1 //! Manually manage memory through raw pointers.
3 //! *[See also the pointer primitive types](../../std/primitive.pointer.html).*
7 //! Many functions in this module take raw pointers as arguments and read from
8 //! or write to them. For this to be safe, these pointers must be *valid*.
9 //! Whether a pointer is valid depends on the operation it is used for
10 //! (read or write), and the extent of the memory that is accessed (i.e.,
11 //! how many bytes are read/written). Most functions use `*mut T` and `*const T`
12 //! to access only a single value, in which case the documentation omits the size
13 //! and implicitly assumes it to be `size_of::<T>()` bytes.
15 //! The precise rules for validity are not determined yet. The guarantees that are
16 //! provided at this point are very minimal:
18 //! * A [null] pointer is *never* valid, not even for accesses of [size zero][zst].
19 //! * All pointers (except for the null pointer) are valid for all operations of
21 //! * All accesses performed by functions in this module are *non-atomic* in the sense
22 //! of [atomic operations] used to synchronize between threads. This means it is
23 //! undefined behavior to perform two concurrent accesses to the same location from different
24 //! threads unless both accesses only read from memory. Notice that this explicitly
25 //! includes [`read_volatile`] and [`write_volatile`]: Volatile accesses cannot
26 //! be used for inter-thread synchronization.
27 //! * The result of casting a reference to a pointer is valid for as long as the
28 //! underlying object is live and no reference (just raw pointers) is used to
29 //! access the same memory.
31 //! These axioms, along with careful use of [`offset`] for pointer arithmetic,
32 //! are enough to correctly implement many useful things in unsafe code. Stronger guarantees
33 //! will be provided eventually, as the [aliasing] rules are being determined. For more
34 //! information, see the [book] as well as the section in the reference devoted
35 //! to [undefined behavior][ub].
39 //! Valid raw pointers as defined above are not necessarily properly aligned (where
40 //! "proper" alignment is defined by the pointee type, i.e., `*const T` must be
41 //! aligned to `mem::align_of::<T>()`). However, most functions require their
42 //! arguments to be properly aligned, and will explicitly state
43 //! this requirement in their documentation. Notable exceptions to this are
44 //! [`read_unaligned`] and [`write_unaligned`].
46 //! When a function requires proper alignment, it does so even if the access
47 //! has size 0, i.e., even if memory is not actually touched. Consider using
48 //! [`NonNull::dangling`] in such cases.
50 //! [aliasing]: ../../nomicon/aliasing.html
51 //! [book]: ../../book/ch19-01-unsafe-rust.html#dereferencing-a-raw-pointer
52 //! [ub]: ../../reference/behavior-considered-undefined.html
53 //! [null]: ./fn.null.html
54 //! [zst]: ../../nomicon/exotic-sizes.html#zero-sized-types-zsts
55 //! [atomic operations]: ../../std/sync/atomic/index.html
56 //! [`copy`]: ../../std/ptr/fn.copy.html
57 //! [`offset`]: ../../std/primitive.pointer.html#method.offset
58 //! [`read_unaligned`]: ./fn.read_unaligned.html
59 //! [`write_unaligned`]: ./fn.write_unaligned.html
60 //! [`read_volatile`]: ./fn.read_volatile.html
61 //! [`write_volatile`]: ./fn.write_volatile.html
62 //! [`NonNull::dangling`]: ./struct.NonNull.html#method.dangling
64 #![stable(feature = "rust1", since = "1.0.0")]
66 use crate::intrinsics;
69 use crate::mem::{self, MaybeUninit};
70 use crate::cmp::Ordering::{self, Less, Equal, Greater};
72 #[stable(feature = "rust1", since = "1.0.0")]
73 pub use crate::intrinsics::copy_nonoverlapping;
75 #[stable(feature = "rust1", since = "1.0.0")]
76 pub use crate::intrinsics::copy;
78 #[stable(feature = "rust1", since = "1.0.0")]
79 pub use crate::intrinsics::write_bytes;
82 #[stable(feature = "nonnull", since = "1.25.0")]
83 pub use non_null::NonNull;
86 #[unstable(feature = "ptr_internals", issue = "0")]
87 pub use unique::Unique;
89 /// Executes the destructor (if any) of the pointed-to value.
91 /// This is semantically equivalent to calling [`ptr::read`] and discarding
92 /// the result, but has the following advantages:
94 /// * It is *required* to use `drop_in_place` to drop unsized types like
95 /// trait objects, because they can't be read out onto the stack and
98 /// * It is friendlier to the optimizer to do this over [`ptr::read`] when
99 /// dropping manually allocated memory (e.g., when writing Box/Rc/Vec),
100 /// as the compiler doesn't need to prove that it's sound to elide the
103 /// Unaligned values cannot be dropped in place, they must be copied to an aligned
104 /// location first using [`ptr::read_unaligned`].
106 /// [`ptr::read`]: ../ptr/fn.read.html
107 /// [`ptr::read_unaligned`]: ../ptr/fn.read_unaligned.html
111 /// Behavior is undefined if any of the following conditions are violated:
113 /// * `to_drop` must be [valid] for reads.
115 /// * `to_drop` must be properly aligned.
117 /// Additionally, if `T` is not [`Copy`], using the pointed-to value after
118 /// calling `drop_in_place` can cause undefined behavior. Note that `*to_drop =
119 /// foo` counts as a use because it will cause the value to be dropped
120 /// again. [`write`] can be used to overwrite data without causing it to be
123 /// Note that even if `T` has size `0`, the pointer must be non-NULL and properly aligned.
125 /// [valid]: ../ptr/index.html#safety
126 /// [`Copy`]: ../marker/trait.Copy.html
127 /// [`write`]: ../ptr/fn.write.html
131 /// Manually remove the last item from a vector:
137 /// let last = Rc::new(1);
138 /// let weak = Rc::downgrade(&last);
140 /// let mut v = vec![Rc::new(0), last];
143 /// // Get a raw pointer to the last element in `v`.
144 /// let ptr = &mut v[1] as *mut _;
145 /// // Shorten `v` to prevent the last item from being dropped. We do that first,
146 /// // to prevent issues if the `drop_in_place` below panics.
148 /// // Without a call `drop_in_place`, the last item would never be dropped,
149 /// // and the memory it manages would be leaked.
150 /// ptr::drop_in_place(ptr);
153 /// assert_eq!(v, &[0.into()]);
155 /// // Ensure that the last item was dropped.
156 /// assert!(weak.upgrade().is_none());
159 /// Notice that the compiler performs this copy automatically when dropping packed structs,
160 /// i.e., you do not usually have to worry about such issues unless you call `drop_in_place`
162 #[stable(feature = "drop_in_place", since = "1.8.0")]
164 pub unsafe fn drop_in_place<T: ?Sized>(to_drop: *mut T) {
165 real_drop_in_place(&mut *to_drop)
168 // The real `drop_in_place` -- the one that gets called implicitly when variables go
169 // out of scope -- should have a safe reference and not a raw pointer as argument
170 // type. When we drop a local variable, we access it with a pointer that behaves
171 // like a safe reference; transmuting that to a raw pointer does not mean we can
172 // actually access it with raw pointers.
173 #[lang = "drop_in_place"]
174 #[allow(unconditional_recursion)]
175 unsafe fn real_drop_in_place<T: ?Sized>(to_drop: &mut T) {
176 // Code here does not matter - this is replaced by the
177 // real drop glue by the compiler.
178 real_drop_in_place(to_drop)
181 /// Creates a null raw pointer.
188 /// let p: *const i32 = ptr::null();
189 /// assert!(p.is_null());
192 #[stable(feature = "rust1", since = "1.0.0")]
194 pub const fn null<T>() -> *const T { 0 as *const T }
196 /// Creates a null mutable raw pointer.
203 /// let p: *mut i32 = ptr::null_mut();
204 /// assert!(p.is_null());
207 #[stable(feature = "rust1", since = "1.0.0")]
209 pub const fn null_mut<T>() -> *mut T { 0 as *mut T }
212 pub(crate) union Repr<T> {
213 pub(crate) rust: *const [T],
215 pub(crate) raw: FatPtr<T>,
219 pub(crate) struct FatPtr<T> {
221 pub(crate) len: usize,
224 /// Forms a slice from a pointer and a length.
226 /// The `len` argument is the number of **elements**, not the number of bytes.
231 /// #![feature(slice_from_raw_parts)]
234 /// // create a slice pointer when starting out with a pointer to the first element
235 /// let mut x = [5, 6, 7];
236 /// let ptr = &mut x[0] as *mut _;
237 /// let slice = ptr::slice_from_raw_parts_mut(ptr, 3);
238 /// assert_eq!(unsafe { &*slice }[2], 7);
241 #[unstable(feature = "slice_from_raw_parts", reason = "recently added", issue = "36925")]
242 pub fn slice_from_raw_parts<T>(data: *const T, len: usize) -> *const [T] {
243 unsafe { Repr { raw: FatPtr { data, len } }.rust }
246 /// Performs the same functionality as [`from_raw_parts`], except that a
247 /// mutable slice is returned.
249 /// See the documentation of [`from_raw_parts`] for more details.
251 /// [`from_raw_parts`]: ../../std/slice/fn.from_raw_parts.html
253 #[unstable(feature = "slice_from_raw_parts", reason = "recently added", issue = "36925")]
254 pub fn slice_from_raw_parts_mut<T>(data: *mut T, len: usize) -> *mut [T] {
255 unsafe { Repr { raw: FatPtr { data, len } }.rust_mut }
258 /// Swaps the values at two mutable locations of the same type, without
259 /// deinitializing either.
261 /// But for the following two exceptions, this function is semantically
262 /// equivalent to [`mem::swap`]:
264 /// * It operates on raw pointers instead of references. When references are
265 /// available, [`mem::swap`] should be preferred.
267 /// * The two pointed-to values may overlap. If the values do overlap, then the
268 /// overlapping region of memory from `x` will be used. This is demonstrated
269 /// in the second example below.
271 /// [`mem::swap`]: ../mem/fn.swap.html
275 /// Behavior is undefined if any of the following conditions are violated:
277 /// * Both `x` and `y` must be [valid] for reads and writes.
279 /// * Both `x` and `y` must be properly aligned.
281 /// Note that even if `T` has size `0`, the pointers must be non-NULL and properly aligned.
283 /// [valid]: ../ptr/index.html#safety
287 /// Swapping two non-overlapping regions:
292 /// let mut array = [0, 1, 2, 3];
294 /// let x = array[0..].as_mut_ptr() as *mut [u32; 2]; // this is `array[0..2]`
295 /// let y = array[2..].as_mut_ptr() as *mut [u32; 2]; // this is `array[2..4]`
299 /// assert_eq!([2, 3, 0, 1], array);
303 /// Swapping two overlapping regions:
308 /// let mut array = [0, 1, 2, 3];
310 /// let x = array[0..].as_mut_ptr() as *mut [u32; 3]; // this is `array[0..3]`
311 /// let y = array[1..].as_mut_ptr() as *mut [u32; 3]; // this is `array[1..4]`
315 /// // The indices `1..3` of the slice overlap between `x` and `y`.
316 /// // Reasonable results would be for to them be `[2, 3]`, so that indices `0..3` are
317 /// // `[1, 2, 3]` (matching `y` before the `swap`); or for them to be `[0, 1]`
318 /// // so that indices `1..4` are `[0, 1, 2]` (matching `x` before the `swap`).
319 /// // This implementation is defined to make the latter choice.
320 /// assert_eq!([1, 0, 1, 2], array);
324 #[stable(feature = "rust1", since = "1.0.0")]
325 pub unsafe fn swap<T>(x: *mut T, y: *mut T) {
326 // Give ourselves some scratch space to work with.
327 // We do not have to worry about drops: `MaybeUninit` does nothing when dropped.
328 let mut tmp = MaybeUninit::<T>::uninit();
331 copy_nonoverlapping(x, tmp.as_mut_ptr(), 1);
332 copy(y, x, 1); // `x` and `y` may overlap
333 copy_nonoverlapping(tmp.as_ptr(), y, 1);
336 /// Swaps `count * size_of::<T>()` bytes between the two regions of memory
337 /// beginning at `x` and `y`. The two regions must *not* overlap.
341 /// Behavior is undefined if any of the following conditions are violated:
343 /// * Both `x` and `y` must be [valid] for reads and writes of `count *
344 /// size_of::<T>()` bytes.
346 /// * Both `x` and `y` must be properly aligned.
348 /// * The region of memory beginning at `x` with a size of `count *
349 /// size_of::<T>()` bytes must *not* overlap with the region of memory
350 /// beginning at `y` with the same size.
352 /// Note that even if the effectively copied size (`count * size_of::<T>()`) is `0`,
353 /// the pointers must be non-NULL and properly aligned.
355 /// [valid]: ../ptr/index.html#safety
364 /// let mut x = [1, 2, 3, 4];
365 /// let mut y = [7, 8, 9];
368 /// ptr::swap_nonoverlapping(x.as_mut_ptr(), y.as_mut_ptr(), 2);
371 /// assert_eq!(x, [7, 8, 3, 4]);
372 /// assert_eq!(y, [1, 2, 9]);
375 #[stable(feature = "swap_nonoverlapping", since = "1.27.0")]
376 pub unsafe fn swap_nonoverlapping<T>(x: *mut T, y: *mut T, count: usize) {
377 let x = x as *mut u8;
378 let y = y as *mut u8;
379 let len = mem::size_of::<T>() * count;
380 swap_nonoverlapping_bytes(x, y, len)
384 pub(crate) unsafe fn swap_nonoverlapping_one<T>(x: *mut T, y: *mut T) {
385 // For types smaller than the block optimization below,
386 // just swap directly to avoid pessimizing codegen.
387 if mem::size_of::<T>() < 32 {
389 copy_nonoverlapping(y, x, 1);
392 swap_nonoverlapping(x, y, 1);
397 unsafe fn swap_nonoverlapping_bytes(x: *mut u8, y: *mut u8, len: usize) {
398 // The approach here is to utilize simd to swap x & y efficiently. Testing reveals
399 // that swapping either 32 bytes or 64 bytes at a time is most efficient for Intel
400 // Haswell E processors. LLVM is more able to optimize if we give a struct a
401 // #[repr(simd)], even if we don't actually use this struct directly.
403 // FIXME repr(simd) broken on emscripten and redox
404 #[cfg_attr(not(any(target_os = "emscripten", target_os = "redox")), repr(simd))]
405 struct Block(u64, u64, u64, u64);
406 struct UnalignedBlock(u64, u64, u64, u64);
408 let block_size = mem::size_of::<Block>();
410 // Loop through x & y, copying them `Block` at a time
411 // The optimizer should unroll the loop fully for most types
412 // N.B. We can't use a for loop as the `range` impl calls `mem::swap` recursively
414 while i + block_size <= len {
415 // Create some uninitialized memory as scratch space
416 // Declaring `t` here avoids aligning the stack when this loop is unused
417 let mut t = mem::MaybeUninit::<Block>::uninit();
418 let t = t.as_mut_ptr() as *mut u8;
422 // Swap a block of bytes of x & y, using t as a temporary buffer
423 // This should be optimized into efficient SIMD operations where available
424 copy_nonoverlapping(x, t, block_size);
425 copy_nonoverlapping(y, x, block_size);
426 copy_nonoverlapping(t, y, block_size);
431 // Swap any remaining bytes
432 let mut t = mem::MaybeUninit::<UnalignedBlock>::uninit();
435 let t = t.as_mut_ptr() as *mut u8;
439 copy_nonoverlapping(x, t, rem);
440 copy_nonoverlapping(y, x, rem);
441 copy_nonoverlapping(t, y, rem);
445 /// Moves `src` into the pointed `dst`, returning the previous `dst` value.
447 /// Neither value is dropped.
449 /// This function is semantically equivalent to [`mem::replace`] except that it
450 /// operates on raw pointers instead of references. When references are
451 /// available, [`mem::replace`] should be preferred.
453 /// [`mem::replace`]: ../mem/fn.replace.html
457 /// Behavior is undefined if any of the following conditions are violated:
459 /// * `dst` must be [valid] for writes.
461 /// * `dst` must be properly aligned.
463 /// Note that even if `T` has size `0`, the pointer must be non-NULL and properly aligned.
465 /// [valid]: ../ptr/index.html#safety
472 /// let mut rust = vec!['b', 'u', 's', 't'];
474 /// // `mem::replace` would have the same effect without requiring the unsafe
477 /// ptr::replace(&mut rust[0], 'r')
480 /// assert_eq!(b, 'b');
481 /// assert_eq!(rust, &['r', 'u', 's', 't']);
484 #[stable(feature = "rust1", since = "1.0.0")]
485 pub unsafe fn replace<T>(dst: *mut T, mut src: T) -> T {
486 mem::swap(&mut *dst, &mut src); // cannot overlap
490 /// Reads the value from `src` without moving it. This leaves the
491 /// memory in `src` unchanged.
495 /// Behavior is undefined if any of the following conditions are violated:
497 /// * `src` must be [valid] for reads.
499 /// * `src` must be properly aligned. Use [`read_unaligned`] if this is not the
502 /// Note that even if `T` has size `0`, the pointer must be non-NULL and properly aligned.
510 /// let y = &x as *const i32;
513 /// assert_eq!(std::ptr::read(y), 12);
517 /// Manually implement [`mem::swap`]:
522 /// fn swap<T>(a: &mut T, b: &mut T) {
524 /// // Create a bitwise copy of the value at `a` in `tmp`.
525 /// let tmp = ptr::read(a);
527 /// // Exiting at this point (either by explicitly returning or by
528 /// // calling a function which panics) would cause the value in `tmp` to
529 /// // be dropped while the same value is still referenced by `a`. This
530 /// // could trigger undefined behavior if `T` is not `Copy`.
532 /// // Create a bitwise copy of the value at `b` in `a`.
533 /// // This is safe because mutable references cannot alias.
534 /// ptr::copy_nonoverlapping(b, a, 1);
536 /// // As above, exiting here could trigger undefined behavior because
537 /// // the same value is referenced by `a` and `b`.
539 /// // Move `tmp` into `b`.
540 /// ptr::write(b, tmp);
542 /// // `tmp` has been moved (`write` takes ownership of its second argument),
543 /// // so nothing is dropped implicitly here.
547 /// let mut foo = "foo".to_owned();
548 /// let mut bar = "bar".to_owned();
550 /// swap(&mut foo, &mut bar);
552 /// assert_eq!(foo, "bar");
553 /// assert_eq!(bar, "foo");
556 /// ## Ownership of the Returned Value
558 /// `read` creates a bitwise copy of `T`, regardless of whether `T` is [`Copy`].
559 /// If `T` is not [`Copy`], using both the returned value and the value at
560 /// `*src` can violate memory safety. Note that assigning to `*src` counts as a
561 /// use because it will attempt to drop the value at `*src`.
563 /// [`write`] can be used to overwrite data without causing it to be dropped.
568 /// let mut s = String::from("foo");
570 /// // `s2` now points to the same underlying memory as `s`.
571 /// let mut s2: String = ptr::read(&s);
573 /// assert_eq!(s2, "foo");
575 /// // Assigning to `s2` causes its original value to be dropped. Beyond
576 /// // this point, `s` must no longer be used, as the underlying memory has
578 /// s2 = String::default();
579 /// assert_eq!(s2, "");
581 /// // Assigning to `s` would cause the old value to be dropped again,
582 /// // resulting in undefined behavior.
583 /// // s = String::from("bar"); // ERROR
585 /// // `ptr::write` can be used to overwrite a value without dropping it.
586 /// ptr::write(&mut s, String::from("bar"));
589 /// assert_eq!(s, "bar");
592 /// [`mem::swap`]: ../mem/fn.swap.html
593 /// [valid]: ../ptr/index.html#safety
594 /// [`Copy`]: ../marker/trait.Copy.html
595 /// [`read_unaligned`]: ./fn.read_unaligned.html
596 /// [`write`]: ./fn.write.html
598 #[stable(feature = "rust1", since = "1.0.0")]
599 pub unsafe fn read<T>(src: *const T) -> T {
600 let mut tmp = MaybeUninit::<T>::uninit();
601 copy_nonoverlapping(src, tmp.as_mut_ptr(), 1);
605 /// Reads the value from `src` without moving it. This leaves the
606 /// memory in `src` unchanged.
608 /// Unlike [`read`], `read_unaligned` works with unaligned pointers.
612 /// Behavior is undefined if any of the following conditions are violated:
614 /// * `src` must be [valid] for reads.
616 /// Like [`read`], `read_unaligned` creates a bitwise copy of `T`, regardless of
617 /// whether `T` is [`Copy`]. If `T` is not [`Copy`], using both the returned
618 /// value and the value at `*src` can [violate memory safety][read-ownership].
620 /// Note that even if `T` has size `0`, the pointer must be non-NULL.
622 /// [`Copy`]: ../marker/trait.Copy.html
623 /// [`read`]: ./fn.read.html
624 /// [`write_unaligned`]: ./fn.write_unaligned.html
625 /// [read-ownership]: ./fn.read.html#ownership-of-the-returned-value
626 /// [valid]: ../ptr/index.html#safety
628 /// ## On `packed` structs
630 /// It is currently impossible to create raw pointers to unaligned fields
631 /// of a packed struct.
633 /// Attempting to create a raw pointer to an `unaligned` struct field with
634 /// an expression such as `&packed.unaligned as *const FieldType` creates an
635 /// intermediate unaligned reference before converting that to a raw pointer.
636 /// That this reference is temporary and immediately cast is inconsequential
637 /// as the compiler always expects references to be properly aligned.
638 /// As a result, using `&packed.unaligned as *const FieldType` causes immediate
639 /// *undefined behavior* in your program.
641 /// An example of what not to do and how this relates to `read_unaligned` is:
644 /// #[repr(packed, C)]
650 /// let packed = Packed {
652 /// unaligned: 0x01020304,
656 /// // Here we attempt to take the address of a 32-bit integer which is not aligned.
658 /// // A temporary unaligned reference is created here which results in
659 /// // undefined behavior regardless of whether the reference is used or not.
660 /// &packed.unaligned
661 /// // Casting to a raw pointer doesn't help; the mistake already happened.
664 /// let v = std::ptr::read_unaligned(unaligned);
670 /// Accessing unaligned fields directly with e.g. `packed.unaligned` is safe however.
671 // FIXME: Update docs based on outcome of RFC #2582 and friends.
675 /// Read an usize value from a byte buffer:
680 /// fn read_usize(x: &[u8]) -> usize {
681 /// assert!(x.len() >= mem::size_of::<usize>());
683 /// let ptr = x.as_ptr() as *const usize;
685 /// unsafe { ptr.read_unaligned() }
689 #[stable(feature = "ptr_unaligned", since = "1.17.0")]
690 pub unsafe fn read_unaligned<T>(src: *const T) -> T {
691 let mut tmp = MaybeUninit::<T>::uninit();
692 copy_nonoverlapping(src as *const u8,
693 tmp.as_mut_ptr() as *mut u8,
694 mem::size_of::<T>());
698 /// Overwrites a memory location with the given value without reading or
699 /// dropping the old value.
701 /// `write` does not drop the contents of `dst`. This is safe, but it could leak
702 /// allocations or resources, so care should be taken not to overwrite an object
703 /// that should be dropped.
705 /// Additionally, it does not drop `src`. Semantically, `src` is moved into the
706 /// location pointed to by `dst`.
708 /// This is appropriate for initializing uninitialized memory, or overwriting
709 /// memory that has previously been [`read`] from.
711 /// [`read`]: ./fn.read.html
715 /// Behavior is undefined if any of the following conditions are violated:
717 /// * `dst` must be [valid] for writes.
719 /// * `dst` must be properly aligned. Use [`write_unaligned`] if this is not the
722 /// Note that even if `T` has size `0`, the pointer must be non-NULL and properly aligned.
724 /// [valid]: ../ptr/index.html#safety
725 /// [`write_unaligned`]: ./fn.write_unaligned.html
733 /// let y = &mut x as *mut i32;
737 /// std::ptr::write(y, z);
738 /// assert_eq!(std::ptr::read(y), 12);
742 /// Manually implement [`mem::swap`]:
747 /// fn swap<T>(a: &mut T, b: &mut T) {
749 /// // Create a bitwise copy of the value at `a` in `tmp`.
750 /// let tmp = ptr::read(a);
752 /// // Exiting at this point (either by explicitly returning or by
753 /// // calling a function which panics) would cause the value in `tmp` to
754 /// // be dropped while the same value is still referenced by `a`. This
755 /// // could trigger undefined behavior if `T` is not `Copy`.
757 /// // Create a bitwise copy of the value at `b` in `a`.
758 /// // This is safe because mutable references cannot alias.
759 /// ptr::copy_nonoverlapping(b, a, 1);
761 /// // As above, exiting here could trigger undefined behavior because
762 /// // the same value is referenced by `a` and `b`.
764 /// // Move `tmp` into `b`.
765 /// ptr::write(b, tmp);
767 /// // `tmp` has been moved (`write` takes ownership of its second argument),
768 /// // so nothing is dropped implicitly here.
772 /// let mut foo = "foo".to_owned();
773 /// let mut bar = "bar".to_owned();
775 /// swap(&mut foo, &mut bar);
777 /// assert_eq!(foo, "bar");
778 /// assert_eq!(bar, "foo");
781 /// [`mem::swap`]: ../mem/fn.swap.html
783 #[stable(feature = "rust1", since = "1.0.0")]
784 pub unsafe fn write<T>(dst: *mut T, src: T) {
785 intrinsics::move_val_init(&mut *dst, src)
788 /// Overwrites a memory location with the given value without reading or
789 /// dropping the old value.
791 /// Unlike [`write`], the pointer may be unaligned.
793 /// `write_unaligned` does not drop the contents of `dst`. This is safe, but it
794 /// could leak allocations or resources, so care should be taken not to overwrite
795 /// an object that should be dropped.
797 /// Additionally, it does not drop `src`. Semantically, `src` is moved into the
798 /// location pointed to by `dst`.
800 /// This is appropriate for initializing uninitialized memory, or overwriting
801 /// memory that has previously been read with [`read_unaligned`].
803 /// [`write`]: ./fn.write.html
804 /// [`read_unaligned`]: ./fn.read_unaligned.html
808 /// Behavior is undefined if any of the following conditions are violated:
810 /// * `dst` must be [valid] for writes.
812 /// Note that even if `T` has size `0`, the pointer must be non-NULL.
814 /// [valid]: ../ptr/index.html#safety
816 /// ## On `packed` structs
818 /// It is currently impossible to create raw pointers to unaligned fields
819 /// of a packed struct.
821 /// Attempting to create a raw pointer to an `unaligned` struct field with
822 /// an expression such as `&packed.unaligned as *const FieldType` creates an
823 /// intermediate unaligned reference before converting that to a raw pointer.
824 /// That this reference is temporary and immediately cast is inconsequential
825 /// as the compiler always expects references to be properly aligned.
826 /// As a result, using `&packed.unaligned as *const FieldType` causes immediate
827 /// *undefined behavior* in your program.
829 /// An example of what not to do and how this relates to `write_unaligned` is:
832 /// #[repr(packed, C)]
838 /// let v = 0x01020304;
839 /// let mut packed: Packed = unsafe { std::mem::zeroed() };
842 /// // Here we attempt to take the address of a 32-bit integer which is not aligned.
844 /// // A temporary unaligned reference is created here which results in
845 /// // undefined behavior regardless of whether the reference is used or not.
846 /// &mut packed.unaligned
847 /// // Casting to a raw pointer doesn't help; the mistake already happened.
850 /// std::ptr::write_unaligned(unaligned, v);
856 /// Accessing unaligned fields directly with e.g. `packed.unaligned` is safe however.
857 // FIXME: Update docs based on outcome of RFC #2582 and friends.
861 /// Write an usize value to a byte buffer:
866 /// fn write_usize(x: &mut [u8], val: usize) {
867 /// assert!(x.len() >= mem::size_of::<usize>());
869 /// let ptr = x.as_mut_ptr() as *mut usize;
871 /// unsafe { ptr.write_unaligned(val) }
875 #[stable(feature = "ptr_unaligned", since = "1.17.0")]
876 pub unsafe fn write_unaligned<T>(dst: *mut T, src: T) {
877 copy_nonoverlapping(&src as *const T as *const u8,
879 mem::size_of::<T>());
883 /// Performs a volatile read of the value from `src` without moving it. This
884 /// leaves the memory in `src` unchanged.
886 /// Volatile operations are intended to act on I/O memory, and are guaranteed
887 /// to not be elided or reordered by the compiler across other volatile
890 /// [`write_volatile`]: ./fn.write_volatile.html
894 /// Rust does not currently have a rigorously and formally defined memory model,
895 /// so the precise semantics of what "volatile" means here is subject to change
896 /// over time. That being said, the semantics will almost always end up pretty
897 /// similar to [C11's definition of volatile][c11].
899 /// The compiler shouldn't change the relative order or number of volatile
900 /// memory operations. However, volatile memory operations on zero-sized types
901 /// (e.g., if a zero-sized type is passed to `read_volatile`) are noops
902 /// and may be ignored.
904 /// [c11]: http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1570.pdf
908 /// Behavior is undefined if any of the following conditions are violated:
910 /// * `src` must be [valid] for reads.
912 /// * `src` must be properly aligned.
914 /// Like [`read`], `read_volatile` creates a bitwise copy of `T`, regardless of
915 /// whether `T` is [`Copy`]. If `T` is not [`Copy`], using both the returned
916 /// value and the value at `*src` can [violate memory safety][read-ownership].
917 /// However, storing non-[`Copy`] types in volatile memory is almost certainly
920 /// Note that even if `T` has size `0`, the pointer must be non-NULL and properly aligned.
922 /// [valid]: ../ptr/index.html#safety
923 /// [`Copy`]: ../marker/trait.Copy.html
924 /// [`read`]: ./fn.read.html
925 /// [read-ownership]: ./fn.read.html#ownership-of-the-returned-value
927 /// Just like in C, whether an operation is volatile has no bearing whatsoever
928 /// on questions involving concurrent access from multiple threads. Volatile
929 /// accesses behave exactly like non-atomic accesses in that regard. In particular,
930 /// a race between a `read_volatile` and any write operation to the same location
931 /// is undefined behavior.
939 /// let y = &x as *const i32;
942 /// assert_eq!(std::ptr::read_volatile(y), 12);
946 #[stable(feature = "volatile", since = "1.9.0")]
947 pub unsafe fn read_volatile<T>(src: *const T) -> T {
948 intrinsics::volatile_load(src)
951 /// Performs a volatile write of a memory location with the given value without
952 /// reading or dropping the old value.
954 /// Volatile operations are intended to act on I/O memory, and are guaranteed
955 /// to not be elided or reordered by the compiler across other volatile
958 /// `write_volatile` does not drop the contents of `dst`. This is safe, but it
959 /// could leak allocations or resources, so care should be taken not to overwrite
960 /// an object that should be dropped.
962 /// Additionally, it does not drop `src`. Semantically, `src` is moved into the
963 /// location pointed to by `dst`.
965 /// [`read_volatile`]: ./fn.read_volatile.html
969 /// Rust does not currently have a rigorously and formally defined memory model,
970 /// so the precise semantics of what "volatile" means here is subject to change
971 /// over time. That being said, the semantics will almost always end up pretty
972 /// similar to [C11's definition of volatile][c11].
974 /// The compiler shouldn't change the relative order or number of volatile
975 /// memory operations. However, volatile memory operations on zero-sized types
976 /// (e.g., if a zero-sized type is passed to `write_volatile`) are noops
977 /// and may be ignored.
979 /// [c11]: http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1570.pdf
983 /// Behavior is undefined if any of the following conditions are violated:
985 /// * `dst` must be [valid] for writes.
987 /// * `dst` must be properly aligned.
989 /// Note that even if `T` has size `0`, the pointer must be non-NULL and properly aligned.
991 /// [valid]: ../ptr/index.html#safety
993 /// Just like in C, whether an operation is volatile has no bearing whatsoever
994 /// on questions involving concurrent access from multiple threads. Volatile
995 /// accesses behave exactly like non-atomic accesses in that regard. In particular,
996 /// a race between a `write_volatile` and any other operation (reading or writing)
997 /// on the same location is undefined behavior.
1005 /// let y = &mut x as *mut i32;
1009 /// std::ptr::write_volatile(y, z);
1010 /// assert_eq!(std::ptr::read_volatile(y), 12);
1014 #[stable(feature = "volatile", since = "1.9.0")]
1015 pub unsafe fn write_volatile<T>(dst: *mut T, src: T) {
1016 intrinsics::volatile_store(dst, src);
1019 #[lang = "const_ptr"]
1020 impl<T: ?Sized> *const T {
1021 /// Returns `true` if the pointer is null.
1023 /// Note that unsized types have many possible null pointers, as only the
1024 /// raw data pointer is considered, not their length, vtable, etc.
1025 /// Therefore, two pointers that are null may still not compare equal to
1033 /// let s: &str = "Follow the rabbit";
1034 /// let ptr: *const u8 = s.as_ptr();
1035 /// assert!(!ptr.is_null());
1037 #[stable(feature = "rust1", since = "1.0.0")]
1039 pub fn is_null(self) -> bool {
1040 // Compare via a cast to a thin pointer, so fat pointers are only
1041 // considering their "data" part for null-ness.
1042 (self as *const u8) == null()
1045 /// Cast to a pointer to a different type
1046 #[stable(feature = "ptr_cast", since = "1.38.0")]
1048 pub const fn cast<U>(self) -> *const U {
1052 /// Returns `None` if the pointer is null, or else returns a reference to
1053 /// the value wrapped in `Some`.
1057 /// While this method and its mutable counterpart are useful for
1058 /// null-safety, it is important to note that this is still an unsafe
1059 /// operation because the returned value could be pointing to invalid
1062 /// When calling this method, you have to ensure that if the pointer is
1063 /// non-NULL, then it is properly aligned, dereferencable (for the whole
1064 /// size of `T`) and points to an initialized instance of `T`. This applies
1065 /// even if the result of this method is unused!
1066 /// (The part about being initialized is not yet fully decided, but until
1067 /// it is, the only safe approach is to ensure that they are indeed initialized.)
1069 /// Additionally, the lifetime `'a` returned is arbitrarily chosen and does
1070 /// not necessarily reflect the actual lifetime of the data. It is up to the
1071 /// caller to ensure that for the duration of this lifetime, the memory this
1072 /// pointer points to does not get written to outside of `UnsafeCell<U>`.
1079 /// let ptr: *const u8 = &10u8 as *const u8;
1082 /// if let Some(val_back) = ptr.as_ref() {
1083 /// println!("We got back the value: {}!", val_back);
1088 /// # Null-unchecked version
1090 /// If you are sure the pointer can never be null and are looking for some kind of
1091 /// `as_ref_unchecked` that returns the `&T` instead of `Option<&T>`, know that you can
1092 /// dereference the pointer directly.
1095 /// let ptr: *const u8 = &10u8 as *const u8;
1098 /// let val_back = &*ptr;
1099 /// println!("We got back the value: {}!", val_back);
1102 #[stable(feature = "ptr_as_ref", since = "1.9.0")]
1104 pub unsafe fn as_ref<'a>(self) -> Option<&'a T> {
1112 /// Calculates the offset from a pointer.
1114 /// `count` is in units of T; e.g., a `count` of 3 represents a pointer
1115 /// offset of `3 * size_of::<T>()` bytes.
1119 /// If any of the following conditions are violated, the result is Undefined
1122 /// * Both the starting and resulting pointer must be either in bounds or one
1123 /// byte past the end of the same allocated object. Note that in Rust,
1124 /// every (stack-allocated) variable is considered a separate allocated object.
1126 /// * The computed offset, **in bytes**, cannot overflow an `isize`.
1128 /// * The offset being in bounds cannot rely on "wrapping around" the address
1129 /// space. That is, the infinite-precision sum, **in bytes** must fit in a usize.
1131 /// The compiler and standard library generally tries to ensure allocations
1132 /// never reach a size where an offset is a concern. For instance, `Vec`
1133 /// and `Box` ensure they never allocate more than `isize::MAX` bytes, so
1134 /// `vec.as_ptr().add(vec.len())` is always safe.
1136 /// Most platforms fundamentally can't even construct such an allocation.
1137 /// For instance, no known 64-bit platform can ever serve a request
1138 /// for 2<sup>63</sup> bytes due to page-table limitations or splitting the address space.
1139 /// However, some 32-bit and 16-bit platforms may successfully serve a request for
1140 /// more than `isize::MAX` bytes with things like Physical Address
1141 /// Extension. As such, memory acquired directly from allocators or memory
1142 /// mapped files *may* be too large to handle with this function.
1144 /// Consider using `wrapping_offset` instead if these constraints are
1145 /// difficult to satisfy. The only advantage of this method is that it
1146 /// enables more aggressive compiler optimizations.
1153 /// let s: &str = "123";
1154 /// let ptr: *const u8 = s.as_ptr();
1157 /// println!("{}", *ptr.offset(1) as char);
1158 /// println!("{}", *ptr.offset(2) as char);
1161 #[stable(feature = "rust1", since = "1.0.0")]
1163 pub unsafe fn offset(self, count: isize) -> *const T where T: Sized {
1164 intrinsics::offset(self, count)
1167 /// Calculates the offset from a pointer using wrapping arithmetic.
1169 /// `count` is in units of T; e.g., a `count` of 3 represents a pointer
1170 /// offset of `3 * size_of::<T>()` bytes.
1174 /// The resulting pointer does not need to be in bounds, but it is
1175 /// potentially hazardous to dereference (which requires `unsafe`).
1176 /// In particular, the resulting pointer may *not* be used to access a
1177 /// different allocated object than the one `self` points to. In other
1178 /// words, `x.wrapping_offset(y.wrapping_offset_from(x))` is
1179 /// *not* the same as `y`, and dereferencing it is undefined behavior
1180 /// unless `x` and `y` point into the same allocated object.
1182 /// Always use `.offset(count)` instead when possible, because `offset`
1183 /// allows the compiler to optimize better. If you need to cross object
1184 /// boundaries, cast the pointer to an integer and do the arithmetic there.
1191 /// // Iterate using a raw pointer in increments of two elements
1192 /// let data = [1u8, 2, 3, 4, 5];
1193 /// let mut ptr: *const u8 = data.as_ptr();
1195 /// let end_rounded_up = ptr.wrapping_offset(6);
1197 /// // This loop prints "1, 3, 5, "
1198 /// while ptr != end_rounded_up {
1200 /// print!("{}, ", *ptr);
1202 /// ptr = ptr.wrapping_offset(step);
1205 #[stable(feature = "ptr_wrapping_offset", since = "1.16.0")]
1207 pub fn wrapping_offset(self, count: isize) -> *const T where T: Sized {
1209 intrinsics::arith_offset(self, count)
1213 /// Calculates the distance between two pointers. The returned value is in
1214 /// units of T: the distance in bytes is divided by `mem::size_of::<T>()`.
1216 /// This function is the inverse of [`offset`].
1218 /// [`offset`]: #method.offset
1219 /// [`wrapping_offset_from`]: #method.wrapping_offset_from
1223 /// If any of the following conditions are violated, the result is Undefined
1226 /// * Both the starting and other pointer must be either in bounds or one
1227 /// byte past the end of the same allocated object. Note that in Rust,
1228 /// every (stack-allocated) variable is considered a separate allocated object.
1230 /// * The distance between the pointers, **in bytes**, cannot overflow an `isize`.
1232 /// * The distance between the pointers, in bytes, must be an exact multiple
1233 /// of the size of `T`.
1235 /// * The distance being in bounds cannot rely on "wrapping around" the address space.
1237 /// The compiler and standard library generally try to ensure allocations
1238 /// never reach a size where an offset is a concern. For instance, `Vec`
1239 /// and `Box` ensure they never allocate more than `isize::MAX` bytes, so
1240 /// `ptr_into_vec.offset_from(vec.as_ptr())` is always safe.
1242 /// Most platforms fundamentally can't even construct such an allocation.
1243 /// For instance, no known 64-bit platform can ever serve a request
1244 /// for 2<sup>63</sup> bytes due to page-table limitations or splitting the address space.
1245 /// However, some 32-bit and 16-bit platforms may successfully serve a request for
1246 /// more than `isize::MAX` bytes with things like Physical Address
1247 /// Extension. As such, memory acquired directly from allocators or memory
1248 /// mapped files *may* be too large to handle with this function.
1250 /// Consider using [`wrapping_offset_from`] instead if these constraints are
1251 /// difficult to satisfy. The only advantage of this method is that it
1252 /// enables more aggressive compiler optimizations.
1256 /// This function panics if `T` is a Zero-Sized Type ("ZST").
1263 /// #![feature(ptr_offset_from)]
1266 /// let ptr1: *const i32 = &a[1];
1267 /// let ptr2: *const i32 = &a[3];
1269 /// assert_eq!(ptr2.offset_from(ptr1), 2);
1270 /// assert_eq!(ptr1.offset_from(ptr2), -2);
1271 /// assert_eq!(ptr1.offset(2), ptr2);
1272 /// assert_eq!(ptr2.offset(-2), ptr1);
1275 #[unstable(feature = "ptr_offset_from", issue = "41079")]
1277 pub unsafe fn offset_from(self, origin: *const T) -> isize where T: Sized {
1278 let pointee_size = mem::size_of::<T>();
1279 assert!(0 < pointee_size && pointee_size <= isize::max_value() as usize);
1281 // This is the same sequence that Clang emits for pointer subtraction.
1282 // It can be neither `nsw` nor `nuw` because the input is treated as
1283 // unsigned but then the output is treated as signed, so neither works.
1284 let d = isize::wrapping_sub(self as _, origin as _);
1285 intrinsics::exact_div(d, pointee_size as _)
1288 /// Calculates the distance between two pointers. The returned value is in
1289 /// units of T: the distance in bytes is divided by `mem::size_of::<T>()`.
1291 /// If the address different between the two pointers is not a multiple of
1292 /// `mem::size_of::<T>()` then the result of the division is rounded towards
1295 /// Though this method is safe for any two pointers, note that its result
1296 /// will be mostly useless if the two pointers aren't into the same allocated
1297 /// object, for example if they point to two different local variables.
1301 /// This function panics if `T` is a zero-sized type.
1308 /// #![feature(ptr_wrapping_offset_from)]
1311 /// let ptr1: *const i32 = &a[1];
1312 /// let ptr2: *const i32 = &a[3];
1313 /// assert_eq!(ptr2.wrapping_offset_from(ptr1), 2);
1314 /// assert_eq!(ptr1.wrapping_offset_from(ptr2), -2);
1315 /// assert_eq!(ptr1.wrapping_offset(2), ptr2);
1316 /// assert_eq!(ptr2.wrapping_offset(-2), ptr1);
1318 /// let ptr1: *const i32 = 3 as _;
1319 /// let ptr2: *const i32 = 13 as _;
1320 /// assert_eq!(ptr2.wrapping_offset_from(ptr1), 2);
1322 #[unstable(feature = "ptr_wrapping_offset_from", issue = "41079")]
1324 pub fn wrapping_offset_from(self, origin: *const T) -> isize where T: Sized {
1325 let pointee_size = mem::size_of::<T>();
1326 assert!(0 < pointee_size && pointee_size <= isize::max_value() as usize);
1328 let d = isize::wrapping_sub(self as _, origin as _);
1329 d.wrapping_div(pointee_size as _)
1332 /// Calculates the offset from a pointer (convenience for `.offset(count as isize)`).
1334 /// `count` is in units of T; e.g., a `count` of 3 represents a pointer
1335 /// offset of `3 * size_of::<T>()` bytes.
1339 /// If any of the following conditions are violated, the result is Undefined
1342 /// * Both the starting and resulting pointer must be either in bounds or one
1343 /// byte past the end of the same allocated object. Note that in Rust,
1344 /// every (stack-allocated) variable is considered a separate allocated object.
1346 /// * The computed offset, **in bytes**, cannot overflow an `isize`.
1348 /// * The offset being in bounds cannot rely on "wrapping around" the address
1349 /// space. That is, the infinite-precision sum must fit in a `usize`.
1351 /// The compiler and standard library generally tries to ensure allocations
1352 /// never reach a size where an offset is a concern. For instance, `Vec`
1353 /// and `Box` ensure they never allocate more than `isize::MAX` bytes, so
1354 /// `vec.as_ptr().add(vec.len())` is always safe.
1356 /// Most platforms fundamentally can't even construct such an allocation.
1357 /// For instance, no known 64-bit platform can ever serve a request
1358 /// for 2<sup>63</sup> bytes due to page-table limitations or splitting the address space.
1359 /// However, some 32-bit and 16-bit platforms may successfully serve a request for
1360 /// more than `isize::MAX` bytes with things like Physical Address
1361 /// Extension. As such, memory acquired directly from allocators or memory
1362 /// mapped files *may* be too large to handle with this function.
1364 /// Consider using `wrapping_offset` instead if these constraints are
1365 /// difficult to satisfy. The only advantage of this method is that it
1366 /// enables more aggressive compiler optimizations.
1373 /// let s: &str = "123";
1374 /// let ptr: *const u8 = s.as_ptr();
1377 /// println!("{}", *ptr.add(1) as char);
1378 /// println!("{}", *ptr.add(2) as char);
1381 #[stable(feature = "pointer_methods", since = "1.26.0")]
1383 pub unsafe fn add(self, count: usize) -> Self
1386 self.offset(count as isize)
1389 /// Calculates the offset from a pointer (convenience for
1390 /// `.offset((count as isize).wrapping_neg())`).
1392 /// `count` is in units of T; e.g., a `count` of 3 represents a pointer
1393 /// offset of `3 * size_of::<T>()` bytes.
1397 /// If any of the following conditions are violated, the result is Undefined
1400 /// * Both the starting and resulting pointer must be either in bounds or one
1401 /// byte past the end of the same allocated object. Note that in Rust,
1402 /// every (stack-allocated) variable is considered a separate allocated object.
1404 /// * The computed offset cannot exceed `isize::MAX` **bytes**.
1406 /// * The offset being in bounds cannot rely on "wrapping around" the address
1407 /// space. That is, the infinite-precision sum must fit in a usize.
1409 /// The compiler and standard library generally tries to ensure allocations
1410 /// never reach a size where an offset is a concern. For instance, `Vec`
1411 /// and `Box` ensure they never allocate more than `isize::MAX` bytes, so
1412 /// `vec.as_ptr().add(vec.len()).sub(vec.len())` is always safe.
1414 /// Most platforms fundamentally can't even construct such an allocation.
1415 /// For instance, no known 64-bit platform can ever serve a request
1416 /// for 2<sup>63</sup> bytes due to page-table limitations or splitting the address space.
1417 /// However, some 32-bit and 16-bit platforms may successfully serve a request for
1418 /// more than `isize::MAX` bytes with things like Physical Address
1419 /// Extension. As such, memory acquired directly from allocators or memory
1420 /// mapped files *may* be too large to handle with this function.
1422 /// Consider using `wrapping_offset` instead if these constraints are
1423 /// difficult to satisfy. The only advantage of this method is that it
1424 /// enables more aggressive compiler optimizations.
1431 /// let s: &str = "123";
1434 /// let end: *const u8 = s.as_ptr().add(3);
1435 /// println!("{}", *end.sub(1) as char);
1436 /// println!("{}", *end.sub(2) as char);
1439 #[stable(feature = "pointer_methods", since = "1.26.0")]
1441 pub unsafe fn sub(self, count: usize) -> Self
1444 self.offset((count as isize).wrapping_neg())
1447 /// Calculates the offset from a pointer using wrapping arithmetic.
1448 /// (convenience for `.wrapping_offset(count as isize)`)
1450 /// `count` is in units of T; e.g., a `count` of 3 represents a pointer
1451 /// offset of `3 * size_of::<T>()` bytes.
1455 /// The resulting pointer does not need to be in bounds, but it is
1456 /// potentially hazardous to dereference (which requires `unsafe`).
1458 /// Always use `.add(count)` instead when possible, because `add`
1459 /// allows the compiler to optimize better.
1466 /// // Iterate using a raw pointer in increments of two elements
1467 /// let data = [1u8, 2, 3, 4, 5];
1468 /// let mut ptr: *const u8 = data.as_ptr();
1470 /// let end_rounded_up = ptr.wrapping_add(6);
1472 /// // This loop prints "1, 3, 5, "
1473 /// while ptr != end_rounded_up {
1475 /// print!("{}, ", *ptr);
1477 /// ptr = ptr.wrapping_add(step);
1480 #[stable(feature = "pointer_methods", since = "1.26.0")]
1482 pub fn wrapping_add(self, count: usize) -> Self
1485 self.wrapping_offset(count as isize)
1488 /// Calculates the offset from a pointer using wrapping arithmetic.
1489 /// (convenience for `.wrapping_offset((count as isize).wrapping_sub())`)
1491 /// `count` is in units of T; e.g., a `count` of 3 represents a pointer
1492 /// offset of `3 * size_of::<T>()` bytes.
1496 /// The resulting pointer does not need to be in bounds, but it is
1497 /// potentially hazardous to dereference (which requires `unsafe`).
1499 /// Always use `.sub(count)` instead when possible, because `sub`
1500 /// allows the compiler to optimize better.
1507 /// // Iterate using a raw pointer in increments of two elements (backwards)
1508 /// let data = [1u8, 2, 3, 4, 5];
1509 /// let mut ptr: *const u8 = data.as_ptr();
1510 /// let start_rounded_down = ptr.wrapping_sub(2);
1511 /// ptr = ptr.wrapping_add(4);
1513 /// // This loop prints "5, 3, 1, "
1514 /// while ptr != start_rounded_down {
1516 /// print!("{}, ", *ptr);
1518 /// ptr = ptr.wrapping_sub(step);
1521 #[stable(feature = "pointer_methods", since = "1.26.0")]
1523 pub fn wrapping_sub(self, count: usize) -> Self
1526 self.wrapping_offset((count as isize).wrapping_neg())
1529 /// Reads the value from `self` without moving it. This leaves the
1530 /// memory in `self` unchanged.
1532 /// See [`ptr::read`] for safety concerns and examples.
1534 /// [`ptr::read`]: ./ptr/fn.read.html
1535 #[stable(feature = "pointer_methods", since = "1.26.0")]
1537 pub unsafe fn read(self) -> T
1543 /// Performs a volatile read of the value from `self` without moving it. This
1544 /// leaves the memory in `self` unchanged.
1546 /// Volatile operations are intended to act on I/O memory, and are guaranteed
1547 /// to not be elided or reordered by the compiler across other volatile
1550 /// See [`ptr::read_volatile`] for safety concerns and examples.
1552 /// [`ptr::read_volatile`]: ./ptr/fn.read_volatile.html
1553 #[stable(feature = "pointer_methods", since = "1.26.0")]
1555 pub unsafe fn read_volatile(self) -> T
1561 /// Reads the value from `self` without moving it. This leaves the
1562 /// memory in `self` unchanged.
1564 /// Unlike `read`, the pointer may be unaligned.
1566 /// See [`ptr::read_unaligned`] for safety concerns and examples.
1568 /// [`ptr::read_unaligned`]: ./ptr/fn.read_unaligned.html
1569 #[stable(feature = "pointer_methods", since = "1.26.0")]
1571 pub unsafe fn read_unaligned(self) -> T
1574 read_unaligned(self)
1577 /// Copies `count * size_of<T>` bytes from `self` to `dest`. The source
1578 /// and destination may overlap.
1580 /// NOTE: this has the *same* argument order as [`ptr::copy`].
1582 /// See [`ptr::copy`] for safety concerns and examples.
1584 /// [`ptr::copy`]: ./ptr/fn.copy.html
1585 #[stable(feature = "pointer_methods", since = "1.26.0")]
1587 pub unsafe fn copy_to(self, dest: *mut T, count: usize)
1590 copy(self, dest, count)
1593 /// Copies `count * size_of<T>` bytes from `self` to `dest`. The source
1594 /// and destination may *not* overlap.
1596 /// NOTE: this has the *same* argument order as [`ptr::copy_nonoverlapping`].
1598 /// See [`ptr::copy_nonoverlapping`] for safety concerns and examples.
1600 /// [`ptr::copy_nonoverlapping`]: ./ptr/fn.copy_nonoverlapping.html
1601 #[stable(feature = "pointer_methods", since = "1.26.0")]
1603 pub unsafe fn copy_to_nonoverlapping(self, dest: *mut T, count: usize)
1606 copy_nonoverlapping(self, dest, count)
1609 /// Computes the offset that needs to be applied to the pointer in order to make it aligned to
1612 /// If it is not possible to align the pointer, the implementation returns
1613 /// `usize::max_value()`.
1615 /// The offset is expressed in number of `T` elements, and not bytes. The value returned can be
1616 /// used with the `add` method.
1618 /// There are no guarantees whatsoever that offsetting the pointer will not overflow or go
1619 /// beyond the allocation that the pointer points into. It is up to the caller to ensure that
1620 /// the returned offset is correct in all terms other than alignment.
1624 /// The function panics if `align` is not a power-of-two.
1628 /// Accessing adjacent `u8` as `u16`
1631 /// # fn foo(n: usize) {
1632 /// # use std::mem::align_of;
1634 /// let x = [5u8, 6u8, 7u8, 8u8, 9u8];
1635 /// let ptr = &x[n] as *const u8;
1636 /// let offset = ptr.align_offset(align_of::<u16>());
1637 /// if offset < x.len() - n - 1 {
1638 /// let u16_ptr = ptr.add(offset) as *const u16;
1639 /// assert_ne!(*u16_ptr, 500);
1641 /// // while the pointer can be aligned via `offset`, it would point
1642 /// // outside the allocation
1646 #[stable(feature = "align_offset", since = "1.36.0")]
1647 pub fn align_offset(self, align: usize) -> usize where T: Sized {
1648 if !align.is_power_of_two() {
1649 panic!("align_offset: align is not a power-of-two");
1652 align_offset(self, align)
1659 impl<T: ?Sized> *mut T {
1660 /// Returns `true` if the pointer is null.
1662 /// Note that unsized types have many possible null pointers, as only the
1663 /// raw data pointer is considered, not their length, vtable, etc.
1664 /// Therefore, two pointers that are null may still not compare equal to
1672 /// let mut s = [1, 2, 3];
1673 /// let ptr: *mut u32 = s.as_mut_ptr();
1674 /// assert!(!ptr.is_null());
1676 #[stable(feature = "rust1", since = "1.0.0")]
1678 pub fn is_null(self) -> bool {
1679 // Compare via a cast to a thin pointer, so fat pointers are only
1680 // considering their "data" part for null-ness.
1681 (self as *mut u8) == null_mut()
1684 /// Cast to a pointer to a different type
1685 #[stable(feature = "ptr_cast", since = "1.38.0")]
1687 pub const fn cast<U>(self) -> *mut U {
1691 /// Returns `None` if the pointer is null, or else returns a reference to
1692 /// the value wrapped in `Some`.
1696 /// While this method and its mutable counterpart are useful for
1697 /// null-safety, it is important to note that this is still an unsafe
1698 /// operation because the returned value could be pointing to invalid
1701 /// When calling this method, you have to ensure that if the pointer is
1702 /// non-NULL, then it is properly aligned, dereferencable (for the whole
1703 /// size of `T`) and points to an initialized instance of `T`. This applies
1704 /// even if the result of this method is unused!
1705 /// (The part about being initialized is not yet fully decided, but until
1706 /// it is, the only safe approach is to ensure that they are indeed initialized.)
1708 /// Additionally, the lifetime `'a` returned is arbitrarily chosen and does
1709 /// not necessarily reflect the actual lifetime of the data. It is up to the
1710 /// caller to ensure that for the duration of this lifetime, the memory this
1711 /// pointer points to does not get written to outside of `UnsafeCell<U>`.
1718 /// let ptr: *mut u8 = &mut 10u8 as *mut u8;
1721 /// if let Some(val_back) = ptr.as_ref() {
1722 /// println!("We got back the value: {}!", val_back);
1727 /// # Null-unchecked version
1729 /// If you are sure the pointer can never be null and are looking for some kind of
1730 /// `as_ref_unchecked` that returns the `&T` instead of `Option<&T>`, know that you can
1731 /// dereference the pointer directly.
1734 /// let ptr: *mut u8 = &mut 10u8 as *mut u8;
1737 /// let val_back = &*ptr;
1738 /// println!("We got back the value: {}!", val_back);
1741 #[stable(feature = "ptr_as_ref", since = "1.9.0")]
1743 pub unsafe fn as_ref<'a>(self) -> Option<&'a T> {
1751 /// Calculates the offset from a pointer.
1753 /// `count` is in units of T; e.g., a `count` of 3 represents a pointer
1754 /// offset of `3 * size_of::<T>()` bytes.
1758 /// If any of the following conditions are violated, the result is Undefined
1761 /// * Both the starting and resulting pointer must be either in bounds or one
1762 /// byte past the end of the same allocated object. Note that in Rust,
1763 /// every (stack-allocated) variable is considered a separate allocated object.
1765 /// * The computed offset, **in bytes**, cannot overflow an `isize`.
1767 /// * The offset being in bounds cannot rely on "wrapping around" the address
1768 /// space. That is, the infinite-precision sum, **in bytes** must fit in a usize.
1770 /// The compiler and standard library generally tries to ensure allocations
1771 /// never reach a size where an offset is a concern. For instance, `Vec`
1772 /// and `Box` ensure they never allocate more than `isize::MAX` bytes, so
1773 /// `vec.as_ptr().add(vec.len())` is always safe.
1775 /// Most platforms fundamentally can't even construct such an allocation.
1776 /// For instance, no known 64-bit platform can ever serve a request
1777 /// for 2<sup>63</sup> bytes due to page-table limitations or splitting the address space.
1778 /// However, some 32-bit and 16-bit platforms may successfully serve a request for
1779 /// more than `isize::MAX` bytes with things like Physical Address
1780 /// Extension. As such, memory acquired directly from allocators or memory
1781 /// mapped files *may* be too large to handle with this function.
1783 /// Consider using `wrapping_offset` instead if these constraints are
1784 /// difficult to satisfy. The only advantage of this method is that it
1785 /// enables more aggressive compiler optimizations.
1792 /// let mut s = [1, 2, 3];
1793 /// let ptr: *mut u32 = s.as_mut_ptr();
1796 /// println!("{}", *ptr.offset(1));
1797 /// println!("{}", *ptr.offset(2));
1800 #[stable(feature = "rust1", since = "1.0.0")]
1802 pub unsafe fn offset(self, count: isize) -> *mut T where T: Sized {
1803 intrinsics::offset(self, count) as *mut T
1806 /// Calculates the offset from a pointer using wrapping arithmetic.
1807 /// `count` is in units of T; e.g., a `count` of 3 represents a pointer
1808 /// offset of `3 * size_of::<T>()` bytes.
1812 /// The resulting pointer does not need to be in bounds, but it is
1813 /// potentially hazardous to dereference (which requires `unsafe`).
1814 /// In particular, the resulting pointer may *not* be used to access a
1815 /// different allocated object than the one `self` points to. In other
1816 /// words, `x.wrapping_offset(y.wrapping_offset_from(x))` is
1817 /// *not* the same as `y`, and dereferencing it is undefined behavior
1818 /// unless `x` and `y` point into the same allocated object.
1820 /// Always use `.offset(count)` instead when possible, because `offset`
1821 /// allows the compiler to optimize better. If you need to cross object
1822 /// boundaries, cast the pointer to an integer and do the arithmetic there.
1829 /// // Iterate using a raw pointer in increments of two elements
1830 /// let mut data = [1u8, 2, 3, 4, 5];
1831 /// let mut ptr: *mut u8 = data.as_mut_ptr();
1833 /// let end_rounded_up = ptr.wrapping_offset(6);
1835 /// while ptr != end_rounded_up {
1839 /// ptr = ptr.wrapping_offset(step);
1841 /// assert_eq!(&data, &[0, 2, 0, 4, 0]);
1843 #[stable(feature = "ptr_wrapping_offset", since = "1.16.0")]
1845 pub fn wrapping_offset(self, count: isize) -> *mut T where T: Sized {
1847 intrinsics::arith_offset(self, count) as *mut T
1851 /// Returns `None` if the pointer is null, or else returns a mutable
1852 /// reference to the value wrapped in `Some`.
1856 /// As with [`as_ref`], this is unsafe because it cannot verify the validity
1857 /// of the returned pointer, nor can it ensure that the lifetime `'a`
1858 /// returned is indeed a valid lifetime for the contained data.
1860 /// When calling this method, you have to ensure that if the pointer is
1861 /// non-NULL, then it is properly aligned, dereferencable (for the whole
1862 /// size of `T`) and points to an initialized instance of `T`. This applies
1863 /// even if the result of this method is unused!
1864 /// (The part about being initialized is not yet fully decided, but until
1865 /// it is the only safe approach is to ensure that they are indeed initialized.)
1867 /// Additionally, the lifetime `'a` returned is arbitrarily chosen and does
1868 /// not necessarily reflect the actual lifetime of the data. It is up to the
1869 /// caller to ensure that for the duration of this lifetime, the memory this
1870 /// pointer points to does not get accessed through any other pointer.
1872 /// [`as_ref`]: #method.as_ref
1879 /// let mut s = [1, 2, 3];
1880 /// let ptr: *mut u32 = s.as_mut_ptr();
1881 /// let first_value = unsafe { ptr.as_mut().unwrap() };
1882 /// *first_value = 4;
1883 /// println!("{:?}", s); // It'll print: "[4, 2, 3]".
1885 #[stable(feature = "ptr_as_ref", since = "1.9.0")]
1887 pub unsafe fn as_mut<'a>(self) -> Option<&'a mut T> {
1895 /// Calculates the distance between two pointers. The returned value is in
1896 /// units of T: the distance in bytes is divided by `mem::size_of::<T>()`.
1898 /// This function is the inverse of [`offset`].
1900 /// [`offset`]: #method.offset-1
1901 /// [`wrapping_offset_from`]: #method.wrapping_offset_from-1
1905 /// If any of the following conditions are violated, the result is Undefined
1908 /// * Both the starting and other pointer must be either in bounds or one
1909 /// byte past the end of the same allocated object. Note that in Rust,
1910 /// every (stack-allocated) variable is considered a separate allocated object.
1912 /// * The distance between the pointers, **in bytes**, cannot overflow an `isize`.
1914 /// * The distance between the pointers, in bytes, must be an exact multiple
1915 /// of the size of `T`.
1917 /// * The distance being in bounds cannot rely on "wrapping around" the address space.
1919 /// The compiler and standard library generally try to ensure allocations
1920 /// never reach a size where an offset is a concern. For instance, `Vec`
1921 /// and `Box` ensure they never allocate more than `isize::MAX` bytes, so
1922 /// `ptr_into_vec.offset_from(vec.as_ptr())` is always safe.
1924 /// Most platforms fundamentally can't even construct such an allocation.
1925 /// For instance, no known 64-bit platform can ever serve a request
1926 /// for 2<sup>63</sup> bytes due to page-table limitations or splitting the address space.
1927 /// However, some 32-bit and 16-bit platforms may successfully serve a request for
1928 /// more than `isize::MAX` bytes with things like Physical Address
1929 /// Extension. As such, memory acquired directly from allocators or memory
1930 /// mapped files *may* be too large to handle with this function.
1932 /// Consider using [`wrapping_offset_from`] instead if these constraints are
1933 /// difficult to satisfy. The only advantage of this method is that it
1934 /// enables more aggressive compiler optimizations.
1938 /// This function panics if `T` is a Zero-Sized Type ("ZST").
1945 /// #![feature(ptr_offset_from)]
1947 /// let mut a = [0; 5];
1948 /// let ptr1: *mut i32 = &mut a[1];
1949 /// let ptr2: *mut i32 = &mut a[3];
1951 /// assert_eq!(ptr2.offset_from(ptr1), 2);
1952 /// assert_eq!(ptr1.offset_from(ptr2), -2);
1953 /// assert_eq!(ptr1.offset(2), ptr2);
1954 /// assert_eq!(ptr2.offset(-2), ptr1);
1957 #[unstable(feature = "ptr_offset_from", issue = "41079")]
1959 pub unsafe fn offset_from(self, origin: *const T) -> isize where T: Sized {
1960 (self as *const T).offset_from(origin)
1963 /// Calculates the distance between two pointers. The returned value is in
1964 /// units of T: the distance in bytes is divided by `mem::size_of::<T>()`.
1966 /// If the address different between the two pointers is not a multiple of
1967 /// `mem::size_of::<T>()` then the result of the division is rounded towards
1970 /// Though this method is safe for any two pointers, note that its result
1971 /// will be mostly useless if the two pointers aren't into the same allocated
1972 /// object, for example if they point to two different local variables.
1976 /// This function panics if `T` is a zero-sized type.
1983 /// #![feature(ptr_wrapping_offset_from)]
1985 /// let mut a = [0; 5];
1986 /// let ptr1: *mut i32 = &mut a[1];
1987 /// let ptr2: *mut i32 = &mut a[3];
1988 /// assert_eq!(ptr2.wrapping_offset_from(ptr1), 2);
1989 /// assert_eq!(ptr1.wrapping_offset_from(ptr2), -2);
1990 /// assert_eq!(ptr1.wrapping_offset(2), ptr2);
1991 /// assert_eq!(ptr2.wrapping_offset(-2), ptr1);
1993 /// let ptr1: *mut i32 = 3 as _;
1994 /// let ptr2: *mut i32 = 13 as _;
1995 /// assert_eq!(ptr2.wrapping_offset_from(ptr1), 2);
1997 #[unstable(feature = "ptr_wrapping_offset_from", issue = "41079")]
1999 pub fn wrapping_offset_from(self, origin: *const T) -> isize where T: Sized {
2000 (self as *const T).wrapping_offset_from(origin)
2003 /// Calculates the offset from a pointer (convenience for `.offset(count as isize)`).
2005 /// `count` is in units of T; e.g., a `count` of 3 represents a pointer
2006 /// offset of `3 * size_of::<T>()` bytes.
2010 /// If any of the following conditions are violated, the result is Undefined
2013 /// * Both the starting and resulting pointer must be either in bounds or one
2014 /// byte past the end of the same allocated object. Note that in Rust,
2015 /// every (stack-allocated) variable is considered a separate allocated object.
2017 /// * The computed offset, **in bytes**, cannot overflow an `isize`.
2019 /// * The offset being in bounds cannot rely on "wrapping around" the address
2020 /// space. That is, the infinite-precision sum must fit in a `usize`.
2022 /// The compiler and standard library generally tries to ensure allocations
2023 /// never reach a size where an offset is a concern. For instance, `Vec`
2024 /// and `Box` ensure they never allocate more than `isize::MAX` bytes, so
2025 /// `vec.as_ptr().add(vec.len())` is always safe.
2027 /// Most platforms fundamentally can't even construct such an allocation.
2028 /// For instance, no known 64-bit platform can ever serve a request
2029 /// for 2<sup>63</sup> bytes due to page-table limitations or splitting the address space.
2030 /// However, some 32-bit and 16-bit platforms may successfully serve a request for
2031 /// more than `isize::MAX` bytes with things like Physical Address
2032 /// Extension. As such, memory acquired directly from allocators or memory
2033 /// mapped files *may* be too large to handle with this function.
2035 /// Consider using `wrapping_offset` instead if these constraints are
2036 /// difficult to satisfy. The only advantage of this method is that it
2037 /// enables more aggressive compiler optimizations.
2044 /// let s: &str = "123";
2045 /// let ptr: *const u8 = s.as_ptr();
2048 /// println!("{}", *ptr.add(1) as char);
2049 /// println!("{}", *ptr.add(2) as char);
2052 #[stable(feature = "pointer_methods", since = "1.26.0")]
2054 pub unsafe fn add(self, count: usize) -> Self
2057 self.offset(count as isize)
2060 /// Calculates the offset from a pointer (convenience for
2061 /// `.offset((count as isize).wrapping_neg())`).
2063 /// `count` is in units of T; e.g., a `count` of 3 represents a pointer
2064 /// offset of `3 * size_of::<T>()` bytes.
2068 /// If any of the following conditions are violated, the result is Undefined
2071 /// * Both the starting and resulting pointer must be either in bounds or one
2072 /// byte past the end of the same allocated object. Note that in Rust,
2073 /// every (stack-allocated) variable is considered a separate allocated object.
2075 /// * The computed offset cannot exceed `isize::MAX` **bytes**.
2077 /// * The offset being in bounds cannot rely on "wrapping around" the address
2078 /// space. That is, the infinite-precision sum must fit in a usize.
2080 /// The compiler and standard library generally tries to ensure allocations
2081 /// never reach a size where an offset is a concern. For instance, `Vec`
2082 /// and `Box` ensure they never allocate more than `isize::MAX` bytes, so
2083 /// `vec.as_ptr().add(vec.len()).sub(vec.len())` is always safe.
2085 /// Most platforms fundamentally can't even construct such an allocation.
2086 /// For instance, no known 64-bit platform can ever serve a request
2087 /// for 2<sup>63</sup> bytes due to page-table limitations or splitting the address space.
2088 /// However, some 32-bit and 16-bit platforms may successfully serve a request for
2089 /// more than `isize::MAX` bytes with things like Physical Address
2090 /// Extension. As such, memory acquired directly from allocators or memory
2091 /// mapped files *may* be too large to handle with this function.
2093 /// Consider using `wrapping_offset` instead if these constraints are
2094 /// difficult to satisfy. The only advantage of this method is that it
2095 /// enables more aggressive compiler optimizations.
2102 /// let s: &str = "123";
2105 /// let end: *const u8 = s.as_ptr().add(3);
2106 /// println!("{}", *end.sub(1) as char);
2107 /// println!("{}", *end.sub(2) as char);
2110 #[stable(feature = "pointer_methods", since = "1.26.0")]
2112 pub unsafe fn sub(self, count: usize) -> Self
2115 self.offset((count as isize).wrapping_neg())
2118 /// Calculates the offset from a pointer using wrapping arithmetic.
2119 /// (convenience for `.wrapping_offset(count as isize)`)
2121 /// `count` is in units of T; e.g., a `count` of 3 represents a pointer
2122 /// offset of `3 * size_of::<T>()` bytes.
2126 /// The resulting pointer does not need to be in bounds, but it is
2127 /// potentially hazardous to dereference (which requires `unsafe`).
2129 /// Always use `.add(count)` instead when possible, because `add`
2130 /// allows the compiler to optimize better.
2137 /// // Iterate using a raw pointer in increments of two elements
2138 /// let data = [1u8, 2, 3, 4, 5];
2139 /// let mut ptr: *const u8 = data.as_ptr();
2141 /// let end_rounded_up = ptr.wrapping_add(6);
2143 /// // This loop prints "1, 3, 5, "
2144 /// while ptr != end_rounded_up {
2146 /// print!("{}, ", *ptr);
2148 /// ptr = ptr.wrapping_add(step);
2151 #[stable(feature = "pointer_methods", since = "1.26.0")]
2153 pub fn wrapping_add(self, count: usize) -> Self
2156 self.wrapping_offset(count as isize)
2159 /// Calculates the offset from a pointer using wrapping arithmetic.
2160 /// (convenience for `.wrapping_offset((count as isize).wrapping_sub())`)
2162 /// `count` is in units of T; e.g., a `count` of 3 represents a pointer
2163 /// offset of `3 * size_of::<T>()` bytes.
2167 /// The resulting pointer does not need to be in bounds, but it is
2168 /// potentially hazardous to dereference (which requires `unsafe`).
2170 /// Always use `.sub(count)` instead when possible, because `sub`
2171 /// allows the compiler to optimize better.
2178 /// // Iterate using a raw pointer in increments of two elements (backwards)
2179 /// let data = [1u8, 2, 3, 4, 5];
2180 /// let mut ptr: *const u8 = data.as_ptr();
2181 /// let start_rounded_down = ptr.wrapping_sub(2);
2182 /// ptr = ptr.wrapping_add(4);
2184 /// // This loop prints "5, 3, 1, "
2185 /// while ptr != start_rounded_down {
2187 /// print!("{}, ", *ptr);
2189 /// ptr = ptr.wrapping_sub(step);
2192 #[stable(feature = "pointer_methods", since = "1.26.0")]
2194 pub fn wrapping_sub(self, count: usize) -> Self
2197 self.wrapping_offset((count as isize).wrapping_neg())
2200 /// Reads the value from `self` without moving it. This leaves the
2201 /// memory in `self` unchanged.
2203 /// See [`ptr::read`] for safety concerns and examples.
2205 /// [`ptr::read`]: ./ptr/fn.read.html
2206 #[stable(feature = "pointer_methods", since = "1.26.0")]
2208 pub unsafe fn read(self) -> T
2214 /// Performs a volatile read of the value from `self` without moving it. This
2215 /// leaves the memory in `self` unchanged.
2217 /// Volatile operations are intended to act on I/O memory, and are guaranteed
2218 /// to not be elided or reordered by the compiler across other volatile
2221 /// See [`ptr::read_volatile`] for safety concerns and examples.
2223 /// [`ptr::read_volatile`]: ./ptr/fn.read_volatile.html
2224 #[stable(feature = "pointer_methods", since = "1.26.0")]
2226 pub unsafe fn read_volatile(self) -> T
2232 /// Reads the value from `self` without moving it. This leaves the
2233 /// memory in `self` unchanged.
2235 /// Unlike `read`, the pointer may be unaligned.
2237 /// See [`ptr::read_unaligned`] for safety concerns and examples.
2239 /// [`ptr::read_unaligned`]: ./ptr/fn.read_unaligned.html
2240 #[stable(feature = "pointer_methods", since = "1.26.0")]
2242 pub unsafe fn read_unaligned(self) -> T
2245 read_unaligned(self)
2248 /// Copies `count * size_of<T>` bytes from `self` to `dest`. The source
2249 /// and destination may overlap.
2251 /// NOTE: this has the *same* argument order as [`ptr::copy`].
2253 /// See [`ptr::copy`] for safety concerns and examples.
2255 /// [`ptr::copy`]: ./ptr/fn.copy.html
2256 #[stable(feature = "pointer_methods", since = "1.26.0")]
2258 pub unsafe fn copy_to(self, dest: *mut T, count: usize)
2261 copy(self, dest, count)
2264 /// Copies `count * size_of<T>` bytes from `self` to `dest`. The source
2265 /// and destination may *not* overlap.
2267 /// NOTE: this has the *same* argument order as [`ptr::copy_nonoverlapping`].
2269 /// See [`ptr::copy_nonoverlapping`] for safety concerns and examples.
2271 /// [`ptr::copy_nonoverlapping`]: ./ptr/fn.copy_nonoverlapping.html
2272 #[stable(feature = "pointer_methods", since = "1.26.0")]
2274 pub unsafe fn copy_to_nonoverlapping(self, dest: *mut T, count: usize)
2277 copy_nonoverlapping(self, dest, count)
2280 /// Copies `count * size_of<T>` bytes from `src` to `self`. The source
2281 /// and destination may overlap.
2283 /// NOTE: this has the *opposite* argument order of [`ptr::copy`].
2285 /// See [`ptr::copy`] for safety concerns and examples.
2287 /// [`ptr::copy`]: ./ptr/fn.copy.html
2288 #[stable(feature = "pointer_methods", since = "1.26.0")]
2290 pub unsafe fn copy_from(self, src: *const T, count: usize)
2293 copy(src, self, count)
2296 /// Copies `count * size_of<T>` bytes from `src` to `self`. The source
2297 /// and destination may *not* overlap.
2299 /// NOTE: this has the *opposite* argument order of [`ptr::copy_nonoverlapping`].
2301 /// See [`ptr::copy_nonoverlapping`] for safety concerns and examples.
2303 /// [`ptr::copy_nonoverlapping`]: ./ptr/fn.copy_nonoverlapping.html
2304 #[stable(feature = "pointer_methods", since = "1.26.0")]
2306 pub unsafe fn copy_from_nonoverlapping(self, src: *const T, count: usize)
2309 copy_nonoverlapping(src, self, count)
2312 /// Executes the destructor (if any) of the pointed-to value.
2314 /// See [`ptr::drop_in_place`] for safety concerns and examples.
2316 /// [`ptr::drop_in_place`]: ./ptr/fn.drop_in_place.html
2317 #[stable(feature = "pointer_methods", since = "1.26.0")]
2319 pub unsafe fn drop_in_place(self) {
2323 /// Overwrites a memory location with the given value without reading or
2324 /// dropping the old value.
2326 /// See [`ptr::write`] for safety concerns and examples.
2328 /// [`ptr::write`]: ./ptr/fn.write.html
2329 #[stable(feature = "pointer_methods", since = "1.26.0")]
2331 pub unsafe fn write(self, val: T)
2337 /// Invokes memset on the specified pointer, setting `count * size_of::<T>()`
2338 /// bytes of memory starting at `self` to `val`.
2340 /// See [`ptr::write_bytes`] for safety concerns and examples.
2342 /// [`ptr::write_bytes`]: ./ptr/fn.write_bytes.html
2343 #[stable(feature = "pointer_methods", since = "1.26.0")]
2345 pub unsafe fn write_bytes(self, val: u8, count: usize)
2348 write_bytes(self, val, count)
2351 /// Performs a volatile write of a memory location with the given value without
2352 /// reading or dropping the old value.
2354 /// Volatile operations are intended to act on I/O memory, and are guaranteed
2355 /// to not be elided or reordered by the compiler across other volatile
2358 /// See [`ptr::write_volatile`] for safety concerns and examples.
2360 /// [`ptr::write_volatile`]: ./ptr/fn.write_volatile.html
2361 #[stable(feature = "pointer_methods", since = "1.26.0")]
2363 pub unsafe fn write_volatile(self, val: T)
2366 write_volatile(self, val)
2369 /// Overwrites a memory location with the given value without reading or
2370 /// dropping the old value.
2372 /// Unlike `write`, the pointer may be unaligned.
2374 /// See [`ptr::write_unaligned`] for safety concerns and examples.
2376 /// [`ptr::write_unaligned`]: ./ptr/fn.write_unaligned.html
2377 #[stable(feature = "pointer_methods", since = "1.26.0")]
2379 pub unsafe fn write_unaligned(self, val: T)
2382 write_unaligned(self, val)
2385 /// Replaces the value at `self` with `src`, returning the old
2386 /// value, without dropping either.
2388 /// See [`ptr::replace`] for safety concerns and examples.
2390 /// [`ptr::replace`]: ./ptr/fn.replace.html
2391 #[stable(feature = "pointer_methods", since = "1.26.0")]
2393 pub unsafe fn replace(self, src: T) -> T
2399 /// Swaps the values at two mutable locations of the same type, without
2400 /// deinitializing either. They may overlap, unlike `mem::swap` which is
2401 /// otherwise equivalent.
2403 /// See [`ptr::swap`] for safety concerns and examples.
2405 /// [`ptr::swap`]: ./ptr/fn.swap.html
2406 #[stable(feature = "pointer_methods", since = "1.26.0")]
2408 pub unsafe fn swap(self, with: *mut T)
2414 /// Computes the offset that needs to be applied to the pointer in order to make it aligned to
2417 /// If it is not possible to align the pointer, the implementation returns
2418 /// `usize::max_value()`.
2420 /// The offset is expressed in number of `T` elements, and not bytes. The value returned can be
2421 /// used with the `add` method.
2423 /// There are no guarantees whatsoever that offsetting the pointer will not overflow or go
2424 /// beyond the allocation that the pointer points into. It is up to the caller to ensure that
2425 /// the returned offset is correct in all terms other than alignment.
2429 /// The function panics if `align` is not a power-of-two.
2433 /// Accessing adjacent `u8` as `u16`
2436 /// # fn foo(n: usize) {
2437 /// # use std::mem::align_of;
2439 /// let x = [5u8, 6u8, 7u8, 8u8, 9u8];
2440 /// let ptr = &x[n] as *const u8;
2441 /// let offset = ptr.align_offset(align_of::<u16>());
2442 /// if offset < x.len() - n - 1 {
2443 /// let u16_ptr = ptr.add(offset) as *const u16;
2444 /// assert_ne!(*u16_ptr, 500);
2446 /// // while the pointer can be aligned via `offset`, it would point
2447 /// // outside the allocation
2451 #[stable(feature = "align_offset", since = "1.36.0")]
2452 pub fn align_offset(self, align: usize) -> usize where T: Sized {
2453 if !align.is_power_of_two() {
2454 panic!("align_offset: align is not a power-of-two");
2457 align_offset(self, align)
2462 /// Align pointer `p`.
2464 /// Calculate offset (in terms of elements of `stride` stride) that has to be applied
2465 /// to pointer `p` so that pointer `p` would get aligned to `a`.
2467 /// Note: This implementation has been carefully tailored to not panic. It is UB for this to panic.
2468 /// The only real change that can be made here is change of `INV_TABLE_MOD_16` and associated
2471 /// If we ever decide to make it possible to call the intrinsic with `a` that is not a
2472 /// power-of-two, it will probably be more prudent to just change to a naive implementation rather
2473 /// than trying to adapt this to accommodate that change.
2475 /// Any questions go to @nagisa.
2476 #[lang="align_offset"]
2477 pub(crate) unsafe fn align_offset<T: Sized>(p: *const T, a: usize) -> usize {
2478 /// Calculate multiplicative modular inverse of `x` modulo `m`.
2480 /// This implementation is tailored for align_offset and has following preconditions:
2482 /// * `m` is a power-of-two;
2483 /// * `x < m`; (if `x ≥ m`, pass in `x % m` instead)
2485 /// Implementation of this function shall not panic. Ever.
2487 fn mod_inv(x: usize, m: usize) -> usize {
2488 /// Multiplicative modular inverse table modulo 2⁴ = 16.
2490 /// Note, that this table does not contain values where inverse does not exist (i.e., for
2491 /// `0⁻¹ mod 16`, `2⁻¹ mod 16`, etc.)
2492 const INV_TABLE_MOD_16: [u8; 8] = [1, 11, 13, 7, 9, 3, 5, 15];
2493 /// Modulo for which the `INV_TABLE_MOD_16` is intended.
2494 const INV_TABLE_MOD: usize = 16;
2496 const INV_TABLE_MOD_SQUARED: usize = INV_TABLE_MOD * INV_TABLE_MOD;
2498 let table_inverse = INV_TABLE_MOD_16[(x & (INV_TABLE_MOD - 1)) >> 1] as usize;
2499 if m <= INV_TABLE_MOD {
2500 table_inverse & (m - 1)
2502 // We iterate "up" using the following formula:
2504 // $$ xy ≡ 1 (mod 2ⁿ) → xy (2 - xy) ≡ 1 (mod 2²ⁿ) $$
2506 // until 2²ⁿ ≥ m. Then we can reduce to our desired `m` by taking the result `mod m`.
2507 let mut inverse = table_inverse;
2508 let mut going_mod = INV_TABLE_MOD_SQUARED;
2510 // y = y * (2 - xy) mod n
2512 // Note, that we use wrapping operations here intentionally – the original formula
2513 // uses e.g., subtraction `mod n`. It is entirely fine to do them `mod
2514 // usize::max_value()` instead, because we take the result `mod n` at the end
2516 inverse = inverse.wrapping_mul(
2517 2usize.wrapping_sub(x.wrapping_mul(inverse))
2518 ) & (going_mod - 1);
2520 return inverse & (m - 1);
2522 going_mod = going_mod.wrapping_mul(going_mod);
2527 let stride = mem::size_of::<T>();
2528 let a_minus_one = a.wrapping_sub(1);
2529 let pmoda = p as usize & a_minus_one;
2532 // Already aligned. Yay!
2537 return if stride == 0 {
2538 // If the pointer is not aligned, and the element is zero-sized, then no amount of
2539 // elements will ever align the pointer.
2542 a.wrapping_sub(pmoda)
2546 let smoda = stride & a_minus_one;
2547 // a is power-of-two so cannot be 0. stride = 0 is handled above.
2548 let gcdpow = intrinsics::cttz_nonzero(stride).min(intrinsics::cttz_nonzero(a));
2549 let gcd = 1usize << gcdpow;
2551 if p as usize & (gcd - 1) == 0 {
2552 // This branch solves for the following linear congruence equation:
2554 // $$ p + so ≡ 0 mod a $$
2556 // $p$ here is the pointer value, $s$ – stride of `T`, $o$ offset in `T`s, and $a$ – the
2557 // requested alignment.
2560 // o = (a - (p mod a))/g * ((s/g)⁻¹ mod a)
2562 // The first term is “the relative alignment of p to a”, the second term is “how does
2563 // incrementing p by s bytes change the relative alignment of p”. Division by `g` is
2564 // necessary to make this equation well formed if $a$ and $s$ are not co-prime.
2566 // Furthermore, the result produced by this solution is not “minimal”, so it is necessary
2567 // to take the result $o mod lcm(s, a)$. We can replace $lcm(s, a)$ with just a $a / g$.
2568 let j = a.wrapping_sub(pmoda) >> gcdpow;
2569 let k = smoda >> gcdpow;
2570 return intrinsics::unchecked_rem(j.wrapping_mul(mod_inv(k, a)), a >> gcdpow);
2573 // Cannot be aligned at all.
2579 // Equality for pointers
2580 #[stable(feature = "rust1", since = "1.0.0")]
2581 impl<T: ?Sized> PartialEq for *const T {
2583 fn eq(&self, other: &*const T) -> bool { *self == *other }
2586 #[stable(feature = "rust1", since = "1.0.0")]
2587 impl<T: ?Sized> Eq for *const T {}
2589 #[stable(feature = "rust1", since = "1.0.0")]
2590 impl<T: ?Sized> PartialEq for *mut T {
2592 fn eq(&self, other: &*mut T) -> bool { *self == *other }
2595 #[stable(feature = "rust1", since = "1.0.0")]
2596 impl<T: ?Sized> Eq for *mut T {}
2598 /// Compares raw pointers for equality.
2600 /// This is the same as using the `==` operator, but less generic:
2601 /// the arguments have to be `*const T` raw pointers,
2602 /// not anything that implements `PartialEq`.
2604 /// This can be used to compare `&T` references (which coerce to `*const T` implicitly)
2605 /// by their address rather than comparing the values they point to
2606 /// (which is what the `PartialEq for &T` implementation does).
2614 /// let other_five = 5;
2615 /// let five_ref = &five;
2616 /// let same_five_ref = &five;
2617 /// let other_five_ref = &other_five;
2619 /// assert!(five_ref == same_five_ref);
2620 /// assert!(ptr::eq(five_ref, same_five_ref));
2622 /// assert!(five_ref == other_five_ref);
2623 /// assert!(!ptr::eq(five_ref, other_five_ref));
2626 /// Slices are also compared by their length (fat pointers):
2629 /// let a = [1, 2, 3];
2630 /// assert!(std::ptr::eq(&a[..3], &a[..3]));
2631 /// assert!(!std::ptr::eq(&a[..2], &a[..3]));
2632 /// assert!(!std::ptr::eq(&a[0..2], &a[1..3]));
2635 /// Traits are also compared by their implementation:
2638 /// #[repr(transparent)]
2639 /// struct Wrapper { member: i32 }
2642 /// impl Trait for Wrapper {}
2643 /// impl Trait for i32 {}
2646 /// let wrapper = Wrapper { member: 10 };
2648 /// // Pointers have equal addresses.
2649 /// assert!(std::ptr::eq(
2650 /// &wrapper as *const Wrapper as *const u8,
2651 /// &wrapper.member as *const i32 as *const u8
2654 /// // Objects have equal addresses, but `Trait` has different implementations.
2655 /// assert!(!std::ptr::eq(
2656 /// &wrapper as &dyn Trait,
2657 /// &wrapper.member as &dyn Trait,
2659 /// assert!(!std::ptr::eq(
2660 /// &wrapper as &dyn Trait as *const dyn Trait,
2661 /// &wrapper.member as &dyn Trait as *const dyn Trait,
2664 /// // Converting the reference to a `*const u8` compares by address.
2665 /// assert!(std::ptr::eq(
2666 /// &wrapper as &dyn Trait as *const dyn Trait as *const u8,
2667 /// &wrapper.member as &dyn Trait as *const dyn Trait as *const u8,
2671 #[stable(feature = "ptr_eq", since = "1.17.0")]
2673 pub fn eq<T: ?Sized>(a: *const T, b: *const T) -> bool {
2677 /// Hash a raw pointer.
2679 /// This can be used to hash a `&T` reference (which coerces to `*const T` implicitly)
2680 /// by its address rather than the value it points to
2681 /// (which is what the `Hash for &T` implementation does).
2686 /// use std::collections::hash_map::DefaultHasher;
2687 /// use std::hash::{Hash, Hasher};
2691 /// let five_ref = &five;
2693 /// let mut hasher = DefaultHasher::new();
2694 /// ptr::hash(five_ref, &mut hasher);
2695 /// let actual = hasher.finish();
2697 /// let mut hasher = DefaultHasher::new();
2698 /// (five_ref as *const i32).hash(&mut hasher);
2699 /// let expected = hasher.finish();
2701 /// assert_eq!(actual, expected);
2703 #[stable(feature = "ptr_hash", since = "1.35.0")]
2704 pub fn hash<T: ?Sized, S: hash::Hasher>(hashee: *const T, into: &mut S) {
2705 use crate::hash::Hash;
2709 // Impls for function pointers
2710 macro_rules! fnptr_impls_safety_abi {
2711 ($FnTy: ty, $($Arg: ident),*) => {
2712 #[stable(feature = "fnptr_impls", since = "1.4.0")]
2713 impl<Ret, $($Arg),*> PartialEq for $FnTy {
2715 fn eq(&self, other: &Self) -> bool {
2716 *self as usize == *other as usize
2720 #[stable(feature = "fnptr_impls", since = "1.4.0")]
2721 impl<Ret, $($Arg),*> Eq for $FnTy {}
2723 #[stable(feature = "fnptr_impls", since = "1.4.0")]
2724 impl<Ret, $($Arg),*> PartialOrd for $FnTy {
2726 fn partial_cmp(&self, other: &Self) -> Option<Ordering> {
2727 (*self as usize).partial_cmp(&(*other as usize))
2731 #[stable(feature = "fnptr_impls", since = "1.4.0")]
2732 impl<Ret, $($Arg),*> Ord for $FnTy {
2734 fn cmp(&self, other: &Self) -> Ordering {
2735 (*self as usize).cmp(&(*other as usize))
2739 #[stable(feature = "fnptr_impls", since = "1.4.0")]
2740 impl<Ret, $($Arg),*> hash::Hash for $FnTy {
2741 fn hash<HH: hash::Hasher>(&self, state: &mut HH) {
2742 state.write_usize(*self as usize)
2746 #[stable(feature = "fnptr_impls", since = "1.4.0")]
2747 impl<Ret, $($Arg),*> fmt::Pointer for $FnTy {
2748 fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
2749 fmt::Pointer::fmt(&(*self as *const ()), f)
2753 #[stable(feature = "fnptr_impls", since = "1.4.0")]
2754 impl<Ret, $($Arg),*> fmt::Debug for $FnTy {
2755 fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
2756 fmt::Pointer::fmt(&(*self as *const ()), f)
2762 macro_rules! fnptr_impls_args {
2763 ($($Arg: ident),+) => {
2764 fnptr_impls_safety_abi! { extern "Rust" fn($($Arg),+) -> Ret, $($Arg),+ }
2765 fnptr_impls_safety_abi! { extern "C" fn($($Arg),+) -> Ret, $($Arg),+ }
2766 fnptr_impls_safety_abi! { extern "C" fn($($Arg),+ , ...) -> Ret, $($Arg),+ }
2767 fnptr_impls_safety_abi! { unsafe extern "Rust" fn($($Arg),+) -> Ret, $($Arg),+ }
2768 fnptr_impls_safety_abi! { unsafe extern "C" fn($($Arg),+) -> Ret, $($Arg),+ }
2769 fnptr_impls_safety_abi! { unsafe extern "C" fn($($Arg),+ , ...) -> Ret, $($Arg),+ }
2772 // No variadic functions with 0 parameters
2773 fnptr_impls_safety_abi! { extern "Rust" fn() -> Ret, }
2774 fnptr_impls_safety_abi! { extern "C" fn() -> Ret, }
2775 fnptr_impls_safety_abi! { unsafe extern "Rust" fn() -> Ret, }
2776 fnptr_impls_safety_abi! { unsafe extern "C" fn() -> Ret, }
2780 fnptr_impls_args! { }
2781 fnptr_impls_args! { A }
2782 fnptr_impls_args! { A, B }
2783 fnptr_impls_args! { A, B, C }
2784 fnptr_impls_args! { A, B, C, D }
2785 fnptr_impls_args! { A, B, C, D, E }
2786 fnptr_impls_args! { A, B, C, D, E, F }
2787 fnptr_impls_args! { A, B, C, D, E, F, G }
2788 fnptr_impls_args! { A, B, C, D, E, F, G, H }
2789 fnptr_impls_args! { A, B, C, D, E, F, G, H, I }
2790 fnptr_impls_args! { A, B, C, D, E, F, G, H, I, J }
2791 fnptr_impls_args! { A, B, C, D, E, F, G, H, I, J, K }
2792 fnptr_impls_args! { A, B, C, D, E, F, G, H, I, J, K, L }
2794 // Comparison for pointers
2795 #[stable(feature = "rust1", since = "1.0.0")]
2796 impl<T: ?Sized> Ord for *const T {
2798 fn cmp(&self, other: &*const T) -> Ordering {
2801 } else if self == other {
2809 #[stable(feature = "rust1", since = "1.0.0")]
2810 impl<T: ?Sized> PartialOrd for *const T {
2812 fn partial_cmp(&self, other: &*const T) -> Option<Ordering> {
2813 Some(self.cmp(other))
2817 fn lt(&self, other: &*const T) -> bool { *self < *other }
2820 fn le(&self, other: &*const T) -> bool { *self <= *other }
2823 fn gt(&self, other: &*const T) -> bool { *self > *other }
2826 fn ge(&self, other: &*const T) -> bool { *self >= *other }
2829 #[stable(feature = "rust1", since = "1.0.0")]
2830 impl<T: ?Sized> Ord for *mut T {
2832 fn cmp(&self, other: &*mut T) -> Ordering {
2835 } else if self == other {
2843 #[stable(feature = "rust1", since = "1.0.0")]
2844 impl<T: ?Sized> PartialOrd for *mut T {
2846 fn partial_cmp(&self, other: &*mut T) -> Option<Ordering> {
2847 Some(self.cmp(other))
2851 fn lt(&self, other: &*mut T) -> bool { *self < *other }
2854 fn le(&self, other: &*mut T) -> bool { *self <= *other }
2857 fn gt(&self, other: &*mut T) -> bool { *self > *other }
2860 fn ge(&self, other: &*mut T) -> bool { *self >= *other }
projects / rust.git / blob