mod.rs source code [crates/core/src/ptr/mod.rs]

1	//! Manually manage memory through raw pointers.
2	//!
3	//! [See also the pointer primitive types](pointer).
4	//!
5	//! # Safety
6	//!
7	//! Many functions in this module take raw pointers as arguments and read from or write to them. For
8	//! this to be safe, these pointers must be valid* for the given access. Whether a pointer is valid*
9	//! depends on the operation it is used for (read or write), and the extent of the memory that is
10	//! accessed (i.e., how many bytes are read/written) -- it makes no sense to ask "is this pointer
11	//! valid"; one has to ask "is this pointer valid for a given access". Most functions use `mut T`*
12	//! and `const T` to access only a single value, in which case the documentation omits the size and*
13	//! implicitly assumes it to be `size_of::<T>()` bytes.
14	//!
15	//! The precise rules for validity are not determined yet. The guarantees that are
16	//! provided at this point are very minimal:
17	//!
18	//! A* [null] pointer is never* valid, not even for accesses of [size zero][zst].*
19	//! For a pointer to be valid, it is necessary, but not always sufficient, that the pointer*
20	//! be dereferenceable: the memory range of the given size starting at the pointer must all be
21	//! within the bounds of a single allocated object. Note that in Rust,
22	//! every (stack-allocated) variable is considered a separate allocated object.
23	//! Even for operations of [size zero][zst], the pointer must not be pointing to deallocated*
24	//! memory, i.e., deallocation makes pointers invalid even for zero-sized operations. However,
25	//! casting any non-zero integer literal* to a pointer is valid for zero-sized accesses, even if*
26	//! some memory happens to exist at that address and gets deallocated. This corresponds to writing
27	//! your own allocator: allocating zero-sized objects is not very hard. The canonical way to
28	//! obtain a pointer that is valid for zero-sized accesses is [`NonNull::dangling`].
29	//FIXME: mention `ptr::dangling` above, once it is stable.
30	//! All accesses performed by functions in this module are non-atomic in the sense*
31	//! of [atomic operations] used to synchronize between threads. This means it is
32	//! undefined behavior to perform two concurrent accesses to the same location from different
33	//! threads unless both accesses only read from memory. Notice that this explicitly
34	//! includes [`read_volatile`] and [`write_volatile`]: Volatile accesses cannot
35	//! be used for inter-thread synchronization.
36	//! The result of casting a reference to a pointer is valid for as long as the*
37	//! underlying object is live and no reference (just raw pointers) is used to
38	//! access the same memory. That is, reference and pointer accesses cannot be
39	//! interleaved.
40	//!
41	//! These axioms, along with careful use of [`offset`] for pointer arithmetic,
42	//! are enough to correctly implement many useful things in unsafe code. Stronger guarantees
43	//! will be provided eventually, as the [aliasing] rules are being determined. For more
44	//! information, see the [book] as well as the section in the reference devoted
45	//! to [undefined behavior][ub].
46	//!
47	//! We say that a pointer is "dangling" if it is not valid for any non-zero-sized accesses. This
48	//! means out-of-bounds pointers, pointers to freed memory, null pointers, and pointers created with
49	//! [`NonNull::dangling`] are all dangling.
50	//!
51	//! ## Alignment
52	//!
53	//! Valid raw pointers as defined above are not necessarily properly aligned (where
54	//! "proper" alignment is defined by the pointee type, i.e., `const T` must be*
55	//! aligned to `mem::align_of::<T>()`). However, most functions require their
56	//! arguments to be properly aligned, and will explicitly state
57	//! this requirement in their documentation. Notable exceptions to this are
58	//! [`read_unaligned`] and [`write_unaligned`].
59	//!
60	//! When a function requires proper alignment, it does so even if the access
61	//! has size 0, i.e., even if memory is not actually touched. Consider using
62	//! [`NonNull::dangling`] in such cases.
63	//!
64	//! ## Allocated object
65	//!
66	//! For several operations, such as [`offset`] or field projections (`expr.field`), the notion of an
67	//! "allocated object" becomes relevant. An allocated object is a contiguous region of memory.
68	//! Common examples of allocated objects include stack-allocated variables (each variable is a
69	//! separate allocated object), heap allocations (each allocation created by the global allocator is
70	//! a separate allocated object), and `static` variables.
71	//!
72	//! # Strict Provenance
73	//!
74	//! The following text is non-normative, insufficiently formal, and is an extremely strict
75	//! interpretation of provenance. It's ok if your code doesn't strictly conform to it.**
76	//!
77	//! [Strict Provenance][] is an experimental set of APIs that help tools that try
78	//! to validate the memory-safety of your program's execution. Notably this includes [Miri][]
79	//! and [CHERI][], which can detect when you access out of bounds memory or otherwise violate
80	//! Rust's memory model.
81	//!
82	//! Provenance must exist in some form for any programming
83	//! language compiled for modern computer architectures, but specifying a model for provenance
84	//! in a way that is useful to both compilers and programmers is an ongoing challenge.
85	//! The [Strict Provenance][] experiment seeks to explore the question: what if we just said you*
86	//! couldn't do all the nasty operations that make provenance so messy?*
87	//!
88	//! What APIs would have to be removed? What APIs would have to be added? How much would code
89	//! have to change, and is it worse or better now? Would any patterns become truly inexpressible?
90	//! Could we carve out special exceptions for those patterns? Should we?
91	//!
92	//! A secondary goal of this project is to see if we can disambiguate the many functions of
93	//! pointer<->integer casts enough for the definition of `usize` to be loosened so that it
94	//! isn't pointer-sized but address-space/offset/allocation-sized (we'll probably continue
95	//! to conflate these notions). This would potentially make it possible to more efficiently
96	//! target platforms where pointers are larger than offsets, such as CHERI and maybe some
97	//! segmented architectures.
98	//!
99	//! ## Provenance
100	//!
101	//! *This section is non-normative* and is part of the [Strict Provenance][] experiment.**
102	//!
103	//! Pointers are not simply* an "integer" or "address". For instance, it's uncontroversial*
104	//! to say that a Use After Free is clearly Undefined Behaviour, even if you "get lucky"
105	//! and the freed memory gets reallocated before your read/write (in fact this is the
106	//! worst-case scenario, UAFs would be much less concerning if this didn't happen!).
107	//! To rationalize this claim, pointers need to somehow be more* than just their addresses:*
108	//! they must have provenance.
109	//!
110	//! When an allocation is created, that allocation has a unique Original Pointer. For alloc
111	//! APIs this is literally the pointer the call returns, and for local variables and statics,
112	//! this is the name of the variable/static. This is mildly overloading the term "pointer"
113	//! for the sake of brevity/exposition.
114	//!
115	//! The Original Pointer for an allocation is guaranteed to have unique access to the entire
116	//! allocation and only* that allocation. In this sense, an allocation can be thought of*
117	//! as a "sandbox" that cannot be broken into or out of. Provenance* is the permission*
118	//! to access an allocation's sandbox and has both a spatial* and temporal component:*
119	//!
120	//! Spatial: A range of bytes that the pointer is allowed to access.*
121	//! Temporal: The lifetime (of the allocation) that access to these bytes is tied to.*
122	//!
123	//! Spatial provenance makes sure you don't go beyond your sandbox, while temporal provenance
124	//! makes sure that you can't "get lucky" after your permission to access some memory
125	//! has been revoked (either through deallocations or borrows expiring).
126	//!
127	//! Provenance is implicitly shared with all pointers transitively derived from
128	//! The Original Pointer through operations like [`offset`], borrowing, and pointer casts.
129	//! Some operations may shrink* the derived provenance, limiting how much memory it can*
130	//! access or how long it's valid for (i.e. borrowing a subfield and subslicing).
131	//!
132	//! Shrinking provenance cannot be undone: even if you "know" there is a larger allocation, you
133	//! can't derive a pointer with a larger provenance. Similarly, you cannot "recombine"
134	//! two contiguous provenances back into one (i.e. with a `fn merge(&[T], &[T]) -> &[T]`).
135	//!
136	//! A reference to a value always has provenance over exactly the memory that field occupies.
137	//! A reference to a slice always has provenance over exactly the range that slice describes.
138	//!
139	//! If an allocation is deallocated, all pointers with provenance to that allocation become
140	//! invalidated, and effectively lose their provenance.
141	//!
142	//! The strict provenance experiment is mostly only interested in exploring stricter spatial
143	//! provenance. In this sense it can be thought of as a subset of the more ambitious and
144	//! formal [Stacked Borrows][] research project, which is what tools like [Miri][] are based on.
145	//! In particular, Stacked Borrows is necessary to properly describe what borrows are allowed
146	//! to do and when they become invalidated. This necessarily involves much more complex
147	//! temporal* reasoning than simply identifying allocations. Adjusting APIs and code*
148	//! for the strict provenance experiment will also greatly help Stacked Borrows.
149	//!
150	//!
151	//! ## Pointer Vs Addresses
152	//!
153	//! *This section is non-normative* and is part of the [Strict Provenance][] experiment.**
154	//!
155	//! One of the largest historical issues with trying to define provenance is that programmers
156	//! freely convert between pointers and integers. Once you allow for this, it generally becomes
157	//! impossible to accurately track and preserve provenance information, and you need to appeal
158	//! to very complex and unreliable heuristics. But of course, converting between pointers and
159	//! integers is very useful, so what can we do?
160	//!
161	//! Also did you know WASM is actually a "Harvard Architecture"? As in function pointers are
162	//! handled completely differently from data pointers? And we kind of just shipped Rust on WASM
163	//! without really addressing the fact that we let you freely convert between function pointers
164	//! and data pointers, because it mostly Just Works? Let's just put that on the "pointer casts
165	//! are dubious" pile.
166	//!
167	//! Strict Provenance attempts to square these circles by decoupling Rust's traditional conflation
168	//! of pointers and `usize` (and `isize`), and defining a pointer to semantically contain the
169	//! following information:
170	//!
171	//! The address-space it is part of (e.g. "data" vs "code" in WASM).*
172	//! The address it points to, which can be represented by a `usize`.*
173	//! The provenance it has, defining the memory it has permission to access.*
174	//! Provenance can be absent, in which case the pointer does not have permission to access any memory.
175	//!
176	//! Under Strict Provenance, a usize cannot* accurately represent a pointer, and converting from*
177	//! a pointer to a usize is generally an operation which only* extracts the address. It is*
178	//! therefore impossible* to construct a valid pointer from a usize because there is no way*
179	//! to restore the address-space and provenance. In other words, pointer-integer-pointer
180	//! roundtrips are not possible (in the sense that the resulting pointer is not dereferenceable).
181	//!
182	//! The key insight to making this model at all* viable is the [`with_addr`][] method:*
183	//!
184	//! ```text
185	//! /// Creates a new pointer with the given address.
186	//! ///
187	//! /// This performs the same operation as an `addr as ptr` cast, but copies
188	//! /// the address-space* and provenance of `self` to the new pointer.*
189	//! /// This allows us to dynamically preserve and propagate this important
190	//! /// information in a way that is otherwise impossible with a unary cast.
191	//! ///
192	//! /// This is equivalent to using `wrapping_offset` to offset `self` to the
193	//! /// given address, and therefore has all the same capabilities and restrictions.
194	//! pub fn with_addr(self, addr: usize) -> Self;
195	//! ```
196	//!
197	//! So you're still able to drop down to the address representation and do whatever
198	//! clever bit tricks you want as long as* you're able to keep around a pointer*
199	//! into the allocation you care about that can "reconstitute" the other parts of the pointer.
200	//! Usually this is very easy, because you only are taking a pointer, messing with the address,
201	//! and then immediately converting back to a pointer. To make this use case more ergonomic,
202	//! we provide the [`map_addr`][] method.
203	//!
204	//! To help make it clear that code is "following" Strict Provenance semantics, we also provide an
205	//! [`addr`][] method which promises that the returned address is not part of a
206	//! pointer-usize-pointer roundtrip. In the future we may provide a lint for pointer<->integer
207	//! casts to help you audit if your code conforms to strict provenance.
208	//!
209	//!
210	//! ## Using Strict Provenance
211	//!
212	//! Most code needs no changes to conform to strict provenance, as the only really concerning
213	//! operation that wasn't* obviously already Undefined Behaviour is casts from usize to a*
214	//! pointer. For code which does* cast a usize to a pointer, the scope of the change depends*
215	//! on exactly what you're doing.
216	//!
217	//! In general you just need to make sure that if you want to convert a usize address to a
218	//! pointer and then use that pointer to read/write memory, you need to keep around a pointer
219	//! that has sufficient provenance to perform that read/write itself. In this way all of your
220	//! casts from an address to a pointer are essentially just applying offsets/indexing.
221	//!
222	//! This is generally trivial to do for simple cases like tagged pointers as long as you*
223	//! represent the tagged pointer as an actual pointer and not a usize. For instance:*
224	//!
225	//! ```
226	//! #![feature(strict_provenance)]
227	//!
228	//! unsafe {
229	//! // A flag we want to pack into our pointer
230	//! static HAS_DATA: usize = `0x1`;
231	//! static FLAG_MASK: usize = !HAS_DATA;
232	//!
233	//! // Our value, which must have enough alignment to have spare least-significant-bits.
234	//! let my_precious_data: u32 = `17`;
235	//! assert!(core::mem::align_of::<u32>() > `1`);
236	//!
237	//! // Create a tagged pointer
238	//! let ptr = &my_precious_data as *const u32;
239	//! let tagged = ptr.map_addr(\|addr\| addr \| HAS_DATA);
240	//!
241	//! // Check the flag:
242	//! if tagged.addr() & HAS_DATA != `0` {
243	//! // Untag and read the pointer
244	//! let data = tagged.map_addr(\|addr\| addr & FLAG_MASK*);
245	//! assert_eq!(data, `17`);
246	//! } else {
247	//! unreachable!()
248	//! }
249	//! }
250	//! ```
251	//!
252	//! (Yes, if you've been using AtomicUsize for pointers in concurrent datastructures, you should
253	//! be using AtomicPtr instead. If that messes up the way you atomically manipulate pointers,
254	//! we would like to know why, and what needs to be done to fix it.)
255	//!
256	//! Something more complicated and just generally evil* like an XOR-List requires more significant*
257	//! changes like allocating all nodes in a pre-allocated Vec or Arena and using a pointer
258	//! to the whole allocation to reconstitute the XORed addresses.
259	//!
260	//! Situations where a valid pointer must* be created from just an address, such as baremetal code*
261	//! accessing a memory-mapped interface at a fixed address, are an open question on how to support.
262	//! These situations will* still be allowed, but we might require some kind of "I know what I'm*
263	//! doing" annotation to explain the situation to the compiler. It's also possible they need no
264	//! special attention at all, because they're generally accessing memory outside the scope of
265	//! "the abstract machine", or already using "I know what I'm doing" annotations like "volatile".
266	//!
267	//! Under [Strict Provenance] it is Undefined Behaviour to:
268	//!
269	//! Access memory through a pointer that does not have provenance over that memory.*
270	//!
271	//! [`offset`] a pointer to or from an address it doesn't have provenance over.*
272	//! This means it's always UB to offset a pointer derived from something deallocated,
273	//! even if the offset is 0. Note that a pointer "one past the end" of its provenance
274	//! is not actually outside its provenance, it just has 0 bytes it can load/store.
275	//!
276	//! But it is* still sound to:*
277	//!
278	//! Create a pointer without provenance from just an address (see* [`ptr::dangling`][]). Such a
279	//! pointer cannot be used for memory accesses (except for zero-sized accesses). This can still be
280	//! useful for sentinel values like `null` or* to represent a tagged pointer that will never be*
281	//! dereferenceable. In general, it is always sound for an integer to pretend to be a pointer "for
282	//! fun" as long as you don't use operations on it which require it to be valid (non-zero-sized
283	//! offset, read, write, etc).
284	//!
285	//! Forge an allocation of size zero at any sufficiently aligned non-null address.*
286	//! i.e. the usual "ZSTs are fake, do what you want" rules apply but* this only applies*
287	//! for actual forgery (integers cast to pointers). If you borrow some struct's field
288	//! that happens* to be zero-sized, the resulting pointer will have provenance tied to*
289	//! that allocation and it will still get invalidated if the allocation gets deallocated.
290	//! In the future we may introduce an API to make such a forged allocation explicit.
291	//!
292	//! [`wrapping_offset`][] a pointer outside its provenance. This includes pointers*
293	//! which have "no" provenance. Unfortunately there may be practical limits on this for a
294	//! particular platform, and it's an open question as to how to specify this (if at all).
295	//! Notably, [CHERI][] relies on a compression scheme that can't handle a
296	//! pointer getting offset "too far" out of bounds. If this happens, the address
297	//! returned by `addr` will be the value you expect, but the provenance will get invalidated
298	//! and using it to read/write will fault. The details of this are architecture-specific
299	//! and based on alignment, but the buffer on either side of the pointer's range is pretty
300	//! generous (think kilobytes, not bytes).
301	//!
302	//! Compare arbitrary pointers by address. Addresses are just integers and so there is*
303	//! always a coherent answer, even if the pointers are dangling or from different
304	//! address-spaces/provenances. Of course, comparing addresses from different address-spaces
305	//! is generally going to be meaningless, but so is comparing Kilograms to Meters, and Rust
306	//! doesn't prevent that either. Similarly, if you get "lucky" and notice that a pointer
307	//! one-past-the-end is the "same" address as the start of an unrelated allocation, anything
308	//! you do with that fact is probably* going to be gibberish. The scope of that gibberish*
309	//! is kept under control by the fact that the two pointers still* aren't allowed to access*
310	//! the other's allocation (bytes), because they still have different provenance.
311	//!
312	//! Perform pointer tagging tricks. This falls out of [`wrapping_offset`] but is worth*
313	//! mentioning in more detail because of the limitations of [CHERI][]. Low-bit tagging
314	//! is very robust, and often doesn't even go out of bounds because types ensure
315	//! size >= align (and over-aligning actually gives CHERI more flexibility). Anything
316	//! more complex than this rapidly enters "extremely platform-specific" territory as
317	//! certain things may or may not be allowed based on specific supported operations.
318	//! For instance, ARM explicitly supports high-bit tagging, and so CHERI on ARM inherits
319	//! that and should support it.
320	//!
321	//! ## Exposed Provenance
322	//!
323	//! *This section is non-normative* and is an extension to the [Strict Provenance] experiment.**
324	//!
325	//! As discussed above, pointer-usize-pointer roundtrips are not possible under [Strict Provenance].
326	//! This is by design: the goal of Strict Provenance is to provide a clear specification that we are
327	//! confident can be formalized unambiguously and can be subject to precise formal reasoning.
328	//!
329	//! However, there exist situations where pointer-usize-pointer roundtrips cannot be avoided, or
330	//! where avoiding them would require major refactoring. Legacy platform APIs also regularly assume
331	//! that `usize` can capture all the information that makes up a pointer. The goal of Strict
332	//! Provenance is not to rule out such code; the goal is to put all the other* pointer-manipulating*
333	//! code onto a more solid foundation. Strict Provenance is about improving the situation where
334	//! possible (all the code that can be written with Strict Provenance) without making things worse
335	//! for situations where Strict Provenance is insufficient.
336	//!
337	//! For these situations, there is a highly experimental extension to Strict Provenance called
338	//! Exposed Provenance. This extension permits pointer-usize-pointer roundtrips. However, its
339	//! semantics are on much less solid footing than Strict Provenance, and at this point it is not yet
340	//! clear where a satisfying unambiguous semantics can be defined for Exposed Provenance.
341	//! Furthermore, Exposed Provenance will not work (well) with tools like [Miri] and [CHERI].
342	//!
343	//! Exposed Provenance is provided by the [`expose_provenance`] and [`with_exposed_provenance`] methods,
344	//! which are meant to replace `as` casts between pointers and integers. [`expose_provenance`] is a lot like
345	//! [`addr`], but additionally adds the provenance of the pointer to a global list of 'exposed'
346	//! provenances. (This list is purely conceptual, it exists for the purpose of specifying Rust but
347	//! is not materialized in actual executions, except in tools like [Miri].) [`with_exposed_provenance`]
348	//! can be used to construct a pointer with one of these previously 'exposed' provenances.
349	//! [`with_exposed_provenance`] takes only `addr: usize` as arguments, so unlike in [`with_addr`] there is
350	//! no indication of what the correct provenance for the returned pointer is -- and that is exactly
351	//! what makes pointer-usize-pointer roundtrips so tricky to rigorously specify! There is no
352	//! algorithm that decides which provenance will be used. You can think of this as "guessing" the
353	//! right provenance, and the guess will be "maximally in your favor", in the sense that if there is
354	//! any way to avoid undefined behavior, then that is the guess that will be taken. However, if
355	//! there is no* previously 'exposed' provenance that justifies the way the returned pointer will*
356	//! be used, the program has undefined behavior.
357	//!
358	//! Using [`expose_provenance`] or [`with_exposed_provenance`] (or the `as` casts) means that code is
359	//! not* following Strict Provenance rules. The goal of the Strict Provenance experiment is to*
360	//! determine how far one can get in Rust without the use of [`expose_provenance`] and
361	//! [`with_exposed_provenance`], and to encourage code to be written with Strict Provenance APIs only.
362	//! Maximizing the amount of such code is a major win for avoiding specification complexity and to
363	//! facilitate adoption of tools like [CHERI] and [Miri] that can be a big help in increasing the
364	//! confidence in (unsafe) Rust code.
365	//!
366	//! [aliasing]: ../../nomicon/aliasing.html
367	//! [book]: ../../book/ch19-01-unsafe-rust.html#dereferencing-a-raw-pointer
368	//! [ub]: ../../reference/behavior-considered-undefined.html
369	//! [zst]: ../../nomicon/exotic-sizes.html#zero-sized-types-zsts
370	//! [atomic operations]: crate::sync::atomic
371	//! [`offset`]: pointer::offset
372	//! [`wrapping_offset`]: pointer::wrapping_offset
373	//! [`with_addr`]: pointer::with_addr
374	//! [`map_addr`]: pointer::map_addr
375	//! [`addr`]: pointer::addr
376	//! [`ptr::dangling`]: core::ptr::dangling
377	//! [`expose_provenance`]: pointer::expose_provenance
378	//! [`with_exposed_provenance`]: with_exposed_provenance
379	//! [Miri]: https://github.com/rust-lang/miri
380	//! [CHERI]: https://www.cl.cam.ac.uk/research/security/ctsrd/cheri/
381	//! [Strict Provenance]: https://github.com/rust-lang/rust/issues/95228
382	//! [Stacked Borrows]: https://plv.mpi-sws.org/rustbelt/stacked-borrows/
383
384	#![stable(feature = "rust1", since = "1.0.0")]
385	// There are many unsafe functions taking pointers that don't dereference them.
386	#![allow(clippy::not_unsafe_ptr_arg_deref)]
387
388	use crate::cmp::Ordering;
389	use crate::fmt;
390	use crate::hash;
391	use crate::intrinsics;
392	use crate::marker::FnPtr;
393	use crate::ub_checks;
394
395	use crate::mem::{self, align_of, size_of, MaybeUninit};
396
397	mod alignment;
398	#[unstable(feature = "ptr_alignment_type", issue = "102070")]
399	pub use alignment::Alignment;
400
401	#[stable(feature = "rust1", since = "1.0.0")]
402	#[doc(inline)]
403	pub use crate::intrinsics::copy_nonoverlapping;
404
405	#[stable(feature = "rust1", since = "1.0.0")]
406	#[doc(inline)]
407	pub use crate::intrinsics::copy;
408
409	#[stable(feature = "rust1", since = "1.0.0")]
410	#[doc(inline)]
411	pub use crate::intrinsics::write_bytes;
412
413	mod metadata;
414	#[unstable(feature = "ptr_metadata", issue = "81513")]
415	pub use metadata::{from_raw_parts, from_raw_parts_mut, metadata, DynMetadata, Pointee, Thin};
416
417	mod non_null;
418	#[stable(feature = "nonnull", since = "1.25.0")]
419	pub use non_null::NonNull;
420
421	mod unique;
422	#[unstable(feature = "ptr_internals", issue = "none")]
423	pub use unique::Unique;
424
425	mod const_ptr;
426	mod mut_ptr;
427
428	/// Executes the destructor (if any) of the pointed-to value.
429	///
430	/// This is semantically equivalent to calling [`ptr::read`] and discarding
431	/// the result, but has the following advantages:
432	///
433	/// It is required to use `drop_in_place` to drop unsized types like*
434	/// trait objects, because they can't be read out onto the stack and
435	/// dropped normally.
436	///
437	/// It is friendlier to the optimizer to do this over* [`ptr::read`] when
438	/// dropping manually allocated memory (e.g., in the implementations of
439	/// `Box`/`Rc`/`Vec`), as the compiler doesn't need to prove that it's
440	/// sound to elide the copy.
441	///
442	/// It can be used to drop* [pinned] data when `T` is not `repr(packed)`
443	/// (pinned data must not be moved before it is dropped).
444	///
445	/// Unaligned values cannot be dropped in place, they must be copied to an aligned
446	/// location first using [`ptr::read_unaligned`]. For packed structs, this move is
447	/// done automatically by the compiler. This means the fields of packed structs
448	/// are not dropped in-place.
449	///
450	/// [`ptr::read`]: self::read
451	/// [`ptr::read_unaligned`]: self::read_unaligned
452	/// [pinned]: crate::pin
453	///
454	/// # Safety
455	///
456	/// Behavior is undefined if any of the following conditions are violated:
457	///
458	/// `to_drop` must be [valid] for both reads and writes.*
459	///
460	/// `to_drop` must be properly aligned, even if `T` has size 0.*
461	///
462	/// `to_drop` must be nonnull, even if `T` has size 0.*
463	///
464	/// The value `to_drop` points to must be valid for dropping, which may mean*
465	/// it must uphold additional invariants. These invariants depend on the type
466	/// of the value being dropped. For instance, when dropping a Box, the box's
467	/// pointer to the heap must be valid.
468	///
469	/// While `drop_in_place` is executing, the only way to access parts of*
470	/// `to_drop` is through the `&mut self` references supplied to the
471	/// `Drop::drop` methods that `drop_in_place` invokes.
472	///
473	/// Additionally, if `T` is not [`Copy`], using the pointed-to value after
474	/// calling `drop_in_place` can cause undefined behavior. Note that `to_drop =*
475	/// foo` counts as a use because it will cause the value to be dropped
476	/// again. [`write()`] can be used to overwrite data without causing it to be
477	/// dropped.
478	///
479	/// [valid]: self#safety
480	///
481	/// # Examples
482	///
483	/// Manually remove the last item from a vector:
484	///
485	/// ```
486	/// use std::ptr;
487	/// use std::rc::Rc;
488	///
489	/// let last = Rc::new(`1`);
490	/// let weak = Rc::downgrade(&last);
491	///
492	/// let mut v = vec![Rc::new(`0`), last];
493	///
494	/// unsafe {
495	/// // Get a raw pointer to the last element in `v`.
496	/// let ptr = &mut v[`1`] as *mut _;
497	/// // Shorten `v` to prevent the last item from being dropped. We do that first,
498	/// // to prevent issues if the `drop_in_place` below panics.
499	/// v.set_len(`1`);
500	/// // Without a call `drop_in_place`, the last item would never be dropped,
501	/// // and the memory it manages would be leaked.
502	/// ptr::drop_in_place(ptr);
503	/// }
504	///
505	/// assert_eq!(v, &[`0`.into()]);
506	///
507	/// // Ensure that the last item was dropped.
508	/// assert!(weak.upgrade().is_none());
509	/// ```
510	#[stable(feature = "drop_in_place", since = "1.8.0")]
511	#[lang = "drop_in_place"]
512	#[allow(unconditional_recursion)]
513	#[rustc_diagnostic_item = "ptr_drop_in_place"]
514	pub unsafe fn drop_in_place<T: ?Sized>(to_drop: *mut T) {
515	// Code here does not matter - this is replaced by the
516	// real drop glue by the compiler.
517
518	// SAFETY: see comment above
519	unsafe { drop_in_place(to_drop) }
520	}
521
522	/// Creates a null raw pointer.
523	///
524	/// This function is equivalent to zero-initializing the pointer:
525	/// `MaybeUninit::<const T>::zeroed().assume_init()`.*
526	/// The resulting pointer has the address 0.
527	///
528	/// # Examples
529	///
530	/// ```
531	/// use std::ptr;
532	///
533	/// let p: *const i32 = ptr::null();
534	/// assert!(p.is_null());
535	/// assert_eq!(p as usize, `0`); // this pointer has the address 0
536	/// ```
537	#[inline(always)]
538	#[must_use]
539	#[stable(feature = "rust1", since = "1.0.0")]
540	#[rustc_promotable]
541	#[rustc_const_stable(feature = "const_ptr_null", since = "1.24.0")]
542	#[rustc_allow_const_fn_unstable(ptr_metadata)]
543	#[rustc_diagnostic_item = "ptr_null"]
544	pub const fn null<T: ?Sized + Thin>() -> *const T {
545	from_raw_parts(data_pointer:without_provenance(`0`), ())
546	}
547
548	/// Creates a null mutable raw pointer.
549	///
550	/// This function is equivalent to zero-initializing the pointer:
551	/// `MaybeUninit::<mut T>::zeroed().assume_init()`.*
552	/// The resulting pointer has the address 0.
553	///
554	/// # Examples
555	///
556	/// ```
557	/// use std::ptr;
558	///
559	/// let p: *mut i32 = ptr::null_mut();
560	/// assert!(p.is_null());
561	/// assert_eq!(p as usize, `0`); // this pointer has the address 0
562	/// ```
563	#[inline(always)]
564	#[must_use]
565	#[stable(feature = "rust1", since = "1.0.0")]
566	#[rustc_promotable]
567	#[rustc_const_stable(feature = "const_ptr_null", since = "1.24.0")]
568	#[rustc_allow_const_fn_unstable(ptr_metadata)]
569	#[rustc_diagnostic_item = "ptr_null_mut"]
570	pub const fn null_mut<T: ?Sized + Thin>() -> *mut T {
571	from_raw_parts_mut(data_pointer:without_provenance_mut(`0`), ())
572	}
573
574	/// Creates a pointer with the given address and no provenance.
575	///
576	/// This is equivalent to `ptr::null().with_addr(addr)`.
577	///
578	/// Without provenance, this pointer is not associated with any actual allocation. Such a
579	/// no-provenance pointer may be used for zero-sized memory accesses (if suitably aligned), but
580	/// non-zero-sized memory accesses with a no-provenance pointer are UB. No-provenance pointers are
581	/// little more than a usize address in disguise.
582	///
583	/// This is different from `addr as const T`, which creates a pointer that picks up a previously*
584	/// exposed provenance. See [`with_exposed_provenance`] for more details on that operation.
585	///
586	/// This API and its claimed semantics are part of the Strict Provenance experiment,
587	/// see the [module documentation][crate::ptr] for details.
588	#[inline(always)]
589	#[must_use]
590	#[rustc_const_stable(feature = "stable_things_using_strict_provenance", since = "1.61.0")]
591	#[unstable(feature = "strict_provenance", issue = "95228")]
592	pub const fn without_provenance<T>(addr: usize) -> *const T {
593	// FIXME(strict_provenance_magic): I am magic and should be a compiler intrinsic.
594	// We use transmute rather than a cast so tools like Miri can tell that this
595	// is not* the same as with_exposed_provenance.*
596	// SAFETY: every valid integer is also a valid pointer (as long as you don't dereference that
597	// pointer).
598	unsafe { mem::transmute(src:addr) }
599	}
600
601	/// Creates a new pointer that is dangling, but well-aligned.
602	///
603	/// This is useful for initializing types which lazily allocate, like
604	/// `Vec::new` does.
605	///
606	/// Note that the pointer value may potentially represent a valid pointer to
607	/// a `T`, which means this must not be used as a "not yet initialized"
608	/// sentinel value. Types that lazily allocate must track initialization by
609	/// some other means.
610	#[inline(always)]
611	#[must_use]
612	#[rustc_const_stable(feature = "stable_things_using_strict_provenance", since = "1.61.0")]
613	#[unstable(feature = "strict_provenance", issue = "95228")]
614	pub const fn dangling<T>() -> *const T {
615	without_provenance(addr:mem::align_of::<T>())
616	}
617
618	/// Creates a pointer with the given address and no provenance.
619	///
620	/// This is equivalent to `ptr::null_mut().with_addr(addr)`.
621	///
622	/// Without provenance, this pointer is not associated with any actual allocation. Such a
623	/// no-provenance pointer may be used for zero-sized memory accesses (if suitably aligned), but
624	/// non-zero-sized memory accesses with a no-provenance pointer are UB. No-provenance pointers are
625	/// little more than a usize address in disguise.
626	///
627	/// This is different from `addr as mut T`, which creates a pointer that picks up a previously*
628	/// exposed provenance. See [`with_exposed_provenance_mut`] for more details on that operation.
629	///
630	/// This API and its claimed semantics are part of the Strict Provenance experiment,
631	/// see the [module documentation][crate::ptr] for details.
632	#[inline(always)]
633	#[must_use]
634	#[rustc_const_stable(feature = "stable_things_using_strict_provenance", since = "1.61.0")]
635	#[unstable(feature = "strict_provenance", issue = "95228")]
636	pub const fn without_provenance_mut<T>(addr: usize) -> *mut T {
637	// FIXME(strict_provenance_magic): I am magic and should be a compiler intrinsic.
638	// We use transmute rather than a cast so tools like Miri can tell that this
639	// is not* the same as with_exposed_provenance.*
640	// SAFETY: every valid integer is also a valid pointer (as long as you don't dereference that
641	// pointer).
642	unsafe { mem::transmute(src:addr) }
643	}
644
645	/// Creates a new pointer that is dangling, but well-aligned.
646	///
647	/// This is useful for initializing types which lazily allocate, like
648	/// `Vec::new` does.
649	///
650	/// Note that the pointer value may potentially represent a valid pointer to
651	/// a `T`, which means this must not be used as a "not yet initialized"
652	/// sentinel value. Types that lazily allocate must track initialization by
653	/// some other means.
654	#[inline(always)]
655	#[must_use]
656	#[rustc_const_stable(feature = "stable_things_using_strict_provenance", since = "1.61.0")]
657	#[unstable(feature = "strict_provenance", issue = "95228")]
658	pub const fn dangling_mut<T>() -> *mut T {
659	without_provenance_mut(addr:mem::align_of::<T>())
660	}
661
662	/// Convert an address back to a pointer, picking up a previously 'exposed' provenance.
663	///
664	/// This is a more rigorously specified alternative to `addr as const T`. The provenance of the*
665	/// returned pointer is that of any* pointer that was previously exposed by passing it to*
666	/// [`expose_provenance`][pointer::expose_provenance], or a `ptr as usize` cast. In addition, memory which is
667	/// outside the control of the Rust abstract machine (MMIO registers, for example) is always
668	/// considered to be exposed, so long as this memory is disjoint from memory that will be used by
669	/// the abstract machine such as the stack, heap, and statics.
670	///
671	/// If there is no 'exposed' provenance that justifies the way this pointer will be used,
672	/// the program has undefined behavior. In particular, the aliasing rules still apply: pointers
673	/// and references that have been invalidated due to aliasing accesses cannot be used any more,
674	/// even if they have been exposed!
675	///
676	/// Note that there is no algorithm that decides which provenance will be used. You can think of this
677	/// as "guessing" the right provenance, and the guess will be "maximally in your favor", in the sense
678	/// that if there is any way to avoid undefined behavior (while upholding all aliasing requirements),
679	/// then that is the guess that will be taken.
680	///
681	/// On platforms with multiple address spaces, it is your responsibility to ensure that the
682	/// address makes sense in the address space that this pointer will be used with.
683	///
684	/// Using this function means that code is not* following [Strict*
685	/// Provenance][self#strict-provenance] rules. "Guessing" a
686	/// suitable provenance complicates specification and reasoning and may not be supported by
687	/// tools that help you to stay conformant with the Rust memory model, so it is recommended to
688	/// use [`with_addr`][pointer::with_addr] wherever possible.
689	///
690	/// On most platforms this will produce a value with the same bytes as the address. Platforms
691	/// which need to store additional information in a pointer may not support this operation,
692	/// since it is generally not possible to actually compute* which provenance the returned*
693	/// pointer has to pick up.
694	///
695	/// It is unclear whether this function can be given a satisfying unambiguous specification. This
696	/// API and its claimed semantics are part of [Exposed Provenance][self#exposed-provenance].
697	#[must_use]
698	#[inline(always)]
699	#[unstable(feature = "exposed_provenance", issue = "95228")]
700	#[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
701	#[allow(fuzzy_provenance_casts)] // this is* the explicit provenance API one should use instead*
702	pub fn with_exposed_provenance<T>(addr: usize) -> *const T
703	where
704	T: Sized,
705	{
706	// FIXME(strict_provenance_magic): I am magic and should be a compiler intrinsic.
707	addr as *const T
708	}
709
710	/// Convert an address back to a mutable pointer, picking up a previously 'exposed' provenance.
711	///
712	/// This is a more rigorously specified alternative to `addr as mut T`. The provenance of the*
713	/// returned pointer is that of any* pointer that was previously passed to*
714	/// [`expose_provenance`][pointer::expose_provenance] or a `ptr as usize` cast. If there is no previously
715	/// 'exposed' provenance that justifies the way this pointer will be used, the program has undefined
716	/// behavior. Note that there is no algorithm that decides which provenance will be used. You can
717	/// think of this as "guessing" the right provenance, and the guess will be "maximally in your
718	/// favor", in the sense that if there is any way to avoid undefined behavior, then that is the
719	/// guess that will be taken.
720	///
721	/// On platforms with multiple address spaces, it is your responsibility to ensure that the
722	/// address makes sense in the address space that this pointer will be used with.
723	///
724	/// Using this function means that code is not* following [Strict*
725	/// Provenance][self#strict-provenance] rules. "Guessing" a
726	/// suitable provenance complicates specification and reasoning and may not be supported by
727	/// tools that help you to stay conformant with the Rust memory model, so it is recommended to
728	/// use [`with_addr`][pointer::with_addr] wherever possible.
729	///
730	/// On most platforms this will produce a value with the same bytes as the address. Platforms
731	/// which need to store additional information in a pointer may not support this operation,
732	/// since it is generally not possible to actually compute* which provenance the returned*
733	/// pointer has to pick up.
734	///
735	/// It is unclear whether this function can be given a satisfying unambiguous specification. This
736	/// API and its claimed semantics are part of [Exposed Provenance][self#exposed-provenance].
737	#[must_use]
738	#[inline(always)]
739	#[unstable(feature = "exposed_provenance", issue = "95228")]
740	#[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
741	#[allow(fuzzy_provenance_casts)] // this is* the explicit provenance API one should use instead*
742	pub fn with_exposed_provenance_mut<T>(addr: usize) -> *mut T
743	where
744	T: Sized,
745	{
746	// FIXME(strict_provenance_magic): I am magic and should be a compiler intrinsic.
747	addr as *mut T
748	}
749
750	/// Convert a reference to a raw pointer.
751	///
752	/// This is equivalent to `r as const T`, but is a bit safer since it will never silently change*
753	/// type or mutability, in particular if the code is refactored.
754	#[inline(always)]
755	#[must_use]
756	#[stable(feature = "ptr_from_ref", since = "1.76.0")]
757	#[rustc_const_stable(feature = "ptr_from_ref", since = "1.76.0")]
758	#[rustc_never_returns_null_ptr]
759	#[rustc_diagnostic_item = "ptr_from_ref"]
760	pub const fn from_ref<T: ?Sized>(r: &T) -> *const T {
761	r
762	}
763
764	/// Convert a mutable reference to a raw pointer.
765	///
766	/// This is equivalent to `r as mut T`, but is a bit safer since it will never silently change*
767	/// type or mutability, in particular if the code is refactored.
768	#[inline(always)]
769	#[must_use]
770	#[stable(feature = "ptr_from_ref", since = "1.76.0")]
771	#[rustc_const_stable(feature = "ptr_from_ref", since = "1.76.0")]
772	#[rustc_allow_const_fn_unstable(const_mut_refs)]
773	#[rustc_never_returns_null_ptr]
774	pub const fn from_mut<T: ?Sized>(r: &mut T) -> *mut T {
775	r
776	}
777
778	/// Forms a raw slice from a pointer and a length.
779	///
780	/// The `len` argument is the number of elements, not the number of bytes.
781	///
782	/// This function is safe, but actually using the return value is unsafe.
783	/// See the documentation of [`slice::from_raw_parts`] for slice safety requirements.
784	///
785	/// [`slice::from_raw_parts`]: crate::slice::from_raw_parts
786	///
787	/// # Examples
788	///
789	/// ```rust
790	/// use std::ptr;
791	///
792	/// // create a slice pointer when starting out with a pointer to the first element
793	/// let x = [`5`, `6`, `7`];
794	/// let raw_pointer = x.as_ptr();
795	/// let slice = ptr::slice_from_raw_parts(raw_pointer, `3`);
796	/// assert_eq!(unsafe { &*slice }[`2`], `7`);
797	/// ```
798	///
799	/// You must ensure that the pointer is valid and not null before dereferencing
800	/// the raw slice. A slice reference must never have a null pointer, even if it's empty.
801	///
802	/// ```rust,should_panic
803	/// use std::ptr;
804	/// let danger: *const [u8] = ptr::slice_from_raw_parts(ptr::null(), `0`);
805	/// unsafe {
806	/// danger.as_ref().expect("references must not be null");
807	/// }
808	/// ```
809	#[inline]
810	#[stable(feature = "slice_from_raw_parts", since = "1.42.0")]
811	#[rustc_const_stable(feature = "const_slice_from_raw_parts", since = "1.64.0")]
812	#[rustc_allow_const_fn_unstable(ptr_metadata)]
813	#[rustc_diagnostic_item = "ptr_slice_from_raw_parts"]
814	pub const fn slice_from_raw_parts<T>(data: *const T, len: usize) -> *const [T] {
815	from_raw_parts(data_pointer:data.cast(), metadata:len)
816	}
817
818	/// Forms a raw mutable slice from a pointer and a length.
819	///
820	/// The `len` argument is the number of elements, not the number of bytes.
821	///
822	/// Performs the same functionality as [`slice_from_raw_parts`], except that a
823	/// raw mutable slice is returned, as opposed to a raw immutable slice.
824	///
825	/// This function is safe, but actually using the return value is unsafe.
826	/// See the documentation of [`slice::from_raw_parts_mut`] for slice safety requirements.
827	///
828	/// [`slice::from_raw_parts_mut`]: crate::slice::from_raw_parts_mut
829	///
830	/// # Examples
831	///
832	/// ```rust
833	/// use std::ptr;
834	///
835	/// let x = &mut [`5`, `6`, `7`];
836	/// let raw_pointer = x.as_mut_ptr();
837	/// let slice = ptr::slice_from_raw_parts_mut(raw_pointer, `3`);
838	///
839	/// unsafe {
840	/// (slice)[`2`] = `99`; // assign a value at an index in the slice*
841	/// };
842	///
843	/// assert_eq!(unsafe { &*slice }[`2`], `99`);
844	/// ```
845	///
846	/// You must ensure that the pointer is valid and not null before dereferencing
847	/// the raw slice. A slice reference must never have a null pointer, even if it's empty.
848	///
849	/// ```rust,should_panic
850	/// use std::ptr;
851	/// let danger: *mut [u8] = ptr::slice_from_raw_parts_mut(ptr::null_mut(), `0`);
852	/// unsafe {
853	/// danger.as_mut().expect("references must not be null");
854	/// }
855	/// ```
856	#[inline]
857	#[stable(feature = "slice_from_raw_parts", since = "1.42.0")]
858	#[rustc_const_unstable(feature = "const_slice_from_raw_parts_mut", issue = "67456")]
859	#[rustc_diagnostic_item = "ptr_slice_from_raw_parts_mut"]
860	pub const fn slice_from_raw_parts_mut<T>(data: *mut T, len: usize) -> *mut [T] {
861	from_raw_parts_mut(data_pointer:data.cast(), metadata:len)
862	}
863
864	/// Swaps the values at two mutable locations of the same type, without
865	/// deinitializing either.
866	///
867	/// But for the following exceptions, this function is semantically
868	/// equivalent to [`mem::swap`]:
869	///
870	/// It operates on raw pointers instead of references. When references are*
871	/// available, [`mem::swap`] should be preferred.
872	///
873	/// The two pointed-to values may overlap. If the values do overlap, then the*
874	/// overlapping region of memory from `x` will be used. This is demonstrated
875	/// in the second example below.
876	///
877	/// The operation is "untyped" in the sense that data may be uninitialized or otherwise violate*
878	/// the requirements of `T`. The initialization state is preserved exactly.
879	///
880	/// # Safety
881	///
882	/// Behavior is undefined if any of the following conditions are violated:
883	///
884	/// Both `x` and `y` must be [valid] for both reads and writes. They must remain valid even when the*
885	/// other pointer is written. (This means if the memory ranges overlap, the two pointers must not
886	/// be subject to aliasing restrictions relative to each other.)
887	///
888	/// Both `x` and `y` must be properly aligned.*
889	///
890	/// Note that even if `T` has size `0`, the pointers must be non-null and properly aligned.
891	///
892	/// [valid]: self#safety
893	///
894	/// # Examples
895	///
896	/// Swapping two non-overlapping regions:
897	///
898	/// ```
899	/// use std::ptr;
900	///
901	/// let mut array = [`0`, `1`, `2`, `3`];
902	///
903	/// let (x, y) = array.split_at_mut(`2`);
904	/// let x = x.as_mut_ptr().cast::<[u32; `2`]>(); // this is `array[0..2]`
905	/// let y = y.as_mut_ptr().cast::<[u32; `2`]>(); // this is `array[2..4]`
906	///
907	/// unsafe {
908	/// ptr::swap(x, y);
909	/// assert_eq!([`2`, `3`, `0`, `1`], array);
910	/// }
911	/// ```
912	///
913	/// Swapping two overlapping regions:
914	///
915	/// ```
916	/// use std::ptr;
917	///
918	/// let mut array: [i32; `4`] = [`0`, `1`, `2`, `3`];
919	///
920	/// let array_ptr: *mut i32 = array.as_mut_ptr();
921	///
922	/// let x = array_ptr as *mut [i32; `3`]; // this is `array[0..3]`
923	/// let y = unsafe { array_ptr.add(`1`) } as *mut [i32; `3`]; // this is `array[1..4]`
924	///
925	/// unsafe {
926	/// ptr::swap(x, y);
927	/// // The indices `1..3` of the slice overlap between `x` and `y`.
928	/// // Reasonable results would be for to them be `[2, 3]`, so that indices `0..3` are
929	/// // `[1, 2, 3]` (matching `y` before the `swap`); or for them to be `[0, 1]`
930	/// // so that indices `1..4` are `[0, 1, 2]` (matching `x` before the `swap`).
931	/// // This implementation is defined to make the latter choice.
932	/// assert_eq!([`1`, `0`, `1`, `2`], array);
933	/// }
934	/// ```
935	#[inline]
936	#[stable(feature = "rust1", since = "1.0.0")]
937	#[rustc_const_unstable(feature = "const_swap", issue = "83163")]
938	#[rustc_diagnostic_item = "ptr_swap"]
939	pub const unsafe fn swap<T>(x: *mut T, y: *mut T) {
940	// Give ourselves some scratch space to work with.
941	// We do not have to worry about drops: `MaybeUninit` does nothing when dropped.
942	let mut tmp: MaybeUninit = MaybeUninit::<T>::uninit();
943
944	// Perform the swap
945	// SAFETY: the caller must guarantee that `x` and `y` are
946	// valid for writes and properly aligned. `tmp` cannot be
947	// overlapping either `x` or `y` because `tmp` was just allocated
948	// on the stack as a separate allocated object.
949	unsafe {
950	copy_nonoverlapping(src:x, dst:tmp.as_mut_ptr(), count:`1`);
951	copy(src:y, dst:x, count:`1`); // `x` and `y` may overlap
952	copy_nonoverlapping(src:tmp.as_ptr(), dst:y, count:`1`);
953	}
954	}
955
956	/// Swaps `count size_of::<T>()` bytes between the two regions of memory*
957	/// beginning at `x` and `y`. The two regions must not* overlap.*
958	///
959	/// The operation is "untyped" in the sense that data may be uninitialized or otherwise violate the
960	/// requirements of `T`. The initialization state is preserved exactly.
961	///
962	/// # Safety
963	///
964	/// Behavior is undefined if any of the following conditions are violated:
965	///
966	/// * Both `x` and `y` must be [valid] for both reads and writes of `count *
967	/// size_of::<T>()` bytes.
968	///
969	/// Both `x` and `y` must be properly aligned.*
970	///
971	/// * The region of memory beginning at `x` with a size of `count *
972	/// size_of::<T>()` bytes must not* overlap with the region of memory*
973	/// beginning at `y` with the same size.
974	///
975	/// Note that even if the effectively copied size (`count size_of::<T>()`) is `0`,*
976	/// the pointers must be non-null and properly aligned.
977	///
978	/// [valid]: self#safety
979	///
980	/// # Examples
981	///
982	/// Basic usage:
983	///
984	/// ```
985	/// use std::ptr;
986	///
987	/// let mut x = [`1`, `2`, `3`, `4`];
988	/// let mut y = [`7`, `8`, `9`];
989	///
990	/// unsafe {
991	/// ptr::swap_nonoverlapping(x.as_mut_ptr(), y.as_mut_ptr(), `2`);
992	/// }
993	///
994	/// assert_eq!(x, [`7`, `8`, `3`, `4`]);
995	/// assert_eq!(y, [`1`, `2`, `9`]);
996	/// ```
997	#[inline]
998	#[stable(feature = "swap_nonoverlapping", since = "1.27.0")]
999	#[rustc_const_unstable(feature = "const_swap", issue = "83163")]
1000	#[rustc_diagnostic_item = "ptr_swap_nonoverlapping"]
1001	pub const unsafe fn swap_nonoverlapping<T>(x: *mut T, y: *mut T, count: usize) {
1002	#[allow(unused)]
1003	macro_rules! attempt_swap_as_chunks {
1004	($ChunkTy:ty) => {
1005	if mem::align_of::<T>() >= mem::align_of::<$ChunkTy>()
1006	&& mem::size_of::<T>() % mem::size_of::<$ChunkTy>() == `0`
1007	{
1008	let x: *mut $ChunkTy = x.cast();
1009	let y: *mut $ChunkTy = y.cast();
1010	let count = count * (mem::size_of::<T>() / mem::size_of::<$ChunkTy>());
1011	// SAFETY: these are the same bytes that the caller promised were
1012	// ok, just typed as `MaybeUninit<ChunkTy>`s instead of as `T`s.
1013	// The `if` condition above ensures that we're not violating
1014	// alignment requirements, and that the division is exact so
1015	// that we don't lose any bytes off the end.
1016	return unsafe { swap_nonoverlapping_simple_untyped(x, y, count) };
1017	}
1018	};
1019	}
1020
1021	ub_checks::assert_unsafe_precondition!(
1022	check_language_ub,
1023	"ptr::swap_nonoverlapping requires that both pointer arguments are aligned and non-null \
1024	and the specified memory ranges do not overlap",
1025	(
1026	x: *mut () = x as *mut (),
1027	y: *mut () = y as *mut (),
1028	size: usize = size_of::<T>(),
1029	align: usize = align_of::<T>(),
1030	count: usize = count,
1031	) =>
1032	ub_checks::is_aligned_and_not_null(x, align)
1033	&& ub_checks::is_aligned_and_not_null(y, align)
1034	&& ub_checks::is_nonoverlapping(x, y, size, count)
1035	);
1036
1037	// Split up the slice into small power-of-two-sized chunks that LLVM is able
1038	// to vectorize (unless it's a special type with more-than-pointer alignment,
1039	// because we don't want to pessimize things like slices of SIMD vectors.)
1040	if mem::align_of::<T>() <= mem::size_of::<usize>()
1041	&& (!mem::size_of::<T>().is_power_of_two()
1042	\|\| mem::size_of::<T>() > mem::size_of::<usize>() * `2`)
1043	{
1044	attempt_swap_as_chunks!(usize);
1045	attempt_swap_as_chunks!(u8);
1046	}
1047
1048	// SAFETY: Same preconditions as this function
1049	unsafe { swap_nonoverlapping_simple_untyped(x, y, count) }
1050	}
1051
1052	/// Same behaviour and safety conditions as [`swap_nonoverlapping`]
1053	///
1054	/// LLVM can vectorize this (at least it can for the power-of-two-sized types
1055	/// `swap_nonoverlapping` tries to use) so no need to manually SIMD it.
1056	#[inline]
1057	#[rustc_const_unstable(feature = "const_swap", issue = "83163")]
1058	const unsafe fn swap_nonoverlapping_simple_untyped<T>(x: *mut T, y: *mut T, count: usize) {
1059	let x = x.cast::<MaybeUninit<T>>();
1060	let y = y.cast::<MaybeUninit<T>>();
1061	let mut i = `0`;
1062	while i < count {
1063	// SAFETY: By precondition, `i` is in-bounds because it's below `n`
1064	let x = unsafe { x.add(i) };
1065	// SAFETY: By precondition, `i` is in-bounds because it's below `n`
1066	// and it's distinct from `x` since the ranges are non-overlapping
1067	let y = unsafe { y.add(i) };
1068
1069	// If we end up here, it's because we're using a simple type -- like
1070	// a small power-of-two-sized thing -- or a special type with particularly
1071	// large alignment, particularly SIMD types.
1072	// Thus we're fine just reading-and-writing it, as either it's small
1073	// and that works well anyway or it's special and the type's author
1074	// presumably wanted things to be done in the larger chunk.
1075
1076	// SAFETY: we're only ever given pointers that are valid to read/write,
1077	// including being aligned, and nothing here panics so it's drop-safe.
1078	unsafe {
1079	let a: MaybeUninit<T> = read(x);
1080	let b: MaybeUninit<T> = read(y);
1081	write(x, b);
1082	write(y, a);
1083	}
1084
1085	i += `1`;
1086	}
1087	}
1088
1089	/// Moves `src` into the pointed `dst`, returning the previous `dst` value.
1090	///
1091	/// Neither value is dropped.
1092	///
1093	/// This function is semantically equivalent to [`mem::replace`] except that it
1094	/// operates on raw pointers instead of references. When references are
1095	/// available, [`mem::replace`] should be preferred.
1096	///
1097	/// # Safety
1098	///
1099	/// Behavior is undefined if any of the following conditions are violated:
1100	///
1101	/// `dst` must be [valid] for both reads and writes.*
1102	///
1103	/// `dst` must be properly aligned.*
1104	///
1105	/// `dst` must point to a properly initialized value of type `T`.*
1106	///
1107	/// Note that even if `T` has size `0`, the pointer must be non-null and properly aligned.
1108	///
1109	/// [valid]: self#safety
1110	///
1111	/// # Examples
1112	///
1113	/// ```
1114	/// use std::ptr;
1115	///
1116	/// let mut rust = vec!['b', 'u', 's', 't'];
1117	///
1118	/// // `mem::replace` would have the same effect without requiring the unsafe
1119	/// // block.
1120	/// let b = unsafe {
1121	/// ptr::replace(&mut rust[`0`], 'r')
1122	/// };
1123	///
1124	/// assert_eq!(b, 'b');
1125	/// assert_eq!(rust, &['r', 'u', 's', 't']);
1126	/// ```
1127	#[inline]
1128	#[stable(feature = "rust1", since = "1.0.0")]
1129	#[rustc_const_unstable(feature = "const_replace", issue = "83164")]
1130	#[rustc_diagnostic_item = "ptr_replace"]
1131	pub const unsafe fn replace<T>(dst: *mut T, src: T) -> T {
1132	// SAFETY: the caller must guarantee that `dst` is valid to be
1133	// cast to a mutable reference (valid for writes, aligned, initialized),
1134	// and cannot overlap `src` since `dst` must point to a distinct
1135	// allocated object.
1136	unsafe {
1137	ub_checks::assert_unsafe_precondition!(
1138	check_language_ub,
1139	"ptr::replace requires that the pointer argument is aligned and non-null",
1140	(
1141	addr: *const () = dst as *const (),
1142	align: usize = align_of::<T>(),
1143	) => ub_checks::is_aligned_and_not_null(addr, align)
1144	);
1145	mem::replace(&mut *dst, src)
1146	}
1147	}
1148
1149	/// Reads the value from `src` without moving it. This leaves the
1150	/// memory in `src` unchanged.
1151	///
1152	/// # Safety
1153	///
1154	/// Behavior is undefined if any of the following conditions are violated:
1155	///
1156	/// `src` must be [valid] for reads.*
1157	///
1158	/// `src` must be properly aligned. Use* [`read_unaligned`] if this is not the
1159	/// case.
1160	///
1161	/// `src` must point to a properly initialized value of type `T`.*
1162	///
1163	/// Note that even if `T` has size `0`, the pointer must be non-null and properly aligned.
1164	///
1165	/// # Examples
1166	///
1167	/// Basic usage:
1168	///
1169	/// ```
1170	/// let x = `12`;
1171	/// let y = &x as *const i32;
1172	///
1173	/// unsafe {
1174	/// assert_eq!(std::ptr::read(y), `12`);
1175	/// }
1176	/// ```
1177	///
1178	/// Manually implement [`mem::swap`]:
1179	///
1180	/// ```
1181	/// use std::ptr;
1182	///
1183	/// fn swap<T>(a: &mut T, b: &mut T) {
1184	/// unsafe {
1185	/// // Create a bitwise copy of the value at `a` in `tmp`.
1186	/// let tmp = ptr::read(a);
1187	///
1188	/// // Exiting at this point (either by explicitly returning or by
1189	/// // calling a function which panics) would cause the value in `tmp` to
1190	/// // be dropped while the same value is still referenced by `a`. This
1191	/// // could trigger undefined behavior if `T` is not `Copy`.
1192	///
1193	/// // Create a bitwise copy of the value at `b` in `a`.
1194	/// // This is safe because mutable references cannot alias.
1195	/// ptr::copy_nonoverlapping(b, a, `1`);
1196	///
1197	/// // As above, exiting here could trigger undefined behavior because
1198	/// // the same value is referenced by `a` and `b`.
1199	///
1200	/// // Move `tmp` into `b`.
1201	/// ptr::write(b, tmp);
1202	///
1203	/// // `tmp` has been moved (`write` takes ownership of its second argument),
1204	/// // so nothing is dropped implicitly here.
1205	/// }
1206	/// }
1207	///
1208	/// let mut foo = "foo".to_owned();
1209	/// let mut bar = "bar".to_owned();
1210	///
1211	/// swap(&mut foo, &mut bar);
1212	///
1213	/// assert_eq!(foo, "bar");
1214	/// assert_eq!(bar, "foo");
1215	/// ```
1216	///
1217	/// ## Ownership of the Returned Value
1218	///
1219	/// `read` creates a bitwise copy of `T`, regardless of whether `T` is [`Copy`].
1220	/// If `T` is not [`Copy`], using both the returned value and the value at
1221	/// `src` can violate memory safety. Note that assigning to `src` counts as a
1222	/// use because it will attempt to drop the value at `src`.*
1223	///
1224	/// [`write()`] can be used to overwrite data without causing it to be dropped.
1225	///
1226	/// ```
1227	/// use std::ptr;
1228	///
1229	/// let mut s = String::from("foo");
1230	/// unsafe {
1231	/// // `s2` now points to the same underlying memory as `s`.
1232	/// let mut s2: String = ptr::read(&s);
1233	///
1234	/// assert_eq!(s2, "foo");
1235	///
1236	/// // Assigning to `s2` causes its original value to be dropped. Beyond
1237	/// // this point, `s` must no longer be used, as the underlying memory has
1238	/// // been freed.
1239	/// s2 = String::default();
1240	/// assert_eq!(s2, "");
1241	///
1242	/// // Assigning to `s` would cause the old value to be dropped again,
1243	/// // resulting in undefined behavior.
1244	/// // s = String::from("bar"); // ERROR
1245	///
1246	/// // `ptr::write` can be used to overwrite a value without dropping it.
1247	/// ptr::write(&mut s, String::from("bar"));
1248	/// }
1249	///
1250	/// assert_eq!(s, "bar");
1251	/// ```
1252	///
1253	/// [valid]: self#safety
1254	#[inline]
1255	#[stable(feature = "rust1", since = "1.0.0")]
1256	#[rustc_const_stable(feature = "const_ptr_read", since = "1.71.0")]
1257	#[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
1258	#[rustc_diagnostic_item = "ptr_read"]
1259	pub const unsafe fn read<T>(src: *const T) -> T {
1260	// It would be semantically correct to implement this via `copy_nonoverlapping`
1261	// and `MaybeUninit`, as was done before PR #109035. Calling `assume_init`
1262	// provides enough information to know that this is a typed operation.
1263
1264	// However, as of March 2023 the compiler was not capable of taking advantage
1265	// of that information. Thus the implementation here switched to an intrinsic,
1266	// which lowers to `_0 = src` in MIR, to address a few issues:*
1267	//
1268	// - Using `MaybeUninit::assume_init` after a `copy_nonoverlapping` was not
1269	// turning the untyped copy into a typed load. As such, the generated
1270	// `load` in LLVM didn't get various metadata, such as `!range` (#73258),
1271	// `!nonnull`, and `!noundef`, resulting in poorer optimization.
1272	// - Going through the extra local resulted in multiple extra copies, even
1273	// in optimized MIR. (Ignoring StorageLive/Dead, the intrinsic is one
1274	// MIR statement, while the previous implementation was eight.) LLVM
1275	// could sometimes optimize them away, but because `read` is at the core
1276	// of so many things, not having them in the first place improves what we
1277	// hand off to the backend. For example, `mem::replace::<Big>` previously
1278	// emitted 4 `alloca` and 6 `memcpy`s, but is now 1 `alloc` and 3 `memcpy`s.
1279	// - In general, this approach keeps us from getting any more bugs (like
1280	// #106369) that boil down to "`read(p)` is worse than `p`", as this*
1281	// makes them look identical to the backend (or other MIR consumers).
1282	//
1283	// Future enhancements to MIR optimizations might well allow this to return
1284	// to the previous implementation, rather than using an intrinsic.
1285
1286	// SAFETY: the caller must guarantee that `src` is valid for reads.
1287	unsafe {
1288	#[cfg(debug_assertions)] // Too expensive to always enable (for now?)
1289	ub_checks::assert_unsafe_precondition!(
1290	check_language_ub,
1291	"ptr::read requires that the pointer argument is aligned and non-null",
1292	(
1293	addr: *const () = src as *const (),
1294	align: usize = align_of::<T>(),
1295	) => ub_checks::is_aligned_and_not_null(addr, align)
1296	);
1297	crate::intrinsics::read_via_copy(src)
1298	}
1299	}
1300
1301	/// Reads the value from `src` without moving it. This leaves the
1302	/// memory in `src` unchanged.
1303	///
1304	/// Unlike [`read`], `read_unaligned` works with unaligned pointers.
1305	///
1306	/// # Safety
1307	///
1308	/// Behavior is undefined if any of the following conditions are violated:
1309	///
1310	/// `src` must be [valid] for reads.*
1311	///
1312	/// `src` must point to a properly initialized value of type `T`.*
1313	///
1314	/// Like [`read`], `read_unaligned` creates a bitwise copy of `T`, regardless of
1315	/// whether `T` is [`Copy`]. If `T` is not [`Copy`], using both the returned
1316	/// value and the value at `src` can [violate memory safety][read-ownership].*
1317	///
1318	/// Note that even if `T` has size `0`, the pointer must be non-null.
1319	///
1320	/// [read-ownership]: read#ownership-of-the-returned-value
1321	/// [valid]: self#safety
1322	///
1323	/// ## On `packed` structs
1324	///
1325	/// Attempting to create a raw pointer to an `unaligned` struct field with
1326	/// an expression such as `&packed.unaligned as const FieldType` creates an*
1327	/// intermediate unaligned reference before converting that to a raw pointer.
1328	/// That this reference is temporary and immediately cast is inconsequential
1329	/// as the compiler always expects references to be properly aligned.
1330	/// As a result, using `&packed.unaligned as const FieldType` causes immediate*
1331	/// undefined behavior* in your program.*
1332	///
1333	/// Instead you must use the [`ptr::addr_of!`](addr_of) macro to
1334	/// create the pointer. You may use that returned pointer together with this
1335	/// function.
1336	///
1337	/// An example of what not to do and how this relates to `read_unaligned` is:
1338	///
1339	/// ```
1340	/// #[repr(packed, C)]
1341	/// struct Packed {
1342	/// _padding: u8,
1343	/// unaligned: u32,
1344	/// }
1345	///
1346	/// let packed = Packed {
1347	/// _padding: `0x00`,
1348	/// unaligned: `0x01020304`,
1349	/// };
1350	///
1351	/// // Take the address of a 32-bit integer which is not aligned.
1352	/// // In contrast to `&packed.unaligned as const _`, this has no undefined behavior.*
1353	/// let unaligned = std::ptr::addr_of!(packed.unaligned);
1354	///
1355	/// let v = unsafe { std::ptr::read_unaligned(unaligned) };
1356	/// assert_eq!(v, `0x01020304`);
1357	/// ```
1358	///
1359	/// Accessing unaligned fields directly with e.g. `packed.unaligned` is safe however.
1360	///
1361	/// # Examples
1362	///
1363	/// Read a usize value from a byte buffer:
1364	///
1365	/// ```
1366	/// use std::mem;
1367	///
1368	/// fn read_usize(x: &[u8]) -> usize {
1369	/// assert!(x.len() >= mem::size_of::<usize>());
1370	///
1371	/// let ptr = x.as_ptr() as *const usize;
1372	///
1373	/// unsafe { ptr.read_unaligned() }
1374	/// }
1375	/// ```
1376	#[inline]
1377	#[stable(feature = "ptr_unaligned", since = "1.17.0")]
1378	#[rustc_const_stable(feature = "const_ptr_read", since = "1.71.0")]
1379	#[rustc_allow_const_fn_unstable(
1380	const_mut_refs,
1381	const_maybe_uninit_as_mut_ptr,
1382	const_intrinsic_copy
1383	)]
1384	#[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
1385	#[rustc_diagnostic_item = "ptr_read_unaligned"]
1386	pub const unsafe fn read_unaligned<T>(src: *const T) -> T {
1387	let mut tmp: MaybeUninit = MaybeUninit::<T>::uninit();
1388	// SAFETY: the caller must guarantee that `src` is valid for reads.
1389	// `src` cannot overlap `tmp` because `tmp` was just allocated on
1390	// the stack as a separate allocated object.
1391	//
1392	// Also, since we just wrote a valid value into `tmp`, it is guaranteed
1393	// to be properly initialized.
1394	unsafe {
1395	copy_nonoverlapping(src as *const u8, dst:tmp.as_mut_ptr() as *mut u8, count:mem::size_of::<T>());
1396	tmp.assume_init()
1397	}
1398	}
1399
1400	/// Overwrites a memory location with the given value without reading or
1401	/// dropping the old value.
1402	///
1403	/// `write` does not drop the contents of `dst`. This is safe, but it could leak
1404	/// allocations or resources, so care should be taken not to overwrite an object
1405	/// that should be dropped.
1406	///
1407	/// Additionally, it does not drop `src`. Semantically, `src` is moved into the
1408	/// location pointed to by `dst`.
1409	///
1410	/// This is appropriate for initializing uninitialized memory, or overwriting
1411	/// memory that has previously been [`read`] from.
1412	///
1413	/// # Safety
1414	///
1415	/// Behavior is undefined if any of the following conditions are violated:
1416	///
1417	/// `dst` must be [valid] for writes.*
1418	///
1419	/// `dst` must be properly aligned. Use* [`write_unaligned`] if this is not the
1420	/// case.
1421	///
1422	/// Note that even if `T` has size `0`, the pointer must be non-null and properly aligned.
1423	///
1424	/// [valid]: self#safety
1425	///
1426	/// # Examples
1427	///
1428	/// Basic usage:
1429	///
1430	/// ```
1431	/// let mut x = `0`;
1432	/// let y = &mut x as *mut i32;
1433	/// let z = `12`;
1434	///
1435	/// unsafe {
1436	/// std::ptr::write(y, z);
1437	/// assert_eq!(std::ptr::read(y), `12`);
1438	/// }
1439	/// ```
1440	///
1441	/// Manually implement [`mem::swap`]:
1442	///
1443	/// ```
1444	/// use std::ptr;
1445	///
1446	/// fn swap<T>(a: &mut T, b: &mut T) {
1447	/// unsafe {
1448	/// // Create a bitwise copy of the value at `a` in `tmp`.
1449	/// let tmp = ptr::read(a);
1450	///
1451	/// // Exiting at this point (either by explicitly returning or by
1452	/// // calling a function which panics) would cause the value in `tmp` to
1453	/// // be dropped while the same value is still referenced by `a`. This
1454	/// // could trigger undefined behavior if `T` is not `Copy`.
1455	///
1456	/// // Create a bitwise copy of the value at `b` in `a`.
1457	/// // This is safe because mutable references cannot alias.
1458	/// ptr::copy_nonoverlapping(b, a, `1`);
1459	///
1460	/// // As above, exiting here could trigger undefined behavior because
1461	/// // the same value is referenced by `a` and `b`.
1462	///
1463	/// // Move `tmp` into `b`.
1464	/// ptr::write(b, tmp);
1465	///
1466	/// // `tmp` has been moved (`write` takes ownership of its second argument),
1467	/// // so nothing is dropped implicitly here.
1468	/// }
1469	/// }
1470	///
1471	/// let mut foo = "foo".to_owned();
1472	/// let mut bar = "bar".to_owned();
1473	///
1474	/// swap(&mut foo, &mut bar);
1475	///
1476	/// assert_eq!(foo, "bar");
1477	/// assert_eq!(bar, "foo");
1478	/// ```
1479	#[inline]
1480	#[stable(feature = "rust1", since = "1.0.0")]
1481	#[rustc_const_unstable(feature = "const_ptr_write", issue = "86302")]
1482	#[rustc_diagnostic_item = "ptr_write"]
1483	#[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
1484	pub const unsafe fn write<T>(dst: *mut T, src: T) {
1485	// Semantically, it would be fine for this to be implemented as a
1486	// `copy_nonoverlapping` and appropriate drop suppression of `src`.
1487
1488	// However, implementing via that currently produces more MIR than is ideal.
1489	// Using an intrinsic keeps it down to just the simple `dst = move src` in*
1490	// MIR (11 statements shorter, at the time of writing), and also allows
1491	// `src` to stay an SSA value in codegen_ssa, rather than a memory one.
1492
1493	// SAFETY: the caller must guarantee that `dst` is valid for writes.
1494	// `dst` cannot overlap `src` because the caller has mutable access
1495	// to `dst` while `src` is owned by this function.
1496	unsafe {
1497	#[cfg(debug_assertions)] // Too expensive to always enable (for now?)
1498	ub_checks::assert_unsafe_precondition!(
1499	check_language_ub,
1500	"ptr::write requires that the pointer argument is aligned and non-null",
1501	(
1502	addr: *mut () = dst as *mut (),
1503	align: usize = align_of::<T>(),
1504	) => ub_checks::is_aligned_and_not_null(addr, align)
1505	);
1506	intrinsics::write_via_move(dst, src)
1507	}
1508	}
1509
1510	/// Overwrites a memory location with the given value without reading or
1511	/// dropping the old value.
1512	///
1513	/// Unlike [`write()`], the pointer may be unaligned.
1514	///
1515	/// `write_unaligned` does not drop the contents of `dst`. This is safe, but it
1516	/// could leak allocations or resources, so care should be taken not to overwrite
1517	/// an object that should be dropped.
1518	///
1519	/// Additionally, it does not drop `src`. Semantically, `src` is moved into the
1520	/// location pointed to by `dst`.
1521	///
1522	/// This is appropriate for initializing uninitialized memory, or overwriting
1523	/// memory that has previously been read with [`read_unaligned`].
1524	///
1525	/// # Safety
1526	///
1527	/// Behavior is undefined if any of the following conditions are violated:
1528	///
1529	/// `dst` must be [valid] for writes.*
1530	///
1531	/// Note that even if `T` has size `0`, the pointer must be non-null.
1532	///
1533	/// [valid]: self#safety
1534	///
1535	/// ## On `packed` structs
1536	///
1537	/// Attempting to create a raw pointer to an `unaligned` struct field with
1538	/// an expression such as `&packed.unaligned as const FieldType` creates an*
1539	/// intermediate unaligned reference before converting that to a raw pointer.
1540	/// That this reference is temporary and immediately cast is inconsequential
1541	/// as the compiler always expects references to be properly aligned.
1542	/// As a result, using `&packed.unaligned as const FieldType` causes immediate*
1543	/// undefined behavior* in your program.*
1544	///
1545	/// Instead you must use the [`ptr::addr_of_mut!`](addr_of_mut)
1546	/// macro to create the pointer. You may use that returned pointer together with
1547	/// this function.
1548	///
1549	/// An example of how to do it and how this relates to `write_unaligned` is:
1550	///
1551	/// ```
1552	/// #[repr(packed, C)]
1553	/// struct Packed {
1554	/// _padding: u8,
1555	/// unaligned: u32,
1556	/// }
1557	///
1558	/// let mut packed: Packed = unsafe { std::mem::zeroed() };
1559	///
1560	/// // Take the address of a 32-bit integer which is not aligned.
1561	/// // In contrast to `&packed.unaligned as mut _`, this has no undefined behavior.*
1562	/// let unaligned = std::ptr::addr_of_mut!(packed.unaligned);
1563	///
1564	/// unsafe { std::ptr::write_unaligned(unaligned, `42`) };
1565	///
1566	/// assert_eq!({packed.unaligned}, `42`); // `{...}` forces copying the field instead of creating a reference.
1567	/// ```
1568	///
1569	/// Accessing unaligned fields directly with e.g. `packed.unaligned` is safe however
1570	/// (as can be seen in the `assert_eq!` above).
1571	///
1572	/// # Examples
1573	///
1574	/// Write a usize value to a byte buffer:
1575	///
1576	/// ```
1577	/// use std::mem;
1578	///
1579	/// fn write_usize(x: &mut [u8], val: usize) {
1580	/// assert!(x.len() >= mem::size_of::<usize>());
1581	///
1582	/// let ptr = x.as_mut_ptr() as *mut usize;
1583	///
1584	/// unsafe { ptr.write_unaligned(val) }
1585	/// }
1586	/// ```
1587	#[inline]
1588	#[stable(feature = "ptr_unaligned", since = "1.17.0")]
1589	#[rustc_const_unstable(feature = "const_ptr_write", issue = "86302")]
1590	#[rustc_diagnostic_item = "ptr_write_unaligned"]
1591	#[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
1592	pub const unsafe fn write_unaligned<T>(dst: *mut T, src: T) {
1593	// SAFETY: the caller must guarantee that `dst` is valid for writes.
1594	// `dst` cannot overlap `src` because the caller has mutable access
1595	// to `dst` while `src` is owned by this function.
1596	unsafe {
1597	copy_nonoverlapping(src:addr_of!(src) as *const u8, dst as *mut u8, count:mem::size_of::<T>());
1598	// We are calling the intrinsic directly to avoid function calls in the generated code.
1599	intrinsics::forget(src);
1600	}
1601	}
1602
1603	/// Performs a volatile read of the value from `src` without moving it. This
1604	/// leaves the memory in `src` unchanged.
1605	///
1606	/// Volatile operations are intended to act on I/O memory, and are guaranteed
1607	/// to not be elided or reordered by the compiler across other volatile
1608	/// operations.
1609	///
1610	/// # Notes
1611	///
1612	/// Rust does not currently have a rigorously and formally defined memory model,
1613	/// so the precise semantics of what "volatile" means here is subject to change
1614	/// over time. That being said, the semantics will almost always end up pretty
1615	/// similar to [C11's definition of volatile][c11].
1616	///
1617	/// The compiler shouldn't change the relative order or number of volatile
1618	/// memory operations. However, volatile memory operations on zero-sized types
1619	/// (e.g., if a zero-sized type is passed to `read_volatile`) are noops
1620	/// and may be ignored.
1621	///
1622	/// [c11]: http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1570.pdf
1623	///
1624	/// # Safety
1625	///
1626	/// Behavior is undefined if any of the following conditions are violated:
1627	///
1628	/// `src` must be [valid] for reads.*
1629	///
1630	/// `src` must be properly aligned.*
1631	///
1632	/// `src` must point to a properly initialized value of type `T`.*
1633	///
1634	/// Like [`read`], `read_volatile` creates a bitwise copy of `T`, regardless of
1635	/// whether `T` is [`Copy`]. If `T` is not [`Copy`], using both the returned
1636	/// value and the value at `src` can [violate memory safety][read-ownership].*
1637	/// However, storing non-[`Copy`] types in volatile memory is almost certainly
1638	/// incorrect.
1639	///
1640	/// Note that even if `T` has size `0`, the pointer must be non-null and properly aligned.
1641	///
1642	/// [valid]: self#safety
1643	/// [read-ownership]: read#ownership-of-the-returned-value
1644	///
1645	/// Just like in C, whether an operation is volatile has no bearing whatsoever
1646	/// on questions involving concurrent access from multiple threads. Volatile
1647	/// accesses behave exactly like non-atomic accesses in that regard. In particular,
1648	/// a race between a `read_volatile` and any write operation to the same location
1649	/// is undefined behavior.
1650	///
1651	/// # Examples
1652	///
1653	/// Basic usage:
1654	///
1655	/// ```
1656	/// let x = `12`;
1657	/// let y = &x as *const i32;
1658	///
1659	/// unsafe {
1660	/// assert_eq!(std::ptr::read_volatile(y), `12`);
1661	/// }
1662	/// ```
1663	#[inline]
1664	#[stable(feature = "volatile", since = "1.9.0")]
1665	#[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
1666	#[rustc_diagnostic_item = "ptr_read_volatile"]
1667	pub unsafe fn read_volatile<T>(src: *const T) -> T {
1668	// SAFETY: the caller must uphold the safety contract for `volatile_load`.
1669	unsafe {
1670	ub_checks::assert_unsafe_precondition!(
1671	check_language_ub,
1672	"ptr::read_volatile requires that the pointer argument is aligned and non-null",
1673	(
1674	addr: *const () = src as *const (),
1675	align: usize = align_of::<T>(),
1676	) => ub_checks::is_aligned_and_not_null(addr, align)
1677	);
1678	intrinsics::volatile_load(src)
1679	}
1680	}
1681
1682	/// Performs a volatile write of a memory location with the given value without
1683	/// reading or dropping the old value.
1684	///
1685	/// Volatile operations are intended to act on I/O memory, and are guaranteed
1686	/// to not be elided or reordered by the compiler across other volatile
1687	/// operations.
1688	///
1689	/// `write_volatile` does not drop the contents of `dst`. This is safe, but it
1690	/// could leak allocations or resources, so care should be taken not to overwrite
1691	/// an object that should be dropped.
1692	///
1693	/// Additionally, it does not drop `src`. Semantically, `src` is moved into the
1694	/// location pointed to by `dst`.
1695	///
1696	/// # Notes
1697	///
1698	/// Rust does not currently have a rigorously and formally defined memory model,
1699	/// so the precise semantics of what "volatile" means here is subject to change
1700	/// over time. That being said, the semantics will almost always end up pretty
1701	/// similar to [C11's definition of volatile][c11].
1702	///
1703	/// The compiler shouldn't change the relative order or number of volatile
1704	/// memory operations. However, volatile memory operations on zero-sized types
1705	/// (e.g., if a zero-sized type is passed to `write_volatile`) are noops
1706	/// and may be ignored.
1707	///
1708	/// [c11]: http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1570.pdf
1709	///
1710	/// # Safety
1711	///
1712	/// Behavior is undefined if any of the following conditions are violated:
1713	///
1714	/// `dst` must be [valid] for writes.*
1715	///
1716	/// `dst` must be properly aligned.*
1717	///
1718	/// Note that even if `T` has size `0`, the pointer must be non-null and properly aligned.
1719	///
1720	/// [valid]: self#safety
1721	///
1722	/// Just like in C, whether an operation is volatile has no bearing whatsoever
1723	/// on questions involving concurrent access from multiple threads. Volatile
1724	/// accesses behave exactly like non-atomic accesses in that regard. In particular,
1725	/// a race between a `write_volatile` and any other operation (reading or writing)
1726	/// on the same location is undefined behavior.
1727	///
1728	/// # Examples
1729	///
1730	/// Basic usage:
1731	///
1732	/// ```
1733	/// let mut x = `0`;
1734	/// let y = &mut x as *mut i32;
1735	/// let z = `12`;
1736	///
1737	/// unsafe {
1738	/// std::ptr::write_volatile(y, z);
1739	/// assert_eq!(std::ptr::read_volatile(y), `12`);
1740	/// }
1741	/// ```
1742	#[inline]
1743	#[stable(feature = "volatile", since = "1.9.0")]
1744	#[rustc_diagnostic_item = "ptr_write_volatile"]
1745	#[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
1746	pub unsafe fn write_volatile<T>(dst: *mut T, src: T) {
1747	// SAFETY: the caller must uphold the safety contract for `volatile_store`.
1748	unsafe {
1749	ub_checks::assert_unsafe_precondition!(
1750	check_language_ub,
1751	"ptr::write_volatile requires that the pointer argument is aligned and non-null",
1752	(
1753	addr: *mut () = dst as *mut (),
1754	align: usize = align_of::<T>(),
1755	) => ub_checks::is_aligned_and_not_null(addr, align)
1756	);
1757	intrinsics::volatile_store(dst, val:src);
1758	}
1759	}
1760
1761	/// Align pointer `p`.
1762	///
1763	/// Calculate offset (in terms of elements of `size_of::<T>()` stride) that has to be applied
1764	/// to pointer `p` so that pointer `p` would get aligned to `a`.
1765	///
1766	/// # Safety
1767	/// `a` must be a power of two.
1768	///
1769	/// # Notes
1770	/// This implementation has been carefully tailored to not panic. It is UB for this to panic.
1771	/// The only real change that can be made here is change of `INV_TABLE_MOD_16` and associated
1772	/// constants.
1773	///
1774	/// If we ever decide to make it possible to call the intrinsic with `a` that is not a
1775	/// power-of-two, it will probably be more prudent to just change to a naive implementation rather
1776	/// than trying to adapt this to accommodate that change.
1777	///
1778	/// Any questions go to @nagisa.
1779	#[lang = "align_offset"]
1780	pub(crate) const unsafe fn align_offset<T: Sized>(p: *const T, a: usize) -> usize {
1781	// FIXME(#75598): Direct use of these intrinsics improves codegen significantly at opt-level <=
1782	// 1, where the method versions of these operations are not inlined.
1783	use intrinsics::{
1784	assume, cttz_nonzero, exact_div, mul_with_overflow, unchecked_rem, unchecked_sub,
1785	wrapping_add, wrapping_mul, wrapping_sub,
1786	};
1787	#[cfg(bootstrap)]
1788	const unsafe fn unchecked_shl(value: usize, shift: usize) -> usize {
1789	value << shift
1790	}
1791	#[cfg(bootstrap)]
1792	const unsafe fn unchecked_shr(value: usize, shift: usize) -> usize {
1793	value >> shift
1794	}
1795	#[cfg(not(bootstrap))]
1796	use intrinsics::{unchecked_shl, unchecked_shr};
1797
1798	/// Calculate multiplicative modular inverse of `x` modulo `m`.
1799	///
1800	/// This implementation is tailored for `align_offset` and has following preconditions:
1801	///
1802	/// `m` is a power-of-two;*
1803	/// `x < m`; (if `x ≥ m`, pass in `x % m` instead)*
1804	///
1805	/// Implementation of this function shall not panic. Ever.
1806	#[inline]
1807	const unsafe fn mod_inv(x: usize, m: usize) -> usize {
1808	/// Multiplicative modular inverse table modulo 2⁴ = 16.
1809	///
1810	/// Note, that this table does not contain values where inverse does not exist (i.e., for
1811	/// `0⁻¹ mod 16`, `2⁻¹ mod 16`, etc.)
1812	const INV_TABLE_MOD_16: [u8; `8`] = [`1`, `11`, `13`, `7`, `9`, `3`, `5`, `15`];
1813	/// Modulo for which the `INV_TABLE_MOD_16` is intended.
1814	const INV_TABLE_MOD: usize = `16`;
1815
1816	// SAFETY: `m` is required to be a power-of-two, hence non-zero.
1817	let m_minus_one = unsafe { unchecked_sub(m, `1`) };
1818	let mut inverse = INV_TABLE_MOD_16[(x & (INV_TABLE_MOD - `1`)) >> `1`] as usize;
1819	let mut mod_gate = INV_TABLE_MOD;
1820	// We iterate "up" using the following formula:
1821	//
1822	// $$ xy ≡ 1 (mod 2ⁿ) → xy (2 - xy) ≡ 1 (mod 2²ⁿ) $$
1823	//
1824	// This application needs to be applied at least until `2²ⁿ ≥ m`, at which point we can
1825	// finally reduce the computation to our desired `m` by taking `inverse mod m`.
1826	//
1827	// This computation is `O(log log m)`, which is to say, that on 64-bit machines this loop
1828	// will always finish in at most 4 iterations.
1829	loop {
1830	// y = y (2 - xy) mod n*
1831	//
1832	// Note, that we use wrapping operations here intentionally – the original formula
1833	// uses e.g., subtraction `mod n`. It is entirely fine to do them `mod
1834	// usize::MAX` instead, because we take the result `mod n` at the end
1835	// anyway.
1836	if mod_gate >= m {
1837	break;
1838	}
1839	inverse = wrapping_mul(inverse, wrapping_sub(`2usize`, wrapping_mul(x, inverse)));
1840	let (new_gate, overflow) = mul_with_overflow(mod_gate, mod_gate);
1841	if overflow {
1842	break;
1843	}
1844	mod_gate = new_gate;
1845	}
1846	inverse & m_minus_one
1847	}
1848
1849	let stride = mem::size_of::<T>();
1850
1851	// SAFETY: This is just an inlined `p.addr()` (which is not
1852	// a `const fn` so we cannot call it).
1853	// During const eval, we hook this function to ensure that the pointer never
1854	// has provenance, making this sound.
1855	let addr: usize = unsafe { mem::transmute(p) };
1856
1857	// SAFETY: `a` is a power-of-two, therefore non-zero.
1858	let a_minus_one = unsafe { unchecked_sub(a, `1`) };
1859
1860	if stride == `0` {
1861	// SPECIAL_CASE: handle 0-sized types. No matter how many times we step, the address will
1862	// stay the same, so no offset will be able to align the pointer unless it is already
1863	// aligned. This branch _will_ be optimized out as `stride` is known at compile-time.
1864	let p_mod_a = addr & a_minus_one;
1865	return if p_mod_a == `0` { `0` } else { usize::MAX };
1866	}
1867
1868	// SAFETY: `stride == 0` case has been handled by the special case above.
1869	let a_mod_stride = unsafe { unchecked_rem(a, stride) };
1870	if a_mod_stride == `0` {
1871	// SPECIAL_CASE: In cases where the `a` is divisible by `stride`, byte offset to align a
1872	// pointer can be computed more simply through `-p (mod a)`. In the off-chance the byte
1873	// offset is not a multiple of `stride`, the input pointer was misaligned and no pointer
1874	// offset will be able to produce a `p` aligned to the specified `a`.
1875	//
1876	// The naive `-p (mod a)` equation inhibits LLVM's ability to select instructions
1877	// like `lea`. We compute `(round_up_to_next_alignment(p, a) - p)` instead. This
1878	// redistributes operations around the load-bearing, but pessimizing `and` instruction
1879	// sufficiently for LLVM to be able to utilize the various optimizations it knows about.
1880	//
1881	// LLVM handles the branch here particularly nicely. If this branch needs to be evaluated
1882	// at runtime, it will produce a mask `if addr_mod_stride == 0 { 0 } else { usize::MAX }`
1883	// in a branch-free way and then bitwise-OR it with whatever result the `-p mod a`
1884	// computation produces.
1885
1886	let aligned_address = wrapping_add(addr, a_minus_one) & wrapping_sub(`0`, a);
1887	let byte_offset = wrapping_sub(aligned_address, addr);
1888	// FIXME: Remove the assume after <https://github.com/llvm/llvm-project/issues/62502>
1889	// SAFETY: Masking by `-a` can only affect the low bits, and thus cannot have reduced
1890	// the value by more than `a-1`, so even though the intermediate values might have
1891	// wrapped, the byte_offset is always in `[0, a)`.
1892	unsafe { assume(byte_offset < a) };
1893
1894	// SAFETY: `stride == 0` case has been handled by the special case above.
1895	let addr_mod_stride = unsafe { unchecked_rem(addr, stride) };
1896
1897	return if addr_mod_stride == `0` {
1898	// SAFETY: `stride` is non-zero. This is guaranteed to divide exactly as well, because
1899	// addr has been verified to be aligned to the original type’s alignment requirements.
1900	unsafe { exact_div(byte_offset, stride) }
1901	} else {
1902	usize::MAX
1903	};
1904	}
1905
1906	// GENERAL_CASE: From here on we’re handling the very general case where `addr` may be
1907	// misaligned, there isn’t an obvious relationship between `stride` and `a` that we can take an
1908	// advantage of, etc. This case produces machine code that isn’t particularly high quality,
1909	// compared to the special cases above. The code produced here is still within the realm of
1910	// miracles, given the situations this case has to deal with.
1911
1912	// SAFETY: a is power-of-two hence non-zero. stride == 0 case is handled above.
1913	// FIXME(const-hack) replace with min
1914	let gcdpow = unsafe {
1915	let x = cttz_nonzero(stride);
1916	let y = cttz_nonzero(a);
1917	if x < y { x } else { y }
1918	};
1919	// SAFETY: gcdpow has an upper-bound that’s at most the number of bits in a usize.
1920	let gcd = unsafe { unchecked_shl(`1usize`, gcdpow) };
1921	// SAFETY: gcd is always greater or equal to 1.
1922	if addr & unsafe { unchecked_sub(gcd, `1`) } == `0` {
1923	// This branch solves for the following linear congruence equation:
1924	//
1925	// ` p + so = 0 mod a `
1926	//
1927	// `p` here is the pointer value, `s` - stride of `T`, `o` offset in `T`s, and `a` - the
1928	// requested alignment.
1929	//
1930	// With `g = gcd(a, s)`, and the above condition asserting that `p` is also divisible by
1931	// `g`, we can denote `a' = a/g`, `s' = s/g`, `p' = p/g`, then this becomes equivalent to:
1932	//
1933	// ` p' + s'o = 0 mod a' `
1934	// ` o = (a' - (p' mod a')) (s'^-1 mod a') `*
1935	//
1936	// The first term is "the relative alignment of `p` to `a`" (divided by the `g`), the
1937	// second term is "how does incrementing `p` by `s` bytes change the relative alignment of
1938	// `p`" (again divided by `g`). Division by `g` is necessary to make the inverse well
1939	// formed if `a` and `s` are not co-prime.
1940	//
1941	// Furthermore, the result produced by this solution is not "minimal", so it is necessary
1942	// to take the result `o mod lcm(s, a)`. This `lcm(s, a)` is the same as `a'`.
1943
1944	// SAFETY: `gcdpow` has an upper-bound not greater than the number of trailing 0-bits in
1945	// `a`.
1946	let a2 = unsafe { unchecked_shr(a, gcdpow) };
1947	// SAFETY: `a2` is non-zero. Shifting `a` by `gcdpow` cannot shift out any of the set bits
1948	// in `a` (of which it has exactly one).
1949	let a2minus1 = unsafe { unchecked_sub(a2, `1`) };
1950	// SAFETY: `gcdpow` has an upper-bound not greater than the number of trailing 0-bits in
1951	// `a`.
1952	let s2 = unsafe { unchecked_shr(stride & a_minus_one, gcdpow) };
1953	// SAFETY: `gcdpow` has an upper-bound not greater than the number of trailing 0-bits in
1954	// `a`. Furthermore, the subtraction cannot overflow, because `a2 = a >> gcdpow` will
1955	// always be strictly greater than `(p % a) >> gcdpow`.
1956	let minusp2 = unsafe { unchecked_sub(a2, unchecked_shr(addr & a_minus_one, gcdpow)) };
1957	// SAFETY: `a2` is a power-of-two, as proven above. `s2` is strictly less than `a2`
1958	// because `(s % a) >> gcdpow` is strictly less than `a >> gcdpow`.
1959	return wrapping_mul(minusp2, unsafe { mod_inv(s2, a2) }) & a2minus1;
1960	}
1961
1962	// Cannot be aligned at all.
1963	usize::MAX
1964	}
1965
1966	/// Compares raw pointers for equality.
1967	///
1968	/// This is the same as using the `==` operator, but less generic:
1969	/// the arguments have to be `const T` raw pointers,*
1970	/// not anything that implements `PartialEq`.
1971	///
1972	/// This can be used to compare `&T` references (which coerce to `const T` implicitly)*
1973	/// by their address rather than comparing the values they point to
1974	/// (which is what the `PartialEq for &T` implementation does).
1975	///
1976	/// When comparing wide pointers, both the address and the metadata are tested for equality.
1977	/// However, note that comparing trait object pointers (`const dyn Trait`) is unreliable: pointers*
1978	/// to values of the same underlying type can compare inequal (because vtables are duplicated in
1979	/// multiple codegen units), and pointers to values of different* underlying type can compare equal*
1980	/// (since identical vtables can be deduplicated within a codegen unit).
1981	///
1982	/// # Examples
1983	///
1984	/// ```
1985	/// use std::ptr;
1986	///
1987	/// let five = `5`;
1988	/// let other_five = `5`;
1989	/// let five_ref = &five;
1990	/// let same_five_ref = &five;
1991	/// let other_five_ref = &other_five;
1992	///
1993	/// assert!(five_ref == same_five_ref);
1994	/// assert!(ptr::eq(five_ref, same_five_ref));
1995	///
1996	/// assert!(five_ref == other_five_ref);
1997	/// assert!(!ptr::eq(five_ref, other_five_ref));
1998	/// ```
1999	///
2000	/// Slices are also compared by their length (fat pointers):
2001	///
2002	/// ```
2003	/// let a = [`1`, `2`, `3`];
2004	/// assert!(std::ptr::eq(&a[..`3`], &a[..`3`]));
2005	/// assert!(!std::ptr::eq(&a[..`2`], &a[..`3`]));
2006	/// assert!(!std::ptr::eq(&a[`0`..`2`], &a[`1`..`3`]));
2007	/// ```
2008	#[stable(feature = "ptr_eq", since = "1.17.0")]
2009	#[inline(always)]
2010	#[must_use = "pointer comparison produces a value"]
2011	#[rustc_diagnostic_item = "ptr_eq"]
2012	#[allow(ambiguous_wide_pointer_comparisons)] // it's actually clear here
2013	pub fn eq<T: ?Sized>(a: *const T, b: *const T) -> bool {
2014	a == b
2015	}
2016
2017	/// Compares the addresses* of the two pointers for equality,*
2018	/// ignoring any metadata in fat pointers.
2019	///
2020	/// If the arguments are thin pointers of the same type,
2021	/// then this is the same as [`eq`].
2022	///
2023	/// # Examples
2024	///
2025	/// ```
2026	/// use std::ptr;
2027	///
2028	/// let whole: &[i32; `3`] = &[`1`, `2`, `3`];
2029	/// let first: &i32 = &whole[`0`];
2030	///
2031	/// assert!(ptr::addr_eq(whole, first));
2032	/// assert!(!ptr::eq::<dyn std::fmt::Debug>(whole, first));
2033	/// ```
2034	#[stable(feature = "ptr_addr_eq", since = "1.76.0")]
2035	#[inline(always)]
2036	#[must_use = "pointer comparison produces a value"]
2037	pub fn addr_eq<T: ?Sized, U: ?Sized>(p: *const T, q: *const U) -> bool {
2038	(p as *const ()) == (q as *const ())
2039	}
2040
2041	/// Hash a raw pointer.
2042	///
2043	/// This can be used to hash a `&T` reference (which coerces to `const T` implicitly)*
2044	/// by its address rather than the value it points to
2045	/// (which is what the `Hash for &T` implementation does).
2046	///
2047	/// # Examples
2048	///
2049	/// ```
2050	/// use std::hash::{DefaultHasher, Hash, Hasher};
2051	/// use std::ptr;
2052	///
2053	/// let five = `5`;
2054	/// let five_ref = &five;
2055	///
2056	/// let mut hasher = DefaultHasher::new();
2057	/// ptr::hash(five_ref, &mut hasher);
2058	/// let actual = hasher.finish();
2059	///
2060	/// let mut hasher = DefaultHasher::new();
2061	/// (five_ref as *const i32).hash(&mut hasher);
2062	/// let expected = hasher.finish();
2063	///
2064	/// assert_eq!(actual, expected);
2065	/// ```
2066	#[stable(feature = "ptr_hash", since = "1.35.0")]
2067	pub fn hash<T: ?Sized, S: hash::Hasher>(hashee: *const T, into: &mut S) {
2068	use crate::hash::Hash;
2069	hashee.hash(state:into);
2070	}
2071
2072	#[stable(feature = "fnptr_impls", since = "1.4.0")]
2073	impl<F: FnPtr> PartialEq for F {
2074	#[inline]
2075	fn eq(&self, other: &Self) -> bool {
2076	self.addr() == other.addr()
2077	}
2078	}
2079	#[stable(feature = "fnptr_impls", since = "1.4.0")]
2080	impl<F: FnPtr> Eq for F {}
2081
2082	#[stable(feature = "fnptr_impls", since = "1.4.0")]
2083	impl<F: FnPtr> PartialOrd for F {
2084	#[inline]
2085	fn partial_cmp(&self, other: &Self) -> Option<Ordering> {
2086	self.addr().partial_cmp(&other.addr())
2087	}
2088	}
2089	#[stable(feature = "fnptr_impls", since = "1.4.0")]
2090	impl<F: FnPtr> Ord for F {
2091	#[inline]
2092	fn cmp(&self, other: &Self) -> Ordering {
2093	self.addr().cmp(&other.addr())
2094	}
2095	}
2096
2097	#[stable(feature = "fnptr_impls", since = "1.4.0")]
2098	impl<F: FnPtr> hash::Hash for F {
2099	fn hash<HH: hash::Hasher>(&self, state: &mut HH) {
2100	state.write_usize(self.addr() as _)
2101	}
2102	}
2103
2104	#[stable(feature = "fnptr_impls", since = "1.4.0")]
2105	impl<F: FnPtr> fmt::Pointer for F {
2106	fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
2107	fmt::pointer_fmt_inner(self.addr() as _, f)
2108	}
2109	}
2110
2111	#[stable(feature = "fnptr_impls", since = "1.4.0")]
2112	impl<F: FnPtr> fmt::Debug for F {
2113	fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
2114	fmt::pointer_fmt_inner(self.addr() as _, f)
2115	}
2116	}
2117
2118	/// Create a `const` raw pointer to a place, without creating an intermediate reference.
2119	///
2120	/// Creating a reference with `&`/`&mut` is only allowed if the pointer is properly aligned
2121	/// and points to initialized data. For cases where those requirements do not hold,
2122	/// raw pointers should be used instead. However, `&expr as const _` creates a reference*
2123	/// before casting it to a raw pointer, and that reference is subject to the same rules
2124	/// as all other references. This macro can create a raw pointer without* creating*
2125	/// a reference first.
2126	///
2127	/// See [`addr_of_mut`] for how to create a pointer to uninitialized data.
2128	/// Doing that with `addr_of` would not make much sense since one could only
2129	/// read the data, and that would be Undefined Behavior.
2130	///
2131	/// # Safety
2132	///
2133	/// The `expr` in `addr_of!(expr)` is evaluated as a place expression, but never loads from the
2134	/// place or requires the place to be dereferenceable. This means that `addr_of!((ptr).field)`*
2135	/// still requires the projection to `field` to be in-bounds, using the same rules as [`offset`].
2136	/// However, `addr_of!(ptr)` is defined behavior even if `ptr` is null, dangling, or misaligned.*
2137	///
2138	/// Note that `Deref`/`Index` coercions (and their mutable counterparts) are applied inside
2139	/// `addr_of!` like everywhere else, in which case a reference is created to call `Deref::deref` or
2140	/// `Index::index`, respectively. The statements above only apply when no such coercions are
2141	/// applied.
2142	///
2143	/// [`offset`]: pointer::offset
2144	///
2145	/// # Example
2146	///
2147	/// Correct usage: Creating a pointer to unaligned data
2148	///
2149	/// ```
2150	/// use std::ptr;
2151	///
2152	/// #[repr(packed)]
2153	/// struct Packed {
2154	/// f1: u8,
2155	/// f2: u16,
2156	/// }
2157	///
2158	/// let packed = Packed { f1: `1`, f2: `2` };
2159	/// // `&packed.f2` would create an unaligned reference, and thus be Undefined Behavior!
2160	/// let raw_f2 = ptr::addr_of!(packed.f2);
2161	/// assert_eq!(unsafe { raw_f2.read_unaligned() }, `2`);
2162	/// ```
2163	///
2164	/// Incorrect usage: Out-of-bounds fields projection
2165	///
2166	/// ```rust,no_run
2167	/// use std::ptr;
2168	///
2169	/// #[repr(C)]
2170	/// struct MyStruct {
2171	/// field1: i32,
2172	/// field2: i32,
2173	/// }
2174	///
2175	/// let ptr: *const MyStruct = ptr::null();
2176	/// let fieldptr = unsafe { ptr::addr_of!((ptr).field2) }; // Undefined Behavior ⚠️*
2177	/// ```
2178	///
2179	/// The field projection `.field2` would offset the pointer by 4 bytes,
2180	/// but the pointer is not in-bounds of an allocation for 4 bytes,
2181	/// so this offset is Undefined Behavior.
2182	/// See the [`offset`] docs for a full list of requirements for inbounds pointer arithmetic; the
2183	/// same requirements apply to field projections, even inside `addr_of!`. (In particular, it makes
2184	/// no difference whether the pointer is null or dangling.)
2185	#[stable(feature = "raw_ref_macros", since = "1.51.0")]
2186	#[rustc_macro_transparency = "semitransparent"]
2187	#[allow_internal_unstable(raw_ref_op)]
2188	pub macro addr_of($place:expr) {
2189	&raw const $place
2190	}
2191
2192	/// Create a `mut` raw pointer to a place, without creating an intermediate reference.
2193	///
2194	/// Creating a reference with `&`/`&mut` is only allowed if the pointer is properly aligned
2195	/// and points to initialized data. For cases where those requirements do not hold,
2196	/// raw pointers should be used instead. However, `&mut expr as mut _` creates a reference*
2197	/// before casting it to a raw pointer, and that reference is subject to the same rules
2198	/// as all other references. This macro can create a raw pointer without* creating*
2199	/// a reference first.
2200	///
2201	/// # Safety
2202	///
2203	/// The `expr` in `addr_of_mut!(expr)` is evaluated as a place expression, but never loads from the
2204	/// place or requires the place to be dereferenceable. This means that `addr_of_mut!((ptr).field)`*
2205	/// still requires the projection to `field` to be in-bounds, using the same rules as [`offset`].
2206	/// However, `addr_of_mut!(ptr)` is defined behavior even if `ptr` is null, dangling, or misaligned.*
2207	///
2208	/// Note that `Deref`/`Index` coercions (and their mutable counterparts) are applied inside
2209	/// `addr_of_mut!` like everywhere else, in which case a reference is created to call `Deref::deref`
2210	/// or `Index::index`, respectively. The statements above only apply when no such coercions are
2211	/// applied.
2212	///
2213	/// [`offset`]: pointer::offset
2214	///
2215	/// # Examples
2216	///
2217	/// Correct usage: Creating a pointer to unaligned data
2218	///
2219	/// ```
2220	/// use std::ptr;
2221	///
2222	/// #[repr(packed)]
2223	/// struct Packed {
2224	/// f1: u8,
2225	/// f2: u16,
2226	/// }
2227	///
2228	/// let mut packed = Packed { f1: `1`, f2: `2` };
2229	/// // `&mut packed.f2` would create an unaligned reference, and thus be Undefined Behavior!
2230	/// let raw_f2 = ptr::addr_of_mut!(packed.f2);
2231	/// unsafe { raw_f2.write_unaligned(`42`); }
2232	/// assert_eq!({packed.f2}, `42`); // `{...}` forces copying the field instead of creating a reference.
2233	/// ```
2234	///
2235	/// Correct usage: Creating a pointer to uninitialized data
2236	///
2237	/// ```rust
2238	/// use std::{ptr, mem::MaybeUninit};
2239	///
2240	/// struct Demo {
2241	/// field: bool,
2242	/// }
2243	///
2244	/// let mut uninit = MaybeUninit::<Demo>::uninit();
2245	/// // `&uninit.as_mut().field` would create a reference to an uninitialized `bool`,
2246	/// // and thus be Undefined Behavior!
2247	/// let f1_ptr = unsafe { ptr::addr_of_mut!((*uninit.as_mut_ptr()).field) };
2248	/// unsafe { f1_ptr.write(`true`); }
2249	/// let init = unsafe { uninit.assume_init() };
2250	/// ```
2251	///
2252	/// Incorrect usage: Out-of-bounds fields projection
2253	///
2254	/// ```rust,no_run
2255	/// use std::ptr;
2256	///
2257	/// #[repr(C)]
2258	/// struct MyStruct {
2259	/// field1: i32,
2260	/// field2: i32,
2261	/// }
2262	///
2263	/// let ptr: *mut MyStruct = ptr::null_mut();
2264	/// let fieldptr = unsafe { ptr::addr_of_mut!((ptr).field2) }; // Undefined Behavior ⚠️*
2265	/// ```
2266	///
2267	/// The field projection `.field2` would offset the pointer by 4 bytes,
2268	/// but the pointer is not in-bounds of an allocation for 4 bytes,
2269	/// so this offset is Undefined Behavior.
2270	/// See the [`offset`] docs for a full list of requirements for inbounds pointer arithmetic; the
2271	/// same requirements apply to field projections, even inside `addr_of_mut!`. (In particular, it
2272	/// makes no difference whether the pointer is null or dangling.)
2273	#[stable(feature = "raw_ref_macros", since = "1.51.0")]
2274	#[rustc_macro_transparency = "semitransparent"]
2275	#[allow_internal_unstable(raw_ref_op)]
2276	pub macro addr_of_mut($place:expr) {
2277	&raw mut $place
2278	}
2279