1 //! Manually manage memory through raw pointers.
3 //! *[See also the pointer primitive types](pointer).*
7 //! Many functions in this module take raw pointers as arguments and read from
8 //! or write to them. For this to be safe, these pointers must be *valid*.
9 //! Whether a pointer is valid depends on the operation it is used for
10 //! (read or write), and the extent of the memory that is accessed (i.e.,
11 //! how many bytes are read/written). Most functions use `*mut T` and `*const T`
12 //! to access only a single value, in which case the documentation omits the size
13 //! and implicitly assumes it to be `size_of::<T>()` bytes.
15 //! The precise rules for validity are not determined yet. The guarantees that are
16 //! provided at this point are very minimal:
18 //! * A [null] pointer is *never* valid, not even for accesses of [size zero][zst].
19 //! * For a pointer to be valid, it is necessary, but not always sufficient, that the pointer
20 //! be *dereferenceable*: the memory range of the given size starting at the pointer must all be
21 //! within the bounds of a single allocated object. Note that in Rust,
22 //! every (stack-allocated) variable is considered a separate allocated object.
23 //! * Even for operations of [size zero][zst], the pointer must not be pointing to deallocated
24 //! memory, i.e., deallocation makes pointers invalid even for zero-sized operations. However,
25 //! casting any non-zero integer *literal* to a pointer is valid for zero-sized accesses, even if
26 //! some memory happens to exist at that address and gets deallocated. This corresponds to writing
27 //! your own allocator: allocating zero-sized objects is not very hard. The canonical way to
28 //! obtain a pointer that is valid for zero-sized accesses is [`NonNull::dangling`].
29 //FIXME: mention `ptr::invalid` above, once it is stable.
30 //! * All accesses performed by functions in this module are *non-atomic* in the sense
31 //! of [atomic operations] used to synchronize between threads. This means it is
32 //! undefined behavior to perform two concurrent accesses to the same location from different
33 //! threads unless both accesses only read from memory. Notice that this explicitly
34 //! includes [`read_volatile`] and [`write_volatile`]: Volatile accesses cannot
35 //! be used for inter-thread synchronization.
36 //! * The result of casting a reference to a pointer is valid for as long as the
37 //! underlying object is live and no reference (just raw pointers) is used to
38 //! access the same memory.
40 //! These axioms, along with careful use of [`offset`] for pointer arithmetic,
41 //! are enough to correctly implement many useful things in unsafe code. Stronger guarantees
42 //! will be provided eventually, as the [aliasing] rules are being determined. For more
43 //! information, see the [book] as well as the section in the reference devoted
44 //! to [undefined behavior][ub].
48 //! Valid raw pointers as defined above are not necessarily properly aligned (where
49 //! "proper" alignment is defined by the pointee type, i.e., `*const T` must be
50 //! aligned to `mem::align_of::<T>()`). However, most functions require their
51 //! arguments to be properly aligned, and will explicitly state
52 //! this requirement in their documentation. Notable exceptions to this are
53 //! [`read_unaligned`] and [`write_unaligned`].
55 //! When a function requires proper alignment, it does so even if the access
56 //! has size 0, i.e., even if memory is not actually touched. Consider using
57 //! [`NonNull::dangling`] in such cases.
59 //! ## Allocated object
61 //! For several operations, such as [`offset`] or field projections (`expr.field`), the notion of an
62 //! "allocated object" becomes relevant. An allocated object is a contiguous region of memory.
63 //! Common examples of allocated objects include stack-allocated variables (each variable is a
64 //! separate allocated object), heap allocations (each allocation created by the global allocator is
65 //! a separate allocated object), and `static` variables.
68 //! # Strict Provenance
70 //! **The following text is non-normative, insufficiently formal, and is an extremely strict
71 //! interpretation of provenance. It's ok if your code doesn't strictly conform to it.**
73 //! [Strict Provenance][] is an experimental set of APIs that help tools that try
74 //! to validate the memory-safety of your program's execution. Notably this includes [Miri][]
75 //! and [CHERI][], which can detect when you access out of bounds memory or otherwise violate
76 //! Rust's memory model.
78 //! Provenance must exist in some form for any programming
79 //! language compiled for modern computer architectures, but specifying a model for provenance
80 //! in a way that is useful to both compilers and programmers is an ongoing challenge.
81 //! The [Strict Provenance][] experiment seeks to explore the question: *what if we just said you
82 //! couldn't do all the nasty operations that make provenance so messy?*
84 //! What APIs would have to be removed? What APIs would have to be added? How much would code
85 //! have to change, and is it worse or better now? Would any patterns become truly inexpressible?
86 //! Could we carve out special exceptions for those patterns? Should we?
88 //! A secondary goal of this project is to see if we can disambiguate the many functions of
89 //! pointer<->integer casts enough for the definition of `usize` to be loosened so that it
90 //! isn't *pointer*-sized but address-space/offset/allocation-sized (we'll probably continue
91 //! to conflate these notions). This would potentially make it possible to more efficiently
92 //! target platforms where pointers are larger than offsets, such as CHERI and maybe some
93 //! segmented architecures.
97 //! **This section is *non-normative* and is part of the [Strict Provenance][] experiment.**
99 //! Pointers are not *simply* an "integer" or "address". For instance, it's uncontroversial
100 //! to say that a Use After Free is clearly Undefined Behaviour, even if you "get lucky"
101 //! and the freed memory gets reallocated before your read/write (in fact this is the
102 //! worst-case scenario, UAFs would be much less concerning if this didn't happen!).
103 //! To rationalize this claim, pointers need to somehow be *more* than just their addresses:
104 //! they must have provenance.
106 //! When an allocation is created, that allocation has a unique Original Pointer. For alloc
107 //! APIs this is literally the pointer the call returns, and for local variables and statics,
108 //! this is the name of the variable/static. This is mildly overloading the term "pointer"
109 //! for the sake of brevity/exposition.
111 //! The Original Pointer for an allocation is guaranteed to have unique access to the entire
112 //! allocation and *only* that allocation. In this sense, an allocation can be thought of
113 //! as a "sandbox" that cannot be broken into or out of. *Provenance* is the permission
114 //! to access an allocation's sandbox and has both a *spatial* and *temporal* component:
116 //! * Spatial: A range of bytes that the pointer is allowed to access.
117 //! * Temporal: The lifetime (of the allocation) that access to these bytes is tied to.
119 //! Spatial provenance makes sure you don't go beyond your sandbox, while temporal provenance
120 //! makes sure that you can't "get lucky" after your permission to access some memory
121 //! has been revoked (either through deallocations or borrows expiring).
123 //! Provenance is implicitly shared with all pointers transitively derived from
124 //! The Original Pointer through operations like [`offset`], borrowing, and pointer casts.
125 //! Some operations may *shrink* the derived provenance, limiting how much memory it can
126 //! access or how long it's valid for (i.e. borrowing a subfield and subslicing).
128 //! Shrinking provenance cannot be undone: even if you "know" there is a larger allocation, you
129 //! can't derive a pointer with a larger provenance. Similarly, you cannot "recombine"
130 //! two contiguous provenances back into one (i.e. with a `fn merge(&[T], &[T]) -> &[T]`).
132 //! A reference to a value always has provenance over exactly the memory that field occupies.
133 //! A reference to a slice always has provenance over exactly the range that slice describes.
135 //! If an allocation is deallocated, all pointers with provenance to that allocation become
136 //! invalidated, and effectively lose their provenance.
138 //! The strict provenance experiment is mostly only interested in exploring stricter *spatial*
139 //! provenance. In this sense it can be thought of as a subset of the more ambitious and
140 //! formal [Stacked Borrows][] research project, which is what tools like [Miri][] are based on.
141 //! In particular, Stacked Borrows is necessary to properly describe what borrows are allowed
142 //! to do and when they become invalidated. This necessarily involves much more complex
143 //! *temporal* reasoning than simply identifying allocations. Adjusting APIs and code
144 //! for the strict provenance experiment will also greatly help Stacked Borrows.
147 //! ## Pointer Vs Addresses
149 //! **This section is *non-normative* and is part of the [Strict Provenance][] experiment.**
151 //! One of the largest historical issues with trying to define provenance is that programmers
152 //! freely convert between pointers and integers. Once you allow for this, it generally becomes
153 //! impossible to accurately track and preserve provenance information, and you need to appeal
154 //! to very complex and unreliable heuristics. But of course, converting between pointers and
155 //! integers is very useful, so what can we do?
157 //! Also did you know WASM is actually a "Harvard Architecture"? As in function pointers are
158 //! handled completely differently from data pointers? And we kind of just shipped Rust on WASM
159 //! without really addressing the fact that we let you freely convert between function pointers
160 //! and data pointers, because it mostly Just Works? Let's just put that on the "pointer casts
161 //! are dubious" pile.
163 //! Strict Provenance attempts to square these circles by decoupling Rust's traditional conflation
164 //! of pointers and `usize` (and `isize`), and defining a pointer to semantically contain the
165 //! following information:
167 //! * The **address-space** it is part of (e.g. "data" vs "code" in WASM).
168 //! * The **address** it points to, which can be represented by a `usize`.
169 //! * The **provenance** it has, defining the memory it has permission to access.
171 //! Under Strict Provenance, a usize *cannot* accurately represent a pointer, and converting from
172 //! a pointer to a usize is generally an operation which *only* extracts the address. It is
173 //! therefore *impossible* to construct a valid pointer from a usize because there is no way
174 //! to restore the address-space and provenance. In other words, pointer-integer-pointer
175 //! roundtrips are not possible (in the sense that the resulting pointer is not dereferencable).
177 //! The key insight to making this model *at all* viable is the [`with_addr`][] method:
180 //! /// Creates a new pointer with the given address.
182 //! /// This performs the same operation as an `addr as ptr` cast, but copies
183 //! /// the *address-space* and *provenance* of `self` to the new pointer.
184 //! /// This allows us to dynamically preserve and propagate this important
185 //! /// information in a way that is otherwise impossible with a unary cast.
187 //! /// This is equivalent to using `wrapping_offset` to offset `self` to the
188 //! /// given address, and therefore has all the same capabilities and restrictions.
189 //! pub fn with_addr(self, addr: usize) -> Self;
192 //! So you're still able to drop down to the address representation and do whatever
193 //! clever bit tricks you want *as long as* you're able to keep around a pointer
194 //! into the allocation you care about that can "reconstitute" the other parts of the pointer.
195 //! Usually this is very easy, because you only are taking a pointer, messing with the address,
196 //! and then immediately converting back to a pointer. To make this use case more ergonomic,
197 //! we provide the [`map_addr`][] method.
199 //! To help make it clear that code is "following" Strict Provenance semantics, we also provide an
200 //! [`addr`][] method which promises that the returned address is not part of a
201 //! pointer-usize-pointer roundtrip. In the future we may provide a lint for pointer<->integer
202 //! casts to help you audit if your code conforms to strict provenance.
205 //! ## Using Strict Provenance
207 //! Most code needs no changes to conform to strict provenance, as the only really concerning
208 //! operation that *wasn't* obviously already Undefined Behaviour is casts from usize to a
209 //! pointer. For code which *does* cast a usize to a pointer, the scope of the change depends
210 //! on exactly what you're doing.
212 //! In general you just need to make sure that if you want to convert a usize address to a
213 //! pointer and then use that pointer to read/write memory, you need to keep around a pointer
214 //! that has sufficient provenance to perform that read/write itself. In this way all of your
215 //! casts from an address to a pointer are essentially just applying offsets/indexing.
217 //! This is generally trivial to do for simple cases like tagged pointers *as long as you
218 //! represent the tagged pointer as an actual pointer and not a usize*. For instance:
221 //! #![feature(strict_provenance)]
224 //! // A flag we want to pack into our pointer
225 //! static HAS_DATA: usize = 0x1;
226 //! static FLAG_MASK: usize = !HAS_DATA;
228 //! // Our value, which must have enough alignment to have spare least-significant-bits.
229 //! let my_precious_data: u32 = 17;
230 //! assert!(core::mem::align_of::<u32>() > 1);
232 //! // Create a tagged pointer
233 //! let ptr = &my_precious_data as *const u32;
234 //! let tagged = ptr.map_addr(|addr| addr | HAS_DATA);
236 //! // Check the flag:
237 //! if tagged.addr() & HAS_DATA != 0 {
238 //! // Untag and read the pointer
239 //! let data = *tagged.map_addr(|addr| addr & FLAG_MASK);
240 //! assert_eq!(data, 17);
247 //! (Yes, if you've been using AtomicUsize for pointers in concurrent datastructures, you should
248 //! be using AtomicPtr instead. If that messes up the way you atomically manipulate pointers,
249 //! we would like to know why, and what needs to be done to fix it.)
251 //! Something more complicated and just generally *evil* like an XOR-List requires more significant
252 //! changes like allocating all nodes in a pre-allocated Vec or Arena and using a pointer
253 //! to the whole allocation to reconstitute the XORed addresses.
255 //! Situations where a valid pointer *must* be created from just an address, such as baremetal code
256 //! accessing a memory-mapped interface at a fixed address, are an open question on how to support.
257 //! These situations *will* still be allowed, but we might require some kind of "I know what I'm
258 //! doing" annotation to explain the situation to the compiler. It's also possible they need no
259 //! special attention at all, because they're generally accessing memory outside the scope of
260 //! "the abstract machine", or already using "I know what I'm doing" annotations like "volatile".
262 //! Under [Strict Provenance] it is Undefined Behaviour to:
264 //! * Access memory through a pointer that does not have provenance over that memory.
266 //! * [`offset`] a pointer to or from an address it doesn't have provenance over.
267 //! This means it's always UB to offset a pointer derived from something deallocated,
268 //! even if the offset is 0. Note that a pointer "one past the end" of its provenance
269 //! is not actually outside its provenance, it just has 0 bytes it can load/store.
271 //! But it *is* still sound to:
273 //! * Create an invalid pointer from just an address (see [`ptr::invalid`][]). This can
274 //! be used for sentinel values like `null` *or* to represent a tagged pointer that will
275 //! never be dereferencable. In general, it is always sound for an integer to pretend
276 //! to be a pointer "for fun" as long as you don't use operations on it which require
277 //! it to be valid (offset, read, write, etc).
279 //! * Forge an allocation of size zero at any sufficiently aligned non-null address.
280 //! i.e. the usual "ZSTs are fake, do what you want" rules apply *but* this only applies
281 //! for actual forgery (integers cast to pointers). If you borrow some struct's field
282 //! that *happens* to be zero-sized, the resulting pointer will have provenance tied to
283 //! that allocation and it will still get invalidated if the allocation gets deallocated.
284 //! In the future we may introduce an API to make such a forged allocation explicit.
286 //! * [`wrapping_offset`][] a pointer outside its provenance. This includes invalid pointers
287 //! which have "no" provenance. Unfortunately there may be practical limits on this for a
288 //! particular platform, and it's an open question as to how to specify this (if at all).
289 //! Notably, [CHERI][] relies on a compression scheme that can't handle a
290 //! pointer getting offset "too far" out of bounds. If this happens, the address
291 //! returned by `addr` will be the value you expect, but the provenance will get invalidated
292 //! and using it to read/write will fault. The details of this are architecture-specific
293 //! and based on alignment, but the buffer on either side of the pointer's range is pretty
294 //! generous (think kilobytes, not bytes).
296 //! * Compare arbitrary pointers by address. Addresses *are* just integers and so there is
297 //! always a coherent answer, even if the pointers are invalid or from different
298 //! address-spaces/provenances. Of course, comparing addresses from different address-spaces
299 //! is generally going to be *meaningless*, but so is comparing Kilograms to Meters, and Rust
300 //! doesn't prevent that either. Similarly, if you get "lucky" and notice that a pointer
301 //! one-past-the-end is the "same" address as the start of an unrelated allocation, anything
302 //! you do with that fact is *probably* going to be gibberish. The scope of that gibberish
303 //! is kept under control by the fact that the two pointers *still* aren't allowed to access
304 //! the other's allocation (bytes), because they still have different provenance.
306 //! * Perform pointer tagging tricks. This falls out of [`wrapping_offset`] but is worth
307 //! mentioning in more detail because of the limitations of [CHERI][]. Low-bit tagging
308 //! is very robust, and often doesn't even go out of bounds because types ensure
309 //! size >= align (and over-aligning actually gives CHERI more flexibility). Anything
310 //! more complex than this rapidly enters "extremely platform-specific" territory as
311 //! certain things may or may not be allowed based on specific supported operations.
312 //! For instance, ARM explicitly supports high-bit tagging, and so CHERI on ARM inherits
313 //! that and should support it.
315 //! ## Pointer-usize-pointer roundtrips and 'exposed' provenance
317 //! **This section is *non-normative* and is part of the [Strict Provenance] experiment.**
319 //! As discussed above, pointer-usize-pointer roundtrips are not possible under [Strict Provenance].
320 //! However, there exists legacy Rust code that is full of such roundtrips, and legacy platform APIs
321 //! regularly assume that `usize` can capture all the information that makes up a pointer. There
322 //! also might be code that cannot be ported to Strict Provenance (which is something we would [like
323 //! to hear about][Strict Provenance]).
325 //! For situations like this, there is a fallback plan, a way to 'opt out' of Strict Provenance.
326 //! However, note that this makes your code a lot harder to specify, and the code will not work
327 //! (well) with tools like [Miri] and [CHERI].
329 //! This fallback plan is provided by the [`expose_addr`] and [`from_exposed_addr`] methods (which
330 //! are equivalent to `as` casts between pointers and integers). [`expose_addr`] is a lot like
331 //! [`addr`], but additionally adds the provenance of the pointer to a global list of 'exposed'
332 //! provenances. (This list is purely conceptual, it exists for the purpose of specifying Rust but
333 //! is not materialized in actual executions, except in tools like [Miri].) [`from_exposed_addr`]
334 //! can be used to construct a pointer with one of these previously 'exposed' provenances.
335 //! [`from_exposed_addr`] takes only `addr: usize` as arguments, so unlike in [`with_addr`] there is
336 //! no indication of what the correct provenance for the returned pointer is -- and that is exactly
337 //! what makes pointer-usize-pointer roundtrips so tricky to rigorously specify! There is no
338 //! algorithm that decides which provenance will be used. You can think of this as "guessing" the
339 //! right provenance, and the guess will be "maximally in your favor", in the sense that if there is
340 //! any way to avoid undefined behavior, then that is the guess that will be taken. However, if
341 //! there is *no* previously 'exposed' provenance that justifies the way the returned pointer will
342 //! be used, the program has undefined behavior.
344 //! Using [`expose_addr`] or [`from_exposed_addr`] (or the equivalent `as` casts) means that code is
345 //! *not* following Strict Provenance rules. The goal of the Strict Provenance experiment is to
346 //! determine whether it is possible to use Rust without [`expose_addr`] and [`from_exposed_addr`].
347 //! If this is successful, it would be a major win for avoiding specification complexity and to
348 //! facilitate adoption of tools like [CHERI] and [Miri] that can be a big help in increasing the
349 //! confidence in (unsafe) Rust code.
351 //! [aliasing]: ../../nomicon/aliasing.html
352 //! [book]: ../../book/ch19-01-unsafe-rust.html#dereferencing-a-raw-pointer
353 //! [ub]: ../../reference/behavior-considered-undefined.html
354 //! [zst]: ../../nomicon/exotic-sizes.html#zero-sized-types-zsts
355 //! [atomic operations]: crate::sync::atomic
356 //! [`offset`]: pointer::offset
357 //! [`wrapping_offset`]: pointer::wrapping_offset
358 //! [`with_addr`]: pointer::with_addr
359 //! [`map_addr`]: pointer::map_addr
360 //! [`addr`]: pointer::addr
361 //! [`ptr::invalid`]: core::ptr::invalid
362 //! [`expose_addr`]: pointer::expose_addr
363 //! [`from_exposed_addr`]: from_exposed_addr
364 //! [Miri]: https://github.com/rust-lang/miri
365 //! [CHERI]: https://www.cl.cam.ac.uk/research/security/ctsrd/cheri/
366 //! [Strict Provenance]: https://github.com/rust-lang/rust/issues/95228
367 //! [Stacked Borrows]: https://plv.mpi-sws.org/rustbelt/stacked-borrows/
369 #![stable(feature = "rust1", since = "1.0.0")]
371 use crate::cmp
::Ordering
;
374 use crate::intrinsics
::{
375 self, assert_unsafe_precondition
, is_aligned_and_not_null
, is_nonoverlapping
,
378 use crate::mem
::{self, MaybeUninit}
;
380 #[stable(feature = "rust1", since = "1.0.0")]
382 pub use crate::intrinsics
::copy_nonoverlapping
;
384 #[stable(feature = "rust1", since = "1.0.0")]
386 pub use crate::intrinsics
::copy
;
388 #[stable(feature = "rust1", since = "1.0.0")]
390 pub use crate::intrinsics
::write_bytes
;
393 pub(crate) use metadata
::PtrRepr
;
394 #[unstable(feature = "ptr_metadata", issue = "81513")]
395 pub use metadata
::{from_raw_parts, from_raw_parts_mut, metadata, DynMetadata, Pointee, Thin}
;
398 #[stable(feature = "nonnull", since = "1.25.0")]
399 pub use non_null
::NonNull
;
402 #[unstable(feature = "ptr_internals", issue = "none")]
403 pub use unique
::Unique
;
408 /// Executes the destructor (if any) of the pointed-to value.
410 /// This is semantically equivalent to calling [`ptr::read`] and discarding
411 /// the result, but has the following advantages:
413 /// * It is *required* to use `drop_in_place` to drop unsized types like
414 /// trait objects, because they can't be read out onto the stack and
415 /// dropped normally.
417 /// * It is friendlier to the optimizer to do this over [`ptr::read`] when
418 /// dropping manually allocated memory (e.g., in the implementations of
419 /// `Box`/`Rc`/`Vec`), as the compiler doesn't need to prove that it's
420 /// sound to elide the copy.
422 /// * It can be used to drop [pinned] data when `T` is not `repr(packed)`
423 /// (pinned data must not be moved before it is dropped).
425 /// Unaligned values cannot be dropped in place, they must be copied to an aligned
426 /// location first using [`ptr::read_unaligned`]. For packed structs, this move is
427 /// done automatically by the compiler. This means the fields of packed structs
428 /// are not dropped in-place.
430 /// [`ptr::read`]: self::read
431 /// [`ptr::read_unaligned`]: self::read_unaligned
432 /// [pinned]: crate::pin
436 /// Behavior is undefined if any of the following conditions are violated:
438 /// * `to_drop` must be [valid] for both reads and writes.
440 /// * `to_drop` must be properly aligned.
442 /// * The value `to_drop` points to must be valid for dropping, which may mean it must uphold
443 /// additional invariants - this is type-dependent.
445 /// Additionally, if `T` is not [`Copy`], using the pointed-to value after
446 /// calling `drop_in_place` can cause undefined behavior. Note that `*to_drop =
447 /// foo` counts as a use because it will cause the value to be dropped
448 /// again. [`write()`] can be used to overwrite data without causing it to be
451 /// Note that even if `T` has size `0`, the pointer must be non-null and properly aligned.
453 /// [valid]: self#safety
457 /// Manually remove the last item from a vector:
463 /// let last = Rc::new(1);
464 /// let weak = Rc::downgrade(&last);
466 /// let mut v = vec![Rc::new(0), last];
469 /// // Get a raw pointer to the last element in `v`.
470 /// let ptr = &mut v[1] as *mut _;
471 /// // Shorten `v` to prevent the last item from being dropped. We do that first,
472 /// // to prevent issues if the `drop_in_place` below panics.
474 /// // Without a call `drop_in_place`, the last item would never be dropped,
475 /// // and the memory it manages would be leaked.
476 /// ptr::drop_in_place(ptr);
479 /// assert_eq!(v, &[0.into()]);
481 /// // Ensure that the last item was dropped.
482 /// assert!(weak.upgrade().is_none());
484 #[stable(feature = "drop_in_place", since = "1.8.0")]
485 #[lang = "drop_in_place"]
486 #[allow(unconditional_recursion)]
487 pub unsafe fn drop_in_place
<T
: ?Sized
>(to_drop
: *mut T
) {
488 // Code here does not matter - this is replaced by the
489 // real drop glue by the compiler.
491 // SAFETY: see comment above
492 unsafe { drop_in_place(to_drop) }
495 /// Creates a null raw pointer.
502 /// let p: *const i32 = ptr::null();
503 /// assert!(p.is_null());
507 #[stable(feature = "rust1", since = "1.0.0")]
509 #[rustc_const_stable(feature = "const_ptr_null", since = "1.24.0")]
510 #[rustc_diagnostic_item = "ptr_null"]
512 pub const fn null
<T
>() -> *const T
{
516 /// Creates a null raw pointer.
523 /// let p: *const i32 = ptr::null();
524 /// assert!(p.is_null());
528 #[stable(feature = "rust1", since = "1.0.0")]
530 #[rustc_const_stable(feature = "const_ptr_null", since = "1.24.0")]
531 #[rustc_allow_const_fn_unstable(ptr_metadata)]
532 #[rustc_diagnostic_item = "ptr_null"]
533 #[cfg(not(bootstrap))]
534 pub const fn null
<T
: ?Sized
+ Thin
>() -> *const T
{
535 from_raw_parts(invalid(0), ())
538 /// Creates a null mutable raw pointer.
545 /// let p: *mut i32 = ptr::null_mut();
546 /// assert!(p.is_null());
550 #[stable(feature = "rust1", since = "1.0.0")]
552 #[rustc_const_stable(feature = "const_ptr_null", since = "1.24.0")]
553 #[rustc_diagnostic_item = "ptr_null_mut"]
555 pub const fn null_mut
<T
>() -> *mut T
{
559 /// Creates an invalid pointer with the given address.
561 /// This is different from `addr as *const T`, which creates a pointer that picks up a previously
562 /// exposed provenance. See [`from_exposed_addr`] for more details on that operation.
564 /// The module's top-level documentation discusses the precise meaning of an "invalid"
565 /// pointer but essentially this expresses that the pointer is not associated
566 /// with any actual allocation and is little more than a usize address in disguise.
568 /// This pointer will have no provenance associated with it and is therefore
569 /// UB to read/write/offset. This mostly exists to facilitate things
570 /// like `ptr::null` and `NonNull::dangling` which make invalid pointers.
572 /// (Standard "Zero-Sized-Types get to cheat and lie" caveats apply, although it
573 /// may be desirable to give them their own API just to make that 100% clear.)
575 /// This API and its claimed semantics are part of the Strict Provenance experiment,
576 /// see the [module documentation][crate::ptr] for details.
579 #[rustc_const_stable(feature = "stable_things_using_strict_provenance", since = "1.61.0")]
580 #[unstable(feature = "strict_provenance", issue = "95228")]
581 pub const fn invalid
<T
>(addr
: usize) -> *const T
{
582 // FIXME(strict_provenance_magic): I am magic and should be a compiler intrinsic.
583 // We use transmute rather than a cast so tools like Miri can tell that this
584 // is *not* the same as from_exposed_addr.
585 // SAFETY: every valid integer is also a valid pointer (as long as you don't dereference that
587 unsafe { mem::transmute(addr) }
590 /// Creates an invalid mutable pointer with the given address.
592 /// This is different from `addr as *mut T`, which creates a pointer that picks up a previously
593 /// exposed provenance. See [`from_exposed_addr_mut`] for more details on that operation.
595 /// The module's top-level documentation discusses the precise meaning of an "invalid"
596 /// pointer but essentially this expresses that the pointer is not associated
597 /// with any actual allocation and is little more than a usize address in disguise.
599 /// This pointer will have no provenance associated with it and is therefore
600 /// UB to read/write/offset. This mostly exists to facilitate things
601 /// like `ptr::null` and `NonNull::dangling` which make invalid pointers.
603 /// (Standard "Zero-Sized-Types get to cheat and lie" caveats apply, although it
604 /// may be desirable to give them their own API just to make that 100% clear.)
606 /// This API and its claimed semantics are part of the Strict Provenance experiment,
607 /// see the [module documentation][crate::ptr] for details.
610 #[rustc_const_stable(feature = "stable_things_using_strict_provenance", since = "1.61.0")]
611 #[unstable(feature = "strict_provenance", issue = "95228")]
612 pub const fn invalid_mut
<T
>(addr
: usize) -> *mut T
{
613 // FIXME(strict_provenance_magic): I am magic and should be a compiler intrinsic.
614 // We use transmute rather than a cast so tools like Miri can tell that this
615 // is *not* the same as from_exposed_addr.
616 // SAFETY: every valid integer is also a valid pointer (as long as you don't dereference that
618 unsafe { mem::transmute(addr) }
621 /// Convert an address back to a pointer, picking up a previously 'exposed' provenance.
623 /// This is equivalent to `addr as *const T`. The provenance of the returned pointer is that of *any*
624 /// pointer that was previously passed to [`expose_addr`][pointer::expose_addr] or a `ptr as usize`
625 /// cast. If there is no previously 'exposed' provenance that justifies the way this pointer will be
626 /// used, the program has undefined behavior. Note that there is no algorithm that decides which
627 /// provenance will be used. You can think of this as "guessing" the right provenance, and the guess
628 /// will be "maximally in your favor", in the sense that if there is any way to avoid undefined
629 /// behavior, then that is the guess that will be taken.
631 /// On platforms with multiple address spaces, it is your responsibility to ensure that the
632 /// address makes sense in the address space that this pointer will be used with.
634 /// Using this method means that code is *not* following strict provenance rules. "Guessing" a
635 /// suitable provenance complicates specification and reasoning and may not be supported by
636 /// tools that help you to stay conformant with the Rust memory model, so it is recommended to
637 /// use [`with_addr`][pointer::with_addr] wherever possible.
639 /// On most platforms this will produce a value with the same bytes as the address. Platforms
640 /// which need to store additional information in a pointer may not support this operation,
641 /// since it is generally not possible to actually *compute* which provenance the returned
642 /// pointer has to pick up.
644 /// This API and its claimed semantics are part of the Strict Provenance experiment, see the
645 /// [module documentation][crate::ptr] for details.
648 #[unstable(feature = "strict_provenance", issue = "95228")]
649 pub fn from_exposed_addr
<T
>(addr
: usize) -> *const T
653 // FIXME(strict_provenance_magic): I am magic and should be a compiler intrinsic.
657 /// Convert an address back to a mutable pointer, picking up a previously 'exposed' provenance.
659 /// This is equivalent to `addr as *mut T`. The provenance of the returned pointer is that of *any*
660 /// pointer that was previously passed to [`expose_addr`][pointer::expose_addr] or a `ptr as usize`
661 /// cast. If there is no previously 'exposed' provenance that justifies the way this pointer will be
662 /// used, the program has undefined behavior. Note that there is no algorithm that decides which
663 /// provenance will be used. You can think of this as "guessing" the right provenance, and the guess
664 /// will be "maximally in your favor", in the sense that if there is any way to avoid undefined
665 /// behavior, then that is the guess that will be taken.
667 /// On platforms with multiple address spaces, it is your responsibility to ensure that the
668 /// address makes sense in the address space that this pointer will be used with.
670 /// Using this method means that code is *not* following strict provenance rules. "Guessing" a
671 /// suitable provenance complicates specification and reasoning and may not be supported by
672 /// tools that help you to stay conformant with the Rust memory model, so it is recommended to
673 /// use [`with_addr`][pointer::with_addr] wherever possible.
675 /// On most platforms this will produce a value with the same bytes as the address. Platforms
676 /// which need to store additional information in a pointer may not support this operation,
677 /// since it is generally not possible to actually *compute* which provenance the returned
678 /// pointer has to pick up.
680 /// This API and its claimed semantics are part of the Strict Provenance experiment, see the
681 /// [module documentation][crate::ptr] for details.
684 #[unstable(feature = "strict_provenance", issue = "95228")]
685 pub fn from_exposed_addr_mut
<T
>(addr
: usize) -> *mut T
689 // FIXME(strict_provenance_magic): I am magic and should be a compiler intrinsic.
693 /// Creates a null mutable raw pointer.
700 /// let p: *mut i32 = ptr::null_mut();
701 /// assert!(p.is_null());
705 #[stable(feature = "rust1", since = "1.0.0")]
707 #[rustc_const_stable(feature = "const_ptr_null", since = "1.24.0")]
708 #[rustc_allow_const_fn_unstable(ptr_metadata)]
709 #[rustc_diagnostic_item = "ptr_null_mut"]
710 #[cfg(not(bootstrap))]
711 pub const fn null_mut
<T
: ?Sized
+ Thin
>() -> *mut T
{
712 from_raw_parts_mut(invalid_mut(0), ())
715 /// Forms a raw slice from a pointer and a length.
717 /// The `len` argument is the number of **elements**, not the number of bytes.
719 /// This function is safe, but actually using the return value is unsafe.
720 /// See the documentation of [`slice::from_raw_parts`] for slice safety requirements.
722 /// [`slice::from_raw_parts`]: crate::slice::from_raw_parts
729 /// // create a slice pointer when starting out with a pointer to the first element
730 /// let x = [5, 6, 7];
731 /// let raw_pointer = x.as_ptr();
732 /// let slice = ptr::slice_from_raw_parts(raw_pointer, 3);
733 /// assert_eq!(unsafe { &*slice }[2], 7);
736 #[stable(feature = "slice_from_raw_parts", since = "1.42.0")]
737 #[rustc_const_unstable(feature = "const_slice_from_raw_parts", issue = "67456")]
738 pub const fn slice_from_raw_parts
<T
>(data
: *const T
, len
: usize) -> *const [T
] {
739 from_raw_parts(data
.cast(), len
)
742 /// Performs the same functionality as [`slice_from_raw_parts`], except that a
743 /// raw mutable slice is returned, as opposed to a raw immutable slice.
745 /// See the documentation of [`slice_from_raw_parts`] for more details.
747 /// This function is safe, but actually using the return value is unsafe.
748 /// See the documentation of [`slice::from_raw_parts_mut`] for slice safety requirements.
750 /// [`slice::from_raw_parts_mut`]: crate::slice::from_raw_parts_mut
757 /// let x = &mut [5, 6, 7];
758 /// let raw_pointer = x.as_mut_ptr();
759 /// let slice = ptr::slice_from_raw_parts_mut(raw_pointer, 3);
762 /// (*slice)[2] = 99; // assign a value at an index in the slice
765 /// assert_eq!(unsafe { &*slice }[2], 99);
768 #[stable(feature = "slice_from_raw_parts", since = "1.42.0")]
769 #[rustc_const_unstable(feature = "const_slice_from_raw_parts", issue = "67456")]
770 pub const fn slice_from_raw_parts_mut
<T
>(data
: *mut T
, len
: usize) -> *mut [T
] {
771 from_raw_parts_mut(data
.cast(), len
)
774 /// Swaps the values at two mutable locations of the same type, without
775 /// deinitializing either.
777 /// But for the following two exceptions, this function is semantically
778 /// equivalent to [`mem::swap`]:
780 /// * It operates on raw pointers instead of references. When references are
781 /// available, [`mem::swap`] should be preferred.
783 /// * The two pointed-to values may overlap. If the values do overlap, then the
784 /// overlapping region of memory from `x` will be used. This is demonstrated
785 /// in the second example below.
789 /// Behavior is undefined if any of the following conditions are violated:
791 /// * Both `x` and `y` must be [valid] for both reads and writes.
793 /// * Both `x` and `y` must be properly aligned.
795 /// Note that even if `T` has size `0`, the pointers must be non-null and properly aligned.
797 /// [valid]: self#safety
801 /// Swapping two non-overlapping regions:
806 /// let mut array = [0, 1, 2, 3];
808 /// let (x, y) = array.split_at_mut(2);
809 /// let x = x.as_mut_ptr().cast::<[u32; 2]>(); // this is `array[0..2]`
810 /// let y = y.as_mut_ptr().cast::<[u32; 2]>(); // this is `array[2..4]`
814 /// assert_eq!([2, 3, 0, 1], array);
818 /// Swapping two overlapping regions:
823 /// let mut array: [i32; 4] = [0, 1, 2, 3];
825 /// let array_ptr: *mut i32 = array.as_mut_ptr();
827 /// let x = array_ptr as *mut [i32; 3]; // this is `array[0..3]`
828 /// let y = unsafe { array_ptr.add(1) } as *mut [i32; 3]; // this is `array[1..4]`
832 /// // The indices `1..3` of the slice overlap between `x` and `y`.
833 /// // Reasonable results would be for to them be `[2, 3]`, so that indices `0..3` are
834 /// // `[1, 2, 3]` (matching `y` before the `swap`); or for them to be `[0, 1]`
835 /// // so that indices `1..4` are `[0, 1, 2]` (matching `x` before the `swap`).
836 /// // This implementation is defined to make the latter choice.
837 /// assert_eq!([1, 0, 1, 2], array);
841 #[stable(feature = "rust1", since = "1.0.0")]
842 #[rustc_const_unstable(feature = "const_swap", issue = "83163")]
843 pub const unsafe fn swap
<T
>(x
: *mut T
, y
: *mut T
) {
844 // Give ourselves some scratch space to work with.
845 // We do not have to worry about drops: `MaybeUninit` does nothing when dropped.
846 let mut tmp
= MaybeUninit
::<T
>::uninit();
849 // SAFETY: the caller must guarantee that `x` and `y` are
850 // valid for writes and properly aligned. `tmp` cannot be
851 // overlapping either `x` or `y` because `tmp` was just allocated
852 // on the stack as a separate allocated object.
854 copy_nonoverlapping(x
, tmp
.as_mut_ptr(), 1);
855 copy(y
, x
, 1); // `x` and `y` may overlap
856 copy_nonoverlapping(tmp
.as_ptr(), y
, 1);
860 /// Swaps `count * size_of::<T>()` bytes between the two regions of memory
861 /// beginning at `x` and `y`. The two regions must *not* overlap.
865 /// Behavior is undefined if any of the following conditions are violated:
867 /// * Both `x` and `y` must be [valid] for both reads and writes of `count *
868 /// size_of::<T>()` bytes.
870 /// * Both `x` and `y` must be properly aligned.
872 /// * The region of memory beginning at `x` with a size of `count *
873 /// size_of::<T>()` bytes must *not* overlap with the region of memory
874 /// beginning at `y` with the same size.
876 /// Note that even if the effectively copied size (`count * size_of::<T>()`) is `0`,
877 /// the pointers must be non-null and properly aligned.
879 /// [valid]: self#safety
888 /// let mut x = [1, 2, 3, 4];
889 /// let mut y = [7, 8, 9];
892 /// ptr::swap_nonoverlapping(x.as_mut_ptr(), y.as_mut_ptr(), 2);
895 /// assert_eq!(x, [7, 8, 3, 4]);
896 /// assert_eq!(y, [1, 2, 9]);
899 #[stable(feature = "swap_nonoverlapping", since = "1.27.0")]
900 #[rustc_const_unstable(feature = "const_swap", issue = "83163")]
901 pub const unsafe fn swap_nonoverlapping
<T
>(x
: *mut T
, y
: *mut T
, count
: usize) {
903 macro_rules
! attempt_swap_as_chunks
{
905 if mem
::align_of
::<T
>() >= mem
::align_of
::<$ChunkTy
>()
906 && mem
::size_of
::<T
>() % mem
::size_of
::<$ChunkTy
>() == 0
908 let x
: *mut MaybeUninit
<$ChunkTy
> = x
.cast();
909 let y
: *mut MaybeUninit
<$ChunkTy
> = y
.cast();
910 let count
= count
* (mem
::size_of
::<T
>() / mem
::size_of
::<$ChunkTy
>());
911 // SAFETY: these are the same bytes that the caller promised were
912 // ok, just typed as `MaybeUninit<ChunkTy>`s instead of as `T`s.
913 // The `if` condition above ensures that we're not violating
914 // alignment requirements, and that the division is exact so
915 // that we don't lose any bytes off the end.
916 return unsafe { swap_nonoverlapping_simple(x, y, count) }
;
921 // SAFETY: the caller must guarantee that `x` and `y` are
922 // valid for writes and properly aligned.
924 assert_unsafe_precondition
!(
925 is_aligned_and_not_null(x
)
926 && is_aligned_and_not_null(y
)
927 && is_nonoverlapping(x
, y
, count
)
931 // NOTE(scottmcm) Miri is disabled here as reading in smaller units is a
932 // pessimization for it. Also, if the type contains any unaligned pointers,
933 // copying those over multiple reads is difficult to support.
936 // Split up the slice into small power-of-two-sized chunks that LLVM is able
937 // to vectorize (unless it's a special type with more-than-pointer alignment,
938 // because we don't want to pessimize things like slices of SIMD vectors.)
939 if mem
::align_of
::<T
>() <= mem
::size_of
::<usize>()
940 && (!mem
::size_of
::<T
>().is_power_of_two()
941 || mem
::size_of
::<T
>() > mem
::size_of
::<usize>() * 2)
943 attempt_swap_as_chunks
!(usize);
944 attempt_swap_as_chunks
!(u8);
948 // SAFETY: Same preconditions as this function
949 unsafe { swap_nonoverlapping_simple(x, y, count) }
952 /// Same behaviour and safety conditions as [`swap_nonoverlapping`]
954 /// LLVM can vectorize this (at least it can for the power-of-two-sized types
955 /// `swap_nonoverlapping` tries to use) so no need to manually SIMD it.
957 #[rustc_const_unstable(feature = "const_swap", issue = "83163")]
958 const unsafe fn swap_nonoverlapping_simple
<T
>(x
: *mut T
, y
: *mut T
, count
: usize) {
962 // SAFETY: By precondition, `i` is in-bounds because it's below `n`
963 unsafe { &mut *x.add(i) }
;
965 // SAFETY: By precondition, `i` is in-bounds because it's below `n`
966 // and it's distinct from `x` since the ranges are non-overlapping
967 unsafe { &mut *y.add(i) }
;
968 mem
::swap_simple(x
, y
);
974 /// Moves `src` into the pointed `dst`, returning the previous `dst` value.
976 /// Neither value is dropped.
978 /// This function is semantically equivalent to [`mem::replace`] except that it
979 /// operates on raw pointers instead of references. When references are
980 /// available, [`mem::replace`] should be preferred.
984 /// Behavior is undefined if any of the following conditions are violated:
986 /// * `dst` must be [valid] for both reads and writes.
988 /// * `dst` must be properly aligned.
990 /// * `dst` must point to a properly initialized value of type `T`.
992 /// Note that even if `T` has size `0`, the pointer must be non-null and properly aligned.
994 /// [valid]: self#safety
1001 /// let mut rust = vec!['b', 'u', 's', 't'];
1003 /// // `mem::replace` would have the same effect without requiring the unsafe
1005 /// let b = unsafe {
1006 /// ptr::replace(&mut rust[0], 'r')
1009 /// assert_eq!(b, 'b');
1010 /// assert_eq!(rust, &['r', 'u', 's', 't']);
1013 #[stable(feature = "rust1", since = "1.0.0")]
1014 #[rustc_const_unstable(feature = "const_replace", issue = "83164")]
1015 pub const unsafe fn replace
<T
>(dst
: *mut T
, mut src
: T
) -> T
{
1016 // SAFETY: the caller must guarantee that `dst` is valid to be
1017 // cast to a mutable reference (valid for writes, aligned, initialized),
1018 // and cannot overlap `src` since `dst` must point to a distinct
1019 // allocated object.
1021 assert_unsafe_precondition
!(is_aligned_and_not_null(dst
));
1022 mem
::swap(&mut *dst
, &mut src
); // cannot overlap
1027 /// Reads the value from `src` without moving it. This leaves the
1028 /// memory in `src` unchanged.
1032 /// Behavior is undefined if any of the following conditions are violated:
1034 /// * `src` must be [valid] for reads.
1036 /// * `src` must be properly aligned. Use [`read_unaligned`] if this is not the
1039 /// * `src` must point to a properly initialized value of type `T`.
1041 /// Note that even if `T` has size `0`, the pointer must be non-null and properly aligned.
1049 /// let y = &x as *const i32;
1052 /// assert_eq!(std::ptr::read(y), 12);
1056 /// Manually implement [`mem::swap`]:
1061 /// fn swap<T>(a: &mut T, b: &mut T) {
1063 /// // Create a bitwise copy of the value at `a` in `tmp`.
1064 /// let tmp = ptr::read(a);
1066 /// // Exiting at this point (either by explicitly returning or by
1067 /// // calling a function which panics) would cause the value in `tmp` to
1068 /// // be dropped while the same value is still referenced by `a`. This
1069 /// // could trigger undefined behavior if `T` is not `Copy`.
1071 /// // Create a bitwise copy of the value at `b` in `a`.
1072 /// // This is safe because mutable references cannot alias.
1073 /// ptr::copy_nonoverlapping(b, a, 1);
1075 /// // As above, exiting here could trigger undefined behavior because
1076 /// // the same value is referenced by `a` and `b`.
1078 /// // Move `tmp` into `b`.
1079 /// ptr::write(b, tmp);
1081 /// // `tmp` has been moved (`write` takes ownership of its second argument),
1082 /// // so nothing is dropped implicitly here.
1086 /// let mut foo = "foo".to_owned();
1087 /// let mut bar = "bar".to_owned();
1089 /// swap(&mut foo, &mut bar);
1091 /// assert_eq!(foo, "bar");
1092 /// assert_eq!(bar, "foo");
1095 /// ## Ownership of the Returned Value
1097 /// `read` creates a bitwise copy of `T`, regardless of whether `T` is [`Copy`].
1098 /// If `T` is not [`Copy`], using both the returned value and the value at
1099 /// `*src` can violate memory safety. Note that assigning to `*src` counts as a
1100 /// use because it will attempt to drop the value at `*src`.
1102 /// [`write()`] can be used to overwrite data without causing it to be dropped.
1107 /// let mut s = String::from("foo");
1109 /// // `s2` now points to the same underlying memory as `s`.
1110 /// let mut s2: String = ptr::read(&s);
1112 /// assert_eq!(s2, "foo");
1114 /// // Assigning to `s2` causes its original value to be dropped. Beyond
1115 /// // this point, `s` must no longer be used, as the underlying memory has
1117 /// s2 = String::default();
1118 /// assert_eq!(s2, "");
1120 /// // Assigning to `s` would cause the old value to be dropped again,
1121 /// // resulting in undefined behavior.
1122 /// // s = String::from("bar"); // ERROR
1124 /// // `ptr::write` can be used to overwrite a value without dropping it.
1125 /// ptr::write(&mut s, String::from("bar"));
1128 /// assert_eq!(s, "bar");
1131 /// [valid]: self#safety
1133 #[stable(feature = "rust1", since = "1.0.0")]
1134 #[rustc_const_unstable(feature = "const_ptr_read", issue = "80377")]
1135 pub const unsafe fn read
<T
>(src
: *const T
) -> T
{
1136 // We are calling the intrinsics directly to avoid function calls in the generated code
1137 // as `intrinsics::copy_nonoverlapping` is a wrapper function.
1138 extern "rust-intrinsic" {
1139 #[rustc_const_stable(feature = "const_intrinsic_copy", since = "1.63.0")]
1140 fn copy_nonoverlapping
<T
>(src
: *const T
, dst
: *mut T
, count
: usize);
1143 let mut tmp
= MaybeUninit
::<T
>::uninit();
1144 // SAFETY: the caller must guarantee that `src` is valid for reads.
1145 // `src` cannot overlap `tmp` because `tmp` was just allocated on
1146 // the stack as a separate allocated object.
1148 // Also, since we just wrote a valid value into `tmp`, it is guaranteed
1149 // to be properly initialized.
1151 copy_nonoverlapping(src
, tmp
.as_mut_ptr(), 1);
1156 /// Reads the value from `src` without moving it. This leaves the
1157 /// memory in `src` unchanged.
1159 /// Unlike [`read`], `read_unaligned` works with unaligned pointers.
1163 /// Behavior is undefined if any of the following conditions are violated:
1165 /// * `src` must be [valid] for reads.
1167 /// * `src` must point to a properly initialized value of type `T`.
1169 /// Like [`read`], `read_unaligned` creates a bitwise copy of `T`, regardless of
1170 /// whether `T` is [`Copy`]. If `T` is not [`Copy`], using both the returned
1171 /// value and the value at `*src` can [violate memory safety][read-ownership].
1173 /// Note that even if `T` has size `0`, the pointer must be non-null.
1175 /// [read-ownership]: read#ownership-of-the-returned-value
1176 /// [valid]: self#safety
1178 /// ## On `packed` structs
1180 /// Attempting to create a raw pointer to an `unaligned` struct field with
1181 /// an expression such as `&packed.unaligned as *const FieldType` creates an
1182 /// intermediate unaligned reference before converting that to a raw pointer.
1183 /// That this reference is temporary and immediately cast is inconsequential
1184 /// as the compiler always expects references to be properly aligned.
1185 /// As a result, using `&packed.unaligned as *const FieldType` causes immediate
1186 /// *undefined behavior* in your program.
1188 /// Instead you must use the [`ptr::addr_of!`](addr_of) macro to
1189 /// create the pointer. You may use that returned pointer together with this
1192 /// An example of what not to do and how this relates to `read_unaligned` is:
1195 /// #[repr(packed, C)]
1201 /// let packed = Packed {
1203 /// unaligned: 0x01020304,
1206 /// // Take the address of a 32-bit integer which is not aligned.
1207 /// // In contrast to `&packed.unaligned as *const _`, this has no undefined behavior.
1208 /// let unaligned = std::ptr::addr_of!(packed.unaligned);
1210 /// let v = unsafe { std::ptr::read_unaligned(unaligned) };
1211 /// assert_eq!(v, 0x01020304);
1214 /// Accessing unaligned fields directly with e.g. `packed.unaligned` is safe however.
1218 /// Read a usize value from a byte buffer:
1223 /// fn read_usize(x: &[u8]) -> usize {
1224 /// assert!(x.len() >= mem::size_of::<usize>());
1226 /// let ptr = x.as_ptr() as *const usize;
1228 /// unsafe { ptr.read_unaligned() }
1232 #[stable(feature = "ptr_unaligned", since = "1.17.0")]
1233 #[rustc_const_unstable(feature = "const_ptr_read", issue = "80377")]
1234 pub const unsafe fn read_unaligned
<T
>(src
: *const T
) -> T
{
1235 let mut tmp
= MaybeUninit
::<T
>::uninit();
1236 // SAFETY: the caller must guarantee that `src` is valid for reads.
1237 // `src` cannot overlap `tmp` because `tmp` was just allocated on
1238 // the stack as a separate allocated object.
1240 // Also, since we just wrote a valid value into `tmp`, it is guaranteed
1241 // to be properly initialized.
1243 copy_nonoverlapping(src
as *const u8, tmp
.as_mut_ptr() as *mut u8, mem
::size_of
::<T
>());
1248 /// Overwrites a memory location with the given value without reading or
1249 /// dropping the old value.
1251 /// `write` does not drop the contents of `dst`. This is safe, but it could leak
1252 /// allocations or resources, so care should be taken not to overwrite an object
1253 /// that should be dropped.
1255 /// Additionally, it does not drop `src`. Semantically, `src` is moved into the
1256 /// location pointed to by `dst`.
1258 /// This is appropriate for initializing uninitialized memory, or overwriting
1259 /// memory that has previously been [`read`] from.
1263 /// Behavior is undefined if any of the following conditions are violated:
1265 /// * `dst` must be [valid] for writes.
1267 /// * `dst` must be properly aligned. Use [`write_unaligned`] if this is not the
1270 /// Note that even if `T` has size `0`, the pointer must be non-null and properly aligned.
1272 /// [valid]: self#safety
1280 /// let y = &mut x as *mut i32;
1284 /// std::ptr::write(y, z);
1285 /// assert_eq!(std::ptr::read(y), 12);
1289 /// Manually implement [`mem::swap`]:
1294 /// fn swap<T>(a: &mut T, b: &mut T) {
1296 /// // Create a bitwise copy of the value at `a` in `tmp`.
1297 /// let tmp = ptr::read(a);
1299 /// // Exiting at this point (either by explicitly returning or by
1300 /// // calling a function which panics) would cause the value in `tmp` to
1301 /// // be dropped while the same value is still referenced by `a`. This
1302 /// // could trigger undefined behavior if `T` is not `Copy`.
1304 /// // Create a bitwise copy of the value at `b` in `a`.
1305 /// // This is safe because mutable references cannot alias.
1306 /// ptr::copy_nonoverlapping(b, a, 1);
1308 /// // As above, exiting here could trigger undefined behavior because
1309 /// // the same value is referenced by `a` and `b`.
1311 /// // Move `tmp` into `b`.
1312 /// ptr::write(b, tmp);
1314 /// // `tmp` has been moved (`write` takes ownership of its second argument),
1315 /// // so nothing is dropped implicitly here.
1319 /// let mut foo = "foo".to_owned();
1320 /// let mut bar = "bar".to_owned();
1322 /// swap(&mut foo, &mut bar);
1324 /// assert_eq!(foo, "bar");
1325 /// assert_eq!(bar, "foo");
1328 #[stable(feature = "rust1", since = "1.0.0")]
1329 #[rustc_const_unstable(feature = "const_ptr_write", issue = "86302")]
1330 pub const unsafe fn write
<T
>(dst
: *mut T
, src
: T
) {
1331 // We are calling the intrinsics directly to avoid function calls in the generated code
1332 // as `intrinsics::copy_nonoverlapping` is a wrapper function.
1333 extern "rust-intrinsic" {
1334 #[rustc_const_stable(feature = "const_intrinsic_copy", since = "1.63.0")]
1335 fn copy_nonoverlapping
<T
>(src
: *const T
, dst
: *mut T
, count
: usize);
1338 // SAFETY: the caller must guarantee that `dst` is valid for writes.
1339 // `dst` cannot overlap `src` because the caller has mutable access
1340 // to `dst` while `src` is owned by this function.
1342 copy_nonoverlapping(&src
as *const T
, dst
, 1);
1343 intrinsics
::forget(src
);
1347 /// Overwrites a memory location with the given value without reading or
1348 /// dropping the old value.
1350 /// Unlike [`write()`], the pointer may be unaligned.
1352 /// `write_unaligned` does not drop the contents of `dst`. This is safe, but it
1353 /// could leak allocations or resources, so care should be taken not to overwrite
1354 /// an object that should be dropped.
1356 /// Additionally, it does not drop `src`. Semantically, `src` is moved into the
1357 /// location pointed to by `dst`.
1359 /// This is appropriate for initializing uninitialized memory, or overwriting
1360 /// memory that has previously been read with [`read_unaligned`].
1364 /// Behavior is undefined if any of the following conditions are violated:
1366 /// * `dst` must be [valid] for writes.
1368 /// Note that even if `T` has size `0`, the pointer must be non-null.
1370 /// [valid]: self#safety
1372 /// ## On `packed` structs
1374 /// Attempting to create a raw pointer to an `unaligned` struct field with
1375 /// an expression such as `&packed.unaligned as *const FieldType` creates an
1376 /// intermediate unaligned reference before converting that to a raw pointer.
1377 /// That this reference is temporary and immediately cast is inconsequential
1378 /// as the compiler always expects references to be properly aligned.
1379 /// As a result, using `&packed.unaligned as *const FieldType` causes immediate
1380 /// *undefined behavior* in your program.
1382 /// Instead you must use the [`ptr::addr_of_mut!`](addr_of_mut)
1383 /// macro to create the pointer. You may use that returned pointer together with
1386 /// An example of how to do it and how this relates to `write_unaligned` is:
1389 /// #[repr(packed, C)]
1395 /// let mut packed: Packed = unsafe { std::mem::zeroed() };
1397 /// // Take the address of a 32-bit integer which is not aligned.
1398 /// // In contrast to `&packed.unaligned as *mut _`, this has no undefined behavior.
1399 /// let unaligned = std::ptr::addr_of_mut!(packed.unaligned);
1401 /// unsafe { std::ptr::write_unaligned(unaligned, 42) };
1403 /// assert_eq!({packed.unaligned}, 42); // `{...}` forces copying the field instead of creating a reference.
1406 /// Accessing unaligned fields directly with e.g. `packed.unaligned` is safe however
1407 /// (as can be seen in the `assert_eq!` above).
1411 /// Write a usize value to a byte buffer:
1416 /// fn write_usize(x: &mut [u8], val: usize) {
1417 /// assert!(x.len() >= mem::size_of::<usize>());
1419 /// let ptr = x.as_mut_ptr() as *mut usize;
1421 /// unsafe { ptr.write_unaligned(val) }
1425 #[stable(feature = "ptr_unaligned", since = "1.17.0")]
1426 #[rustc_const_unstable(feature = "const_ptr_write", issue = "86302")]
1427 pub const unsafe fn write_unaligned
<T
>(dst
: *mut T
, src
: T
) {
1428 // SAFETY: the caller must guarantee that `dst` is valid for writes.
1429 // `dst` cannot overlap `src` because the caller has mutable access
1430 // to `dst` while `src` is owned by this function.
1432 copy_nonoverlapping(&src
as *const T
as *const u8, dst
as *mut u8, mem
::size_of
::<T
>());
1433 // We are calling the intrinsic directly to avoid function calls in the generated code.
1434 intrinsics
::forget(src
);
1438 /// Performs a volatile read of the value from `src` without moving it. This
1439 /// leaves the memory in `src` unchanged.
1441 /// Volatile operations are intended to act on I/O memory, and are guaranteed
1442 /// to not be elided or reordered by the compiler across other volatile
1447 /// Rust does not currently have a rigorously and formally defined memory model,
1448 /// so the precise semantics of what "volatile" means here is subject to change
1449 /// over time. That being said, the semantics will almost always end up pretty
1450 /// similar to [C11's definition of volatile][c11].
1452 /// The compiler shouldn't change the relative order or number of volatile
1453 /// memory operations. However, volatile memory operations on zero-sized types
1454 /// (e.g., if a zero-sized type is passed to `read_volatile`) are noops
1455 /// and may be ignored.
1457 /// [c11]: http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1570.pdf
1461 /// Behavior is undefined if any of the following conditions are violated:
1463 /// * `src` must be [valid] for reads.
1465 /// * `src` must be properly aligned.
1467 /// * `src` must point to a properly initialized value of type `T`.
1469 /// Like [`read`], `read_volatile` creates a bitwise copy of `T`, regardless of
1470 /// whether `T` is [`Copy`]. If `T` is not [`Copy`], using both the returned
1471 /// value and the value at `*src` can [violate memory safety][read-ownership].
1472 /// However, storing non-[`Copy`] types in volatile memory is almost certainly
1475 /// Note that even if `T` has size `0`, the pointer must be non-null and properly aligned.
1477 /// [valid]: self#safety
1478 /// [read-ownership]: read#ownership-of-the-returned-value
1480 /// Just like in C, whether an operation is volatile has no bearing whatsoever
1481 /// on questions involving concurrent access from multiple threads. Volatile
1482 /// accesses behave exactly like non-atomic accesses in that regard. In particular,
1483 /// a race between a `read_volatile` and any write operation to the same location
1484 /// is undefined behavior.
1492 /// let y = &x as *const i32;
1495 /// assert_eq!(std::ptr::read_volatile(y), 12);
1499 #[stable(feature = "volatile", since = "1.9.0")]
1500 pub unsafe fn read_volatile
<T
>(src
: *const T
) -> T
{
1501 // SAFETY: the caller must uphold the safety contract for `volatile_load`.
1503 assert_unsafe_precondition
!(is_aligned_and_not_null(src
));
1504 intrinsics
::volatile_load(src
)
1508 /// Performs a volatile write of a memory location with the given value without
1509 /// reading or dropping the old value.
1511 /// Volatile operations are intended to act on I/O memory, and are guaranteed
1512 /// to not be elided or reordered by the compiler across other volatile
1515 /// `write_volatile` does not drop the contents of `dst`. This is safe, but it
1516 /// could leak allocations or resources, so care should be taken not to overwrite
1517 /// an object that should be dropped.
1519 /// Additionally, it does not drop `src`. Semantically, `src` is moved into the
1520 /// location pointed to by `dst`.
1524 /// Rust does not currently have a rigorously and formally defined memory model,
1525 /// so the precise semantics of what "volatile" means here is subject to change
1526 /// over time. That being said, the semantics will almost always end up pretty
1527 /// similar to [C11's definition of volatile][c11].
1529 /// The compiler shouldn't change the relative order or number of volatile
1530 /// memory operations. However, volatile memory operations on zero-sized types
1531 /// (e.g., if a zero-sized type is passed to `write_volatile`) are noops
1532 /// and may be ignored.
1534 /// [c11]: http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1570.pdf
1538 /// Behavior is undefined if any of the following conditions are violated:
1540 /// * `dst` must be [valid] for writes.
1542 /// * `dst` must be properly aligned.
1544 /// Note that even if `T` has size `0`, the pointer must be non-null and properly aligned.
1546 /// [valid]: self#safety
1548 /// Just like in C, whether an operation is volatile has no bearing whatsoever
1549 /// on questions involving concurrent access from multiple threads. Volatile
1550 /// accesses behave exactly like non-atomic accesses in that regard. In particular,
1551 /// a race between a `write_volatile` and any other operation (reading or writing)
1552 /// on the same location is undefined behavior.
1560 /// let y = &mut x as *mut i32;
1564 /// std::ptr::write_volatile(y, z);
1565 /// assert_eq!(std::ptr::read_volatile(y), 12);
1569 #[stable(feature = "volatile", since = "1.9.0")]
1570 pub unsafe fn write_volatile
<T
>(dst
: *mut T
, src
: T
) {
1571 // SAFETY: the caller must uphold the safety contract for `volatile_store`.
1573 assert_unsafe_precondition
!(is_aligned_and_not_null(dst
));
1574 intrinsics
::volatile_store(dst
, src
);
1578 /// Align pointer `p`.
1580 /// Calculate offset (in terms of elements of `stride` stride) that has to be applied
1581 /// to pointer `p` so that pointer `p` would get aligned to `a`.
1583 /// Note: This implementation has been carefully tailored to not panic. It is UB for this to panic.
1584 /// The only real change that can be made here is change of `INV_TABLE_MOD_16` and associated
1587 /// If we ever decide to make it possible to call the intrinsic with `a` that is not a
1588 /// power-of-two, it will probably be more prudent to just change to a naive implementation rather
1589 /// than trying to adapt this to accommodate that change.
1591 /// Any questions go to @nagisa.
1592 #[lang = "align_offset"]
1593 pub(crate) unsafe fn align_offset
<T
: Sized
>(p
: *const T
, a
: usize) -> usize {
1594 // FIXME(#75598): Direct use of these intrinsics improves codegen significantly at opt-level <=
1595 // 1, where the method versions of these operations are not inlined.
1597 unchecked_shl
, unchecked_shr
, unchecked_sub
, wrapping_add
, wrapping_mul
, wrapping_sub
,
1600 let addr
= p
.addr();
1602 /// Calculate multiplicative modular inverse of `x` modulo `m`.
1604 /// This implementation is tailored for `align_offset` and has following preconditions:
1606 /// * `m` is a power-of-two;
1607 /// * `x < m`; (if `x ≥ m`, pass in `x % m` instead)
1609 /// Implementation of this function shall not panic. Ever.
1611 unsafe fn mod_inv(x
: usize, m
: usize) -> usize {
1612 /// Multiplicative modular inverse table modulo 2⁴ = 16.
1614 /// Note, that this table does not contain values where inverse does not exist (i.e., for
1615 /// `0⁻¹ mod 16`, `2⁻¹ mod 16`, etc.)
1616 const INV_TABLE_MOD_16
: [u8; 8] = [1, 11, 13, 7, 9, 3, 5, 15];
1617 /// Modulo for which the `INV_TABLE_MOD_16` is intended.
1618 const INV_TABLE_MOD
: usize = 16;
1620 const INV_TABLE_MOD_SQUARED
: usize = INV_TABLE_MOD
* INV_TABLE_MOD
;
1622 let table_inverse
= INV_TABLE_MOD_16
[(x
& (INV_TABLE_MOD
- 1)) >> 1] as usize;
1623 // SAFETY: `m` is required to be a power-of-two, hence non-zero.
1624 let m_minus_one
= unsafe { unchecked_sub(m, 1) }
;
1625 if m
<= INV_TABLE_MOD
{
1626 table_inverse
& m_minus_one
1628 // We iterate "up" using the following formula:
1630 // $$ xy ≡ 1 (mod 2ⁿ) → xy (2 - xy) ≡ 1 (mod 2²ⁿ) $$
1632 // until 2²ⁿ ≥ m. Then we can reduce to our desired `m` by taking the result `mod m`.
1633 let mut inverse
= table_inverse
;
1634 let mut going_mod
= INV_TABLE_MOD_SQUARED
;
1636 // y = y * (2 - xy) mod n
1638 // Note, that we use wrapping operations here intentionally – the original formula
1639 // uses e.g., subtraction `mod n`. It is entirely fine to do them `mod
1640 // usize::MAX` instead, because we take the result `mod n` at the end
1642 inverse
= wrapping_mul(inverse
, wrapping_sub(2usize
, wrapping_mul(x
, inverse
)));
1644 return inverse
& m_minus_one
;
1646 going_mod
= wrapping_mul(going_mod
, going_mod
);
1651 let stride
= mem
::size_of
::<T
>();
1652 // SAFETY: `a` is a power-of-two, therefore non-zero.
1653 let a_minus_one
= unsafe { unchecked_sub(a, 1) }
;
1655 // `stride == 1` case can be computed more simply through `-p (mod a)`, but doing so
1656 // inhibits LLVM's ability to select instructions like `lea`. Instead we compute
1658 // round_up_to_next_alignment(p, a) - p
1660 // which distributes operations around the load-bearing, but pessimizing `and` sufficiently
1661 // for LLVM to be able to utilize the various optimizations it knows about.
1662 return wrapping_sub(wrapping_add(addr
, a_minus_one
) & wrapping_sub(0, a
), addr
);
1665 let pmoda
= addr
& a_minus_one
;
1667 // Already aligned. Yay!
1669 } else if stride
== 0 {
1670 // If the pointer is not aligned, and the element is zero-sized, then no amount of
1671 // elements will ever align the pointer.
1675 let smoda
= stride
& a_minus_one
;
1676 // SAFETY: a is power-of-two hence non-zero. stride == 0 case is handled above.
1677 let gcdpow
= unsafe { intrinsics::cttz_nonzero(stride).min(intrinsics::cttz_nonzero(a)) }
;
1678 // SAFETY: gcdpow has an upper-bound that’s at most the number of bits in a usize.
1679 let gcd
= unsafe { unchecked_shl(1usize, gcdpow) }
;
1681 // SAFETY: gcd is always greater or equal to 1.
1682 if addr
& unsafe { unchecked_sub(gcd, 1) }
== 0 {
1683 // This branch solves for the following linear congruence equation:
1685 // ` p + so = 0 mod a `
1687 // `p` here is the pointer value, `s` - stride of `T`, `o` offset in `T`s, and `a` - the
1688 // requested alignment.
1690 // With `g = gcd(a, s)`, and the above condition asserting that `p` is also divisible by
1691 // `g`, we can denote `a' = a/g`, `s' = s/g`, `p' = p/g`, then this becomes equivalent to:
1693 // ` p' + s'o = 0 mod a' `
1694 // ` o = (a' - (p' mod a')) * (s'^-1 mod a') `
1696 // The first term is "the relative alignment of `p` to `a`" (divided by the `g`), the second
1697 // term is "how does incrementing `p` by `s` bytes change the relative alignment of `p`" (again
1699 // Division by `g` is necessary to make the inverse well formed if `a` and `s` are not
1702 // Furthermore, the result produced by this solution is not "minimal", so it is necessary
1703 // to take the result `o mod lcm(s, a)`. We can replace `lcm(s, a)` with just a `a'`.
1705 // SAFETY: `gcdpow` has an upper-bound not greater than the number of trailing 0-bits in
1707 let a2
= unsafe { unchecked_shr(a, gcdpow) }
;
1708 // SAFETY: `a2` is non-zero. Shifting `a` by `gcdpow` cannot shift out any of the set bits
1709 // in `a` (of which it has exactly one).
1710 let a2minus1
= unsafe { unchecked_sub(a2, 1) }
;
1711 // SAFETY: `gcdpow` has an upper-bound not greater than the number of trailing 0-bits in
1713 let s2
= unsafe { unchecked_shr(smoda, gcdpow) }
;
1714 // SAFETY: `gcdpow` has an upper-bound not greater than the number of trailing 0-bits in
1715 // `a`. Furthermore, the subtraction cannot overflow, because `a2 = a >> gcdpow` will
1716 // always be strictly greater than `(p % a) >> gcdpow`.
1717 let minusp2
= unsafe { unchecked_sub(a2, unchecked_shr(pmoda, gcdpow)) }
;
1718 // SAFETY: `a2` is a power-of-two, as proven above. `s2` is strictly less than `a2`
1719 // because `(s % a) >> gcdpow` is strictly less than `a >> gcdpow`.
1720 return wrapping_mul(minusp2
, unsafe { mod_inv(s2, a2) }
) & a2minus1
;
1723 // Cannot be aligned at all.
1727 /// Compares raw pointers for equality.
1729 /// This is the same as using the `==` operator, but less generic:
1730 /// the arguments have to be `*const T` raw pointers,
1731 /// not anything that implements `PartialEq`.
1733 /// This can be used to compare `&T` references (which coerce to `*const T` implicitly)
1734 /// by their address rather than comparing the values they point to
1735 /// (which is what the `PartialEq for &T` implementation does).
1743 /// let other_five = 5;
1744 /// let five_ref = &five;
1745 /// let same_five_ref = &five;
1746 /// let other_five_ref = &other_five;
1748 /// assert!(five_ref == same_five_ref);
1749 /// assert!(ptr::eq(five_ref, same_five_ref));
1751 /// assert!(five_ref == other_five_ref);
1752 /// assert!(!ptr::eq(five_ref, other_five_ref));
1755 /// Slices are also compared by their length (fat pointers):
1758 /// let a = [1, 2, 3];
1759 /// assert!(std::ptr::eq(&a[..3], &a[..3]));
1760 /// assert!(!std::ptr::eq(&a[..2], &a[..3]));
1761 /// assert!(!std::ptr::eq(&a[0..2], &a[1..3]));
1764 /// Traits are also compared by their implementation:
1767 /// #[repr(transparent)]
1768 /// struct Wrapper { member: i32 }
1771 /// impl Trait for Wrapper {}
1772 /// impl Trait for i32 {}
1774 /// let wrapper = Wrapper { member: 10 };
1776 /// // Pointers have equal addresses.
1777 /// assert!(std::ptr::eq(
1778 /// &wrapper as *const Wrapper as *const u8,
1779 /// &wrapper.member as *const i32 as *const u8
1782 /// // Objects have equal addresses, but `Trait` has different implementations.
1783 /// assert!(!std::ptr::eq(
1784 /// &wrapper as &dyn Trait,
1785 /// &wrapper.member as &dyn Trait,
1787 /// assert!(!std::ptr::eq(
1788 /// &wrapper as &dyn Trait as *const dyn Trait,
1789 /// &wrapper.member as &dyn Trait as *const dyn Trait,
1792 /// // Converting the reference to a `*const u8` compares by address.
1793 /// assert!(std::ptr::eq(
1794 /// &wrapper as &dyn Trait as *const dyn Trait as *const u8,
1795 /// &wrapper.member as &dyn Trait as *const dyn Trait as *const u8,
1798 #[stable(feature = "ptr_eq", since = "1.17.0")]
1800 pub fn eq
<T
: ?Sized
>(a
: *const T
, b
: *const T
) -> bool
{
1804 /// Hash a raw pointer.
1806 /// This can be used to hash a `&T` reference (which coerces to `*const T` implicitly)
1807 /// by its address rather than the value it points to
1808 /// (which is what the `Hash for &T` implementation does).
1813 /// use std::collections::hash_map::DefaultHasher;
1814 /// use std::hash::{Hash, Hasher};
1818 /// let five_ref = &five;
1820 /// let mut hasher = DefaultHasher::new();
1821 /// ptr::hash(five_ref, &mut hasher);
1822 /// let actual = hasher.finish();
1824 /// let mut hasher = DefaultHasher::new();
1825 /// (five_ref as *const i32).hash(&mut hasher);
1826 /// let expected = hasher.finish();
1828 /// assert_eq!(actual, expected);
1830 #[stable(feature = "ptr_hash", since = "1.35.0")]
1831 pub fn hash
<T
: ?Sized
, S
: hash
::Hasher
>(hashee
: *const T
, into
: &mut S
) {
1832 use crate::hash
::Hash
;
1836 // FIXME(strict_provenance_magic): function pointers have buggy codegen that
1837 // necessitates casting to a usize to get the backend to do the right thing.
1838 // for now I will break AVR to silence *a billion* lints. We should probably
1839 // have a proper "opaque function pointer type" to handle this kind of thing.
1841 // Impls for function pointers
1842 macro_rules
! fnptr_impls_safety_abi
{
1843 ($FnTy
: ty
, $
($Arg
: ident
),*) => {
1844 #[stable(feature = "fnptr_impls", since = "1.4.0")]
1845 impl<Ret
, $
($Arg
),*> PartialEq
for $FnTy
{
1847 fn eq(&self, other
: &Self) -> bool
{
1848 *self as usize == *other
as usize
1852 #[stable(feature = "fnptr_impls", since = "1.4.0")]
1853 impl<Ret
, $
($Arg
),*> Eq
for $FnTy {}
1855 #[stable(feature = "fnptr_impls", since = "1.4.0")]
1856 impl<Ret
, $
($Arg
),*> PartialOrd
for $FnTy
{
1858 fn partial_cmp(&self, other
: &Self) -> Option
<Ordering
> {
1859 (*self as usize).partial_cmp(&(*other
as usize))
1863 #[stable(feature = "fnptr_impls", since = "1.4.0")]
1864 impl<Ret
, $
($Arg
),*> Ord
for $FnTy
{
1866 fn cmp(&self, other
: &Self) -> Ordering
{
1867 (*self as usize).cmp(&(*other
as usize))
1871 #[stable(feature = "fnptr_impls", since = "1.4.0")]
1872 impl<Ret
, $
($Arg
),*> hash
::Hash
for $FnTy
{
1873 fn hash
<HH
: hash
::Hasher
>(&self, state
: &mut HH
) {
1874 state
.write_usize(*self as usize)
1878 #[stable(feature = "fnptr_impls", since = "1.4.0")]
1879 impl<Ret
, $
($Arg
),*> fmt
::Pointer
for $FnTy
{
1880 fn fmt(&self, f
: &mut fmt
::Formatter
<'_
>) -> fmt
::Result
{
1881 fmt
::pointer_fmt_inner(*self as usize, f
)
1885 #[stable(feature = "fnptr_impls", since = "1.4.0")]
1886 impl<Ret
, $
($Arg
),*> fmt
::Debug
for $FnTy
{
1887 fn fmt(&self, f
: &mut fmt
::Formatter
<'_
>) -> fmt
::Result
{
1888 fmt
::pointer_fmt_inner(*self as usize, f
)
1894 macro_rules
! fnptr_impls_args
{
1895 ($
($Arg
: ident
),+) => {
1896 fnptr_impls_safety_abi
! { extern "Rust" fn($($Arg),+) -> Ret, $($Arg),+ }
1897 fnptr_impls_safety_abi
! { extern "C" fn($($Arg),+) -> Ret, $($Arg),+ }
1898 fnptr_impls_safety_abi
! { extern "C" fn($($Arg),+ , ...) -> Ret, $($Arg),+ }
1899 fnptr_impls_safety_abi
! { unsafe extern "Rust" fn($($Arg),+) -> Ret, $($Arg),+ }
1900 fnptr_impls_safety_abi
! { unsafe extern "C" fn($($Arg),+) -> Ret, $($Arg),+ }
1901 fnptr_impls_safety_abi
! { unsafe extern "C" fn($($Arg),+ , ...) -> Ret, $($Arg),+ }
1904 // No variadic functions with 0 parameters
1905 fnptr_impls_safety_abi
! { extern "Rust" fn() -> Ret, }
1906 fnptr_impls_safety_abi
! { extern "C" fn() -> Ret, }
1907 fnptr_impls_safety_abi
! { unsafe extern "Rust" fn() -> Ret, }
1908 fnptr_impls_safety_abi
! { unsafe extern "C" fn() -> Ret, }
1912 fnptr_impls_args
! {}
1913 fnptr_impls_args
! { A }
1914 fnptr_impls_args
! { A, B }
1915 fnptr_impls_args
! { A, B, C }
1916 fnptr_impls_args
! { A, B, C, D }
1917 fnptr_impls_args
! { A, B, C, D, E }
1918 fnptr_impls_args
! { A, B, C, D, E, F }
1919 fnptr_impls_args
! { A, B, C, D, E, F, G }
1920 fnptr_impls_args
! { A, B, C, D, E, F, G, H }
1921 fnptr_impls_args
! { A, B, C, D, E, F, G, H, I }
1922 fnptr_impls_args
! { A, B, C, D, E, F, G, H, I, J }
1923 fnptr_impls_args
! { A, B, C, D, E, F, G, H, I, J, K }
1924 fnptr_impls_args
! { A, B, C, D, E, F, G, H, I, J, K, L }
1926 /// Create a `const` raw pointer to a place, without creating an intermediate reference.
1928 /// Creating a reference with `&`/`&mut` is only allowed if the pointer is properly aligned
1929 /// and points to initialized data. For cases where those requirements do not hold,
1930 /// raw pointers should be used instead. However, `&expr as *const _` creates a reference
1931 /// before casting it to a raw pointer, and that reference is subject to the same rules
1932 /// as all other references. This macro can create a raw pointer *without* creating
1933 /// a reference first.
1935 /// Note, however, that the `expr` in `addr_of!(expr)` is still subject to all
1936 /// the usual rules. In particular, `addr_of!(*ptr::null())` is Undefined
1937 /// Behavior because it dereferences a null pointer.
1950 /// let packed = Packed { f1: 1, f2: 2 };
1951 /// // `&packed.f2` would create an unaligned reference, and thus be Undefined Behavior!
1952 /// let raw_f2 = ptr::addr_of!(packed.f2);
1953 /// assert_eq!(unsafe { raw_f2.read_unaligned() }, 2);
1956 /// See [`addr_of_mut`] for how to create a pointer to unininitialized data.
1957 /// Doing that with `addr_of` would not make much sense since one could only
1958 /// read the data, and that would be Undefined Behavior.
1959 #[stable(feature = "raw_ref_macros", since = "1.51.0")]
1960 #[rustc_macro_transparency = "semitransparent"]
1961 #[allow_internal_unstable(raw_ref_op)]
1962 pub macro addr_of($place
:expr
) {
1966 /// Create a `mut` raw pointer to a place, without creating an intermediate reference.
1968 /// Creating a reference with `&`/`&mut` is only allowed if the pointer is properly aligned
1969 /// and points to initialized data. For cases where those requirements do not hold,
1970 /// raw pointers should be used instead. However, `&mut expr as *mut _` creates a reference
1971 /// before casting it to a raw pointer, and that reference is subject to the same rules
1972 /// as all other references. This macro can create a raw pointer *without* creating
1973 /// a reference first.
1975 /// Note, however, that the `expr` in `addr_of_mut!(expr)` is still subject to all
1976 /// the usual rules. In particular, `addr_of_mut!(*ptr::null_mut())` is Undefined
1977 /// Behavior because it dereferences a null pointer.
1981 /// **Creating a pointer to unaligned data:**
1992 /// let mut packed = Packed { f1: 1, f2: 2 };
1993 /// // `&mut packed.f2` would create an unaligned reference, and thus be Undefined Behavior!
1994 /// let raw_f2 = ptr::addr_of_mut!(packed.f2);
1995 /// unsafe { raw_f2.write_unaligned(42); }
1996 /// assert_eq!({packed.f2}, 42); // `{...}` forces copying the field instead of creating a reference.
1999 /// **Creating a pointer to uninitialized data:**
2002 /// use std::{ptr, mem::MaybeUninit};
2008 /// let mut uninit = MaybeUninit::<Demo>::uninit();
2009 /// // `&uninit.as_mut().field` would create a reference to an uninitialized `bool`,
2010 /// // and thus be Undefined Behavior!
2011 /// let f1_ptr = unsafe { ptr::addr_of_mut!((*uninit.as_mut_ptr()).field) };
2012 /// unsafe { f1_ptr.write(true); }
2013 /// let init = unsafe { uninit.assume_init() };
2015 #[stable(feature = "raw_ref_macros", since = "1.51.0")]
2016 #[rustc_macro_transparency = "semitransparent"]
2017 #[allow_internal_unstable(raw_ref_op)]
2018 pub macro addr_of_mut($place
:expr
) {