mod.rs source code [crates/core/src/ptr/mod.rs]

1	//! Manually manage memory through raw pointers.
2	//!
3	//! [See also the pointer primitive types](pointer).
4	//!
5	//! # Safety
6	//!
7	//! Many functions in this module take raw pointers as arguments and read from or write to them. For
8	//! this to be safe, these pointers must be valid* for the given access. Whether a pointer is valid*
9	//! depends on the operation it is used for (read or write), and the extent of the memory that is
10	//! accessed (i.e., how many bytes are read/written) -- it makes no sense to ask "is this pointer
11	//! valid"; one has to ask "is this pointer valid for a given access". Most functions use `mut T`*
12	//! and `const T` to access only a single value, in which case the documentation omits the size and*
13	//! implicitly assumes it to be `size_of::<T>()` bytes.
14	//!
15	//! The precise rules for validity are not determined yet. The guarantees that are
16	//! provided at this point are very minimal:
17	//!
18	//! For memory accesses of [size zero][zst], every pointer is valid, including the* [null]
19	//! pointer. The following points are only concerned with non-zero-sized accesses.
20	//! A* [null] pointer is never* valid.*
21	//! For a pointer to be valid, it is necessary, but not always sufficient, that the pointer be*
22	//! dereferenceable. The [provenance] of the pointer is used to determine which [allocation]
23	//! it is derived from; a pointer is dereferenceable if the memory range of the given size
24	//! starting at the pointer is entirely contained within the bounds of that allocation. Note
25	//! that in Rust, every (stack-allocated) variable is considered a separate allocation.
26	//! All accesses performed by functions in this module are non-atomic in the sense*
27	//! of [atomic operations] used to synchronize between threads. This means it is
28	//! undefined behavior to perform two concurrent accesses to the same location from different
29	//! threads unless both accesses only read from memory. Notice that this explicitly
30	//! includes [`read_volatile`] and [`write_volatile`]: Volatile accesses cannot
31	//! be used for inter-thread synchronization.
32	//! The result of casting a reference to a pointer is valid for as long as the*
33	//! underlying allocation is live and no reference (just raw pointers) is used to
34	//! access the same memory. That is, reference and pointer accesses cannot be
35	//! interleaved.
36	//!
37	//! These axioms, along with careful use of [`offset`] for pointer arithmetic,
38	//! are enough to correctly implement many useful things in unsafe code. Stronger guarantees
39	//! will be provided eventually, as the [aliasing] rules are being determined. For more
40	//! information, see the [book] as well as the section in the reference devoted
41	//! to [undefined behavior][ub].
42	//!
43	//! We say that a pointer is "dangling" if it is not valid for any non-zero-sized accesses. This
44	//! means out-of-bounds pointers, pointers to freed memory, null pointers, and pointers created with
45	//! [`NonNull::dangling`] are all dangling.
46	//!
47	//! ## Alignment
48	//!
49	//! Valid raw pointers as defined above are not necessarily properly aligned (where
50	//! "proper" alignment is defined by the pointee type, i.e., `const T` must be*
51	//! aligned to `align_of::<T>()`). However, most functions require their
52	//! arguments to be properly aligned, and will explicitly state
53	//! this requirement in their documentation. Notable exceptions to this are
54	//! [`read_unaligned`] and [`write_unaligned`].
55	//!
56	//! When a function requires proper alignment, it does so even if the access
57	//! has size 0, i.e., even if memory is not actually touched. Consider using
58	//! [`NonNull::dangling`] in such cases.
59	//!
60	//! ## Pointer to reference conversion
61	//!
62	//! When converting a pointer to a reference (e.g. via `&ptr` or `&mut ptr`),
63	//! there are several rules that must be followed:
64	//!
65	//! The pointer must be properly aligned.*
66	//!
67	//! It must be non-null.*
68	//!
69	//! It must be "dereferenceable" in the sense defined above.*
70	//!
71	//! The pointer must point to a [valid value] of type `T`.*
72	//!
73	//! You must enforce Rust's aliasing rules. The exact aliasing rules are not decided yet, so we*
74	//! only give a rough overview here. The rules also depend on whether a mutable or a shared
75	//! reference is being created.
76	//! When creating a mutable reference, then while this reference exists, the memory it points to*
77	//! must not get accessed (read or written) through any other pointer or reference not derived
78	//! from this reference.
79	//! When creating a shared reference, then while this reference exists, the memory it points to*
80	//! must not get mutated (except inside `UnsafeCell`).
81	//!
82	//! If a pointer follows all of these rules, it is said to be
83	//! convertible to a (mutable or shared) reference.
84	// ^ we use this term instead of saying that the produced reference must
85	// be valid, as the validity of a reference is easily confused for the
86	// validity of the thing it refers to, and while the two concepts are
87	// closely related, they are not identical.
88	//!
89	//! These rules apply even if the result is unused!
90	//! (The part about being initialized is not yet fully decided, but until
91	//! it is, the only safe approach is to ensure that they are indeed initialized.)
92	//!
93	//! An example of the implications of the above rules is that an expression such
94	//! as `unsafe { &(0 as const u8) }` is Immediate Undefined Behavior.
95	//!
96	//! [valid value]: ../../reference/behavior-considered-undefined.html#invalid-values
97	//!
98	//! ## Allocation
99	//!
100	//! <a id="allocated-object"></a> <!-- keep old URLs working -->
101	//!
102	//! An allocation* is a subset of program memory which is addressable*
103	//! from Rust, and within which pointer arithmetic is possible. Examples of
104	//! allocations include heap allocations, stack-allocated variables,
105	//! statics, and consts. The safety preconditions of some Rust operations -
106	//! such as `offset` and field projections (`expr.field`) - are defined in
107	//! terms of the allocations on which they operate.
108	//!
109	//! An allocation has a base address, a size, and a set of memory
110	//! addresses. It is possible for an allocation to have zero size, but
111	//! such an allocation will still have a base address. The base address
112	//! of an allocation is not necessarily unique. While it is currently the
113	//! case that an allocation always has a set of memory addresses which is
114	//! fully contiguous (i.e., has no "holes"), there is no guarantee that this
115	//! will not change in the future.
116	//!
117	//! For any allocation with `base` address, `size`, and a set of
118	//! `addresses`, the following are guaranteed:
119	//! - For all addresses `a` in `addresses`, `a` is in the range `base .. (base +
120	//! size)` (note that this requires `a < base + size`, not `a <= base + size`)
121	//! - `base` is not equal to [`null()`] (i.e., the address with the numerical
122	//! value 0)
123	//! - `base + size <= usize::MAX`
124	//! - `size <= isize::MAX`
125	//!
126	//! As a consequence of these guarantees, given any address `a` within the set
127	//! of addresses of an allocation:
128	//! - It is guaranteed that `a - base` does not overflow `isize`
129	//! - It is guaranteed that `a - base` is non-negative
130	//! - It is guaranteed that, given `o = a - base` (i.e., the offset of `a` within
131	//! the allocation), `base + o` will not wrap around the address space (in
132	//! other words, will not overflow `usize`)
133	//!
134	//! [`null()`]: null
135	//!
136	//! # Provenance
137	//!
138	//! Pointers are not simply* an "integer" or "address". For instance, it's uncontroversial*
139	//! to say that a Use After Free is clearly Undefined Behavior, even if you "get lucky"
140	//! and the freed memory gets reallocated before your read/write (in fact this is the
141	//! worst-case scenario, UAFs would be much less concerning if this didn't happen!).
142	//! As another example, consider that [`wrapping_offset`] is documented to "remember"
143	//! the allocation that the original pointer points to, even if it is offset far
144	//! outside the memory range occupied by that allocation.
145	//! To rationalize claims like this, pointers need to somehow be more* than just their addresses:*
146	//! they must have provenance.
147	//!
148	//! A pointer value in Rust semantically contains the following information:
149	//!
150	//! The address it points to, which can be represented by a `usize`.*
151	//! The provenance it has, defining the memory it has permission to access. Provenance can be*
152	//! absent, in which case the pointer does not have permission to access any memory.
153	//!
154	//! The exact structure of provenance is not yet specified, but the permission defined by a
155	//! pointer's provenance have a spatial component, a temporal component, and a mutability
156	//! component:
157	//!
158	//! Spatial: The set of memory addresses that the pointer is allowed to access.*
159	//! Temporal: The timespan during which the pointer is allowed to access those memory addresses.*
160	//! Mutability: Whether the pointer may only access the memory for reads, or also access it for*
161	//! writes. Note that this can interact with the other components, e.g. a pointer might permit
162	//! mutation only for a subset of addresses, or only for a subset of its maximal timespan.
163	//!
164	//! When an [allocation] is created, it has a unique Original Pointer. For alloc
165	//! APIs this is literally the pointer the call returns, and for local variables and statics,
166	//! this is the name of the variable/static. (This is mildly overloading the term "pointer"
167	//! for the sake of brevity/exposition.)
168	//!
169	//! The Original Pointer for an allocation has provenance that constrains the spatial
170	//! permissions of this pointer to the memory range of the allocation, and the temporal
171	//! permissions to the lifetime of the allocation. Provenance is implicitly inherited by all
172	//! pointers transitively derived from the Original Pointer through operations like [`offset`],
173	//! borrowing, and pointer casts. Some operations may shrink* the permissions of the derived*
174	//! provenance, limiting how much memory it can access or how long it's valid for (i.e. borrowing a
175	//! subfield and subslicing can shrink the spatial component of provenance, and all borrowing can
176	//! shrink the temporal component of provenance). However, no operation can ever grow* the*
177	//! permissions of the derived provenance: even if you "know" there is a larger allocation, you
178	//! can't derive a pointer with a larger provenance. Similarly, you cannot "recombine" two
179	//! contiguous provenances back into one (i.e. with a `fn merge(&[T], &[T]) -> &[T]`).
180	//!
181	//! A reference to a place always has provenance over at least the memory that place occupies.
182	//! A reference to a slice always has provenance over at least the range that slice describes.
183	//! Whether and when exactly the provenance of a reference gets "shrunk" to exactly* fit*
184	//! the memory it points to is not yet determined.
185	//!
186	//! A shared* reference only ever has provenance that permits reading from memory,*
187	//! and never permits writes, except inside [`UnsafeCell`].
188	//!
189	//! Provenance can affect whether a program has undefined behavior:
190	//!
191	//! It is undefined behavior to access memory through a pointer that does not have provenance over*
192	//! that memory. Note that a pointer "at the end" of its provenance is not actually outside its
193	//! provenance, it just has 0 bytes it can load/store. Zero-sized accesses do not require any
194	//! provenance since they access an empty range of memory.
195	//!
196	//! It is undefined behavior to [`offset`] a pointer across a memory range that is not contained*
197	//! in the allocation it is derived from, or to [`offset_from`] two pointers not derived
198	//! from the same allocation. Provenance is used to say what exactly "derived from" even
199	//! means: the lineage of a pointer is traced back to the Original Pointer it descends from, and
200	//! that identifies the relevant allocation. In particular, it's always UB to offset a
201	//! pointer derived from something that is now deallocated, except if the offset is 0.
202	//!
203	//! But it is* still sound to:*
204	//!
205	//! Create a pointer without provenance from just an address (see* [`without_provenance`]). Such a
206	//! pointer cannot be used for memory accesses (except for zero-sized accesses). This can still be
207	//! useful for sentinel values like `null` or* to represent a tagged pointer that will never be*
208	//! dereferenceable. In general, it is always sound for an integer to pretend to be a pointer "for
209	//! fun" as long as you don't use operations on it which require it to be valid (non-zero-sized
210	//! offset, read, write, etc).
211	//!
212	//! Forge an allocation of size zero at any sufficiently aligned non-null address.*
213	//! i.e. the usual "ZSTs are fake, do what you want" rules apply.
214	//!
215	//! [`wrapping_offset`] a pointer outside its provenance. This includes pointers*
216	//! which have "no" provenance. In particular, this makes it sound to do pointer tagging tricks.
217	//!
218	//! Compare arbitrary pointers by address. Pointer comparison ignores provenance and addresses*
219	//! are* just integers, so there is always a coherent answer, even if the pointers are dangling*
220	//! or from different provenances. Note that if you get "lucky" and notice that a pointer at the
221	//! end of one allocation is the "same" address as the start of another allocation,
222	//! anything you do with that fact is probably* going to be gibberish. The scope of that*
223	//! gibberish is kept under control by the fact that the two pointers still* aren't allowed to*
224	//! access the other's allocation (bytes), because they still have different provenance.
225	//!
226	//! Note that the full definition of provenance in Rust is not decided yet, as this interacts
227	//! with the as-yet undecided [aliasing] rules.
228	//!
229	//! ## Pointers Vs Integers
230	//!
231	//! From this discussion, it becomes very clear that a `usize` cannot* accurately represent a pointer,*
232	//! and converting from a pointer to a `usize` is generally an operation which only* extracts the*
233	//! address. Converting this address back into pointer requires somehow answering the question:
234	//! which provenance should the resulting pointer have?
235	//!
236	//! Rust provides two ways of dealing with this situation: Strict Provenance* and Exposed Provenance.*
237	//!
238	//! Note that a pointer can* represent a `usize` (via* [`without_provenance`]), so the right type to
239	//! use in situations where a value is "sometimes a pointer and sometimes a bare `usize`" is a
240	//! pointer type.
241	//!
242	//! ## Strict Provenance
243	//!
244	//! "Strict Provenance" refers to a set of APIs designed to make working with provenance more
245	//! explicit. They are intended as substitutes for casting a pointer to an integer and back.
246	//!
247	//! Entirely avoiding integer-to-pointer casts successfully side-steps the inherent ambiguity of
248	//! that operation. This benefits compiler optimizations, and it is pretty much a requirement for
249	//! using tools like [Miri] and architectures like [CHERI] that aim to detect and diagnose pointer
250	//! misuse.
251	//!
252	//! The key insight to making programming without integer-to-pointer casts at all* viable is the*
253	//! [`with_addr`] method:
254	//!
255	//! ```text
256	//! /// Creates a new pointer with the given address.
257	//! ///
258	//! /// This performs the same operation as an `addr as ptr` cast, but copies
259	//! /// the provenance* of `self` to the new pointer.*
260	//! /// This allows us to dynamically preserve and propagate this important
261	//! /// information in a way that is otherwise impossible with a unary cast.
262	//! ///
263	//! /// This is equivalent to using `wrapping_offset` to offset `self` to the
264	//! /// given address, and therefore has all the same capabilities and restrictions.
265	//! pub fn with_addr(self, addr: usize) -> Self;
266	//! ```
267	//!
268	//! So you're still able to drop down to the address representation and do whatever
269	//! clever bit tricks you want as long as* you're able to keep around a pointer*
270	//! into the allocation you care about that can "reconstitute" the provenance.
271	//! Usually this is very easy, because you only are taking a pointer, messing with the address,
272	//! and then immediately converting back to a pointer. To make this use case more ergonomic,
273	//! we provide the [`map_addr`] method.
274	//!
275	//! To help make it clear that code is "following" Strict Provenance semantics, we also provide an
276	//! [`addr`] method which promises that the returned address is not part of a
277	//! pointer-integer-pointer roundtrip. In the future we may provide a lint for pointer<->integer
278	//! casts to help you audit if your code conforms to strict provenance.
279	//!
280	//! ### Using Strict Provenance
281	//!
282	//! Most code needs no changes to conform to strict provenance, as the only really concerning
283	//! operation is casts from `usize` to a pointer. For code which does* cast a `usize` to a pointer,*
284	//! the scope of the change depends on exactly what you're doing.
285	//!
286	//! In general, you just need to make sure that if you want to convert a `usize` address to a
287	//! pointer and then use that pointer to read/write memory, you need to keep around a pointer
288	//! that has sufficient provenance to perform that read/write itself. In this way all of your
289	//! casts from an address to a pointer are essentially just applying offsets/indexing.
290	//!
291	//! This is generally trivial to do for simple cases like tagged pointers as long as you*
292	//! represent the tagged pointer as an actual pointer and not a `usize`. For instance:*
293	//!
294	//! ```
295	//! unsafe {
296	//! // A flag we want to pack into our pointer
297	//! static HAS_DATA: usize = `0x1`;
298	//! static FLAG_MASK: usize = !HAS_DATA;
299	//!
300	//! // Our value, which must have enough alignment to have spare least-significant-bits.
301	//! let my_precious_data: u32 = `17`;
302	//! assert!(align_of::<u32>() > `1`);
303	//!
304	//! // Create a tagged pointer
305	//! let ptr = &my_precious_data as *const u32;
306	//! let tagged = ptr.map_addr(\|addr\| addr \| HAS_DATA);
307	//!
308	//! // Check the flag:
309	//! if tagged.addr() & HAS_DATA != `0` {
310	//! // Untag and read the pointer
311	//! let data = tagged.map_addr(\|addr\| addr & FLAG_MASK*);
312	//! assert_eq!(data, `17`);
313	//! } else {
314	//! unreachable!()
315	//! }
316	//! }
317	//! ```
318	//!
319	//! (Yes, if you've been using [`AtomicUsize`] for pointers in concurrent datastructures, you should
320	//! be using [`AtomicPtr`] instead. If that messes up the way you atomically manipulate pointers,
321	//! we would like to know why, and what needs to be done to fix it.)
322	//!
323	//! Situations where a valid pointer must* be created from just an address, such as baremetal code*
324	//! accessing a memory-mapped interface at a fixed address, cannot currently be handled with strict
325	//! provenance APIs and should use [exposed provenance](#exposed-provenance).
326	//!
327	//! ## Exposed Provenance
328	//!
329	//! As discussed above, integer-to-pointer casts are not possible with Strict Provenance APIs.
330	//! This is by design: the goal of Strict Provenance is to provide a clear specification that we are
331	//! confident can be formalized unambiguously and can be subject to precise formal reasoning.
332	//! Integer-to-pointer casts do not (currently) have such a clear specification.
333	//!
334	//! However, there exist situations where integer-to-pointer casts cannot be avoided, or
335	//! where avoiding them would require major refactoring. Legacy platform APIs also regularly assume
336	//! that `usize` can capture all the information that makes up a pointer.
337	//! Bare-metal platforms can also require the synthesis of a pointer "out of thin air" without
338	//! anywhere to obtain proper provenance from.
339	//!
340	//! Rust's model for dealing with integer-to-pointer casts is called Exposed Provenance. However,
341	//! the semantics of Exposed Provenance are on much less solid footing than Strict Provenance, and
342	//! at this point it is not yet clear whether a satisfying unambiguous semantics can be defined for
343	//! Exposed Provenance. (If that sounds bad, be reassured that other popular languages that provide
344	//! integer-to-pointer casts are not faring any better.) Furthermore, Exposed Provenance will not
345	//! work (well) with tools like [Miri] and [CHERI].
346	//!
347	//! Exposed Provenance is provided by the [`expose_provenance`] and [`with_exposed_provenance`] methods,
348	//! which are equivalent to `as` casts between pointers and integers.
349	//! - [`expose_provenance`] is a lot like [`addr`], but additionally adds the provenance of the
350	//! pointer to a global list of 'exposed' provenances. (This list is purely conceptual, it exists
351	//! for the purpose of specifying Rust but is not materialized in actual executions, except in
352	//! tools like [Miri].)
353	//! Memory which is outside the control of the Rust abstract machine (MMIO registers, for example)
354	//! is always considered to be exposed, so long as this memory is disjoint from memory that will
355	//! be used by the abstract machine such as the stack, heap, and statics.
356	//! - [`with_exposed_provenance`] can be used to construct a pointer with one of these previously
357	//! 'exposed' provenances. [`with_exposed_provenance`] takes only `addr: usize` as arguments, so
358	//! unlike in [`with_addr`] there is no indication of what the correct provenance for the returned
359	//! pointer is -- and that is exactly what makes integer-to-pointer casts so tricky to rigorously
360	//! specify! The compiler will do its best to pick the right provenance for you, but currently we
361	//! cannot provide any guarantees about which provenance the resulting pointer will have. Only one
362	//! thing is clear: if there is no* previously 'exposed' provenance that justifies the way the*
363	//! returned pointer will be used, the program has undefined behavior.
364	//!
365	//! If at all possible, we encourage code to be ported to [Strict Provenance] APIs, thus avoiding
366	//! the need for Exposed Provenance. Maximizing the amount of such code is a major win for avoiding
367	//! specification complexity and to facilitate adoption of tools like [CHERI] and [Miri] that can be
368	//! a big help in increasing the confidence in (unsafe) Rust code. However, we acknowledge that this
369	//! is not always possible, and offer Exposed Provenance as a way to explicit "opt out" of the
370	//! well-defined semantics of Strict Provenance, and "opt in" to the unclear semantics of
371	//! integer-to-pointer casts.
372	//!
373	//! [aliasing]: ../../nomicon/aliasing.html
374	//! [allocation]: #allocation
375	//! [provenance]: #provenance
376	//! [book]: ../../book/ch19-01-unsafe-rust.html#dereferencing-a-raw-pointer
377	//! [ub]: ../../reference/behavior-considered-undefined.html
378	//! [zst]: ../../nomicon/exotic-sizes.html#zero-sized-types-zsts
379	//! [atomic operations]: crate::sync::atomic
380	//! [`offset`]: pointer::offset
381	//! [`offset_from`]: pointer::offset_from
382	//! [`wrapping_offset`]: pointer::wrapping_offset
383	//! [`with_addr`]: pointer::with_addr
384	//! [`map_addr`]: pointer::map_addr
385	//! [`addr`]: pointer::addr
386	//! [`AtomicUsize`]: crate::sync::atomic::AtomicUsize
387	//! [`AtomicPtr`]: crate::sync::atomic::AtomicPtr
388	//! [`expose_provenance`]: pointer::expose_provenance
389	//! [`with_exposed_provenance`]: with_exposed_provenance
390	//! [Miri]: https://github.com/rust-lang/miri
391	//! [CHERI]: https://www.cl.cam.ac.uk/research/security/ctsrd/cheri/
392	//! [Strict Provenance]: #strict-provenance
393	//! [`UnsafeCell`]: core::cell::UnsafeCell
394
395	#![stable(feature = "rust1", since = "1.0.0")]
396	// There are many unsafe functions taking pointers that don't dereference them.
397	#![allow(clippy::not_unsafe_ptr_arg_deref)]
398
399	use crate::cmp::Ordering;
400	use crate::intrinsics::const_eval_select;
401	use crate::marker::FnPtr;
402	use crate::mem::{self, MaybeUninit, SizedTypeProperties};
403	use crate::num::NonZero;
404	use crate::{fmt, hash, intrinsics, ub_checks};
405
406	mod alignment;
407	#[unstable(feature = "ptr_alignment_type", issue = "102070")]
408	pub use alignment::Alignment;
409
410	mod metadata;
411	#[unstable(feature = "ptr_metadata", issue = "81513")]
412	pub use metadata::{DynMetadata, Pointee, Thin, from_raw_parts, from_raw_parts_mut, metadata};
413
414	mod non_null;
415	#[stable(feature = "nonnull", since = "1.25.0")]
416	pub use non_null::NonNull;
417
418	mod unique;
419	#[unstable(feature = "ptr_internals", issue = "none")]
420	pub use unique::Unique;
421
422	mod const_ptr;
423	mod mut_ptr;
424
425	// Some functions are defined here because they accidentally got made
426	// available in this module on stable. See <https://github.com/rust-lang/rust/issues/15702>.
427	// (`transmute` also falls into this category, but it cannot be wrapped due to the
428	// check that `T` and `U` have the same size.)
429
430	/// Copies `count size_of::<T>()` bytes from `src` to `dst`. The source*
431	/// and destination must not* overlap.*
432	///
433	/// For regions of memory which might overlap, use [`copy`] instead.
434	///
435	/// `copy_nonoverlapping` is semantically equivalent to C's [`memcpy`], but
436	/// with the source and destination arguments swapped,
437	/// and `count` counting the number of `T`s instead of bytes.
438	///
439	/// The copy is "untyped" in the sense that data may be uninitialized or otherwise violate the
440	/// requirements of `T`. The initialization state is preserved exactly.
441	///
442	/// [`memcpy`]: https://en.cppreference.com/w/c/string/byte/memcpy
443	///
444	/// # Safety
445	///
446	/// Behavior is undefined if any of the following conditions are violated:
447	///
448	/// `src` must be [valid] for reads of `count * size_of::<T>()` bytes.*
449	///
450	/// `dst` must be [valid] for writes of `count * size_of::<T>()` bytes.*
451	///
452	/// Both `src` and `dst` must be properly aligned.*
453	///
454	/// * The region of memory beginning at `src` with a size of `count *
455	/// size_of::<T>()` bytes must not* overlap with the region of memory*
456	/// beginning at `dst` with the same size.
457	///
458	/// Like [`read`], `copy_nonoverlapping` creates a bitwise copy of `T`, regardless of
459	/// whether `T` is [`Copy`]. If `T` is not [`Copy`], using both* the values*
460	/// in the region beginning at `src` and the region beginning at `dst` can
461	/// [violate memory safety][read-ownership].
462	///
463	/// Note that even if the effectively copied size (`count size_of::<T>()`) is*
464	/// `0`, the pointers must be properly aligned.
465	///
466	/// [`read`]: crate::ptr::read
467	/// [read-ownership]: crate::ptr::read#ownership-of-the-returned-value
468	/// [valid]: crate::ptr#safety
469	///
470	/// # Examples
471	///
472	/// Manually implement [`Vec::append`]:
473	///
474	/// ```
475	/// use std::ptr;
476	///
477	/// /// Moves all the elements of `src` into `dst`, leaving `src` empty.
478	/// fn append<T>(dst: &mut Vec<T>, src: &mut Vec<T>) {
479	/// let src_len = src.len();
480	/// let dst_len = dst.len();
481	///
482	/// // Ensure that `dst` has enough capacity to hold all of `src`.
483	/// dst.reserve(src_len);
484	///
485	/// unsafe {
486	/// // The call to add is always safe because `Vec` will never
487	/// // allocate more than `isize::MAX` bytes.
488	/// let dst_ptr = dst.as_mut_ptr().add(dst_len);
489	/// let src_ptr = src.as_ptr();
490	///
491	/// // Truncate `src` without dropping its contents. We do this first,
492	/// // to avoid problems in case something further down panics.
493	/// src.set_len(`0`);
494	///
495	/// // The two regions cannot overlap because mutable references do
496	/// // not alias, and two different vectors cannot own the same
497	/// // memory.
498	/// ptr::copy_nonoverlapping(src_ptr, dst_ptr, src_len);
499	///
500	/// // Notify `dst` that it now holds the contents of `src`.
501	/// dst.set_len(dst_len + src_len);
502	/// }
503	/// }
504	///
505	/// let mut a = vec!['r'];
506	/// let mut b = vec!['u', 's', 't'];
507	///
508	/// append(&mut a, &mut b);
509	///
510	/// assert_eq!(a, &['r', 'u', 's', 't']);
511	/// assert!(b.is_empty());
512	/// ```
513	///
514	/// [`Vec::append`]: ../../std/vec/struct.Vec.html#method.append
515	#[doc(alias = "memcpy")]
516	#[stable(feature = "rust1", since = "1.0.0")]
517	#[rustc_const_stable(feature = "const_intrinsic_copy", since = "1.83.0")]
518	#[inline(always)]
519	#[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
520	#[rustc_diagnostic_item = "ptr_copy_nonoverlapping"]
521	pub const unsafe fn copy_nonoverlapping<T>(src: *const T, dst: *mut T, count: usize) {
522	ub_checks::assert_unsafe_precondition!(
523	check_language_ub,
524	"ptr::copy_nonoverlapping requires that both pointer arguments are aligned and non-null \
525	and the specified memory ranges do not overlap",
526	(
527	src: *const () = src as *const (),
528	dst: *mut () = dst as *mut (),
529	size: usize = size_of::<T>(),
530	align: usize = align_of::<T>(),
531	count: usize = count,
532	) => {
533	let zero_size = count == `0` \|\| size == `0`;
534	ub_checks::maybe_is_aligned_and_not_null(src, align, zero_size)
535	&& ub_checks::maybe_is_aligned_and_not_null(dst, align, zero_size)
536	&& ub_checks::maybe_is_nonoverlapping(src, dst, size, count)
537	}
538	);
539
540	// SAFETY: the safety contract for `copy_nonoverlapping` must be
541	// upheld by the caller.
542	unsafe { crate::intrinsics::copy_nonoverlapping(src, dst, count) }
543	}
544
545	/// Copies `count size_of::<T>()` bytes from `src` to `dst`. The source*
546	/// and destination may overlap.
547	///
548	/// If the source and destination will never* overlap,*
549	/// [`copy_nonoverlapping`] can be used instead.
550	///
551	/// `copy` is semantically equivalent to C's [`memmove`], but
552	/// with the source and destination arguments swapped,
553	/// and `count` counting the number of `T`s instead of bytes.
554	/// Copying takes place as if the bytes were copied from `src`
555	/// to a temporary array and then copied from the array to `dst`.
556	///
557	/// The copy is "untyped" in the sense that data may be uninitialized or otherwise violate the
558	/// requirements of `T`. The initialization state is preserved exactly.
559	///
560	/// [`memmove`]: https://en.cppreference.com/w/c/string/byte/memmove
561	///
562	/// # Safety
563	///
564	/// Behavior is undefined if any of the following conditions are violated:
565	///
566	/// `src` must be [valid] for reads of `count * size_of::<T>()` bytes.*
567	///
568	/// `dst` must be [valid] for writes of `count * size_of::<T>()` bytes, and must remain valid even*
569	/// when `src` is read for `count size_of::<T>()` bytes. (This means if the memory ranges*
570	/// overlap, the `dst` pointer must not be invalidated by `src` reads.)
571	///
572	/// Both `src` and `dst` must be properly aligned.*
573	///
574	/// Like [`read`], `copy` creates a bitwise copy of `T`, regardless of
575	/// whether `T` is [`Copy`]. If `T` is not [`Copy`], using both the values
576	/// in the region beginning at `src` and the region beginning at `dst` can
577	/// [violate memory safety][read-ownership].
578	///
579	/// Note that even if the effectively copied size (`count size_of::<T>()`) is*
580	/// `0`, the pointers must be properly aligned.
581	///
582	/// [`read`]: crate::ptr::read
583	/// [read-ownership]: crate::ptr::read#ownership-of-the-returned-value
584	/// [valid]: crate::ptr#safety
585	///
586	/// # Examples
587	///
588	/// Efficiently create a Rust vector from an unsafe buffer:
589	///
590	/// ```
591	/// use std::ptr;
592	///
593	/// /// # Safety
594	/// ///
595	/// /// `ptr` must be correctly aligned for its type and non-zero.*
596	/// /// `ptr` must be valid for reads of `elts` contiguous elements of type `T`.*
597	/// /// Those elements must not be used after calling this function unless `T: Copy`.*
598	/// # #[allow(dead_code)]
599	/// unsafe fn from_buf_raw<T>(ptr: *const T, elts: usize) -> Vec<T> {
600	/// let mut dst = Vec::with_capacity(elts);
601	///
602	/// // SAFETY: Our precondition ensures the source is aligned and valid,
603	/// // and `Vec::with_capacity` ensures that we have usable space to write them.
604	/// unsafe { ptr::copy(ptr, dst.as_mut_ptr(), elts); }
605	///
606	/// // SAFETY: We created it with this much capacity earlier,
607	/// // and the previous `copy` has initialized these elements.
608	/// unsafe { dst.set_len(elts); }
609	/// dst
610	/// }
611	/// ```
612	#[doc(alias = "memmove")]
613	#[stable(feature = "rust1", since = "1.0.0")]
614	#[rustc_const_stable(feature = "const_intrinsic_copy", since = "1.83.0")]
615	#[inline(always)]
616	#[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
617	#[rustc_diagnostic_item = "ptr_copy"]
618	pub const unsafe fn copy<T>(src: *const T, dst: *mut T, count: usize) {
619	// SAFETY: the safety contract for `copy` must be upheld by the caller.
620	unsafe {
621	ub_checks::assert_unsafe_precondition!(
622	check_language_ub,
623	"ptr::copy requires that both pointer arguments are aligned and non-null",
624	(
625	src: *const () = src as *const (),
626	dst: *mut () = dst as *mut (),
627	align: usize = align_of::<T>(),
628	zero_size: bool = T::IS_ZST \|\| count == `0`,
629	) =>
630	ub_checks::maybe_is_aligned_and_not_null(src, align, zero_size)
631	&& ub_checks::maybe_is_aligned_and_not_null(dst, align, zero_size)
632	);
633	crate::intrinsics::copy(src, dst, count)
634	}
635	}
636
637	/// Sets `count size_of::<T>()` bytes of memory starting at `dst` to*
638	/// `val`.
639	///
640	/// `write_bytes` is similar to C's [`memset`], but sets `count *
641	/// size_of::<T>()` bytes to `val`.
642	///
643	/// [`memset`]: https://en.cppreference.com/w/c/string/byte/memset
644	///
645	/// # Safety
646	///
647	/// Behavior is undefined if any of the following conditions are violated:
648	///
649	/// `dst` must be [valid] for writes of `count * size_of::<T>()` bytes.*
650	///
651	/// `dst` must be properly aligned.*
652	///
653	/// Note that even if the effectively copied size (`count size_of::<T>()`) is*
654	/// `0`, the pointer must be properly aligned.
655	///
656	/// Additionally, note that changing `dst` in this way can easily lead to undefined behavior (UB)*
657	/// later if the written bytes are not a valid representation of some `T`. For instance, the
658	/// following is an incorrect* use of this function:*
659	///
660	/// ```rust,no_run
661	/// unsafe {
662	/// let mut value: u8 = `0`;
663	/// let ptr: *mut bool = &mut value as *mut u8 as *mut bool;
664	/// let _bool = ptr.read(); // This is fine, `ptr` points to a valid `bool`.
665	/// ptr.write_bytes(`42u8`, `1`); // This function itself does not cause UB...
666	/// let _bool = ptr.read(); // ...but it makes this operation UB! ⚠️
667	/// }
668	/// ```
669	///
670	/// [valid]: crate::ptr#safety
671	///
672	/// # Examples
673	///
674	/// Basic usage:
675	///
676	/// ```
677	/// use std::ptr;
678	///
679	/// let mut vec = vec![`0u32`; `4`];
680	/// unsafe {
681	/// let vec_ptr = vec.as_mut_ptr();
682	/// ptr::write_bytes(vec_ptr, `0xfe`, `2`);
683	/// }
684	/// assert_eq!(vec, [`0xfefefefe`, `0xfefefefe`, `0`, `0`]);
685	/// ```
686	#[doc(alias = "memset")]
687	#[stable(feature = "rust1", since = "1.0.0")]
688	#[rustc_const_stable(feature = "const_ptr_write", since = "1.83.0")]
689	#[inline(always)]
690	#[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
691	#[rustc_diagnostic_item = "ptr_write_bytes"]
692	pub const unsafe fn write_bytes<T>(dst: *mut T, val: u8, count: usize) {
693	// SAFETY: the safety contract for `write_bytes` must be upheld by the caller.
694	unsafe {
695	ub_checks::assert_unsafe_precondition!(
696	check_language_ub,
697	"ptr::write_bytes requires that the destination pointer is aligned and non-null",
698	(
699	addr: *const () = dst as *const (),
700	align: usize = align_of::<T>(),
701	zero_size: bool = T::IS_ZST \|\| count == `0`,
702	) => ub_checks::maybe_is_aligned_and_not_null(addr, align, zero_size)
703	);
704	crate::intrinsics::write_bytes(dst, val, count)
705	}
706	}
707
708	/// Executes the destructor (if any) of the pointed-to value.
709	///
710	/// This is almost the same as calling [`ptr::read`] and discarding
711	/// the result, but has the following advantages:
712	// FIXME: say something more useful than "almost the same"?
713	// There are open questions here: `read` requires the value to be fully valid, e.g. if `T` is a
714	// `bool` it must be 0 or 1, if it is a reference then it must be dereferenceable. `drop_in_place`
715	// only requires that `to_drop` be "valid for dropping" and we have not defined what that means. In*
716	// Miri it currently (May 2024) requires nothing at all for types without drop glue.
717	///
718	/// It is required to use `drop_in_place` to drop unsized types like*
719	/// trait objects, because they can't be read out onto the stack and
720	/// dropped normally.
721	///
722	/// It is friendlier to the optimizer to do this over* [`ptr::read`] when
723	/// dropping manually allocated memory (e.g., in the implementations of
724	/// `Box`/`Rc`/`Vec`), as the compiler doesn't need to prove that it's
725	/// sound to elide the copy.
726	///
727	/// It can be used to drop* [pinned] data when `T` is not `repr(packed)`
728	/// (pinned data must not be moved before it is dropped).
729	///
730	/// Unaligned values cannot be dropped in place, they must be copied to an aligned
731	/// location first using [`ptr::read_unaligned`]. For packed structs, this move is
732	/// done automatically by the compiler. This means the fields of packed structs
733	/// are not dropped in-place.
734	///
735	/// [`ptr::read`]: self::read
736	/// [`ptr::read_unaligned`]: self::read_unaligned
737	/// [pinned]: crate::pin
738	///
739	/// # Safety
740	///
741	/// Behavior is undefined if any of the following conditions are violated:
742	///
743	/// `to_drop` must be [valid] for both reads and writes.*
744	///
745	/// `to_drop` must be properly aligned, even if `T` has size 0.*
746	///
747	/// `to_drop` must be nonnull, even if `T` has size 0.*
748	///
749	/// The value `to_drop` points to must be valid for dropping, which may mean*
750	/// it must uphold additional invariants. These invariants depend on the type
751	/// of the value being dropped. For instance, when dropping a Box, the box's
752	/// pointer to the heap must be valid.
753	///
754	/// While `drop_in_place` is executing, the only way to access parts of*
755	/// `to_drop` is through the `&mut self` references supplied to the
756	/// `Drop::drop` methods that `drop_in_place` invokes.
757	///
758	/// Additionally, if `T` is not [`Copy`], using the pointed-to value after
759	/// calling `drop_in_place` can cause undefined behavior. Note that `to_drop =*
760	/// foo` counts as a use because it will cause the value to be dropped
761	/// again. [`write()`] can be used to overwrite data without causing it to be
762	/// dropped.
763	///
764	/// [valid]: self#safety
765	///
766	/// # Examples
767	///
768	/// Manually remove the last item from a vector:
769	///
770	/// ```
771	/// use std::ptr;
772	/// use std::rc::Rc;
773	///
774	/// let last = Rc::new(`1`);
775	/// let weak = Rc::downgrade(&last);
776	///
777	/// let mut v = vec![Rc::new(`0`), last];
778	///
779	/// unsafe {
780	/// // Get a raw pointer to the last element in `v`.
781	/// let ptr = &mut v[`1`] as *mut _;
782	/// // Shorten `v` to prevent the last item from being dropped. We do that first,
783	/// // to prevent issues if the `drop_in_place` below panics.
784	/// v.set_len(`1`);
785	/// // Without a call `drop_in_place`, the last item would never be dropped,
786	/// // and the memory it manages would be leaked.
787	/// ptr::drop_in_place(ptr);
788	/// }
789	///
790	/// assert_eq!(v, &[`0`.into()]);
791	///
792	/// // Ensure that the last item was dropped.
793	/// assert!(weak.upgrade().is_none());
794	/// ```
795	#[stable(feature = "drop_in_place", since = "1.8.0")]
796	#[lang = "drop_in_place"]
797	#[allow(unconditional_recursion)]
798	#[rustc_diagnostic_item = "ptr_drop_in_place"]
799	pub unsafe fn drop_in_place<T: ?Sized>(to_drop: *mut T) {
800	// Code here does not matter - this is replaced by the
801	// real drop glue by the compiler.
802
803	// SAFETY: see comment above
804	unsafe { drop_in_place(to_drop) }
805	}
806
807	/// Creates a null raw pointer.
808	///
809	/// This function is equivalent to zero-initializing the pointer:
810	/// `MaybeUninit::<const T>::zeroed().assume_init()`.*
811	/// The resulting pointer has the address 0.
812	///
813	/// # Examples
814	///
815	/// ```
816	/// use std::ptr;
817	///
818	/// let p: *const i32 = ptr::null();
819	/// assert!(p.is_null());
820	/// assert_eq!(p as usize, `0`); // this pointer has the address 0
821	/// ```
822	#[inline(always)]
823	#[must_use]
824	#[stable(feature = "rust1", since = "1.0.0")]
825	#[rustc_promotable]
826	#[rustc_const_stable(feature = "const_ptr_null", since = "1.24.0")]
827	#[rustc_diagnostic_item = "ptr_null"]
828	pub const fn null<T: ?Sized + Thin>() -> *const T {
829	from_raw_parts(data_pointer:without_provenance::<()>(`0`), ())
830	}
831
832	/// Creates a null mutable raw pointer.
833	///
834	/// This function is equivalent to zero-initializing the pointer:
835	/// `MaybeUninit::<mut T>::zeroed().assume_init()`.*
836	/// The resulting pointer has the address 0.
837	///
838	/// # Examples
839	///
840	/// ```
841	/// use std::ptr;
842	///
843	/// let p: *mut i32 = ptr::null_mut();
844	/// assert!(p.is_null());
845	/// assert_eq!(p as usize, `0`); // this pointer has the address 0
846	/// ```
847	#[inline(always)]
848	#[must_use]
849	#[stable(feature = "rust1", since = "1.0.0")]
850	#[rustc_promotable]
851	#[rustc_const_stable(feature = "const_ptr_null", since = "1.24.0")]
852	#[rustc_diagnostic_item = "ptr_null_mut"]
853	pub const fn null_mut<T: ?Sized + Thin>() -> *mut T {
854	from_raw_parts_mut(data_pointer:without_provenance_mut::<()>(`0`), ())
855	}
856
857	/// Creates a pointer with the given address and no [provenance][crate::ptr#provenance].
858	///
859	/// This is equivalent to `ptr::null().with_addr(addr)`.
860	///
861	/// Without provenance, this pointer is not associated with any actual allocation. Such a
862	/// no-provenance pointer may be used for zero-sized memory accesses (if suitably aligned), but
863	/// non-zero-sized memory accesses with a no-provenance pointer are UB. No-provenance pointers are
864	/// little more than a `usize` address in disguise.
865	///
866	/// This is different from `addr as const T`, which creates a pointer that picks up a previously*
867	/// exposed provenance. See [`with_exposed_provenance`] for more details on that operation.
868	///
869	/// This is a [Strict Provenance][crate::ptr#strict-provenance] API.
870	#[inline(always)]
871	#[must_use]
872	#[stable(feature = "strict_provenance", since = "1.84.0")]
873	#[rustc_const_stable(feature = "strict_provenance", since = "1.84.0")]
874	pub const fn without_provenance<T>(addr: usize) -> *const T {
875	without_provenance_mut(addr)
876	}
877
878	/// Creates a new pointer that is dangling, but non-null and well-aligned.
879	///
880	/// This is useful for initializing types which lazily allocate, like
881	/// `Vec::new` does.
882	///
883	/// Note that the pointer value may potentially represent a valid pointer to
884	/// a `T`, which means this must not be used as a "not yet initialized"
885	/// sentinel value. Types that lazily allocate must track initialization by
886	/// some other means.
887	#[inline(always)]
888	#[must_use]
889	#[stable(feature = "strict_provenance", since = "1.84.0")]
890	#[rustc_const_stable(feature = "strict_provenance", since = "1.84.0")]
891	pub const fn dangling<T>() -> *const T {
892	dangling_mut()
893	}
894
895	/// Creates a pointer with the given address and no [provenance][crate::ptr#provenance].
896	///
897	/// This is equivalent to `ptr::null_mut().with_addr(addr)`.
898	///
899	/// Without provenance, this pointer is not associated with any actual allocation. Such a
900	/// no-provenance pointer may be used for zero-sized memory accesses (if suitably aligned), but
901	/// non-zero-sized memory accesses with a no-provenance pointer are UB. No-provenance pointers are
902	/// little more than a `usize` address in disguise.
903	///
904	/// This is different from `addr as mut T`, which creates a pointer that picks up a previously*
905	/// exposed provenance. See [`with_exposed_provenance_mut`] for more details on that operation.
906	///
907	/// This is a [Strict Provenance][crate::ptr#strict-provenance] API.
908	#[inline(always)]
909	#[must_use]
910	#[stable(feature = "strict_provenance", since = "1.84.0")]
911	#[rustc_const_stable(feature = "strict_provenance", since = "1.84.0")]
912	pub const fn without_provenance_mut<T>(addr: usize) -> *mut T {
913	// An int-to-pointer transmute currently has exactly the intended semantics: it creates a
914	// pointer without provenance. Note that this is not* a stable guarantee about transmute*
915	// semantics, it relies on sysroot crates having special status.
916	// SAFETY: every valid integer is also a valid pointer (as long as you don't dereference that
917	// pointer).
918	unsafe { mem::transmute(src:addr) }
919	}
920
921	/// Creates a new pointer that is dangling, but non-null and well-aligned.
922	///
923	/// This is useful for initializing types which lazily allocate, like
924	/// `Vec::new` does.
925	///
926	/// Note that the pointer value may potentially represent a valid pointer to
927	/// a `T`, which means this must not be used as a "not yet initialized"
928	/// sentinel value. Types that lazily allocate must track initialization by
929	/// some other means.
930	#[inline(always)]
931	#[must_use]
932	#[stable(feature = "strict_provenance", since = "1.84.0")]
933	#[rustc_const_stable(feature = "strict_provenance", since = "1.84.0")]
934	pub const fn dangling_mut<T>() -> *mut T {
935	NonNull::dangling().as_ptr()
936	}
937
938	/// Converts an address back to a pointer, picking up some previously 'exposed'
939	/// [provenance][crate::ptr#provenance].
940	///
941	/// This is fully equivalent to `addr as const T`. The provenance of the returned pointer is that*
942	/// of some* pointer that was previously exposed by passing it to*
943	/// [`expose_provenance`][pointer::expose_provenance], or a `ptr as usize` cast. In addition, memory
944	/// which is outside the control of the Rust abstract machine (MMIO registers, for example) is
945	/// always considered to be accessible with an exposed provenance, so long as this memory is disjoint
946	/// from memory that will be used by the abstract machine such as the stack, heap, and statics.
947	///
948	/// The exact provenance that gets picked is not specified. The compiler will do its best to pick
949	/// the "right" provenance for you (whatever that may be), but currently we cannot provide any
950	/// guarantees about which provenance the resulting pointer will have -- and therefore there
951	/// is no definite specification for which memory the resulting pointer may access.
952	///
953	/// If there is no* previously 'exposed' provenance that justifies the way the returned pointer*
954	/// will be used, the program has undefined behavior. In particular, the aliasing rules still apply:
955	/// pointers and references that have been invalidated due to aliasing accesses cannot be used
956	/// anymore, even if they have been exposed!
957	///
958	/// Due to its inherent ambiguity, this operation may not be supported by tools that help you to
959	/// stay conformant with the Rust memory model. It is recommended to use [Strict
960	/// Provenance][self#strict-provenance] APIs such as [`with_addr`][pointer::with_addr] wherever
961	/// possible.
962	///
963	/// On most platforms this will produce a value with the same bytes as the address. Platforms
964	/// which need to store additional information in a pointer may not support this operation,
965	/// since it is generally not possible to actually compute* which provenance the returned*
966	/// pointer has to pick up.
967	///
968	/// This is an [Exposed Provenance][crate::ptr#exposed-provenance] API.
969	#[must_use]
970	#[inline(always)]
971	#[stable(feature = "exposed_provenance", since = "1.84.0")]
972	#[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
973	#[allow(fuzzy_provenance_casts)] // this is* the explicit provenance API one should use instead*
974	pub fn with_exposed_provenance<T>(addr: usize) -> *const T {
975	addr as *const T
976	}
977
978	/// Converts an address back to a mutable pointer, picking up some previously 'exposed'
979	/// [provenance][crate::ptr#provenance].
980	///
981	/// This is fully equivalent to `addr as mut T`. The provenance of the returned pointer is that*
982	/// of some* pointer that was previously exposed by passing it to*
983	/// [`expose_provenance`][pointer::expose_provenance], or a `ptr as usize` cast. In addition, memory
984	/// which is outside the control of the Rust abstract machine (MMIO registers, for example) is
985	/// always considered to be accessible with an exposed provenance, so long as this memory is disjoint
986	/// from memory that will be used by the abstract machine such as the stack, heap, and statics.
987	///
988	/// The exact provenance that gets picked is not specified. The compiler will do its best to pick
989	/// the "right" provenance for you (whatever that may be), but currently we cannot provide any
990	/// guarantees about which provenance the resulting pointer will have -- and therefore there
991	/// is no definite specification for which memory the resulting pointer may access.
992	///
993	/// If there is no* previously 'exposed' provenance that justifies the way the returned pointer*
994	/// will be used, the program has undefined behavior. In particular, the aliasing rules still apply:
995	/// pointers and references that have been invalidated due to aliasing accesses cannot be used
996	/// anymore, even if they have been exposed!
997	///
998	/// Due to its inherent ambiguity, this operation may not be supported by tools that help you to
999	/// stay conformant with the Rust memory model. It is recommended to use [Strict
1000	/// Provenance][self#strict-provenance] APIs such as [`with_addr`][pointer::with_addr] wherever
1001	/// possible.
1002	///
1003	/// On most platforms this will produce a value with the same bytes as the address. Platforms
1004	/// which need to store additional information in a pointer may not support this operation,
1005	/// since it is generally not possible to actually compute* which provenance the returned*
1006	/// pointer has to pick up.
1007	///
1008	/// This is an [Exposed Provenance][crate::ptr#exposed-provenance] API.
1009	#[must_use]
1010	#[inline(always)]
1011	#[stable(feature = "exposed_provenance", since = "1.84.0")]
1012	#[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
1013	#[allow(fuzzy_provenance_casts)] // this is* the explicit provenance API one should use instead*
1014	pub fn with_exposed_provenance_mut<T>(addr: usize) -> *mut T {
1015	addr as *mut T
1016	}
1017
1018	/// Converts a reference to a raw pointer.
1019	///
1020	/// For `r: &T`, `from_ref(r)` is equivalent to `r as const T` (except for the caveat noted below),*
1021	/// but is a bit safer since it will never silently change type or mutability, in particular if the
1022	/// code is refactored.
1023	///
1024	/// The caller must ensure that the pointee outlives the pointer this function returns, or else it
1025	/// will end up dangling.
1026	///
1027	/// The caller must also ensure that the memory the pointer (non-transitively) points to is never
1028	/// written to (except inside an `UnsafeCell`) using this pointer or any pointer derived from it. If
1029	/// you need to mutate the pointee, use [`from_mut`]. Specifically, to turn a mutable reference `m:
1030	/// &mut T` into `const T`, prefer `from_mut(m).cast_const()` to obtain a pointer that can later be*
1031	/// used for mutation.
1032	///
1033	/// ## Interaction with lifetime extension
1034	///
1035	/// Note that this has subtle interactions with the rules for lifetime extension of temporaries in
1036	/// tail expressions. This code is valid, albeit in a non-obvious way:
1037	/// ```rust
1038	/// # type T = i32;
1039	/// # fn foo() -> T { `42` }
1040	/// // The temporary holding the return value of `foo` has its lifetime extended,
1041	/// // because the surrounding expression involves no function call.
1042	/// let p = &foo() as *const T;
1043	/// unsafe { p.read() };
1044	/// ```
1045	/// Naively replacing the cast with `from_ref` is not valid:
1046	/// ```rust,no_run
1047	/// # use std::ptr;
1048	/// # type T = i32;
1049	/// # fn foo() -> T { `42` }
1050	/// // The temporary holding the return value of `foo` does not* have its lifetime extended,*
1051	/// // because the surrounding expression involves a function call.
1052	/// let p = ptr::from_ref(&foo());
1053	/// unsafe { p.read() }; // UB! Reading from a dangling pointer ⚠️
1054	/// ```
1055	/// The recommended way to write this code is to avoid relying on lifetime extension
1056	/// when raw pointers are involved:
1057	/// ```rust
1058	/// # use std::ptr;
1059	/// # type T = i32;
1060	/// # fn foo() -> T { `42` }
1061	/// let x = foo();
1062	/// let p = ptr::from_ref(&x);
1063	/// unsafe { p.read() };
1064	/// ```
1065	#[inline(always)]
1066	#[must_use]
1067	#[stable(feature = "ptr_from_ref", since = "1.76.0")]
1068	#[rustc_const_stable(feature = "ptr_from_ref", since = "1.76.0")]
1069	#[rustc_never_returns_null_ptr]
1070	#[rustc_diagnostic_item = "ptr_from_ref"]
1071	pub const fn from_ref<T: ?Sized>(r: &T) -> *const T {
1072	r
1073	}
1074
1075	/// Converts a mutable reference to a raw pointer.
1076	///
1077	/// For `r: &mut T`, `from_mut(r)` is equivalent to `r as mut T` (except for the caveat noted*
1078	/// below), but is a bit safer since it will never silently change type or mutability, in particular
1079	/// if the code is refactored.
1080	///
1081	/// The caller must ensure that the pointee outlives the pointer this function returns, or else it
1082	/// will end up dangling.
1083	///
1084	/// ## Interaction with lifetime extension
1085	///
1086	/// Note that this has subtle interactions with the rules for lifetime extension of temporaries in
1087	/// tail expressions. This code is valid, albeit in a non-obvious way:
1088	/// ```rust
1089	/// # type T = i32;
1090	/// # fn foo() -> T { `42` }
1091	/// // The temporary holding the return value of `foo` has its lifetime extended,
1092	/// // because the surrounding expression involves no function call.
1093	/// let p = &mut foo() as *mut T;
1094	/// unsafe { p.write(T::default()) };
1095	/// ```
1096	/// Naively replacing the cast with `from_mut` is not valid:
1097	/// ```rust,no_run
1098	/// # use std::ptr;
1099	/// # type T = i32;
1100	/// # fn foo() -> T { `42` }
1101	/// // The temporary holding the return value of `foo` does not* have its lifetime extended,*
1102	/// // because the surrounding expression involves a function call.
1103	/// let p = ptr::from_mut(&mut foo());
1104	/// unsafe { p.write(T::default()) }; // UB! Writing to a dangling pointer ⚠️
1105	/// ```
1106	/// The recommended way to write this code is to avoid relying on lifetime extension
1107	/// when raw pointers are involved:
1108	/// ```rust
1109	/// # use std::ptr;
1110	/// # type T = i32;
1111	/// # fn foo() -> T { `42` }
1112	/// let mut x = foo();
1113	/// let p = ptr::from_mut(&mut x);
1114	/// unsafe { p.write(T::default()) };
1115	/// ```
1116	#[inline(always)]
1117	#[must_use]
1118	#[stable(feature = "ptr_from_ref", since = "1.76.0")]
1119	#[rustc_const_stable(feature = "ptr_from_ref", since = "1.76.0")]
1120	#[rustc_never_returns_null_ptr]
1121	pub const fn from_mut<T: ?Sized>(r: &mut T) -> *mut T {
1122	r
1123	}
1124
1125	/// Forms a raw slice from a pointer and a length.
1126	///
1127	/// The `len` argument is the number of elements, not the number of bytes.
1128	///
1129	/// This function is safe, but actually using the return value is unsafe.
1130	/// See the documentation of [`slice::from_raw_parts`] for slice safety requirements.
1131	///
1132	/// [`slice::from_raw_parts`]: crate::slice::from_raw_parts
1133	///
1134	/// # Examples
1135	///
1136	/// ```rust
1137	/// use std::ptr;
1138	///
1139	/// // create a slice pointer when starting out with a pointer to the first element
1140	/// let x = [`5`, `6`, `7`];
1141	/// let raw_pointer = x.as_ptr();
1142	/// let slice = ptr::slice_from_raw_parts(raw_pointer, `3`);
1143	/// assert_eq!(unsafe { &*slice }[`2`], `7`);
1144	/// ```
1145	///
1146	/// You must ensure that the pointer is valid and not null before dereferencing
1147	/// the raw slice. A slice reference must never have a null pointer, even if it's empty.
1148	///
1149	/// ```rust,should_panic
1150	/// use std::ptr;
1151	/// let danger: *const [u8] = ptr::slice_from_raw_parts(ptr::null(), `0`);
1152	/// unsafe {
1153	/// danger.as_ref().expect("references must not be null");
1154	/// }
1155	/// ```
1156	#[inline]
1157	#[stable(feature = "slice_from_raw_parts", since = "1.42.0")]
1158	#[rustc_const_stable(feature = "const_slice_from_raw_parts", since = "1.64.0")]
1159	#[rustc_diagnostic_item = "ptr_slice_from_raw_parts"]
1160	pub const fn slice_from_raw_parts<T>(data: *const T, len: usize) -> *const [T] {
1161	from_raw_parts(data, metadata:len)
1162	}
1163
1164	/// Forms a raw mutable slice from a pointer and a length.
1165	///
1166	/// The `len` argument is the number of elements, not the number of bytes.
1167	///
1168	/// Performs the same functionality as [`slice_from_raw_parts`], except that a
1169	/// raw mutable slice is returned, as opposed to a raw immutable slice.
1170	///
1171	/// This function is safe, but actually using the return value is unsafe.
1172	/// See the documentation of [`slice::from_raw_parts_mut`] for slice safety requirements.
1173	///
1174	/// [`slice::from_raw_parts_mut`]: crate::slice::from_raw_parts_mut
1175	///
1176	/// # Examples
1177	///
1178	/// ```rust
1179	/// use std::ptr;
1180	///
1181	/// let x = &mut [`5`, `6`, `7`];
1182	/// let raw_pointer = x.as_mut_ptr();
1183	/// let slice = ptr::slice_from_raw_parts_mut(raw_pointer, `3`);
1184	///
1185	/// unsafe {
1186	/// (slice)[`2`] = `99`; // assign a value at an index in the slice*
1187	/// };
1188	///
1189	/// assert_eq!(unsafe { &*slice }[`2`], `99`);
1190	/// ```
1191	///
1192	/// You must ensure that the pointer is valid and not null before dereferencing
1193	/// the raw slice. A slice reference must never have a null pointer, even if it's empty.
1194	///
1195	/// ```rust,should_panic
1196	/// use std::ptr;
1197	/// let danger: *mut [u8] = ptr::slice_from_raw_parts_mut(ptr::null_mut(), `0`);
1198	/// unsafe {
1199	/// danger.as_mut().expect("references must not be null");
1200	/// }
1201	/// ```
1202	#[inline]
1203	#[stable(feature = "slice_from_raw_parts", since = "1.42.0")]
1204	#[rustc_const_stable(feature = "const_slice_from_raw_parts_mut", since = "1.83.0")]
1205	#[rustc_diagnostic_item = "ptr_slice_from_raw_parts_mut"]
1206	pub const fn slice_from_raw_parts_mut<T>(data: *mut T, len: usize) -> *mut [T] {
1207	from_raw_parts_mut(data, metadata:len)
1208	}
1209
1210	/// Swaps the values at two mutable locations of the same type, without
1211	/// deinitializing either.
1212	///
1213	/// But for the following exceptions, this function is semantically
1214	/// equivalent to [`mem::swap`]:
1215	///
1216	/// It operates on raw pointers instead of references. When references are*
1217	/// available, [`mem::swap`] should be preferred.
1218	///
1219	/// The two pointed-to values may overlap. If the values do overlap, then the*
1220	/// overlapping region of memory from `x` will be used. This is demonstrated
1221	/// in the second example below.
1222	///
1223	/// The operation is "untyped" in the sense that data may be uninitialized or otherwise violate*
1224	/// the requirements of `T`. The initialization state is preserved exactly.
1225	///
1226	/// # Safety
1227	///
1228	/// Behavior is undefined if any of the following conditions are violated:
1229	///
1230	/// Both `x` and `y` must be [valid] for both reads and writes. They must remain valid even when the*
1231	/// other pointer is written. (This means if the memory ranges overlap, the two pointers must not
1232	/// be subject to aliasing restrictions relative to each other.)
1233	///
1234	/// Both `x` and `y` must be properly aligned.*
1235	///
1236	/// Note that even if `T` has size `0`, the pointers must be properly aligned.
1237	///
1238	/// [valid]: self#safety
1239	///
1240	/// # Examples
1241	///
1242	/// Swapping two non-overlapping regions:
1243	///
1244	/// ```
1245	/// use std::ptr;
1246	///
1247	/// let mut array = [`0`, `1`, `2`, `3`];
1248	///
1249	/// let (x, y) = array.split_at_mut(`2`);
1250	/// let x = x.as_mut_ptr().cast::<[u32; `2`]>(); // this is `array[0..2]`
1251	/// let y = y.as_mut_ptr().cast::<[u32; `2`]>(); // this is `array[2..4]`
1252	///
1253	/// unsafe {
1254	/// ptr::swap(x, y);
1255	/// assert_eq!([`2`, `3`, `0`, `1`], array);
1256	/// }
1257	/// ```
1258	///
1259	/// Swapping two overlapping regions:
1260	///
1261	/// ```
1262	/// use std::ptr;
1263	///
1264	/// let mut array: [i32; `4`] = [`0`, `1`, `2`, `3`];
1265	///
1266	/// let array_ptr: *mut i32 = array.as_mut_ptr();
1267	///
1268	/// let x = array_ptr as *mut [i32; `3`]; // this is `array[0..3]`
1269	/// let y = unsafe { array_ptr.add(`1`) } as *mut [i32; `3`]; // this is `array[1..4]`
1270	///
1271	/// unsafe {
1272	/// ptr::swap(x, y);
1273	/// // The indices `1..3` of the slice overlap between `x` and `y`.
1274	/// // Reasonable results would be for to them be `[2, 3]`, so that indices `0..3` are
1275	/// // `[1, 2, 3]` (matching `y` before the `swap`); or for them to be `[0, 1]`
1276	/// // so that indices `1..4` are `[0, 1, 2]` (matching `x` before the `swap`).
1277	/// // This implementation is defined to make the latter choice.
1278	/// assert_eq!([`1`, `0`, `1`, `2`], array);
1279	/// }
1280	/// ```
1281	#[inline]
1282	#[stable(feature = "rust1", since = "1.0.0")]
1283	#[rustc_const_stable(feature = "const_swap", since = "1.85.0")]
1284	#[rustc_diagnostic_item = "ptr_swap"]
1285	pub const unsafe fn swap<T>(x: *mut T, y: *mut T) {
1286	// Give ourselves some scratch space to work with.
1287	// We do not have to worry about drops: `MaybeUninit` does nothing when dropped.
1288	let mut tmp: MaybeUninit = MaybeUninit::<T>::uninit();
1289
1290	// Perform the swap
1291	// SAFETY: the caller must guarantee that `x` and `y` are
1292	// valid for writes and properly aligned. `tmp` cannot be
1293	// overlapping either `x` or `y` because `tmp` was just allocated
1294	// on the stack as a separate allocation.
1295	unsafe {
1296	copy_nonoverlapping(src:x, dst:tmp.as_mut_ptr(), count:`1`);
1297	copy(src:y, dst:x, count:`1`); // `x` and `y` may overlap
1298	copy_nonoverlapping(src:tmp.as_ptr(), dst:y, count:`1`);
1299	}
1300	}
1301
1302	/// Swaps `count size_of::<T>()` bytes between the two regions of memory*
1303	/// beginning at `x` and `y`. The two regions must not* overlap.*
1304	///
1305	/// The operation is "untyped" in the sense that data may be uninitialized or otherwise violate the
1306	/// requirements of `T`. The initialization state is preserved exactly.
1307	///
1308	/// # Safety
1309	///
1310	/// Behavior is undefined if any of the following conditions are violated:
1311	///
1312	/// * Both `x` and `y` must be [valid] for both reads and writes of `count *
1313	/// size_of::<T>()` bytes.
1314	///
1315	/// Both `x` and `y` must be properly aligned.*
1316	///
1317	/// * The region of memory beginning at `x` with a size of `count *
1318	/// size_of::<T>()` bytes must not* overlap with the region of memory*
1319	/// beginning at `y` with the same size.
1320	///
1321	/// Note that even if the effectively copied size (`count size_of::<T>()`) is `0`,*
1322	/// the pointers must be properly aligned.
1323	///
1324	/// [valid]: self#safety
1325	///
1326	/// # Examples
1327	///
1328	/// Basic usage:
1329	///
1330	/// ```
1331	/// use std::ptr;
1332	///
1333	/// let mut x = [`1`, `2`, `3`, `4`];
1334	/// let mut y = [`7`, `8`, `9`];
1335	///
1336	/// unsafe {
1337	/// ptr::swap_nonoverlapping(x.as_mut_ptr(), y.as_mut_ptr(), `2`);
1338	/// }
1339	///
1340	/// assert_eq!(x, [`7`, `8`, `3`, `4`]);
1341	/// assert_eq!(y, [`1`, `2`, `9`]);
1342	/// ```
1343	///
1344	/// # Const evaluation limitations
1345	///
1346	/// If this function is invoked during const-evaluation, the current implementation has a small (and
1347	/// rarely relevant) limitation: if `count` is at least 2 and the data pointed to by `x` or `y`
1348	/// contains a pointer that crosses the boundary of two `T`-sized chunks of memory, the function may
1349	/// fail to evaluate (similar to a panic during const-evaluation). This behavior may change in the
1350	/// future.
1351	///
1352	/// The limitation is illustrated by the following example:
1353	///
1354	/// ```
1355	/// use std::mem::size_of;
1356	/// use std::ptr;
1357	///
1358	/// const { unsafe {
1359	/// const PTR_SIZE: usize = size_of::<*const i32>();
1360	/// let mut data1 = [`0u8`; PTR_SIZE];
1361	/// let mut data2 = [`0u8`; PTR_SIZE];
1362	/// // Store a pointer in `data1`.
1363	/// data1.as_mut_ptr().cast::<*const i32>().write_unaligned(&`42`);
1364	/// // Swap the contents of `data1` and `data2` by swapping `PTR_SIZE` many `u8`-sized chunks.
1365	/// // This call will fail, because the pointer in `data1` crosses the boundary
1366	/// // between several of the 1-byte chunks that are being swapped here.
1367	/// //ptr::swap_nonoverlapping(data1.as_mut_ptr(), data2.as_mut_ptr(), PTR_SIZE);
1368	/// // Swap the contents of `data1` and `data2` by swapping a single chunk of size
1369	/// // `[u8; PTR_SIZE]`. That works, as there is no pointer crossing the boundary between
1370	/// // two chunks.
1371	/// ptr::swap_nonoverlapping(&mut data1, &mut data2, `1`);
1372	/// // Read the pointer from `data2` and dereference it.
1373	/// let ptr = data2.as_ptr().cast::<*const i32>().read_unaligned();
1374	/// assert!(*ptr == `42`);
1375	/// } }
1376	/// ```
1377	#[inline]
1378	#[stable(feature = "swap_nonoverlapping", since = "1.27.0")]
1379	#[rustc_const_stable(feature = "const_swap_nonoverlapping", since = "1.88.0")]
1380	#[rustc_diagnostic_item = "ptr_swap_nonoverlapping"]
1381	#[rustc_allow_const_fn_unstable(const_eval_select)] // both implementations behave the same
1382	#[track_caller]
1383	pub const unsafe fn swap_nonoverlapping<T>(x: *mut T, y: *mut T, count: usize) {
1384	ub_checks::assert_unsafe_precondition!(
1385	check_library_ub,
1386	"ptr::swap_nonoverlapping requires that both pointer arguments are aligned and non-null \
1387	and the specified memory ranges do not overlap",
1388	(
1389	x: *mut () = x as *mut (),
1390	y: *mut () = y as *mut (),
1391	size: usize = size_of::<T>(),
1392	align: usize = align_of::<T>(),
1393	count: usize = count,
1394	) => {
1395	let zero_size = size == `0` \|\| count == `0`;
1396	ub_checks::maybe_is_aligned_and_not_null(x, align, zero_size)
1397	&& ub_checks::maybe_is_aligned_and_not_null(y, align, zero_size)
1398	&& ub_checks::maybe_is_nonoverlapping(x, y, size, count)
1399	}
1400	);
1401
1402	const_eval_select!(
1403	@capture[T] { x: *mut T, y: *mut T, count: usize }:
1404	if const {
1405	// At compile-time we want to always copy this in chunks of `T`, to ensure that if there
1406	// are pointers inside `T` we will copy them in one go rather than trying to copy a part
1407	// of a pointer (which would not work).
1408	// SAFETY: Same preconditions as this function
1409	unsafe { swap_nonoverlapping_const(x, y, count) }
1410	} else {
1411	// Going though a slice here helps codegen know the size fits in `isize`
1412	let slice = slice_from_raw_parts_mut(x, count);
1413	// SAFETY: This is all readable from the pointer, meaning it's one
1414	// allocation, and thus cannot be more than isize::MAX bytes.
1415	let bytes = unsafe { mem::size_of_val_raw::<[T]>(slice) };
1416	if let Some(bytes) = NonZero::new(bytes) {
1417	// SAFETY: These are the same ranges, just expressed in a different
1418	// type, so they're still non-overlapping.
1419	unsafe { swap_nonoverlapping_bytes(x.cast(), y.cast(), bytes) };
1420	}
1421	}
1422	)
1423	}
1424
1425	/// Same behavior and safety conditions as [`swap_nonoverlapping`]
1426	#[inline]
1427	const unsafe fn swap_nonoverlapping_const<T>(x: *mut T, y: *mut T, count: usize) {
1428	let mut i: usize = `0`;
1429	while i < count {
1430	// SAFETY: By precondition, `i` is in-bounds because it's below `n`
1431	let x: mut T = unsafe* { x.add(count:i) };
1432	// SAFETY: By precondition, `i` is in-bounds because it's below `n`
1433	// and it's distinct from `x` since the ranges are non-overlapping
1434	let y: mut T = unsafe* { y.add(count:i) };
1435
1436	// SAFETY: we're only ever given pointers that are valid to read/write,
1437	// including being aligned, and nothing here panics so it's drop-safe.
1438	unsafe {
1439	// Note that it's critical that these use `copy_nonoverlapping`,
1440	// rather than `read`/`write`, to avoid #134713 if T has padding.
1441	let mut temp: MaybeUninit = MaybeUninit::<T>::uninit();
1442	copy_nonoverlapping(src:x, dst:temp.as_mut_ptr(), count:`1`);
1443	copy_nonoverlapping(src:y, dst:x, count:`1`);
1444	copy_nonoverlapping(src:temp.as_ptr(), dst:y, count:`1`);
1445	}
1446
1447	i += `1`;
1448	}
1449	}
1450
1451	// Don't let MIR inline this, because we really want it to keep its noalias metadata
1452	#[rustc_no_mir_inline]
1453	#[inline]
1454	fn swap_chunk<const N: usize>(x: &mut MaybeUninit<[u8; N]>, y: &mut MaybeUninit<[u8; N]>) {
1455	let a: MaybeUninit<[u8; N]> = *x;
1456	let b: MaybeUninit<[u8; N]> = *y;
1457	*x = b;
1458	*y = a;
1459	}
1460
1461	#[inline]
1462	unsafe fn swap_nonoverlapping_bytes(x: *mut u8, y: *mut u8, bytes: NonZero<usize>) {
1463	// Same as `swap_nonoverlapping::<[u8; N]>`.
1464	unsafe fn swap_nonoverlapping_chunks<const N: usize>(
1465	x: *mut MaybeUninit<[u8; N]>,
1466	y: *mut MaybeUninit<[u8; N]>,
1467	chunks: NonZero<usize>,
1468	) {
1469	let chunks = chunks.get();
1470	for i in `0`..chunks {
1471	// SAFETY: i is in [0, chunks) so the adds and dereferences are in-bounds.
1472	unsafe { swap_chunk(&mut x.add(i), &mut* *y.add(i)) };
1473	}
1474	}
1475
1476	// Same as `swap_nonoverlapping_bytes`, but accepts at most 1+2+4=7 bytes
1477	#[inline]
1478	unsafe fn swap_nonoverlapping_short(x: *mut u8, y: *mut u8, bytes: NonZero<usize>) {
1479	// Tail handling for auto-vectorized code sometimes has element-at-a-time behaviour,
1480	// see <https://github.com/rust-lang/rust/issues/134946>.
1481	// By swapping as different sizes, rather than as a loop over bytes,
1482	// we make sure not to end up with, say, seven byte-at-a-time copies.
1483
1484	let bytes = bytes.get();
1485	let mut i = `0`;
1486	macro_rules! swap_prefix {
1487	($($n:literal)+) => {$(
1488	if (bytes & $n) != `0` {
1489	// SAFETY: `i` can only have the same bits set as those in bytes,
1490	// so these `add`s are in-bounds of `bytes`. But the bit for
1491	// `$n` hasn't been set yet, so the `$n` bytes that `swap_chunk`
1492	// will read and write are within the usable range.
1493	unsafe { swap_chunk::<$n>(&mutx.add(i).cast(), &mut**y.add(i).cast()) };
1494	i \|= $n;
1495	}
1496	)+};
1497	}
1498	swap_prefix!(`4` `2` `1`);
1499	debug_assert_eq!(i, bytes);
1500	}
1501
1502	const CHUNK_SIZE: usize = size_of::<*const ()>();
1503	let bytes = bytes.get();
1504
1505	let chunks = bytes / CHUNK_SIZE;
1506	let tail = bytes % CHUNK_SIZE;
1507	if let Some(chunks) = NonZero::new(chunks) {
1508	// SAFETY: this is bytes/CHUNK_SIZECHUNK_SIZE bytes, which is <= bytes,*
1509	// so it's within the range of our non-overlapping bytes.
1510	unsafe { swap_nonoverlapping_chunks::<CHUNK_SIZE>(x.cast(), y.cast(), chunks) };
1511	}
1512	if let Some(tail) = NonZero::new(tail) {
1513	const { assert!(CHUNK_SIZE <= `8`) };
1514	let delta = chunks * CHUNK_SIZE;
1515	// SAFETY: the tail length is below CHUNK SIZE because of the remainder,
1516	// and CHUNK_SIZE is at most 8 by the const assert, so tail <= 7
1517	unsafe { swap_nonoverlapping_short(x.add(delta), y.add(delta), tail) };
1518	}
1519	}
1520
1521	/// Moves `src` into the pointed `dst`, returning the previous `dst` value.
1522	///
1523	/// Neither value is dropped.
1524	///
1525	/// This function is semantically equivalent to [`mem::replace`] except that it
1526	/// operates on raw pointers instead of references. When references are
1527	/// available, [`mem::replace`] should be preferred.
1528	///
1529	/// # Safety
1530	///
1531	/// Behavior is undefined if any of the following conditions are violated:
1532	///
1533	/// `dst` must be [valid] for both reads and writes.*
1534	///
1535	/// `dst` must be properly aligned.*
1536	///
1537	/// `dst` must point to a properly initialized value of type `T`.*
1538	///
1539	/// Note that even if `T` has size `0`, the pointer must be properly aligned.
1540	///
1541	/// [valid]: self#safety
1542	///
1543	/// # Examples
1544	///
1545	/// ```
1546	/// use std::ptr;
1547	///
1548	/// let mut rust = vec!['b', 'u', 's', 't'];
1549	///
1550	/// // `mem::replace` would have the same effect without requiring the unsafe
1551	/// // block.
1552	/// let b = unsafe {
1553	/// ptr::replace(&mut rust[`0`], 'r')
1554	/// };
1555	///
1556	/// assert_eq!(b, 'b');
1557	/// assert_eq!(rust, &['r', 'u', 's', 't']);
1558	/// ```
1559	#[inline]
1560	#[stable(feature = "rust1", since = "1.0.0")]
1561	#[rustc_const_stable(feature = "const_replace", since = "1.83.0")]
1562	#[rustc_diagnostic_item = "ptr_replace"]
1563	#[track_caller]
1564	pub const unsafe fn replace<T>(dst: *mut T, src: T) -> T {
1565	// SAFETY: the caller must guarantee that `dst` is valid to be
1566	// cast to a mutable reference (valid for writes, aligned, initialized),
1567	// and cannot overlap `src` since `dst` must point to a distinct
1568	// allocation.
1569	unsafe {
1570	ub_checks::assert_unsafe_precondition!(
1571	check_language_ub,
1572	"ptr::replace requires that the pointer argument is aligned and non-null",
1573	(
1574	addr: *const () = dst as *const (),
1575	align: usize = align_of::<T>(),
1576	is_zst: bool = T::IS_ZST,
1577	) => ub_checks::maybe_is_aligned_and_not_null(addr, align, is_zst)
1578	);
1579	mem::replace(&mut *dst, src)
1580	}
1581	}
1582
1583	/// Reads the value from `src` without moving it. This leaves the
1584	/// memory in `src` unchanged.
1585	///
1586	/// # Safety
1587	///
1588	/// Behavior is undefined if any of the following conditions are violated:
1589	///
1590	/// `src` must be [valid] for reads.*
1591	///
1592	/// `src` must be properly aligned. Use* [`read_unaligned`] if this is not the
1593	/// case.
1594	///
1595	/// `src` must point to a properly initialized value of type `T`.*
1596	///
1597	/// Note that even if `T` has size `0`, the pointer must be properly aligned.
1598	///
1599	/// # Examples
1600	///
1601	/// Basic usage:
1602	///
1603	/// ```
1604	/// let x = `12`;
1605	/// let y = &x as *const i32;
1606	///
1607	/// unsafe {
1608	/// assert_eq!(std::ptr::read(y), `12`);
1609	/// }
1610	/// ```
1611	///
1612	/// Manually implement [`mem::swap`]:
1613	///
1614	/// ```
1615	/// use std::ptr;
1616	///
1617	/// fn swap<T>(a: &mut T, b: &mut T) {
1618	/// unsafe {
1619	/// // Create a bitwise copy of the value at `a` in `tmp`.
1620	/// let tmp = ptr::read(a);
1621	///
1622	/// // Exiting at this point (either by explicitly returning or by
1623	/// // calling a function which panics) would cause the value in `tmp` to
1624	/// // be dropped while the same value is still referenced by `a`. This
1625	/// // could trigger undefined behavior if `T` is not `Copy`.
1626	///
1627	/// // Create a bitwise copy of the value at `b` in `a`.
1628	/// // This is safe because mutable references cannot alias.
1629	/// ptr::copy_nonoverlapping(b, a, `1`);
1630	///
1631	/// // As above, exiting here could trigger undefined behavior because
1632	/// // the same value is referenced by `a` and `b`.
1633	///
1634	/// // Move `tmp` into `b`.
1635	/// ptr::write(b, tmp);
1636	///
1637	/// // `tmp` has been moved (`write` takes ownership of its second argument),
1638	/// // so nothing is dropped implicitly here.
1639	/// }
1640	/// }
1641	///
1642	/// let mut foo = "foo".to_owned();
1643	/// let mut bar = "bar".to_owned();
1644	///
1645	/// swap(&mut foo, &mut bar);
1646	///
1647	/// assert_eq!(foo, "bar");
1648	/// assert_eq!(bar, "foo");
1649	/// ```
1650	///
1651	/// ## Ownership of the Returned Value
1652	///
1653	/// `read` creates a bitwise copy of `T`, regardless of whether `T` is [`Copy`].
1654	/// If `T` is not [`Copy`], using both the returned value and the value at
1655	/// `src` can violate memory safety. Note that assigning to `src` counts as a
1656	/// use because it will attempt to drop the value at `src`.*
1657	///
1658	/// [`write()`] can be used to overwrite data without causing it to be dropped.
1659	///
1660	/// ```
1661	/// use std::ptr;
1662	///
1663	/// let mut s = String::from("foo");
1664	/// unsafe {
1665	/// // `s2` now points to the same underlying memory as `s`.
1666	/// let mut s2: String = ptr::read(&s);
1667	///
1668	/// assert_eq!(s2, "foo");
1669	///
1670	/// // Assigning to `s2` causes its original value to be dropped. Beyond
1671	/// // this point, `s` must no longer be used, as the underlying memory has
1672	/// // been freed.
1673	/// s2 = String::default();
1674	/// assert_eq!(s2, "");
1675	///
1676	/// // Assigning to `s` would cause the old value to be dropped again,
1677	/// // resulting in undefined behavior.
1678	/// // s = String::from("bar"); // ERROR
1679	///
1680	/// // `ptr::write` can be used to overwrite a value without dropping it.
1681	/// ptr::write(&mut s, String::from("bar"));
1682	/// }
1683	///
1684	/// assert_eq!(s, "bar");
1685	/// ```
1686	///
1687	/// [valid]: self#safety
1688	#[inline]
1689	#[stable(feature = "rust1", since = "1.0.0")]
1690	#[rustc_const_stable(feature = "const_ptr_read", since = "1.71.0")]
1691	#[track_caller]
1692	#[rustc_diagnostic_item = "ptr_read"]
1693	pub const unsafe fn read<T>(src: *const T) -> T {
1694	// It would be semantically correct to implement this via `copy_nonoverlapping`
1695	// and `MaybeUninit`, as was done before PR #109035. Calling `assume_init`
1696	// provides enough information to know that this is a typed operation.
1697
1698	// However, as of March 2023 the compiler was not capable of taking advantage
1699	// of that information. Thus, the implementation here switched to an intrinsic,
1700	// which lowers to `_0 = src` in MIR, to address a few issues:*
1701	//
1702	// - Using `MaybeUninit::assume_init` after a `copy_nonoverlapping` was not
1703	// turning the untyped copy into a typed load. As such, the generated
1704	// `load` in LLVM didn't get various metadata, such as `!range` (#73258),
1705	// `!nonnull`, and `!noundef`, resulting in poorer optimization.
1706	// - Going through the extra local resulted in multiple extra copies, even
1707	// in optimized MIR. (Ignoring StorageLive/Dead, the intrinsic is one
1708	// MIR statement, while the previous implementation was eight.) LLVM
1709	// could sometimes optimize them away, but because `read` is at the core
1710	// of so many things, not having them in the first place improves what we
1711	// hand off to the backend. For example, `mem::replace::<Big>` previously
1712	// emitted 4 `alloca` and 6 `memcpy`s, but is now 1 `alloc` and 3 `memcpy`s.
1713	// - In general, this approach keeps us from getting any more bugs (like
1714	// #106369) that boil down to "`read(p)` is worse than `p`", as this*
1715	// makes them look identical to the backend (or other MIR consumers).
1716	//
1717	// Future enhancements to MIR optimizations might well allow this to return
1718	// to the previous implementation, rather than using an intrinsic.
1719
1720	// SAFETY: the caller must guarantee that `src` is valid for reads.
1721	unsafe {
1722	#[cfg(debug_assertions)] // Too expensive to always enable (for now?)
1723	ub_checks::assert_unsafe_precondition!(
1724	check_language_ub,
1725	"ptr::read requires that the pointer argument is aligned and non-null",
1726	(
1727	addr: *const () = src as *const (),
1728	align: usize = align_of::<T>(),
1729	is_zst: bool = T::IS_ZST,
1730	) => ub_checks::maybe_is_aligned_and_not_null(addr, align, is_zst)
1731	);
1732	crate::intrinsics::read_via_copy(src)
1733	}
1734	}
1735
1736	/// Reads the value from `src` without moving it. This leaves the
1737	/// memory in `src` unchanged.
1738	///
1739	/// Unlike [`read`], `read_unaligned` works with unaligned pointers.
1740	///
1741	/// # Safety
1742	///
1743	/// Behavior is undefined if any of the following conditions are violated:
1744	///
1745	/// `src` must be [valid] for reads.*
1746	///
1747	/// `src` must point to a properly initialized value of type `T`.*
1748	///
1749	/// Like [`read`], `read_unaligned` creates a bitwise copy of `T`, regardless of
1750	/// whether `T` is [`Copy`]. If `T` is not [`Copy`], using both the returned
1751	/// value and the value at `src` can [violate memory safety][read-ownership].*
1752	///
1753	/// [read-ownership]: read#ownership-of-the-returned-value
1754	/// [valid]: self#safety
1755	///
1756	/// ## On `packed` structs
1757	///
1758	/// Attempting to create a raw pointer to an `unaligned` struct field with
1759	/// an expression such as `&packed.unaligned as const FieldType` creates an*
1760	/// intermediate unaligned reference before converting that to a raw pointer.
1761	/// That this reference is temporary and immediately cast is inconsequential
1762	/// as the compiler always expects references to be properly aligned.
1763	/// As a result, using `&packed.unaligned as const FieldType` causes immediate*
1764	/// undefined behavior* in your program.*
1765	///
1766	/// Instead you must use the `&raw const` syntax to create the pointer.
1767	/// You may use that constructed pointer together with this function.
1768	///
1769	/// An example of what not to do and how this relates to `read_unaligned` is:
1770	///
1771	/// ```
1772	/// #[repr(packed, C)]
1773	/// struct Packed {
1774	/// _padding: u8,
1775	/// unaligned: u32,
1776	/// }
1777	///
1778	/// let packed = Packed {
1779	/// _padding: `0x00`,
1780	/// unaligned: `0x01020304`,
1781	/// };
1782	///
1783	/// // Take the address of a 32-bit integer which is not aligned.
1784	/// // In contrast to `&packed.unaligned as const _`, this has no undefined behavior.*
1785	/// let unaligned = &raw const packed.unaligned;
1786	///
1787	/// let v = unsafe { std::ptr::read_unaligned(unaligned) };
1788	/// assert_eq!(v, `0x01020304`);
1789	/// ```
1790	///
1791	/// Accessing unaligned fields directly with e.g. `packed.unaligned` is safe however.
1792	///
1793	/// # Examples
1794	///
1795	/// Read a `usize` value from a byte buffer:
1796	///
1797	/// ```
1798	/// fn read_usize(x: &[u8]) -> usize {
1799	/// assert!(x.len() >= size_of::<usize>());
1800	///
1801	/// let ptr = x.as_ptr() as *const usize;
1802	///
1803	/// unsafe { ptr.read_unaligned() }
1804	/// }
1805	/// ```
1806	#[inline]
1807	#[stable(feature = "ptr_unaligned", since = "1.17.0")]
1808	#[rustc_const_stable(feature = "const_ptr_read", since = "1.71.0")]
1809	#[track_caller]
1810	#[rustc_diagnostic_item = "ptr_read_unaligned"]
1811	pub const unsafe fn read_unaligned<T>(src: *const T) -> T {
1812	let mut tmp: MaybeUninit = MaybeUninit::<T>::uninit();
1813	// SAFETY: the caller must guarantee that `src` is valid for reads.
1814	// `src` cannot overlap `tmp` because `tmp` was just allocated on
1815	// the stack as a separate allocation.
1816	//
1817	// Also, since we just wrote a valid value into `tmp`, it is guaranteed
1818	// to be properly initialized.
1819	unsafe {
1820	copy_nonoverlapping(src as *const u8, dst:tmp.as_mut_ptr() as *mut u8, count:size_of::<T>());
1821	tmp.assume_init()
1822	}
1823	}
1824
1825	/// Overwrites a memory location with the given value without reading or
1826	/// dropping the old value.
1827	///
1828	/// `write` does not drop the contents of `dst`. This is safe, but it could leak
1829	/// allocations or resources, so care should be taken not to overwrite an object
1830	/// that should be dropped.
1831	///
1832	/// Additionally, it does not drop `src`. Semantically, `src` is moved into the
1833	/// location pointed to by `dst`.
1834	///
1835	/// This is appropriate for initializing uninitialized memory, or overwriting
1836	/// memory that has previously been [`read`] from.
1837	///
1838	/// # Safety
1839	///
1840	/// Behavior is undefined if any of the following conditions are violated:
1841	///
1842	/// `dst` must be [valid] for writes.*
1843	///
1844	/// `dst` must be properly aligned. Use* [`write_unaligned`] if this is not the
1845	/// case.
1846	///
1847	/// Note that even if `T` has size `0`, the pointer must be properly aligned.
1848	///
1849	/// [valid]: self#safety
1850	///
1851	/// # Examples
1852	///
1853	/// Basic usage:
1854	///
1855	/// ```
1856	/// let mut x = `0`;
1857	/// let y = &mut x as *mut i32;
1858	/// let z = `12`;
1859	///
1860	/// unsafe {
1861	/// std::ptr::write(y, z);
1862	/// assert_eq!(std::ptr::read(y), `12`);
1863	/// }
1864	/// ```
1865	///
1866	/// Manually implement [`mem::swap`]:
1867	///
1868	/// ```
1869	/// use std::ptr;
1870	///
1871	/// fn swap<T>(a: &mut T, b: &mut T) {
1872	/// unsafe {
1873	/// // Create a bitwise copy of the value at `a` in `tmp`.
1874	/// let tmp = ptr::read(a);
1875	///
1876	/// // Exiting at this point (either by explicitly returning or by
1877	/// // calling a function which panics) would cause the value in `tmp` to
1878	/// // be dropped while the same value is still referenced by `a`. This
1879	/// // could trigger undefined behavior if `T` is not `Copy`.
1880	///
1881	/// // Create a bitwise copy of the value at `b` in `a`.
1882	/// // This is safe because mutable references cannot alias.
1883	/// ptr::copy_nonoverlapping(b, a, `1`);
1884	///
1885	/// // As above, exiting here could trigger undefined behavior because
1886	/// // the same value is referenced by `a` and `b`.
1887	///
1888	/// // Move `tmp` into `b`.
1889	/// ptr::write(b, tmp);
1890	///
1891	/// // `tmp` has been moved (`write` takes ownership of its second argument),
1892	/// // so nothing is dropped implicitly here.
1893	/// }
1894	/// }
1895	///
1896	/// let mut foo = "foo".to_owned();
1897	/// let mut bar = "bar".to_owned();
1898	///
1899	/// swap(&mut foo, &mut bar);
1900	///
1901	/// assert_eq!(foo, "bar");
1902	/// assert_eq!(bar, "foo");
1903	/// ```
1904	#[inline]
1905	#[stable(feature = "rust1", since = "1.0.0")]
1906	#[rustc_const_stable(feature = "const_ptr_write", since = "1.83.0")]
1907	#[rustc_diagnostic_item = "ptr_write"]
1908	#[track_caller]
1909	pub const unsafe fn write<T>(dst: *mut T, src: T) {
1910	// Semantically, it would be fine for this to be implemented as a
1911	// `copy_nonoverlapping` and appropriate drop suppression of `src`.
1912
1913	// However, implementing via that currently produces more MIR than is ideal.
1914	// Using an intrinsic keeps it down to just the simple `dst = move src` in*
1915	// MIR (11 statements shorter, at the time of writing), and also allows
1916	// `src` to stay an SSA value in codegen_ssa, rather than a memory one.
1917
1918	// SAFETY: the caller must guarantee that `dst` is valid for writes.
1919	// `dst` cannot overlap `src` because the caller has mutable access
1920	// to `dst` while `src` is owned by this function.
1921	unsafe {
1922	#[cfg(debug_assertions)] // Too expensive to always enable (for now?)
1923	ub_checks::assert_unsafe_precondition!(
1924	check_language_ub,
1925	"ptr::write requires that the pointer argument is aligned and non-null",
1926	(
1927	addr: *mut () = dst as *mut (),
1928	align: usize = align_of::<T>(),
1929	is_zst: bool = T::IS_ZST,
1930	) => ub_checks::maybe_is_aligned_and_not_null(addr, align, is_zst)
1931	);
1932	intrinsics::write_via_move(dst, src)
1933	}
1934	}
1935
1936	/// Overwrites a memory location with the given value without reading or
1937	/// dropping the old value.
1938	///
1939	/// Unlike [`write()`], the pointer may be unaligned.
1940	///
1941	/// `write_unaligned` does not drop the contents of `dst`. This is safe, but it
1942	/// could leak allocations or resources, so care should be taken not to overwrite
1943	/// an object that should be dropped.
1944	///
1945	/// Additionally, it does not drop `src`. Semantically, `src` is moved into the
1946	/// location pointed to by `dst`.
1947	///
1948	/// This is appropriate for initializing uninitialized memory, or overwriting
1949	/// memory that has previously been read with [`read_unaligned`].
1950	///
1951	/// # Safety
1952	///
1953	/// Behavior is undefined if any of the following conditions are violated:
1954	///
1955	/// `dst` must be [valid] for writes.*
1956	///
1957	/// [valid]: self#safety
1958	///
1959	/// ## On `packed` structs
1960	///
1961	/// Attempting to create a raw pointer to an `unaligned` struct field with
1962	/// an expression such as `&packed.unaligned as const FieldType` creates an*
1963	/// intermediate unaligned reference before converting that to a raw pointer.
1964	/// That this reference is temporary and immediately cast is inconsequential
1965	/// as the compiler always expects references to be properly aligned.
1966	/// As a result, using `&packed.unaligned as const FieldType` causes immediate*
1967	/// undefined behavior* in your program.*
1968	///
1969	/// Instead, you must use the `&raw mut` syntax to create the pointer.
1970	/// You may use that constructed pointer together with this function.
1971	///
1972	/// An example of how to do it and how this relates to `write_unaligned` is:
1973	///
1974	/// ```
1975	/// #[repr(packed, C)]
1976	/// struct Packed {
1977	/// _padding: u8,
1978	/// unaligned: u32,
1979	/// }
1980	///
1981	/// let mut packed: Packed = unsafe { std::mem::zeroed() };
1982	///
1983	/// // Take the address of a 32-bit integer which is not aligned.
1984	/// // In contrast to `&packed.unaligned as mut _`, this has no undefined behavior.*
1985	/// let unaligned = &raw mut packed.unaligned;
1986	///
1987	/// unsafe { std::ptr::write_unaligned(unaligned, `42`) };
1988	///
1989	/// assert_eq!({packed.unaligned}, `42`); // `{...}` forces copying the field instead of creating a reference.
1990	/// ```
1991	///
1992	/// Accessing unaligned fields directly with e.g. `packed.unaligned` is safe however
1993	/// (as can be seen in the `assert_eq!` above).
1994	///
1995	/// # Examples
1996	///
1997	/// Write a `usize` value to a byte buffer:
1998	///
1999	/// ```
2000	/// fn write_usize(x: &mut [u8], val: usize) {
2001	/// assert!(x.len() >= size_of::<usize>());
2002	///
2003	/// let ptr = x.as_mut_ptr() as *mut usize;
2004	///
2005	/// unsafe { ptr.write_unaligned(val) }
2006	/// }
2007	/// ```
2008	#[inline]
2009	#[stable(feature = "ptr_unaligned", since = "1.17.0")]
2010	#[rustc_const_stable(feature = "const_ptr_write", since = "1.83.0")]
2011	#[rustc_diagnostic_item = "ptr_write_unaligned"]
2012	#[track_caller]
2013	pub const unsafe fn write_unaligned<T>(dst: *mut T, src: T) {
2014	// SAFETY: the caller must guarantee that `dst` is valid for writes.
2015	// `dst` cannot overlap `src` because the caller has mutable access
2016	// to `dst` while `src` is owned by this function.
2017	unsafe {
2018	copy_nonoverlapping((&raw const src) as *const u8, dst as *mut u8, count:size_of::<T>());
2019	// We are calling the intrinsic directly to avoid function calls in the generated code.
2020	intrinsics::forget(src);
2021	}
2022	}
2023
2024	/// Performs a volatile read of the value from `src` without moving it. This
2025	/// leaves the memory in `src` unchanged.
2026	///
2027	/// Volatile operations are intended to act on I/O memory, and are guaranteed
2028	/// to not be elided or reordered by the compiler across other volatile
2029	/// operations.
2030	///
2031	/// # Notes
2032	///
2033	/// Rust does not currently have a rigorously and formally defined memory model,
2034	/// so the precise semantics of what "volatile" means here is subject to change
2035	/// over time. That being said, the semantics will almost always end up pretty
2036	/// similar to [C11's definition of volatile][c11].
2037	///
2038	/// The compiler shouldn't change the relative order or number of volatile
2039	/// memory operations. However, volatile memory operations on zero-sized types
2040	/// (e.g., if a zero-sized type is passed to `read_volatile`) are noops
2041	/// and may be ignored.
2042	///
2043	/// [c11]: http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1570.pdf
2044	///
2045	/// # Safety
2046	///
2047	/// Behavior is undefined if any of the following conditions are violated:
2048	///
2049	/// `src` must be [valid] for reads.*
2050	///
2051	/// `src` must be properly aligned.*
2052	///
2053	/// `src` must point to a properly initialized value of type `T`.*
2054	///
2055	/// Like [`read`], `read_volatile` creates a bitwise copy of `T`, regardless of
2056	/// whether `T` is [`Copy`]. If `T` is not [`Copy`], using both the returned
2057	/// value and the value at `src` can [violate memory safety][read-ownership].*
2058	/// However, storing non-[`Copy`] types in volatile memory is almost certainly
2059	/// incorrect.
2060	///
2061	/// Note that even if `T` has size `0`, the pointer must be properly aligned.
2062	///
2063	/// [valid]: self#safety
2064	/// [read-ownership]: read#ownership-of-the-returned-value
2065	///
2066	/// Just like in C, whether an operation is volatile has no bearing whatsoever
2067	/// on questions involving concurrent access from multiple threads. Volatile
2068	/// accesses behave exactly like non-atomic accesses in that regard. In particular,
2069	/// a race between a `read_volatile` and any write operation to the same location
2070	/// is undefined behavior.
2071	///
2072	/// # Examples
2073	///
2074	/// Basic usage:
2075	///
2076	/// ```
2077	/// let x = `12`;
2078	/// let y = &x as *const i32;
2079	///
2080	/// unsafe {
2081	/// assert_eq!(std::ptr::read_volatile(y), `12`);
2082	/// }
2083	/// ```
2084	#[inline]
2085	#[stable(feature = "volatile", since = "1.9.0")]
2086	#[track_caller]
2087	#[rustc_diagnostic_item = "ptr_read_volatile"]
2088	pub unsafe fn read_volatile<T>(src: *const T) -> T {
2089	// SAFETY: the caller must uphold the safety contract for `volatile_load`.
2090	unsafe {
2091	ub_checks::assert_unsafe_precondition!(
2092	check_language_ub,
2093	"ptr::read_volatile requires that the pointer argument is aligned and non-null",
2094	(
2095	addr: *const () = src as *const (),
2096	align: usize = align_of::<T>(),
2097	is_zst: bool = T::IS_ZST,
2098	) => ub_checks::maybe_is_aligned_and_not_null(addr, align, is_zst)
2099	);
2100	intrinsics::volatile_load(src)
2101	}
2102	}
2103
2104	/// Performs a volatile write of a memory location with the given value without
2105	/// reading or dropping the old value.
2106	///
2107	/// Volatile operations are intended to act on I/O memory, and are guaranteed
2108	/// to not be elided or reordered by the compiler across other volatile
2109	/// operations.
2110	///
2111	/// `write_volatile` does not drop the contents of `dst`. This is safe, but it
2112	/// could leak allocations or resources, so care should be taken not to overwrite
2113	/// an object that should be dropped.
2114	///
2115	/// Additionally, it does not drop `src`. Semantically, `src` is moved into the
2116	/// location pointed to by `dst`.
2117	///
2118	/// # Notes
2119	///
2120	/// Rust does not currently have a rigorously and formally defined memory model,
2121	/// so the precise semantics of what "volatile" means here is subject to change
2122	/// over time. That being said, the semantics will almost always end up pretty
2123	/// similar to [C11's definition of volatile][c11].
2124	///
2125	/// The compiler shouldn't change the relative order or number of volatile
2126	/// memory operations. However, volatile memory operations on zero-sized types
2127	/// (e.g., if a zero-sized type is passed to `write_volatile`) are noops
2128	/// and may be ignored.
2129	///
2130	/// [c11]: http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1570.pdf
2131	///
2132	/// # Safety
2133	///
2134	/// Behavior is undefined if any of the following conditions are violated:
2135	///
2136	/// `dst` must be [valid] for writes.*
2137	///
2138	/// `dst` must be properly aligned.*
2139	///
2140	/// Note that even if `T` has size `0`, the pointer must be properly aligned.
2141	///
2142	/// [valid]: self#safety
2143	///
2144	/// Just like in C, whether an operation is volatile has no bearing whatsoever
2145	/// on questions involving concurrent access from multiple threads. Volatile
2146	/// accesses behave exactly like non-atomic accesses in that regard. In particular,
2147	/// a race between a `write_volatile` and any other operation (reading or writing)
2148	/// on the same location is undefined behavior.
2149	///
2150	/// # Examples
2151	///
2152	/// Basic usage:
2153	///
2154	/// ```
2155	/// let mut x = `0`;
2156	/// let y = &mut x as *mut i32;
2157	/// let z = `12`;
2158	///
2159	/// unsafe {
2160	/// std::ptr::write_volatile(y, z);
2161	/// assert_eq!(std::ptr::read_volatile(y), `12`);
2162	/// }
2163	/// ```
2164	#[inline]
2165	#[stable(feature = "volatile", since = "1.9.0")]
2166	#[rustc_diagnostic_item = "ptr_write_volatile"]
2167	#[track_caller]
2168	pub unsafe fn write_volatile<T>(dst: *mut T, src: T) {
2169	// SAFETY: the caller must uphold the safety contract for `volatile_store`.
2170	unsafe {
2171	ub_checks::assert_unsafe_precondition!(
2172	check_language_ub,
2173	"ptr::write_volatile requires that the pointer argument is aligned and non-null",
2174	(
2175	addr: *mut () = dst as *mut (),
2176	align: usize = align_of::<T>(),
2177	is_zst: bool = T::IS_ZST,
2178	) => ub_checks::maybe_is_aligned_and_not_null(addr, align, is_zst)
2179	);
2180	intrinsics::volatile_store(dst, val:src);
2181	}
2182	}
2183
2184	/// Align pointer `p`.
2185	///
2186	/// Calculate offset (in terms of elements of `size_of::<T>()` stride) that has to be applied
2187	/// to pointer `p` so that pointer `p` would get aligned to `a`.
2188	///
2189	/// # Safety
2190	/// `a` must be a power of two.
2191	///
2192	/// # Notes
2193	/// This implementation has been carefully tailored to not panic. It is UB for this to panic.
2194	/// The only real change that can be made here is change of `INV_TABLE_MOD_16` and associated
2195	/// constants.
2196	///
2197	/// If we ever decide to make it possible to call the intrinsic with `a` that is not a
2198	/// power-of-two, it will probably be more prudent to just change to a naive implementation rather
2199	/// than trying to adapt this to accommodate that change.
2200	///
2201	/// Any questions go to @nagisa.
2202	#[allow(ptr_to_integer_transmute_in_consts)]
2203	pub(crate) unsafe fn align_offset<T: Sized>(p: *const T, a: usize) -> usize {
2204	// FIXME(#75598): Direct use of these intrinsics improves codegen significantly at opt-level <=
2205	// 1, where the method versions of these operations are not inlined.
2206	use intrinsics::{
2207	assume, cttz_nonzero, exact_div, mul_with_overflow, unchecked_rem, unchecked_shl,
2208	unchecked_shr, unchecked_sub, wrapping_add, wrapping_mul, wrapping_sub,
2209	};
2210
2211	/// Calculate multiplicative modular inverse of `x` modulo `m`.
2212	///
2213	/// This implementation is tailored for `align_offset` and has following preconditions:
2214	///
2215	/// `m` is a power-of-two;*
2216	/// `x < m`; (if `x ≥ m`, pass in `x % m` instead)*
2217	///
2218	/// Implementation of this function shall not panic. Ever.
2219	#[inline]
2220	const unsafe fn mod_inv(x: usize, m: usize) -> usize {
2221	/// Multiplicative modular inverse table modulo 2⁴ = 16.
2222	///
2223	/// Note, that this table does not contain values where inverse does not exist (i.e., for
2224	/// `0⁻¹ mod 16`, `2⁻¹ mod 16`, etc.)
2225	const INV_TABLE_MOD_16: [u8; `8`] = [`1`, `11`, `13`, `7`, `9`, `3`, `5`, `15`];
2226	/// Modulo for which the `INV_TABLE_MOD_16` is intended.
2227	const INV_TABLE_MOD: usize = `16`;
2228
2229	// SAFETY: `m` is required to be a power-of-two, hence non-zero.
2230	let m_minus_one = unsafe { unchecked_sub(m, `1`) };
2231	let mut inverse = INV_TABLE_MOD_16[(x & (INV_TABLE_MOD - `1`)) >> `1`] as usize;
2232	let mut mod_gate = INV_TABLE_MOD;
2233	// We iterate "up" using the following formula:
2234	//
2235	// $$ xy ≡ 1 (mod 2ⁿ) → xy (2 - xy) ≡ 1 (mod 2²ⁿ) $$
2236	//
2237	// This application needs to be applied at least until `2²ⁿ ≥ m`, at which point we can
2238	// finally reduce the computation to our desired `m` by taking `inverse mod m`.
2239	//
2240	// This computation is `O(log log m)`, which is to say, that on 64-bit machines this loop
2241	// will always finish in at most 4 iterations.
2242	loop {
2243	// y = y (2 - xy) mod n*
2244	//
2245	// Note, that we use wrapping operations here intentionally – the original formula
2246	// uses e.g., subtraction `mod n`. It is entirely fine to do them `mod
2247	// usize::MAX` instead, because we take the result `mod n` at the end
2248	// anyway.
2249	if mod_gate >= m {
2250	break;
2251	}
2252	inverse = wrapping_mul(inverse, wrapping_sub(`2usize`, wrapping_mul(x, inverse)));
2253	let (new_gate, overflow) = mul_with_overflow(mod_gate, mod_gate);
2254	if overflow {
2255	break;
2256	}
2257	mod_gate = new_gate;
2258	}
2259	inverse & m_minus_one
2260	}
2261
2262	let stride = size_of::<T>();
2263
2264	let addr: usize = p.addr();
2265
2266	// SAFETY: `a` is a power-of-two, therefore non-zero.
2267	let a_minus_one = unsafe { unchecked_sub(a, `1`) };
2268
2269	if stride == `0` {
2270	// SPECIAL_CASE: handle 0-sized types. No matter how many times we step, the address will
2271	// stay the same, so no offset will be able to align the pointer unless it is already
2272	// aligned. This branch _will_ be optimized out as `stride` is known at compile-time.
2273	let p_mod_a = addr & a_minus_one;
2274	return if p_mod_a == `0` { `0` } else { usize::MAX };
2275	}
2276
2277	// SAFETY: `stride == 0` case has been handled by the special case above.
2278	let a_mod_stride = unsafe { unchecked_rem(a, stride) };
2279	if a_mod_stride == `0` {
2280	// SPECIAL_CASE: In cases where the `a` is divisible by `stride`, byte offset to align a
2281	// pointer can be computed more simply through `-p (mod a)`. In the off-chance the byte
2282	// offset is not a multiple of `stride`, the input pointer was misaligned and no pointer
2283	// offset will be able to produce a `p` aligned to the specified `a`.
2284	//
2285	// The naive `-p (mod a)` equation inhibits LLVM's ability to select instructions
2286	// like `lea`. We compute `(round_up_to_next_alignment(p, a) - p)` instead. This
2287	// redistributes operations around the load-bearing, but pessimizing `and` instruction
2288	// sufficiently for LLVM to be able to utilize the various optimizations it knows about.
2289	//
2290	// LLVM handles the branch here particularly nicely. If this branch needs to be evaluated
2291	// at runtime, it will produce a mask `if addr_mod_stride == 0 { 0 } else { usize::MAX }`
2292	// in a branch-free way and then bitwise-OR it with whatever result the `-p mod a`
2293	// computation produces.
2294
2295	let aligned_address = wrapping_add(addr, a_minus_one) & wrapping_sub(`0`, a);
2296	let byte_offset = wrapping_sub(aligned_address, addr);
2297	// FIXME: Remove the assume after <https://github.com/llvm/llvm-project/issues/62502>
2298	// SAFETY: Masking by `-a` can only affect the low bits, and thus cannot have reduced
2299	// the value by more than `a-1`, so even though the intermediate values might have
2300	// wrapped, the byte_offset is always in `[0, a)`.
2301	unsafe { assume(byte_offset < a) };
2302
2303	// SAFETY: `stride == 0` case has been handled by the special case above.
2304	let addr_mod_stride = unsafe { unchecked_rem(addr, stride) };
2305
2306	return if addr_mod_stride == `0` {
2307	// SAFETY: `stride` is non-zero. This is guaranteed to divide exactly as well, because
2308	// addr has been verified to be aligned to the original type’s alignment requirements.
2309	unsafe { exact_div(byte_offset, stride) }
2310	} else {
2311	usize::MAX
2312	};
2313	}
2314
2315	// GENERAL_CASE: From here on we’re handling the very general case where `addr` may be
2316	// misaligned, there isn’t an obvious relationship between `stride` and `a` that we can take an
2317	// advantage of, etc. This case produces machine code that isn’t particularly high quality,
2318	// compared to the special cases above. The code produced here is still within the realm of
2319	// miracles, given the situations this case has to deal with.
2320
2321	// SAFETY: a is power-of-two hence non-zero. stride == 0 case is handled above.
2322	// FIXME(const-hack) replace with min
2323	let gcdpow = unsafe {
2324	let x = cttz_nonzero(stride);
2325	let y = cttz_nonzero(a);
2326	if x < y { x } else { y }
2327	};
2328	// SAFETY: gcdpow has an upper-bound that’s at most the number of bits in a `usize`.
2329	let gcd = unsafe { unchecked_shl(`1usize`, gcdpow) };
2330	// SAFETY: gcd is always greater or equal to 1.
2331	if addr & unsafe { unchecked_sub(gcd, `1`) } == `0` {
2332	// This branch solves for the following linear congruence equation:
2333	//
2334	// ` p + so = 0 mod a `
2335	//
2336	// `p` here is the pointer value, `s` - stride of `T`, `o` offset in `T`s, and `a` - the
2337	// requested alignment.
2338	//
2339	// With `g = gcd(a, s)`, and the above condition asserting that `p` is also divisible by
2340	// `g`, we can denote `a' = a/g`, `s' = s/g`, `p' = p/g`, then this becomes equivalent to:
2341	//
2342	// ` p' + s'o = 0 mod a' `
2343	// ` o = (a' - (p' mod a')) (s'^-1 mod a') `*
2344	//
2345	// The first term is "the relative alignment of `p` to `a`" (divided by the `g`), the
2346	// second term is "how does incrementing `p` by `s` bytes change the relative alignment of
2347	// `p`" (again divided by `g`). Division by `g` is necessary to make the inverse well
2348	// formed if `a` and `s` are not co-prime.
2349	//
2350	// Furthermore, the result produced by this solution is not "minimal", so it is necessary
2351	// to take the result `o mod lcm(s, a)`. This `lcm(s, a)` is the same as `a'`.
2352
2353	// SAFETY: `gcdpow` has an upper-bound not greater than the number of trailing 0-bits in
2354	// `a`.
2355	let a2 = unsafe { unchecked_shr(a, gcdpow) };
2356	// SAFETY: `a2` is non-zero. Shifting `a` by `gcdpow` cannot shift out any of the set bits
2357	// in `a` (of which it has exactly one).
2358	let a2minus1 = unsafe { unchecked_sub(a2, `1`) };
2359	// SAFETY: `gcdpow` has an upper-bound not greater than the number of trailing 0-bits in
2360	// `a`.
2361	let s2 = unsafe { unchecked_shr(stride & a_minus_one, gcdpow) };
2362	// SAFETY: `gcdpow` has an upper-bound not greater than the number of trailing 0-bits in
2363	// `a`. Furthermore, the subtraction cannot overflow, because `a2 = a >> gcdpow` will
2364	// always be strictly greater than `(p % a) >> gcdpow`.
2365	let minusp2 = unsafe { unchecked_sub(a2, unchecked_shr(addr & a_minus_one, gcdpow)) };
2366	// SAFETY: `a2` is a power-of-two, as proven above. `s2` is strictly less than `a2`
2367	// because `(s % a) >> gcdpow` is strictly less than `a >> gcdpow`.
2368	return wrapping_mul(minusp2, unsafe { mod_inv(s2, a2) }) & a2minus1;
2369	}
2370
2371	// Cannot be aligned at all.
2372	usize::MAX
2373	}
2374
2375	/// Compares raw pointers for equality.
2376	///
2377	/// This is the same as using the `==` operator, but less generic:
2378	/// the arguments have to be `const T` raw pointers,*
2379	/// not anything that implements `PartialEq`.
2380	///
2381	/// This can be used to compare `&T` references (which coerce to `const T` implicitly)*
2382	/// by their address rather than comparing the values they point to
2383	/// (which is what the `PartialEq for &T` implementation does).
2384	///
2385	/// When comparing wide pointers, both the address and the metadata are tested for equality.
2386	/// However, note that comparing trait object pointers (`const dyn Trait`) is unreliable: pointers*
2387	/// to values of the same underlying type can compare inequal (because vtables are duplicated in
2388	/// multiple codegen units), and pointers to values of different* underlying type can compare equal*
2389	/// (since identical vtables can be deduplicated within a codegen unit).
2390	///
2391	/// # Examples
2392	///
2393	/// ```
2394	/// use std::ptr;
2395	///
2396	/// let five = `5`;
2397	/// let other_five = `5`;
2398	/// let five_ref = &five;
2399	/// let same_five_ref = &five;
2400	/// let other_five_ref = &other_five;
2401	///
2402	/// assert!(five_ref == same_five_ref);
2403	/// assert!(ptr::eq(five_ref, same_five_ref));
2404	///
2405	/// assert!(five_ref == other_five_ref);
2406	/// assert!(!ptr::eq(five_ref, other_five_ref));
2407	/// ```
2408	///
2409	/// Slices are also compared by their length (fat pointers):
2410	///
2411	/// ```
2412	/// let a = [`1`, `2`, `3`];
2413	/// assert!(std::ptr::eq(&a[..`3`], &a[..`3`]));
2414	/// assert!(!std::ptr::eq(&a[..`2`], &a[..`3`]));
2415	/// assert!(!std::ptr::eq(&a[`0`..`2`], &a[`1`..`3`]));
2416	/// ```
2417	#[stable(feature = "ptr_eq", since = "1.17.0")]
2418	#[inline(always)]
2419	#[must_use = "pointer comparison produces a value"]
2420	#[rustc_diagnostic_item = "ptr_eq"]
2421	#[allow(ambiguous_wide_pointer_comparisons)] // it's actually clear here
2422	pub fn eq<T: ?Sized>(a: *const T, b: *const T) -> bool {
2423	a == b
2424	}
2425
2426	/// Compares the addresses* of the two pointers for equality,*
2427	/// ignoring any metadata in fat pointers.
2428	///
2429	/// If the arguments are thin pointers of the same type,
2430	/// then this is the same as [`eq`].
2431	///
2432	/// # Examples
2433	///
2434	/// ```
2435	/// use std::ptr;
2436	///
2437	/// let whole: &[i32; `3`] = &[`1`, `2`, `3`];
2438	/// let first: &i32 = &whole[`0`];
2439	///
2440	/// assert!(ptr::addr_eq(whole, first));
2441	/// assert!(!ptr::eq::<dyn std::fmt::Debug>(whole, first));
2442	/// ```
2443	#[stable(feature = "ptr_addr_eq", since = "1.76.0")]
2444	#[inline(always)]
2445	#[must_use = "pointer comparison produces a value"]
2446	pub fn addr_eq<T: ?Sized, U: ?Sized>(p: *const T, q: *const U) -> bool {
2447	(p as *const ()) == (q as *const ())
2448	}
2449
2450	/// Compares the addresses* of the two function pointers for equality.*
2451	///
2452	/// This is the same as `f == g`, but using this function makes clear that the potentially
2453	/// surprising semantics of function pointer comparison are involved.
2454	///
2455	/// There are very few guarantees* about how functions are compiled and they have no intrinsic*
2456	/// “identity”; in particular, this comparison:
2457	///
2458	/// May return `true` unexpectedly, in cases where functions are equivalent.*
2459	///
2460	/// For example, the following program is likely (but not guaranteed) to print `(true, true)`
2461	/// when compiled with optimization:
2462	///
2463	/// ```
2464	/// let f: fn(i32) -> i32 = \|x\| x;
2465	/// let g: fn(i32) -> i32 = \|x\| x + `0`; // different closure, different body
2466	/// let h: fn(u32) -> u32 = \|x\| x + `0`; // different signature too
2467	/// dbg!(std::ptr::fn_addr_eq(f, g), std::ptr::fn_addr_eq(f, h)); // not guaranteed to be equal
2468	/// ```
2469	///
2470	/// May return `false` in any case.*
2471	///
2472	/// This is particularly likely with generic functions but may happen with any function.
2473	/// (From an implementation perspective, this is possible because functions may sometimes be
2474	/// processed more than once by the compiler, resulting in duplicate machine code.)
2475	///
2476	/// Despite these false positives and false negatives, this comparison can still be useful.
2477	/// Specifically, if
2478	///
2479	/// `T` is the same type as `U`, `T` is a [subtype] of `U`, or `U` is a [subtype] of `T`, and*
2480	/// `ptr::fn_addr_eq(f, g)` returns true,*
2481	///
2482	/// then calling `f` and calling `g` will be equivalent.
2483	///
2484	///
2485	/// # Examples
2486	///
2487	/// ```
2488	/// use std::ptr;
2489	///
2490	/// fn a() { println!("a"); }
2491	/// fn b() { println!("b"); }
2492	/// assert!(!ptr::fn_addr_eq(a as fn(), b as fn()));
2493	/// ```
2494	///
2495	/// [subtype]: https://doc.rust-lang.org/reference/subtyping.html
2496	#[stable(feature = "ptr_fn_addr_eq", since = "1.85.0")]
2497	#[inline(always)]
2498	#[must_use = "function pointer comparison produces a value"]
2499	pub fn fn_addr_eq<T: FnPtr, U: FnPtr>(f: T, g: U) -> bool {
2500	f.addr() == g.addr()
2501	}
2502
2503	/// Hash a raw pointer.
2504	///
2505	/// This can be used to hash a `&T` reference (which coerces to `const T` implicitly)*
2506	/// by its address rather than the value it points to
2507	/// (which is what the `Hash for &T` implementation does).
2508	///
2509	/// # Examples
2510	///
2511	/// ```
2512	/// use std::hash::{DefaultHasher, Hash, Hasher};
2513	/// use std::ptr;
2514	///
2515	/// let five = `5`;
2516	/// let five_ref = &five;
2517	///
2518	/// let mut hasher = DefaultHasher::new();
2519	/// ptr::hash(five_ref, &mut hasher);
2520	/// let actual = hasher.finish();
2521	///
2522	/// let mut hasher = DefaultHasher::new();
2523	/// (five_ref as *const i32).hash(&mut hasher);
2524	/// let expected = hasher.finish();
2525	///
2526	/// assert_eq!(actual, expected);
2527	/// ```
2528	#[stable(feature = "ptr_hash", since = "1.35.0")]
2529	pub fn hash<T: ?Sized, S: hash::Hasher>(hashee: *const T, into: &mut S) {
2530	use crate::hash::Hash;
2531	hashee.hash(state:into);
2532	}
2533
2534	#[stable(feature = "fnptr_impls", since = "1.4.0")]
2535	impl<F: FnPtr> PartialEq for F {
2536	#[inline]
2537	fn eq(&self, other: &Self) -> bool {
2538	self.addr() == other.addr()
2539	}
2540	}
2541	#[stable(feature = "fnptr_impls", since = "1.4.0")]
2542	impl<F: FnPtr> Eq for F {}
2543
2544	#[stable(feature = "fnptr_impls", since = "1.4.0")]
2545	impl<F: FnPtr> PartialOrd for F {
2546	#[inline]
2547	fn partial_cmp(&self, other: &Self) -> Option<Ordering> {
2548	self.addr().partial_cmp(&other.addr())
2549	}
2550	}
2551	#[stable(feature = "fnptr_impls", since = "1.4.0")]
2552	impl<F: FnPtr> Ord for F {
2553	#[inline]
2554	fn cmp(&self, other: &Self) -> Ordering {
2555	self.addr().cmp(&other.addr())
2556	}
2557	}
2558
2559	#[stable(feature = "fnptr_impls", since = "1.4.0")]
2560	impl<F: FnPtr> hash::Hash for F {
2561	fn hash<HH: hash::Hasher>(&self, state: &mut HH) {
2562	state.write_usize(self.addr() as _)
2563	}
2564	}
2565
2566	#[stable(feature = "fnptr_impls", since = "1.4.0")]
2567	impl<F: FnPtr> fmt::Pointer for F {
2568	fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
2569	fmt::pointer_fmt_inner(self.addr() as _, f)
2570	}
2571	}
2572
2573	#[stable(feature = "fnptr_impls", since = "1.4.0")]
2574	impl<F: FnPtr> fmt::Debug for F {
2575	fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
2576	fmt::pointer_fmt_inner(self.addr() as _, f)
2577	}
2578	}
2579
2580	/// Creates a `const` raw pointer to a place, without creating an intermediate reference.
2581	///
2582	/// `addr_of!(expr)` is equivalent to `&raw const expr`. The macro is soft-deprecated;
2583	/// use `&raw const` instead.
2584	///
2585	/// It is still an open question under which conditions writing through an `addr_of!`-created
2586	/// pointer is permitted. If the place `expr` evaluates to is based on a raw pointer, then the
2587	/// result of `addr_of!` inherits all permissions from that raw pointer. However, if the place is
2588	/// based on a reference, local variable, or `static`, then until all details are decided, the same
2589	/// rules as for shared references apply: it is UB to write through a pointer created with this
2590	/// operation, except for bytes located inside an `UnsafeCell`. Use `&raw mut` (or [`addr_of_mut`])
2591	/// to create a raw pointer that definitely permits mutation.
2592	///
2593	/// Creating a reference with `&`/`&mut` is only allowed if the pointer is properly aligned
2594	/// and points to initialized data. For cases where those requirements do not hold,
2595	/// raw pointers should be used instead. However, `&expr as const _` creates a reference*
2596	/// before casting it to a raw pointer, and that reference is subject to the same rules
2597	/// as all other references. This macro can create a raw pointer without* creating*
2598	/// a reference first.
2599	///
2600	/// See [`addr_of_mut`] for how to create a pointer to uninitialized data.
2601	/// Doing that with `addr_of` would not make much sense since one could only
2602	/// read the data, and that would be Undefined Behavior.
2603	///
2604	/// # Safety
2605	///
2606	/// The `expr` in `addr_of!(expr)` is evaluated as a place expression, but never loads from the
2607	/// place or requires the place to be dereferenceable. This means that `addr_of!((ptr).field)`*
2608	/// still requires the projection to `field` to be in-bounds, using the same rules as [`offset`].
2609	/// However, `addr_of!(ptr)` is defined behavior even if `ptr` is null, dangling, or misaligned.*
2610	///
2611	/// Note that `Deref`/`Index` coercions (and their mutable counterparts) are applied inside
2612	/// `addr_of!` like everywhere else, in which case a reference is created to call `Deref::deref` or
2613	/// `Index::index`, respectively. The statements above only apply when no such coercions are
2614	/// applied.
2615	///
2616	/// [`offset`]: pointer::offset
2617	///
2618	/// # Example
2619	///
2620	/// Correct usage: Creating a pointer to unaligned data
2621	///
2622	/// ```
2623	/// use std::ptr;
2624	///
2625	/// #[repr(packed)]
2626	/// struct Packed {
2627	/// f1: u8,
2628	/// f2: u16,
2629	/// }
2630	///
2631	/// let packed = Packed { f1: `1`, f2: `2` };
2632	/// // `&packed.f2` would create an unaligned reference, and thus be Undefined Behavior!
2633	/// let raw_f2 = ptr::addr_of!(packed.f2);
2634	/// assert_eq!(unsafe { raw_f2.read_unaligned() }, `2`);
2635	/// ```
2636	///
2637	/// Incorrect usage: Out-of-bounds fields projection
2638	///
2639	/// ```rust,no_run
2640	/// use std::ptr;
2641	///
2642	/// #[repr(C)]
2643	/// struct MyStruct {
2644	/// field1: i32,
2645	/// field2: i32,
2646	/// }
2647	///
2648	/// let ptr: *const MyStruct = ptr::null();
2649	/// let fieldptr = unsafe { ptr::addr_of!((ptr).field2) }; // Undefined Behavior ⚠️*
2650	/// ```
2651	///
2652	/// The field projection `.field2` would offset the pointer by 4 bytes,
2653	/// but the pointer is not in-bounds of an allocation for 4 bytes,
2654	/// so this offset is Undefined Behavior.
2655	/// See the [`offset`] docs for a full list of requirements for inbounds pointer arithmetic; the
2656	/// same requirements apply to field projections, even inside `addr_of!`. (In particular, it makes
2657	/// no difference whether the pointer is null or dangling.)
2658	#[stable(feature = "raw_ref_macros", since = "1.51.0")]
2659	#[rustc_macro_transparency = "semitransparent"]
2660	pub macro addr_of($place:expr) {
2661	&raw const $place
2662	}
2663
2664	/// Creates a `mut` raw pointer to a place, without creating an intermediate reference.
2665	///
2666	/// `addr_of_mut!(expr)` is equivalent to `&raw mut expr`. The macro is soft-deprecated;
2667	/// use `&raw mut` instead.
2668	///
2669	/// Creating a reference with `&`/`&mut` is only allowed if the pointer is properly aligned
2670	/// and points to initialized data. For cases where those requirements do not hold,
2671	/// raw pointers should be used instead. However, `&mut expr as mut _` creates a reference*
2672	/// before casting it to a raw pointer, and that reference is subject to the same rules
2673	/// as all other references. This macro can create a raw pointer without* creating*
2674	/// a reference first.
2675	///
2676	/// # Safety
2677	///
2678	/// The `expr` in `addr_of_mut!(expr)` is evaluated as a place expression, but never loads from the
2679	/// place or requires the place to be dereferenceable. This means that `addr_of_mut!((ptr).field)`*
2680	/// still requires the projection to `field` to be in-bounds, using the same rules as [`offset`].
2681	/// However, `addr_of_mut!(ptr)` is defined behavior even if `ptr` is null, dangling, or misaligned.*
2682	///
2683	/// Note that `Deref`/`Index` coercions (and their mutable counterparts) are applied inside
2684	/// `addr_of_mut!` like everywhere else, in which case a reference is created to call `Deref::deref`
2685	/// or `Index::index`, respectively. The statements above only apply when no such coercions are
2686	/// applied.
2687	///
2688	/// [`offset`]: pointer::offset
2689	///
2690	/// # Examples
2691	///
2692	/// Correct usage: Creating a pointer to unaligned data
2693	///
2694	/// ```
2695	/// use std::ptr;
2696	///
2697	/// #[repr(packed)]
2698	/// struct Packed {
2699	/// f1: u8,
2700	/// f2: u16,
2701	/// }
2702	///
2703	/// let mut packed = Packed { f1: `1`, f2: `2` };
2704	/// // `&mut packed.f2` would create an unaligned reference, and thus be Undefined Behavior!
2705	/// let raw_f2 = ptr::addr_of_mut!(packed.f2);
2706	/// unsafe { raw_f2.write_unaligned(`42`); }
2707	/// assert_eq!({packed.f2}, `42`); // `{...}` forces copying the field instead of creating a reference.
2708	/// ```
2709	///
2710	/// Correct usage: Creating a pointer to uninitialized data
2711	///
2712	/// ```rust
2713	/// use std::{ptr, mem::MaybeUninit};
2714	///
2715	/// struct Demo {
2716	/// field: bool,
2717	/// }
2718	///
2719	/// let mut uninit = MaybeUninit::<Demo>::uninit();
2720	/// // `&uninit.as_mut().field` would create a reference to an uninitialized `bool`,
2721	/// // and thus be Undefined Behavior!
2722	/// let f1_ptr = unsafe { ptr::addr_of_mut!((*uninit.as_mut_ptr()).field) };
2723	/// unsafe { f1_ptr.write(`true`); }
2724	/// let init = unsafe { uninit.assume_init() };
2725	/// ```
2726	///
2727	/// Incorrect usage: Out-of-bounds fields projection
2728	///
2729	/// ```rust,no_run
2730	/// use std::ptr;
2731	///
2732	/// #[repr(C)]
2733	/// struct MyStruct {
2734	/// field1: i32,
2735	/// field2: i32,
2736	/// }
2737	///
2738	/// let ptr: *mut MyStruct = ptr::null_mut();
2739	/// let fieldptr = unsafe { ptr::addr_of_mut!((ptr).field2) }; // Undefined Behavior ⚠️*
2740	/// ```
2741	///
2742	/// The field projection `.field2` would offset the pointer by 4 bytes,
2743	/// but the pointer is not in-bounds of an allocation for 4 bytes,
2744	/// so this offset is Undefined Behavior.
2745	/// See the [`offset`] docs for a full list of requirements for inbounds pointer arithmetic; the
2746	/// same requirements apply to field projections, even inside `addr_of_mut!`. (In particular, it
2747	/// makes no difference whether the pointer is null or dangling.)
2748	#[stable(feature = "raw_ref_macros", since = "1.51.0")]
2749	#[rustc_macro_transparency = "semitransparent"]
2750	pub macro addr_of_mut($place:expr) {
2751	&raw mut $place
2752	}
2753