mod.rs source code [crates/core/src/ptr/mod.rs]

1	//! Manually manage memory through raw pointers.
2	//!
3	//! [See also the pointer primitive types](pointer).
4	//!
5	//! # Safety
6	//!
7	//! Many functions in this module take raw pointers as arguments and read from or write to them. For
8	//! this to be safe, these pointers must be valid* for the given access. Whether a pointer is valid*
9	//! depends on the operation it is used for (read or write), and the extent of the memory that is
10	//! accessed (i.e., how many bytes are read/written) -- it makes no sense to ask "is this pointer
11	//! valid"; one has to ask "is this pointer valid for a given access". Most functions use `mut T`*
12	//! and `const T` to access only a single value, in which case the documentation omits the size and*
13	//! implicitly assumes it to be `size_of::<T>()` bytes.
14	//!
15	//! The precise rules for validity are not determined yet. The guarantees that are
16	//! provided at this point are very minimal:
17	//!
18	//! For memory accesses of [size zero][zst], every pointer is valid, including the* [null]
19	//! pointer. The following points are only concerned with non-zero-sized accesses.
20	//! A* [null] pointer is never* valid.*
21	//! For a pointer to be valid, it is necessary, but not always sufficient, that the pointer be*
22	//! dereferenceable. The [provenance] of the pointer is used to determine which [allocated
23	//! object] it is derived from; a pointer is dereferenceable if the memory range of the given size
24	//! starting at the pointer is entirely contained within the bounds of that allocated object. Note
25	//! that in Rust, every (stack-allocated) variable is considered a separate allocated object.
26	//! All accesses performed by functions in this module are non-atomic in the sense*
27	//! of [atomic operations] used to synchronize between threads. This means it is
28	//! undefined behavior to perform two concurrent accesses to the same location from different
29	//! threads unless both accesses only read from memory. Notice that this explicitly
30	//! includes [`read_volatile`] and [`write_volatile`]: Volatile accesses cannot
31	//! be used for inter-thread synchronization.
32	//! The result of casting a reference to a pointer is valid for as long as the*
33	//! underlying object is live and no reference (just raw pointers) is used to
34	//! access the same memory. That is, reference and pointer accesses cannot be
35	//! interleaved.
36	//!
37	//! These axioms, along with careful use of [`offset`] for pointer arithmetic,
38	//! are enough to correctly implement many useful things in unsafe code. Stronger guarantees
39	//! will be provided eventually, as the [aliasing] rules are being determined. For more
40	//! information, see the [book] as well as the section in the reference devoted
41	//! to [undefined behavior][ub].
42	//!
43	//! We say that a pointer is "dangling" if it is not valid for any non-zero-sized accesses. This
44	//! means out-of-bounds pointers, pointers to freed memory, null pointers, and pointers created with
45	//! [`NonNull::dangling`] are all dangling.
46	//!
47	//! ## Alignment
48	//!
49	//! Valid raw pointers as defined above are not necessarily properly aligned (where
50	//! "proper" alignment is defined by the pointee type, i.e., `const T` must be*
51	//! aligned to `align_of::<T>()`). However, most functions require their
52	//! arguments to be properly aligned, and will explicitly state
53	//! this requirement in their documentation. Notable exceptions to this are
54	//! [`read_unaligned`] and [`write_unaligned`].
55	//!
56	//! When a function requires proper alignment, it does so even if the access
57	//! has size 0, i.e., even if memory is not actually touched. Consider using
58	//! [`NonNull::dangling`] in such cases.
59	//!
60	//! ## Pointer to reference conversion
61	//!
62	//! When converting a pointer to a reference (e.g. via `&ptr` or `&mut ptr`),
63	//! there are several rules that must be followed:
64	//!
65	//! The pointer must be properly aligned.*
66	//!
67	//! It must be non-null.*
68	//!
69	//! It must be "dereferenceable" in the sense defined above.*
70	//!
71	//! The pointer must point to a [valid value] of type `T`.*
72	//!
73	//! You must enforce Rust's aliasing rules. The exact aliasing rules are not decided yet, so we*
74	//! only give a rough overview here. The rules also depend on whether a mutable or a shared
75	//! reference is being created.
76	//! When creating a mutable reference, then while this reference exists, the memory it points to*
77	//! must not get accessed (read or written) through any other pointer or reference not derived
78	//! from this reference.
79	//! When creating a shared reference, then while this reference exists, the memory it points to*
80	//! must not get mutated (except inside `UnsafeCell`).
81	//!
82	//! If a pointer follows all of these rules, it is said to be
83	//! convertible to a (mutable or shared) reference.
84	// ^ we use this term instead of saying that the produced reference must
85	// be valid, as the validity of a reference is easily confused for the
86	// validity of the thing it refers to, and while the two concepts are
87	// closely related, they are not identical.
88	//!
89	//! These rules apply even if the result is unused!
90	//! (The part about being initialized is not yet fully decided, but until
91	//! it is, the only safe approach is to ensure that they are indeed initialized.)
92	//!
93	//! An example of the implications of the above rules is that an expression such
94	//! as `unsafe { &(0 as const u8) }` is Immediate Undefined Behavior.
95	//!
96	//! [valid value]: ../../reference/behavior-considered-undefined.html#invalid-values
97	//!
98	//! ## Allocated object
99	//!
100	//! An allocated object* is a subset of program memory which is addressable*
101	//! from Rust, and within which pointer arithmetic is possible. Examples of
102	//! allocated objects include heap allocations, stack-allocated variables,
103	//! statics, and consts. The safety preconditions of some Rust operations -
104	//! such as `offset` and field projections (`expr.field`) - are defined in
105	//! terms of the allocated objects on which they operate.
106	//!
107	//! An allocated object has a base address, a size, and a set of memory
108	//! addresses. It is possible for an allocated object to have zero size, but
109	//! such an allocated object will still have a base address. The base address
110	//! of an allocated object is not necessarily unique. While it is currently the
111	//! case that an allocated object always has a set of memory addresses which is
112	//! fully contiguous (i.e., has no "holes"), there is no guarantee that this
113	//! will not change in the future.
114	//!
115	//! For any allocated object with `base` address, `size`, and a set of
116	//! `addresses`, the following are guaranteed:
117	//! - For all addresses `a` in `addresses`, `a` is in the range `base .. (base +
118	//! size)` (note that this requires `a < base + size`, not `a <= base + size`)
119	//! - `base` is not equal to [`null()`] (i.e., the address with the numerical
120	//! value 0)
121	//! - `base + size <= usize::MAX`
122	//! - `size <= isize::MAX`
123	//!
124	//! As a consequence of these guarantees, given any address `a` within the set
125	//! of addresses of an allocated object:
126	//! - It is guaranteed that `a - base` does not overflow `isize`
127	//! - It is guaranteed that `a - base` is non-negative
128	//! - It is guaranteed that, given `o = a - base` (i.e., the offset of `a` within
129	//! the allocated object), `base + o` will not wrap around the address space (in
130	//! other words, will not overflow `usize`)
131	//!
132	//! [`null()`]: null
133	//!
134	//! # Provenance
135	//!
136	//! Pointers are not simply* an "integer" or "address". For instance, it's uncontroversial*
137	//! to say that a Use After Free is clearly Undefined Behavior, even if you "get lucky"
138	//! and the freed memory gets reallocated before your read/write (in fact this is the
139	//! worst-case scenario, UAFs would be much less concerning if this didn't happen!).
140	//! As another example, consider that [`wrapping_offset`] is documented to "remember"
141	//! the allocated object that the original pointer points to, even if it is offset far
142	//! outside the memory range occupied by that allocated object.
143	//! To rationalize claims like this, pointers need to somehow be more* than just their addresses:*
144	//! they must have provenance.
145	//!
146	//! A pointer value in Rust semantically contains the following information:
147	//!
148	//! The address it points to, which can be represented by a `usize`.*
149	//! The provenance it has, defining the memory it has permission to access. Provenance can be*
150	//! absent, in which case the pointer does not have permission to access any memory.
151	//!
152	//! The exact structure of provenance is not yet specified, but the permission defined by a
153	//! pointer's provenance have a spatial component, a temporal component, and a mutability
154	//! component:
155	//!
156	//! Spatial: The set of memory addresses that the pointer is allowed to access.*
157	//! Temporal: The timespan during which the pointer is allowed to access those memory addresses.*
158	//! Mutability: Whether the pointer may only access the memory for reads, or also access it for*
159	//! writes. Note that this can interact with the other components, e.g. a pointer might permit
160	//! mutation only for a subset of addresses, or only for a subset of its maximal timespan.
161	//!
162	//! When an [allocated object] is created, it has a unique Original Pointer. For alloc
163	//! APIs this is literally the pointer the call returns, and for local variables and statics,
164	//! this is the name of the variable/static. (This is mildly overloading the term "pointer"
165	//! for the sake of brevity/exposition.)
166	//!
167	//! The Original Pointer for an allocated object has provenance that constrains the spatial
168	//! permissions of this pointer to the memory range of the allocation, and the temporal
169	//! permissions to the lifetime of the allocation. Provenance is implicitly inherited by all
170	//! pointers transitively derived from the Original Pointer through operations like [`offset`],
171	//! borrowing, and pointer casts. Some operations may shrink* the permissions of the derived*
172	//! provenance, limiting how much memory it can access or how long it's valid for (i.e. borrowing a
173	//! subfield and subslicing can shrink the spatial component of provenance, and all borrowing can
174	//! shrink the temporal component of provenance). However, no operation can ever grow* the*
175	//! permissions of the derived provenance: even if you "know" there is a larger allocation, you
176	//! can't derive a pointer with a larger provenance. Similarly, you cannot "recombine" two
177	//! contiguous provenances back into one (i.e. with a `fn merge(&[T], &[T]) -> &[T]`).
178	//!
179	//! A reference to a place always has provenance over at least the memory that place occupies.
180	//! A reference to a slice always has provenance over at least the range that slice describes.
181	//! Whether and when exactly the provenance of a reference gets "shrunk" to exactly* fit*
182	//! the memory it points to is not yet determined.
183	//!
184	//! A shared* reference only ever has provenance that permits reading from memory,*
185	//! and never permits writes, except inside [`UnsafeCell`].
186	//!
187	//! Provenance can affect whether a program has undefined behavior:
188	//!
189	//! It is undefined behavior to access memory through a pointer that does not have provenance over*
190	//! that memory. Note that a pointer "at the end" of its provenance is not actually outside its
191	//! provenance, it just has 0 bytes it can load/store. Zero-sized accesses do not require any
192	//! provenance since they access an empty range of memory.
193	//!
194	//! It is undefined behavior to [`offset`] a pointer across a memory range that is not contained*
195	//! in the allocated object it is derived from, or to [`offset_from`] two pointers not derived
196	//! from the same allocated object. Provenance is used to say what exactly "derived from" even
197	//! means: the lineage of a pointer is traced back to the Original Pointer it descends from, and
198	//! that identifies the relevant allocated object. In particular, it's always UB to offset a
199	//! pointer derived from something that is now deallocated, except if the offset is 0.
200	//!
201	//! But it is* still sound to:*
202	//!
203	//! Create a pointer without provenance from just an address (see* [`without_provenance`]). Such a
204	//! pointer cannot be used for memory accesses (except for zero-sized accesses). This can still be
205	//! useful for sentinel values like `null` or* to represent a tagged pointer that will never be*
206	//! dereferenceable. In general, it is always sound for an integer to pretend to be a pointer "for
207	//! fun" as long as you don't use operations on it which require it to be valid (non-zero-sized
208	//! offset, read, write, etc).
209	//!
210	//! Forge an allocation of size zero at any sufficiently aligned non-null address.*
211	//! i.e. the usual "ZSTs are fake, do what you want" rules apply.
212	//!
213	//! [`wrapping_offset`] a pointer outside its provenance. This includes pointers*
214	//! which have "no" provenance. In particular, this makes it sound to do pointer tagging tricks.
215	//!
216	//! Compare arbitrary pointers by address. Pointer comparison ignores provenance and addresses*
217	//! are* just integers, so there is always a coherent answer, even if the pointers are dangling*
218	//! or from different provenances. Note that if you get "lucky" and notice that a pointer at the
219	//! end of one allocated object is the "same" address as the start of another allocated object,
220	//! anything you do with that fact is probably* going to be gibberish. The scope of that*
221	//! gibberish is kept under control by the fact that the two pointers still* aren't allowed to*
222	//! access the other's allocation (bytes), because they still have different provenance.
223	//!
224	//! Note that the full definition of provenance in Rust is not decided yet, as this interacts
225	//! with the as-yet undecided [aliasing] rules.
226	//!
227	//! ## Pointers Vs Integers
228	//!
229	//! From this discussion, it becomes very clear that a `usize` cannot* accurately represent a pointer,*
230	//! and converting from a pointer to a `usize` is generally an operation which only* extracts the*
231	//! address. Converting this address back into pointer requires somehow answering the question:
232	//! which provenance should the resulting pointer have?
233	//!
234	//! Rust provides two ways of dealing with this situation: Strict Provenance* and Exposed Provenance.*
235	//!
236	//! Note that a pointer can* represent a `usize` (via* [`without_provenance`]), so the right type to
237	//! use in situations where a value is "sometimes a pointer and sometimes a bare `usize`" is a
238	//! pointer type.
239	//!
240	//! ## Strict Provenance
241	//!
242	//! "Strict Provenance" refers to a set of APIs designed to make working with provenance more
243	//! explicit. They are intended as substitutes for casting a pointer to an integer and back.
244	//!
245	//! Entirely avoiding integer-to-pointer casts successfully side-steps the inherent ambiguity of
246	//! that operation. This benefits compiler optimizations, and it is pretty much a requirement for
247	//! using tools like [Miri] and architectures like [CHERI] that aim to detect and diagnose pointer
248	//! misuse.
249	//!
250	//! The key insight to making programming without integer-to-pointer casts at all* viable is the*
251	//! [`with_addr`] method:
252	//!
253	//! ```text
254	//! /// Creates a new pointer with the given address.
255	//! ///
256	//! /// This performs the same operation as an `addr as ptr` cast, but copies
257	//! /// the provenance* of `self` to the new pointer.*
258	//! /// This allows us to dynamically preserve and propagate this important
259	//! /// information in a way that is otherwise impossible with a unary cast.
260	//! ///
261	//! /// This is equivalent to using `wrapping_offset` to offset `self` to the
262	//! /// given address, and therefore has all the same capabilities and restrictions.
263	//! pub fn with_addr(self, addr: usize) -> Self;
264	//! ```
265	//!
266	//! So you're still able to drop down to the address representation and do whatever
267	//! clever bit tricks you want as long as* you're able to keep around a pointer*
268	//! into the allocation you care about that can "reconstitute" the provenance.
269	//! Usually this is very easy, because you only are taking a pointer, messing with the address,
270	//! and then immediately converting back to a pointer. To make this use case more ergonomic,
271	//! we provide the [`map_addr`] method.
272	//!
273	//! To help make it clear that code is "following" Strict Provenance semantics, we also provide an
274	//! [`addr`] method which promises that the returned address is not part of a
275	//! pointer-integer-pointer roundtrip. In the future we may provide a lint for pointer<->integer
276	//! casts to help you audit if your code conforms to strict provenance.
277	//!
278	//! ### Using Strict Provenance
279	//!
280	//! Most code needs no changes to conform to strict provenance, as the only really concerning
281	//! operation is casts from usize to a pointer. For code which does* cast a `usize` to a pointer,*
282	//! the scope of the change depends on exactly what you're doing.
283	//!
284	//! In general, you just need to make sure that if you want to convert a `usize` address to a
285	//! pointer and then use that pointer to read/write memory, you need to keep around a pointer
286	//! that has sufficient provenance to perform that read/write itself. In this way all of your
287	//! casts from an address to a pointer are essentially just applying offsets/indexing.
288	//!
289	//! This is generally trivial to do for simple cases like tagged pointers as long as you*
290	//! represent the tagged pointer as an actual pointer and not a `usize`. For instance:*
291	//!
292	//! ```
293	//! unsafe {
294	//! // A flag we want to pack into our pointer
295	//! static HAS_DATA: usize = `0x1`;
296	//! static FLAG_MASK: usize = !HAS_DATA;
297	//!
298	//! // Our value, which must have enough alignment to have spare least-significant-bits.
299	//! let my_precious_data: u32 = `17`;
300	//! assert!(align_of::<u32>() > `1`);
301	//!
302	//! // Create a tagged pointer
303	//! let ptr = &my_precious_data as *const u32;
304	//! let tagged = ptr.map_addr(\|addr\| addr \| HAS_DATA);
305	//!
306	//! // Check the flag:
307	//! if tagged.addr() & HAS_DATA != `0` {
308	//! // Untag and read the pointer
309	//! let data = tagged.map_addr(\|addr\| addr & FLAG_MASK*);
310	//! assert_eq!(data, `17`);
311	//! } else {
312	//! unreachable!()
313	//! }
314	//! }
315	//! ```
316	//!
317	//! (Yes, if you've been using [`AtomicUsize`] for pointers in concurrent datastructures, you should
318	//! be using [`AtomicPtr`] instead. If that messes up the way you atomically manipulate pointers,
319	//! we would like to know why, and what needs to be done to fix it.)
320	//!
321	//! Situations where a valid pointer must* be created from just an address, such as baremetal code*
322	//! accessing a memory-mapped interface at a fixed address, cannot currently be handled with strict
323	//! provenance APIs and should use [exposed provenance](#exposed-provenance).
324	//!
325	//! ## Exposed Provenance
326	//!
327	//! As discussed above, integer-to-pointer casts are not possible with Strict Provenance APIs.
328	//! This is by design: the goal of Strict Provenance is to provide a clear specification that we are
329	//! confident can be formalized unambiguously and can be subject to precise formal reasoning.
330	//! Integer-to-pointer casts do not (currently) have such a clear specification.
331	//!
332	//! However, there exist situations where integer-to-pointer casts cannot be avoided, or
333	//! where avoiding them would require major refactoring. Legacy platform APIs also regularly assume
334	//! that `usize` can capture all the information that makes up a pointer.
335	//! Bare-metal platforms can also require the synthesis of a pointer "out of thin air" without
336	//! anywhere to obtain proper provenance from.
337	//!
338	//! Rust's model for dealing with integer-to-pointer casts is called Exposed Provenance. However,
339	//! the semantics of Exposed Provenance are on much less solid footing than Strict Provenance, and
340	//! at this point it is not yet clear whether a satisfying unambiguous semantics can be defined for
341	//! Exposed Provenance. (If that sounds bad, be reassured that other popular languages that provide
342	//! integer-to-pointer casts are not faring any better.) Furthermore, Exposed Provenance will not
343	//! work (well) with tools like [Miri] and [CHERI].
344	//!
345	//! Exposed Provenance is provided by the [`expose_provenance`] and [`with_exposed_provenance`] methods,
346	//! which are equivalent to `as` casts between pointers and integers.
347	//! - [`expose_provenance`] is a lot like [`addr`], but additionally adds the provenance of the
348	//! pointer to a global list of 'exposed' provenances. (This list is purely conceptual, it exists
349	//! for the purpose of specifying Rust but is not materialized in actual executions, except in
350	//! tools like [Miri].)
351	//! Memory which is outside the control of the Rust abstract machine (MMIO registers, for example)
352	//! is always considered to be exposed, so long as this memory is disjoint from memory that will
353	//! be used by the abstract machine such as the stack, heap, and statics.
354	//! - [`with_exposed_provenance`] can be used to construct a pointer with one of these previously
355	//! 'exposed' provenances. [`with_exposed_provenance`] takes only `addr: usize` as arguments, so
356	//! unlike in [`with_addr`] there is no indication of what the correct provenance for the returned
357	//! pointer is -- and that is exactly what makes integer-to-pointer casts so tricky to rigorously
358	//! specify! The compiler will do its best to pick the right provenance for you, but currently we
359	//! cannot provide any guarantees about which provenance the resulting pointer will have. Only one
360	//! thing is clear: if there is no* previously 'exposed' provenance that justifies the way the*
361	//! returned pointer will be used, the program has undefined behavior.
362	//!
363	//! If at all possible, we encourage code to be ported to [Strict Provenance] APIs, thus avoiding
364	//! the need for Exposed Provenance. Maximizing the amount of such code is a major win for avoiding
365	//! specification complexity and to facilitate adoption of tools like [CHERI] and [Miri] that can be
366	//! a big help in increasing the confidence in (unsafe) Rust code. However, we acknowledge that this
367	//! is not always possible, and offer Exposed Provenance as a way to explicit "opt out" of the
368	//! well-defined semantics of Strict Provenance, and "opt in" to the unclear semantics of
369	//! integer-to-pointer casts.
370	//!
371	//! [aliasing]: ../../nomicon/aliasing.html
372	//! [allocated object]: #allocated-object
373	//! [provenance]: #provenance
374	//! [book]: ../../book/ch19-01-unsafe-rust.html#dereferencing-a-raw-pointer
375	//! [ub]: ../../reference/behavior-considered-undefined.html
376	//! [zst]: ../../nomicon/exotic-sizes.html#zero-sized-types-zsts
377	//! [atomic operations]: crate::sync::atomic
378	//! [`offset`]: pointer::offset
379	//! [`offset_from`]: pointer::offset_from
380	//! [`wrapping_offset`]: pointer::wrapping_offset
381	//! [`with_addr`]: pointer::with_addr
382	//! [`map_addr`]: pointer::map_addr
383	//! [`addr`]: pointer::addr
384	//! [`AtomicUsize`]: crate::sync::atomic::AtomicUsize
385	//! [`AtomicPtr`]: crate::sync::atomic::AtomicPtr
386	//! [`expose_provenance`]: pointer::expose_provenance
387	//! [`with_exposed_provenance`]: with_exposed_provenance
388	//! [Miri]: https://github.com/rust-lang/miri
389	//! [CHERI]: https://www.cl.cam.ac.uk/research/security/ctsrd/cheri/
390	//! [Strict Provenance]: #strict-provenance
391	//! [`UnsafeCell`]: core::cell::UnsafeCell
392
393	#![stable(feature = "rust1", since = "1.0.0")]
394	// There are many unsafe functions taking pointers that don't dereference them.
395	#![allow(clippy::not_unsafe_ptr_arg_deref)]
396
397	use crate::cmp::Ordering;
398	use crate::intrinsics::const_eval_select;
399	use crate::marker::FnPtr;
400	use crate::mem::{self, MaybeUninit, SizedTypeProperties};
401	use crate::{fmt, hash, intrinsics, ub_checks};
402
403	mod alignment;
404	#[unstable(feature = "ptr_alignment_type", issue = "102070")]
405	pub use alignment::Alignment;
406
407	#[stable(feature = "rust1", since = "1.0.0")]
408	#[doc(inline)]
409	pub use crate::intrinsics::copy;
410	#[stable(feature = "rust1", since = "1.0.0")]
411	#[doc(inline)]
412	pub use crate::intrinsics::copy_nonoverlapping;
413	#[stable(feature = "rust1", since = "1.0.0")]
414	#[doc(inline)]
415	pub use crate::intrinsics::write_bytes;
416
417	mod metadata;
418	#[unstable(feature = "ptr_metadata", issue = "81513")]
419	pub use metadata::{DynMetadata, Pointee, Thin, from_raw_parts, from_raw_parts_mut, metadata};
420
421	mod non_null;
422	#[stable(feature = "nonnull", since = "1.25.0")]
423	pub use non_null::NonNull;
424
425	mod unique;
426	#[unstable(feature = "ptr_internals", issue = "none")]
427	pub use unique::Unique;
428
429	mod const_ptr;
430	mod mut_ptr;
431
432	/// Executes the destructor (if any) of the pointed-to value.
433	///
434	/// This is almost the same as calling [`ptr::read`] and discarding
435	/// the result, but has the following advantages:
436	// FIXME: say something more useful than "almost the same"?
437	// There are open questions here: `read` requires the value to be fully valid, e.g. if `T` is a
438	// `bool` it must be 0 or 1, if it is a reference then it must be dereferenceable. `drop_in_place`
439	// only requires that `to_drop` be "valid for dropping" and we have not defined what that means. In*
440	// Miri it currently (May 2024) requires nothing at all for types without drop glue.
441	///
442	/// It is required to use `drop_in_place` to drop unsized types like*
443	/// trait objects, because they can't be read out onto the stack and
444	/// dropped normally.
445	///
446	/// It is friendlier to the optimizer to do this over* [`ptr::read`] when
447	/// dropping manually allocated memory (e.g., in the implementations of
448	/// `Box`/`Rc`/`Vec`), as the compiler doesn't need to prove that it's
449	/// sound to elide the copy.
450	///
451	/// It can be used to drop* [pinned] data when `T` is not `repr(packed)`
452	/// (pinned data must not be moved before it is dropped).
453	///
454	/// Unaligned values cannot be dropped in place, they must be copied to an aligned
455	/// location first using [`ptr::read_unaligned`]. For packed structs, this move is
456	/// done automatically by the compiler. This means the fields of packed structs
457	/// are not dropped in-place.
458	///
459	/// [`ptr::read`]: self::read
460	/// [`ptr::read_unaligned`]: self::read_unaligned
461	/// [pinned]: crate::pin
462	///
463	/// # Safety
464	///
465	/// Behavior is undefined if any of the following conditions are violated:
466	///
467	/// `to_drop` must be [valid] for both reads and writes.*
468	///
469	/// `to_drop` must be properly aligned, even if `T` has size 0.*
470	///
471	/// `to_drop` must be nonnull, even if `T` has size 0.*
472	///
473	/// The value `to_drop` points to must be valid for dropping, which may mean*
474	/// it must uphold additional invariants. These invariants depend on the type
475	/// of the value being dropped. For instance, when dropping a Box, the box's
476	/// pointer to the heap must be valid.
477	///
478	/// While `drop_in_place` is executing, the only way to access parts of*
479	/// `to_drop` is through the `&mut self` references supplied to the
480	/// `Drop::drop` methods that `drop_in_place` invokes.
481	///
482	/// Additionally, if `T` is not [`Copy`], using the pointed-to value after
483	/// calling `drop_in_place` can cause undefined behavior. Note that `to_drop =*
484	/// foo` counts as a use because it will cause the value to be dropped
485	/// again. [`write()`] can be used to overwrite data without causing it to be
486	/// dropped.
487	///
488	/// [valid]: self#safety
489	///
490	/// # Examples
491	///
492	/// Manually remove the last item from a vector:
493	///
494	/// ```
495	/// use std::ptr;
496	/// use std::rc::Rc;
497	///
498	/// let last = Rc::new(`1`);
499	/// let weak = Rc::downgrade(&last);
500	///
501	/// let mut v = vec![Rc::new(`0`), last];
502	///
503	/// unsafe {
504	/// // Get a raw pointer to the last element in `v`.
505	/// let ptr = &mut v[`1`] as *mut _;
506	/// // Shorten `v` to prevent the last item from being dropped. We do that first,
507	/// // to prevent issues if the `drop_in_place` below panics.
508	/// v.set_len(`1`);
509	/// // Without a call `drop_in_place`, the last item would never be dropped,
510	/// // and the memory it manages would be leaked.
511	/// ptr::drop_in_place(ptr);
512	/// }
513	///
514	/// assert_eq!(v, &[`0`.into()]);
515	///
516	/// // Ensure that the last item was dropped.
517	/// assert!(weak.upgrade().is_none());
518	/// ```
519	#[stable(feature = "drop_in_place", since = "1.8.0")]
520	#[lang = "drop_in_place"]
521	#[allow(unconditional_recursion)]
522	#[rustc_diagnostic_item = "ptr_drop_in_place"]
523	pub unsafe fn drop_in_place<T: ?Sized>(to_drop: *mut T) {
524	// Code here does not matter - this is replaced by the
525	// real drop glue by the compiler.
526
527	// SAFETY: see comment above
528	unsafe { drop_in_place(to_drop) }
529	}
530
531	/// Creates a null raw pointer.
532	///
533	/// This function is equivalent to zero-initializing the pointer:
534	/// `MaybeUninit::<const T>::zeroed().assume_init()`.*
535	/// The resulting pointer has the address 0.
536	///
537	/// # Examples
538	///
539	/// ```
540	/// use std::ptr;
541	///
542	/// let p: *const i32 = ptr::null();
543	/// assert!(p.is_null());
544	/// assert_eq!(p as usize, `0`); // this pointer has the address 0
545	/// ```
546	#[inline(always)]
547	#[must_use]
548	#[stable(feature = "rust1", since = "1.0.0")]
549	#[rustc_promotable]
550	#[rustc_const_stable(feature = "const_ptr_null", since = "1.24.0")]
551	#[rustc_diagnostic_item = "ptr_null"]
552	pub const fn null<T: ?Sized + Thin>() -> *const T {
553	from_raw_parts(data_pointer:without_provenance::<()>(`0`), ())
554	}
555
556	/// Creates a null mutable raw pointer.
557	///
558	/// This function is equivalent to zero-initializing the pointer:
559	/// `MaybeUninit::<mut T>::zeroed().assume_init()`.*
560	/// The resulting pointer has the address 0.
561	///
562	/// # Examples
563	///
564	/// ```
565	/// use std::ptr;
566	///
567	/// let p: *mut i32 = ptr::null_mut();
568	/// assert!(p.is_null());
569	/// assert_eq!(p as usize, `0`); // this pointer has the address 0
570	/// ```
571	#[inline(always)]
572	#[must_use]
573	#[stable(feature = "rust1", since = "1.0.0")]
574	#[rustc_promotable]
575	#[rustc_const_stable(feature = "const_ptr_null", since = "1.24.0")]
576	#[rustc_diagnostic_item = "ptr_null_mut"]
577	pub const fn null_mut<T: ?Sized + Thin>() -> *mut T {
578	from_raw_parts_mut(data_pointer:without_provenance_mut::<()>(`0`), ())
579	}
580
581	/// Creates a pointer with the given address and no [provenance][crate::ptr#provenance].
582	///
583	/// This is equivalent to `ptr::null().with_addr(addr)`.
584	///
585	/// Without provenance, this pointer is not associated with any actual allocation. Such a
586	/// no-provenance pointer may be used for zero-sized memory accesses (if suitably aligned), but
587	/// non-zero-sized memory accesses with a no-provenance pointer are UB. No-provenance pointers are
588	/// little more than a `usize` address in disguise.
589	///
590	/// This is different from `addr as const T`, which creates a pointer that picks up a previously*
591	/// exposed provenance. See [`with_exposed_provenance`] for more details on that operation.
592	///
593	/// This is a [Strict Provenance][crate::ptr#strict-provenance] API.
594	#[inline(always)]
595	#[must_use]
596	#[stable(feature = "strict_provenance", since = "1.84.0")]
597	#[rustc_const_stable(feature = "strict_provenance", since = "1.84.0")]
598	pub const fn without_provenance<T>(addr: usize) -> *const T {
599	without_provenance_mut(addr)
600	}
601
602	/// Creates a new pointer that is dangling, but non-null and well-aligned.
603	///
604	/// This is useful for initializing types which lazily allocate, like
605	/// `Vec::new` does.
606	///
607	/// Note that the pointer value may potentially represent a valid pointer to
608	/// a `T`, which means this must not be used as a "not yet initialized"
609	/// sentinel value. Types that lazily allocate must track initialization by
610	/// some other means.
611	#[inline(always)]
612	#[must_use]
613	#[stable(feature = "strict_provenance", since = "1.84.0")]
614	#[rustc_const_stable(feature = "strict_provenance", since = "1.84.0")]
615	pub const fn dangling<T>() -> *const T {
616	dangling_mut()
617	}
618
619	/// Creates a pointer with the given address and no [provenance][crate::ptr#provenance].
620	///
621	/// This is equivalent to `ptr::null_mut().with_addr(addr)`.
622	///
623	/// Without provenance, this pointer is not associated with any actual allocation. Such a
624	/// no-provenance pointer may be used for zero-sized memory accesses (if suitably aligned), but
625	/// non-zero-sized memory accesses with a no-provenance pointer are UB. No-provenance pointers are
626	/// little more than a `usize` address in disguise.
627	///
628	/// This is different from `addr as mut T`, which creates a pointer that picks up a previously*
629	/// exposed provenance. See [`with_exposed_provenance_mut`] for more details on that operation.
630	///
631	/// This is a [Strict Provenance][crate::ptr#strict-provenance] API.
632	#[inline(always)]
633	#[must_use]
634	#[stable(feature = "strict_provenance", since = "1.84.0")]
635	#[rustc_const_stable(feature = "strict_provenance", since = "1.84.0")]
636	pub const fn without_provenance_mut<T>(addr: usize) -> *mut T {
637	// An int-to-pointer transmute currently has exactly the intended semantics: it creates a
638	// pointer without provenance. Note that this is not* a stable guarantee about transmute*
639	// semantics, it relies on sysroot crates having special status.
640	// SAFETY: every valid integer is also a valid pointer (as long as you don't dereference that
641	// pointer).
642	unsafe { mem::transmute(src:addr) }
643	}
644
645	/// Creates a new pointer that is dangling, but non-null and well-aligned.
646	///
647	/// This is useful for initializing types which lazily allocate, like
648	/// `Vec::new` does.
649	///
650	/// Note that the pointer value may potentially represent a valid pointer to
651	/// a `T`, which means this must not be used as a "not yet initialized"
652	/// sentinel value. Types that lazily allocate must track initialization by
653	/// some other means.
654	#[inline(always)]
655	#[must_use]
656	#[stable(feature = "strict_provenance", since = "1.84.0")]
657	#[rustc_const_stable(feature = "strict_provenance", since = "1.84.0")]
658	pub const fn dangling_mut<T>() -> *mut T {
659	NonNull::dangling().as_ptr()
660	}
661
662	/// Converts an address back to a pointer, picking up some previously 'exposed'
663	/// [provenance][crate::ptr#provenance].
664	///
665	/// This is fully equivalent to `addr as const T`. The provenance of the returned pointer is that*
666	/// of some* pointer that was previously exposed by passing it to*
667	/// [`expose_provenance`][pointer::expose_provenance], or a `ptr as usize` cast. In addition, memory
668	/// which is outside the control of the Rust abstract machine (MMIO registers, for example) is
669	/// always considered to be accessible with an exposed provenance, so long as this memory is disjoint
670	/// from memory that will be used by the abstract machine such as the stack, heap, and statics.
671	///
672	/// The exact provenance that gets picked is not specified. The compiler will do its best to pick
673	/// the "right" provenance for you (whatever that may be), but currently we cannot provide any
674	/// guarantees about which provenance the resulting pointer will have -- and therefore there
675	/// is no definite specification for which memory the resulting pointer may access.
676	///
677	/// If there is no* previously 'exposed' provenance that justifies the way the returned pointer*
678	/// will be used, the program has undefined behavior. In particular, the aliasing rules still apply:
679	/// pointers and references that have been invalidated due to aliasing accesses cannot be used
680	/// anymore, even if they have been exposed!
681	///
682	/// Due to its inherent ambiguity, this operation may not be supported by tools that help you to
683	/// stay conformant with the Rust memory model. It is recommended to use [Strict
684	/// Provenance][self#strict-provenance] APIs such as [`with_addr`][pointer::with_addr] wherever
685	/// possible.
686	///
687	/// On most platforms this will produce a value with the same bytes as the address. Platforms
688	/// which need to store additional information in a pointer may not support this operation,
689	/// since it is generally not possible to actually compute* which provenance the returned*
690	/// pointer has to pick up.
691	///
692	/// This is an [Exposed Provenance][crate::ptr#exposed-provenance] API.
693	#[must_use]
694	#[inline(always)]
695	#[stable(feature = "exposed_provenance", since = "1.84.0")]
696	#[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
697	#[allow(fuzzy_provenance_casts)] // this is* the explicit provenance API one should use instead*
698	pub fn with_exposed_provenance<T>(addr: usize) -> *const T {
699	addr as *const T
700	}
701
702	/// Converts an address back to a mutable pointer, picking up some previously 'exposed'
703	/// [provenance][crate::ptr#provenance].
704	///
705	/// This is fully equivalent to `addr as mut T`. The provenance of the returned pointer is that*
706	/// of some* pointer that was previously exposed by passing it to*
707	/// [`expose_provenance`][pointer::expose_provenance], or a `ptr as usize` cast. In addition, memory
708	/// which is outside the control of the Rust abstract machine (MMIO registers, for example) is
709	/// always considered to be accessible with an exposed provenance, so long as this memory is disjoint
710	/// from memory that will be used by the abstract machine such as the stack, heap, and statics.
711	///
712	/// The exact provenance that gets picked is not specified. The compiler will do its best to pick
713	/// the "right" provenance for you (whatever that may be), but currently we cannot provide any
714	/// guarantees about which provenance the resulting pointer will have -- and therefore there
715	/// is no definite specification for which memory the resulting pointer may access.
716	///
717	/// If there is no* previously 'exposed' provenance that justifies the way the returned pointer*
718	/// will be used, the program has undefined behavior. In particular, the aliasing rules still apply:
719	/// pointers and references that have been invalidated due to aliasing accesses cannot be used
720	/// anymore, even if they have been exposed!
721	///
722	/// Due to its inherent ambiguity, this operation may not be supported by tools that help you to
723	/// stay conformant with the Rust memory model. It is recommended to use [Strict
724	/// Provenance][self#strict-provenance] APIs such as [`with_addr`][pointer::with_addr] wherever
725	/// possible.
726	///
727	/// On most platforms this will produce a value with the same bytes as the address. Platforms
728	/// which need to store additional information in a pointer may not support this operation,
729	/// since it is generally not possible to actually compute* which provenance the returned*
730	/// pointer has to pick up.
731	///
732	/// This is an [Exposed Provenance][crate::ptr#exposed-provenance] API.
733	#[must_use]
734	#[inline(always)]
735	#[stable(feature = "exposed_provenance", since = "1.84.0")]
736	#[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
737	#[allow(fuzzy_provenance_casts)] // this is* the explicit provenance API one should use instead*
738	pub fn with_exposed_provenance_mut<T>(addr: usize) -> *mut T {
739	addr as *mut T
740	}
741
742	/// Converts a reference to a raw pointer.
743	///
744	/// For `r: &T`, `from_ref(r)` is equivalent to `r as const T` (except for the caveat noted below),*
745	/// but is a bit safer since it will never silently change type or mutability, in particular if the
746	/// code is refactored.
747	///
748	/// The caller must ensure that the pointee outlives the pointer this function returns, or else it
749	/// will end up dangling.
750	///
751	/// The caller must also ensure that the memory the pointer (non-transitively) points to is never
752	/// written to (except inside an `UnsafeCell`) using this pointer or any pointer derived from it. If
753	/// you need to mutate the pointee, use [`from_mut`]. Specifically, to turn a mutable reference `m:
754	/// &mut T` into `const T`, prefer `from_mut(m).cast_const()` to obtain a pointer that can later be*
755	/// used for mutation.
756	///
757	/// ## Interaction with lifetime extension
758	///
759	/// Note that this has subtle interactions with the rules for lifetime extension of temporaries in
760	/// tail expressions. This code is valid, albeit in a non-obvious way:
761	/// ```rust
762	/// # type T = i32;
763	/// # fn foo() -> T { `42` }
764	/// // The temporary holding the return value of `foo` has its lifetime extended,
765	/// // because the surrounding expression involves no function call.
766	/// let p = &foo() as *const T;
767	/// unsafe { p.read() };
768	/// ```
769	/// Naively replacing the cast with `from_ref` is not valid:
770	/// ```rust,no_run
771	/// # use std::ptr;
772	/// # type T = i32;
773	/// # fn foo() -> T { `42` }
774	/// // The temporary holding the return value of `foo` does not* have its lifetime extended,*
775	/// // because the surrounding expression involves a function call.
776	/// let p = ptr::from_ref(&foo());
777	/// unsafe { p.read() }; // UB! Reading from a dangling pointer ⚠️
778	/// ```
779	/// The recommended way to write this code is to avoid relying on lifetime extension
780	/// when raw pointers are involved:
781	/// ```rust
782	/// # use std::ptr;
783	/// # type T = i32;
784	/// # fn foo() -> T { `42` }
785	/// let x = foo();
786	/// let p = ptr::from_ref(&x);
787	/// unsafe { p.read() };
788	/// ```
789	#[inline(always)]
790	#[must_use]
791	#[stable(feature = "ptr_from_ref", since = "1.76.0")]
792	#[rustc_const_stable(feature = "ptr_from_ref", since = "1.76.0")]
793	#[rustc_never_returns_null_ptr]
794	#[rustc_diagnostic_item = "ptr_from_ref"]
795	pub const fn from_ref<T: ?Sized>(r: &T) -> *const T {
796	r
797	}
798
799	/// Converts a mutable reference to a raw pointer.
800	///
801	/// For `r: &mut T`, `from_mut(r)` is equivalent to `r as mut T` (except for the caveat noted*
802	/// below), but is a bit safer since it will never silently change type or mutability, in particular
803	/// if the code is refactored.
804	///
805	/// The caller must ensure that the pointee outlives the pointer this function returns, or else it
806	/// will end up dangling.
807	///
808	/// ## Interaction with lifetime extension
809	///
810	/// Note that this has subtle interactions with the rules for lifetime extension of temporaries in
811	/// tail expressions. This code is valid, albeit in a non-obvious way:
812	/// ```rust
813	/// # type T = i32;
814	/// # fn foo() -> T { `42` }
815	/// // The temporary holding the return value of `foo` has its lifetime extended,
816	/// // because the surrounding expression involves no function call.
817	/// let p = &mut foo() as *mut T;
818	/// unsafe { p.write(T::default()) };
819	/// ```
820	/// Naively replacing the cast with `from_mut` is not valid:
821	/// ```rust,no_run
822	/// # use std::ptr;
823	/// # type T = i32;
824	/// # fn foo() -> T { `42` }
825	/// // The temporary holding the return value of `foo` does not* have its lifetime extended,*
826	/// // because the surrounding expression involves a function call.
827	/// let p = ptr::from_mut(&mut foo());
828	/// unsafe { p.write(T::default()) }; // UB! Writing to a dangling pointer ⚠️
829	/// ```
830	/// The recommended way to write this code is to avoid relying on lifetime extension
831	/// when raw pointers are involved:
832	/// ```rust
833	/// # use std::ptr;
834	/// # type T = i32;
835	/// # fn foo() -> T { `42` }
836	/// let mut x = foo();
837	/// let p = ptr::from_mut(&mut x);
838	/// unsafe { p.write(T::default()) };
839	/// ```
840	#[inline(always)]
841	#[must_use]
842	#[stable(feature = "ptr_from_ref", since = "1.76.0")]
843	#[rustc_const_stable(feature = "ptr_from_ref", since = "1.76.0")]
844	#[rustc_never_returns_null_ptr]
845	pub const fn from_mut<T: ?Sized>(r: &mut T) -> *mut T {
846	r
847	}
848
849	/// Forms a raw slice from a pointer and a length.
850	///
851	/// The `len` argument is the number of elements, not the number of bytes.
852	///
853	/// This function is safe, but actually using the return value is unsafe.
854	/// See the documentation of [`slice::from_raw_parts`] for slice safety requirements.
855	///
856	/// [`slice::from_raw_parts`]: crate::slice::from_raw_parts
857	///
858	/// # Examples
859	///
860	/// ```rust
861	/// use std::ptr;
862	///
863	/// // create a slice pointer when starting out with a pointer to the first element
864	/// let x = [`5`, `6`, `7`];
865	/// let raw_pointer = x.as_ptr();
866	/// let slice = ptr::slice_from_raw_parts(raw_pointer, `3`);
867	/// assert_eq!(unsafe { &*slice }[`2`], `7`);
868	/// ```
869	///
870	/// You must ensure that the pointer is valid and not null before dereferencing
871	/// the raw slice. A slice reference must never have a null pointer, even if it's empty.
872	///
873	/// ```rust,should_panic
874	/// use std::ptr;
875	/// let danger: *const [u8] = ptr::slice_from_raw_parts(ptr::null(), `0`);
876	/// unsafe {
877	/// danger.as_ref().expect("references must not be null");
878	/// }
879	/// ```
880	#[inline]
881	#[stable(feature = "slice_from_raw_parts", since = "1.42.0")]
882	#[rustc_const_stable(feature = "const_slice_from_raw_parts", since = "1.64.0")]
883	#[rustc_diagnostic_item = "ptr_slice_from_raw_parts"]
884	pub const fn slice_from_raw_parts<T>(data: *const T, len: usize) -> *const [T] {
885	from_raw_parts(data, metadata:len)
886	}
887
888	/// Forms a raw mutable slice from a pointer and a length.
889	///
890	/// The `len` argument is the number of elements, not the number of bytes.
891	///
892	/// Performs the same functionality as [`slice_from_raw_parts`], except that a
893	/// raw mutable slice is returned, as opposed to a raw immutable slice.
894	///
895	/// This function is safe, but actually using the return value is unsafe.
896	/// See the documentation of [`slice::from_raw_parts_mut`] for slice safety requirements.
897	///
898	/// [`slice::from_raw_parts_mut`]: crate::slice::from_raw_parts_mut
899	///
900	/// # Examples
901	///
902	/// ```rust
903	/// use std::ptr;
904	///
905	/// let x = &mut [`5`, `6`, `7`];
906	/// let raw_pointer = x.as_mut_ptr();
907	/// let slice = ptr::slice_from_raw_parts_mut(raw_pointer, `3`);
908	///
909	/// unsafe {
910	/// (slice)[`2`] = `99`; // assign a value at an index in the slice*
911	/// };
912	///
913	/// assert_eq!(unsafe { &*slice }[`2`], `99`);
914	/// ```
915	///
916	/// You must ensure that the pointer is valid and not null before dereferencing
917	/// the raw slice. A slice reference must never have a null pointer, even if it's empty.
918	///
919	/// ```rust,should_panic
920	/// use std::ptr;
921	/// let danger: *mut [u8] = ptr::slice_from_raw_parts_mut(ptr::null_mut(), `0`);
922	/// unsafe {
923	/// danger.as_mut().expect("references must not be null");
924	/// }
925	/// ```
926	#[inline]
927	#[stable(feature = "slice_from_raw_parts", since = "1.42.0")]
928	#[rustc_const_stable(feature = "const_slice_from_raw_parts_mut", since = "1.83.0")]
929	#[rustc_diagnostic_item = "ptr_slice_from_raw_parts_mut"]
930	pub const fn slice_from_raw_parts_mut<T>(data: *mut T, len: usize) -> *mut [T] {
931	from_raw_parts_mut(data, metadata:len)
932	}
933
934	/// Swaps the values at two mutable locations of the same type, without
935	/// deinitializing either.
936	///
937	/// But for the following exceptions, this function is semantically
938	/// equivalent to [`mem::swap`]:
939	///
940	/// It operates on raw pointers instead of references. When references are*
941	/// available, [`mem::swap`] should be preferred.
942	///
943	/// The two pointed-to values may overlap. If the values do overlap, then the*
944	/// overlapping region of memory from `x` will be used. This is demonstrated
945	/// in the second example below.
946	///
947	/// The operation is "untyped" in the sense that data may be uninitialized or otherwise violate*
948	/// the requirements of `T`. The initialization state is preserved exactly.
949	///
950	/// # Safety
951	///
952	/// Behavior is undefined if any of the following conditions are violated:
953	///
954	/// Both `x` and `y` must be [valid] for both reads and writes. They must remain valid even when the*
955	/// other pointer is written. (This means if the memory ranges overlap, the two pointers must not
956	/// be subject to aliasing restrictions relative to each other.)
957	///
958	/// Both `x` and `y` must be properly aligned.*
959	///
960	/// Note that even if `T` has size `0`, the pointers must be properly aligned.
961	///
962	/// [valid]: self#safety
963	///
964	/// # Examples
965	///
966	/// Swapping two non-overlapping regions:
967	///
968	/// ```
969	/// use std::ptr;
970	///
971	/// let mut array = [`0`, `1`, `2`, `3`];
972	///
973	/// let (x, y) = array.split_at_mut(`2`);
974	/// let x = x.as_mut_ptr().cast::<[u32; `2`]>(); // this is `array[0..2]`
975	/// let y = y.as_mut_ptr().cast::<[u32; `2`]>(); // this is `array[2..4]`
976	///
977	/// unsafe {
978	/// ptr::swap(x, y);
979	/// assert_eq!([`2`, `3`, `0`, `1`], array);
980	/// }
981	/// ```
982	///
983	/// Swapping two overlapping regions:
984	///
985	/// ```
986	/// use std::ptr;
987	///
988	/// let mut array: [i32; `4`] = [`0`, `1`, `2`, `3`];
989	///
990	/// let array_ptr: *mut i32 = array.as_mut_ptr();
991	///
992	/// let x = array_ptr as *mut [i32; `3`]; // this is `array[0..3]`
993	/// let y = unsafe { array_ptr.add(`1`) } as *mut [i32; `3`]; // this is `array[1..4]`
994	///
995	/// unsafe {
996	/// ptr::swap(x, y);
997	/// // The indices `1..3` of the slice overlap between `x` and `y`.
998	/// // Reasonable results would be for to them be `[2, 3]`, so that indices `0..3` are
999	/// // `[1, 2, 3]` (matching `y` before the `swap`); or for them to be `[0, 1]`
1000	/// // so that indices `1..4` are `[0, 1, 2]` (matching `x` before the `swap`).
1001	/// // This implementation is defined to make the latter choice.
1002	/// assert_eq!([`1`, `0`, `1`, `2`], array);
1003	/// }
1004	/// ```
1005	#[inline]
1006	#[stable(feature = "rust1", since = "1.0.0")]
1007	#[rustc_const_stable(feature = "const_swap", since = "1.85.0")]
1008	#[rustc_diagnostic_item = "ptr_swap"]
1009	pub const unsafe fn swap<T>(x: *mut T, y: *mut T) {
1010	// Give ourselves some scratch space to work with.
1011	// We do not have to worry about drops: `MaybeUninit` does nothing when dropped.
1012	let mut tmp: MaybeUninit = MaybeUninit::<T>::uninit();
1013
1014	// Perform the swap
1015	// SAFETY: the caller must guarantee that `x` and `y` are
1016	// valid for writes and properly aligned. `tmp` cannot be
1017	// overlapping either `x` or `y` because `tmp` was just allocated
1018	// on the stack as a separate allocated object.
1019	unsafe {
1020	copy_nonoverlapping(src:x, dst:tmp.as_mut_ptr(), count:`1`);
1021	copy(src:y, dst:x, count:`1`); // `x` and `y` may overlap
1022	copy_nonoverlapping(src:tmp.as_ptr(), dst:y, count:`1`);
1023	}
1024	}
1025
1026	/// Swaps `count size_of::<T>()` bytes between the two regions of memory*
1027	/// beginning at `x` and `y`. The two regions must not* overlap.*
1028	///
1029	/// The operation is "untyped" in the sense that data may be uninitialized or otherwise violate the
1030	/// requirements of `T`. The initialization state is preserved exactly.
1031	///
1032	/// # Safety
1033	///
1034	/// Behavior is undefined if any of the following conditions are violated:
1035	///
1036	/// * Both `x` and `y` must be [valid] for both reads and writes of `count *
1037	/// size_of::<T>()` bytes.
1038	///
1039	/// Both `x` and `y` must be properly aligned.*
1040	///
1041	/// * The region of memory beginning at `x` with a size of `count *
1042	/// size_of::<T>()` bytes must not* overlap with the region of memory*
1043	/// beginning at `y` with the same size.
1044	///
1045	/// Note that even if the effectively copied size (`count size_of::<T>()`) is `0`,*
1046	/// the pointers must be properly aligned.
1047	///
1048	/// [valid]: self#safety
1049	///
1050	/// # Examples
1051	///
1052	/// Basic usage:
1053	///
1054	/// ```
1055	/// use std::ptr;
1056	///
1057	/// let mut x = [`1`, `2`, `3`, `4`];
1058	/// let mut y = [`7`, `8`, `9`];
1059	///
1060	/// unsafe {
1061	/// ptr::swap_nonoverlapping(x.as_mut_ptr(), y.as_mut_ptr(), `2`);
1062	/// }
1063	///
1064	/// assert_eq!(x, [`7`, `8`, `3`, `4`]);
1065	/// assert_eq!(y, [`1`, `2`, `9`]);
1066	/// ```
1067	#[inline]
1068	#[stable(feature = "swap_nonoverlapping", since = "1.27.0")]
1069	#[rustc_const_unstable(feature = "const_swap_nonoverlapping", issue = "133668")]
1070	#[rustc_diagnostic_item = "ptr_swap_nonoverlapping"]
1071	pub const unsafe fn swap_nonoverlapping<T>(x: *mut T, y: *mut T, count: usize) {
1072	ub_checks::assert_unsafe_precondition!(
1073	check_library_ub,
1074	"ptr::swap_nonoverlapping requires that both pointer arguments are aligned and non-null \
1075	and the specified memory ranges do not overlap",
1076	(
1077	x: *mut () = x as *mut (),
1078	y: *mut () = y as *mut (),
1079	size: usize = size_of::<T>(),
1080	align: usize = align_of::<T>(),
1081	count: usize = count,
1082	) => {
1083	let zero_size = size == `0` \|\| count == `0`;
1084	ub_checks::maybe_is_aligned_and_not_null(x, align, zero_size)
1085	&& ub_checks::maybe_is_aligned_and_not_null(y, align, zero_size)
1086	&& ub_checks::maybe_is_nonoverlapping(x, y, size, count)
1087	}
1088	);
1089
1090	const_eval_select!(
1091	@capture[T] { x: *mut T, y: *mut T, count: usize }:
1092	if const {
1093	// At compile-time we want to always copy this in chunks of `T`, to ensure that if there
1094	// are pointers inside `T` we will copy them in one go rather than trying to copy a part
1095	// of a pointer (which would not work).
1096	// SAFETY: Same preconditions as this function
1097	unsafe { swap_nonoverlapping_simple_untyped(x, y, count) }
1098	} else {
1099	macro_rules! attempt_swap_as_chunks {
1100	($ChunkTy:ty) => {
1101	if align_of::<T>() >= align_of::<$ChunkTy>()
1102	&& size_of::<T>() % size_of::<$ChunkTy>() == `0`
1103	{
1104	let x: *mut $ChunkTy = x.cast();
1105	let y: *mut $ChunkTy = y.cast();
1106	let count = count * (size_of::<T>() / size_of::<$ChunkTy>());
1107	// SAFETY: these are the same bytes that the caller promised were
1108	// ok, just typed as `MaybeUninit<ChunkTy>`s instead of as `T`s.
1109	// The `if` condition above ensures that we're not violating
1110	// alignment requirements, and that the division is exact so
1111	// that we don't lose any bytes off the end.
1112	return unsafe { swap_nonoverlapping_simple_untyped(x, y, count) };
1113	}
1114	};
1115	}
1116
1117	// Split up the slice into small power-of-two-sized chunks that LLVM is able
1118	// to vectorize (unless it's a special type with more-than-pointer alignment,
1119	// because we don't want to pessimize things like slices of SIMD vectors.)
1120	if align_of::<T>() <= size_of::<usize>()
1121	&& (!size_of::<T>().is_power_of_two()
1122	\|\| size_of::<T>() > size_of::<usize>() * `2`)
1123	{
1124	attempt_swap_as_chunks!(usize);
1125	attempt_swap_as_chunks!(u8);
1126	}
1127
1128	// SAFETY: Same preconditions as this function
1129	unsafe { swap_nonoverlapping_simple_untyped(x, y, count) }
1130	}
1131	)
1132	}
1133
1134	/// Same behavior and safety conditions as [`swap_nonoverlapping`]
1135	///
1136	/// LLVM can vectorize this (at least it can for the power-of-two-sized types
1137	/// `swap_nonoverlapping` tries to use) so no need to manually SIMD it.
1138	#[inline]
1139	const unsafe fn swap_nonoverlapping_simple_untyped<T>(x: *mut T, y: *mut T, count: usize) {
1140	let x = x.cast::<MaybeUninit<T>>();
1141	let y = y.cast::<MaybeUninit<T>>();
1142	let mut i = `0`;
1143	while i < count {
1144	// SAFETY: By precondition, `i` is in-bounds because it's below `n`
1145	let x = unsafe { x.add(i) };
1146	// SAFETY: By precondition, `i` is in-bounds because it's below `n`
1147	// and it's distinct from `x` since the ranges are non-overlapping
1148	let y = unsafe { y.add(i) };
1149
1150	// If we end up here, it's because we're using a simple type -- like
1151	// a small power-of-two-sized thing -- or a special type with particularly
1152	// large alignment, particularly SIMD types.
1153	// Thus, we're fine just reading-and-writing it, as either it's small
1154	// and that works well anyway or it's special and the type's author
1155	// presumably wanted things to be done in the larger chunk.
1156
1157	// SAFETY: we're only ever given pointers that are valid to read/write,
1158	// including being aligned, and nothing here panics so it's drop-safe.
1159	unsafe {
1160	let a: MaybeUninit<T> = read(x);
1161	let b: MaybeUninit<T> = read(y);
1162	write(x, b);
1163	write(y, a);
1164	}
1165
1166	i += `1`;
1167	}
1168	}
1169
1170	/// Moves `src` into the pointed `dst`, returning the previous `dst` value.
1171	///
1172	/// Neither value is dropped.
1173	///
1174	/// This function is semantically equivalent to [`mem::replace`] except that it
1175	/// operates on raw pointers instead of references. When references are
1176	/// available, [`mem::replace`] should be preferred.
1177	///
1178	/// # Safety
1179	///
1180	/// Behavior is undefined if any of the following conditions are violated:
1181	///
1182	/// `dst` must be [valid] for both reads and writes.*
1183	///
1184	/// `dst` must be properly aligned.*
1185	///
1186	/// `dst` must point to a properly initialized value of type `T`.*
1187	///
1188	/// Note that even if `T` has size `0`, the pointer must be properly aligned.
1189	///
1190	/// [valid]: self#safety
1191	///
1192	/// # Examples
1193	///
1194	/// ```
1195	/// use std::ptr;
1196	///
1197	/// let mut rust = vec!['b', 'u', 's', 't'];
1198	///
1199	/// // `mem::replace` would have the same effect without requiring the unsafe
1200	/// // block.
1201	/// let b = unsafe {
1202	/// ptr::replace(&mut rust[`0`], 'r')
1203	/// };
1204	///
1205	/// assert_eq!(b, 'b');
1206	/// assert_eq!(rust, &['r', 'u', 's', 't']);
1207	/// ```
1208	#[inline]
1209	#[stable(feature = "rust1", since = "1.0.0")]
1210	#[rustc_const_stable(feature = "const_replace", since = "1.83.0")]
1211	#[rustc_diagnostic_item = "ptr_replace"]
1212	pub const unsafe fn replace<T>(dst: *mut T, src: T) -> T {
1213	// SAFETY: the caller must guarantee that `dst` is valid to be
1214	// cast to a mutable reference (valid for writes, aligned, initialized),
1215	// and cannot overlap `src` since `dst` must point to a distinct
1216	// allocated object.
1217	unsafe {
1218	ub_checks::assert_unsafe_precondition!(
1219	check_language_ub,
1220	"ptr::replace requires that the pointer argument is aligned and non-null",
1221	(
1222	addr: *const () = dst as *const (),
1223	align: usize = align_of::<T>(),
1224	is_zst: bool = T::IS_ZST,
1225	) => ub_checks::maybe_is_aligned_and_not_null(addr, align, is_zst)
1226	);
1227	mem::replace(&mut *dst, src)
1228	}
1229	}
1230
1231	/// Reads the value from `src` without moving it. This leaves the
1232	/// memory in `src` unchanged.
1233	///
1234	/// # Safety
1235	///
1236	/// Behavior is undefined if any of the following conditions are violated:
1237	///
1238	/// `src` must be [valid] for reads.*
1239	///
1240	/// `src` must be properly aligned. Use* [`read_unaligned`] if this is not the
1241	/// case.
1242	///
1243	/// `src` must point to a properly initialized value of type `T`.*
1244	///
1245	/// Note that even if `T` has size `0`, the pointer must be properly aligned.
1246	///
1247	/// # Examples
1248	///
1249	/// Basic usage:
1250	///
1251	/// ```
1252	/// let x = `12`;
1253	/// let y = &x as *const i32;
1254	///
1255	/// unsafe {
1256	/// assert_eq!(std::ptr::read(y), `12`);
1257	/// }
1258	/// ```
1259	///
1260	/// Manually implement [`mem::swap`]:
1261	///
1262	/// ```
1263	/// use std::ptr;
1264	///
1265	/// fn swap<T>(a: &mut T, b: &mut T) {
1266	/// unsafe {
1267	/// // Create a bitwise copy of the value at `a` in `tmp`.
1268	/// let tmp = ptr::read(a);
1269	///
1270	/// // Exiting at this point (either by explicitly returning or by
1271	/// // calling a function which panics) would cause the value in `tmp` to
1272	/// // be dropped while the same value is still referenced by `a`. This
1273	/// // could trigger undefined behavior if `T` is not `Copy`.
1274	///
1275	/// // Create a bitwise copy of the value at `b` in `a`.
1276	/// // This is safe because mutable references cannot alias.
1277	/// ptr::copy_nonoverlapping(b, a, `1`);
1278	///
1279	/// // As above, exiting here could trigger undefined behavior because
1280	/// // the same value is referenced by `a` and `b`.
1281	///
1282	/// // Move `tmp` into `b`.
1283	/// ptr::write(b, tmp);
1284	///
1285	/// // `tmp` has been moved (`write` takes ownership of its second argument),
1286	/// // so nothing is dropped implicitly here.
1287	/// }
1288	/// }
1289	///
1290	/// let mut foo = "foo".to_owned();
1291	/// let mut bar = "bar".to_owned();
1292	///
1293	/// swap(&mut foo, &mut bar);
1294	///
1295	/// assert_eq!(foo, "bar");
1296	/// assert_eq!(bar, "foo");
1297	/// ```
1298	///
1299	/// ## Ownership of the Returned Value
1300	///
1301	/// `read` creates a bitwise copy of `T`, regardless of whether `T` is [`Copy`].
1302	/// If `T` is not [`Copy`], using both the returned value and the value at
1303	/// `src` can violate memory safety. Note that assigning to `src` counts as a
1304	/// use because it will attempt to drop the value at `src`.*
1305	///
1306	/// [`write()`] can be used to overwrite data without causing it to be dropped.
1307	///
1308	/// ```
1309	/// use std::ptr;
1310	///
1311	/// let mut s = String::from("foo");
1312	/// unsafe {
1313	/// // `s2` now points to the same underlying memory as `s`.
1314	/// let mut s2: String = ptr::read(&s);
1315	///
1316	/// assert_eq!(s2, "foo");
1317	///
1318	/// // Assigning to `s2` causes its original value to be dropped. Beyond
1319	/// // this point, `s` must no longer be used, as the underlying memory has
1320	/// // been freed.
1321	/// s2 = String::default();
1322	/// assert_eq!(s2, "");
1323	///
1324	/// // Assigning to `s` would cause the old value to be dropped again,
1325	/// // resulting in undefined behavior.
1326	/// // s = String::from("bar"); // ERROR
1327	///
1328	/// // `ptr::write` can be used to overwrite a value without dropping it.
1329	/// ptr::write(&mut s, String::from("bar"));
1330	/// }
1331	///
1332	/// assert_eq!(s, "bar");
1333	/// ```
1334	///
1335	/// [valid]: self#safety
1336	#[inline]
1337	#[stable(feature = "rust1", since = "1.0.0")]
1338	#[rustc_const_stable(feature = "const_ptr_read", since = "1.71.0")]
1339	#[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
1340	#[rustc_diagnostic_item = "ptr_read"]
1341	pub const unsafe fn read<T>(src: *const T) -> T {
1342	// It would be semantically correct to implement this via `copy_nonoverlapping`
1343	// and `MaybeUninit`, as was done before PR #109035. Calling `assume_init`
1344	// provides enough information to know that this is a typed operation.
1345
1346	// However, as of March 2023 the compiler was not capable of taking advantage
1347	// of that information. Thus, the implementation here switched to an intrinsic,
1348	// which lowers to `_0 = src` in MIR, to address a few issues:*
1349	//
1350	// - Using `MaybeUninit::assume_init` after a `copy_nonoverlapping` was not
1351	// turning the untyped copy into a typed load. As such, the generated
1352	// `load` in LLVM didn't get various metadata, such as `!range` (#73258),
1353	// `!nonnull`, and `!noundef`, resulting in poorer optimization.
1354	// - Going through the extra local resulted in multiple extra copies, even
1355	// in optimized MIR. (Ignoring StorageLive/Dead, the intrinsic is one
1356	// MIR statement, while the previous implementation was eight.) LLVM
1357	// could sometimes optimize them away, but because `read` is at the core
1358	// of so many things, not having them in the first place improves what we
1359	// hand off to the backend. For example, `mem::replace::<Big>` previously
1360	// emitted 4 `alloca` and 6 `memcpy`s, but is now 1 `alloc` and 3 `memcpy`s.
1361	// - In general, this approach keeps us from getting any more bugs (like
1362	// #106369) that boil down to "`read(p)` is worse than `p`", as this*
1363	// makes them look identical to the backend (or other MIR consumers).
1364	//
1365	// Future enhancements to MIR optimizations might well allow this to return
1366	// to the previous implementation, rather than using an intrinsic.
1367
1368	// SAFETY: the caller must guarantee that `src` is valid for reads.
1369	unsafe {
1370	#[cfg(debug_assertions)] // Too expensive to always enable (for now?)
1371	ub_checks::assert_unsafe_precondition!(
1372	check_language_ub,
1373	"ptr::read requires that the pointer argument is aligned and non-null",
1374	(
1375	addr: *const () = src as *const (),
1376	align: usize = align_of::<T>(),
1377	is_zst: bool = T::IS_ZST,
1378	) => ub_checks::maybe_is_aligned_and_not_null(addr, align, is_zst)
1379	);
1380	crate::intrinsics::read_via_copy(src)
1381	}
1382	}
1383
1384	/// Reads the value from `src` without moving it. This leaves the
1385	/// memory in `src` unchanged.
1386	///
1387	/// Unlike [`read`], `read_unaligned` works with unaligned pointers.
1388	///
1389	/// # Safety
1390	///
1391	/// Behavior is undefined if any of the following conditions are violated:
1392	///
1393	/// `src` must be [valid] for reads.*
1394	///
1395	/// `src` must point to a properly initialized value of type `T`.*
1396	///
1397	/// Like [`read`], `read_unaligned` creates a bitwise copy of `T`, regardless of
1398	/// whether `T` is [`Copy`]. If `T` is not [`Copy`], using both the returned
1399	/// value and the value at `src` can [violate memory safety][read-ownership].*
1400	///
1401	/// [read-ownership]: read#ownership-of-the-returned-value
1402	/// [valid]: self#safety
1403	///
1404	/// ## On `packed` structs
1405	///
1406	/// Attempting to create a raw pointer to an `unaligned` struct field with
1407	/// an expression such as `&packed.unaligned as const FieldType` creates an*
1408	/// intermediate unaligned reference before converting that to a raw pointer.
1409	/// That this reference is temporary and immediately cast is inconsequential
1410	/// as the compiler always expects references to be properly aligned.
1411	/// As a result, using `&packed.unaligned as const FieldType` causes immediate*
1412	/// undefined behavior* in your program.*
1413	///
1414	/// Instead you must use the `&raw const` syntax to create the pointer.
1415	/// You may use that constructed pointer together with this function.
1416	///
1417	/// An example of what not to do and how this relates to `read_unaligned` is:
1418	///
1419	/// ```
1420	/// #[repr(packed, C)]
1421	/// struct Packed {
1422	/// _padding: u8,
1423	/// unaligned: u32,
1424	/// }
1425	///
1426	/// let packed = Packed {
1427	/// _padding: `0x00`,
1428	/// unaligned: `0x01020304`,
1429	/// };
1430	///
1431	/// // Take the address of a 32-bit integer which is not aligned.
1432	/// // In contrast to `&packed.unaligned as const _`, this has no undefined behavior.*
1433	/// let unaligned = &raw const packed.unaligned;
1434	///
1435	/// let v = unsafe { std::ptr::read_unaligned(unaligned) };
1436	/// assert_eq!(v, `0x01020304`);
1437	/// ```
1438	///
1439	/// Accessing unaligned fields directly with e.g. `packed.unaligned` is safe however.
1440	///
1441	/// # Examples
1442	///
1443	/// Read a `usize` value from a byte buffer:
1444	///
1445	/// ```
1446	/// fn read_usize(x: &[u8]) -> usize {
1447	/// assert!(x.len() >= size_of::<usize>());
1448	///
1449	/// let ptr = x.as_ptr() as *const usize;
1450	///
1451	/// unsafe { ptr.read_unaligned() }
1452	/// }
1453	/// ```
1454	#[inline]
1455	#[stable(feature = "ptr_unaligned", since = "1.17.0")]
1456	#[rustc_const_stable(feature = "const_ptr_read", since = "1.71.0")]
1457	#[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
1458	#[rustc_diagnostic_item = "ptr_read_unaligned"]
1459	pub const unsafe fn read_unaligned<T>(src: *const T) -> T {
1460	let mut tmp: MaybeUninit = MaybeUninit::<T>::uninit();
1461	// SAFETY: the caller must guarantee that `src` is valid for reads.
1462	// `src` cannot overlap `tmp` because `tmp` was just allocated on
1463	// the stack as a separate allocated object.
1464	//
1465	// Also, since we just wrote a valid value into `tmp`, it is guaranteed
1466	// to be properly initialized.
1467	unsafe {
1468	copy_nonoverlapping(src as *const u8, dst:tmp.as_mut_ptr() as *mut u8, count:size_of::<T>());
1469	tmp.assume_init()
1470	}
1471	}
1472
1473	/// Overwrites a memory location with the given value without reading or
1474	/// dropping the old value.
1475	///
1476	/// `write` does not drop the contents of `dst`. This is safe, but it could leak
1477	/// allocations or resources, so care should be taken not to overwrite an object
1478	/// that should be dropped.
1479	///
1480	/// Additionally, it does not drop `src`. Semantically, `src` is moved into the
1481	/// location pointed to by `dst`.
1482	///
1483	/// This is appropriate for initializing uninitialized memory, or overwriting
1484	/// memory that has previously been [`read`] from.
1485	///
1486	/// # Safety
1487	///
1488	/// Behavior is undefined if any of the following conditions are violated:
1489	///
1490	/// `dst` must be [valid] for writes.*
1491	///
1492	/// `dst` must be properly aligned. Use* [`write_unaligned`] if this is not the
1493	/// case.
1494	///
1495	/// Note that even if `T` has size `0`, the pointer must be properly aligned.
1496	///
1497	/// [valid]: self#safety
1498	///
1499	/// # Examples
1500	///
1501	/// Basic usage:
1502	///
1503	/// ```
1504	/// let mut x = `0`;
1505	/// let y = &mut x as *mut i32;
1506	/// let z = `12`;
1507	///
1508	/// unsafe {
1509	/// std::ptr::write(y, z);
1510	/// assert_eq!(std::ptr::read(y), `12`);
1511	/// }
1512	/// ```
1513	///
1514	/// Manually implement [`mem::swap`]:
1515	///
1516	/// ```
1517	/// use std::ptr;
1518	///
1519	/// fn swap<T>(a: &mut T, b: &mut T) {
1520	/// unsafe {
1521	/// // Create a bitwise copy of the value at `a` in `tmp`.
1522	/// let tmp = ptr::read(a);
1523	///
1524	/// // Exiting at this point (either by explicitly returning or by
1525	/// // calling a function which panics) would cause the value in `tmp` to
1526	/// // be dropped while the same value is still referenced by `a`. This
1527	/// // could trigger undefined behavior if `T` is not `Copy`.
1528	///
1529	/// // Create a bitwise copy of the value at `b` in `a`.
1530	/// // This is safe because mutable references cannot alias.
1531	/// ptr::copy_nonoverlapping(b, a, `1`);
1532	///
1533	/// // As above, exiting here could trigger undefined behavior because
1534	/// // the same value is referenced by `a` and `b`.
1535	///
1536	/// // Move `tmp` into `b`.
1537	/// ptr::write(b, tmp);
1538	///
1539	/// // `tmp` has been moved (`write` takes ownership of its second argument),
1540	/// // so nothing is dropped implicitly here.
1541	/// }
1542	/// }
1543	///
1544	/// let mut foo = "foo".to_owned();
1545	/// let mut bar = "bar".to_owned();
1546	///
1547	/// swap(&mut foo, &mut bar);
1548	///
1549	/// assert_eq!(foo, "bar");
1550	/// assert_eq!(bar, "foo");
1551	/// ```
1552	#[inline]
1553	#[stable(feature = "rust1", since = "1.0.0")]
1554	#[rustc_const_stable(feature = "const_ptr_write", since = "1.83.0")]
1555	#[rustc_diagnostic_item = "ptr_write"]
1556	#[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
1557	pub const unsafe fn write<T>(dst: *mut T, src: T) {
1558	// Semantically, it would be fine for this to be implemented as a
1559	// `copy_nonoverlapping` and appropriate drop suppression of `src`.
1560
1561	// However, implementing via that currently produces more MIR than is ideal.
1562	// Using an intrinsic keeps it down to just the simple `dst = move src` in*
1563	// MIR (11 statements shorter, at the time of writing), and also allows
1564	// `src` to stay an SSA value in codegen_ssa, rather than a memory one.
1565
1566	// SAFETY: the caller must guarantee that `dst` is valid for writes.
1567	// `dst` cannot overlap `src` because the caller has mutable access
1568	// to `dst` while `src` is owned by this function.
1569	unsafe {
1570	#[cfg(debug_assertions)] // Too expensive to always enable (for now?)
1571	ub_checks::assert_unsafe_precondition!(
1572	check_language_ub,
1573	"ptr::write requires that the pointer argument is aligned and non-null",
1574	(
1575	addr: *mut () = dst as *mut (),
1576	align: usize = align_of::<T>(),
1577	is_zst: bool = T::IS_ZST,
1578	) => ub_checks::maybe_is_aligned_and_not_null(addr, align, is_zst)
1579	);
1580	intrinsics::write_via_move(dst, src)
1581	}
1582	}
1583
1584	/// Overwrites a memory location with the given value without reading or
1585	/// dropping the old value.
1586	///
1587	/// Unlike [`write()`], the pointer may be unaligned.
1588	///
1589	/// `write_unaligned` does not drop the contents of `dst`. This is safe, but it
1590	/// could leak allocations or resources, so care should be taken not to overwrite
1591	/// an object that should be dropped.
1592	///
1593	/// Additionally, it does not drop `src`. Semantically, `src` is moved into the
1594	/// location pointed to by `dst`.
1595	///
1596	/// This is appropriate for initializing uninitialized memory, or overwriting
1597	/// memory that has previously been read with [`read_unaligned`].
1598	///
1599	/// # Safety
1600	///
1601	/// Behavior is undefined if any of the following conditions are violated:
1602	///
1603	/// `dst` must be [valid] for writes.*
1604	///
1605	/// [valid]: self#safety
1606	///
1607	/// ## On `packed` structs
1608	///
1609	/// Attempting to create a raw pointer to an `unaligned` struct field with
1610	/// an expression such as `&packed.unaligned as const FieldType` creates an*
1611	/// intermediate unaligned reference before converting that to a raw pointer.
1612	/// That this reference is temporary and immediately cast is inconsequential
1613	/// as the compiler always expects references to be properly aligned.
1614	/// As a result, using `&packed.unaligned as const FieldType` causes immediate*
1615	/// undefined behavior* in your program.*
1616	///
1617	/// Instead, you must use the `&raw mut` syntax to create the pointer.
1618	/// You may use that constructed pointer together with this function.
1619	///
1620	/// An example of how to do it and how this relates to `write_unaligned` is:
1621	///
1622	/// ```
1623	/// #[repr(packed, C)]
1624	/// struct Packed {
1625	/// _padding: u8,
1626	/// unaligned: u32,
1627	/// }
1628	///
1629	/// let mut packed: Packed = unsafe { std::mem::zeroed() };
1630	///
1631	/// // Take the address of a 32-bit integer which is not aligned.
1632	/// // In contrast to `&packed.unaligned as mut _`, this has no undefined behavior.*
1633	/// let unaligned = &raw mut packed.unaligned;
1634	///
1635	/// unsafe { std::ptr::write_unaligned(unaligned, `42`) };
1636	///
1637	/// assert_eq!({packed.unaligned}, `42`); // `{...}` forces copying the field instead of creating a reference.
1638	/// ```
1639	///
1640	/// Accessing unaligned fields directly with e.g. `packed.unaligned` is safe however
1641	/// (as can be seen in the `assert_eq!` above).
1642	///
1643	/// # Examples
1644	///
1645	/// Write a `usize` value to a byte buffer:
1646	///
1647	/// ```
1648	/// fn write_usize(x: &mut [u8], val: usize) {
1649	/// assert!(x.len() >= size_of::<usize>());
1650	///
1651	/// let ptr = x.as_mut_ptr() as *mut usize;
1652	///
1653	/// unsafe { ptr.write_unaligned(val) }
1654	/// }
1655	/// ```
1656	#[inline]
1657	#[stable(feature = "ptr_unaligned", since = "1.17.0")]
1658	#[rustc_const_stable(feature = "const_ptr_write", since = "1.83.0")]
1659	#[rustc_diagnostic_item = "ptr_write_unaligned"]
1660	#[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
1661	pub const unsafe fn write_unaligned<T>(dst: *mut T, src: T) {
1662	// SAFETY: the caller must guarantee that `dst` is valid for writes.
1663	// `dst` cannot overlap `src` because the caller has mutable access
1664	// to `dst` while `src` is owned by this function.
1665	unsafe {
1666	copy_nonoverlapping((&raw const src) as *const u8, dst as *mut u8, count:size_of::<T>());
1667	// We are calling the intrinsic directly to avoid function calls in the generated code.
1668	intrinsics::forget(src);
1669	}
1670	}
1671
1672	/// Performs a volatile read of the value from `src` without moving it. This
1673	/// leaves the memory in `src` unchanged.
1674	///
1675	/// Volatile operations are intended to act on I/O memory, and are guaranteed
1676	/// to not be elided or reordered by the compiler across other volatile
1677	/// operations.
1678	///
1679	/// # Notes
1680	///
1681	/// Rust does not currently have a rigorously and formally defined memory model,
1682	/// so the precise semantics of what "volatile" means here is subject to change
1683	/// over time. That being said, the semantics will almost always end up pretty
1684	/// similar to [C11's definition of volatile][c11].
1685	///
1686	/// The compiler shouldn't change the relative order or number of volatile
1687	/// memory operations. However, volatile memory operations on zero-sized types
1688	/// (e.g., if a zero-sized type is passed to `read_volatile`) are noops
1689	/// and may be ignored.
1690	///
1691	/// [c11]: http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1570.pdf
1692	///
1693	/// # Safety
1694	///
1695	/// Behavior is undefined if any of the following conditions are violated:
1696	///
1697	/// `src` must be [valid] for reads.*
1698	///
1699	/// `src` must be properly aligned.*
1700	///
1701	/// `src` must point to a properly initialized value of type `T`.*
1702	///
1703	/// Like [`read`], `read_volatile` creates a bitwise copy of `T`, regardless of
1704	/// whether `T` is [`Copy`]. If `T` is not [`Copy`], using both the returned
1705	/// value and the value at `src` can [violate memory safety][read-ownership].*
1706	/// However, storing non-[`Copy`] types in volatile memory is almost certainly
1707	/// incorrect.
1708	///
1709	/// Note that even if `T` has size `0`, the pointer must be properly aligned.
1710	///
1711	/// [valid]: self#safety
1712	/// [read-ownership]: read#ownership-of-the-returned-value
1713	///
1714	/// Just like in C, whether an operation is volatile has no bearing whatsoever
1715	/// on questions involving concurrent access from multiple threads. Volatile
1716	/// accesses behave exactly like non-atomic accesses in that regard. In particular,
1717	/// a race between a `read_volatile` and any write operation to the same location
1718	/// is undefined behavior.
1719	///
1720	/// # Examples
1721	///
1722	/// Basic usage:
1723	///
1724	/// ```
1725	/// let x = `12`;
1726	/// let y = &x as *const i32;
1727	///
1728	/// unsafe {
1729	/// assert_eq!(std::ptr::read_volatile(y), `12`);
1730	/// }
1731	/// ```
1732	#[inline]
1733	#[stable(feature = "volatile", since = "1.9.0")]
1734	#[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
1735	#[rustc_diagnostic_item = "ptr_read_volatile"]
1736	pub unsafe fn read_volatile<T>(src: *const T) -> T {
1737	// SAFETY: the caller must uphold the safety contract for `volatile_load`.
1738	unsafe {
1739	ub_checks::assert_unsafe_precondition!(
1740	check_language_ub,
1741	"ptr::read_volatile requires that the pointer argument is aligned and non-null",
1742	(
1743	addr: *const () = src as *const (),
1744	align: usize = align_of::<T>(),
1745	is_zst: bool = T::IS_ZST,
1746	) => ub_checks::maybe_is_aligned_and_not_null(addr, align, is_zst)
1747	);
1748	intrinsics::volatile_load(src)
1749	}
1750	}
1751
1752	/// Performs a volatile write of a memory location with the given value without
1753	/// reading or dropping the old value.
1754	///
1755	/// Volatile operations are intended to act on I/O memory, and are guaranteed
1756	/// to not be elided or reordered by the compiler across other volatile
1757	/// operations.
1758	///
1759	/// `write_volatile` does not drop the contents of `dst`. This is safe, but it
1760	/// could leak allocations or resources, so care should be taken not to overwrite
1761	/// an object that should be dropped.
1762	///
1763	/// Additionally, it does not drop `src`. Semantically, `src` is moved into the
1764	/// location pointed to by `dst`.
1765	///
1766	/// # Notes
1767	///
1768	/// Rust does not currently have a rigorously and formally defined memory model,
1769	/// so the precise semantics of what "volatile" means here is subject to change
1770	/// over time. That being said, the semantics will almost always end up pretty
1771	/// similar to [C11's definition of volatile][c11].
1772	///
1773	/// The compiler shouldn't change the relative order or number of volatile
1774	/// memory operations. However, volatile memory operations on zero-sized types
1775	/// (e.g., if a zero-sized type is passed to `write_volatile`) are noops
1776	/// and may be ignored.
1777	///
1778	/// [c11]: http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1570.pdf
1779	///
1780	/// # Safety
1781	///
1782	/// Behavior is undefined if any of the following conditions are violated:
1783	///
1784	/// `dst` must be [valid] for writes.*
1785	///
1786	/// `dst` must be properly aligned.*
1787	///
1788	/// Note that even if `T` has size `0`, the pointer must be properly aligned.
1789	///
1790	/// [valid]: self#safety
1791	///
1792	/// Just like in C, whether an operation is volatile has no bearing whatsoever
1793	/// on questions involving concurrent access from multiple threads. Volatile
1794	/// accesses behave exactly like non-atomic accesses in that regard. In particular,
1795	/// a race between a `write_volatile` and any other operation (reading or writing)
1796	/// on the same location is undefined behavior.
1797	///
1798	/// # Examples
1799	///
1800	/// Basic usage:
1801	///
1802	/// ```
1803	/// let mut x = `0`;
1804	/// let y = &mut x as *mut i32;
1805	/// let z = `12`;
1806	///
1807	/// unsafe {
1808	/// std::ptr::write_volatile(y, z);
1809	/// assert_eq!(std::ptr::read_volatile(y), `12`);
1810	/// }
1811	/// ```
1812	#[inline]
1813	#[stable(feature = "volatile", since = "1.9.0")]
1814	#[rustc_diagnostic_item = "ptr_write_volatile"]
1815	#[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
1816	pub unsafe fn write_volatile<T>(dst: *mut T, src: T) {
1817	// SAFETY: the caller must uphold the safety contract for `volatile_store`.
1818	unsafe {
1819	ub_checks::assert_unsafe_precondition!(
1820	check_language_ub,
1821	"ptr::write_volatile requires that the pointer argument is aligned and non-null",
1822	(
1823	addr: *mut () = dst as *mut (),
1824	align: usize = align_of::<T>(),
1825	is_zst: bool = T::IS_ZST,
1826	) => ub_checks::maybe_is_aligned_and_not_null(addr, align, is_zst)
1827	);
1828	intrinsics::volatile_store(dst, val:src);
1829	}
1830	}
1831
1832	/// Align pointer `p`.
1833	///
1834	/// Calculate offset (in terms of elements of `size_of::<T>()` stride) that has to be applied
1835	/// to pointer `p` so that pointer `p` would get aligned to `a`.
1836	///
1837	/// # Safety
1838	/// `a` must be a power of two.
1839	///
1840	/// # Notes
1841	/// This implementation has been carefully tailored to not panic. It is UB for this to panic.
1842	/// The only real change that can be made here is change of `INV_TABLE_MOD_16` and associated
1843	/// constants.
1844	///
1845	/// If we ever decide to make it possible to call the intrinsic with `a` that is not a
1846	/// power-of-two, it will probably be more prudent to just change to a naive implementation rather
1847	/// than trying to adapt this to accommodate that change.
1848	///
1849	/// Any questions go to @nagisa.
1850	#[allow(ptr_to_integer_transmute_in_consts)]
1851	pub(crate) unsafe fn align_offset<T: Sized>(p: *const T, a: usize) -> usize {
1852	// FIXME(#75598): Direct use of these intrinsics improves codegen significantly at opt-level <=
1853	// 1, where the method versions of these operations are not inlined.
1854	use intrinsics::{
1855	assume, cttz_nonzero, exact_div, mul_with_overflow, unchecked_rem, unchecked_shl,
1856	unchecked_shr, unchecked_sub, wrapping_add, wrapping_mul, wrapping_sub,
1857	};
1858
1859	/// Calculate multiplicative modular inverse of `x` modulo `m`.
1860	///
1861	/// This implementation is tailored for `align_offset` and has following preconditions:
1862	///
1863	/// `m` is a power-of-two;*
1864	/// `x < m`; (if `x ≥ m`, pass in `x % m` instead)*
1865	///
1866	/// Implementation of this function shall not panic. Ever.
1867	#[inline]
1868	const unsafe fn mod_inv(x: usize, m: usize) -> usize {
1869	/// Multiplicative modular inverse table modulo 2⁴ = 16.
1870	///
1871	/// Note, that this table does not contain values where inverse does not exist (i.e., for
1872	/// `0⁻¹ mod 16`, `2⁻¹ mod 16`, etc.)
1873	const INV_TABLE_MOD_16: [u8; `8`] = [`1`, `11`, `13`, `7`, `9`, `3`, `5`, `15`];
1874	/// Modulo for which the `INV_TABLE_MOD_16` is intended.
1875	const INV_TABLE_MOD: usize = `16`;
1876
1877	// SAFETY: `m` is required to be a power-of-two, hence non-zero.
1878	let m_minus_one = unsafe { unchecked_sub(m, `1`) };
1879	let mut inverse = INV_TABLE_MOD_16[(x & (INV_TABLE_MOD - `1`)) >> `1`] as usize;
1880	let mut mod_gate = INV_TABLE_MOD;
1881	// We iterate "up" using the following formula:
1882	//
1883	// $$ xy ≡ 1 (mod 2ⁿ) → xy (2 - xy) ≡ 1 (mod 2²ⁿ) $$
1884	//
1885	// This application needs to be applied at least until `2²ⁿ ≥ m`, at which point we can
1886	// finally reduce the computation to our desired `m` by taking `inverse mod m`.
1887	//
1888	// This computation is `O(log log m)`, which is to say, that on 64-bit machines this loop
1889	// will always finish in at most 4 iterations.
1890	loop {
1891	// y = y (2 - xy) mod n*
1892	//
1893	// Note, that we use wrapping operations here intentionally – the original formula
1894	// uses e.g., subtraction `mod n`. It is entirely fine to do them `mod
1895	// usize::MAX` instead, because we take the result `mod n` at the end
1896	// anyway.
1897	if mod_gate >= m {
1898	break;
1899	}
1900	inverse = wrapping_mul(inverse, wrapping_sub(`2usize`, wrapping_mul(x, inverse)));
1901	let (new_gate, overflow) = mul_with_overflow(mod_gate, mod_gate);
1902	if overflow {
1903	break;
1904	}
1905	mod_gate = new_gate;
1906	}
1907	inverse & m_minus_one
1908	}
1909
1910	let stride = size_of::<T>();
1911
1912	let addr: usize = p.addr();
1913
1914	// SAFETY: `a` is a power-of-two, therefore non-zero.
1915	let a_minus_one = unsafe { unchecked_sub(a, `1`) };
1916
1917	if stride == `0` {
1918	// SPECIAL_CASE: handle 0-sized types. No matter how many times we step, the address will
1919	// stay the same, so no offset will be able to align the pointer unless it is already
1920	// aligned. This branch _will_ be optimized out as `stride` is known at compile-time.
1921	let p_mod_a = addr & a_minus_one;
1922	return if p_mod_a == `0` { `0` } else { usize::MAX };
1923	}
1924
1925	// SAFETY: `stride == 0` case has been handled by the special case above.
1926	let a_mod_stride = unsafe { unchecked_rem(a, stride) };
1927	if a_mod_stride == `0` {
1928	// SPECIAL_CASE: In cases where the `a` is divisible by `stride`, byte offset to align a
1929	// pointer can be computed more simply through `-p (mod a)`. In the off-chance the byte
1930	// offset is not a multiple of `stride`, the input pointer was misaligned and no pointer
1931	// offset will be able to produce a `p` aligned to the specified `a`.
1932	//
1933	// The naive `-p (mod a)` equation inhibits LLVM's ability to select instructions
1934	// like `lea`. We compute `(round_up_to_next_alignment(p, a) - p)` instead. This
1935	// redistributes operations around the load-bearing, but pessimizing `and` instruction
1936	// sufficiently for LLVM to be able to utilize the various optimizations it knows about.
1937	//
1938	// LLVM handles the branch here particularly nicely. If this branch needs to be evaluated
1939	// at runtime, it will produce a mask `if addr_mod_stride == 0 { 0 } else { usize::MAX }`
1940	// in a branch-free way and then bitwise-OR it with whatever result the `-p mod a`
1941	// computation produces.
1942
1943	let aligned_address = wrapping_add(addr, a_minus_one) & wrapping_sub(`0`, a);
1944	let byte_offset = wrapping_sub(aligned_address, addr);
1945	// FIXME: Remove the assume after <https://github.com/llvm/llvm-project/issues/62502>
1946	// SAFETY: Masking by `-a` can only affect the low bits, and thus cannot have reduced
1947	// the value by more than `a-1`, so even though the intermediate values might have
1948	// wrapped, the byte_offset is always in `[0, a)`.
1949	unsafe { assume(byte_offset < a) };
1950
1951	// SAFETY: `stride == 0` case has been handled by the special case above.
1952	let addr_mod_stride = unsafe { unchecked_rem(addr, stride) };
1953
1954	return if addr_mod_stride == `0` {
1955	// SAFETY: `stride` is non-zero. This is guaranteed to divide exactly as well, because
1956	// addr has been verified to be aligned to the original type’s alignment requirements.
1957	unsafe { exact_div(byte_offset, stride) }
1958	} else {
1959	usize::MAX
1960	};
1961	}
1962
1963	// GENERAL_CASE: From here on we’re handling the very general case where `addr` may be
1964	// misaligned, there isn’t an obvious relationship between `stride` and `a` that we can take an
1965	// advantage of, etc. This case produces machine code that isn’t particularly high quality,
1966	// compared to the special cases above. The code produced here is still within the realm of
1967	// miracles, given the situations this case has to deal with.
1968
1969	// SAFETY: a is power-of-two hence non-zero. stride == 0 case is handled above.
1970	// FIXME(const-hack) replace with min
1971	let gcdpow = unsafe {
1972	let x = cttz_nonzero(stride);
1973	let y = cttz_nonzero(a);
1974	if x < y { x } else { y }
1975	};
1976	// SAFETY: gcdpow has an upper-bound that’s at most the number of bits in a `usize`.
1977	let gcd = unsafe { unchecked_shl(`1usize`, gcdpow) };
1978	// SAFETY: gcd is always greater or equal to 1.
1979	if addr & unsafe { unchecked_sub(gcd, `1`) } == `0` {
1980	// This branch solves for the following linear congruence equation:
1981	//
1982	// ` p + so = 0 mod a `
1983	//
1984	// `p` here is the pointer value, `s` - stride of `T`, `o` offset in `T`s, and `a` - the
1985	// requested alignment.
1986	//
1987	// With `g = gcd(a, s)`, and the above condition asserting that `p` is also divisible by
1988	// `g`, we can denote `a' = a/g`, `s' = s/g`, `p' = p/g`, then this becomes equivalent to:
1989	//
1990	// ` p' + s'o = 0 mod a' `
1991	// ` o = (a' - (p' mod a')) (s'^-1 mod a') `*
1992	//
1993	// The first term is "the relative alignment of `p` to `a`" (divided by the `g`), the
1994	// second term is "how does incrementing `p` by `s` bytes change the relative alignment of
1995	// `p`" (again divided by `g`). Division by `g` is necessary to make the inverse well
1996	// formed if `a` and `s` are not co-prime.
1997	//
1998	// Furthermore, the result produced by this solution is not "minimal", so it is necessary
1999	// to take the result `o mod lcm(s, a)`. This `lcm(s, a)` is the same as `a'`.
2000
2001	// SAFETY: `gcdpow` has an upper-bound not greater than the number of trailing 0-bits in
2002	// `a`.
2003	let a2 = unsafe { unchecked_shr(a, gcdpow) };
2004	// SAFETY: `a2` is non-zero. Shifting `a` by `gcdpow` cannot shift out any of the set bits
2005	// in `a` (of which it has exactly one).
2006	let a2minus1 = unsafe { unchecked_sub(a2, `1`) };
2007	// SAFETY: `gcdpow` has an upper-bound not greater than the number of trailing 0-bits in
2008	// `a`.
2009	let s2 = unsafe { unchecked_shr(stride & a_minus_one, gcdpow) };
2010	// SAFETY: `gcdpow` has an upper-bound not greater than the number of trailing 0-bits in
2011	// `a`. Furthermore, the subtraction cannot overflow, because `a2 = a >> gcdpow` will
2012	// always be strictly greater than `(p % a) >> gcdpow`.
2013	let minusp2 = unsafe { unchecked_sub(a2, unchecked_shr(addr & a_minus_one, gcdpow)) };
2014	// SAFETY: `a2` is a power-of-two, as proven above. `s2` is strictly less than `a2`
2015	// because `(s % a) >> gcdpow` is strictly less than `a >> gcdpow`.
2016	return wrapping_mul(minusp2, unsafe { mod_inv(s2, a2) }) & a2minus1;
2017	}
2018
2019	// Cannot be aligned at all.
2020	usize::MAX
2021	}
2022
2023	/// Compares raw pointers for equality.
2024	///
2025	/// This is the same as using the `==` operator, but less generic:
2026	/// the arguments have to be `const T` raw pointers,*
2027	/// not anything that implements `PartialEq`.
2028	///
2029	/// This can be used to compare `&T` references (which coerce to `const T` implicitly)*
2030	/// by their address rather than comparing the values they point to
2031	/// (which is what the `PartialEq for &T` implementation does).
2032	///
2033	/// When comparing wide pointers, both the address and the metadata are tested for equality.
2034	/// However, note that comparing trait object pointers (`const dyn Trait`) is unreliable: pointers*
2035	/// to values of the same underlying type can compare inequal (because vtables are duplicated in
2036	/// multiple codegen units), and pointers to values of different* underlying type can compare equal*
2037	/// (since identical vtables can be deduplicated within a codegen unit).
2038	///
2039	/// # Examples
2040	///
2041	/// ```
2042	/// use std::ptr;
2043	///
2044	/// let five = `5`;
2045	/// let other_five = `5`;
2046	/// let five_ref = &five;
2047	/// let same_five_ref = &five;
2048	/// let other_five_ref = &other_five;
2049	///
2050	/// assert!(five_ref == same_five_ref);
2051	/// assert!(ptr::eq(five_ref, same_five_ref));
2052	///
2053	/// assert!(five_ref == other_five_ref);
2054	/// assert!(!ptr::eq(five_ref, other_five_ref));
2055	/// ```
2056	///
2057	/// Slices are also compared by their length (fat pointers):
2058	///
2059	/// ```
2060	/// let a = [`1`, `2`, `3`];
2061	/// assert!(std::ptr::eq(&a[..`3`], &a[..`3`]));
2062	/// assert!(!std::ptr::eq(&a[..`2`], &a[..`3`]));
2063	/// assert!(!std::ptr::eq(&a[`0`..`2`], &a[`1`..`3`]));
2064	/// ```
2065	#[stable(feature = "ptr_eq", since = "1.17.0")]
2066	#[inline(always)]
2067	#[must_use = "pointer comparison produces a value"]
2068	#[rustc_diagnostic_item = "ptr_eq"]
2069	#[allow(ambiguous_wide_pointer_comparisons)] // it's actually clear here
2070	pub fn eq<T: ?Sized>(a: *const T, b: *const T) -> bool {
2071	a == b
2072	}
2073
2074	/// Compares the addresses* of the two pointers for equality,*
2075	/// ignoring any metadata in fat pointers.
2076	///
2077	/// If the arguments are thin pointers of the same type,
2078	/// then this is the same as [`eq`].
2079	///
2080	/// # Examples
2081	///
2082	/// ```
2083	/// use std::ptr;
2084	///
2085	/// let whole: &[i32; `3`] = &[`1`, `2`, `3`];
2086	/// let first: &i32 = &whole[`0`];
2087	///
2088	/// assert!(ptr::addr_eq(whole, first));
2089	/// assert!(!ptr::eq::<dyn std::fmt::Debug>(whole, first));
2090	/// ```
2091	#[stable(feature = "ptr_addr_eq", since = "1.76.0")]
2092	#[inline(always)]
2093	#[must_use = "pointer comparison produces a value"]
2094	pub fn addr_eq<T: ?Sized, U: ?Sized>(p: *const T, q: *const U) -> bool {
2095	(p as *const ()) == (q as *const ())
2096	}
2097
2098	/// Compares the addresses* of the two function pointers for equality.*
2099	///
2100	/// This is the same as `f == g`, but using this function makes clear that the potentially
2101	/// surprising semantics of function pointer comparison are involved.
2102	///
2103	/// There are very few guarantees* about how functions are compiled and they have no intrinsic*
2104	/// “identity”; in particular, this comparison:
2105	///
2106	/// May return `true` unexpectedly, in cases where functions are equivalent.*
2107	///
2108	/// For example, the following program is likely (but not guaranteed) to print `(true, true)`
2109	/// when compiled with optimization:
2110	///
2111	/// ```
2112	/// let f: fn(i32) -> i32 = \|x\| x;
2113	/// let g: fn(i32) -> i32 = \|x\| x + `0`; // different closure, different body
2114	/// let h: fn(u32) -> u32 = \|x\| x + `0`; // different signature too
2115	/// dbg!(std::ptr::fn_addr_eq(f, g), std::ptr::fn_addr_eq(f, h)); // not guaranteed to be equal
2116	/// ```
2117	///
2118	/// May return `false` in any case.*
2119	///
2120	/// This is particularly likely with generic functions but may happen with any function.
2121	/// (From an implementation perspective, this is possible because functions may sometimes be
2122	/// processed more than once by the compiler, resulting in duplicate machine code.)
2123	///
2124	/// Despite these false positives and false negatives, this comparison can still be useful.
2125	/// Specifically, if
2126	///
2127	/// `T` is the same type as `U`, `T` is a [subtype] of `U`, or `U` is a [subtype] of `T`, and*
2128	/// `ptr::fn_addr_eq(f, g)` returns true,*
2129	///
2130	/// then calling `f` and calling `g` will be equivalent.
2131	///
2132	///
2133	/// # Examples
2134	///
2135	/// ```
2136	/// use std::ptr;
2137	///
2138	/// fn a() { println!("a"); }
2139	/// fn b() { println!("b"); }
2140	/// assert!(!ptr::fn_addr_eq(a as fn(), b as fn()));
2141	/// ```
2142	///
2143	/// [subtype]: https://doc.rust-lang.org/reference/subtyping.html
2144	#[stable(feature = "ptr_fn_addr_eq", since = "1.85.0")]
2145	#[inline(always)]
2146	#[must_use = "function pointer comparison produces a value"]
2147	pub fn fn_addr_eq<T: FnPtr, U: FnPtr>(f: T, g: U) -> bool {
2148	f.addr() == g.addr()
2149	}
2150
2151	/// Hash a raw pointer.
2152	///
2153	/// This can be used to hash a `&T` reference (which coerces to `const T` implicitly)*
2154	/// by its address rather than the value it points to
2155	/// (which is what the `Hash for &T` implementation does).
2156	///
2157	/// # Examples
2158	///
2159	/// ```
2160	/// use std::hash::{DefaultHasher, Hash, Hasher};
2161	/// use std::ptr;
2162	///
2163	/// let five = `5`;
2164	/// let five_ref = &five;
2165	///
2166	/// let mut hasher = DefaultHasher::new();
2167	/// ptr::hash(five_ref, &mut hasher);
2168	/// let actual = hasher.finish();
2169	///
2170	/// let mut hasher = DefaultHasher::new();
2171	/// (five_ref as *const i32).hash(&mut hasher);
2172	/// let expected = hasher.finish();
2173	///
2174	/// assert_eq!(actual, expected);
2175	/// ```
2176	#[stable(feature = "ptr_hash", since = "1.35.0")]
2177	pub fn hash<T: ?Sized, S: hash::Hasher>(hashee: *const T, into: &mut S) {
2178	use crate::hash::Hash;
2179	hashee.hash(state:into);
2180	}
2181
2182	#[stable(feature = "fnptr_impls", since = "1.4.0")]
2183	impl<F: FnPtr> PartialEq for F {
2184	#[inline]
2185	fn eq(&self, other: &Self) -> bool {
2186	self.addr() == other.addr()
2187	}
2188	}
2189	#[stable(feature = "fnptr_impls", since = "1.4.0")]
2190	impl<F: FnPtr> Eq for F {}
2191
2192	#[stable(feature = "fnptr_impls", since = "1.4.0")]
2193	impl<F: FnPtr> PartialOrd for F {
2194	#[inline]
2195	fn partial_cmp(&self, other: &Self) -> Option<Ordering> {
2196	self.addr().partial_cmp(&other.addr())
2197	}
2198	}
2199	#[stable(feature = "fnptr_impls", since = "1.4.0")]
2200	impl<F: FnPtr> Ord for F {
2201	#[inline]
2202	fn cmp(&self, other: &Self) -> Ordering {
2203	self.addr().cmp(&other.addr())
2204	}
2205	}
2206
2207	#[stable(feature = "fnptr_impls", since = "1.4.0")]
2208	impl<F: FnPtr> hash::Hash for F {
2209	fn hash<HH: hash::Hasher>(&self, state: &mut HH) {
2210	state.write_usize(self.addr() as _)
2211	}
2212	}
2213
2214	#[stable(feature = "fnptr_impls", since = "1.4.0")]
2215	impl<F: FnPtr> fmt::Pointer for F {
2216	fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
2217	fmt::pointer_fmt_inner(self.addr() as _, f)
2218	}
2219	}
2220
2221	#[stable(feature = "fnptr_impls", since = "1.4.0")]
2222	impl<F: FnPtr> fmt::Debug for F {
2223	fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
2224	fmt::pointer_fmt_inner(self.addr() as _, f)
2225	}
2226	}
2227
2228	/// Creates a `const` raw pointer to a place, without creating an intermediate reference.
2229	///
2230	/// `addr_of!(expr)` is equivalent to `&raw const expr`. The macro is soft-deprecated;
2231	/// use `&raw const` instead.
2232	///
2233	/// It is still an open question under which conditions writing through an `addr_of!`-created
2234	/// pointer is permitted. If the place `expr` evaluates to is based on a raw pointer, then the
2235	/// result of `addr_of!` inherits all permissions from that raw pointer. However, if the place is
2236	/// based on a reference, local variable, or `static`, then until all details are decided, the same
2237	/// rules as for shared references apply: it is UB to write through a pointer created with this
2238	/// operation, except for bytes located inside an `UnsafeCell`. Use `&raw mut` (or [`addr_of_mut`])
2239	/// to create a raw pointer that definitely permits mutation.
2240	///
2241	/// Creating a reference with `&`/`&mut` is only allowed if the pointer is properly aligned
2242	/// and points to initialized data. For cases where those requirements do not hold,
2243	/// raw pointers should be used instead. However, `&expr as const _` creates a reference*
2244	/// before casting it to a raw pointer, and that reference is subject to the same rules
2245	/// as all other references. This macro can create a raw pointer without* creating*
2246	/// a reference first.
2247	///
2248	/// See [`addr_of_mut`] for how to create a pointer to uninitialized data.
2249	/// Doing that with `addr_of` would not make much sense since one could only
2250	/// read the data, and that would be Undefined Behavior.
2251	///
2252	/// # Safety
2253	///
2254	/// The `expr` in `addr_of!(expr)` is evaluated as a place expression, but never loads from the
2255	/// place or requires the place to be dereferenceable. This means that `addr_of!((ptr).field)`*
2256	/// still requires the projection to `field` to be in-bounds, using the same rules as [`offset`].
2257	/// However, `addr_of!(ptr)` is defined behavior even if `ptr` is null, dangling, or misaligned.*
2258	///
2259	/// Note that `Deref`/`Index` coercions (and their mutable counterparts) are applied inside
2260	/// `addr_of!` like everywhere else, in which case a reference is created to call `Deref::deref` or
2261	/// `Index::index`, respectively. The statements above only apply when no such coercions are
2262	/// applied.
2263	///
2264	/// [`offset`]: pointer::offset
2265	///
2266	/// # Example
2267	///
2268	/// Correct usage: Creating a pointer to unaligned data
2269	///
2270	/// ```
2271	/// use std::ptr;
2272	///
2273	/// #[repr(packed)]
2274	/// struct Packed {
2275	/// f1: u8,
2276	/// f2: u16,
2277	/// }
2278	///
2279	/// let packed = Packed { f1: `1`, f2: `2` };
2280	/// // `&packed.f2` would create an unaligned reference, and thus be Undefined Behavior!
2281	/// let raw_f2 = ptr::addr_of!(packed.f2);
2282	/// assert_eq!(unsafe { raw_f2.read_unaligned() }, `2`);
2283	/// ```
2284	///
2285	/// Incorrect usage: Out-of-bounds fields projection
2286	///
2287	/// ```rust,no_run
2288	/// use std::ptr;
2289	///
2290	/// #[repr(C)]
2291	/// struct MyStruct {
2292	/// field1: i32,
2293	/// field2: i32,
2294	/// }
2295	///
2296	/// let ptr: *const MyStruct = ptr::null();
2297	/// let fieldptr = unsafe { ptr::addr_of!((ptr).field2) }; // Undefined Behavior ⚠️*
2298	/// ```
2299	///
2300	/// The field projection `.field2` would offset the pointer by 4 bytes,
2301	/// but the pointer is not in-bounds of an allocation for 4 bytes,
2302	/// so this offset is Undefined Behavior.
2303	/// See the [`offset`] docs for a full list of requirements for inbounds pointer arithmetic; the
2304	/// same requirements apply to field projections, even inside `addr_of!`. (In particular, it makes
2305	/// no difference whether the pointer is null or dangling.)
2306	#[stable(feature = "raw_ref_macros", since = "1.51.0")]
2307	#[rustc_macro_transparency = "semitransparent"]
2308	pub macro addr_of($place:expr) {
2309	&raw const $place
2310	}
2311
2312	/// Creates a `mut` raw pointer to a place, without creating an intermediate reference.
2313	///
2314	/// `addr_of_mut!(expr)` is equivalent to `&raw mut expr`. The macro is soft-deprecated;
2315	/// use `&raw mut` instead.
2316	///
2317	/// Creating a reference with `&`/`&mut` is only allowed if the pointer is properly aligned
2318	/// and points to initialized data. For cases where those requirements do not hold,
2319	/// raw pointers should be used instead. However, `&mut expr as mut _` creates a reference*
2320	/// before casting it to a raw pointer, and that reference is subject to the same rules
2321	/// as all other references. This macro can create a raw pointer without* creating*
2322	/// a reference first.
2323	///
2324	/// # Safety
2325	///
2326	/// The `expr` in `addr_of_mut!(expr)` is evaluated as a place expression, but never loads from the
2327	/// place or requires the place to be dereferenceable. This means that `addr_of_mut!((ptr).field)`*
2328	/// still requires the projection to `field` to be in-bounds, using the same rules as [`offset`].
2329	/// However, `addr_of_mut!(ptr)` is defined behavior even if `ptr` is null, dangling, or misaligned.*
2330	///
2331	/// Note that `Deref`/`Index` coercions (and their mutable counterparts) are applied inside
2332	/// `addr_of_mut!` like everywhere else, in which case a reference is created to call `Deref::deref`
2333	/// or `Index::index`, respectively. The statements above only apply when no such coercions are
2334	/// applied.
2335	///
2336	/// [`offset`]: pointer::offset
2337	///
2338	/// # Examples
2339	///
2340	/// Correct usage: Creating a pointer to unaligned data
2341	///
2342	/// ```
2343	/// use std::ptr;
2344	///
2345	/// #[repr(packed)]
2346	/// struct Packed {
2347	/// f1: u8,
2348	/// f2: u16,
2349	/// }
2350	///
2351	/// let mut packed = Packed { f1: `1`, f2: `2` };
2352	/// // `&mut packed.f2` would create an unaligned reference, and thus be Undefined Behavior!
2353	/// let raw_f2 = ptr::addr_of_mut!(packed.f2);
2354	/// unsafe { raw_f2.write_unaligned(`42`); }
2355	/// assert_eq!({packed.f2}, `42`); // `{...}` forces copying the field instead of creating a reference.
2356	/// ```
2357	///
2358	/// Correct usage: Creating a pointer to uninitialized data
2359	///
2360	/// ```rust
2361	/// use std::{ptr, mem::MaybeUninit};
2362	///
2363	/// struct Demo {
2364	/// field: bool,
2365	/// }
2366	///
2367	/// let mut uninit = MaybeUninit::<Demo>::uninit();
2368	/// // `&uninit.as_mut().field` would create a reference to an uninitialized `bool`,
2369	/// // and thus be Undefined Behavior!
2370	/// let f1_ptr = unsafe { ptr::addr_of_mut!((*uninit.as_mut_ptr()).field) };
2371	/// unsafe { f1_ptr.write(`true`); }
2372	/// let init = unsafe { uninit.assume_init() };
2373	/// ```
2374	///
2375	/// Incorrect usage: Out-of-bounds fields projection
2376	///
2377	/// ```rust,no_run
2378	/// use std::ptr;
2379	///
2380	/// #[repr(C)]
2381	/// struct MyStruct {
2382	/// field1: i32,
2383	/// field2: i32,
2384	/// }
2385	///
2386	/// let ptr: *mut MyStruct = ptr::null_mut();
2387	/// let fieldptr = unsafe { ptr::addr_of_mut!((ptr).field2) }; // Undefined Behavior ⚠️*
2388	/// ```
2389	///
2390	/// The field projection `.field2` would offset the pointer by 4 bytes,
2391	/// but the pointer is not in-bounds of an allocation for 4 bytes,
2392	/// so this offset is Undefined Behavior.
2393	/// See the [`offset`] docs for a full list of requirements for inbounds pointer arithmetic; the
2394	/// same requirements apply to field projections, even inside `addr_of_mut!`. (In particular, it
2395	/// makes no difference whether the pointer is null or dangling.)
2396	#[stable(feature = "raw_ref_macros", since = "1.51.0")]
2397	#[rustc_macro_transparency = "semitransparent"]
2398	pub macro addr_of_mut($place:expr) {
2399	&raw mut $place
2400	}
2401