2 use crate::cmp::Ordering::{self, Equal, Greater, Less};
5 use crate::slice::{self, SliceIndex};
8 impl<T: ?Sized> *const T {
9 /// Returns `true` if the pointer is null.
11 /// Note that unsized types have many possible null pointers, as only the
12 /// raw data pointer is considered, not their length, vtable, etc.
13 /// Therefore, two pointers that are null may still not compare equal to
16 /// ## Behavior during const evaluation
18 /// When this function is used during const evaluation, it may return `false` for pointers
19 /// that turn out to be null at runtime. Specifically, when a pointer to some memory
20 /// is offset beyond its bounds in such a way that the resulting pointer is null,
21 /// the function will still return `false`. There is no way for CTFE to know
22 /// the absolute position of that memory, so we cannot tell if the pointer is
30 /// let s: &str = "Follow the rabbit";
31 /// let ptr: *const u8 = s.as_ptr();
32 /// assert!(!ptr.is_null());
34 #[stable(feature = "rust1", since = "1.0.0")]
35 #[rustc_const_unstable(feature = "const_ptr_is_null", issue = "74939")]
37 pub const fn is_null(self) -> bool {
38 // Compare via a cast to a thin pointer, so fat pointers are only
39 // considering their "data" part for null-ness.
40 (self as *const u8).guaranteed_eq(null())
43 /// Casts to a pointer of another type.
44 #[stable(feature = "ptr_cast", since = "1.38.0")]
45 #[rustc_const_stable(feature = "const_ptr_cast", since = "1.38.0")]
47 pub const fn cast<U>(self) -> *const U {
51 /// Returns `None` if the pointer is null, or else returns a shared reference to
52 /// the value wrapped in `Some`. If the value may be uninitialized, [`as_uninit_ref`]
53 /// must be used instead.
55 /// [`as_uninit_ref`]: #method.as_uninit_ref
59 /// When calling this method, you have to ensure that *either* the pointer is NULL *or*
60 /// all of the following is true:
62 /// * The pointer must be properly aligned.
64 /// * It must be "dereferencable" in the sense defined in [the module documentation].
66 /// * The pointer must point to an initialized instance of `T`.
68 /// * You must enforce Rust's aliasing rules, since the returned lifetime `'a` is
69 /// arbitrarily chosen and does not necessarily reflect the actual lifetime of the data.
70 /// In particular, for the duration of this lifetime, the memory the pointer points to must
71 /// not get mutated (except inside `UnsafeCell`).
73 /// This applies even if the result of this method is unused!
74 /// (The part about being initialized is not yet fully decided, but until
75 /// it is, the only safe approach is to ensure that they are indeed initialized.)
77 /// [the module documentation]: crate::ptr#safety
84 /// let ptr: *const u8 = &10u8 as *const u8;
87 /// if let Some(val_back) = ptr.as_ref() {
88 /// println!("We got back the value: {}!", val_back);
93 /// # Null-unchecked version
95 /// If you are sure the pointer can never be null and are looking for some kind of
96 /// `as_ref_unchecked` that returns the `&T` instead of `Option<&T>`, know that you can
97 /// dereference the pointer directly.
100 /// let ptr: *const u8 = &10u8 as *const u8;
103 /// let val_back = &*ptr;
104 /// println!("We got back the value: {}!", val_back);
107 #[stable(feature = "ptr_as_ref", since = "1.9.0")]
109 pub unsafe fn as_ref<'a>(self) -> Option<&'a T> {
110 // SAFETY: the caller must guarantee that `self` is valid
111 // for a reference if it isn't null.
112 if self.is_null() { None } else { unsafe { Some(&*self) } }
115 /// Returns `None` if the pointer is null, or else returns a shared reference to
116 /// the value wrapped in `Some`. In contrast to [`as_ref`], this does not require
117 /// that the value has to be initialized.
119 /// [`as_ref`]: #method.as_ref
123 /// When calling this method, you have to ensure that *either* the pointer is NULL *or*
124 /// all of the following is true:
126 /// * The pointer must be properly aligned.
128 /// * It must be "dereferencable" in the sense defined in [the module documentation].
130 /// * You must enforce Rust's aliasing rules, since the returned lifetime `'a` is
131 /// arbitrarily chosen and does not necessarily reflect the actual lifetime of the data.
132 /// In particular, for the duration of this lifetime, the memory the pointer points to must
133 /// not get mutated (except inside `UnsafeCell`).
135 /// This applies even if the result of this method is unused!
137 /// [the module documentation]: crate::ptr#safety
144 /// #![feature(ptr_as_uninit)]
146 /// let ptr: *const u8 = &10u8 as *const u8;
149 /// if let Some(val_back) = ptr.as_uninit_ref() {
150 /// println!("We got back the value: {}!", val_back.assume_init());
155 #[unstable(feature = "ptr_as_uninit", issue = "75402")]
156 pub unsafe fn as_uninit_ref<'a>(self) -> Option<&'a MaybeUninit<T>>
160 // SAFETY: the caller must guarantee that `self` meets all the
161 // requirements for a reference.
162 if self.is_null() { None } else { Some(unsafe { &*(self as *const MaybeUninit<T>) }) }
165 /// Calculates the offset from a pointer.
167 /// `count` is in units of T; e.g., a `count` of 3 represents a pointer
168 /// offset of `3 * size_of::<T>()` bytes.
172 /// If any of the following conditions are violated, the result is Undefined
175 /// * Both the starting and resulting pointer must be either in bounds or one
176 /// byte past the end of the same allocated object. Note that in Rust,
177 /// every (stack-allocated) variable is considered a separate allocated object.
179 /// * The computed offset, **in bytes**, cannot overflow an `isize`.
181 /// * The offset being in bounds cannot rely on "wrapping around" the address
182 /// space. That is, the infinite-precision sum, **in bytes** must fit in a usize.
184 /// The compiler and standard library generally tries to ensure allocations
185 /// never reach a size where an offset is a concern. For instance, `Vec`
186 /// and `Box` ensure they never allocate more than `isize::MAX` bytes, so
187 /// `vec.as_ptr().add(vec.len())` is always safe.
189 /// Most platforms fundamentally can't even construct such an allocation.
190 /// For instance, no known 64-bit platform can ever serve a request
191 /// for 2<sup>63</sup> bytes due to page-table limitations or splitting the address space.
192 /// However, some 32-bit and 16-bit platforms may successfully serve a request for
193 /// more than `isize::MAX` bytes with things like Physical Address
194 /// Extension. As such, memory acquired directly from allocators or memory
195 /// mapped files *may* be too large to handle with this function.
197 /// Consider using [`wrapping_offset`] instead if these constraints are
198 /// difficult to satisfy. The only advantage of this method is that it
199 /// enables more aggressive compiler optimizations.
201 /// [`wrapping_offset`]: #method.wrapping_offset
208 /// let s: &str = "123";
209 /// let ptr: *const u8 = s.as_ptr();
212 /// println!("{}", *ptr.offset(1) as char);
213 /// println!("{}", *ptr.offset(2) as char);
216 #[stable(feature = "rust1", since = "1.0.0")]
217 #[must_use = "returns a new pointer rather than modifying its argument"]
218 #[rustc_const_unstable(feature = "const_ptr_offset", issue = "71499")]
220 pub const unsafe fn offset(self, count: isize) -> *const T
224 // SAFETY: the caller must uphold the safety contract for `offset`.
225 unsafe { intrinsics::offset(self, count) }
228 /// Calculates the offset from a pointer using wrapping arithmetic.
230 /// `count` is in units of T; e.g., a `count` of 3 represents a pointer
231 /// offset of `3 * size_of::<T>()` bytes.
235 /// The resulting pointer does not need to be in bounds, but it is
236 /// potentially hazardous to dereference (which requires `unsafe`).
238 /// In particular, the resulting pointer remains attached to the same allocated
239 /// object that `self` points to. It may *not* be used to access a
240 /// different allocated object. Note that in Rust,
241 /// every (stack-allocated) variable is considered a separate allocated object.
243 /// In other words, `x.wrapping_offset(y.wrapping_offset_from(x))` is
244 /// *not* the same as `y`, and dereferencing it is undefined behavior
245 /// unless `x` and `y` point into the same allocated object.
247 /// Compared to [`offset`], this method basically delays the requirement of staying
248 /// within the same allocated object: [`offset`] is immediate Undefined Behavior when
249 /// crossing object boundaries; `wrapping_offset` produces a pointer but still leads
250 /// to Undefined Behavior if that pointer is dereferenced. [`offset`] can be optimized
251 /// better and is thus preferable in performance-sensitive code.
253 /// If you need to cross object boundaries, cast the pointer to an integer and
254 /// do the arithmetic there.
256 /// [`offset`]: #method.offset
263 /// // Iterate using a raw pointer in increments of two elements
264 /// let data = [1u8, 2, 3, 4, 5];
265 /// let mut ptr: *const u8 = data.as_ptr();
267 /// let end_rounded_up = ptr.wrapping_offset(6);
269 /// // This loop prints "1, 3, 5, "
270 /// while ptr != end_rounded_up {
272 /// print!("{}, ", *ptr);
274 /// ptr = ptr.wrapping_offset(step);
277 #[stable(feature = "ptr_wrapping_offset", since = "1.16.0")]
278 #[must_use = "returns a new pointer rather than modifying its argument"]
279 #[rustc_const_unstable(feature = "const_ptr_offset", issue = "71499")]
281 pub const fn wrapping_offset(self, count: isize) -> *const T
285 // SAFETY: the `arith_offset` intrinsic has no prerequisites to be called.
286 unsafe { intrinsics::arith_offset(self, count) }
289 /// Calculates the distance between two pointers. The returned value is in
290 /// units of T: the distance in bytes is divided by `mem::size_of::<T>()`.
292 /// This function is the inverse of [`offset`].
294 /// [`offset`]: #method.offset
295 /// [`wrapping_offset_from`]: #method.wrapping_offset_from
299 /// If any of the following conditions are violated, the result is Undefined
302 /// * Both the starting and other pointer must be either in bounds or one
303 /// byte past the end of the same allocated object. Note that in Rust,
304 /// every (stack-allocated) variable is considered a separate allocated object.
306 /// * The distance between the pointers, **in bytes**, cannot overflow an `isize`.
308 /// * The distance between the pointers, in bytes, must be an exact multiple
309 /// of the size of `T`.
311 /// * The distance being in bounds cannot rely on "wrapping around" the address space.
313 /// The compiler and standard library generally try to ensure allocations
314 /// never reach a size where an offset is a concern. For instance, `Vec`
315 /// and `Box` ensure they never allocate more than `isize::MAX` bytes, so
316 /// `ptr_into_vec.offset_from(vec.as_ptr())` is always safe.
318 /// Most platforms fundamentally can't even construct such an allocation.
319 /// For instance, no known 64-bit platform can ever serve a request
320 /// for 2<sup>63</sup> bytes due to page-table limitations or splitting the address space.
321 /// However, some 32-bit and 16-bit platforms may successfully serve a request for
322 /// more than `isize::MAX` bytes with things like Physical Address
323 /// Extension. As such, memory acquired directly from allocators or memory
324 /// mapped files *may* be too large to handle with this function.
326 /// Consider using [`wrapping_offset_from`] instead if these constraints are
327 /// difficult to satisfy. The only advantage of this method is that it
328 /// enables more aggressive compiler optimizations.
332 /// This function panics if `T` is a Zero-Sized Type ("ZST").
339 /// #![feature(ptr_offset_from)]
342 /// let ptr1: *const i32 = &a[1];
343 /// let ptr2: *const i32 = &a[3];
345 /// assert_eq!(ptr2.offset_from(ptr1), 2);
346 /// assert_eq!(ptr1.offset_from(ptr2), -2);
347 /// assert_eq!(ptr1.offset(2), ptr2);
348 /// assert_eq!(ptr2.offset(-2), ptr1);
351 #[unstable(feature = "ptr_offset_from", issue = "41079")]
352 #[rustc_const_unstable(feature = "const_ptr_offset_from", issue = "41079")]
354 pub const unsafe fn offset_from(self, origin: *const T) -> isize
358 let pointee_size = mem::size_of::<T>();
359 assert!(0 < pointee_size && pointee_size <= isize::MAX as usize);
360 // SAFETY: the caller must uphold the safety contract for `ptr_offset_from`.
361 unsafe { intrinsics::ptr_offset_from(self, origin) }
364 /// Returns whether two pointers are guaranteed to be equal.
366 /// At runtime this function behaves like `self == other`.
367 /// However, in some contexts (e.g., compile-time evaluation),
368 /// it is not always possible to determine equality of two pointers, so this function may
369 /// spuriously return `false` for pointers that later actually turn out to be equal.
370 /// But when it returns `true`, the pointers are guaranteed to be equal.
372 /// This function is the mirror of [`guaranteed_ne`], but not its inverse. There are pointer
373 /// comparisons for which both functions return `false`.
375 /// [`guaranteed_ne`]: #method.guaranteed_ne
377 /// The return value may change depending on the compiler version and unsafe code may not
378 /// rely on the result of this function for soundness. It is suggested to only use this function
379 /// for performance optimizations where spurious `false` return values by this function do not
380 /// affect the outcome, but just the performance.
381 /// The consequences of using this method to make runtime and compile-time code behave
382 /// differently have not been explored. This method should not be used to introduce such
383 /// differences, and it should also not be stabilized before we have a better understanding
385 #[unstable(feature = "const_raw_ptr_comparison", issue = "53020")]
386 #[rustc_const_unstable(feature = "const_raw_ptr_comparison", issue = "53020")]
388 pub const fn guaranteed_eq(self, other: *const T) -> bool
392 intrinsics::ptr_guaranteed_eq(self, other)
395 /// Returns whether two pointers are guaranteed to be unequal.
397 /// At runtime this function behaves like `self != other`.
398 /// However, in some contexts (e.g., compile-time evaluation),
399 /// it is not always possible to determine the inequality of two pointers, so this function may
400 /// spuriously return `false` for pointers that later actually turn out to be unequal.
401 /// But when it returns `true`, the pointers are guaranteed to be unequal.
403 /// This function is the mirror of [`guaranteed_eq`], but not its inverse. There are pointer
404 /// comparisons for which both functions return `false`.
406 /// [`guaranteed_eq`]: #method.guaranteed_eq
408 /// The return value may change depending on the compiler version and unsafe code may not
409 /// rely on the result of this function for soundness. It is suggested to only use this function
410 /// for performance optimizations where spurious `false` return values by this function do not
411 /// affect the outcome, but just the performance.
412 /// The consequences of using this method to make runtime and compile-time code behave
413 /// differently have not been explored. This method should not be used to introduce such
414 /// differences, and it should also not be stabilized before we have a better understanding
416 #[unstable(feature = "const_raw_ptr_comparison", issue = "53020")]
417 #[rustc_const_unstable(feature = "const_raw_ptr_comparison", issue = "53020")]
419 pub const fn guaranteed_ne(self, other: *const T) -> bool
423 intrinsics::ptr_guaranteed_ne(self, other)
426 /// Calculates the distance between two pointers. The returned value is in
427 /// units of T: the distance in bytes is divided by `mem::size_of::<T>()`.
429 /// If the address different between the two pointers is not a multiple of
430 /// `mem::size_of::<T>()` then the result of the division is rounded towards
433 /// Though this method is safe for any two pointers, note that its result
434 /// will be mostly useless if the two pointers aren't into the same allocated
435 /// object, for example if they point to two different local variables.
439 /// This function panics if `T` is a zero-sized type.
446 /// #![feature(ptr_wrapping_offset_from)]
449 /// let ptr1: *const i32 = &a[1];
450 /// let ptr2: *const i32 = &a[3];
451 /// assert_eq!(ptr2.wrapping_offset_from(ptr1), 2);
452 /// assert_eq!(ptr1.wrapping_offset_from(ptr2), -2);
453 /// assert_eq!(ptr1.wrapping_offset(2), ptr2);
454 /// assert_eq!(ptr2.wrapping_offset(-2), ptr1);
456 /// let ptr1: *const i32 = 3 as _;
457 /// let ptr2: *const i32 = 13 as _;
458 /// assert_eq!(ptr2.wrapping_offset_from(ptr1), 2);
460 #[unstable(feature = "ptr_wrapping_offset_from", issue = "41079")]
463 reason = "Pointer distances across allocation \
464 boundaries are not typically meaningful. \
465 Use integer subtraction if you really need this."
468 pub fn wrapping_offset_from(self, origin: *const T) -> isize
472 let pointee_size = mem::size_of::<T>();
473 assert!(0 < pointee_size && pointee_size <= isize::MAX as usize);
475 let d = isize::wrapping_sub(self as _, origin as _);
476 d.wrapping_div(pointee_size as _)
479 /// Calculates the offset from a pointer (convenience for `.offset(count as isize)`).
481 /// `count` is in units of T; e.g., a `count` of 3 represents a pointer
482 /// offset of `3 * size_of::<T>()` bytes.
486 /// If any of the following conditions are violated, the result is Undefined
489 /// * Both the starting and resulting pointer must be either in bounds or one
490 /// byte past the end of the same allocated object. Note that in Rust,
491 /// every (stack-allocated) variable is considered a separate allocated object.
493 /// * The computed offset, **in bytes**, cannot overflow an `isize`.
495 /// * The offset being in bounds cannot rely on "wrapping around" the address
496 /// space. That is, the infinite-precision sum must fit in a `usize`.
498 /// The compiler and standard library generally tries to ensure allocations
499 /// never reach a size where an offset is a concern. For instance, `Vec`
500 /// and `Box` ensure they never allocate more than `isize::MAX` bytes, so
501 /// `vec.as_ptr().add(vec.len())` is always safe.
503 /// Most platforms fundamentally can't even construct such an allocation.
504 /// For instance, no known 64-bit platform can ever serve a request
505 /// for 2<sup>63</sup> bytes due to page-table limitations or splitting the address space.
506 /// However, some 32-bit and 16-bit platforms may successfully serve a request for
507 /// more than `isize::MAX` bytes with things like Physical Address
508 /// Extension. As such, memory acquired directly from allocators or memory
509 /// mapped files *may* be too large to handle with this function.
511 /// Consider using [`wrapping_add`] instead if these constraints are
512 /// difficult to satisfy. The only advantage of this method is that it
513 /// enables more aggressive compiler optimizations.
515 /// [`wrapping_add`]: #method.wrapping_add
522 /// let s: &str = "123";
523 /// let ptr: *const u8 = s.as_ptr();
526 /// println!("{}", *ptr.add(1) as char);
527 /// println!("{}", *ptr.add(2) as char);
530 #[stable(feature = "pointer_methods", since = "1.26.0")]
531 #[must_use = "returns a new pointer rather than modifying its argument"]
532 #[rustc_const_unstable(feature = "const_ptr_offset", issue = "71499")]
534 pub const unsafe fn add(self, count: usize) -> Self
538 // SAFETY: the caller must uphold the safety contract for `offset`.
539 unsafe { self.offset(count as isize) }
542 /// Calculates the offset from a pointer (convenience for
543 /// `.offset((count as isize).wrapping_neg())`).
545 /// `count` is in units of T; e.g., a `count` of 3 represents a pointer
546 /// offset of `3 * size_of::<T>()` bytes.
550 /// If any of the following conditions are violated, the result is Undefined
553 /// * Both the starting and resulting pointer must be either in bounds or one
554 /// byte past the end of the same allocated object. Note that in Rust,
555 /// every (stack-allocated) variable is considered a separate allocated object.
557 /// * The computed offset cannot exceed `isize::MAX` **bytes**.
559 /// * The offset being in bounds cannot rely on "wrapping around" the address
560 /// space. That is, the infinite-precision sum must fit in a usize.
562 /// The compiler and standard library generally tries to ensure allocations
563 /// never reach a size where an offset is a concern. For instance, `Vec`
564 /// and `Box` ensure they never allocate more than `isize::MAX` bytes, so
565 /// `vec.as_ptr().add(vec.len()).sub(vec.len())` is always safe.
567 /// Most platforms fundamentally can't even construct such an allocation.
568 /// For instance, no known 64-bit platform can ever serve a request
569 /// for 2<sup>63</sup> bytes due to page-table limitations or splitting the address space.
570 /// However, some 32-bit and 16-bit platforms may successfully serve a request for
571 /// more than `isize::MAX` bytes with things like Physical Address
572 /// Extension. As such, memory acquired directly from allocators or memory
573 /// mapped files *may* be too large to handle with this function.
575 /// Consider using [`wrapping_sub`] instead if these constraints are
576 /// difficult to satisfy. The only advantage of this method is that it
577 /// enables more aggressive compiler optimizations.
579 /// [`wrapping_sub`]: #method.wrapping_sub
586 /// let s: &str = "123";
589 /// let end: *const u8 = s.as_ptr().add(3);
590 /// println!("{}", *end.sub(1) as char);
591 /// println!("{}", *end.sub(2) as char);
594 #[stable(feature = "pointer_methods", since = "1.26.0")]
595 #[must_use = "returns a new pointer rather than modifying its argument"]
596 #[rustc_const_unstable(feature = "const_ptr_offset", issue = "71499")]
598 pub const unsafe fn sub(self, count: usize) -> Self
602 // SAFETY: the caller must uphold the safety contract for `offset`.
603 unsafe { self.offset((count as isize).wrapping_neg()) }
606 /// Calculates the offset from a pointer using wrapping arithmetic.
607 /// (convenience for `.wrapping_offset(count as isize)`)
609 /// `count` is in units of T; e.g., a `count` of 3 represents a pointer
610 /// offset of `3 * size_of::<T>()` bytes.
614 /// The resulting pointer does not need to be in bounds, but it is
615 /// potentially hazardous to dereference (which requires `unsafe`).
617 /// In particular, the resulting pointer remains attached to the same allocated
618 /// object that `self` points to. It may *not* be used to access a
619 /// different allocated object. Note that in Rust,
620 /// every (stack-allocated) variable is considered a separate allocated object.
622 /// Compared to [`add`], this method basically delays the requirement of staying
623 /// within the same allocated object: [`add`] is immediate Undefined Behavior when
624 /// crossing object boundaries; `wrapping_add` produces a pointer but still leads
625 /// to Undefined Behavior if that pointer is dereferenced. [`add`] can be optimized
626 /// better and is thus preferable in performance-sensitive code.
628 /// If you need to cross object boundaries, cast the pointer to an integer and
629 /// do the arithmetic there.
631 /// [`add`]: #method.add
638 /// // Iterate using a raw pointer in increments of two elements
639 /// let data = [1u8, 2, 3, 4, 5];
640 /// let mut ptr: *const u8 = data.as_ptr();
642 /// let end_rounded_up = ptr.wrapping_add(6);
644 /// // This loop prints "1, 3, 5, "
645 /// while ptr != end_rounded_up {
647 /// print!("{}, ", *ptr);
649 /// ptr = ptr.wrapping_add(step);
652 #[stable(feature = "pointer_methods", since = "1.26.0")]
653 #[must_use = "returns a new pointer rather than modifying its argument"]
654 #[rustc_const_unstable(feature = "const_ptr_offset", issue = "71499")]
656 pub const fn wrapping_add(self, count: usize) -> Self
660 self.wrapping_offset(count as isize)
663 /// Calculates the offset from a pointer using wrapping arithmetic.
664 /// (convenience for `.wrapping_offset((count as isize).wrapping_sub())`)
666 /// `count` is in units of T; e.g., a `count` of 3 represents a pointer
667 /// offset of `3 * size_of::<T>()` bytes.
671 /// The resulting pointer does not need to be in bounds, but it is
672 /// potentially hazardous to dereference (which requires `unsafe`).
674 /// In particular, the resulting pointer remains attached to the same allocated
675 /// object that `self` points to. It may *not* be used to access a
676 /// different allocated object. Note that in Rust,
677 /// every (stack-allocated) variable is considered a separate allocated object.
679 /// Compared to [`sub`], this method basically delays the requirement of staying
680 /// within the same allocated object: [`sub`] is immediate Undefined Behavior when
681 /// crossing object boundaries; `wrapping_sub` produces a pointer but still leads
682 /// to Undefined Behavior if that pointer is dereferenced. [`sub`] can be optimized
683 /// better and is thus preferable in performance-sensitive code.
685 /// If you need to cross object boundaries, cast the pointer to an integer and
686 /// do the arithmetic there.
688 /// [`sub`]: #method.sub
695 /// // Iterate using a raw pointer in increments of two elements (backwards)
696 /// let data = [1u8, 2, 3, 4, 5];
697 /// let mut ptr: *const u8 = data.as_ptr();
698 /// let start_rounded_down = ptr.wrapping_sub(2);
699 /// ptr = ptr.wrapping_add(4);
701 /// // This loop prints "5, 3, 1, "
702 /// while ptr != start_rounded_down {
704 /// print!("{}, ", *ptr);
706 /// ptr = ptr.wrapping_sub(step);
709 #[stable(feature = "pointer_methods", since = "1.26.0")]
710 #[must_use = "returns a new pointer rather than modifying its argument"]
711 #[rustc_const_unstable(feature = "const_ptr_offset", issue = "71499")]
713 pub const fn wrapping_sub(self, count: usize) -> Self
717 self.wrapping_offset((count as isize).wrapping_neg())
720 /// Sets the pointer value to `ptr`.
722 /// In case `self` is a (fat) pointer to an unsized type, this operation
723 /// will only affect the pointer part, whereas for (thin) pointers to
724 /// sized types, this has the same effect as a simple assignment.
726 /// The resulting pointer will have provenance of `val`, i.e., for a fat
727 /// pointer, this operation is semantically the same as creating a new
728 /// fat pointer with the data pointer value of `val` but the metadata of
733 /// This function is primarily useful for allowing byte-wise pointer
734 /// arithmetic on potentially fat pointers:
737 /// #![feature(set_ptr_value)]
738 /// # use core::fmt::Debug;
739 /// let arr: [i32; 3] = [1, 2, 3];
740 /// let mut ptr = &arr[0] as *const dyn Debug;
741 /// let thin = ptr as *const u8;
743 /// ptr = ptr.set_ptr_value(thin.add(8));
744 /// # assert_eq!(*(ptr as *const i32), 3);
745 /// println!("{:?}", &*ptr); // will print "3"
748 #[unstable(feature = "set_ptr_value", issue = "75091")]
749 #[must_use = "returns a new pointer rather than modifying its argument"]
751 pub fn set_ptr_value(mut self, val: *const u8) -> Self {
752 let thin = &mut self as *mut *const T as *mut *const u8;
753 // SAFETY: In case of a thin pointer, this operations is identical
754 // to a simple assignment. In case of a fat pointer, with the current
755 // fat pointer layout implementation, the first field of such a
756 // pointer is always the data pointer, which is likewise assigned.
757 unsafe { *thin = val };
761 /// Reads the value from `self` without moving it. This leaves the
762 /// memory in `self` unchanged.
764 /// See [`ptr::read`] for safety concerns and examples.
766 /// [`ptr::read`]: ./ptr/fn.read.html
767 #[stable(feature = "pointer_methods", since = "1.26.0")]
769 pub unsafe fn read(self) -> T
773 // SAFETY: the caller must uphold the safety contract for `read`.
774 unsafe { read(self) }
777 /// Performs a volatile read of the value from `self` without moving it. This
778 /// leaves the memory in `self` unchanged.
780 /// Volatile operations are intended to act on I/O memory, and are guaranteed
781 /// to not be elided or reordered by the compiler across other volatile
784 /// See [`ptr::read_volatile`] for safety concerns and examples.
786 /// [`ptr::read_volatile`]: ./ptr/fn.read_volatile.html
787 #[stable(feature = "pointer_methods", since = "1.26.0")]
789 pub unsafe fn read_volatile(self) -> T
793 // SAFETY: the caller must uphold the safety contract for `read_volatile`.
794 unsafe { read_volatile(self) }
797 /// Reads the value from `self` without moving it. This leaves the
798 /// memory in `self` unchanged.
800 /// Unlike `read`, the pointer may be unaligned.
802 /// See [`ptr::read_unaligned`] for safety concerns and examples.
804 /// [`ptr::read_unaligned`]: ./ptr/fn.read_unaligned.html
805 #[stable(feature = "pointer_methods", since = "1.26.0")]
807 pub unsafe fn read_unaligned(self) -> T
811 // SAFETY: the caller must uphold the safety contract for `read_unaligned`.
812 unsafe { read_unaligned(self) }
815 /// Copies `count * size_of<T>` bytes from `self` to `dest`. The source
816 /// and destination may overlap.
818 /// NOTE: this has the *same* argument order as [`ptr::copy`].
820 /// See [`ptr::copy`] for safety concerns and examples.
822 /// [`ptr::copy`]: ./ptr/fn.copy.html
823 #[stable(feature = "pointer_methods", since = "1.26.0")]
825 pub unsafe fn copy_to(self, dest: *mut T, count: usize)
829 // SAFETY: the caller must uphold the safety contract for `copy`.
830 unsafe { copy(self, dest, count) }
833 /// Copies `count * size_of<T>` bytes from `self` to `dest`. The source
834 /// and destination may *not* overlap.
836 /// NOTE: this has the *same* argument order as [`ptr::copy_nonoverlapping`].
838 /// See [`ptr::copy_nonoverlapping`] for safety concerns and examples.
840 /// [`ptr::copy_nonoverlapping`]: ./ptr/fn.copy_nonoverlapping.html
841 #[stable(feature = "pointer_methods", since = "1.26.0")]
843 pub unsafe fn copy_to_nonoverlapping(self, dest: *mut T, count: usize)
847 // SAFETY: the caller must uphold the safety contract for `copy_nonoverlapping`.
848 unsafe { copy_nonoverlapping(self, dest, count) }
851 /// Computes the offset that needs to be applied to the pointer in order to make it aligned to
854 /// If it is not possible to align the pointer, the implementation returns
855 /// `usize::MAX`. It is permissible for the implementation to *always*
856 /// return `usize::MAX`. Only your algorithm's performance can depend
857 /// on getting a usable offset here, not its correctness.
859 /// The offset is expressed in number of `T` elements, and not bytes. The value returned can be
860 /// used with the `wrapping_add` method.
862 /// There are no guarantees whatsoever that offsetting the pointer will not overflow or go
863 /// beyond the allocation that the pointer points into. It is up to the caller to ensure that
864 /// the returned offset is correct in all terms other than alignment.
868 /// The function panics if `align` is not a power-of-two.
872 /// Accessing adjacent `u8` as `u16`
875 /// # fn foo(n: usize) {
876 /// # use std::mem::align_of;
878 /// let x = [5u8, 6u8, 7u8, 8u8, 9u8];
879 /// let ptr = &x[n] as *const u8;
880 /// let offset = ptr.align_offset(align_of::<u16>());
881 /// if offset < x.len() - n - 1 {
882 /// let u16_ptr = ptr.add(offset) as *const u16;
883 /// assert_ne!(*u16_ptr, 500);
885 /// // while the pointer can be aligned via `offset`, it would point
886 /// // outside the allocation
890 #[stable(feature = "align_offset", since = "1.36.0")]
891 pub fn align_offset(self, align: usize) -> usize
895 if !align.is_power_of_two() {
896 panic!("align_offset: align is not a power-of-two");
898 // SAFETY: `align` has been checked to be a power of 2 above
899 unsafe { align_offset(self, align) }
903 #[lang = "const_slice_ptr"]
905 /// Returns the length of a raw slice.
907 /// The returned value is the number of **elements**, not the number of bytes.
909 /// This function is safe, even when the raw slice cannot be cast to a slice
910 /// reference because the pointer is null or unaligned.
915 /// #![feature(slice_ptr_len)]
919 /// let slice: *const [i8] = ptr::slice_from_raw_parts(ptr::null(), 3);
920 /// assert_eq!(slice.len(), 3);
923 #[unstable(feature = "slice_ptr_len", issue = "71146")]
924 #[rustc_const_unstable(feature = "const_slice_ptr_len", issue = "71146")]
925 pub const fn len(self) -> usize {
926 // SAFETY: this is safe because `*const [T]` and `FatPtr<T>` have the same layout.
927 // Only `std` can make this guarantee.
928 unsafe { Repr { rust: self }.raw }.len
931 /// Returns a raw pointer to the slice's buffer.
933 /// This is equivalent to casting `self` to `*const T`, but more type-safe.
938 /// #![feature(slice_ptr_get)]
941 /// let slice: *const [i8] = ptr::slice_from_raw_parts(ptr::null(), 3);
942 /// assert_eq!(slice.as_ptr(), 0 as *const i8);
945 #[unstable(feature = "slice_ptr_get", issue = "74265")]
946 #[rustc_const_unstable(feature = "slice_ptr_get", issue = "74265")]
947 pub const fn as_ptr(self) -> *const T {
951 /// Returns a raw pointer to an element or subslice, without doing bounds
954 /// Calling this method with an out-of-bounds index or when `self` is not dereferencable
955 /// is *[undefined behavior]* even if the resulting pointer is not used.
957 /// [undefined behavior]: https://doc.rust-lang.org/reference/behavior-considered-undefined.html
962 /// #![feature(slice_ptr_get)]
964 /// let x = &[1, 2, 4] as *const [i32];
967 /// assert_eq!(x.get_unchecked(1), x.as_ptr().add(1));
970 #[unstable(feature = "slice_ptr_get", issue = "74265")]
972 pub unsafe fn get_unchecked<I>(self, index: I) -> *const I::Output
976 // SAFETY: the caller ensures that `self` is dereferencable and `index` in-bounds.
977 unsafe { index.get_unchecked(self) }
980 /// Returns `None` if the pointer is null, or else returns a shared slice to
981 /// the value wrapped in `Some`. In contrast to [`as_ref`], this does not require
982 /// that the value has to be initialized.
984 /// [`as_ref`]: #method.as_ref
988 /// When calling this method, you have to ensure that *either* the pointer is NULL *or*
989 /// all of the following is true:
991 /// * The pointer must be [valid] for reads for `ptr.len() * mem::size_of::<T>()` many bytes,
992 /// and it must be properly aligned. This means in particular:
994 /// * The entire memory range of this slice must be contained within a single allocated object!
995 /// Slices can never span across multiple allocated objects.
997 /// * The pointer must be aligned even for zero-length slices. One
998 /// reason for this is that enum layout optimizations may rely on references
999 /// (including slices of any length) being aligned and non-null to distinguish
1000 /// them from other data. You can obtain a pointer that is usable as `data`
1001 /// for zero-length slices using [`NonNull::dangling()`].
1003 /// * The total size `ptr.len() * mem::size_of::<T>()` of the slice must be no larger than `isize::MAX`.
1004 /// See the safety documentation of [`pointer::offset`].
1006 /// * You must enforce Rust's aliasing rules, since the returned lifetime `'a` is
1007 /// arbitrarily chosen and does not necessarily reflect the actual lifetime of the data.
1008 /// In particular, for the duration of this lifetime, the memory the pointer points to must
1009 /// not get mutated (except inside `UnsafeCell`).
1011 /// This applies even if the result of this method is unused!
1013 /// See also [`slice::from_raw_parts`][].
1015 /// [valid]: crate::ptr#safety
1016 /// [`NonNull::dangling()`]: NonNull::dangling
1017 /// [`pointer::offset`]: ../std/primitive.pointer.html#method.offset
1019 #[unstable(feature = "ptr_as_uninit", issue = "75402")]
1020 pub unsafe fn as_uninit_slice<'a>(self) -> Option<&'a [MaybeUninit<T>]> {
1024 // SAFETY: the caller must uphold the safety contract for `as_uninit_slice`.
1025 Some(unsafe { slice::from_raw_parts(self as *const MaybeUninit<T>, self.len()) })
1030 // Equality for pointers
1031 #[stable(feature = "rust1", since = "1.0.0")]
1032 impl<T: ?Sized> PartialEq for *const T {
1034 fn eq(&self, other: &*const T) -> bool {
1039 #[stable(feature = "rust1", since = "1.0.0")]
1040 impl<T: ?Sized> Eq for *const T {}
1042 // Comparison for pointers
1043 #[stable(feature = "rust1", since = "1.0.0")]
1044 impl<T: ?Sized> Ord for *const T {
1046 fn cmp(&self, other: &*const T) -> Ordering {
1049 } else if self == other {
1057 #[stable(feature = "rust1", since = "1.0.0")]
1058 impl<T: ?Sized> PartialOrd for *const T {
1060 fn partial_cmp(&self, other: &*const T) -> Option<Ordering> {
1061 Some(self.cmp(other))
1065 fn lt(&self, other: &*const T) -> bool {
1070 fn le(&self, other: &*const T) -> bool {
1075 fn gt(&self, other: &*const T) -> bool {
1080 fn ge(&self, other: &*const T) -> bool {