1 | use crate::cmp::Ordering; |
2 | use crate::marker::Unsize; |
3 | use crate::mem::{MaybeUninit, SizedTypeProperties}; |
4 | use crate::num::NonZero; |
5 | use crate::ops::{CoerceUnsized, DispatchFromDyn}; |
6 | use crate::pin::PinCoerceUnsized; |
7 | use crate::ptr::Unique; |
8 | use crate::slice::{self, SliceIndex}; |
9 | use crate::ub_checks::assert_unsafe_precondition; |
10 | use crate::{fmt, hash, intrinsics, mem, ptr}; |
11 | |
12 | /// `*mut T` but non-zero and [covariant]. |
13 | /// |
14 | /// This is often the correct thing to use when building data structures using |
15 | /// raw pointers, but is ultimately more dangerous to use because of its additional |
16 | /// properties. If you're not sure if you should use `NonNull<T>`, just use `*mut T`! |
17 | /// |
18 | /// Unlike `*mut T`, the pointer must always be non-null, even if the pointer |
19 | /// is never dereferenced. This is so that enums may use this forbidden value |
20 | /// as a discriminant -- `Option<NonNull<T>>` has the same size as `*mut T`. |
21 | /// However the pointer may still dangle if it isn't dereferenced. |
22 | /// |
23 | /// Unlike `*mut T`, `NonNull<T>` was chosen to be covariant over `T`. This makes it |
24 | /// possible to use `NonNull<T>` when building covariant types, but introduces the |
25 | /// risk of unsoundness if used in a type that shouldn't actually be covariant. |
26 | /// (The opposite choice was made for `*mut T` even though technically the unsoundness |
27 | /// could only be caused by calling unsafe functions.) |
28 | /// |
29 | /// Covariance is correct for most safe abstractions, such as `Box`, `Rc`, `Arc`, `Vec`, |
30 | /// and `LinkedList`. This is the case because they provide a public API that follows the |
31 | /// normal shared XOR mutable rules of Rust. |
32 | /// |
33 | /// If your type cannot safely be covariant, you must ensure it contains some |
34 | /// additional field to provide invariance. Often this field will be a [`PhantomData`] |
35 | /// type like `PhantomData<Cell<T>>` or `PhantomData<&'a mut T>`. |
36 | /// |
37 | /// Notice that `NonNull<T>` has a `From` instance for `&T`. However, this does |
38 | /// not change the fact that mutating through a (pointer derived from a) shared |
39 | /// reference is undefined behavior unless the mutation happens inside an |
40 | /// [`UnsafeCell<T>`]. The same goes for creating a mutable reference from a shared |
41 | /// reference. When using this `From` instance without an `UnsafeCell<T>`, |
42 | /// it is your responsibility to ensure that `as_mut` is never called, and `as_ptr` |
43 | /// is never used for mutation. |
44 | /// |
45 | /// # Representation |
46 | /// |
47 | /// Thanks to the [null pointer optimization], |
48 | /// `NonNull<T>` and `Option<NonNull<T>>` |
49 | /// are guaranteed to have the same size and alignment: |
50 | /// |
51 | /// ``` |
52 | /// use std::ptr::NonNull; |
53 | /// |
54 | /// assert_eq!(size_of::<NonNull<i16>>(), size_of::<Option<NonNull<i16>>>()); |
55 | /// assert_eq!(align_of::<NonNull<i16>>(), align_of::<Option<NonNull<i16>>>()); |
56 | /// |
57 | /// assert_eq!(size_of::<NonNull<str>>(), size_of::<Option<NonNull<str>>>()); |
58 | /// assert_eq!(align_of::<NonNull<str>>(), align_of::<Option<NonNull<str>>>()); |
59 | /// ``` |
60 | /// |
61 | /// [covariant]: https://doc.rust-lang.org/reference/subtyping.html |
62 | /// [`PhantomData`]: crate::marker::PhantomData |
63 | /// [`UnsafeCell<T>`]: crate::cell::UnsafeCell |
64 | /// [null pointer optimization]: crate::option#representation |
65 | #[stable (feature = "nonnull" , since = "1.25.0" )] |
66 | #[repr (transparent)] |
67 | #[rustc_layout_scalar_valid_range_start (1)] |
68 | #[rustc_nonnull_optimization_guaranteed ] |
69 | #[rustc_diagnostic_item = "NonNull" ] |
70 | pub struct NonNull<T: ?Sized> { |
71 | // Remember to use `.as_ptr()` instead of `.pointer`, as field projecting to |
72 | // this is banned by <https://github.com/rust-lang/compiler-team/issues/807>. |
73 | pointer: *const T, |
74 | } |
75 | |
76 | /// `NonNull` pointers are not `Send` because the data they reference may be aliased. |
77 | // N.B., this impl is unnecessary, but should provide better error messages. |
78 | #[stable (feature = "nonnull" , since = "1.25.0" )] |
79 | impl<T: ?Sized> !Send for NonNull<T> {} |
80 | |
81 | /// `NonNull` pointers are not `Sync` because the data they reference may be aliased. |
82 | // N.B., this impl is unnecessary, but should provide better error messages. |
83 | #[stable (feature = "nonnull" , since = "1.25.0" )] |
84 | impl<T: ?Sized> !Sync for NonNull<T> {} |
85 | |
86 | impl<T: Sized> NonNull<T> { |
87 | /// Creates a pointer with the given address and no [provenance][crate::ptr#provenance]. |
88 | /// |
89 | /// For more details, see the equivalent method on a raw pointer, [`ptr::without_provenance_mut`]. |
90 | /// |
91 | /// This is a [Strict Provenance][crate::ptr#strict-provenance] API. |
92 | #[stable (feature = "nonnull_provenance" , since = "CURRENT_RUSTC_VERSION" )] |
93 | #[rustc_const_stable (feature = "nonnull_provenance" , since = "CURRENT_RUSTC_VERSION" )] |
94 | #[must_use ] |
95 | #[inline ] |
96 | pub const fn without_provenance(addr: NonZero<usize>) -> Self { |
97 | let pointer = crate::ptr::without_provenance(addr.get()); |
98 | // SAFETY: we know `addr` is non-zero. |
99 | unsafe { NonNull { pointer } } |
100 | } |
101 | |
102 | /// Creates a new `NonNull` that is dangling, but well-aligned. |
103 | /// |
104 | /// This is useful for initializing types which lazily allocate, like |
105 | /// `Vec::new` does. |
106 | /// |
107 | /// Note that the pointer value may potentially represent a valid pointer to |
108 | /// a `T`, which means this must not be used as a "not yet initialized" |
109 | /// sentinel value. Types that lazily allocate must track initialization by |
110 | /// some other means. |
111 | /// |
112 | /// # Examples |
113 | /// |
114 | /// ``` |
115 | /// use std::ptr::NonNull; |
116 | /// |
117 | /// let ptr = NonNull::<u32>::dangling(); |
118 | /// // Important: don't try to access the value of `ptr` without |
119 | /// // initializing it first! The pointer is not null but isn't valid either! |
120 | /// ``` |
121 | #[stable (feature = "nonnull" , since = "1.25.0" )] |
122 | #[rustc_const_stable (feature = "const_nonnull_dangling" , since = "1.36.0" )] |
123 | #[must_use ] |
124 | #[inline ] |
125 | pub const fn dangling() -> Self { |
126 | let align = crate::ptr::Alignment::of::<T>(); |
127 | NonNull::without_provenance(align.as_nonzero()) |
128 | } |
129 | |
130 | /// Converts an address back to a mutable pointer, picking up some previously 'exposed' |
131 | /// [provenance][crate::ptr#provenance]. |
132 | /// |
133 | /// For more details, see the equivalent method on a raw pointer, [`ptr::with_exposed_provenance_mut`]. |
134 | /// |
135 | /// This is an [Exposed Provenance][crate::ptr#exposed-provenance] API. |
136 | #[stable (feature = "nonnull_provenance" , since = "CURRENT_RUSTC_VERSION" )] |
137 | #[inline ] |
138 | pub fn with_exposed_provenance(addr: NonZero<usize>) -> Self { |
139 | // SAFETY: we know `addr` is non-zero. |
140 | unsafe { |
141 | let ptr = crate::ptr::with_exposed_provenance_mut(addr.get()); |
142 | NonNull::new_unchecked(ptr) |
143 | } |
144 | } |
145 | |
146 | /// Returns a shared references to the value. In contrast to [`as_ref`], this does not require |
147 | /// that the value has to be initialized. |
148 | /// |
149 | /// For the mutable counterpart see [`as_uninit_mut`]. |
150 | /// |
151 | /// [`as_ref`]: NonNull::as_ref |
152 | /// [`as_uninit_mut`]: NonNull::as_uninit_mut |
153 | /// |
154 | /// # Safety |
155 | /// |
156 | /// When calling this method, you have to ensure that |
157 | /// the pointer is [convertible to a reference](crate::ptr#pointer-to-reference-conversion). |
158 | /// Note that because the created reference is to `MaybeUninit<T>`, the |
159 | /// source pointer can point to uninitialized memory. |
160 | #[inline ] |
161 | #[must_use ] |
162 | #[unstable (feature = "ptr_as_uninit" , issue = "75402" )] |
163 | pub const unsafe fn as_uninit_ref<'a>(self) -> &'a MaybeUninit<T> { |
164 | // SAFETY: the caller must guarantee that `self` meets all the |
165 | // requirements for a reference. |
166 | unsafe { &*self.cast().as_ptr() } |
167 | } |
168 | |
169 | /// Returns a unique references to the value. In contrast to [`as_mut`], this does not require |
170 | /// that the value has to be initialized. |
171 | /// |
172 | /// For the shared counterpart see [`as_uninit_ref`]. |
173 | /// |
174 | /// [`as_mut`]: NonNull::as_mut |
175 | /// [`as_uninit_ref`]: NonNull::as_uninit_ref |
176 | /// |
177 | /// # Safety |
178 | /// |
179 | /// When calling this method, you have to ensure that |
180 | /// the pointer is [convertible to a reference](crate::ptr#pointer-to-reference-conversion). |
181 | /// Note that because the created reference is to `MaybeUninit<T>`, the |
182 | /// source pointer can point to uninitialized memory. |
183 | #[inline ] |
184 | #[must_use ] |
185 | #[unstable (feature = "ptr_as_uninit" , issue = "75402" )] |
186 | pub const unsafe fn as_uninit_mut<'a>(self) -> &'a mut MaybeUninit<T> { |
187 | // SAFETY: the caller must guarantee that `self` meets all the |
188 | // requirements for a reference. |
189 | unsafe { &mut *self.cast().as_ptr() } |
190 | } |
191 | } |
192 | |
193 | impl<T: ?Sized> NonNull<T> { |
194 | /// Creates a new `NonNull`. |
195 | /// |
196 | /// # Safety |
197 | /// |
198 | /// `ptr` must be non-null. |
199 | /// |
200 | /// # Examples |
201 | /// |
202 | /// ``` |
203 | /// use std::ptr::NonNull; |
204 | /// |
205 | /// let mut x = 0u32; |
206 | /// let ptr = unsafe { NonNull::new_unchecked(&mut x as *mut _) }; |
207 | /// ``` |
208 | /// |
209 | /// *Incorrect* usage of this function: |
210 | /// |
211 | /// ```rust,no_run |
212 | /// use std::ptr::NonNull; |
213 | /// |
214 | /// // NEVER DO THAT!!! This is undefined behavior. ⚠️ |
215 | /// let ptr = unsafe { NonNull::<u32>::new_unchecked(std::ptr::null_mut()) }; |
216 | /// ``` |
217 | #[stable (feature = "nonnull" , since = "1.25.0" )] |
218 | #[rustc_const_stable (feature = "const_nonnull_new_unchecked" , since = "1.25.0" )] |
219 | #[inline ] |
220 | #[track_caller ] |
221 | pub const unsafe fn new_unchecked(ptr: *mut T) -> Self { |
222 | // SAFETY: the caller must guarantee that `ptr` is non-null. |
223 | unsafe { |
224 | assert_unsafe_precondition!( |
225 | check_language_ub, |
226 | "NonNull::new_unchecked requires that the pointer is non-null" , |
227 | (ptr: *mut () = ptr as *mut ()) => !ptr.is_null() |
228 | ); |
229 | NonNull { pointer: ptr as _ } |
230 | } |
231 | } |
232 | |
233 | /// Creates a new `NonNull` if `ptr` is non-null. |
234 | /// |
235 | /// # Panics during const evaluation |
236 | /// |
237 | /// This method will panic during const evaluation if the pointer cannot be |
238 | /// determined to be null or not. See [`is_null`] for more information. |
239 | /// |
240 | /// [`is_null`]: ../primitive.pointer.html#method.is_null-1 |
241 | /// |
242 | /// # Examples |
243 | /// |
244 | /// ``` |
245 | /// use std::ptr::NonNull; |
246 | /// |
247 | /// let mut x = 0u32; |
248 | /// let ptr = NonNull::<u32>::new(&mut x as *mut _).expect("ptr is null!" ); |
249 | /// |
250 | /// if let Some(ptr) = NonNull::<u32>::new(std::ptr::null_mut()) { |
251 | /// unreachable!(); |
252 | /// } |
253 | /// ``` |
254 | #[stable (feature = "nonnull" , since = "1.25.0" )] |
255 | #[rustc_const_stable (feature = "const_nonnull_new" , since = "1.85.0" )] |
256 | #[inline ] |
257 | pub const fn new(ptr: *mut T) -> Option<Self> { |
258 | if !ptr.is_null() { |
259 | // SAFETY: The pointer is already checked and is not null |
260 | Some(unsafe { Self::new_unchecked(ptr) }) |
261 | } else { |
262 | None |
263 | } |
264 | } |
265 | |
266 | /// Converts a reference to a `NonNull` pointer. |
267 | #[stable (feature = "non_null_from_ref" , since = "CURRENT_RUSTC_VERSION" )] |
268 | #[rustc_const_stable (feature = "non_null_from_ref" , since = "CURRENT_RUSTC_VERSION" )] |
269 | #[inline ] |
270 | pub const fn from_ref(r: &T) -> Self { |
271 | // SAFETY: A reference cannot be null. |
272 | unsafe { NonNull { pointer: r as *const T } } |
273 | } |
274 | |
275 | /// Converts a mutable reference to a `NonNull` pointer. |
276 | #[stable (feature = "non_null_from_ref" , since = "CURRENT_RUSTC_VERSION" )] |
277 | #[rustc_const_stable (feature = "non_null_from_ref" , since = "CURRENT_RUSTC_VERSION" )] |
278 | #[inline ] |
279 | pub const fn from_mut(r: &mut T) -> Self { |
280 | // SAFETY: A mutable reference cannot be null. |
281 | unsafe { NonNull { pointer: r as *mut T } } |
282 | } |
283 | |
284 | /// Performs the same functionality as [`std::ptr::from_raw_parts`], except that a |
285 | /// `NonNull` pointer is returned, as opposed to a raw `*const` pointer. |
286 | /// |
287 | /// See the documentation of [`std::ptr::from_raw_parts`] for more details. |
288 | /// |
289 | /// [`std::ptr::from_raw_parts`]: crate::ptr::from_raw_parts |
290 | #[unstable (feature = "ptr_metadata" , issue = "81513" )] |
291 | #[inline ] |
292 | pub const fn from_raw_parts( |
293 | data_pointer: NonNull<impl super::Thin>, |
294 | metadata: <T as super::Pointee>::Metadata, |
295 | ) -> NonNull<T> { |
296 | // SAFETY: The result of `ptr::from::raw_parts_mut` is non-null because `data_pointer` is. |
297 | unsafe { |
298 | NonNull::new_unchecked(super::from_raw_parts_mut(data_pointer.as_ptr(), metadata)) |
299 | } |
300 | } |
301 | |
302 | /// Decompose a (possibly wide) pointer into its data pointer and metadata components. |
303 | /// |
304 | /// The pointer can be later reconstructed with [`NonNull::from_raw_parts`]. |
305 | #[unstable (feature = "ptr_metadata" , issue = "81513" )] |
306 | #[must_use = "this returns the result of the operation, \ |
307 | without modifying the original" ] |
308 | #[inline ] |
309 | pub const fn to_raw_parts(self) -> (NonNull<()>, <T as super::Pointee>::Metadata) { |
310 | (self.cast(), super::metadata(self.as_ptr())) |
311 | } |
312 | |
313 | /// Gets the "address" portion of the pointer. |
314 | /// |
315 | /// For more details, see the equivalent method on a raw pointer, [`pointer::addr`]. |
316 | /// |
317 | /// This is a [Strict Provenance][crate::ptr#strict-provenance] API. |
318 | #[must_use ] |
319 | #[inline ] |
320 | #[stable (feature = "strict_provenance" , since = "1.84.0" )] |
321 | pub fn addr(self) -> NonZero<usize> { |
322 | // SAFETY: The pointer is guaranteed by the type to be non-null, |
323 | // meaning that the address will be non-zero. |
324 | unsafe { NonZero::new_unchecked(self.as_ptr().addr()) } |
325 | } |
326 | |
327 | /// Exposes the ["provenance"][crate::ptr#provenance] part of the pointer for future use in |
328 | /// [`with_exposed_provenance`][NonNull::with_exposed_provenance] and returns the "address" portion. |
329 | /// |
330 | /// For more details, see the equivalent method on a raw pointer, [`pointer::expose_provenance`]. |
331 | /// |
332 | /// This is an [Exposed Provenance][crate::ptr#exposed-provenance] API. |
333 | #[stable (feature = "nonnull_provenance" , since = "CURRENT_RUSTC_VERSION" )] |
334 | pub fn expose_provenance(self) -> NonZero<usize> { |
335 | // SAFETY: The pointer is guaranteed by the type to be non-null, |
336 | // meaning that the address will be non-zero. |
337 | unsafe { NonZero::new_unchecked(self.as_ptr().expose_provenance()) } |
338 | } |
339 | |
340 | /// Creates a new pointer with the given address and the [provenance][crate::ptr#provenance] of |
341 | /// `self`. |
342 | /// |
343 | /// For more details, see the equivalent method on a raw pointer, [`pointer::with_addr`]. |
344 | /// |
345 | /// This is a [Strict Provenance][crate::ptr#strict-provenance] API. |
346 | #[must_use ] |
347 | #[inline ] |
348 | #[stable (feature = "strict_provenance" , since = "1.84.0" )] |
349 | pub fn with_addr(self, addr: NonZero<usize>) -> Self { |
350 | // SAFETY: The result of `ptr::from::with_addr` is non-null because `addr` is guaranteed to be non-zero. |
351 | unsafe { NonNull::new_unchecked(self.as_ptr().with_addr(addr.get()) as *mut _) } |
352 | } |
353 | |
354 | /// Creates a new pointer by mapping `self`'s address to a new one, preserving the |
355 | /// [provenance][crate::ptr#provenance] of `self`. |
356 | /// |
357 | /// For more details, see the equivalent method on a raw pointer, [`pointer::map_addr`]. |
358 | /// |
359 | /// This is a [Strict Provenance][crate::ptr#strict-provenance] API. |
360 | #[must_use ] |
361 | #[inline ] |
362 | #[stable (feature = "strict_provenance" , since = "1.84.0" )] |
363 | pub fn map_addr(self, f: impl FnOnce(NonZero<usize>) -> NonZero<usize>) -> Self { |
364 | self.with_addr(f(self.addr())) |
365 | } |
366 | |
367 | /// Acquires the underlying `*mut` pointer. |
368 | /// |
369 | /// # Examples |
370 | /// |
371 | /// ``` |
372 | /// use std::ptr::NonNull; |
373 | /// |
374 | /// let mut x = 0u32; |
375 | /// let ptr = NonNull::new(&mut x).expect("ptr is null!" ); |
376 | /// |
377 | /// let x_value = unsafe { *ptr.as_ptr() }; |
378 | /// assert_eq!(x_value, 0); |
379 | /// |
380 | /// unsafe { *ptr.as_ptr() += 2; } |
381 | /// let x_value = unsafe { *ptr.as_ptr() }; |
382 | /// assert_eq!(x_value, 2); |
383 | /// ``` |
384 | #[stable (feature = "nonnull" , since = "1.25.0" )] |
385 | #[rustc_const_stable (feature = "const_nonnull_as_ptr" , since = "1.32.0" )] |
386 | #[rustc_never_returns_null_ptr ] |
387 | #[must_use ] |
388 | #[inline (always)] |
389 | pub const fn as_ptr(self) -> *mut T { |
390 | // This is a transmute for the same reasons as `NonZero::get`. |
391 | |
392 | // SAFETY: `NonNull` is `transparent` over a `*const T`, and `*const T` |
393 | // and `*mut T` have the same layout, so transitively we can transmute |
394 | // our `NonNull` to a `*mut T` directly. |
395 | unsafe { mem::transmute::<Self, *mut T>(self) } |
396 | } |
397 | |
398 | /// Returns a shared reference to the value. If the value may be uninitialized, [`as_uninit_ref`] |
399 | /// must be used instead. |
400 | /// |
401 | /// For the mutable counterpart see [`as_mut`]. |
402 | /// |
403 | /// [`as_uninit_ref`]: NonNull::as_uninit_ref |
404 | /// [`as_mut`]: NonNull::as_mut |
405 | /// |
406 | /// # Safety |
407 | /// |
408 | /// When calling this method, you have to ensure that |
409 | /// the pointer is [convertible to a reference](crate::ptr#pointer-to-reference-conversion). |
410 | /// |
411 | /// # Examples |
412 | /// |
413 | /// ``` |
414 | /// use std::ptr::NonNull; |
415 | /// |
416 | /// let mut x = 0u32; |
417 | /// let ptr = NonNull::new(&mut x as *mut _).expect("ptr is null!" ); |
418 | /// |
419 | /// let ref_x = unsafe { ptr.as_ref() }; |
420 | /// println!("{ref_x}" ); |
421 | /// ``` |
422 | /// |
423 | /// [the module documentation]: crate::ptr#safety |
424 | #[stable (feature = "nonnull" , since = "1.25.0" )] |
425 | #[rustc_const_stable (feature = "const_nonnull_as_ref" , since = "1.73.0" )] |
426 | #[must_use ] |
427 | #[inline (always)] |
428 | pub const unsafe fn as_ref<'a>(&self) -> &'a T { |
429 | // SAFETY: the caller must guarantee that `self` meets all the |
430 | // requirements for a reference. |
431 | // `cast_const` avoids a mutable raw pointer deref. |
432 | unsafe { &*self.as_ptr().cast_const() } |
433 | } |
434 | |
435 | /// Returns a unique reference to the value. If the value may be uninitialized, [`as_uninit_mut`] |
436 | /// must be used instead. |
437 | /// |
438 | /// For the shared counterpart see [`as_ref`]. |
439 | /// |
440 | /// [`as_uninit_mut`]: NonNull::as_uninit_mut |
441 | /// [`as_ref`]: NonNull::as_ref |
442 | /// |
443 | /// # Safety |
444 | /// |
445 | /// When calling this method, you have to ensure that |
446 | /// the pointer is [convertible to a reference](crate::ptr#pointer-to-reference-conversion). |
447 | /// # Examples |
448 | /// |
449 | /// ``` |
450 | /// use std::ptr::NonNull; |
451 | /// |
452 | /// let mut x = 0u32; |
453 | /// let mut ptr = NonNull::new(&mut x).expect("null pointer" ); |
454 | /// |
455 | /// let x_ref = unsafe { ptr.as_mut() }; |
456 | /// assert_eq!(*x_ref, 0); |
457 | /// *x_ref += 2; |
458 | /// assert_eq!(*x_ref, 2); |
459 | /// ``` |
460 | /// |
461 | /// [the module documentation]: crate::ptr#safety |
462 | #[stable (feature = "nonnull" , since = "1.25.0" )] |
463 | #[rustc_const_stable (feature = "const_ptr_as_ref" , since = "1.83.0" )] |
464 | #[must_use ] |
465 | #[inline (always)] |
466 | pub const unsafe fn as_mut<'a>(&mut self) -> &'a mut T { |
467 | // SAFETY: the caller must guarantee that `self` meets all the |
468 | // requirements for a mutable reference. |
469 | unsafe { &mut *self.as_ptr() } |
470 | } |
471 | |
472 | /// Casts to a pointer of another type. |
473 | /// |
474 | /// # Examples |
475 | /// |
476 | /// ``` |
477 | /// use std::ptr::NonNull; |
478 | /// |
479 | /// let mut x = 0u32; |
480 | /// let ptr = NonNull::new(&mut x as *mut _).expect("null pointer" ); |
481 | /// |
482 | /// let casted_ptr = ptr.cast::<i8>(); |
483 | /// let raw_ptr: *mut i8 = casted_ptr.as_ptr(); |
484 | /// ``` |
485 | #[stable (feature = "nonnull_cast" , since = "1.27.0" )] |
486 | #[rustc_const_stable (feature = "const_nonnull_cast" , since = "1.36.0" )] |
487 | #[must_use = "this returns the result of the operation, \ |
488 | without modifying the original" ] |
489 | #[inline ] |
490 | pub const fn cast<U>(self) -> NonNull<U> { |
491 | // SAFETY: `self` is a `NonNull` pointer which is necessarily non-null |
492 | unsafe { NonNull { pointer: self.as_ptr() as *mut U } } |
493 | } |
494 | |
495 | /// Try to cast to a pointer of another type by checking aligment. |
496 | /// |
497 | /// If the pointer is properly aligned to the target type, it will be |
498 | /// cast to the target type. Otherwise, `None` is returned. |
499 | /// |
500 | /// # Examples |
501 | /// |
502 | /// ```rust |
503 | /// #![feature(pointer_try_cast_aligned)] |
504 | /// use std::ptr::NonNull; |
505 | /// |
506 | /// let mut x = 0u64; |
507 | /// |
508 | /// let aligned = NonNull::from_mut(&mut x); |
509 | /// let unaligned = unsafe { aligned.byte_add(1) }; |
510 | /// |
511 | /// assert!(aligned.try_cast_aligned::<u32>().is_some()); |
512 | /// assert!(unaligned.try_cast_aligned::<u32>().is_none()); |
513 | /// ``` |
514 | #[unstable (feature = "pointer_try_cast_aligned" , issue = "141221" )] |
515 | #[must_use = "this returns the result of the operation, \ |
516 | without modifying the original" ] |
517 | #[inline ] |
518 | pub fn try_cast_aligned<U>(self) -> Option<NonNull<U>> { |
519 | if self.is_aligned_to(align_of::<U>()) { Some(self.cast()) } else { None } |
520 | } |
521 | |
522 | /// Adds an offset to a pointer. |
523 | /// |
524 | /// `count` is in units of T; e.g., a `count` of 3 represents a pointer |
525 | /// offset of `3 * size_of::<T>()` bytes. |
526 | /// |
527 | /// # Safety |
528 | /// |
529 | /// If any of the following conditions are violated, the result is Undefined Behavior: |
530 | /// |
531 | /// * The computed offset, `count * size_of::<T>()` bytes, must not overflow `isize`. |
532 | /// |
533 | /// * If the computed offset is non-zero, then `self` must be derived from a pointer to some |
534 | /// [allocation], and the entire memory range between `self` and the result must be in |
535 | /// bounds of that allocation. In particular, this range must not "wrap around" the edge |
536 | /// of the address space. |
537 | /// |
538 | /// Allocations can never be larger than `isize::MAX` bytes, so if the computed offset |
539 | /// stays in bounds of the allocation, it is guaranteed to satisfy the first requirement. |
540 | /// This implies, for instance, that `vec.as_ptr().add(vec.len())` (for `vec: Vec<T>`) is always |
541 | /// safe. |
542 | /// |
543 | /// [allocation]: crate::ptr#allocation |
544 | /// |
545 | /// # Examples |
546 | /// |
547 | /// ``` |
548 | /// use std::ptr::NonNull; |
549 | /// |
550 | /// let mut s = [1, 2, 3]; |
551 | /// let ptr: NonNull<u32> = NonNull::new(s.as_mut_ptr()).unwrap(); |
552 | /// |
553 | /// unsafe { |
554 | /// println!("{}" , ptr.offset(1).read()); |
555 | /// println!("{}" , ptr.offset(2).read()); |
556 | /// } |
557 | /// ``` |
558 | #[inline (always)] |
559 | #[cfg_attr (miri, track_caller)] // even without panics, this helps for Miri backtraces |
560 | #[must_use = "returns a new pointer rather than modifying its argument" ] |
561 | #[stable (feature = "non_null_convenience" , since = "1.80.0" )] |
562 | #[rustc_const_stable (feature = "non_null_convenience" , since = "1.80.0" )] |
563 | pub const unsafe fn offset(self, count: isize) -> Self |
564 | where |
565 | T: Sized, |
566 | { |
567 | // SAFETY: the caller must uphold the safety contract for `offset`. |
568 | // Additionally safety contract of `offset` guarantees that the resulting pointer is |
569 | // pointing to an allocation, there can't be an allocation at null, thus it's safe to |
570 | // construct `NonNull`. |
571 | unsafe { NonNull { pointer: intrinsics::offset(self.as_ptr(), count) } } |
572 | } |
573 | |
574 | /// Calculates the offset from a pointer in bytes. |
575 | /// |
576 | /// `count` is in units of **bytes**. |
577 | /// |
578 | /// This is purely a convenience for casting to a `u8` pointer and |
579 | /// using [offset][pointer::offset] on it. See that method for documentation |
580 | /// and safety requirements. |
581 | /// |
582 | /// For non-`Sized` pointees this operation changes only the data pointer, |
583 | /// leaving the metadata untouched. |
584 | #[must_use ] |
585 | #[inline (always)] |
586 | #[cfg_attr (miri, track_caller)] // even without panics, this helps for Miri backtraces |
587 | #[stable (feature = "non_null_convenience" , since = "1.80.0" )] |
588 | #[rustc_const_stable (feature = "non_null_convenience" , since = "1.80.0" )] |
589 | pub const unsafe fn byte_offset(self, count: isize) -> Self { |
590 | // SAFETY: the caller must uphold the safety contract for `offset` and `byte_offset` has |
591 | // the same safety contract. |
592 | // Additionally safety contract of `offset` guarantees that the resulting pointer is |
593 | // pointing to an allocation, there can't be an allocation at null, thus it's safe to |
594 | // construct `NonNull`. |
595 | unsafe { NonNull { pointer: self.as_ptr().byte_offset(count) } } |
596 | } |
597 | |
598 | /// Adds an offset to a pointer (convenience for `.offset(count as isize)`). |
599 | /// |
600 | /// `count` is in units of T; e.g., a `count` of 3 represents a pointer |
601 | /// offset of `3 * size_of::<T>()` bytes. |
602 | /// |
603 | /// # Safety |
604 | /// |
605 | /// If any of the following conditions are violated, the result is Undefined Behavior: |
606 | /// |
607 | /// * The computed offset, `count * size_of::<T>()` bytes, must not overflow `isize`. |
608 | /// |
609 | /// * If the computed offset is non-zero, then `self` must be derived from a pointer to some |
610 | /// [allocation], and the entire memory range between `self` and the result must be in |
611 | /// bounds of that allocation. In particular, this range must not "wrap around" the edge |
612 | /// of the address space. |
613 | /// |
614 | /// Allocations can never be larger than `isize::MAX` bytes, so if the computed offset |
615 | /// stays in bounds of the allocation, it is guaranteed to satisfy the first requirement. |
616 | /// This implies, for instance, that `vec.as_ptr().add(vec.len())` (for `vec: Vec<T>`) is always |
617 | /// safe. |
618 | /// |
619 | /// [allocation]: crate::ptr#allocation |
620 | /// |
621 | /// # Examples |
622 | /// |
623 | /// ``` |
624 | /// use std::ptr::NonNull; |
625 | /// |
626 | /// let s: &str = "123" ; |
627 | /// let ptr: NonNull<u8> = NonNull::new(s.as_ptr().cast_mut()).unwrap(); |
628 | /// |
629 | /// unsafe { |
630 | /// println!("{}" , ptr.add(1).read() as char); |
631 | /// println!("{}" , ptr.add(2).read() as char); |
632 | /// } |
633 | /// ``` |
634 | #[inline (always)] |
635 | #[cfg_attr (miri, track_caller)] // even without panics, this helps for Miri backtraces |
636 | #[must_use = "returns a new pointer rather than modifying its argument" ] |
637 | #[stable (feature = "non_null_convenience" , since = "1.80.0" )] |
638 | #[rustc_const_stable (feature = "non_null_convenience" , since = "1.80.0" )] |
639 | pub const unsafe fn add(self, count: usize) -> Self |
640 | where |
641 | T: Sized, |
642 | { |
643 | // SAFETY: the caller must uphold the safety contract for `offset`. |
644 | // Additionally safety contract of `offset` guarantees that the resulting pointer is |
645 | // pointing to an allocation, there can't be an allocation at null, thus it's safe to |
646 | // construct `NonNull`. |
647 | unsafe { NonNull { pointer: intrinsics::offset(self.as_ptr(), count) } } |
648 | } |
649 | |
650 | /// Calculates the offset from a pointer in bytes (convenience for `.byte_offset(count as isize)`). |
651 | /// |
652 | /// `count` is in units of bytes. |
653 | /// |
654 | /// This is purely a convenience for casting to a `u8` pointer and |
655 | /// using [`add`][NonNull::add] on it. See that method for documentation |
656 | /// and safety requirements. |
657 | /// |
658 | /// For non-`Sized` pointees this operation changes only the data pointer, |
659 | /// leaving the metadata untouched. |
660 | #[must_use ] |
661 | #[inline (always)] |
662 | #[cfg_attr (miri, track_caller)] // even without panics, this helps for Miri backtraces |
663 | #[stable (feature = "non_null_convenience" , since = "1.80.0" )] |
664 | #[rustc_const_stable (feature = "non_null_convenience" , since = "1.80.0" )] |
665 | pub const unsafe fn byte_add(self, count: usize) -> Self { |
666 | // SAFETY: the caller must uphold the safety contract for `add` and `byte_add` has the same |
667 | // safety contract. |
668 | // Additionally safety contract of `add` guarantees that the resulting pointer is pointing |
669 | // to an allocation, there can't be an allocation at null, thus it's safe to construct |
670 | // `NonNull`. |
671 | unsafe { NonNull { pointer: self.as_ptr().byte_add(count) } } |
672 | } |
673 | |
674 | /// Subtracts an offset from a pointer (convenience for |
675 | /// `.offset((count as isize).wrapping_neg())`). |
676 | /// |
677 | /// `count` is in units of T; e.g., a `count` of 3 represents a pointer |
678 | /// offset of `3 * size_of::<T>()` bytes. |
679 | /// |
680 | /// # Safety |
681 | /// |
682 | /// If any of the following conditions are violated, the result is Undefined Behavior: |
683 | /// |
684 | /// * The computed offset, `count * size_of::<T>()` bytes, must not overflow `isize`. |
685 | /// |
686 | /// * If the computed offset is non-zero, then `self` must be derived from a pointer to some |
687 | /// [allocation], and the entire memory range between `self` and the result must be in |
688 | /// bounds of that allocation. In particular, this range must not "wrap around" the edge |
689 | /// of the address space. |
690 | /// |
691 | /// Allocations can never be larger than `isize::MAX` bytes, so if the computed offset |
692 | /// stays in bounds of the allocation, it is guaranteed to satisfy the first requirement. |
693 | /// This implies, for instance, that `vec.as_ptr().add(vec.len())` (for `vec: Vec<T>`) is always |
694 | /// safe. |
695 | /// |
696 | /// [allocation]: crate::ptr#allocation |
697 | /// |
698 | /// # Examples |
699 | /// |
700 | /// ``` |
701 | /// use std::ptr::NonNull; |
702 | /// |
703 | /// let s: &str = "123" ; |
704 | /// |
705 | /// unsafe { |
706 | /// let end: NonNull<u8> = NonNull::new(s.as_ptr().cast_mut()).unwrap().add(3); |
707 | /// println!("{}" , end.sub(1).read() as char); |
708 | /// println!("{}" , end.sub(2).read() as char); |
709 | /// } |
710 | /// ``` |
711 | #[inline (always)] |
712 | #[cfg_attr (miri, track_caller)] // even without panics, this helps for Miri backtraces |
713 | #[must_use = "returns a new pointer rather than modifying its argument" ] |
714 | #[stable (feature = "non_null_convenience" , since = "1.80.0" )] |
715 | #[rustc_const_stable (feature = "non_null_convenience" , since = "1.80.0" )] |
716 | pub const unsafe fn sub(self, count: usize) -> Self |
717 | where |
718 | T: Sized, |
719 | { |
720 | if T::IS_ZST { |
721 | // Pointer arithmetic does nothing when the pointee is a ZST. |
722 | self |
723 | } else { |
724 | // SAFETY: the caller must uphold the safety contract for `offset`. |
725 | // Because the pointee is *not* a ZST, that means that `count` is |
726 | // at most `isize::MAX`, and thus the negation cannot overflow. |
727 | unsafe { self.offset((count as isize).unchecked_neg()) } |
728 | } |
729 | } |
730 | |
731 | /// Calculates the offset from a pointer in bytes (convenience for |
732 | /// `.byte_offset((count as isize).wrapping_neg())`). |
733 | /// |
734 | /// `count` is in units of bytes. |
735 | /// |
736 | /// This is purely a convenience for casting to a `u8` pointer and |
737 | /// using [`sub`][NonNull::sub] on it. See that method for documentation |
738 | /// and safety requirements. |
739 | /// |
740 | /// For non-`Sized` pointees this operation changes only the data pointer, |
741 | /// leaving the metadata untouched. |
742 | #[must_use ] |
743 | #[inline (always)] |
744 | #[cfg_attr (miri, track_caller)] // even without panics, this helps for Miri backtraces |
745 | #[stable (feature = "non_null_convenience" , since = "1.80.0" )] |
746 | #[rustc_const_stable (feature = "non_null_convenience" , since = "1.80.0" )] |
747 | pub const unsafe fn byte_sub(self, count: usize) -> Self { |
748 | // SAFETY: the caller must uphold the safety contract for `sub` and `byte_sub` has the same |
749 | // safety contract. |
750 | // Additionally safety contract of `sub` guarantees that the resulting pointer is pointing |
751 | // to an allocation, there can't be an allocation at null, thus it's safe to construct |
752 | // `NonNull`. |
753 | unsafe { NonNull { pointer: self.as_ptr().byte_sub(count) } } |
754 | } |
755 | |
756 | /// Calculates the distance between two pointers within the same allocation. The returned value is in |
757 | /// units of T: the distance in bytes divided by `size_of::<T>()`. |
758 | /// |
759 | /// This is equivalent to `(self as isize - origin as isize) / (size_of::<T>() as isize)`, |
760 | /// except that it has a lot more opportunities for UB, in exchange for the compiler |
761 | /// better understanding what you are doing. |
762 | /// |
763 | /// The primary motivation of this method is for computing the `len` of an array/slice |
764 | /// of `T` that you are currently representing as a "start" and "end" pointer |
765 | /// (and "end" is "one past the end" of the array). |
766 | /// In that case, `end.offset_from(start)` gets you the length of the array. |
767 | /// |
768 | /// All of the following safety requirements are trivially satisfied for this usecase. |
769 | /// |
770 | /// [`offset`]: #method.offset |
771 | /// |
772 | /// # Safety |
773 | /// |
774 | /// If any of the following conditions are violated, the result is Undefined Behavior: |
775 | /// |
776 | /// * `self` and `origin` must either |
777 | /// |
778 | /// * point to the same address, or |
779 | /// * both be *derived from* a pointer to the same [allocation], and the memory range between |
780 | /// the two pointers must be in bounds of that object. (See below for an example.) |
781 | /// |
782 | /// * The distance between the pointers, in bytes, must be an exact multiple |
783 | /// of the size of `T`. |
784 | /// |
785 | /// As a consequence, the absolute distance between the pointers, in bytes, computed on |
786 | /// mathematical integers (without "wrapping around"), cannot overflow an `isize`. This is |
787 | /// implied by the in-bounds requirement, and the fact that no allocation can be larger |
788 | /// than `isize::MAX` bytes. |
789 | /// |
790 | /// The requirement for pointers to be derived from the same allocation is primarily |
791 | /// needed for `const`-compatibility: the distance between pointers into *different* allocated |
792 | /// objects is not known at compile-time. However, the requirement also exists at |
793 | /// runtime and may be exploited by optimizations. If you wish to compute the difference between |
794 | /// pointers that are not guaranteed to be from the same allocation, use `(self as isize - |
795 | /// origin as isize) / size_of::<T>()`. |
796 | // FIXME: recommend `addr()` instead of `as usize` once that is stable. |
797 | /// |
798 | /// [`add`]: #method.add |
799 | /// [allocation]: crate::ptr#allocation |
800 | /// |
801 | /// # Panics |
802 | /// |
803 | /// This function panics if `T` is a Zero-Sized Type ("ZST"). |
804 | /// |
805 | /// # Examples |
806 | /// |
807 | /// Basic usage: |
808 | /// |
809 | /// ``` |
810 | /// use std::ptr::NonNull; |
811 | /// |
812 | /// let a = [0; 5]; |
813 | /// let ptr1: NonNull<u32> = NonNull::from(&a[1]); |
814 | /// let ptr2: NonNull<u32> = NonNull::from(&a[3]); |
815 | /// unsafe { |
816 | /// assert_eq!(ptr2.offset_from(ptr1), 2); |
817 | /// assert_eq!(ptr1.offset_from(ptr2), -2); |
818 | /// assert_eq!(ptr1.offset(2), ptr2); |
819 | /// assert_eq!(ptr2.offset(-2), ptr1); |
820 | /// } |
821 | /// ``` |
822 | /// |
823 | /// *Incorrect* usage: |
824 | /// |
825 | /// ```rust,no_run |
826 | /// use std::ptr::NonNull; |
827 | /// |
828 | /// let ptr1 = NonNull::new(Box::into_raw(Box::new(0u8))).unwrap(); |
829 | /// let ptr2 = NonNull::new(Box::into_raw(Box::new(1u8))).unwrap(); |
830 | /// let diff = (ptr2.addr().get() as isize).wrapping_sub(ptr1.addr().get() as isize); |
831 | /// // Make ptr2_other an "alias" of ptr2.add(1), but derived from ptr1. |
832 | /// let diff_plus_1 = diff.wrapping_add(1); |
833 | /// let ptr2_other = NonNull::new(ptr1.as_ptr().wrapping_byte_offset(diff_plus_1)).unwrap(); |
834 | /// assert_eq!(ptr2.addr(), ptr2_other.addr()); |
835 | /// // Since ptr2_other and ptr2 are derived from pointers to different objects, |
836 | /// // computing their offset is undefined behavior, even though |
837 | /// // they point to addresses that are in-bounds of the same object! |
838 | /// |
839 | /// let one = unsafe { ptr2_other.offset_from(ptr2) }; // Undefined Behavior! ⚠️ |
840 | /// ``` |
841 | #[inline ] |
842 | #[cfg_attr (miri, track_caller)] // even without panics, this helps for Miri backtraces |
843 | #[stable (feature = "non_null_convenience" , since = "1.80.0" )] |
844 | #[rustc_const_stable (feature = "non_null_convenience" , since = "1.80.0" )] |
845 | pub const unsafe fn offset_from(self, origin: NonNull<T>) -> isize |
846 | where |
847 | T: Sized, |
848 | { |
849 | // SAFETY: the caller must uphold the safety contract for `offset_from`. |
850 | unsafe { self.as_ptr().offset_from(origin.as_ptr()) } |
851 | } |
852 | |
853 | /// Calculates the distance between two pointers within the same allocation. The returned value is in |
854 | /// units of **bytes**. |
855 | /// |
856 | /// This is purely a convenience for casting to a `u8` pointer and |
857 | /// using [`offset_from`][NonNull::offset_from] on it. See that method for |
858 | /// documentation and safety requirements. |
859 | /// |
860 | /// For non-`Sized` pointees this operation considers only the data pointers, |
861 | /// ignoring the metadata. |
862 | #[inline (always)] |
863 | #[cfg_attr (miri, track_caller)] // even without panics, this helps for Miri backtraces |
864 | #[stable (feature = "non_null_convenience" , since = "1.80.0" )] |
865 | #[rustc_const_stable (feature = "non_null_convenience" , since = "1.80.0" )] |
866 | pub const unsafe fn byte_offset_from<U: ?Sized>(self, origin: NonNull<U>) -> isize { |
867 | // SAFETY: the caller must uphold the safety contract for `byte_offset_from`. |
868 | unsafe { self.as_ptr().byte_offset_from(origin.as_ptr()) } |
869 | } |
870 | |
871 | // N.B. `wrapping_offset``, `wrapping_add`, etc are not implemented because they can wrap to null |
872 | |
873 | /// Calculates the distance between two pointers within the same allocation, *where it's known that |
874 | /// `self` is equal to or greater than `origin`*. The returned value is in |
875 | /// units of T: the distance in bytes is divided by `size_of::<T>()`. |
876 | /// |
877 | /// This computes the same value that [`offset_from`](#method.offset_from) |
878 | /// would compute, but with the added precondition that the offset is |
879 | /// guaranteed to be non-negative. This method is equivalent to |
880 | /// `usize::try_from(self.offset_from(origin)).unwrap_unchecked()`, |
881 | /// but it provides slightly more information to the optimizer, which can |
882 | /// sometimes allow it to optimize slightly better with some backends. |
883 | /// |
884 | /// This method can be though of as recovering the `count` that was passed |
885 | /// to [`add`](#method.add) (or, with the parameters in the other order, |
886 | /// to [`sub`](#method.sub)). The following are all equivalent, assuming |
887 | /// that their safety preconditions are met: |
888 | /// ```rust |
889 | /// # unsafe fn blah(ptr: std::ptr::NonNull<u32>, origin: std::ptr::NonNull<u32>, count: usize) -> bool { unsafe { |
890 | /// ptr.offset_from_unsigned(origin) == count |
891 | /// # && |
892 | /// origin.add(count) == ptr |
893 | /// # && |
894 | /// ptr.sub(count) == origin |
895 | /// # } } |
896 | /// ``` |
897 | /// |
898 | /// # Safety |
899 | /// |
900 | /// - The distance between the pointers must be non-negative (`self >= origin`) |
901 | /// |
902 | /// - *All* the safety conditions of [`offset_from`](#method.offset_from) |
903 | /// apply to this method as well; see it for the full details. |
904 | /// |
905 | /// Importantly, despite the return type of this method being able to represent |
906 | /// a larger offset, it's still *not permitted* to pass pointers which differ |
907 | /// by more than `isize::MAX` *bytes*. As such, the result of this method will |
908 | /// always be less than or equal to `isize::MAX as usize`. |
909 | /// |
910 | /// # Panics |
911 | /// |
912 | /// This function panics if `T` is a Zero-Sized Type ("ZST"). |
913 | /// |
914 | /// # Examples |
915 | /// |
916 | /// ``` |
917 | /// use std::ptr::NonNull; |
918 | /// |
919 | /// let a = [0; 5]; |
920 | /// let ptr1: NonNull<u32> = NonNull::from(&a[1]); |
921 | /// let ptr2: NonNull<u32> = NonNull::from(&a[3]); |
922 | /// unsafe { |
923 | /// assert_eq!(ptr2.offset_from_unsigned(ptr1), 2); |
924 | /// assert_eq!(ptr1.add(2), ptr2); |
925 | /// assert_eq!(ptr2.sub(2), ptr1); |
926 | /// assert_eq!(ptr2.offset_from_unsigned(ptr2), 0); |
927 | /// } |
928 | /// |
929 | /// // This would be incorrect, as the pointers are not correctly ordered: |
930 | /// // ptr1.offset_from_unsigned(ptr2) |
931 | /// ``` |
932 | #[inline ] |
933 | #[cfg_attr (miri, track_caller)] // even without panics, this helps for Miri backtraces |
934 | #[stable (feature = "ptr_sub_ptr" , since = "1.87.0" )] |
935 | #[rustc_const_stable (feature = "const_ptr_sub_ptr" , since = "1.87.0" )] |
936 | pub const unsafe fn offset_from_unsigned(self, subtracted: NonNull<T>) -> usize |
937 | where |
938 | T: Sized, |
939 | { |
940 | // SAFETY: the caller must uphold the safety contract for `offset_from_unsigned`. |
941 | unsafe { self.as_ptr().offset_from_unsigned(subtracted.as_ptr()) } |
942 | } |
943 | |
944 | /// Calculates the distance between two pointers within the same allocation, *where it's known that |
945 | /// `self` is equal to or greater than `origin`*. The returned value is in |
946 | /// units of **bytes**. |
947 | /// |
948 | /// This is purely a convenience for casting to a `u8` pointer and |
949 | /// using [`offset_from_unsigned`][NonNull::offset_from_unsigned] on it. |
950 | /// See that method for documentation and safety requirements. |
951 | /// |
952 | /// For non-`Sized` pointees this operation considers only the data pointers, |
953 | /// ignoring the metadata. |
954 | #[inline (always)] |
955 | #[cfg_attr (miri, track_caller)] // even without panics, this helps for Miri backtraces |
956 | #[stable (feature = "ptr_sub_ptr" , since = "1.87.0" )] |
957 | #[rustc_const_stable (feature = "const_ptr_sub_ptr" , since = "1.87.0" )] |
958 | pub const unsafe fn byte_offset_from_unsigned<U: ?Sized>(self, origin: NonNull<U>) -> usize { |
959 | // SAFETY: the caller must uphold the safety contract for `byte_offset_from_unsigned`. |
960 | unsafe { self.as_ptr().byte_offset_from_unsigned(origin.as_ptr()) } |
961 | } |
962 | |
963 | /// Reads the value from `self` without moving it. This leaves the |
964 | /// memory in `self` unchanged. |
965 | /// |
966 | /// See [`ptr::read`] for safety concerns and examples. |
967 | /// |
968 | /// [`ptr::read`]: crate::ptr::read() |
969 | #[inline ] |
970 | #[cfg_attr (miri, track_caller)] // even without panics, this helps for Miri backtraces |
971 | #[stable (feature = "non_null_convenience" , since = "1.80.0" )] |
972 | #[rustc_const_stable (feature = "non_null_convenience" , since = "1.80.0" )] |
973 | pub const unsafe fn read(self) -> T |
974 | where |
975 | T: Sized, |
976 | { |
977 | // SAFETY: the caller must uphold the safety contract for `read`. |
978 | unsafe { ptr::read(self.as_ptr()) } |
979 | } |
980 | |
981 | /// Performs a volatile read of the value from `self` without moving it. This |
982 | /// leaves the memory in `self` unchanged. |
983 | /// |
984 | /// Volatile operations are intended to act on I/O memory, and are guaranteed |
985 | /// to not be elided or reordered by the compiler across other volatile |
986 | /// operations. |
987 | /// |
988 | /// See [`ptr::read_volatile`] for safety concerns and examples. |
989 | /// |
990 | /// [`ptr::read_volatile`]: crate::ptr::read_volatile() |
991 | #[inline ] |
992 | #[cfg_attr (miri, track_caller)] // even without panics, this helps for Miri backtraces |
993 | #[stable (feature = "non_null_convenience" , since = "1.80.0" )] |
994 | pub unsafe fn read_volatile(self) -> T |
995 | where |
996 | T: Sized, |
997 | { |
998 | // SAFETY: the caller must uphold the safety contract for `read_volatile`. |
999 | unsafe { ptr::read_volatile(self.as_ptr()) } |
1000 | } |
1001 | |
1002 | /// Reads the value from `self` without moving it. This leaves the |
1003 | /// memory in `self` unchanged. |
1004 | /// |
1005 | /// Unlike `read`, the pointer may be unaligned. |
1006 | /// |
1007 | /// See [`ptr::read_unaligned`] for safety concerns and examples. |
1008 | /// |
1009 | /// [`ptr::read_unaligned`]: crate::ptr::read_unaligned() |
1010 | #[inline ] |
1011 | #[cfg_attr (miri, track_caller)] // even without panics, this helps for Miri backtraces |
1012 | #[stable (feature = "non_null_convenience" , since = "1.80.0" )] |
1013 | #[rustc_const_stable (feature = "non_null_convenience" , since = "1.80.0" )] |
1014 | pub const unsafe fn read_unaligned(self) -> T |
1015 | where |
1016 | T: Sized, |
1017 | { |
1018 | // SAFETY: the caller must uphold the safety contract for `read_unaligned`. |
1019 | unsafe { ptr::read_unaligned(self.as_ptr()) } |
1020 | } |
1021 | |
1022 | /// Copies `count * size_of::<T>()` bytes from `self` to `dest`. The source |
1023 | /// and destination may overlap. |
1024 | /// |
1025 | /// NOTE: this has the *same* argument order as [`ptr::copy`]. |
1026 | /// |
1027 | /// See [`ptr::copy`] for safety concerns and examples. |
1028 | /// |
1029 | /// [`ptr::copy`]: crate::ptr::copy() |
1030 | #[inline (always)] |
1031 | #[cfg_attr (miri, track_caller)] // even without panics, this helps for Miri backtraces |
1032 | #[stable (feature = "non_null_convenience" , since = "1.80.0" )] |
1033 | #[rustc_const_stable (feature = "const_intrinsic_copy" , since = "1.83.0" )] |
1034 | pub const unsafe fn copy_to(self, dest: NonNull<T>, count: usize) |
1035 | where |
1036 | T: Sized, |
1037 | { |
1038 | // SAFETY: the caller must uphold the safety contract for `copy`. |
1039 | unsafe { ptr::copy(self.as_ptr(), dest.as_ptr(), count) } |
1040 | } |
1041 | |
1042 | /// Copies `count * size_of::<T>()` bytes from `self` to `dest`. The source |
1043 | /// and destination may *not* overlap. |
1044 | /// |
1045 | /// NOTE: this has the *same* argument order as [`ptr::copy_nonoverlapping`]. |
1046 | /// |
1047 | /// See [`ptr::copy_nonoverlapping`] for safety concerns and examples. |
1048 | /// |
1049 | /// [`ptr::copy_nonoverlapping`]: crate::ptr::copy_nonoverlapping() |
1050 | #[inline (always)] |
1051 | #[cfg_attr (miri, track_caller)] // even without panics, this helps for Miri backtraces |
1052 | #[stable (feature = "non_null_convenience" , since = "1.80.0" )] |
1053 | #[rustc_const_stable (feature = "const_intrinsic_copy" , since = "1.83.0" )] |
1054 | pub const unsafe fn copy_to_nonoverlapping(self, dest: NonNull<T>, count: usize) |
1055 | where |
1056 | T: Sized, |
1057 | { |
1058 | // SAFETY: the caller must uphold the safety contract for `copy_nonoverlapping`. |
1059 | unsafe { ptr::copy_nonoverlapping(self.as_ptr(), dest.as_ptr(), count) } |
1060 | } |
1061 | |
1062 | /// Copies `count * size_of::<T>()` bytes from `src` to `self`. The source |
1063 | /// and destination may overlap. |
1064 | /// |
1065 | /// NOTE: this has the *opposite* argument order of [`ptr::copy`]. |
1066 | /// |
1067 | /// See [`ptr::copy`] for safety concerns and examples. |
1068 | /// |
1069 | /// [`ptr::copy`]: crate::ptr::copy() |
1070 | #[inline (always)] |
1071 | #[cfg_attr (miri, track_caller)] // even without panics, this helps for Miri backtraces |
1072 | #[stable (feature = "non_null_convenience" , since = "1.80.0" )] |
1073 | #[rustc_const_stable (feature = "const_intrinsic_copy" , since = "1.83.0" )] |
1074 | pub const unsafe fn copy_from(self, src: NonNull<T>, count: usize) |
1075 | where |
1076 | T: Sized, |
1077 | { |
1078 | // SAFETY: the caller must uphold the safety contract for `copy`. |
1079 | unsafe { ptr::copy(src.as_ptr(), self.as_ptr(), count) } |
1080 | } |
1081 | |
1082 | /// Copies `count * size_of::<T>()` bytes from `src` to `self`. The source |
1083 | /// and destination may *not* overlap. |
1084 | /// |
1085 | /// NOTE: this has the *opposite* argument order of [`ptr::copy_nonoverlapping`]. |
1086 | /// |
1087 | /// See [`ptr::copy_nonoverlapping`] for safety concerns and examples. |
1088 | /// |
1089 | /// [`ptr::copy_nonoverlapping`]: crate::ptr::copy_nonoverlapping() |
1090 | #[inline (always)] |
1091 | #[cfg_attr (miri, track_caller)] // even without panics, this helps for Miri backtraces |
1092 | #[stable (feature = "non_null_convenience" , since = "1.80.0" )] |
1093 | #[rustc_const_stable (feature = "const_intrinsic_copy" , since = "1.83.0" )] |
1094 | pub const unsafe fn copy_from_nonoverlapping(self, src: NonNull<T>, count: usize) |
1095 | where |
1096 | T: Sized, |
1097 | { |
1098 | // SAFETY: the caller must uphold the safety contract for `copy_nonoverlapping`. |
1099 | unsafe { ptr::copy_nonoverlapping(src.as_ptr(), self.as_ptr(), count) } |
1100 | } |
1101 | |
1102 | /// Executes the destructor (if any) of the pointed-to value. |
1103 | /// |
1104 | /// See [`ptr::drop_in_place`] for safety concerns and examples. |
1105 | /// |
1106 | /// [`ptr::drop_in_place`]: crate::ptr::drop_in_place() |
1107 | #[inline (always)] |
1108 | #[stable (feature = "non_null_convenience" , since = "1.80.0" )] |
1109 | pub unsafe fn drop_in_place(self) { |
1110 | // SAFETY: the caller must uphold the safety contract for `drop_in_place`. |
1111 | unsafe { ptr::drop_in_place(self.as_ptr()) } |
1112 | } |
1113 | |
1114 | /// Overwrites a memory location with the given value without reading or |
1115 | /// dropping the old value. |
1116 | /// |
1117 | /// See [`ptr::write`] for safety concerns and examples. |
1118 | /// |
1119 | /// [`ptr::write`]: crate::ptr::write() |
1120 | #[inline (always)] |
1121 | #[cfg_attr (miri, track_caller)] // even without panics, this helps for Miri backtraces |
1122 | #[stable (feature = "non_null_convenience" , since = "1.80.0" )] |
1123 | #[rustc_const_stable (feature = "const_ptr_write" , since = "1.83.0" )] |
1124 | pub const unsafe fn write(self, val: T) |
1125 | where |
1126 | T: Sized, |
1127 | { |
1128 | // SAFETY: the caller must uphold the safety contract for `write`. |
1129 | unsafe { ptr::write(self.as_ptr(), val) } |
1130 | } |
1131 | |
1132 | /// Invokes memset on the specified pointer, setting `count * size_of::<T>()` |
1133 | /// bytes of memory starting at `self` to `val`. |
1134 | /// |
1135 | /// See [`ptr::write_bytes`] for safety concerns and examples. |
1136 | /// |
1137 | /// [`ptr::write_bytes`]: crate::ptr::write_bytes() |
1138 | #[inline (always)] |
1139 | #[doc (alias = "memset" )] |
1140 | #[cfg_attr (miri, track_caller)] // even without panics, this helps for Miri backtraces |
1141 | #[stable (feature = "non_null_convenience" , since = "1.80.0" )] |
1142 | #[rustc_const_stable (feature = "const_ptr_write" , since = "1.83.0" )] |
1143 | pub const unsafe fn write_bytes(self, val: u8, count: usize) |
1144 | where |
1145 | T: Sized, |
1146 | { |
1147 | // SAFETY: the caller must uphold the safety contract for `write_bytes`. |
1148 | unsafe { ptr::write_bytes(self.as_ptr(), val, count) } |
1149 | } |
1150 | |
1151 | /// Performs a volatile write of a memory location with the given value without |
1152 | /// reading or dropping the old value. |
1153 | /// |
1154 | /// Volatile operations are intended to act on I/O memory, and are guaranteed |
1155 | /// to not be elided or reordered by the compiler across other volatile |
1156 | /// operations. |
1157 | /// |
1158 | /// See [`ptr::write_volatile`] for safety concerns and examples. |
1159 | /// |
1160 | /// [`ptr::write_volatile`]: crate::ptr::write_volatile() |
1161 | #[inline (always)] |
1162 | #[cfg_attr (miri, track_caller)] // even without panics, this helps for Miri backtraces |
1163 | #[stable (feature = "non_null_convenience" , since = "1.80.0" )] |
1164 | pub unsafe fn write_volatile(self, val: T) |
1165 | where |
1166 | T: Sized, |
1167 | { |
1168 | // SAFETY: the caller must uphold the safety contract for `write_volatile`. |
1169 | unsafe { ptr::write_volatile(self.as_ptr(), val) } |
1170 | } |
1171 | |
1172 | /// Overwrites a memory location with the given value without reading or |
1173 | /// dropping the old value. |
1174 | /// |
1175 | /// Unlike `write`, the pointer may be unaligned. |
1176 | /// |
1177 | /// See [`ptr::write_unaligned`] for safety concerns and examples. |
1178 | /// |
1179 | /// [`ptr::write_unaligned`]: crate::ptr::write_unaligned() |
1180 | #[inline (always)] |
1181 | #[cfg_attr (miri, track_caller)] // even without panics, this helps for Miri backtraces |
1182 | #[stable (feature = "non_null_convenience" , since = "1.80.0" )] |
1183 | #[rustc_const_stable (feature = "const_ptr_write" , since = "1.83.0" )] |
1184 | pub const unsafe fn write_unaligned(self, val: T) |
1185 | where |
1186 | T: Sized, |
1187 | { |
1188 | // SAFETY: the caller must uphold the safety contract for `write_unaligned`. |
1189 | unsafe { ptr::write_unaligned(self.as_ptr(), val) } |
1190 | } |
1191 | |
1192 | /// Replaces the value at `self` with `src`, returning the old |
1193 | /// value, without dropping either. |
1194 | /// |
1195 | /// See [`ptr::replace`] for safety concerns and examples. |
1196 | /// |
1197 | /// [`ptr::replace`]: crate::ptr::replace() |
1198 | #[inline (always)] |
1199 | #[stable (feature = "non_null_convenience" , since = "1.80.0" )] |
1200 | #[rustc_const_stable (feature = "const_inherent_ptr_replace" , since = "1.88.0" )] |
1201 | pub const unsafe fn replace(self, src: T) -> T |
1202 | where |
1203 | T: Sized, |
1204 | { |
1205 | // SAFETY: the caller must uphold the safety contract for `replace`. |
1206 | unsafe { ptr::replace(self.as_ptr(), src) } |
1207 | } |
1208 | |
1209 | /// Swaps the values at two mutable locations of the same type, without |
1210 | /// deinitializing either. They may overlap, unlike `mem::swap` which is |
1211 | /// otherwise equivalent. |
1212 | /// |
1213 | /// See [`ptr::swap`] for safety concerns and examples. |
1214 | /// |
1215 | /// [`ptr::swap`]: crate::ptr::swap() |
1216 | #[inline (always)] |
1217 | #[stable (feature = "non_null_convenience" , since = "1.80.0" )] |
1218 | #[rustc_const_stable (feature = "const_swap" , since = "1.85.0" )] |
1219 | pub const unsafe fn swap(self, with: NonNull<T>) |
1220 | where |
1221 | T: Sized, |
1222 | { |
1223 | // SAFETY: the caller must uphold the safety contract for `swap`. |
1224 | unsafe { ptr::swap(self.as_ptr(), with.as_ptr()) } |
1225 | } |
1226 | |
1227 | /// Computes the offset that needs to be applied to the pointer in order to make it aligned to |
1228 | /// `align`. |
1229 | /// |
1230 | /// If it is not possible to align the pointer, the implementation returns |
1231 | /// `usize::MAX`. |
1232 | /// |
1233 | /// The offset is expressed in number of `T` elements, and not bytes. |
1234 | /// |
1235 | /// There are no guarantees whatsoever that offsetting the pointer will not overflow or go |
1236 | /// beyond the allocation that the pointer points into. It is up to the caller to ensure that |
1237 | /// the returned offset is correct in all terms other than alignment. |
1238 | /// |
1239 | /// When this is called during compile-time evaluation (which is unstable), the implementation |
1240 | /// may return `usize::MAX` in cases where that can never happen at runtime. This is because the |
1241 | /// actual alignment of pointers is not known yet during compile-time, so an offset with |
1242 | /// guaranteed alignment can sometimes not be computed. For example, a buffer declared as `[u8; |
1243 | /// N]` might be allocated at an odd or an even address, but at compile-time this is not yet |
1244 | /// known, so the execution has to be correct for either choice. It is therefore impossible to |
1245 | /// find an offset that is guaranteed to be 2-aligned. (This behavior is subject to change, as usual |
1246 | /// for unstable APIs.) |
1247 | /// |
1248 | /// # Panics |
1249 | /// |
1250 | /// The function panics if `align` is not a power-of-two. |
1251 | /// |
1252 | /// # Examples |
1253 | /// |
1254 | /// Accessing adjacent `u8` as `u16` |
1255 | /// |
1256 | /// ``` |
1257 | /// use std::ptr::NonNull; |
1258 | /// |
1259 | /// # unsafe { |
1260 | /// let x = [5_u8, 6, 7, 8, 9]; |
1261 | /// let ptr = NonNull::new(x.as_ptr() as *mut u8).unwrap(); |
1262 | /// let offset = ptr.align_offset(align_of::<u16>()); |
1263 | /// |
1264 | /// if offset < x.len() - 1 { |
1265 | /// let u16_ptr = ptr.add(offset).cast::<u16>(); |
1266 | /// assert!(u16_ptr.read() == u16::from_ne_bytes([5, 6]) || u16_ptr.read() == u16::from_ne_bytes([6, 7])); |
1267 | /// } else { |
1268 | /// // while the pointer can be aligned via `offset`, it would point |
1269 | /// // outside the allocation |
1270 | /// } |
1271 | /// # } |
1272 | /// ``` |
1273 | #[inline ] |
1274 | #[must_use ] |
1275 | #[stable (feature = "non_null_convenience" , since = "1.80.0" )] |
1276 | pub fn align_offset(self, align: usize) -> usize |
1277 | where |
1278 | T: Sized, |
1279 | { |
1280 | if !align.is_power_of_two() { |
1281 | panic!("align_offset: align is not a power-of-two" ); |
1282 | } |
1283 | |
1284 | { |
1285 | // SAFETY: `align` has been checked to be a power of 2 above. |
1286 | unsafe { ptr::align_offset(self.as_ptr(), align) } |
1287 | } |
1288 | } |
1289 | |
1290 | /// Returns whether the pointer is properly aligned for `T`. |
1291 | /// |
1292 | /// # Examples |
1293 | /// |
1294 | /// ``` |
1295 | /// use std::ptr::NonNull; |
1296 | /// |
1297 | /// // On some platforms, the alignment of i32 is less than 4. |
1298 | /// #[repr(align(4))] |
1299 | /// struct AlignedI32(i32); |
1300 | /// |
1301 | /// let data = AlignedI32(42); |
1302 | /// let ptr = NonNull::<AlignedI32>::from(&data); |
1303 | /// |
1304 | /// assert!(ptr.is_aligned()); |
1305 | /// assert!(!NonNull::new(ptr.as_ptr().wrapping_byte_add(1)).unwrap().is_aligned()); |
1306 | /// ``` |
1307 | #[inline ] |
1308 | #[must_use ] |
1309 | #[stable (feature = "pointer_is_aligned" , since = "1.79.0" )] |
1310 | pub fn is_aligned(self) -> bool |
1311 | where |
1312 | T: Sized, |
1313 | { |
1314 | self.as_ptr().is_aligned() |
1315 | } |
1316 | |
1317 | /// Returns whether the pointer is aligned to `align`. |
1318 | /// |
1319 | /// For non-`Sized` pointees this operation considers only the data pointer, |
1320 | /// ignoring the metadata. |
1321 | /// |
1322 | /// # Panics |
1323 | /// |
1324 | /// The function panics if `align` is not a power-of-two (this includes 0). |
1325 | /// |
1326 | /// # Examples |
1327 | /// |
1328 | /// ``` |
1329 | /// #![feature(pointer_is_aligned_to)] |
1330 | /// |
1331 | /// // On some platforms, the alignment of i32 is less than 4. |
1332 | /// #[repr(align(4))] |
1333 | /// struct AlignedI32(i32); |
1334 | /// |
1335 | /// let data = AlignedI32(42); |
1336 | /// let ptr = &data as *const AlignedI32; |
1337 | /// |
1338 | /// assert!(ptr.is_aligned_to(1)); |
1339 | /// assert!(ptr.is_aligned_to(2)); |
1340 | /// assert!(ptr.is_aligned_to(4)); |
1341 | /// |
1342 | /// assert!(ptr.wrapping_byte_add(2).is_aligned_to(2)); |
1343 | /// assert!(!ptr.wrapping_byte_add(2).is_aligned_to(4)); |
1344 | /// |
1345 | /// assert_ne!(ptr.is_aligned_to(8), ptr.wrapping_add(1).is_aligned_to(8)); |
1346 | /// ``` |
1347 | #[inline ] |
1348 | #[must_use ] |
1349 | #[unstable (feature = "pointer_is_aligned_to" , issue = "96284" )] |
1350 | pub fn is_aligned_to(self, align: usize) -> bool { |
1351 | self.as_ptr().is_aligned_to(align) |
1352 | } |
1353 | } |
1354 | |
1355 | impl<T> NonNull<[T]> { |
1356 | /// Creates a non-null raw slice from a thin pointer and a length. |
1357 | /// |
1358 | /// The `len` argument is the number of **elements**, not the number of bytes. |
1359 | /// |
1360 | /// This function is safe, but dereferencing the return value is unsafe. |
1361 | /// See the documentation of [`slice::from_raw_parts`] for slice safety requirements. |
1362 | /// |
1363 | /// # Examples |
1364 | /// |
1365 | /// ```rust |
1366 | /// use std::ptr::NonNull; |
1367 | /// |
1368 | /// // create a slice pointer when starting out with a pointer to the first element |
1369 | /// let mut x = [5, 6, 7]; |
1370 | /// let nonnull_pointer = NonNull::new(x.as_mut_ptr()).unwrap(); |
1371 | /// let slice = NonNull::slice_from_raw_parts(nonnull_pointer, 3); |
1372 | /// assert_eq!(unsafe { slice.as_ref()[2] }, 7); |
1373 | /// ``` |
1374 | /// |
1375 | /// (Note that this example artificially demonstrates a use of this method, |
1376 | /// but `let slice = NonNull::from(&x[..]);` would be a better way to write code like this.) |
1377 | #[stable (feature = "nonnull_slice_from_raw_parts" , since = "1.70.0" )] |
1378 | #[rustc_const_stable (feature = "const_slice_from_raw_parts_mut" , since = "1.83.0" )] |
1379 | #[must_use ] |
1380 | #[inline ] |
1381 | pub const fn slice_from_raw_parts(data: NonNull<T>, len: usize) -> Self { |
1382 | // SAFETY: `data` is a `NonNull` pointer which is necessarily non-null |
1383 | unsafe { Self::new_unchecked(super::slice_from_raw_parts_mut(data.as_ptr(), len)) } |
1384 | } |
1385 | |
1386 | /// Returns the length of a non-null raw slice. |
1387 | /// |
1388 | /// The returned value is the number of **elements**, not the number of bytes. |
1389 | /// |
1390 | /// This function is safe, even when the non-null raw slice cannot be dereferenced to a slice |
1391 | /// because the pointer does not have a valid address. |
1392 | /// |
1393 | /// # Examples |
1394 | /// |
1395 | /// ```rust |
1396 | /// use std::ptr::NonNull; |
1397 | /// |
1398 | /// let slice: NonNull<[i8]> = NonNull::slice_from_raw_parts(NonNull::dangling(), 3); |
1399 | /// assert_eq!(slice.len(), 3); |
1400 | /// ``` |
1401 | #[stable (feature = "slice_ptr_len_nonnull" , since = "1.63.0" )] |
1402 | #[rustc_const_stable (feature = "const_slice_ptr_len_nonnull" , since = "1.63.0" )] |
1403 | #[must_use ] |
1404 | #[inline ] |
1405 | pub const fn len(self) -> usize { |
1406 | self.as_ptr().len() |
1407 | } |
1408 | |
1409 | /// Returns `true` if the non-null raw slice has a length of 0. |
1410 | /// |
1411 | /// # Examples |
1412 | /// |
1413 | /// ```rust |
1414 | /// use std::ptr::NonNull; |
1415 | /// |
1416 | /// let slice: NonNull<[i8]> = NonNull::slice_from_raw_parts(NonNull::dangling(), 3); |
1417 | /// assert!(!slice.is_empty()); |
1418 | /// ``` |
1419 | #[stable (feature = "slice_ptr_is_empty_nonnull" , since = "1.79.0" )] |
1420 | #[rustc_const_stable (feature = "const_slice_ptr_is_empty_nonnull" , since = "1.79.0" )] |
1421 | #[must_use ] |
1422 | #[inline ] |
1423 | pub const fn is_empty(self) -> bool { |
1424 | self.len() == 0 |
1425 | } |
1426 | |
1427 | /// Returns a non-null pointer to the slice's buffer. |
1428 | /// |
1429 | /// # Examples |
1430 | /// |
1431 | /// ```rust |
1432 | /// #![feature(slice_ptr_get)] |
1433 | /// use std::ptr::NonNull; |
1434 | /// |
1435 | /// let slice: NonNull<[i8]> = NonNull::slice_from_raw_parts(NonNull::dangling(), 3); |
1436 | /// assert_eq!(slice.as_non_null_ptr(), NonNull::<i8>::dangling()); |
1437 | /// ``` |
1438 | #[inline ] |
1439 | #[must_use ] |
1440 | #[unstable (feature = "slice_ptr_get" , issue = "74265" )] |
1441 | pub const fn as_non_null_ptr(self) -> NonNull<T> { |
1442 | self.cast() |
1443 | } |
1444 | |
1445 | /// Returns a raw pointer to the slice's buffer. |
1446 | /// |
1447 | /// # Examples |
1448 | /// |
1449 | /// ```rust |
1450 | /// #![feature(slice_ptr_get)] |
1451 | /// use std::ptr::NonNull; |
1452 | /// |
1453 | /// let slice: NonNull<[i8]> = NonNull::slice_from_raw_parts(NonNull::dangling(), 3); |
1454 | /// assert_eq!(slice.as_mut_ptr(), NonNull::<i8>::dangling().as_ptr()); |
1455 | /// ``` |
1456 | #[inline ] |
1457 | #[must_use ] |
1458 | #[unstable (feature = "slice_ptr_get" , issue = "74265" )] |
1459 | #[rustc_never_returns_null_ptr ] |
1460 | pub const fn as_mut_ptr(self) -> *mut T { |
1461 | self.as_non_null_ptr().as_ptr() |
1462 | } |
1463 | |
1464 | /// Returns a shared reference to a slice of possibly uninitialized values. In contrast to |
1465 | /// [`as_ref`], this does not require that the value has to be initialized. |
1466 | /// |
1467 | /// For the mutable counterpart see [`as_uninit_slice_mut`]. |
1468 | /// |
1469 | /// [`as_ref`]: NonNull::as_ref |
1470 | /// [`as_uninit_slice_mut`]: NonNull::as_uninit_slice_mut |
1471 | /// |
1472 | /// # Safety |
1473 | /// |
1474 | /// When calling this method, you have to ensure that all of the following is true: |
1475 | /// |
1476 | /// * The pointer must be [valid] for reads for `ptr.len() * size_of::<T>()` many bytes, |
1477 | /// and it must be properly aligned. This means in particular: |
1478 | /// |
1479 | /// * The entire memory range of this slice must be contained within a single allocation! |
1480 | /// Slices can never span across multiple allocations. |
1481 | /// |
1482 | /// * The pointer must be aligned even for zero-length slices. One |
1483 | /// reason for this is that enum layout optimizations may rely on references |
1484 | /// (including slices of any length) being aligned and non-null to distinguish |
1485 | /// them from other data. You can obtain a pointer that is usable as `data` |
1486 | /// for zero-length slices using [`NonNull::dangling()`]. |
1487 | /// |
1488 | /// * The total size `ptr.len() * size_of::<T>()` of the slice must be no larger than `isize::MAX`. |
1489 | /// See the safety documentation of [`pointer::offset`]. |
1490 | /// |
1491 | /// * You must enforce Rust's aliasing rules, since the returned lifetime `'a` is |
1492 | /// arbitrarily chosen and does not necessarily reflect the actual lifetime of the data. |
1493 | /// In particular, while this reference exists, the memory the pointer points to must |
1494 | /// not get mutated (except inside `UnsafeCell`). |
1495 | /// |
1496 | /// This applies even if the result of this method is unused! |
1497 | /// |
1498 | /// See also [`slice::from_raw_parts`]. |
1499 | /// |
1500 | /// [valid]: crate::ptr#safety |
1501 | #[inline ] |
1502 | #[must_use ] |
1503 | #[unstable (feature = "ptr_as_uninit" , issue = "75402" )] |
1504 | pub const unsafe fn as_uninit_slice<'a>(self) -> &'a [MaybeUninit<T>] { |
1505 | // SAFETY: the caller must uphold the safety contract for `as_uninit_slice`. |
1506 | unsafe { slice::from_raw_parts(self.cast().as_ptr(), self.len()) } |
1507 | } |
1508 | |
1509 | /// Returns a unique reference to a slice of possibly uninitialized values. In contrast to |
1510 | /// [`as_mut`], this does not require that the value has to be initialized. |
1511 | /// |
1512 | /// For the shared counterpart see [`as_uninit_slice`]. |
1513 | /// |
1514 | /// [`as_mut`]: NonNull::as_mut |
1515 | /// [`as_uninit_slice`]: NonNull::as_uninit_slice |
1516 | /// |
1517 | /// # Safety |
1518 | /// |
1519 | /// When calling this method, you have to ensure that all of the following is true: |
1520 | /// |
1521 | /// * The pointer must be [valid] for reads and writes for `ptr.len() * size_of::<T>()` |
1522 | /// many bytes, and it must be properly aligned. This means in particular: |
1523 | /// |
1524 | /// * The entire memory range of this slice must be contained within a single allocation! |
1525 | /// Slices can never span across multiple allocations. |
1526 | /// |
1527 | /// * The pointer must be aligned even for zero-length slices. One |
1528 | /// reason for this is that enum layout optimizations may rely on references |
1529 | /// (including slices of any length) being aligned and non-null to distinguish |
1530 | /// them from other data. You can obtain a pointer that is usable as `data` |
1531 | /// for zero-length slices using [`NonNull::dangling()`]. |
1532 | /// |
1533 | /// * The total size `ptr.len() * size_of::<T>()` of the slice must be no larger than `isize::MAX`. |
1534 | /// See the safety documentation of [`pointer::offset`]. |
1535 | /// |
1536 | /// * You must enforce Rust's aliasing rules, since the returned lifetime `'a` is |
1537 | /// arbitrarily chosen and does not necessarily reflect the actual lifetime of the data. |
1538 | /// In particular, while this reference exists, the memory the pointer points to must |
1539 | /// not get accessed (read or written) through any other pointer. |
1540 | /// |
1541 | /// This applies even if the result of this method is unused! |
1542 | /// |
1543 | /// See also [`slice::from_raw_parts_mut`]. |
1544 | /// |
1545 | /// [valid]: crate::ptr#safety |
1546 | /// |
1547 | /// # Examples |
1548 | /// |
1549 | /// ```rust |
1550 | /// #![feature(allocator_api, ptr_as_uninit)] |
1551 | /// |
1552 | /// use std::alloc::{Allocator, Layout, Global}; |
1553 | /// use std::mem::MaybeUninit; |
1554 | /// use std::ptr::NonNull; |
1555 | /// |
1556 | /// let memory: NonNull<[u8]> = Global.allocate(Layout::new::<[u8; 32]>())?; |
1557 | /// // This is safe as `memory` is valid for reads and writes for `memory.len()` many bytes. |
1558 | /// // Note that calling `memory.as_mut()` is not allowed here as the content may be uninitialized. |
1559 | /// # #[allow (unused_variables)] |
1560 | /// let slice: &mut [MaybeUninit<u8>] = unsafe { memory.as_uninit_slice_mut() }; |
1561 | /// # // Prevent leaks for Miri. |
1562 | /// # unsafe { Global.deallocate(memory.cast(), Layout::new::<[u8; 32]>()); } |
1563 | /// # Ok::<_, std::alloc::AllocError>(()) |
1564 | /// ``` |
1565 | #[inline ] |
1566 | #[must_use ] |
1567 | #[unstable (feature = "ptr_as_uninit" , issue = "75402" )] |
1568 | pub const unsafe fn as_uninit_slice_mut<'a>(self) -> &'a mut [MaybeUninit<T>] { |
1569 | // SAFETY: the caller must uphold the safety contract for `as_uninit_slice_mut`. |
1570 | unsafe { slice::from_raw_parts_mut(self.cast().as_ptr(), self.len()) } |
1571 | } |
1572 | |
1573 | /// Returns a raw pointer to an element or subslice, without doing bounds |
1574 | /// checking. |
1575 | /// |
1576 | /// Calling this method with an out-of-bounds index or when `self` is not dereferenceable |
1577 | /// is *[undefined behavior]* even if the resulting pointer is not used. |
1578 | /// |
1579 | /// [undefined behavior]: https://doc.rust-lang.org/reference/behavior-considered-undefined.html |
1580 | /// |
1581 | /// # Examples |
1582 | /// |
1583 | /// ``` |
1584 | /// #![feature(slice_ptr_get)] |
1585 | /// use std::ptr::NonNull; |
1586 | /// |
1587 | /// let x = &mut [1, 2, 4]; |
1588 | /// let x = NonNull::slice_from_raw_parts(NonNull::new(x.as_mut_ptr()).unwrap(), x.len()); |
1589 | /// |
1590 | /// unsafe { |
1591 | /// assert_eq!(x.get_unchecked_mut(1).as_ptr(), x.as_non_null_ptr().as_ptr().add(1)); |
1592 | /// } |
1593 | /// ``` |
1594 | #[unstable (feature = "slice_ptr_get" , issue = "74265" )] |
1595 | #[inline ] |
1596 | pub unsafe fn get_unchecked_mut<I>(self, index: I) -> NonNull<I::Output> |
1597 | where |
1598 | I: SliceIndex<[T]>, |
1599 | { |
1600 | // SAFETY: the caller ensures that `self` is dereferenceable and `index` in-bounds. |
1601 | // As a consequence, the resulting pointer cannot be null. |
1602 | unsafe { NonNull::new_unchecked(self.as_ptr().get_unchecked_mut(index)) } |
1603 | } |
1604 | } |
1605 | |
1606 | #[stable (feature = "nonnull" , since = "1.25.0" )] |
1607 | impl<T: ?Sized> Clone for NonNull<T> { |
1608 | #[inline (always)] |
1609 | fn clone(&self) -> Self { |
1610 | *self |
1611 | } |
1612 | } |
1613 | |
1614 | #[stable (feature = "nonnull" , since = "1.25.0" )] |
1615 | impl<T: ?Sized> Copy for NonNull<T> {} |
1616 | |
1617 | #[unstable (feature = "coerce_unsized" , issue = "18598" )] |
1618 | impl<T: ?Sized, U: ?Sized> CoerceUnsized<NonNull<U>> for NonNull<T> where T: Unsize<U> {} |
1619 | |
1620 | #[unstable (feature = "dispatch_from_dyn" , issue = "none" )] |
1621 | impl<T: ?Sized, U: ?Sized> DispatchFromDyn<NonNull<U>> for NonNull<T> where T: Unsize<U> {} |
1622 | |
1623 | #[stable (feature = "pin" , since = "1.33.0" )] |
1624 | unsafe impl<T: ?Sized> PinCoerceUnsized for NonNull<T> {} |
1625 | |
1626 | #[unstable (feature = "pointer_like_trait" , issue = "none" )] |
1627 | impl<T> core::marker::PointerLike for NonNull<T> {} |
1628 | |
1629 | #[stable (feature = "nonnull" , since = "1.25.0" )] |
1630 | impl<T: ?Sized> fmt::Debug for NonNull<T> { |
1631 | fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { |
1632 | fmt::Pointer::fmt(&self.as_ptr(), f) |
1633 | } |
1634 | } |
1635 | |
1636 | #[stable (feature = "nonnull" , since = "1.25.0" )] |
1637 | impl<T: ?Sized> fmt::Pointer for NonNull<T> { |
1638 | fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { |
1639 | fmt::Pointer::fmt(&self.as_ptr(), f) |
1640 | } |
1641 | } |
1642 | |
1643 | #[stable (feature = "nonnull" , since = "1.25.0" )] |
1644 | impl<T: ?Sized> Eq for NonNull<T> {} |
1645 | |
1646 | #[stable (feature = "nonnull" , since = "1.25.0" )] |
1647 | impl<T: ?Sized> PartialEq for NonNull<T> { |
1648 | #[inline ] |
1649 | #[allow (ambiguous_wide_pointer_comparisons)] |
1650 | fn eq(&self, other: &Self) -> bool { |
1651 | self.as_ptr() == other.as_ptr() |
1652 | } |
1653 | } |
1654 | |
1655 | #[stable (feature = "nonnull" , since = "1.25.0" )] |
1656 | impl<T: ?Sized> Ord for NonNull<T> { |
1657 | #[inline ] |
1658 | #[allow (ambiguous_wide_pointer_comparisons)] |
1659 | fn cmp(&self, other: &Self) -> Ordering { |
1660 | self.as_ptr().cmp(&other.as_ptr()) |
1661 | } |
1662 | } |
1663 | |
1664 | #[stable (feature = "nonnull" , since = "1.25.0" )] |
1665 | impl<T: ?Sized> PartialOrd for NonNull<T> { |
1666 | #[inline ] |
1667 | #[allow (ambiguous_wide_pointer_comparisons)] |
1668 | fn partial_cmp(&self, other: &Self) -> Option<Ordering> { |
1669 | self.as_ptr().partial_cmp(&other.as_ptr()) |
1670 | } |
1671 | } |
1672 | |
1673 | #[stable (feature = "nonnull" , since = "1.25.0" )] |
1674 | impl<T: ?Sized> hash::Hash for NonNull<T> { |
1675 | #[inline ] |
1676 | fn hash<H: hash::Hasher>(&self, state: &mut H) { |
1677 | self.as_ptr().hash(state) |
1678 | } |
1679 | } |
1680 | |
1681 | #[unstable (feature = "ptr_internals" , issue = "none" )] |
1682 | impl<T: ?Sized> From<Unique<T>> for NonNull<T> { |
1683 | #[inline ] |
1684 | fn from(unique: Unique<T>) -> Self { |
1685 | unique.as_non_null_ptr() |
1686 | } |
1687 | } |
1688 | |
1689 | #[stable (feature = "nonnull" , since = "1.25.0" )] |
1690 | impl<T: ?Sized> From<&mut T> for NonNull<T> { |
1691 | /// Converts a `&mut T` to a `NonNull<T>`. |
1692 | /// |
1693 | /// This conversion is safe and infallible since references cannot be null. |
1694 | #[inline ] |
1695 | fn from(r: &mut T) -> Self { |
1696 | NonNull::from_mut(r) |
1697 | } |
1698 | } |
1699 | |
1700 | #[stable (feature = "nonnull" , since = "1.25.0" )] |
1701 | impl<T: ?Sized> From<&T> for NonNull<T> { |
1702 | /// Converts a `&T` to a `NonNull<T>`. |
1703 | /// |
1704 | /// This conversion is safe and infallible since references cannot be null. |
1705 | #[inline ] |
1706 | fn from(r: &T) -> Self { |
1707 | NonNull::from_ref(r) |
1708 | } |
1709 | } |
1710 | |