     let vec_ptr = vec.as_mut_ptr();
705///     ptr::write_bytes(vec_ptr, 0xfe, 2);
706/// }
707/// assert_eq!(vec, [0xfefefefe, 0xfefefefe, 0, 0]);
708/// ```
709#[doc(alias = "memset")]
710#[stable(feature = "rust1", since = "1.0.0")]
711#[rustc_const_stable(feature = "const_ptr_write", since = "1.83.0")]
712#[inline(always)]
713#[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
714#[rustc_diagnostic_item = "ptr_write_bytes"]
715#[cfg(not(feature = "ferrocene_certified"))]
716pub const unsafe fn write_bytes<T>(dst: *mut T, val: u8, count: usize) {
717    // SAFETY: the safety contract for `write_bytes` must be upheld by the caller.
718    unsafe {
719        ub_checks::assert_unsafe_precondition!(
720            check_language_ub,
721            "ptr::write_bytes requires that the destination pointer is aligned and non-null",
722            (
723                addr: *const () = dst as *const (),
724                align: usize = align_of::<T>(),
725                zero_size: bool = T::IS_ZST || count == 0,
726            ) => ub_checks::maybe_is_aligned_and_not_null(addr, align, zero_size)
727        );
728        crate::intrinsics::write_bytes(dst, val, count)
729    }
730}
731
732/// Executes the destructor (if any) of the pointed-to value.
733///
734/// This is almost the same as calling [`ptr::read`] and discarding
735/// the result, but has the following advantages:
736// FIXME: say something more useful than "almost the same"?
737// There are open questions here: `read` requires the value to be fully valid, e.g. if `T` is a
738// `bool` it must be 0 or 1, if it is a reference then it must be dereferenceable. `drop_in_place`
739// only requires that `*to_drop` be "valid for dropping" and we have not defined what that means. In
740// Miri it currently (May 2024) requires nothing at all for types without drop glue.
741///
742/// * It is *required* to use `drop_in_place` to drop unsized types like
743///   trait objects, because they can't be read out onto the stack and
744///   dropped normally.
745///
746/// * It is friendlier to the optimizer to do this over [`ptr::read`] when
747///   dropping manually allocated memory (e.g., in the implementations of
748///   `Box`/`Rc`/`Vec`), as the compiler doesn't need to prove that it's
749///   sound to elide the copy.
750///
751/// * It can be used to drop [pinned] data when `T` is not `repr(packed)`
752///   (pinned data must not be moved before it is dropped).
753///
754/// Unaligned values cannot be dropped in place, they must be copied to an aligned
755/// location first using [`ptr::read_unaligned`]. For packed structs, this move is
756/// done automatically by the compiler. This means the fields of packed structs
757/// are not dropped in-place.
758///
759/// [`ptr::read`]: self::read
760/// [`ptr::read_unaligned`]: self::read_unaligned
761/// [pinned]: crate::pin
762///
763/// # Safety
764///
765/// Behavior is undefined if any of the following conditions are violated:
766///
767/// * `to_drop` must be [valid] for both reads and writes.
768///
769/// * `to_drop` must be properly aligned, even if `T` has size 0.
770///
771/// * `to_drop` must be nonnull, even if `T` has size 0.
772///
773/// * The value `to_drop` points to must be valid for dropping, which may mean
774///   it must uphold additional invariants. These invariants depend on the type
775///   of the value being dropped. For instance, when dropping a Box, the box's
776///   pointer to the heap must be valid.
777///
778/// * While `drop_in_place` is executing, the only way to access parts of
779///   `to_drop` is through the `&mut self` references supplied to the
780///   `Drop::drop` methods that `drop_in_place` invokes.
781///
782/// Additionally, if `T` is not [`Copy`], using the pointed-to value after
783/// calling `drop_in_place` can cause undefined behavior. Note that `*to_drop =
784/// foo` counts as a use because it will cause the value to be dropped
785/// again. [`write()`] can be used to overwrite data without causing it to be
786/// dropped.
787///
788/// [valid]: self#safety
789///
790/// # Examples
791///
792/// Manually remove the last item from a vector:
793///
794/// ```
795/// use std::ptr;
796/// use std::rc::Rc;
797///
798/// let last = Rc::new(1);
799/// let weak = Rc::downgrade(&last);
800///
801/// let mut v = vec![Rc::new(0), last];
802///
803/// unsafe {
804///     // Get a raw pointer to the last element in `v`.
805///     let ptr = &mut v[1] as *mut _;
806///     // Shorten `v` to prevent the last item from being dropped. We do that first,
807///     // to prevent issues if the `drop_in_place` below panics.
808///     v.set_len(1);
809///     // Without a call `drop_in_place`, the last item would never be dropped,
810///     // and the memory it manages would be leaked.
811///     ptr::drop_in_place(ptr);
812/// }
813///
814/// assert_eq!(v, &[0.into()]);
815///
816/// // Ensure that the last item was dropped.
817/// assert!(weak.upgrade().is_none());
818/// ```
819#[stable(feature = "drop_in_place", since = "1.8.0")]
820#[lang = "drop_in_place"]
821#[allow(unconditional_recursion)]
822#[rustc_diagnostic_item = "ptr_drop_in_place"]
823#[cfg(not(feature = "ferrocene_certified"))]
824pub unsafe fn drop_in_place<T: PointeeSized>(to_drop: *mut T) {
825    // Code here does not matter - this is replaced by the
826    // real drop glue by the compiler.
827
828    // SAFETY: see comment above
829    unsafe { drop_in_place(to_drop) }
830}
831
832/// Creates a null raw pointer.
833///
834/// This function is equivalent to zero-initializing the pointer:
835/// `MaybeUninit::<*const T>::zeroed().assume_init()`.
836/// The resulting pointer has the address 0.
837///
838/// # Examples
839///
840/// ```
841/// use std::ptr;
842///
843/// let p: *const i32 = ptr::null();
844/// assert!(p.is_null());
845/// assert_eq!(p as usize, 0); // this pointer has the address 0
846/// ```
847#[inline(always)]
848#[must_use]
849#[stable(feature = "rust1", since = "1.0.0")]
850#[rustc_promotable]
851#[rustc_const_stable(feature = "const_ptr_null", since = "1.24.0")]
852#[rustc_diagnostic_item = "ptr_null"]
853pub const fn null<T: PointeeSized + Thin>() -> *const T {
854    from_raw_parts(without_provenance::<()>(0), ())
855}
856
857/// Creates a null mutable raw pointer.
858///
859/// This function is equivalent to zero-initializing the pointer:
860/// `MaybeUninit::<*mut T>::zeroed().assume_init()`.
861/// The resulting pointer has the address 0.
862///
863/// # Examples
864///
865/// ```
866/// use std::ptr;
867///
868/// let p: *mut i32 = ptr::null_mut();
869/// assert!(p.is_null());
870/// assert_eq!(p as usize, 0); // this pointer has the address 0
871/// ```
872#[inline(always)]
873#[must_use]
874#[stable(feature = "rust1", since = "1.0.0")]
875#[rustc_promotable]
876#[rustc_const_stable(feature = "const_ptr_null", since = "1.24.0")]
877#[rustc_diagnostic_item = "ptr_null_mut"]
878pub const fn null_mut<T: PointeeSized + Thin>() -> *mut T {
879    from_raw_parts_mut(without_provenance_mut::<()>(0), ())
880}
881
882/// Creates a pointer with the given address and no [provenance][crate::ptr#provenance].
883///
884/// This is equivalent to `ptr::null().with_addr(addr)`.
885///
886/// Without provenance, this pointer is not associated with any actual allocation. Such a
887/// no-provenance pointer may be used for zero-sized memory accesses (if suitably aligned), but
888/// non-zero-sized memory accesses with a no-provenance pointer are UB. No-provenance pointers are
889/// little more than a `usize` address in disguise.
890///
891/// This is different from `addr as *const T`, which creates a pointer that picks up a previously
892/// exposed provenance. See [`with_exposed_provenance`] for more details on that operation.
893///
894/// This is a [Strict Provenance][crate::ptr#strict-provenance] API.
895#[inline(always)]
896#[must_use]
897#[stable(feature = "strict_provenance", since = "1.84.0")]
898#[rustc_const_stable(feature = "strict_provenance", since = "1.84.0")]
899pub const fn without_provenance<T>(addr: usize) -> *const T {
900    without_provenance_mut(addr)
901}
902
903/// Creates a new pointer that is dangling, but non-null and well-aligned.
904///
905/// This is useful for initializing types which lazily allocate, like
906/// `Vec::new` does.
907///
908/// Note that the address of the returned pointer may potentially
909/// be that of a valid pointer, which means this must not be used
910/// as a "not yet initialized" sentinel value.
911/// Types that lazily allocate must track initialization by some other means.
912#[inline(always)]
913#[must_use]
914#[stable(feature = "strict_provenance", since = "1.84.0")]
915#[rustc_const_stable(feature = "strict_provenance", since = "1.84.0")]
916#[cfg(not(feature = "ferrocene_certified"))]
917pub const fn dangling<T>() -> *const T {
918    dangling_mut()
919}
920
921/// Creates a pointer with the given address and no [provenance][crate::ptr#provenance].
922///
923/// This is equivalent to `ptr::null_mut().with_addr(addr)`.
924///
925/// Without provenance, this pointer is not associated with any actual allocation. Such a
926/// no-provenance pointer may be used for zero-sized memory accesses (if suitably aligned), but
927/// non-zero-sized memory accesses with a no-provenance pointer are UB. No-provenance pointers are
928/// little more than a `usize` address in disguise.
929///
930/// This is different from `addr as *mut T`, which creates a pointer that picks up a previously
931/// exposed provenance. See [`with_exposed_provenance_mut`] for more details on that operation.
932///
933/// This is a [Strict Provenance][crate::ptr#strict-provenance] API.
934#[inline(always)]
935#[must_use]
936#[stable(feature = "strict_provenance", since = "1.84.0")]
937#[rustc_const_stable(feature = "strict_provenance", since = "1.84.0")]
938pub const fn without_provenance_mut<T>(addr: usize) -> *mut T {
939    // An int-to-pointer transmute currently has exactly the intended semantics: it creates a
940    // pointer without provenance. Note that this is *not* a stable guarantee about transmute
941    // semantics, it relies on sysroot crates having special status.
942    // SAFETY: every valid integer is also a valid pointer (as long as you don't dereference that
943    // pointer).
944    unsafe { mem::transmute(addr) }
945}
946
947/// Creates a new pointer that is dangling, but non-null and well-aligned.
948///
949/// This is useful for initializing types which lazily allocate, like
950/// `Vec::new` does.
951///
952/// Note that the address of the returned pointer may potentially
953/// be that of a valid pointer, which means this must not be used
954/// as a "not yet initialized" sentinel value.
955/// Types that lazily allocate must track initialization by some other means.
956#[inline(always)]
957#[must_use]
958#[stable(feature = "strict_provenance", since = "1.84.0")]
959#[rustc_const_stable(feature = "strict_provenance", since = "1.84.0")]
960#[cfg(not(feature = "ferrocene_certified"))]
961pub const fn dangling_mut<T>() -> *mut T {
962    NonNull::dangling().as_ptr()
963}
964
965/// Converts an address back to a pointer, picking up some previously 'exposed'
966/// [provenance][crate::ptr#provenance].
967///
968/// This is fully equivalent to `addr as *const T`. The provenance of the returned pointer is that
969/// of *some* pointer that was previously exposed by passing it to
970/// [`expose_provenance`][pointer::expose_provenance], or a `ptr as usize` cast. In addition, memory
971/// which is outside the control of the Rust abstract machine (MMIO registers, for example) is
972/// always considered to be accessible with an exposed provenance, so long as this memory is disjoint
973/// from memory that will be used by the abstract machine such as the stack, heap, and statics.
974///
975/// The exact provenance that gets picked is not specified. The compiler will do its best to pick
976/// the "right" provenance for you (whatever that may be), but currently we cannot provide any
977/// guarantees about which provenance the resulting pointer will have -- and therefore there
978/// is no definite specification for which memory the resulting pointer may access.
979///
980/// If there is *no* previously 'exposed' provenance that justifies the way the returned pointer
981/// will be used, the program has undefined behavior. In particular, the aliasing rules still apply:
982/// pointers and references that have been invalidated due to aliasing accesses cannot be used
983/// anymore, even if they have been exposed!
984///
985/// Due to its inherent ambiguity, this operation may not be supported by tools that help you to
986/// stay conformant with the Rust memory model. It is recommended to use [Strict
987/// Provenance][self#strict-provenance] APIs such as [`with_addr`][pointer::with_addr] wherever
988/// possible.
989///
990/// On most platforms this will produce a value with the same bytes as the address. Platforms
991/// which need to store additional information in a pointer may not support this operation,
992/// since it is generally not possible to actually *compute* which provenance the returned
993/// pointer has to pick up.
994///
995/// This is an [Exposed Provenance][crate::ptr#exposed-provenance] API.
996#[must_use]
997#[inline(always)]
998#[stable(feature = "exposed_provenance", since = "1.84.0")]
999#[rustc_const_stable(feature = "const_exposed_provenance", since = "CURRENT_RUSTC_VERSION")]
1000#[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
1001#[allow(fuzzy_provenance_casts)] // this *is* the explicit provenance API one should use instead
1002#[cfg(not(feature = "ferrocene_certified"))]
1003pub const fn with_exposed_provenance<T>(addr: usize) -> *const T {
1004    addr as *const T
1005}
1006
1007/// Converts an address back to a mutable pointer, picking up some previously 'exposed'
1008/// [provenance][crate::ptr#provenance].
1009///
1010/// This is fully equivalent to `addr as *mut T`. The provenance of the returned pointer is that
1011/// of *some* pointer that was previously exposed by passing it to
1012/// [`expose_provenance`][pointer::expose_provenance], or a `ptr as usize` cast. In addition, memory
1013/// which is outside the control of the Rust abstract machine (MMIO registers, for example) is
1014/// always considered to be accessible with an exposed provenance, so long as this memory is disjoint
1015/// from memory that will be used by the abstract machine such as the stack, heap, and statics.
1016///
1017/// The exact provenance that gets picked is not specified. The compiler will do its best to pick
1018/// the "right" provenance for you (whatever that may be), but currently we cannot provide any
1019/// guarantees about which provenance the resulting pointer will have -- and therefore there
1020/// is no definite specification for which memory the resulting pointer may access.
1021///
1022/// If there is *no* previously 'exposed' provenance that justifies the way the returned pointer
1023/// will be used, the program has undefined behavior. In particular, the aliasing rules still apply:
1024/// pointers and references that have been invalidated due to aliasing accesses cannot be used
1025/// anymore, even if they have been exposed!
1026///
1027/// Due to its inherent ambiguity, this operation may not be supported by tools that help you to
1028/// stay conformant with the Rust memory model. It is recommended to use [Strict
1029/// Provenance][self#strict-provenance] APIs such as [`with_addr`][pointer::with_addr] wherever
1030/// possible.
1031///
1032/// On most platforms this will produce a value with the same bytes as the address. Platforms
1033/// which need to store additional information in a pointer may not support this operation,
1034/// since it is generally not possible to actually *compute* which provenance the returned
1035/// pointer has to pick up.
1036///
1037/// This is an [Exposed Provenance][crate::ptr#exposed-provenance] API.
1038#[must_use]
1039#[inline(always)]
1040#[stable(feature = "exposed_provenance", since = "1.84.0")]
1041#[rustc_const_stable(feature = "const_exposed_provenance", since = "CURRENT_RUSTC_VERSION")]
1042#[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
1043#[allow(fuzzy_provenance_casts)] // this *is* the explicit provenance API one should use instead
1044#[cfg(not(feature = "ferrocene_certified"))]
1045pub const fn with_exposed_provenance_mut<T>(addr: usize) -> *mut T {
1046    addr as *mut T
1047}
1048
1049/// Converts a reference to a raw pointer.
1050///
1051/// For `r: &T`, `from_ref(r)` is equivalent to `r as *const T` (except for the caveat noted below),
1052/// but is a bit safer since it will never silently change type or mutability, in particular if the
1053/// code is refactored.
1054///
1055/// The caller must ensure that the pointee outlives the pointer this function returns, or else it
1056/// will end up dangling.
1057///
1058/// The caller must also ensure that the memory the pointer (non-transitively) points to is never
1059/// written to (except inside an `UnsafeCell`) using this pointer or any pointer derived from it. If
1060/// you need to mutate the pointee, use [`from_mut`]. Specifically, to turn a mutable reference `m:
1061/// &mut T` into `*const T`, prefer `from_mut(m).cast_const()` to obtain a pointer that can later be
1062/// used for mutation.
1063///
1064/// ## Interaction with lifetime extension
1065///
1066/// Note that this has subtle interactions with the rules for lifetime extension of temporaries in
1067/// tail expressions. This code is valid, albeit in a non-obvious way:
1068/// ```rust
1069/// # type T = i32;
1070/// # fn foo() -> T { 42 }
1071/// // The temporary holding the return value of `foo` has its lifetime extended,
1072/// // because the surrounding expression involves no function call.
1073/// let p = &foo() as *const T;
1074/// unsafe { p.read() };
1075/// ```
1076/// Naively replacing the cast with `from_ref` is not valid:
1077/// ```rust,no_run
1078/// # use std::ptr;
1079/// # type T = i32;
1080/// # fn foo() -> T { 42 }
1081/// // The temporary holding the return value of `foo` does *not* have its lifetime extended,
1082/// // because the surrounding expression involves a function call.
1083/// let p = ptr::from_ref(&foo());
1084/// unsafe { p.read() }; // UB! Reading from a dangling pointer ⚠️
1085/// ```
1086/// The recommended way to write this code is to avoid relying on lifetime extension
1087/// when raw pointers are involved:
1088/// ```rust
1089/// # use std::ptr;
1090/// # type T = i32;
1091/// # fn foo() -> T { 42 }
1092/// let x = foo();
1093/// let p = ptr::from_ref(&x);
1094/// unsafe { p.read() };
1095/// ```
1096#[inline(always)]
1097#[must_use]
1098#[stable(feature = "ptr_from_ref", since = "1.76.0")]
1099#[rustc_const_stable(feature = "ptr_from_ref", since = "1.76.0")]
1100#[rustc_never_returns_null_ptr]
1101#[rustc_diagnostic_item = "ptr_from_ref"]
1102#[cfg(not(feature = "ferrocene_certified"))]
1103pub const fn from_ref<T: PointeeSized>(r: &T) -> *const T {
1104    r
1105}
1106
1107/// Converts a mutable reference to a raw pointer.
1108///
1109/// For `r: &mut T`, `from_mut(r)` is equivalent to `r as *mut T` (except for the caveat noted
1110/// below), but is a bit safer since it will never silently change type or mutability, in particular
1111/// if the code is refactored.
1112///
1113/// The caller must ensure that the pointee outlives the pointer this function returns, or else it
1114/// will end up dangling.
1115///
1116/// ## Interaction with lifetime extension
1117///
1118/// Note that this has subtle interactions with the rules for lifetime extension of temporaries in
1119/// tail expressions. This code is valid, albeit in a non-obvious way:
1120/// ```rust
1121/// # type T = i32;
1122/// # fn foo() -> T { 42 }
1123/// // The temporary holding the return value of `foo` has its lifetime extended,
1124/// // because the surrounding expression involves no function call.
1125/// let p = &mut foo() as *mut T;
1126/// unsafe { p.write(T::default()) };
1127/// ```
1128/// Naively replacing the cast with `from_mut` is not valid:
1129/// ```rust,no_run
1130/// # use std::ptr;
1131/// # type T = i32;
1132/// # fn foo() -> T { 42 }
1133/// // The temporary holding the return value of `foo` does *not* have its lifetime extended,
1134/// // because the surrounding expression involves a function call.
1135/// let p = ptr::from_mut(&mut foo());
1136/// unsafe { p.write(T::default()) }; // UB! Writing to a dangling pointer ⚠️
1137/// ```
1138/// The recommended way to write this code is to avoid relying on lifetime extension
1139/// when raw pointers are involved:
1140/// ```rust
1141/// # use std::ptr;
1142/// # type T = i32;
1143/// # fn foo() -> T { 42 }
1144/// let mut x = foo();
1145/// let p = ptr::from_mut(&mut x);
1146/// unsafe { p.write(T::default()) };
1147/// ```
1148#[inline(always)]
1149#[must_use]
1150#[stable(feature = "ptr_from_ref", since = "1.76.0")]
1151#[rustc_const_stable(feature = "ptr_from_ref", since = "1.76.0")]
1152#[rustc_never_returns_null_ptr]
1153#[cfg(not(feature = "ferrocene_certified"))]
1154pub const fn from_mut<T: PointeeSized>(r: &mut T) -> *mut T {
1155    r
1156}
1157
1158/// Forms a raw slice from a pointer and a length.
1159///
1160/// The `len` argument is the number of **elements**, not the number of bytes.
1161///
1162/// This function is safe, but actually using the return value is unsafe.
1163/// See the documentation of [`slice::from_raw_parts`] for slice safety requirements.
1164///
1165/// [`slice::from_raw_parts`]: crate::slice::from_raw_parts
1166///
1167/// # Examples
1168///
1169/// ```rust
1170/// use std::ptr;
1171///
1172/// // create a slice pointer when starting out with a pointer to the first element
1173/// let x = [5, 6, 7];
1174/// let raw_pointer = x.as_ptr();
1175/// let slice = ptr::slice_from_raw_parts(raw_pointer, 3);
1176/// assert_eq!(unsafe { &*slice }[2], 7);
1177/// ```
1178///
1179/// You must ensure that the pointer is valid and not null before dereferencing
1180/// the raw slice. A slice reference must never have a null pointer, even if it's empty.
1181///
1182/// ```rust,should_panic
1183/// use std::ptr;
1184/// let danger: *const [u8] = ptr::slice_from_raw_parts(ptr::null(), 0);
1185/// unsafe {
1186///     danger.as_ref().expect("references must not be null");
1187/// }
1188/// ```
1189#[inline]
1190#[stable(feature = "slice_from_raw_parts", since = "1.42.0")]
1191#[rustc_const_stable(feature = "const_slice_from_raw_parts", since = "1.64.0")]
1192#[rustc_diagnostic_item = "ptr_slice_from_raw_parts"]
1193#[cfg(not(feature = "ferrocene_certified"))]
1194pub const fn slice_from_raw_parts<T>(data: *const T, len: usize) -> *const [T] {
1195    from_raw_parts(data, len)
1196}
1197
1198/// Forms a raw mutable slice from a pointer and a length.
1199///
1200/// The `len` argument is the number of **elements**, not the number of bytes.
1201///
1202/// Performs the same functionality as [`slice_from_raw_parts`], except that a
1203/// raw mutable slice is returned, as opposed to a raw immutable slice.
1204///
1205/// This function is safe, but actually using the return value is unsafe.
1206/// See the documentation of [`slice::from_raw_parts_mut`] for slice safety requirements.
1207///
1208/// [`slice::from_raw_parts_mut`]: crate::slice::from_raw_parts_mut
1209///
1210/// # Examples
1211///
1212/// ```rust
1213/// use std::ptr;
1214///
1215/// let x = &mut [5, 6, 7];
1216/// let raw_pointer = x.as_mut_ptr();
1217/// let slice = ptr::slice_from_raw_parts_mut(raw_pointer, 3);
1218///
1219/// unsafe {
1220///     (*slice)[2] = 99; // assign a value at an index in the slice
1221/// };
1222///
1223/// assert_eq!(unsafe { &*slice }[2], 99);
1224/// ```
1225///
1226/// You must ensure that the pointer is valid and not null before dereferencing
1227/// the raw slice. A slice reference must never have a null pointer, even if it's empty.
1228///
1229/// ```rust,should_panic
1230/// use std::ptr;
1231/// let danger: *mut [u8] = ptr::slice_from_raw_parts_mut(ptr::null_mut(), 0);
1232/// unsafe {
1233///     danger.as_mut().expect("references must not be null");
1234/// }
1235/// ```
1236#[inline]
1237#[stable(feature = "slice_from_raw_parts", since = "1.42.0")]
1238#[rustc_const_stable(feature = "const_slice_from_raw_parts_mut", since = "1.83.0")]
1239#[rustc_diagnostic_item = "ptr_slice_from_raw_parts_mut"]
1240#[cfg(not(feature = "ferrocene_certified"))]
1241pub const fn slice_from_raw_parts_mut<T>(data: *mut T, len: usize) -> *mut [T] {
1242    from_raw_parts_mut(data, len)
1243}
1244
1245/// Swaps the values at two mutable locations of the same type, without
1246/// deinitializing either.
1247///
1248/// But for the following exceptions, this function is semantically
1249/// equivalent to [`mem::swap`]:
1250///
1251/// * It operates on raw pointers instead of references. When references are
1252///   available, [`mem::swap`] should be preferred.
1253///
1254/// * The two pointed-to values may overlap. If the values do overlap, then the
1255///   overlapping region of memory from `x` will be used. This is demonstrated
1256///   in the second example below.
1257///
1258/// * The operation is "untyped" in the sense that data may be uninitialized or otherwise violate
1259///   the requirements of `T`. The initialization state is preserved exactly.
1260///
1261/// # Safety
1262///
1263/// Behavior is undefined if any of the following conditions are violated:
1264///
1265/// * Both `x` and `y` must be [valid] for both reads and writes. They must remain valid even when the
1266///   other pointer is written. (This means if the memory ranges overlap, the two pointers must not
1267///   be subject to aliasing restrictions relative to each other.)
1268///
1269/// * Both `x` and `y` must be properly aligned.
1270///
1271/// Note that even if `T` has size `0`, the pointers must be properly aligned.
1272///
1273/// [valid]: self#safety
1274///
1275/// # Examples
1276///
1277/// Swapping two non-overlapping regions:
1278///
1279/// ```
1280/// use std::ptr;
1281///
1282/// let mut array = [0, 1, 2, 3];
1283///
1284/// let (x, y) = array.split_at_mut(2);
1285/// let x = x.as_mut_ptr().cast::<[u32; 2]>(); // this is `array[0..2]`
1286/// let y = y.as_mut_ptr().cast::<[u32; 2]>(); // this is `array[2..4]`
1287///
1288/// unsafe {
1289///     ptr::swap(x, y);
1290///     assert_eq!([2, 3, 0, 1], array);
1291/// }
1292/// ```
1293///
1294/// Swapping two overlapping regions:
1295///
1296/// ```
1297/// use std::ptr;
1298///
1299/// let mut array: [i32; 4] = [0, 1, 2, 3];
1300///
1301/// let array_ptr: *mut i32 = array.as_mut_ptr();
1302///
1303/// let x = array_ptr as *mut [i32; 3]; // this is `array[0..3]`
1304/// let y = unsafe { array_ptr.add(1) } as *mut [i32; 3]; // this is `array[1..4]`
1305///
1306/// unsafe {
1307///     ptr::swap(x, y);
1308///     // The indices `1..3` of the slice overlap between `x` and `y`.
1309///     // Reasonable results would be for to them be `[2, 3]`, so that indices `0..3` are
1310///     // `[1, 2, 3]` (matching `y` before the `swap`); or for them to be `[0, 1]`
1311///     // so that indices `1..4` are `[0, 1, 2]` (matching `x` before the `swap`).
1312///     // This implementation is defined to make the latter choice.
1313///     assert_eq!([1, 0, 1, 2], array);
1314/// }
1315/// ```
1316#[inline]
1317#[stable(feature = "rust1", since = "1.0.0")]
1318#[rustc_const_stable(feature = "const_swap", since = "1.85.0")]
1319#[rustc_diagnostic_item = "ptr_swap"]
1320#[cfg(not(feature = "ferrocene_certified"))]
1321pub const unsafe fn swap<T>(x: *mut T, y: *mut T) {
1322    // Give ourselves some scratch space to work with.
1323    // We do not have to worry about drops: `MaybeUninit` does nothing when dropped.
1324    let mut tmp = MaybeUninit::<T>::uninit();
1325
1326    // Perform the swap
1327    // SAFETY: the caller must guarantee that `x` and `y` are
1328    // valid for writes and properly aligned. `tmp` cannot be
1329    // overlapping either `x` or `y` because `tmp` was just allocated
1330    // on the stack as a separate allocation.
1331    unsafe {
1332        copy_nonoverlapping(x, tmp.as_mut_ptr(), 1);
1333        copy(y, x, 1); // `x` and `y` may overlap
1334        copy_nonoverlapping(tmp.as_ptr(), y, 1);
1335    }
1336}
1337
1338/// Swaps `count * size_of::<T>()` bytes between the two regions of memory
1339/// beginning at `x` and `y`. The two regions must *not* overlap.
1340///
1341/// The operation is "untyped" in the sense that data may be uninitialized or otherwise violate the
1342/// requirements of `T`. The initialization state is preserved exactly.
1343///
1344/// # Safety
1345///
1346/// Behavior is undefined if any of the following conditions are violated:
1347///
1348/// * Both `x` and `y` must be [valid] for both reads and writes of `count *
1349///   size_of::<T>()` bytes.
1350///
1351/// * Both `x` and `y` must be properly aligned.
1352///
1353/// * The region of memory beginning at `x` with a size of `count *
1354///   size_of::<T>()` bytes must *not* overlap with the region of memory
1355///   beginning at `y` with the same size.
1356///
1357/// Note that even if the effectively copied size (`count * size_of::<T>()`) is `0`,
1358/// the pointers must be properly aligned.
1359///
1360/// [valid]: self#safety
1361///
1362/// # Examples
1363///
1364/// Basic usage:
1365///
1366/// ```
1367/// use std::ptr;
1368///
1369/// let mut x = [1, 2, 3, 4];
1370/// let mut y = [7, 8, 9];
1371///
1372/// unsafe {
1373///     ptr::swap_nonoverlapping(x.as_mut_ptr(), y.as_mut_ptr(), 2);
1374/// }
1375///
1376/// assert_eq!(x, [7, 8, 3, 4]);
1377/// assert_eq!(y, [1, 2, 9]);
1378/// ```
1379#[inline]
1380#[stable(feature = "swap_nonoverlapping", since = "1.27.0")]
1381#[rustc_const_stable(feature = "const_swap_nonoverlapping", since = "1.88.0")]
1382#[rustc_diagnostic_item = "ptr_swap_nonoverlapping"]
1383#[rustc_allow_const_fn_unstable(const_eval_select)] // both implementations behave the same
1384#[track_caller]
1385#[cfg(not(feature = "ferrocene_certified"))]
1386pub const unsafe fn swap_nonoverlapping<T>(x: *mut T, y: *mut T, count: usize) {
1387    ub_checks::assert_unsafe_precondition!(
1388        check_library_ub,
1389        "ptr::swap_nonoverlapping requires that both pointer arguments are aligned and non-null \
1390        and the specified memory ranges do not overlap",
1391        (
1392            x: *mut () = x as *mut (),
1393            y: *mut () = y as *mut (),
1394            size: usize = size_of::<T>(),
1395            align: usize = align_of::<T>(),
1396            count: usize = count,
1397        ) => {
1398            let zero_size = size == 0 || count == 0;
1399            ub_checks::maybe_is_aligned_and_not_null(x, align, zero_size)
1400                && ub_checks::maybe_is_aligned_and_not_null(y, align, zero_size)
1401                && ub_checks::maybe_is_nonoverlapping(x, y, size, count)
1402        }
1403    );
1404
1405    const_eval_select!(
1406        @capture[T] { x: *mut T, y: *mut T, count: usize }:
1407        if const {
1408            // At compile-time we don't need all the special code below.
1409            // SAFETY: Same preconditions as this function
1410            unsafe { swap_nonoverlapping_const(x, y, count) }
1411        } else {
1412            // Going though a slice here helps codegen know the size fits in `isize`
1413            let slice = slice_from_raw_parts_mut(x, count);
1414            // SAFETY: This is all readable from the pointer, meaning it's one
1415            // allocation, and thus cannot be more than isize::MAX bytes.
1416            let bytes = unsafe { mem::size_of_val_raw::<[T]>(slice) };
1417            if let Some(bytes) = NonZero::new(bytes) {
1418                // SAFETY: These are the same ranges, just expressed in a different
1419                // type, so they're still non-overlapping.
1420                unsafe { swap_nonoverlapping_bytes(x.cast(), y.cast(), bytes) };
1421            }
1422        }
1423    )
1424}
1425
1426/// Same behavior and safety conditions as [`swap_nonoverlapping`]
1427#[inline]
1428#[cfg(not(feature = "ferrocene_certified"))]
1429const unsafe fn swap_nonoverlapping_const<T>(x: *mut T, y: *mut T, count: usize) {
1430    let mut i = 0;
1431    while i < count {
1432        // SAFETY: By precondition, `i` is in-bounds because it's below `n`
1433        let x = unsafe { x.add(i) };
1434        // SAFETY: By precondition, `i` is in-bounds because it's below `n`
1435        // and it's distinct from `x` since the ranges are non-overlapping
1436        let y = unsafe { y.add(i) };
1437
1438        // SAFETY: we're only ever given pointers that are valid to read/write,
1439        // including being aligned, and nothing here panics so it's drop-safe.
1440        unsafe {
1441            // Note that it's critical that these use `copy_nonoverlapping`,
1442            // rather than `read`/`write`, to avoid #134713 if T has padding.
1443            let mut temp = MaybeUninit::<T>::uninit();
1444            copy_nonoverlapping(x, temp.as_mut_ptr(), 1);
1445            copy_nonoverlapping(y, x, 1);
1446            copy_nonoverlapping(temp.as_ptr(), y, 1);
1447        }
1448
1449        i += 1;
1450    }
1451}
1452
1453// Don't let MIR inline this, because we really want it to keep its noalias metadata
1454#[rustc_no_mir_inline]
1455#[inline]
1456#[cfg(not(feature = "ferrocene_certified"))]
1457fn swap_chunk<const N: usize>(x: &mut MaybeUninit<[u8; N]>, y: &mut MaybeUninit<[u8; N]>) {
1458    let a = *x;
1459    let b = *y;
1460    *x = b;
1461    *y = a;
1462}
1463
1464#[inline]
1465#[cfg(not(feature = "ferrocene_certified"))]
1466unsafe fn swap_nonoverlapping_bytes(x: *mut u8, y: *mut u8, bytes: NonZero<usize>) {
1467    // Same as `swap_nonoverlapping::<[u8; N]>`.
1468    unsafe fn swap_nonoverlapping_chunks<const N: usize>(
1469        x: *mut MaybeUninit<[u8; N]>,
1470        y: *mut MaybeUninit<[u8; N]>,
1471        chunks: NonZero<usize>,
1472    ) {
1473        let chunks = chunks.get();
1474        for i in 0..chunks {
1475            // SAFETY: i is in [0, chunks) so the adds and dereferences are in-bounds.
1476            unsafe { swap_chunk(&mut *x.add(i), &mut *y.add(i)) };
1477        }
1478    }
1479
1480    // Same as `swap_nonoverlapping_bytes`, but accepts at most 1+2+4=7 bytes
1481    #[inline]
1482    unsafe fn swap_nonoverlapping_short(x: *mut u8, y: *mut u8, bytes: NonZero<usize>) {
1483        // Tail handling for auto-vectorized code sometimes has element-at-a-time behaviour,
1484        // see <https://github.com/rust-lang/rust/issues/134946>.
1485        // By swapping as different sizes, rather than as a loop over bytes,
1486        // we make sure not to end up with, say, seven byte-at-a-time copies.
1487
1488        let bytes = bytes.get();
1489        let mut i = 0;
1490        macro_rules! swap_prefix {
1491            ($($n:literal)+) => {$(
1492                if (bytes & $n) != 0 {
1493                    // SAFETY: `i` can only have the same bits set as those in bytes,
1494                    // so these `add`s are in-bounds of `bytes`.  But the bit for
1495                    // `$n` hasn't been set yet, so the `$n` bytes that `swap_chunk`
1496                    // will read and write are within the usable range.
1497                    unsafe { swap_chunk::<$n>(&mut*x.add(i).cast(), &mut*y.add(i).cast()) };
1498                    i |= $n;
1499                }
1500            )+};
1501        }
1502        swap_prefix!(4 2 1);
1503        debug_assert_eq!(i, bytes);
1504    }
1505
1506    const CHUNK_SIZE: usize = size_of::<*const ()>();
1507    let bytes = bytes.get();
1508
1509    let chunks = bytes / CHUNK_SIZE;
1510    let tail = bytes % CHUNK_SIZE;
1511    if let Some(chunks) = NonZero::new(chunks) {
1512        // SAFETY: this is bytes/CHUNK_SIZE*CHUNK_SIZE bytes, which is <= bytes,
1513        // so it's within the range of our non-overlapping bytes.
1514        unsafe { swap_nonoverlapping_chunks::<CHUNK_SIZE>(x.cast(), y.cast(), chunks) };
1515    }
1516    if let Some(tail) = NonZero::new(tail) {
1517        const { assert!(CHUNK_SIZE <= 8) };
1518        let delta = chunks * CHUNK_SIZE;
1519        // SAFETY: the tail length is below CHUNK SIZE because of the remainder,
1520        // and CHUNK_SIZE is at most 8 by the const assert, so tail <= 7
1521        unsafe { swap_nonoverlapping_short(x.add(delta), y.add(delta), tail) };
1522    }
1523}
1524
1525/// Moves `src` into the pointed `dst`, returning the previous `dst` value.
1526///
1527/// Neither value is dropped.
1528///
1529/// This function is semantically equivalent to [`mem::replace`] except that it
1530/// operates on raw pointers instead of references. When references are
1531/// available, [`mem::replace`] should be preferred.
1532///
1533/// # Safety
1534///
1535/// Behavior is undefined if any of the following conditions are violated:
1536///
1537/// * `dst` must be [valid] for both reads and writes.
1538///
1539/// * `dst` must be properly aligned.
1540///
1541/// * `dst` must point to a properly initialized value of type `T`.
1542///
1543/// Note that even if `T` has size `0`, the pointer must be properly aligned.
1544///
1545/// [valid]: self#safety
1546///
1547/// # Examples
1548///
1549/// ```
1550/// use std::ptr;
1551///
1552/// let mut rust = vec!['b', 'u', 's', 't'];
1553///
1554/// // `mem::replace` would have the same effect without requiring the unsafe
1555/// // block.
1556/// let b = unsafe {
1557///     ptr::replace(&mut rust[0], 'r')
1558/// };
1559///
1560/// assert_eq!(b, 'b');
1561/// assert_eq!(rust, &['r', 'u', 's', 't']);
1562/// ```
1563#[inline]
1564#[stable(feature = "rust1", since = "1.0.0")]
1565#[rustc_const_stable(feature = "const_replace", since = "1.83.0")]
1566#[rustc_diagnostic_item = "ptr_replace"]
1567#[track_caller]
1568#[cfg(not(feature = "ferrocene_certified"))]
1569pub const unsafe fn replace<T>(dst: *mut T, src: T) -> T {
1570    // SAFETY: the caller must guarantee that `dst` is valid to be
1571    // cast to a mutable reference (valid for writes, aligned, initialized),
1572    // and cannot overlap `src` since `dst` must point to a distinct
1573    // allocation.
1574    unsafe {
1575        ub_checks::assert_unsafe_precondition!(
1576            check_language_ub,
1577            "ptr::replace requires that the pointer argument is aligned and non-null",
1578            (
1579                addr: *const () = dst as *const (),
1580                align: usize = align_of::<T>(),
1581                is_zst: bool = T::IS_ZST,
1582            ) => ub_checks::maybe_is_aligned_and_not_null(addr, align, is_zst)
1583        );
1584        mem::replace(&mut *dst, src)
1585    }
1586}
1587
1588/// Reads the value from `src` without moving it. This leaves the
1589/// memory in `src` unchanged.
1590///
1591/// # Safety
1592///
1593/// Behavior is undefined if any of the following conditions are violated:
1594///
1595/// * `src` must be [valid] for reads.
1596///
1597/// * `src` must be properly aligned. Use [`read_unaligned`] if this is not the
1598///   case.
1599///
1600/// * `src` must point to a properly initialized value of type `T`.
1601///
1602/// Note that even if `T` has size `0`, the pointer must be properly aligned.
1603///
1604/// # Examples
1605///
1606/// Basic usage:
1607///
1608/// ```
1609/// let x = 12;
1610/// let y = &x as *const i32;
1611///
1612/// unsafe {
1613///     assert_eq!(std::ptr::read(y), 12);
1614/// }
1615/// ```
1616///
1617/// Manually implement [`mem::swap`]:
1618///
1619/// ```
1620/// use std::ptr;
1621///
1622/// fn swap<T>(a: &mut T, b: &mut T) {
1623///     unsafe {
1624///         // Create a bitwise copy of the value at `a` in `tmp`.
1625///         let tmp = ptr::read(a);
1626///
1627///         // Exiting at this point (either by explicitly returning or by
1628///         // calling a function which panics) would cause the value in `tmp` to
1629///         // be dropped while the same value is still referenced by `a`. This
1630///         // could trigger undefined behavior if `T` is not `Copy`.
1631///
1632///         // Create a bitwise copy of the value at `b` in `a`.
1633///         // This is safe because mutable references cannot alias.
1634///         ptr::copy_nonoverlapping(b, a, 1);
1635///
1636///         // As above, exiting here could trigger undefined behavior because
1637///         // the same value is referenced by `a` and `b`.
1638///
1639///         // Move `tmp` into `b`.
1640///         ptr::write(b, tmp);
1641///
1642///         // `tmp` has been moved (`write` takes ownership of its second argument),
1643///         // so nothing is dropped implicitly here.
1644///     }
1645/// }
1646///
1647/// let mut foo = "foo".to_owned();
1648/// let mut bar = "bar".to_owned();
1649///
1650/// swap(&mut foo, &mut bar);
1651///
1652/// assert_eq!(foo, "bar");
1653/// assert_eq!(bar, "foo");
1654/// ```
1655///
1656/// ## Ownership of the Returned Value
1657///
1658/// `read` creates a bitwise copy of `T`, regardless of whether `T` is [`Copy`].
1659/// If `T` is not [`Copy`], using both the returned value and the value at
1660/// `*src` can violate memory safety. Note that assigning to `*src` counts as a
1661/// use because it will attempt to drop the value at `*src`.
1662///
1663/// [`write()`] can be used to overwrite data without causing it to be dropped.
1664///
1665/// ```
1666/// use std::ptr;
1667///
1668/// let mut s = String::from("foo");
1669/// unsafe {
1670///     // `s2` now points to the same underlying memory as `s`.
1671///     let mut s2: String = ptr::read(&s);
1672///
1673///     assert_eq!(s2, "foo");
1674///
1675///     // Assigning to `s2` causes its original value to be dropped. Beyond
1676///     // this point, `s` must no longer be used, as the underlying memory has
1677///     // been freed.
1678///     s2 = String::default();
1679///     assert_eq!(s2, "");
1680///
1681///     // Assigning to `s` would cause the old value to be dropped again,
1682///     // resulting in undefined behavior.
1683///     // s = String::from("bar"); // ERROR
1684///
1685///     // `ptr::write` can be used to overwrite a value without dropping it.
1686///     ptr::write(&mut s, String::from("bar"));
1687/// }
1688///
1689/// assert_eq!(s, "bar");
1690/// ```
1691///
1692/// [valid]: self#safety
1693#[inline]
1694#[stable(feature = "rust1", since = "1.0.0")]
1695#[rustc_const_stable(feature = "const_ptr_read", since = "1.71.0")]
1696#[track_caller]
1697#[rustc_diagnostic_item = "ptr_read"]
1698pub const unsafe fn read<T>(src: *const T) -> T {
1699    // It would be semantically correct to implement this via `copy_nonoverlapping`
1700    // and `MaybeUninit`, as was done before PR #109035. Calling `assume_init`
1701    // provides enough information to know that this is a typed operation.
1702
1703    // However, as of March 2023 the compiler was not capable of taking advantage
1704    // of that information. Thus, the implementation here switched to an intrinsic,
1705    // which lowers to `_0 = *src` in MIR, to address a few issues:
1706    //
1707    // - Using `MaybeUninit::assume_init` after a `copy_nonoverlapping` was not
1708    //   turning the untyped copy into a typed load. As such, the generated
1709    //   `load` in LLVM didn't get various metadata, such as `!range` (#73258),
1710    //   `!nonnull`, and `!noundef`, resulting in poorer optimization.
1711    // - Going through the extra local resulted in multiple extra copies, even
1712    //   in optimized MIR.  (Ignoring StorageLive/Dead, the intrinsic is one
1713    //   MIR statement, while the previous implementation was eight.)  LLVM
1714    //   could sometimes optimize them away, but because `read` is at the core
1715    //   of so many things, not having them in the first place improves what we
1716    //   hand off to the backend.  For example, `mem::replace::<Big>` previously
1717    //   emitted 4 `alloca` and 6 `memcpy`s, but is now 1 `alloc` and 3 `memcpy`s.
1718    // - In general, this approach keeps us from getting any more bugs (like
1719    //   #106369) that boil down to "`read(p)` is worse than `*p`", as this
1720    //   makes them look identical to the backend (or other MIR consumers).
1721    //
1722    // Future enhancements to MIR optimizations might well allow this to return
1723    // to the previous implementation, rather than using an intrinsic.
1724
1725    // SAFETY: the caller must guarantee that `src` is valid for reads.
1726    unsafe {
1727        #[cfg(debug_assertions)] // Too expensive to always enable (for now?)
1728        ub_checks::assert_unsafe_precondition!(
1729            check_language_ub,
1730            "ptr::read requires that the pointer argument is aligned and non-null",
1731            (
1732                addr: *const () = src as *const (),
1733                align: usize = align_of::<T>(),
1734                is_zst: bool = T::IS_ZST,
1735            ) => ub_checks::maybe_is_aligned_and_not_null(addr, align, is_zst)
1736        );
1737        crate::intrinsics::read_via_copy(src)
1738    }
1739}
1740
1741/// Reads the value from `src` without moving it. This leaves the
1742/// memory in `src` unchanged.
1743///
1744/// Unlike [`read`], `read_unaligned` works with unaligned pointers.
1745///
1746/// # Safety
1747///
1748/// Behavior is undefined if any of the following conditions are violated:
1749///
1750/// * `src` must be [valid] for reads.
1751///
1752/// * `src` must point to a properly initialized value of type `T`.
1753///
1754/// Like [`read`], `read_unaligned` creates a bitwise copy of `T`, regardless of
1755/// whether `T` is [`Copy`]. If `T` is not [`Copy`], using both the returned
1756/// value and the value at `*src` can [violate memory safety][read-ownership].
1757///
1758/// [read-ownership]: read#ownership-of-the-returned-value
1759/// [valid]: self#safety
1760///
1761/// ## On `packed` structs
1762///
1763/// Attempting to create a raw pointer to an `unaligned` struct field with
1764/// an expression such as `&packed.unaligned as *const FieldType` creates an
1765/// intermediate unaligned reference before converting that to a raw pointer.
1766/// That this reference is temporary and immediately cast is inconsequential
1767/// as the compiler always expects references to be properly aligned.
1768/// As a result, using `&packed.unaligned as *const FieldType` causes immediate
1769/// *undefined behavior* in your program.
1770///
1771/// Instead you must use the `&raw const` syntax to create the pointer.
1772/// You may use that constructed pointer together with this function.
1773///
1774/// An example of what not to do and how this relates to `read_unaligned` is:
1775///
1776/// ```
1777/// #[repr(packed, C)]
1778/// struct Packed {
1779///     _padding: u8,
1780///     unaligned: u32,
1781/// }
1782///
1783/// let packed = Packed {
1784///     _padding: 0x00,
1785///     unaligned: 0x01020304,
1786/// };
1787///
1788/// // Take the address of a 32-bit integer which is not aligned.
1789/// // In contrast to `&packed.unaligned as *const _`, this has no undefined behavior.
1790/// let unaligned = &raw const packed.unaligned;
1791///
1792/// let v = unsafe { std::ptr::read_unaligned(unaligned) };
1793/// assert_eq!(v, 0x01020304);
1794/// ```
1795///
1796/// Accessing unaligned fields directly with e.g. `packed.unaligned` is safe however.
1797///
1798/// # Examples
1799///
1800/// Read a `usize` value from a byte buffer:
1801///
1802/// ```
1803/// fn read_usize(x: &[u8]) -> usize {
1804///     assert!(x.len() >= size_of::<usize>());
1805///
1806///     let ptr = x.as_ptr() as *const usize;
1807///
1808///     unsafe { ptr.read_unaligned() }
1809/// }
1810/// ```
1811#[inline]
1812#[stable(feature = "ptr_unaligned", since = "1.17.0")]
1813#[rustc_const_stable(feature = "const_ptr_read", since = "1.71.0")]
1814#[track_caller]
1815#[rustc_diagnostic_item = "ptr_read_unaligned"]
1816#[cfg(not(feature = "ferrocene_certified"))]
1817pub const unsafe fn read_unaligned<T>(src: *const T) -> T {
1818    let mut tmp = MaybeUninit::<T>::uninit();
1819    // SAFETY: the caller must guarantee that `src` is valid for reads.
1820    // `src` cannot overlap `tmp` because `tmp` was just allocated on
1821    // the stack as a separate allocation.
1822    //
1823    // Also, since we just wrote a valid value into `tmp`, it is guaranteed
1824    // to be properly initialized.
1825    unsafe {
1826        copy_nonoverlapping(src as *const u8, tmp.as_mut_ptr() as *mut u8, size_of::<T>());
1827        tmp.assume_init()
1828    }
1829}
1830
1831/// Overwrites a memory location with the given value without reading or
1832/// dropping the old value.
1833///
1834/// `write` does not drop the contents of `dst`. This is safe, but it could leak
1835/// allocations or resources, so care should be taken not to overwrite an object
1836/// that should be dropped.
1837///
1838/// Additionally, it does not drop `src`. Semantically, `src` is moved into the
1839/// location pointed to by `dst`.
1840///
1841/// This is appropriate for initializing uninitialized memory, or overwriting
1842/// memory that has previously been [`read`] from.
1843///
1844/// # Safety
1845///
1846/// Behavior is undefined if any of the following conditions are violated:
1847///
1848/// * `dst` must be [valid] for writes.
1849///
1850/// * `dst` must be properly aligned. Use [`write_unaligned`] if this is not the
1851///   case.
1852///
1853/// Note that even if `T` has size `0`, the pointer must be properly aligned.
1854///
1855/// [valid]: self#safety
1856///
1857/// # Examples
1858///
1859/// Basic usage:
1860///
1861/// ```
1862/// let mut x = 0;
1863/// let y = &mut x as *mut i32;
1864/// let z = 12;
1865///
1866/// unsafe {
1867///     std::ptr::write(y, z);
1868///     assert_eq!(std::ptr::read(y), 12);
1869/// }
1870/// ```
1871///
1872/// Manually implement [`mem::swap`]:
1873///
1874/// ```
1875/// use std::ptr;
1876///
1877/// fn swap<T>(a: &mut T, b: &mut T) {
1878///     unsafe {
1879///         // Create a bitwise copy of the value at `a` in `tmp`.
1880///         let tmp = ptr::read(a);
1881///
1882///         // Exiting at this point (either by explicitly returning or by
1883///         // calling a function which panics) would cause the value in `tmp` to
1884///         // be dropped while the same value is still referenced by `a`. This
1885///         // could trigger undefined behavior if `T` is not `Copy`.
1886///
1887///         // Create a bitwise copy of the value at `b` in `a`.
1888///         // This is safe because mutable references cannot alias.
1889///         ptr::copy_nonoverlapping(b, a, 1);
1890///
1891///         // As above, exiting here could trigger undefined behavior because
1892///         // the same value is referenced by `a` and `b`.
1893///
1894///         // Move `tmp` into `b`.
1895///         ptr::write(b, tmp);
1896///
1897///         // `tmp` has been moved (`write` takes ownership of its second argument),
1898///         // so nothing is dropped implicitly here.
1899///     }
1900/// }
1901///
1902/// let mut foo = "foo".to_owned();
1903/// let mut bar = "bar".to_owned();
1904///
1905/// swap(&mut foo, &mut bar);
1906///
1907/// assert_eq!(foo, "bar");
1908/// assert_eq!(bar, "foo");
1909/// ```
1910#[inline]
1911#[stable(feature = "rust1", since = "1.0.0")]
1912#[rustc_const_stable(feature = "const_ptr_write", since = "1.83.0")]
1913#[rustc_diagnostic_item = "ptr_write"]
1914#[track_caller]
1915pub const unsafe fn write<T>(dst: *mut T, src: T) {
1916    // Semantically, it would be fine for this to be implemented as a
1917    // `copy_nonoverlapping` and appropriate drop suppression of `src`.
1918
1919    // However, implementing via that currently produces more MIR than is ideal.
1920    // Using an intrinsic keeps it down to just the simple `*dst = move src` in
1921    // MIR (11 statements shorter, at the time of writing), and also allows
1922    // `src` to stay an SSA value in codegen_ssa, rather than a memory one.
1923
1924    // SAFETY: the caller must guarantee that `dst` is valid for writes.
1925    // `dst` cannot overlap `src` because the caller has mutable access
1926    // to `dst` while `src` is owned by this function.
1927    unsafe {
1928        #[cfg(debug_assertions)] // Too expensive to always enable (for now?)
1929        ub_checks::assert_unsafe_precondition!(
1930            check_language_ub,
1931            "ptr::write requires that the pointer argument is aligned and non-null",
1932            (
1933                addr: *mut () = dst as *mut (),
1934                align: usize = align_of::<T>(),
1935                is_zst: bool = T::IS_ZST,
1936            ) => ub_checks::maybe_is_aligned_and_not_null(addr, align, is_zst)
1937        );
1938        intrinsics::write_via_move(dst, src)
1939    }
1940}
1941
1942/// Overwrites a memory location with the given value without reading or
1943/// dropping the old value.
1944///
1945/// Unlike [`write()`], the pointer may be unaligned.
1946///
1947/// `write_unaligned` does not drop the contents of `dst`. This is safe, but it
1948/// could leak allocations or resources, so care should be taken not to overwrite
1949/// an object that should be dropped.
1950///
1951/// Additionally, it does not drop `src`. Semantically, `src` is moved into the
1952/// location pointed to by `dst`.
1953///
1954/// This is appropriate for initializing uninitialized memory, or overwriting
1955/// memory that has previously been read with [`read_unaligned`].
1956///
1957/// # Safety
1958///
1959/// Behavior is undefined if any of the following conditions are violated:
1960///
1961/// * `dst` must be [valid] for writes.
1962///
1963/// [valid]: self#safety
1964///
1965/// ## On `packed` structs
1966///
1967/// Attempting to create a raw pointer to an `unaligned` struct field with
1968/// an expression such as `&packed.unaligned as *const FieldType` creates an
1969/// intermediate unaligned reference before converting that to a raw pointer.
1970/// That this reference is temporary and immediately cast is inconsequential
1971/// as the compiler always expects references to be properly aligned.
1972/// As a result, using `&packed.unaligned as *const FieldType` causes immediate
1973/// *undefined behavior* in your program.
1974///
1975/// Instead, you must use the `&raw mut` syntax to create the pointer.
1976/// You may use that constructed pointer together with this function.
1977///
1978/// An example of how to do it and how this relates to `write_unaligned` is:
1979///
1980/// ```
1981/// #[repr(packed, C)]
1982/// struct Packed {
1983///     _padding: u8,
1984///     unaligned: u32,
1985/// }
1986///
1987/// let mut packed: Packed = unsafe { std::mem::zeroed() };
1988///
1989/// // Take the address of a 32-bit integer which is not aligned.
1990/// // In contrast to `&packed.unaligned as *mut _`, this has no undefined behavior.
1991/// let unaligned = &raw mut packed.unaligned;
1992///
1993/// unsafe { std::ptr::write_unaligned(unaligned, 42) };
1994///
1995/// assert_eq!({packed.unaligned}, 42); // `{...}` forces copying the field instead of creating a reference.
1996/// ```
1997///
1998/// Accessing unaligned fields directly with e.g. `packed.unaligned` is safe however
1999/// (as can be seen in the `assert_eq!` above).
2000///
2001/// # Examples
2002///
2003/// Write a `usize` value to a byte buffer:
2004///
2005/// ```
2006/// fn write_usize(x: &mut [u8], val: usize) {
2007///     assert!(x.len() >= size_of::<usize>());
2008///
2009///     let ptr = x.as_mut_ptr() as *mut usize;
2010///
2011///     unsafe { ptr.write_unaligned(val) }
2012/// }
2013/// ```
2014#[inline]
2015#[stable(feature = "ptr_unaligned", since = "1.17.0")]
2016#[rustc_const_stable(feature = "const_ptr_write", since = "1.83.0")]
2017#[rustc_diagnostic_item = "ptr_write_unaligned"]
2018#[track_caller]
2019#[cfg(not(feature = "ferrocene_certified"))]
2020pub const unsafe fn write_unaligned<T>(dst: *mut T, src: T) {
2021    // SAFETY: the caller must guarantee that `dst` is valid for writes.
2022    // `dst` cannot overlap `src` because the caller has mutable access
2023    // to `dst` while `src` is owned by this function.
2024    unsafe {
2025        copy_nonoverlapping((&raw const src) as *const u8, dst as *mut u8, size_of::<T>());
2026        // We are calling the intrinsic directly to avoid function calls in the generated code.
2027        intrinsics::forget(src);
2028    }
2029}
2030
2031/// Performs a volatile read of the value from `src` without moving it.
2032///
2033/// Volatile operations are intended to act on I/O memory. As such, they are considered externally
2034/// observable events (just like syscalls, but less opaque), and are guaranteed to not be elided or
2035/// reordered by the compiler across other externally observable events. With this in mind, there
2036/// are two cases of usage that need to be distinguished:
2037///
2038/// - When a volatile operation is used for memory inside an [allocation], it behaves exactly like
2039///   [`read`], except for the additional guarantee that it won't be elided or reordered (see
2040///   above). This implies that the operation will actually access memory and not e.g. be lowered to
2041///   reusing data from a previous read. Other than that, all the usual rules for memory accesses
2042///   apply (including provenance).  In particular, just like in C, whether an operation is volatile
2043///   has no bearing whatsoever on questions involving concurrent accesses from multiple threads.
2044///   Volatile accesses behave exactly like non-atomic accesses in that regard.
2045///
2046/// - Volatile operations, however, may also be used to access memory that is _outside_ of any Rust
2047///   allocation. In this use-case, the pointer does *not* have to be [valid] for reads. This is
2048///   typically used for CPU and peripheral registers that must be accessed via an I/O memory
2049///   mapping, most commonly at fixed addresses reserved by the hardware. These often have special
2050///   semantics associated to their manipulation, and cannot be used as general purpose memory.
2051///   Here, any address value is possible, including 0 and [`usize::MAX`], so long as the semantics
2052///   of such a read are well-defined by the target hardware. The provenance of the pointer is
2053///   irrelevant, and it can be created with [`without_provenance`]. The access must not trap. It
2054///   can cause side-effects, but those must not affect Rust-allocated memory in any way. This
2055///   access is still not considered [atomic], and as such it cannot be used for inter-thread
2056///   synchronization.
2057///
2058/// Note that volatile memory operations where T is a zero-sized type are noops and may be ignored.
2059///
2060/// [allocation]: crate::ptr#allocated-object
2061/// [atomic]: crate::sync::atomic#memory-model-for-atomic-accesses
2062///
2063/// # Safety
2064///
2065/// Like [`read`], `read_volatile` creates a bitwise copy of `T`, regardless of whether `T` is
2066/// [`Copy`]. If `T` is not [`Copy`], using both the returned value and the value at `*src` can
2067/// [violate memory safety][read-ownership]. However, storing non-[`Copy`] types in volatile memory
2068/// is almost certainly incorrect.
2069///
2070/// Behavior is undefined if any of the following conditions are violated:
2071///
2072/// * `src` must be either [valid] for reads, or it must point to memory outside of all Rust
2073///   allocations and reading from that memory must:
2074///   - not trap, and
2075///   - not cause any memory inside a Rust allocation to be modified.
2076///
2077/// * `src` must be properly aligned.
2078///
2079/// * Reading from `src` must produce a properly initialized value of type `T`.
2080///
2081/// Note that even if `T` has size `0`, the pointer must be properly aligned.
2082///
2083/// [valid]: self#safety
2084/// [read-ownership]: read#ownership-of-the-returned-value
2085///
2086/// # Examples
2087///
2088/// Basic usage:
2089///
2090/// ```
2091/// let x = 12;
2092/// let y = &x as *const i32;
2093///
2094/// unsafe {
2095///     assert_eq!(std::ptr::read_volatile(y), 12);
2096/// }
2097/// ```
2098#[inline]
2099#[stable(feature = "volatile", since = "1.9.0")]
2100#[track_caller]
2101#[rustc_diagnostic_item = "ptr_read_volatile"]
2102#[cfg(not(feature = "ferrocene_certified"))]
2103pub unsafe fn read_volatile<T>(src: *const T) -> T {
2104    // SAFETY: the caller must uphold the safety contract for `volatile_load`.
2105    unsafe {
2106        ub_checks::assert_unsafe_precondition!(
2107            check_language_ub,
2108            "ptr::read_volatile requires that the pointer argument is aligned",
2109            (
2110                addr: *const () = src as *const (),
2111                align: usize = align_of::<T>(),
2112            ) => ub_checks::maybe_is_aligned(addr, align)
2113        );
2114        intrinsics::volatile_load(src)
2115    }
2116}
2117
2118/// Performs a volatile write of a memory location with the given value without reading or dropping
2119/// the old value.
2120///
2121/// Volatile operations are intended to act on I/O memory. As such, they are considered externally
2122/// observable events (just like syscalls), and are guaranteed to not be elided or reordered by the
2123/// compiler across other externally observable events. With this in mind, there are two cases of
2124/// usage that need to be distinguished:
2125///
2126/// - When a volatile operation is used for memory inside an [allocation], it behaves exactly like
2127///   [`write`][write()], except for the additional guarantee that it won't be elided or reordered
2128///   (see above). This implies that the operation will actually access memory and not e.g. be
2129///   lowered to a register access. Other than that, all the usual rules for memory accesses apply
2130///   (including provenance). In particular, just like in C, whether an operation is volatile has no
2131///   bearing whatsoever on questions involving concurrent access from multiple threads. Volatile
2132///   accesses behave exactly like non-atomic accesses in that regard.
2133///
2134/// - Volatile operations, however, may also be used to access memory that is _outside_ of any Rust
2135///   allocation. In this use-case, the pointer does *not* have to be [valid] for writes. This is
2136///   typically used for CPU and peripheral registers that must be accessed via an I/O memory
2137///   mapping, most commonly at fixed addresses reserved by the hardware. These often have special
2138///   semantics associated to their manipulation, and cannot be used as general purpose memory.
2139///   Here, any address value is possible, including 0 and [`usize::MAX`], so long as the semantics
2140///   of such a write are well-defined by the target hardware. The provenance of the pointer is
2141///   irrelevant, and it can be created with [`without_provenance`]. The access must not trap. It
2142///   can cause side-effects, but those must not affect Rust-allocated memory in any way. This
2143///   access is still not considered [atomic], and as such it cannot be used for inter-thread
2144///   synchronization.
2145///
2146/// Note that volatile memory operations on zero-sized types (e.g., if a zero-sized type is passed
2147/// to `write_volatile`) are noops and may be ignored.
2148///
2149/// `write_volatile` does not drop the contents of `dst`. This is safe, but it could leak
2150/// allocations or resources, so care should be taken not to overwrite an object that should be
2151/// dropped when operating on Rust memory. Additionally, it does not drop `src`. Semantically, `src`
2152/// is moved into the location pointed to by `dst`.
2153///
2154/// [allocation]: crate::ptr#allocated-object
2155/// [atomic]: crate::sync::atomic#memory-model-for-atomic-accesses
2156///
2157/// # Safety
2158///
2159/// Behavior is undefined if any of the following conditions are violated:
2160///
2161/// * `dst` must be either [valid] for writes, or it must point to memory outside of all Rust
2162///   allocations and writing to that memory must:
2163///   - not trap, and
2164///   - not cause any memory inside a Rust allocation to be modified.
2165///
2166/// * `dst` must be properly aligned.
2167///
2168/// Note that even if `T` has size `0`, the pointer must be properly aligned.
2169///
2170/// [valid]: self#safety
2171///
2172/// # Examples
2173///
2174/// Basic usage:
2175///
2176/// ```
2177/// let mut x = 0;
2178/// let y = &mut x as *mut i32;
2179/// let z = 12;
2180///
2181/// unsafe {
2182///     std::ptr::write_volatile(y, z);
2183///     assert_eq!(std::ptr::read_volatile(y), 12);
2184/// }
2185/// ```
2186#[inline]
2187#[stable(feature = "volatile", since = "1.9.0")]
2188#[rustc_diagnostic_item = "ptr_write_volatile"]
2189#[track_caller]
2190#[cfg(not(feature = "ferrocene_certified"))]
2191pub unsafe fn write_volatile<T>(dst: *mut T, src: T) {
2192    // SAFETY: the caller must uphold the safety contract for `volatile_store`.
2193    unsafe {
2194        ub_checks::assert_unsafe_precondition!(
2195            check_language_ub,
2196            "ptr::write_volatile requires that the pointer argument is aligned",
2197            (
2198                addr: *mut () = dst as *mut (),
2199                align: usize = align_of::<T>(),
2200            ) => ub_checks::maybe_is_aligned(addr, align)
2201        );
2202        intrinsics::volatile_store(dst, src);
2203    }
2204}
2205
2206/// Align pointer `p`.
2207///
2208/// Calculate offset (in terms of elements of `size_of::<T>()` stride) that has to be applied
2209/// to pointer `p` so that pointer `p` would get aligned to `a`.
2210///
2211/// # Safety
2212/// `a` must be a power of two.
2213///
2214/// # Notes
2215/// This implementation has been carefully tailored to not panic. It is UB for this to panic.
2216/// The only real change that can be made here is change of `INV_TABLE_MOD_16` and associated
2217/// constants.
2218///
2219/// If we ever decide to make it possible to call the intrinsic with `a` that is not a
2220/// power-of-two, it will probably be more prudent to just change to a naive implementation rather
2221/// than trying to adapt this to accommodate that change.
2222///
2223/// Any questions go to @nagisa.
2224#[allow(ptr_to_integer_transmute_in_consts)]
2225#[cfg(not(feature = "ferrocene_certified"))]
2226pub(crate) unsafe fn align_offset<T: Sized>(p: *const T, a: usize) -> usize {
2227    // FIXME(#75598): Direct use of these intrinsics improves codegen significantly at opt-level <=
2228    // 1, where the method versions of these operations are not inlined.
2229    use intrinsics::{
2230        assume, cttz_nonzero, exact_div, mul_with_overflow, unchecked_rem, unchecked_shl,
2231        unchecked_shr, unchecked_sub, wrapping_add, wrapping_mul, wrapping_sub,
2232    };
2233
2234    /// Calculate multiplicative modular inverse of `x` modulo `m`.
2235    ///
2236    /// This implementation is tailored for `align_offset` and has following preconditions:
2237    ///
2238    /// * `m` is a power-of-two;
2239    /// * `x < m`; (if `x ≥ m`, pass in `x % m` instead)
2240    ///
2241    /// Implementation of this function shall not panic. Ever.
2242    #[inline]
2243    const unsafe fn mod_inv(x: usize, m: usize) -> usize {
2244        /// Multiplicative modular inverse table modulo 2⁴ = 16.
2245        ///
2246        /// Note, that this table does not contain values where inverse does not exist (i.e., for
2247        /// `0⁻¹ mod 16`, `2⁻¹ mod 16`, etc.)
2248        const INV_TABLE_MOD_16: [u8; 8] = [1, 11, 13, 7, 9, 3, 5, 15];
2249        /// Modulo for which the `INV_TABLE_MOD_16` is intended.
2250        const INV_TABLE_MOD: usize = 16;
2251
2252        // SAFETY: `m` is required to be a power-of-two, hence non-zero.
2253        let m_minus_one = unsafe { unchecked_sub(m, 1) };
2254        let mut inverse = INV_TABLE_MOD_16[(x & (INV_TABLE_MOD - 1)) >> 1] as usize;
2255        let mut mod_gate = INV_TABLE_MOD;
2256        // We iterate "up" using the following formula:
2257        //
2258        // $$ xy ≡ 1 (mod 2ⁿ) → xy (2 - xy) ≡ 1 (mod 2²ⁿ) $$
2259        //
2260        // This application needs to be applied at least until `2²ⁿ ≥ m`, at which point we can
2261        // finally reduce the computation to our desired `m` by taking `inverse mod m`.
2262        //
2263        // This computation is `O(log log m)`, which is to say, that on 64-bit machines this loop
2264        // will always finish in at most 4 iterations.
2265        loop {
2266            // y = y * (2 - xy) mod n
2267            //
2268            // Note, that we use wrapping operations here intentionally – the original formula
2269            // uses e.g., subtraction `mod n`. It is entirely fine to do them `mod
2270            // usize::MAX` instead, because we take the result `mod n` at the end
2271            // anyway.
2272            if mod_gate >= m {
2273                break;
2274            }
2275            inverse = wrapping_mul(inverse, wrapping_sub(2usize, wrapping_mul(x, inverse)));
2276            let (new_gate, overflow) = mul_with_overflow(mod_gate, mod_gate);
2277            if overflow {
2278                break;
2279            }
2280            mod_gate = new_gate;
2281        }
2282        inverse & m_minus_one
2283    }
2284
2285    let stride = size_of::<T>();
2286
2287    let addr: usize = p.addr();
2288
2289    // SAFETY: `a` is a power-of-two, therefore non-zero.
2290    let a_minus_one = unsafe { unchecked_sub(a, 1) };
2291
2292    if stride == 0 {
2293        // SPECIAL_CASE: handle 0-sized types. No matter how many times we step, the address will
2294        // stay the same, so no offset will be able to align the pointer unless it is already
2295        // aligned. This branch _will_ be optimized out as `stride` is known at compile-time.
2296        let p_mod_a = addr & a_minus_one;
2297        return if p_mod_a == 0 { 0 } else { usize::MAX };
2298    }
2299
2300    // SAFETY: `stride == 0` case has been handled by the special case above.
2301    let a_mod_stride = unsafe { unchecked_rem(a, stride) };
2302    if a_mod_stride == 0 {
2303        // SPECIAL_CASE: In cases where the `a` is divisible by `stride`, byte offset to align a
2304        // pointer can be computed more simply through `-p (mod a)`. In the off-chance the byte
2305        // offset is not a multiple of `stride`, the input pointer was misaligned and no pointer
2306        // offset will be able to produce a `p` aligned to the specified `a`.
2307        //
2308        // The naive `-p (mod a)` equation inhibits LLVM's ability to select instructions
2309        // like `lea`. We compute `(round_up_to_next_alignment(p, a) - p)` instead. This
2310        // redistributes operations around the load-bearing, but pessimizing `and` instruction
2311        // sufficiently for LLVM to be able to utilize the various optimizations it knows about.
2312        //
2313        // LLVM handles the branch here particularly nicely. If this branch needs to be evaluated
2314        // at runtime, it will produce a mask `if addr_mod_stride == 0 { 0 } else { usize::MAX }`
2315        // in a branch-free way and then bitwise-OR it with whatever result the `-p mod a`
2316        // computation produces.
2317
2318        let aligned_address = wrapping_add(addr, a_minus_one) & wrapping_sub(0, a);
2319        let byte_offset = wrapping_sub(aligned_address, addr);
2320        // FIXME: Remove the assume after <https://github.com/llvm/llvm-project/issues/62502>
2321        // SAFETY: Masking by `-a` can only affect the low bits, and thus cannot have reduced
2322        // the value by more than `a-1`, so even though the intermediate values might have
2323        // wrapped, the byte_offset is always in `[0, a)`.
2324        unsafe { assume(byte_offset < a) };
2325
2326        // SAFETY: `stride == 0` case has been handled by the special case above.
2327        let addr_mod_stride = unsafe { unchecked_rem(addr, stride) };
2328
2329        return if addr_mod_stride == 0 {
2330            // SAFETY: `stride` is non-zero. This is guaranteed to divide exactly as well, because
2331            // addr has been verified to be aligned to the original type’s alignment requirements.
2332            unsafe { exact_div(byte_offset, stride) }
2333        } else {
2334            usize::MAX
2335        };
2336    }
2337
2338    // GENERAL_CASE: From here on we’re handling the very general case where `addr` may be
2339    // misaligned, there isn’t an obvious relationship between `stride` and `a` that we can take an
2340    // advantage of, etc. This case produces machine code that isn’t particularly high quality,
2341    // compared to the special cases above. The code produced here is still within the realm of
2342    // miracles, given the situations this case has to deal with.
2343
2344    // SAFETY: a is power-of-two hence non-zero. stride == 0 case is handled above.
2345    // FIXME(const-hack) replace with min
2346    let gcdpow = unsafe {
2347        let x = cttz_nonzero(stride);
2348        let y = cttz_nonzero(a);
2349        if x < y { x } else { y }
2350    };
2351    // SAFETY: gcdpow has an upper-bound that’s at most the number of bits in a `usize`.
2352    let gcd = unsafe { unchecked_shl(1usize, gcdpow) };
2353    // SAFETY: gcd is always greater or equal to 1.
2354    if addr & unsafe { unchecked_sub(gcd, 1) } == 0 {
2355        // This branch solves for the following linear congruence equation:
2356        //
2357        // ` p + so = 0 mod a `
2358        //
2359        // `p` here is the pointer value, `s` - stride of `T`, `o` offset in `T`s, and `a` - the
2360        // requested alignment.
2361        //
2362        // With `g = gcd(a, s)`, and the above condition asserting that `p` is also divisible by
2363        // `g`, we can denote `a' = a/g`, `s' = s/g`, `p' = p/g`, then this becomes equivalent to:
2364        //
2365        // ` p' + s'o = 0 mod a' `
2366        // ` o = (a' - (p' mod a')) * (s'^-1 mod a') `
2367        //
2368        // The first term is "the relative alignment of `p` to `a`" (divided by the `g`), the
2369        // second term is "how does incrementing `p` by `s` bytes change the relative alignment of
2370        // `p`" (again divided by `g`). Division by `g` is necessary to make the inverse well
2371        // formed if `a` and `s` are not co-prime.
2372        //
2373        // Furthermore, the result produced by this solution is not "minimal", so it is necessary
2374        // to take the result `o mod lcm(s, a)`. This `lcm(s, a)` is the same as `a'`.
2375
2376        // SAFETY: `gcdpow` has an upper-bound not greater than the number of trailing 0-bits in
2377        // `a`.
2378        let a2 = unsafe { unchecked_shr(a, gcdpow) };
2379        // SAFETY: `a2` is non-zero. Shifting `a` by `gcdpow` cannot shift out any of the set bits
2380        // in `a` (of which it has exactly one).
2381        let a2minus1 = unsafe { unchecked_sub(a2, 1) };
2382        // SAFETY: `gcdpow` has an upper-bound not greater than the number of trailing 0-bits in
2383        // `a`.
2384        let s2 = unsafe { unchecked_shr(stride & a_minus_one, gcdpow) };
2385        // SAFETY: `gcdpow` has an upper-bound not greater than the number of trailing 0-bits in
2386        // `a`. Furthermore, the subtraction cannot overflow, because `a2 = a >> gcdpow` will
2387        // always be strictly greater than `(p % a) >> gcdpow`.
2388        let minusp2 = unsafe { unchecked_sub(a2, unchecked_shr(addr & a_minus_one, gcdpow)) };
2389        // SAFETY: `a2` is a power-of-two, as proven above. `s2` is strictly less than `a2`
2390        // because `(s % a) >> gcdpow` is strictly less than `a >> gcdpow`.
2391        return wrapping_mul(minusp2, unsafe { mod_inv(s2, a2) }) & a2minus1;
2392    }
2393
2394    // Cannot be aligned at all.
2395    usize::MAX
2396}
2397
2398/// Compares raw pointers for equality.
2399///
2400/// This is the same as using the `==` operator, but less generic:
2401/// the arguments have to be `*const T` raw pointers,
2402/// not anything that implements `PartialEq`.
2403///
2404/// This can be used to compare `&T` references (which coerce to `*const T` implicitly)
2405/// by their address rather than comparing the values they point to
2406/// (which is what the `PartialEq for &T` implementation does).
2407///
2408/// When comparing wide pointers, both the address and the metadata are tested for equality.
2409/// However, note that comparing trait object pointers (`*const dyn Trait`) is unreliable: pointers
2410/// to values of the same underlying type can compare inequal (because vtables are duplicated in
2411/// multiple codegen units), and pointers to values of *different* underlying type can compare equal
2412/// (since identical vtables can be deduplicated within a codegen unit).
2413///
2414/// # Examples
2415///
2416/// ```
2417/// use std::ptr;
2418///
2419/// let five = 5;
2420/// let other_five = 5;
2421/// let five_ref = &five;
2422/// let same_five_ref = &five;
2423/// let other_five_ref = &other_five;
2424///
2425/// assert!(five_ref == same_five_ref);
2426/// assert!(ptr::eq(five_ref, same_five_ref));
2427///
2428/// assert!(five_ref == other_five_ref);
2429/// assert!(!ptr::eq(five_ref, other_five_ref));
2430/// ```
2431///
2432/// Slices are also compared by their length (fat pointers):
2433///
2434/// ```
2435/// let a = [1, 2, 3];
2436/// assert!(std::ptr::eq(&a[..3], &a[..3]));
2437/// assert!(!std::ptr::eq(&a[..2], &a[..3]));
2438/// assert!(!std::ptr::eq(&a[0..2], &a[1..3]));
2439/// ```
2440#[stable(feature = "ptr_eq", since = "1.17.0")]
2441#[inline(always)]
2442#[must_use = "pointer comparison produces a value"]
2443#[rustc_diagnostic_item = "ptr_eq"]
2444#[allow(ambiguous_wide_pointer_comparisons)] // it's actually clear here
2445#[cfg(not(feature = "ferrocene_certified"))]
2446pub fn eq<T: PointeeSized>(a: *const T, b: *const T) -> bool {
2447    a == b
2448}
2449
2450/// Compares the *addresses* of the two pointers for equality,
2451/// ignoring any metadata in fat pointers.
2452///
2453/// If the arguments are thin pointers of the same type,
2454/// then this is the same as [`eq`].
2455///
2456/// # Examples
2457///
2458/// ```
2459/// use std::ptr;
2460///
2461/// let whole: &[i32; 3] = &[1, 2, 3];
2462/// let first: &i32 = &whole[0];
2463///
2464/// assert!(ptr::addr_eq(whole, first));
2465/// assert!(!ptr::eq::<dyn std::fmt::Debug>(whole, first));
2466/// ```
2467#[stable(feature = "ptr_addr_eq", since = "1.76.0")]
2468#[inline(always)]
2469#[must_use = "pointer comparison produces a value"]
2470#[cfg(not(feature = "ferrocene_certified"))]
2471pub fn addr_eq<T: PointeeSized, U: PointeeSized>(p: *const T, q: *const U) -> bool {
2472    (p as *const ()) == (q as *const ())
2473}
2474
2475/// Compares the *addresses* of the two function pointers for equality.
2476///
2477/// This is the same as `f == g`, but using this function makes clear that the potentially
2478/// surprising semantics of function pointer comparison are involved.
2479///
2480/// There are **very few guarantees** about how functions are compiled and they have no intrinsic
2481/// “identity”; in particular, this comparison:
2482///
2483/// * May return `true` unexpectedly, in cases where functions are equivalent.
2484///
2485///   For example, the following program is likely (but not guaranteed) to print `(true, true)`
2486///   when compiled with optimization:
2487///
2488///   ```
2489///   let f: fn(i32) -> i32 = |x| x;
2490///   let g: fn(i32) -> i32 = |x| x + 0;  // different closure, different body
2491///   let h: fn(u32) -> u32 = |x| x + 0;  // different signature too
2492///   dbg!(std::ptr::fn_addr_eq(f, g), std::ptr::fn_addr_eq(f, h)); // not guaranteed to be equal
2493///   ```
2494///
2495/// * May return `false` in any case.
2496///
2497///   This is particularly likely with generic functions but may happen with any function.
2498///   (From an implementation perspective, this is possible because functions may sometimes be
2499///   processed more than once by the compiler, resulting in duplicate machine code.)
2500///
2501/// Despite these false positives and false negatives, this comparison can still be useful.
2502/// Specifically, if
2503///
2504/// * `T` is the same type as `U`, `T` is a [subtype] of `U`, or `U` is a [subtype] of `T`, and
2505/// * `ptr::fn_addr_eq(f, g)` returns true,
2506///
2507/// then calling `f` and calling `g` will be equivalent.
2508///
2509///
2510/// # Examples
2511///
2512/// ```
2513/// use std::ptr;
2514///
2515/// fn a() { println!("a"); }
2516/// fn b() { println!("b"); }
2517/// assert!(!ptr::fn_addr_eq(a as fn(), b as fn()));
2518/// ```
2519///
2520/// [subtype]: https://doc.rust-lang.org/reference/subtyping.html
2521#[stable(feature = "ptr_fn_addr_eq", since = "1.85.0")]
2522#[inline(always)]
2523#[must_use = "function pointer comparison produces a value"]
2524#[cfg(not(feature = "ferrocene_certified"))]
2525pub fn fn_addr_eq<T: FnPtr, U: FnPtr>(f: T, g: U) -> bool {
2526    f.addr() == g.addr()
2527}
2528
2529/// Hash a raw pointer.
2530///
2531/// This can be used to hash a `&T` reference (which coerces to `*const T` implicitly)
2532/// by its address rather than the value it points to
2533/// (which is what the `Hash for &T` implementation does).
2534///
2535/// # Examples
2536///
2537/// ```
2538/// use std::hash::{DefaultHasher, Hash, Hasher};
2539/// use std::ptr;
2540///
2541/// let five = 5;
2542/// let five_ref = &five;
2543///
2544/// let mut hasher = DefaultHasher::new();
2545/// ptr::hash(five_ref, &mut hasher);
2546/// let actual = hasher.finish();
2547///
2548/// let mut hasher = DefaultHasher::new();
2549/// (five_ref as *const i32).hash(&mut hasher);
2550/// let expected = hasher.finish();
2551///
2552/// assert_eq!(actual, expected);
2553/// ```
2554#[stable(feature = "ptr_hash", since = "1.35.0")]
2555#[cfg(not(feature = "ferrocene_certified"))]
2556pub fn hash<T: PointeeSized, S: hash::Hasher>(hashee: *const T, into: &mut S) {
2557    use crate::hash::Hash;
2558    hashee.hash(into);
2559}
2560
2561#[stable(feature = "fnptr_impls", since = "1.4.0")]
2562#[cfg(not(feature = "ferrocene_certified"))]
2563impl<F: FnPtr> PartialEq for F {
2564    #[inline]
2565    fn eq(&self, other: &Self) -> bool {
2566        self.addr() == other.addr()
2567    }
2568}
2569#[stable(feature = "fnptr_impls", since = "1.4.0")]
2570#[cfg(not(feature = "ferrocene_certified"))]
2571impl<F: FnPtr> Eq for F {}
2572
2573#[stable(feature = "fnptr_impls", since = "1.4.0")]
2574#[cfg(not(feature = "ferrocene_certified"))]
2575impl<F: FnPtr> PartialOrd for F {
2576    #[inline]
2577    fn partial_cmp(&self, other: &Self) -> Option<Ordering> {
2578        self.addr().partial_cmp(&other.addr())
2579    }
2580}
2581#[stable(feature = "fnptr_impls", since = "1.4.0")]
2582#[cfg(not(feature = "ferrocene_certified"))]
2583impl<F: FnPtr> Ord for F {
2584    #[inline]
2585    fn cmp(&self, other: &Self) -> Ordering {
2586        self.addr().cmp(&other.addr())
2587    }
2588}
2589
2590#[stable(feature = "fnptr_impls", since = "1.4.0")]
2591#[cfg(not(feature = "ferrocene_certified"))]
2592impl<F: FnPtr> hash::Hash for F {
2593    fn hash<HH: hash::Hasher>(&self, state: &mut HH) {
2594        state.write_usize(self.addr() as _)
2595    }
2596}
2597
2598#[stable(feature = "fnptr_impls", since = "1.4.0")]
2599#[cfg(not(feature = "ferrocene_certified"))]
2600impl<F: FnPtr> fmt::Pointer for F {
2601    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
2602        fmt::pointer_fmt_inner(self.addr() as _, f)
2603    }
2604}
2605
2606#[stable(feature = "fnptr_impls", since = "1.4.0")]
2607#[cfg(not(feature = "ferrocene_certified"))]
2608impl<F: FnPtr> fmt::Debug for F {
2609    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
2610        fmt::pointer_fmt_inner(self.addr() as _, f)
2611    }
2612}
2613
2614/// Creates a `const` raw pointer to a place, without creating an intermediate reference.
2615///
2616/// `addr_of!(expr)` is equivalent to `&raw const expr`. The macro is *soft-deprecated*;
2617/// use `&raw const` instead.
2618///
2619/// It is still an open question under which conditions writing through an `addr_of!`-created
2620/// pointer is permitted. If the place `expr` evaluates to is based on a raw pointer, then the
2621/// result of `addr_of!` inherits all permissions from that raw pointer. However, if the place is
2622/// based on a reference, local variable, or `static`, then until all details are decided, the same
2623/// rules as for shared references apply: it is UB to write through a pointer created with this
2624/// operation, except for bytes located inside an `UnsafeCell`. Use `&raw mut` (or [`addr_of_mut`])
2625/// to create a raw pointer that definitely permits mutation.
2626///
2627/// Creating a reference with `&`/`&mut` is only allowed if the pointer is properly aligned
2628/// and points to initialized data. For cases where those requirements do not hold,
2629/// raw pointers should be used instead. However, `&expr as *const _` creates a reference
2630/// before casting it to a raw pointer, and that reference is subject to the same rules
2631/// as all other references. This macro can create a raw pointer *without* creating
2632/// a reference first.
2633///
2634/// See [`addr_of_mut`] for how to create a pointer to uninitialized data.
2635/// Doing that with `addr_of` would not make much sense since one could only
2636/// read the data, and that would be Undefined Behavior.
2637///
2638/// # Safety
2639///
2640/// The `expr` in `addr_of!(expr)` is evaluated as a place expression, but never loads from the
2641/// place or requires the place to be dereferenceable. This means that `addr_of!((*ptr).field)`
2642/// still requires the projection to `field` to be in-bounds, using the same rules as [`offset`].
2643/// However, `addr_of!(*ptr)` is defined behavior even if `ptr` is null, dangling, or misaligned.
2644///
2645/// Note that `Deref`/`Index` coercions (and their mutable counterparts) are applied inside
2646/// `addr_of!` like everywhere else, in which case a reference is created to call `Deref::deref` or
2647/// `Index::index`, respectively. The statements above only apply when no such coercions are
2648/// applied.
2649///
2650/// [`offset`]: pointer::offset
2651///
2652/// # Example
2653///
2654/// **Correct usage: Creating a pointer to unaligned data**
2655///
2656/// ```
2657/// use std::ptr;
2658///
2659/// #[repr(packed)]
2660/// struct Packed {
2661///     f1: u8,
2662///     f2: u16,
2663/// }
2664///
2665/// let packed = Packed { f1: 1, f2: 2 };
2666/// // `&packed.f2` would create an unaligned reference, and thus be Undefined Behavior!
2667/// let raw_f2 = ptr::addr_of!(packed.f2);
2668/// assert_eq!(unsafe { raw_f2.read_unaligned() }, 2);
2669/// ```
2670///
2671/// **Incorrect usage: Out-of-bounds fields projection**
2672///
2673/// ```rust,no_run
2674/// use std::ptr;
2675///
2676/// #[repr(C)]
2677/// struct MyStruct {
2678///     field1: i32,
2679///     field2: i32,
2680/// }
2681///
2682/// let ptr: *const MyStruct = ptr::null();
2683/// let fieldptr = unsafe { ptr::addr_of!((*ptr).field2) }; // Undefined Behavior ⚠️
2684/// ```
2685///
2686/// The field projection `.field2` would offset the pointer by 4 bytes,
2687/// but the pointer is not in-bounds of an allocation for 4 bytes,
2688/// so this offset is Undefined Behavior.
2689/// See the [`offset`] docs for a full list of requirements for inbounds pointer arithmetic; the
2690/// same requirements apply to field projections, even inside `addr_of!`. (In particular, it makes
2691/// no difference whether the pointer is null or dangling.)
2692#[stable(feature = "raw_ref_macros", since = "1.51.0")]
2693#[rustc_macro_transparency = "semitransparent"]
2694#[cfg(not(feature = "ferrocene_certified"))]
2695pub macro addr_of($place:expr) {
2696    &raw const $place
2697}
2698
2699/// Creates a `mut` raw pointer to a place, without creating an intermediate reference.
2700///
2701/// `addr_of_mut!(expr)` is equivalent to `&raw mut expr`. The macro is *soft-deprecated*;
2702/// use `&raw mut` instead.
2703///
2704/// Creating a reference with `&`/`&mut` is only allowed if the pointer is properly aligned
2705/// and points to initialized data. For cases where those requirements do not hold,
2706/// raw pointers should be used instead. However, `&mut expr as *mut _` creates a reference
2707/// before casting it to a raw pointer, and that reference is subject to the same rules
2708/// as all other references. This macro can create a raw pointer *without* creating
2709/// a reference first.
2710///
2711/// # Safety
2712///
2713/// The `expr` in `addr_of_mut!(expr)` is evaluated as a place expression, but never loads from the
2714/// place or requires the place to be dereferenceable. This means that `addr_of_mut!((*ptr).field)`
2715/// still requires the projection to `field` to be in-bounds, using the same rules as [`offset`].
2716/// However, `addr_of_mut!(*ptr)` is defined behavior even if `ptr` is null, dangling, or misaligned.
2717///
2718/// Note that `Deref`/`Index` coercions (and their mutable counterparts) are applied inside
2719/// `addr_of_mut!` like everywhere else, in which case a reference is created to call `Deref::deref`
2720/// or `Index::index`, respectively. The statements above only apply when no such coercions are
2721/// applied.
2722///
2723/// [`offset`]: pointer::offset
2724///
2725/// # Examples
2726///
2727/// **Correct usage: Creating a pointer to unaligned data**
2728///
2729/// ```
2730/// use std::ptr;
2731///
2732/// #[repr(packed)]
2733/// struct Packed {
2734///     f1: u8,
2735///     f2: u16,
2736/// }
2737///
2738/// let mut packed = Packed { f1: 1, f2: 2 };
2739/// // `&mut packed.f2` would create an unaligned reference, and thus be Undefined Behavior!
2740/// let raw_f2 = ptr::addr_of_mut!(packed.f2);
2741/// unsafe { raw_f2.write_unaligned(42); }
2742/// assert_eq!({packed.f2}, 42); // `{...}` forces copying the field instead of creating a reference.
2743/// ```
2744///
2745/// **Correct usage: Creating a pointer to uninitialized data**
2746///
2747/// ```rust
2748/// use std::{ptr, mem::MaybeUninit};
2749///
2750/// struct Demo {
2751///     field: bool,
2752/// }
2753///
2754/// let mut uninit = MaybeUninit::<Demo>::uninit();
2755/// // `&uninit.as_mut().field` would create a reference to an uninitialized `bool`,
2756/// // and thus be Undefined Behavior!
2757/// let f1_ptr = unsafe { ptr::addr_of_mut!((*uninit.as_mut_ptr()).field) };
2758/// unsafe { f1_ptr.write(true); }
2759/// let init = unsafe { uninit.assume_init() };
2760/// ```
2761///
2762/// **Incorrect usage: Out-of-bounds fields projection**
2763///
2764/// ```rust,no_run
2765/// use std::ptr;
2766///
2767/// #[repr(C)]
2768/// struct MyStruct {
2769///     field1: i32,
2770///     field2: i32,
2771/// }
2772///
2773/// let ptr: *mut MyStruct = ptr::null_mut();
2774/// let fieldptr = unsafe { ptr::addr_of_mut!((*ptr).field2) }; // Undefined Behavior ⚠️
2775/// ```
2776///
2777/// The field projection `.field2` would offset the pointer by 4 bytes,
2778/// but the pointer is not in-bounds of an allocation for 4 bytes,
2779/// so this offset is Undefined Behavior.
2780/// See the [`offset`] docs for a full list of requirements for inbounds pointer arithmetic; the
2781/// same requirements apply to field projections, even inside `addr_of_mut!`. (In particular, it
2782/// makes no difference whether the pointer is null or dangling.)
2783#[stable(feature = "raw_ref_macros", since = "1.51.0")]
2784#[rustc_macro_transparency = "semitransparent"]
2785#[cfg(not(feature = "ferrocene_certified"))]
2786pub macro addr_of_mut($place:expr) {
2787    &raw mut $place
2788}