1 //! Shareable mutable containers.
3 //! Rust memory safety is based on this rule: Given an object `T`, it is only possible to
4 //! have one of the following:
6 //! - Having several immutable references (`&T`) to the object (also known as **aliasing**).
7 //! - Having one mutable reference (`&mut T`) to the object (also known as **mutability**).
9 //! This is enforced by the Rust compiler. However, there are situations where this rule is not
10 //! flexible enough. Sometimes it is required to have multiple references to an object and yet
13 //! Shareable mutable containers exist to permit mutability in a controlled manner, even in the
14 //! presence of aliasing. Both `Cell<T>` and `RefCell<T>` allow doing this in a single-threaded
15 //! way. However, neither `Cell<T>` nor `RefCell<T>` are thread safe (they do not implement
16 //! `Sync`). If you need to do aliasing and mutation between multiple threads it is possible to
17 //! use [`Mutex`](../../std/sync/struct.Mutex.html),
18 //! [`RwLock`](../../std/sync/struct.RwLock.html) or
19 //! [`atomic`](../../core/sync/atomic/index.html) types.
21 //! Values of the `Cell<T>` and `RefCell<T>` types may be mutated through shared references (i.e.
22 //! the common `&T` type), whereas most Rust types can only be mutated through unique (`&mut T`)
23 //! references. We say that `Cell<T>` and `RefCell<T>` provide 'interior mutability', in contrast
24 //! with typical Rust types that exhibit 'inherited mutability'.
26 //! Cell types come in two flavors: `Cell<T>` and `RefCell<T>`. `Cell<T>` implements interior
27 //! mutability by moving values in and out of the `Cell<T>`. To use references instead of values,
28 //! one must use the `RefCell<T>` type, acquiring a write lock before mutating. `Cell<T>` provides
29 //! methods to retrieve and change the current interior value:
31 //! - For types that implement `Copy`, the `get` method retrieves the current interior value.
32 //! - For types that implement `Default`, the `take` method replaces the current interior value
33 //! with `Default::default()` and returns the replaced value.
34 //! - For all types, the `replace` method replaces the current interior value and returns the
35 //! replaced value and the `into_inner` method consumes the `Cell<T>` and returns the interior
36 //! value. Additionally, the `set` method replaces the interior value, dropping the replaced
39 //! `RefCell<T>` uses Rust's lifetimes to implement 'dynamic borrowing', a process whereby one can
40 //! claim temporary, exclusive, mutable access to the inner value. Borrows for `RefCell<T>`s are
41 //! tracked 'at runtime', unlike Rust's native reference types which are entirely tracked
42 //! statically, at compile time. Because `RefCell<T>` borrows are dynamic it is possible to attempt
43 //! to borrow a value that is already mutably borrowed; when this happens it results in thread
46 //! # When to choose interior mutability
48 //! The more common inherited mutability, where one must have unique access to mutate a value, is
49 //! one of the key language elements that enables Rust to reason strongly about pointer aliasing,
50 //! statically preventing crash bugs. Because of that, inherited mutability is preferred, and
51 //! interior mutability is something of a last resort. Since cell types enable mutation where it
52 //! would otherwise be disallowed though, there are occasions when interior mutability might be
53 //! appropriate, or even *must* be used, e.g.
55 //! * Introducing mutability 'inside' of something immutable
56 //! * Implementation details of logically-immutable methods.
57 //! * Mutating implementations of `Clone`.
59 //! ## Introducing mutability 'inside' of something immutable
61 //! Many shared smart pointer types, including `Rc<T>` and `Arc<T>`, provide containers that can be
62 //! cloned and shared between multiple parties. Because the contained values may be
63 //! multiply-aliased, they can only be borrowed with `&`, not `&mut`. Without cells it would be
64 //! impossible to mutate data inside of these smart pointers at all.
66 //! It's very common then to put a `RefCell<T>` inside shared pointer types to reintroduce
70 //! use std::cell::{RefCell, RefMut};
71 //! use std::collections::HashMap;
75 //! let shared_map: Rc<RefCell<_>> = Rc::new(RefCell::new(HashMap::new()));
76 //! // Create a new block to limit the scope of the dynamic borrow
78 //! let mut map: RefMut<_> = shared_map.borrow_mut();
79 //! map.insert("africa", 92388);
80 //! map.insert("kyoto", 11837);
81 //! map.insert("piccadilly", 11826);
82 //! map.insert("marbles", 38);
85 //! // Note that if we had not let the previous borrow of the cache fall out
86 //! // of scope then the subsequent borrow would cause a dynamic thread panic.
87 //! // This is the major hazard of using `RefCell`.
88 //! let total: i32 = shared_map.borrow().values().sum();
89 //! println!("{}", total);
93 //! Note that this example uses `Rc<T>` and not `Arc<T>`. `RefCell<T>`s are for single-threaded
94 //! scenarios. Consider using `RwLock<T>` or `Mutex<T>` if you need shared mutability in a
95 //! multi-threaded situation.
97 //! ## Implementation details of logically-immutable methods
99 //! Occasionally it may be desirable not to expose in an API that there is mutation happening
100 //! "under the hood". This may be because logically the operation is immutable, but e.g., caching
101 //! forces the implementation to perform mutation; or because you must employ mutation to implement
102 //! a trait method that was originally defined to take `&self`.
105 //! # #![allow(dead_code)]
106 //! use std::cell::RefCell;
109 //! edges: Vec<(i32, i32)>,
110 //! span_tree_cache: RefCell<Option<Vec<(i32, i32)>>>
114 //! fn minimum_spanning_tree(&self) -> Vec<(i32, i32)> {
115 //! self.span_tree_cache.borrow_mut()
116 //! .get_or_insert_with(|| self.calc_span_tree())
120 //! fn calc_span_tree(&self) -> Vec<(i32, i32)> {
121 //! // Expensive computation goes here
127 //! ## Mutating implementations of `Clone`
129 //! This is simply a special - but common - case of the previous: hiding mutability for operations
130 //! that appear to be immutable. The `clone` method is expected to not change the source value, and
131 //! is declared to take `&self`, not `&mut self`. Therefore, any mutation that happens in the
132 //! `clone` method must use cell types. For example, `Rc<T>` maintains its reference counts within a
136 //! use std::cell::Cell;
137 //! use std::ptr::NonNull;
138 //! use std::process::abort;
139 //! use std::marker::PhantomData;
141 //! struct Rc<T: ?Sized> {
142 //! ptr: NonNull<RcBox<T>>,
143 //! phantom: PhantomData<RcBox<T>>,
146 //! struct RcBox<T: ?Sized> {
147 //! strong: Cell<usize>,
148 //! refcount: Cell<usize>,
152 //! impl<T: ?Sized> Clone for Rc<T> {
153 //! fn clone(&self) -> Rc<T> {
154 //! self.inc_strong();
157 //! phantom: PhantomData,
162 //! trait RcBoxPtr<T: ?Sized> {
164 //! fn inner(&self) -> &RcBox<T>;
166 //! fn strong(&self) -> usize {
167 //! self.inner().strong.get()
170 //! fn inc_strong(&self) {
173 //! .set(self.strong()
175 //! .unwrap_or_else(|| abort() ));
179 //! impl<T: ?Sized> RcBoxPtr<T> for Rc<T> {
180 //! fn inner(&self) -> &RcBox<T> {
182 //! self.ptr.as_ref()
189 #![stable(feature = "rust1", since = "1.0.0")]
191 use crate::cmp
::Ordering
;
192 use crate::fmt
::{self, Debug, Display}
;
193 use crate::marker
::Unsize
;
195 use crate::ops
::{CoerceUnsized, Deref, DerefMut}
;
198 /// A mutable memory location.
202 /// In this example, you can see that `Cell<T>` enables mutation inside an
203 /// immutable struct. In other words, it enables "interior mutability".
206 /// use std::cell::Cell;
208 /// struct SomeStruct {
209 /// regular_field: u8,
210 /// special_field: Cell<u8>,
213 /// let my_struct = SomeStruct {
214 /// regular_field: 0,
215 /// special_field: Cell::new(1),
218 /// let new_value = 100;
220 /// // ERROR: `my_struct` is immutable
221 /// // my_struct.regular_field = new_value;
223 /// // WORKS: although `my_struct` is immutable, `special_field` is a `Cell`,
224 /// // which can always be mutated
225 /// my_struct.special_field.set(new_value);
226 /// assert_eq!(my_struct.special_field.get(), new_value);
229 /// See the [module-level documentation](index.html) for more.
230 #[stable(feature = "rust1", since = "1.0.0")]
232 pub struct Cell
<T
: ?Sized
> {
233 value
: UnsafeCell
<T
>,
236 #[stable(feature = "rust1", since = "1.0.0")]
237 unsafe impl<T
: ?Sized
> Send
for Cell
<T
> where T
: Send {}
239 #[stable(feature = "rust1", since = "1.0.0")]
240 impl<T
: ?Sized
> !Sync
for Cell
<T
> {}
242 #[stable(feature = "rust1", since = "1.0.0")]
243 impl<T
: Copy
> Clone
for Cell
<T
> {
245 fn clone(&self) -> Cell
<T
> {
246 Cell
::new(self.get())
250 #[stable(feature = "rust1", since = "1.0.0")]
251 impl<T
: Default
> Default
for Cell
<T
> {
252 /// Creates a `Cell<T>`, with the `Default` value for T.
254 fn default() -> Cell
<T
> {
255 Cell
::new(Default
::default())
259 #[stable(feature = "rust1", since = "1.0.0")]
260 impl<T
: PartialEq
+ Copy
> PartialEq
for Cell
<T
> {
262 fn eq(&self, other
: &Cell
<T
>) -> bool
{
263 self.get() == other
.get()
267 #[stable(feature = "cell_eq", since = "1.2.0")]
268 impl<T
: Eq
+ Copy
> Eq
for Cell
<T
> {}
270 #[stable(feature = "cell_ord", since = "1.10.0")]
271 impl<T
: PartialOrd
+ Copy
> PartialOrd
for Cell
<T
> {
273 fn partial_cmp(&self, other
: &Cell
<T
>) -> Option
<Ordering
> {
274 self.get().partial_cmp(&other
.get())
278 fn lt(&self, other
: &Cell
<T
>) -> bool
{
279 self.get() < other
.get()
283 fn le(&self, other
: &Cell
<T
>) -> bool
{
284 self.get() <= other
.get()
288 fn gt(&self, other
: &Cell
<T
>) -> bool
{
289 self.get() > other
.get()
293 fn ge(&self, other
: &Cell
<T
>) -> bool
{
294 self.get() >= other
.get()
298 #[stable(feature = "cell_ord", since = "1.10.0")]
299 impl<T
: Ord
+ Copy
> Ord
for Cell
<T
> {
301 fn cmp(&self, other
: &Cell
<T
>) -> Ordering
{
302 self.get().cmp(&other
.get())
306 #[stable(feature = "cell_from", since = "1.12.0")]
307 impl<T
> From
<T
> for Cell
<T
> {
308 fn from(t
: T
) -> Cell
<T
> {
314 /// Creates a new `Cell` containing the given value.
319 /// use std::cell::Cell;
321 /// let c = Cell::new(5);
323 #[stable(feature = "rust1", since = "1.0.0")]
324 #[rustc_const_stable(feature = "const_cell_new", since = "1.32.0")]
326 pub const fn new(value
: T
) -> Cell
<T
> {
327 Cell { value: UnsafeCell::new(value) }
330 /// Sets the contained value.
335 /// use std::cell::Cell;
337 /// let c = Cell::new(5);
342 #[stable(feature = "rust1", since = "1.0.0")]
343 pub fn set(&self, val
: T
) {
344 let old
= self.replace(val
);
348 /// Swaps the values of two Cells.
349 /// Difference with `std::mem::swap` is that this function doesn't require `&mut` reference.
354 /// use std::cell::Cell;
356 /// let c1 = Cell::new(5i32);
357 /// let c2 = Cell::new(10i32);
359 /// assert_eq!(10, c1.get());
360 /// assert_eq!(5, c2.get());
363 #[stable(feature = "move_cell", since = "1.17.0")]
364 pub fn swap(&self, other
: &Self) {
365 if ptr
::eq(self, other
) {
368 // SAFETY: This can be risky if called from separate threads, but `Cell`
369 // is `!Sync` so this won't happen. This also won't invalidate any
370 // pointers since `Cell` makes sure nothing else will be pointing into
371 // either of these `Cell`s.
373 ptr
::swap(self.value
.get(), other
.value
.get());
377 /// Replaces the contained value, and returns it.
382 /// use std::cell::Cell;
384 /// let cell = Cell::new(5);
385 /// assert_eq!(cell.get(), 5);
386 /// assert_eq!(cell.replace(10), 5);
387 /// assert_eq!(cell.get(), 10);
389 #[stable(feature = "move_cell", since = "1.17.0")]
390 pub fn replace(&self, val
: T
) -> T
{
391 // SAFETY: This can cause data races if called from a separate thread,
392 // but `Cell` is `!Sync` so this won't happen.
393 mem
::replace(unsafe { &mut *self.value.get() }
, val
)
396 /// Unwraps the value.
401 /// use std::cell::Cell;
403 /// let c = Cell::new(5);
404 /// let five = c.into_inner();
406 /// assert_eq!(five, 5);
408 #[stable(feature = "move_cell", since = "1.17.0")]
409 pub fn into_inner(self) -> T
{
410 self.value
.into_inner()
414 impl<T
: Copy
> Cell
<T
> {
415 /// Returns a copy of the contained value.
420 /// use std::cell::Cell;
422 /// let c = Cell::new(5);
424 /// let five = c.get();
427 #[stable(feature = "rust1", since = "1.0.0")]
428 pub fn get(&self) -> T
{
429 // SAFETY: This can cause data races if called from a separate thread,
430 // but `Cell` is `!Sync` so this won't happen.
431 unsafe { *self.value.get() }
434 /// Updates the contained value using a function and returns the new value.
439 /// #![feature(cell_update)]
441 /// use std::cell::Cell;
443 /// let c = Cell::new(5);
444 /// let new = c.update(|x| x + 1);
446 /// assert_eq!(new, 6);
447 /// assert_eq!(c.get(), 6);
450 #[unstable(feature = "cell_update", issue = "50186")]
451 pub fn update
<F
>(&self, f
: F
) -> T
455 let old
= self.get();
462 impl<T
: ?Sized
> Cell
<T
> {
463 /// Returns a raw pointer to the underlying data in this cell.
468 /// use std::cell::Cell;
470 /// let c = Cell::new(5);
472 /// let ptr = c.as_ptr();
475 #[stable(feature = "cell_as_ptr", since = "1.12.0")]
476 #[rustc_const_stable(feature = "const_cell_as_ptr", since = "1.32.0")]
477 pub const fn as_ptr(&self) -> *mut T
{
481 /// Returns a mutable reference to the underlying data.
483 /// This call borrows `Cell` mutably (at compile-time) which guarantees
484 /// that we possess the only reference.
489 /// use std::cell::Cell;
491 /// let mut c = Cell::new(5);
492 /// *c.get_mut() += 1;
494 /// assert_eq!(c.get(), 6);
497 #[stable(feature = "cell_get_mut", since = "1.11.0")]
498 pub fn get_mut(&mut self) -> &mut T
{
502 /// Returns a `&Cell<T>` from a `&mut T`
507 /// use std::cell::Cell;
509 /// let slice: &mut [i32] = &mut [1, 2, 3];
510 /// let cell_slice: &Cell<[i32]> = Cell::from_mut(slice);
511 /// let slice_cell: &[Cell<i32>] = cell_slice.as_slice_of_cells();
513 /// assert_eq!(slice_cell.len(), 3);
516 #[stable(feature = "as_cell", since = "1.37.0")]
517 pub fn from_mut(t
: &mut T
) -> &Cell
<T
> {
518 // SAFETY: `&mut` ensures unique access.
519 unsafe { &*(t as *mut T as *const Cell<T>) }
523 impl<T
: Default
> Cell
<T
> {
524 /// Takes the value of the cell, leaving `Default::default()` in its place.
529 /// use std::cell::Cell;
531 /// let c = Cell::new(5);
532 /// let five = c.take();
534 /// assert_eq!(five, 5);
535 /// assert_eq!(c.into_inner(), 0);
537 #[stable(feature = "move_cell", since = "1.17.0")]
538 pub fn take(&self) -> T
{
539 self.replace(Default
::default())
543 #[unstable(feature = "coerce_unsized", issue = "27732")]
544 impl<T
: CoerceUnsized
<U
>, U
> CoerceUnsized
<Cell
<U
>> for Cell
<T
> {}
547 /// Returns a `&[Cell<T>]` from a `&Cell<[T]>`
552 /// use std::cell::Cell;
554 /// let slice: &mut [i32] = &mut [1, 2, 3];
555 /// let cell_slice: &Cell<[i32]> = Cell::from_mut(slice);
556 /// let slice_cell: &[Cell<i32>] = cell_slice.as_slice_of_cells();
558 /// assert_eq!(slice_cell.len(), 3);
560 #[stable(feature = "as_cell", since = "1.37.0")]
561 pub fn as_slice_of_cells(&self) -> &[Cell
<T
>] {
562 // SAFETY: `Cell<T>` has the same memory layout as `T`.
563 unsafe { &*(self as *const Cell<[T]> as *const [Cell<T>]) }
567 /// A mutable memory location with dynamically checked borrow rules
569 /// See the [module-level documentation](index.html) for more.
570 #[stable(feature = "rust1", since = "1.0.0")]
571 pub struct RefCell
<T
: ?Sized
> {
572 borrow
: Cell
<BorrowFlag
>,
573 value
: UnsafeCell
<T
>,
576 /// An error returned by [`RefCell::try_borrow`](struct.RefCell.html#method.try_borrow).
577 #[stable(feature = "try_borrow", since = "1.13.0")]
578 pub struct BorrowError
{
582 #[stable(feature = "try_borrow", since = "1.13.0")]
583 impl Debug
for BorrowError
{
584 fn fmt(&self, f
: &mut fmt
::Formatter
<'_
>) -> fmt
::Result
{
585 f
.debug_struct("BorrowError").finish()
589 #[stable(feature = "try_borrow", since = "1.13.0")]
590 impl Display
for BorrowError
{
591 fn fmt(&self, f
: &mut fmt
::Formatter
<'_
>) -> fmt
::Result
{
592 Display
::fmt("already mutably borrowed", f
)
596 /// An error returned by [`RefCell::try_borrow_mut`](struct.RefCell.html#method.try_borrow_mut).
597 #[stable(feature = "try_borrow", since = "1.13.0")]
598 pub struct BorrowMutError
{
602 #[stable(feature = "try_borrow", since = "1.13.0")]
603 impl Debug
for BorrowMutError
{
604 fn fmt(&self, f
: &mut fmt
::Formatter
<'_
>) -> fmt
::Result
{
605 f
.debug_struct("BorrowMutError").finish()
609 #[stable(feature = "try_borrow", since = "1.13.0")]
610 impl Display
for BorrowMutError
{
611 fn fmt(&self, f
: &mut fmt
::Formatter
<'_
>) -> fmt
::Result
{
612 Display
::fmt("already borrowed", f
)
616 // Positive values represent the number of `Ref` active. Negative values
617 // represent the number of `RefMut` active. Multiple `RefMut`s can only be
618 // active at a time if they refer to distinct, nonoverlapping components of a
619 // `RefCell` (e.g., different ranges of a slice).
621 // `Ref` and `RefMut` are both two words in size, and so there will likely never
622 // be enough `Ref`s or `RefMut`s in existence to overflow half of the `usize`
623 // range. Thus, a `BorrowFlag` will probably never overflow or underflow.
624 // However, this is not a guarantee, as a pathological program could repeatedly
625 // create and then mem::forget `Ref`s or `RefMut`s. Thus, all code must
626 // explicitly check for overflow and underflow in order to avoid unsafety, or at
627 // least behave correctly in the event that overflow or underflow happens (e.g.,
628 // see BorrowRef::new).
629 type BorrowFlag
= isize;
630 const UNUSED
: BorrowFlag
= 0;
633 fn is_writing(x
: BorrowFlag
) -> bool
{
638 fn is_reading(x
: BorrowFlag
) -> bool
{
643 /// Creates a new `RefCell` containing `value`.
648 /// use std::cell::RefCell;
650 /// let c = RefCell::new(5);
652 #[stable(feature = "rust1", since = "1.0.0")]
653 #[rustc_const_stable(feature = "const_refcell_new", since = "1.32.0")]
655 pub const fn new(value
: T
) -> RefCell
<T
> {
656 RefCell { value: UnsafeCell::new(value), borrow: Cell::new(UNUSED) }
659 /// Consumes the `RefCell`, returning the wrapped value.
664 /// use std::cell::RefCell;
666 /// let c = RefCell::new(5);
668 /// let five = c.into_inner();
670 #[stable(feature = "rust1", since = "1.0.0")]
672 pub fn into_inner(self) -> T
{
673 // Since this function takes `self` (the `RefCell`) by value, the
674 // compiler statically verifies that it is not currently borrowed.
675 // Therefore the following assertion is just a `debug_assert!`.
676 debug_assert
!(self.borrow
.get() == UNUSED
);
677 self.value
.into_inner()
680 /// Replaces the wrapped value with a new one, returning the old value,
681 /// without deinitializing either one.
683 /// This function corresponds to [`std::mem::replace`](../mem/fn.replace.html).
687 /// Panics if the value is currently borrowed.
692 /// use std::cell::RefCell;
693 /// let cell = RefCell::new(5);
694 /// let old_value = cell.replace(6);
695 /// assert_eq!(old_value, 5);
696 /// assert_eq!(cell, RefCell::new(6));
699 #[stable(feature = "refcell_replace", since = "1.24.0")]
701 pub fn replace(&self, t
: T
) -> T
{
702 mem
::replace(&mut *self.borrow_mut(), t
)
705 /// Replaces the wrapped value with a new one computed from `f`, returning
706 /// the old value, without deinitializing either one.
710 /// Panics if the value is currently borrowed.
715 /// use std::cell::RefCell;
716 /// let cell = RefCell::new(5);
717 /// let old_value = cell.replace_with(|&mut old| old + 1);
718 /// assert_eq!(old_value, 5);
719 /// assert_eq!(cell, RefCell::new(6));
722 #[stable(feature = "refcell_replace_swap", since = "1.35.0")]
724 pub fn replace_with
<F
: FnOnce(&mut T
) -> T
>(&self, f
: F
) -> T
{
725 let mut_borrow
= &mut *self.borrow_mut();
726 let replacement
= f(mut_borrow
);
727 mem
::replace(mut_borrow
, replacement
)
730 /// Swaps the wrapped value of `self` with the wrapped value of `other`,
731 /// without deinitializing either one.
733 /// This function corresponds to [`std::mem::swap`](../mem/fn.swap.html).
737 /// Panics if the value in either `RefCell` is currently borrowed.
742 /// use std::cell::RefCell;
743 /// let c = RefCell::new(5);
744 /// let d = RefCell::new(6);
746 /// assert_eq!(c, RefCell::new(6));
747 /// assert_eq!(d, RefCell::new(5));
750 #[stable(feature = "refcell_swap", since = "1.24.0")]
751 pub fn swap(&self, other
: &Self) {
752 mem
::swap(&mut *self.borrow_mut(), &mut *other
.borrow_mut())
756 impl<T
: ?Sized
> RefCell
<T
> {
757 /// Immutably borrows the wrapped value.
759 /// The borrow lasts until the returned `Ref` exits scope. Multiple
760 /// immutable borrows can be taken out at the same time.
764 /// Panics if the value is currently mutably borrowed. For a non-panicking variant, use
765 /// [`try_borrow`](#method.try_borrow).
770 /// use std::cell::RefCell;
772 /// let c = RefCell::new(5);
774 /// let borrowed_five = c.borrow();
775 /// let borrowed_five2 = c.borrow();
778 /// An example of panic:
781 /// use std::cell::RefCell;
783 /// let c = RefCell::new(5);
785 /// let m = c.borrow_mut();
786 /// let b = c.borrow(); // this causes a panic
788 #[stable(feature = "rust1", since = "1.0.0")]
791 pub fn borrow(&self) -> Ref
<'_
, T
> {
792 self.try_borrow().expect("already mutably borrowed")
795 /// Immutably borrows the wrapped value, returning an error if the value is currently mutably
798 /// The borrow lasts until the returned `Ref` exits scope. Multiple immutable borrows can be
799 /// taken out at the same time.
801 /// This is the non-panicking variant of [`borrow`](#method.borrow).
806 /// use std::cell::RefCell;
808 /// let c = RefCell::new(5);
811 /// let m = c.borrow_mut();
812 /// assert!(c.try_borrow().is_err());
816 /// let m = c.borrow();
817 /// assert!(c.try_borrow().is_ok());
820 #[stable(feature = "try_borrow", since = "1.13.0")]
822 pub fn try_borrow(&self) -> Result
<Ref
<'_
, T
>, BorrowError
> {
823 match BorrowRef
::new(&self.borrow
) {
824 // SAFETY: `BorrowRef` ensures that there is only immutable access
825 // to the value while borrowed.
826 Some(b
) => Ok(Ref { value: unsafe { &*self.value.get() }
, borrow
: b
}),
827 None
=> Err(BorrowError { _private: () }
),
831 /// Mutably borrows the wrapped value.
833 /// The borrow lasts until the returned `RefMut` or all `RefMut`s derived
834 /// from it exit scope. The value cannot be borrowed while this borrow is
839 /// Panics if the value is currently borrowed. For a non-panicking variant, use
840 /// [`try_borrow_mut`](#method.try_borrow_mut).
845 /// use std::cell::RefCell;
847 /// let c = RefCell::new("hello".to_owned());
849 /// *c.borrow_mut() = "bonjour".to_owned();
851 /// assert_eq!(&*c.borrow(), "bonjour");
854 /// An example of panic:
857 /// use std::cell::RefCell;
859 /// let c = RefCell::new(5);
860 /// let m = c.borrow();
862 /// let b = c.borrow_mut(); // this causes a panic
864 #[stable(feature = "rust1", since = "1.0.0")]
867 pub fn borrow_mut(&self) -> RefMut
<'_
, T
> {
868 self.try_borrow_mut().expect("already borrowed")
871 /// Mutably borrows the wrapped value, returning an error if the value is currently borrowed.
873 /// The borrow lasts until the returned `RefMut` or all `RefMut`s derived
874 /// from it exit scope. The value cannot be borrowed while this borrow is
877 /// This is the non-panicking variant of [`borrow_mut`](#method.borrow_mut).
882 /// use std::cell::RefCell;
884 /// let c = RefCell::new(5);
887 /// let m = c.borrow();
888 /// assert!(c.try_borrow_mut().is_err());
891 /// assert!(c.try_borrow_mut().is_ok());
893 #[stable(feature = "try_borrow", since = "1.13.0")]
895 pub fn try_borrow_mut(&self) -> Result
<RefMut
<'_
, T
>, BorrowMutError
> {
896 match BorrowRefMut
::new(&self.borrow
) {
897 // SAFETY: `BorrowRef` guarantees unique access.
898 Some(b
) => Ok(RefMut { value: unsafe { &mut *self.value.get() }
, borrow
: b
}),
899 None
=> Err(BorrowMutError { _private: () }
),
903 /// Returns a raw pointer to the underlying data in this cell.
908 /// use std::cell::RefCell;
910 /// let c = RefCell::new(5);
912 /// let ptr = c.as_ptr();
915 #[stable(feature = "cell_as_ptr", since = "1.12.0")]
916 pub fn as_ptr(&self) -> *mut T
{
920 /// Returns a mutable reference to the underlying data.
922 /// This call borrows `RefCell` mutably (at compile-time) so there is no
923 /// need for dynamic checks.
925 /// However be cautious: this method expects `self` to be mutable, which is
926 /// generally not the case when using a `RefCell`. Take a look at the
927 /// [`borrow_mut`] method instead if `self` isn't mutable.
929 /// Also, please be aware that this method is only for special circumstances and is usually
930 /// not what you want. In case of doubt, use [`borrow_mut`] instead.
932 /// [`borrow_mut`]: #method.borrow_mut
937 /// use std::cell::RefCell;
939 /// let mut c = RefCell::new(5);
940 /// *c.get_mut() += 1;
942 /// assert_eq!(c, RefCell::new(6));
945 #[stable(feature = "cell_get_mut", since = "1.11.0")]
946 pub fn get_mut(&mut self) -> &mut T
{
950 /// Undo the effect of leaked guards on the borrow state of the `RefCell`.
952 /// This call is similar to [`get_mut`] but more specialized. It borrows `RefCell` mutably to
953 /// ensure no borrows exist and then resets the state tracking shared borrows. This is relevant
954 /// if some `Ref` or `RefMut` borrows have been leaked.
956 /// [`get_mut`]: #method.get_mut
961 /// #![feature(cell_leak)]
962 /// use std::cell::RefCell;
964 /// let mut c = RefCell::new(0);
965 /// std::mem::forget(c.borrow_mut());
967 /// assert!(c.try_borrow().is_err());
969 /// assert!(c.try_borrow().is_ok());
971 #[unstable(feature = "cell_leak", issue = "69099")]
972 pub fn undo_leak(&mut self) -> &mut T
{
973 *self.borrow
.get_mut() = UNUSED
;
977 /// Immutably borrows the wrapped value, returning an error if the value is
978 /// currently mutably borrowed.
982 /// Unlike `RefCell::borrow`, this method is unsafe because it does not
983 /// return a `Ref`, thus leaving the borrow flag untouched. Mutably
984 /// borrowing the `RefCell` while the reference returned by this method
985 /// is alive is undefined behaviour.
990 /// use std::cell::RefCell;
992 /// let c = RefCell::new(5);
995 /// let m = c.borrow_mut();
996 /// assert!(unsafe { c.try_borrow_unguarded() }.is_err());
1000 /// let m = c.borrow();
1001 /// assert!(unsafe { c.try_borrow_unguarded() }.is_ok());
1004 #[stable(feature = "borrow_state", since = "1.37.0")]
1006 pub unsafe fn try_borrow_unguarded(&self) -> Result
<&T
, BorrowError
> {
1007 if !is_writing(self.borrow
.get()) {
1008 // SAFETY: We check that nobody is actively writing now, but it is
1009 // the caller's responsibility to ensure that nobody writes until
1010 // the returned reference is no longer in use.
1011 // Also, `self.value.get()` refers to the value owned by `self`
1012 // and is thus guaranteed to be valid for the lifetime of `self`.
1013 Ok(unsafe { &*self.value.get() }
)
1015 Err(BorrowError { _private: () }
)
1020 impl<T
: Default
> RefCell
<T
> {
1021 /// Takes the wrapped value, leaving `Default::default()` in its place.
1025 /// Panics if the value is currently borrowed.
1030 /// #![feature(refcell_take)]
1031 /// use std::cell::RefCell;
1033 /// let c = RefCell::new(5);
1034 /// let five = c.take();
1036 /// assert_eq!(five, 5);
1037 /// assert_eq!(c.into_inner(), 0);
1039 #[unstable(feature = "refcell_take", issue = "71395")]
1040 pub fn take(&self) -> T
{
1041 self.replace(Default
::default())
1045 #[stable(feature = "rust1", since = "1.0.0")]
1046 unsafe impl<T
: ?Sized
> Send
for RefCell
<T
> where T
: Send {}
1048 #[stable(feature = "rust1", since = "1.0.0")]
1049 impl<T
: ?Sized
> !Sync
for RefCell
<T
> {}
1051 #[stable(feature = "rust1", since = "1.0.0")]
1052 impl<T
: Clone
> Clone
for RefCell
<T
> {
1055 /// Panics if the value is currently mutably borrowed.
1058 fn clone(&self) -> RefCell
<T
> {
1059 RefCell
::new(self.borrow().clone())
1063 #[stable(feature = "rust1", since = "1.0.0")]
1064 impl<T
: Default
> Default
for RefCell
<T
> {
1065 /// Creates a `RefCell<T>`, with the `Default` value for T.
1067 fn default() -> RefCell
<T
> {
1068 RefCell
::new(Default
::default())
1072 #[stable(feature = "rust1", since = "1.0.0")]
1073 impl<T
: ?Sized
+ PartialEq
> PartialEq
for RefCell
<T
> {
1076 /// Panics if the value in either `RefCell` is currently borrowed.
1078 fn eq(&self, other
: &RefCell
<T
>) -> bool
{
1079 *self.borrow() == *other
.borrow()
1083 #[stable(feature = "cell_eq", since = "1.2.0")]
1084 impl<T
: ?Sized
+ Eq
> Eq
for RefCell
<T
> {}
1086 #[stable(feature = "cell_ord", since = "1.10.0")]
1087 impl<T
: ?Sized
+ PartialOrd
> PartialOrd
for RefCell
<T
> {
1090 /// Panics if the value in either `RefCell` is currently borrowed.
1092 fn partial_cmp(&self, other
: &RefCell
<T
>) -> Option
<Ordering
> {
1093 self.borrow().partial_cmp(&*other
.borrow())
1098 /// Panics if the value in either `RefCell` is currently borrowed.
1100 fn lt(&self, other
: &RefCell
<T
>) -> bool
{
1101 *self.borrow() < *other
.borrow()
1106 /// Panics if the value in either `RefCell` is currently borrowed.
1108 fn le(&self, other
: &RefCell
<T
>) -> bool
{
1109 *self.borrow() <= *other
.borrow()
1114 /// Panics if the value in either `RefCell` is currently borrowed.
1116 fn gt(&self, other
: &RefCell
<T
>) -> bool
{
1117 *self.borrow() > *other
.borrow()
1122 /// Panics if the value in either `RefCell` is currently borrowed.
1124 fn ge(&self, other
: &RefCell
<T
>) -> bool
{
1125 *self.borrow() >= *other
.borrow()
1129 #[stable(feature = "cell_ord", since = "1.10.0")]
1130 impl<T
: ?Sized
+ Ord
> Ord
for RefCell
<T
> {
1133 /// Panics if the value in either `RefCell` is currently borrowed.
1135 fn cmp(&self, other
: &RefCell
<T
>) -> Ordering
{
1136 self.borrow().cmp(&*other
.borrow())
1140 #[stable(feature = "cell_from", since = "1.12.0")]
1141 impl<T
> From
<T
> for RefCell
<T
> {
1142 fn from(t
: T
) -> RefCell
<T
> {
1147 #[unstable(feature = "coerce_unsized", issue = "27732")]
1148 impl<T
: CoerceUnsized
<U
>, U
> CoerceUnsized
<RefCell
<U
>> for RefCell
<T
> {}
1150 struct BorrowRef
<'b
> {
1151 borrow
: &'b Cell
<BorrowFlag
>,
1154 impl<'b
> BorrowRef
<'b
> {
1156 fn new(borrow
: &'b Cell
<BorrowFlag
>) -> Option
<BorrowRef
<'b
>> {
1157 let b
= borrow
.get().wrapping_add(1);
1159 // Incrementing borrow can result in a non-reading value (<= 0) in these cases:
1160 // 1. It was < 0, i.e. there are writing borrows, so we can't allow a read borrow
1161 // due to Rust's reference aliasing rules
1162 // 2. It was isize::MAX (the max amount of reading borrows) and it overflowed
1163 // into isize::MIN (the max amount of writing borrows) so we can't allow
1164 // an additional read borrow because isize can't represent so many read borrows
1165 // (this can only happen if you mem::forget more than a small constant amount of
1166 // `Ref`s, which is not good practice)
1169 // Incrementing borrow can result in a reading value (> 0) in these cases:
1170 // 1. It was = 0, i.e. it wasn't borrowed, and we are taking the first read borrow
1171 // 2. It was > 0 and < isize::MAX, i.e. there were read borrows, and isize
1172 // is large enough to represent having one more read borrow
1174 Some(BorrowRef { borrow }
)
1179 impl Drop
for BorrowRef
<'_
> {
1181 fn drop(&mut self) {
1182 let borrow
= self.borrow
.get();
1183 debug_assert
!(is_reading(borrow
));
1184 self.borrow
.set(borrow
- 1);
1188 impl Clone
for BorrowRef
<'_
> {
1190 fn clone(&self) -> Self {
1191 // Since this Ref exists, we know the borrow flag
1192 // is a reading borrow.
1193 let borrow
= self.borrow
.get();
1194 debug_assert
!(is_reading(borrow
));
1195 // Prevent the borrow counter from overflowing into
1196 // a writing borrow.
1197 assert
!(borrow
!= isize::MAX
);
1198 self.borrow
.set(borrow
+ 1);
1199 BorrowRef { borrow: self.borrow }
1203 /// Wraps a borrowed reference to a value in a `RefCell` box.
1204 /// A wrapper type for an immutably borrowed value from a `RefCell<T>`.
1206 /// See the [module-level documentation](index.html) for more.
1207 #[stable(feature = "rust1", since = "1.0.0")]
1208 pub struct Ref
<'b
, T
: ?Sized
+ 'b
> {
1210 borrow
: BorrowRef
<'b
>,
1213 #[stable(feature = "rust1", since = "1.0.0")]
1214 impl<T
: ?Sized
> Deref
for Ref
<'_
, T
> {
1218 fn deref(&self) -> &T
{
1223 impl<'b
, T
: ?Sized
> Ref
<'b
, T
> {
1226 /// The `RefCell` is already immutably borrowed, so this cannot fail.
1228 /// This is an associated function that needs to be used as
1229 /// `Ref::clone(...)`. A `Clone` implementation or a method would interfere
1230 /// with the widespread use of `r.borrow().clone()` to clone the contents of
1232 #[stable(feature = "cell_extras", since = "1.15.0")]
1234 pub fn clone(orig
: &Ref
<'b
, T
>) -> Ref
<'b
, T
> {
1235 Ref { value: orig.value, borrow: orig.borrow.clone() }
1238 /// Makes a new `Ref` for a component of the borrowed data.
1240 /// The `RefCell` is already immutably borrowed, so this cannot fail.
1242 /// This is an associated function that needs to be used as `Ref::map(...)`.
1243 /// A method would interfere with methods of the same name on the contents
1244 /// of a `RefCell` used through `Deref`.
1249 /// use std::cell::{RefCell, Ref};
1251 /// let c = RefCell::new((5, 'b'));
1252 /// let b1: Ref<(u32, char)> = c.borrow();
1253 /// let b2: Ref<u32> = Ref::map(b1, |t| &t.0);
1254 /// assert_eq!(*b2, 5)
1256 #[stable(feature = "cell_map", since = "1.8.0")]
1258 pub fn map
<U
: ?Sized
, F
>(orig
: Ref
<'b
, T
>, f
: F
) -> Ref
<'b
, U
>
1260 F
: FnOnce(&T
) -> &U
,
1262 Ref { value: f(orig.value), borrow: orig.borrow }
1265 /// Splits a `Ref` into multiple `Ref`s for different components of the
1268 /// The `RefCell` is already immutably borrowed, so this cannot fail.
1270 /// This is an associated function that needs to be used as
1271 /// `Ref::map_split(...)`. A method would interfere with methods of the same
1272 /// name on the contents of a `RefCell` used through `Deref`.
1277 /// use std::cell::{Ref, RefCell};
1279 /// let cell = RefCell::new([1, 2, 3, 4]);
1280 /// let borrow = cell.borrow();
1281 /// let (begin, end) = Ref::map_split(borrow, |slice| slice.split_at(2));
1282 /// assert_eq!(*begin, [1, 2]);
1283 /// assert_eq!(*end, [3, 4]);
1285 #[stable(feature = "refcell_map_split", since = "1.35.0")]
1287 pub fn map_split
<U
: ?Sized
, V
: ?Sized
, F
>(orig
: Ref
<'b
, T
>, f
: F
) -> (Ref
<'b
, U
>, Ref
<'b
, V
>)
1289 F
: FnOnce(&T
) -> (&U
, &V
),
1291 let (a
, b
) = f(orig
.value
);
1292 let borrow
= orig
.borrow
.clone();
1293 (Ref { value: a, borrow }
, Ref { value: b, borrow: orig.borrow }
)
1296 /// Convert into a reference to the underlying data.
1298 /// The underlying `RefCell` can never be mutably borrowed from again and will always appear
1299 /// already immutably borrowed. It is not a good idea to leak more than a constant number of
1300 /// references. The `RefCell` can be immutably borrowed again if only a smaller number of leaks
1301 /// have occurred in total.
1303 /// This is an associated function that needs to be used as
1304 /// `Ref::leak(...)`. A method would interfere with methods of the
1305 /// same name on the contents of a `RefCell` used through `Deref`.
1310 /// #![feature(cell_leak)]
1311 /// use std::cell::{RefCell, Ref};
1312 /// let cell = RefCell::new(0);
1314 /// let value = Ref::leak(cell.borrow());
1315 /// assert_eq!(*value, 0);
1317 /// assert!(cell.try_borrow().is_ok());
1318 /// assert!(cell.try_borrow_mut().is_err());
1320 #[unstable(feature = "cell_leak", issue = "69099")]
1321 pub fn leak(orig
: Ref
<'b
, T
>) -> &'b T
{
1322 // By forgetting this Ref we ensure that the borrow counter in the RefCell can't go back to
1323 // UNUSED within the lifetime `'b`. Resetting the reference tracking state would require a
1324 // unique reference to the borrowed RefCell. No further mutable references can be created
1325 // from the original cell.
1326 mem
::forget(orig
.borrow
);
1331 #[unstable(feature = "coerce_unsized", issue = "27732")]
1332 impl<'b
, T
: ?Sized
+ Unsize
<U
>, U
: ?Sized
> CoerceUnsized
<Ref
<'b
, U
>> for Ref
<'b
, T
> {}
1334 #[stable(feature = "std_guard_impls", since = "1.20.0")]
1335 impl<T
: ?Sized
+ fmt
::Display
> fmt
::Display
for Ref
<'_
, T
> {
1336 fn fmt(&self, f
: &mut fmt
::Formatter
<'_
>) -> fmt
::Result
{
1341 impl<'b
, T
: ?Sized
> RefMut
<'b
, T
> {
1342 /// Makes a new `RefMut` for a component of the borrowed data, e.g., an enum
1345 /// The `RefCell` is already mutably borrowed, so this cannot fail.
1347 /// This is an associated function that needs to be used as
1348 /// `RefMut::map(...)`. A method would interfere with methods of the same
1349 /// name on the contents of a `RefCell` used through `Deref`.
1354 /// use std::cell::{RefCell, RefMut};
1356 /// let c = RefCell::new((5, 'b'));
1358 /// let b1: RefMut<(u32, char)> = c.borrow_mut();
1359 /// let mut b2: RefMut<u32> = RefMut::map(b1, |t| &mut t.0);
1360 /// assert_eq!(*b2, 5);
1363 /// assert_eq!(*c.borrow(), (42, 'b'));
1365 #[stable(feature = "cell_map", since = "1.8.0")]
1367 pub fn map
<U
: ?Sized
, F
>(orig
: RefMut
<'b
, T
>, f
: F
) -> RefMut
<'b
, U
>
1369 F
: FnOnce(&mut T
) -> &mut U
,
1371 // FIXME(nll-rfc#40): fix borrow-check
1372 let RefMut { value, borrow }
= orig
;
1373 RefMut { value: f(value), borrow }
1376 /// Splits a `RefMut` into multiple `RefMut`s for different components of the
1379 /// The underlying `RefCell` will remain mutably borrowed until both
1380 /// returned `RefMut`s go out of scope.
1382 /// The `RefCell` is already mutably borrowed, so this cannot fail.
1384 /// This is an associated function that needs to be used as
1385 /// `RefMut::map_split(...)`. A method would interfere with methods of the
1386 /// same name on the contents of a `RefCell` used through `Deref`.
1391 /// use std::cell::{RefCell, RefMut};
1393 /// let cell = RefCell::new([1, 2, 3, 4]);
1394 /// let borrow = cell.borrow_mut();
1395 /// let (mut begin, mut end) = RefMut::map_split(borrow, |slice| slice.split_at_mut(2));
1396 /// assert_eq!(*begin, [1, 2]);
1397 /// assert_eq!(*end, [3, 4]);
1398 /// begin.copy_from_slice(&[4, 3]);
1399 /// end.copy_from_slice(&[2, 1]);
1401 #[stable(feature = "refcell_map_split", since = "1.35.0")]
1403 pub fn map_split
<U
: ?Sized
, V
: ?Sized
, F
>(
1404 orig
: RefMut
<'b
, T
>,
1406 ) -> (RefMut
<'b
, U
>, RefMut
<'b
, V
>)
1408 F
: FnOnce(&mut T
) -> (&mut U
, &mut V
),
1410 let (a
, b
) = f(orig
.value
);
1411 let borrow
= orig
.borrow
.clone();
1412 (RefMut { value: a, borrow }
, RefMut { value: b, borrow: orig.borrow }
)
1415 /// Convert into a mutable reference to the underlying data.
1417 /// The underlying `RefCell` can not be borrowed from again and will always appear already
1418 /// mutably borrowed, making the returned reference the only to the interior.
1420 /// This is an associated function that needs to be used as
1421 /// `RefMut::leak(...)`. A method would interfere with methods of the
1422 /// same name on the contents of a `RefCell` used through `Deref`.
1427 /// #![feature(cell_leak)]
1428 /// use std::cell::{RefCell, RefMut};
1429 /// let cell = RefCell::new(0);
1431 /// let value = RefMut::leak(cell.borrow_mut());
1432 /// assert_eq!(*value, 0);
1435 /// assert!(cell.try_borrow_mut().is_err());
1437 #[unstable(feature = "cell_leak", issue = "69099")]
1438 pub fn leak(orig
: RefMut
<'b
, T
>) -> &'b
mut T
{
1439 // By forgetting this BorrowRefMut we ensure that the borrow counter in the RefCell can't
1440 // go back to UNUSED within the lifetime `'b`. Resetting the reference tracking state would
1441 // require a unique reference to the borrowed RefCell. No further references can be created
1442 // from the original cell within that lifetime, making the current borrow the only
1443 // reference for the remaining lifetime.
1444 mem
::forget(orig
.borrow
);
1449 struct BorrowRefMut
<'b
> {
1450 borrow
: &'b Cell
<BorrowFlag
>,
1453 impl Drop
for BorrowRefMut
<'_
> {
1455 fn drop(&mut self) {
1456 let borrow
= self.borrow
.get();
1457 debug_assert
!(is_writing(borrow
));
1458 self.borrow
.set(borrow
+ 1);
1462 impl<'b
> BorrowRefMut
<'b
> {
1464 fn new(borrow
: &'b Cell
<BorrowFlag
>) -> Option
<BorrowRefMut
<'b
>> {
1465 // NOTE: Unlike BorrowRefMut::clone, new is called to create the initial
1466 // mutable reference, and so there must currently be no existing
1467 // references. Thus, while clone increments the mutable refcount, here
1468 // we explicitly only allow going from UNUSED to UNUSED - 1.
1469 match borrow
.get() {
1471 borrow
.set(UNUSED
- 1);
1472 Some(BorrowRefMut { borrow }
)
1478 // Clones a `BorrowRefMut`.
1480 // This is only valid if each `BorrowRefMut` is used to track a mutable
1481 // reference to a distinct, nonoverlapping range of the original object.
1482 // This isn't in a Clone impl so that code doesn't call this implicitly.
1484 fn clone(&self) -> BorrowRefMut
<'b
> {
1485 let borrow
= self.borrow
.get();
1486 debug_assert
!(is_writing(borrow
));
1487 // Prevent the borrow counter from underflowing.
1488 assert
!(borrow
!= isize::MIN
);
1489 self.borrow
.set(borrow
- 1);
1490 BorrowRefMut { borrow: self.borrow }
1494 /// A wrapper type for a mutably borrowed value from a `RefCell<T>`.
1496 /// See the [module-level documentation](index.html) for more.
1497 #[stable(feature = "rust1", since = "1.0.0")]
1498 pub struct RefMut
<'b
, T
: ?Sized
+ 'b
> {
1500 borrow
: BorrowRefMut
<'b
>,
1503 #[stable(feature = "rust1", since = "1.0.0")]
1504 impl<T
: ?Sized
> Deref
for RefMut
<'_
, T
> {
1508 fn deref(&self) -> &T
{
1513 #[stable(feature = "rust1", since = "1.0.0")]
1514 impl<T
: ?Sized
> DerefMut
for RefMut
<'_
, T
> {
1516 fn deref_mut(&mut self) -> &mut T
{
1521 #[unstable(feature = "coerce_unsized", issue = "27732")]
1522 impl<'b
, T
: ?Sized
+ Unsize
<U
>, U
: ?Sized
> CoerceUnsized
<RefMut
<'b
, U
>> for RefMut
<'b
, T
> {}
1524 #[stable(feature = "std_guard_impls", since = "1.20.0")]
1525 impl<T
: ?Sized
+ fmt
::Display
> fmt
::Display
for RefMut
<'_
, T
> {
1526 fn fmt(&self, f
: &mut fmt
::Formatter
<'_
>) -> fmt
::Result
{
1531 /// The core primitive for interior mutability in Rust.
1533 /// `UnsafeCell<T>` is a type that wraps some `T` and indicates unsafe interior operations on the
1534 /// wrapped type. Types with an `UnsafeCell<T>` field are considered to have an 'unsafe interior'.
1535 /// The `UnsafeCell<T>` type is the only legal way to obtain aliasable data that is considered
1536 /// mutable. In general, transmuting an `&T` type into an `&mut T` is considered undefined behavior.
1538 /// If you have a reference `&SomeStruct`, then normally in Rust all fields of `SomeStruct` are
1539 /// immutable. The compiler makes optimizations based on the knowledge that `&T` is not mutably
1540 /// aliased or mutated, and that `&mut T` is unique. `UnsafeCell<T>` is the only core language
1541 /// feature to work around the restriction that `&T` may not be mutated. All other types that
1542 /// allow internal mutability, such as `Cell<T>` and `RefCell<T>`, use `UnsafeCell` to wrap their
1543 /// internal data. There is *no* legal way to obtain aliasing `&mut`, not even with `UnsafeCell<T>`.
1545 /// The `UnsafeCell` API itself is technically very simple: [`.get()`] gives you a raw pointer
1546 /// `*mut T` to its contents. It is up to _you_ as the abstraction designer to use that raw pointer
1549 /// [`.get()`]: `UnsafeCell::get`
1551 /// The precise Rust aliasing rules are somewhat in flux, but the main points are not contentious:
1553 /// - If you create a safe reference with lifetime `'a` (either a `&T` or `&mut T`
1554 /// reference) that is accessible by safe code (for example, because you returned it),
1555 /// then you must not access the data in any way that contradicts that reference for the
1556 /// remainder of `'a`. For example, this means that if you take the `*mut T` from an
1557 /// `UnsafeCell<T>` and cast it to an `&T`, then the data in `T` must remain immutable
1558 /// (modulo any `UnsafeCell` data found within `T`, of course) until that reference's
1559 /// lifetime expires. Similarly, if you create a `&mut T` reference that is released to
1560 /// safe code, then you must not access the data within the `UnsafeCell` until that
1561 /// reference expires.
1563 /// - At all times, you must avoid data races. If multiple threads have access to
1564 /// the same `UnsafeCell`, then any writes must have a proper happens-before relation to all other
1565 /// accesses (or use atomics).
1567 /// To assist with proper design, the following scenarios are explicitly declared legal
1568 /// for single-threaded code:
1570 /// 1. A `&T` reference can be released to safe code and there it can co-exist with other `&T`
1571 /// references, but not with a `&mut T`
1573 /// 2. A `&mut T` reference may be released to safe code provided neither other `&mut T` nor `&T`
1574 /// co-exist with it. A `&mut T` must always be unique.
1576 /// Note that whilst mutating the contents of an `&UnsafeCell<T>` (even while other
1577 /// `&UnsafeCell<T>` references alias the cell) is
1578 /// ok (provided you enforce the above invariants some other way), it is still undefined behavior
1579 /// to have multiple `&mut UnsafeCell<T>` aliases. That is, `UnsafeCell` is a wrapper
1580 /// designed to have a special interaction with _shared_ accesses (_i.e._, through an
1581 /// `&UnsafeCell<_>` reference); there is no magic whatsoever when dealing with _exclusive_
1582 /// accesses (_e.g._, through an `&mut UnsafeCell<_>`): neither the cell nor the wrapped value
1583 /// may be aliased for the duration of that `&mut` borrow.
1584 /// This is showcased by the [`.get_mut()`] accessor, which is a non-`unsafe` getter that yields
1587 /// [`.get_mut()`]: `UnsafeCell::get_mut`
1591 /// Here is an example showcasing how to soundly mutate the contents of an `UnsafeCell<_>` despite
1592 /// there being multiple references aliasing the cell:
1595 /// use std::cell::UnsafeCell;
1597 /// let x: UnsafeCell<i32> = 42.into();
1598 /// // Get multiple / concurrent / shared references to the same `x`.
1599 /// let (p1, p2): (&UnsafeCell<i32>, &UnsafeCell<i32>) = (&x, &x);
1602 /// // SAFETY: within this scope there are no other references to `x`'s contents,
1603 /// // so ours is effectively unique.
1604 /// let p1_exclusive: &mut i32 = &mut *p1.get(); // -- borrow --+
1605 /// *p1_exclusive += 27; // |
1606 /// } // <---------- cannot go beyond this point -------------------+
1609 /// // SAFETY: within this scope nobody expects to have exclusive access to `x`'s contents,
1610 /// // so we can have multiple shared accesses concurrently.
1611 /// let p2_shared: &i32 = &*p2.get();
1612 /// assert_eq!(*p2_shared, 42 + 27);
1613 /// let p1_shared: &i32 = &*p1.get();
1614 /// assert_eq!(*p1_shared, *p2_shared);
1618 /// The following example showcases the fact that exclusive access to an `UnsafeCell<T>`
1619 /// implies exclusive access to its `T`:
1622 /// #![feature(unsafe_cell_get_mut)]
1623 /// #![forbid(unsafe_code)] // with exclusive accesses,
1624 /// // `UnsafeCell` is a transparent no-op wrapper,
1625 /// // so no need for `unsafe` here.
1626 /// use std::cell::UnsafeCell;
1628 /// let mut x: UnsafeCell<i32> = 42.into();
1630 /// // Get a compile-time-checked unique reference to `x`.
1631 /// let p_unique: &mut UnsafeCell<i32> = &mut x;
1632 /// // With an exclusive reference, we can mutate the contents for free.
1633 /// *p_unique.get_mut() = 0;
1634 /// // Or, equivalently:
1635 /// x = UnsafeCell::new(0);
1637 /// // When we own the value, we can extract the contents for free.
1638 /// let contents: i32 = x.into_inner();
1639 /// assert_eq!(contents, 0);
1641 #[lang = "unsafe_cell"]
1642 #[stable(feature = "rust1", since = "1.0.0")]
1643 #[repr(transparent)]
1644 #[repr(no_niche)] // rust-lang/rust#68303.
1645 pub struct UnsafeCell
<T
: ?Sized
> {
1649 #[stable(feature = "rust1", since = "1.0.0")]
1650 impl<T
: ?Sized
> !Sync
for UnsafeCell
<T
> {}
1652 impl<T
> UnsafeCell
<T
> {
1653 /// Constructs a new instance of `UnsafeCell` which will wrap the specified
1656 /// All access to the inner value through methods is `unsafe`.
1661 /// use std::cell::UnsafeCell;
1663 /// let uc = UnsafeCell::new(5);
1665 #[stable(feature = "rust1", since = "1.0.0")]
1666 #[rustc_const_stable(feature = "const_unsafe_cell_new", since = "1.32.0")]
1668 pub const fn new(value
: T
) -> UnsafeCell
<T
> {
1669 UnsafeCell { value }
1672 /// Unwraps the value.
1677 /// use std::cell::UnsafeCell;
1679 /// let uc = UnsafeCell::new(5);
1681 /// let five = uc.into_inner();
1684 #[stable(feature = "rust1", since = "1.0.0")]
1685 pub fn into_inner(self) -> T
{
1690 impl<T
: ?Sized
> UnsafeCell
<T
> {
1691 /// Gets a mutable pointer to the wrapped value.
1693 /// This can be cast to a pointer of any kind.
1694 /// Ensure that the access is unique (no active references, mutable or not)
1695 /// when casting to `&mut T`, and ensure that there are no mutations
1696 /// or mutable aliases going on when casting to `&T`
1701 /// use std::cell::UnsafeCell;
1703 /// let uc = UnsafeCell::new(5);
1705 /// let five = uc.get();
1708 #[stable(feature = "rust1", since = "1.0.0")]
1709 #[rustc_const_stable(feature = "const_unsafecell_get", since = "1.32.0")]
1710 pub const fn get(&self) -> *mut T
{
1711 // We can just cast the pointer from `UnsafeCell<T>` to `T` because of
1712 // #[repr(transparent)]. This exploits libstd's special status, there is
1713 // no guarantee for user code that this will work in future versions of the compiler!
1714 self as *const UnsafeCell
<T
> as *const T
as *mut T
1717 /// Returns a mutable reference to the underlying data.
1719 /// This call borrows the `UnsafeCell` mutably (at compile-time) which
1720 /// guarantees that we possess the only reference.
1725 /// #![feature(unsafe_cell_get_mut)]
1726 /// use std::cell::UnsafeCell;
1728 /// let mut c = UnsafeCell::new(5);
1729 /// *c.get_mut() += 1;
1731 /// assert_eq!(*c.get_mut(), 6);
1734 #[unstable(feature = "unsafe_cell_get_mut", issue = "76943")]
1735 pub fn get_mut(&mut self) -> &mut T
{
1736 // SAFETY: (outer) `&mut` guarantees unique access.
1737 unsafe { &mut *self.get() }
1740 /// Gets a mutable pointer to the wrapped value.
1741 /// The difference to [`get`] is that this function accepts a raw pointer,
1742 /// which is useful to avoid the creation of temporary references.
1744 /// The result can be cast to a pointer of any kind.
1745 /// Ensure that the access is unique (no active references, mutable or not)
1746 /// when casting to `&mut T`, and ensure that there are no mutations
1747 /// or mutable aliases going on when casting to `&T`.
1749 /// [`get`]: #method.get
1753 /// Gradual initialization of an `UnsafeCell` requires `raw_get`, as
1754 /// calling `get` would require creating a reference to uninitialized data:
1757 /// #![feature(unsafe_cell_raw_get)]
1758 /// use std::cell::UnsafeCell;
1759 /// use std::mem::MaybeUninit;
1761 /// let m = MaybeUninit::<UnsafeCell<i32>>::uninit();
1762 /// unsafe { UnsafeCell::raw_get(m.as_ptr()).write(5); }
1763 /// let uc = unsafe { m.assume_init() };
1765 /// assert_eq!(uc.into_inner(), 5);
1768 #[unstable(feature = "unsafe_cell_raw_get", issue = "66358")]
1769 pub const fn raw_get(this
: *const Self) -> *mut T
{
1770 // We can just cast the pointer from `UnsafeCell<T>` to `T` because of
1771 // #[repr(transparent)]. This exploits libstd's special status, there is
1772 // no guarantee for user code that this will work in future versions of the compiler!
1773 this
as *const T
as *mut T
1777 #[stable(feature = "unsafe_cell_default", since = "1.10.0")]
1778 impl<T
: Default
> Default
for UnsafeCell
<T
> {
1779 /// Creates an `UnsafeCell`, with the `Default` value for T.
1780 fn default() -> UnsafeCell
<T
> {
1781 UnsafeCell
::new(Default
::default())
1785 #[stable(feature = "cell_from", since = "1.12.0")]
1786 impl<T
> From
<T
> for UnsafeCell
<T
> {
1787 fn from(t
: T
) -> UnsafeCell
<T
> {
1792 #[unstable(feature = "coerce_unsized", issue = "27732")]
1793 impl<T
: CoerceUnsized
<U
>, U
> CoerceUnsized
<UnsafeCell
<U
>> for UnsafeCell
<T
> {}
1796 fn assert_coerce_unsized(a
: UnsafeCell
<&i32>, b
: Cell
<&i32>, c
: RefCell
<&i32>) {
1797 let _
: UnsafeCell
<&dyn Send
> = a
;
1798 let _
: Cell
<&dyn Send
> = b
;
1799 let _
: RefCell
<&dyn Send
> = c
;