1 | //! Manually manage memory through raw pointers. |
2 | //! |
3 | //! *[See also the pointer primitive types](pointer).* |
4 | //! |
5 | //! # Safety |
6 | //! |
7 | //! Many functions in this module take raw pointers as arguments and read from or write to them. For |
8 | //! this to be safe, these pointers must be *valid* for the given access. Whether a pointer is valid |
9 | //! depends on the operation it is used for (read or write), and the extent of the memory that is |
10 | //! accessed (i.e., how many bytes are read/written) -- it makes no sense to ask "is this pointer |
11 | //! valid"; one has to ask "is this pointer valid for a given access". Most functions use `*mut T` |
12 | //! and `*const T` to access only a single value, in which case the documentation omits the size and |
13 | //! implicitly assumes it to be `size_of::<T>()` bytes. |
14 | //! |
15 | //! The precise rules for validity are not determined yet. The guarantees that are |
16 | //! provided at this point are very minimal: |
17 | //! |
18 | //! * For memory accesses of [size zero][zst], *every* pointer is valid, including the [null] |
19 | //! pointer. The following points are only concerned with non-zero-sized accesses. |
20 | //! * A [null] pointer is *never* valid. |
21 | //! * For a pointer to be valid, it is necessary, but not always sufficient, that the pointer be |
22 | //! *dereferenceable*. The [provenance] of the pointer is used to determine which [allocated |
23 | //! object] it is derived from; a pointer is dereferenceable if the memory range of the given size |
24 | //! starting at the pointer is entirely contained within the bounds of that allocated object. Note |
25 | //! that in Rust, every (stack-allocated) variable is considered a separate allocated object. |
26 | //! * All accesses performed by functions in this module are *non-atomic* in the sense |
27 | //! of [atomic operations] used to synchronize between threads. This means it is |
28 | //! undefined behavior to perform two concurrent accesses to the same location from different |
29 | //! threads unless both accesses only read from memory. Notice that this explicitly |
30 | //! includes [`read_volatile`] and [`write_volatile`]: Volatile accesses cannot |
31 | //! be used for inter-thread synchronization. |
32 | //! * The result of casting a reference to a pointer is valid for as long as the |
33 | //! underlying object is live and no reference (just raw pointers) is used to |
34 | //! access the same memory. That is, reference and pointer accesses cannot be |
35 | //! interleaved. |
36 | //! |
37 | //! These axioms, along with careful use of [`offset`] for pointer arithmetic, |
38 | //! are enough to correctly implement many useful things in unsafe code. Stronger guarantees |
39 | //! will be provided eventually, as the [aliasing] rules are being determined. For more |
40 | //! information, see the [book] as well as the section in the reference devoted |
41 | //! to [undefined behavior][ub]. |
42 | //! |
43 | //! We say that a pointer is "dangling" if it is not valid for any non-zero-sized accesses. This |
44 | //! means out-of-bounds pointers, pointers to freed memory, null pointers, and pointers created with |
45 | //! [`NonNull::dangling`] are all dangling. |
46 | //! |
47 | //! ## Alignment |
48 | //! |
49 | //! Valid raw pointers as defined above are not necessarily properly aligned (where |
50 | //! "proper" alignment is defined by the pointee type, i.e., `*const T` must be |
51 | //! aligned to `align_of::<T>()`). However, most functions require their |
52 | //! arguments to be properly aligned, and will explicitly state |
53 | //! this requirement in their documentation. Notable exceptions to this are |
54 | //! [`read_unaligned`] and [`write_unaligned`]. |
55 | //! |
56 | //! When a function requires proper alignment, it does so even if the access |
57 | //! has size 0, i.e., even if memory is not actually touched. Consider using |
58 | //! [`NonNull::dangling`] in such cases. |
59 | //! |
60 | //! ## Pointer to reference conversion |
61 | //! |
62 | //! When converting a pointer to a reference (e.g. via `&*ptr` or `&mut *ptr`), |
63 | //! there are several rules that must be followed: |
64 | //! |
65 | //! * The pointer must be properly aligned. |
66 | //! |
67 | //! * It must be non-null. |
68 | //! |
69 | //! * It must be "dereferenceable" in the sense defined above. |
70 | //! |
71 | //! * The pointer must point to a [valid value] of type `T`. |
72 | //! |
73 | //! * You must enforce Rust's aliasing rules. The exact aliasing rules are not decided yet, so we |
74 | //! only give a rough overview here. The rules also depend on whether a mutable or a shared |
75 | //! reference is being created. |
76 | //! * When creating a mutable reference, then while this reference exists, the memory it points to |
77 | //! must not get accessed (read or written) through any other pointer or reference not derived |
78 | //! from this reference. |
79 | //! * When creating a shared reference, then while this reference exists, the memory it points to |
80 | //! must not get mutated (except inside `UnsafeCell`). |
81 | //! |
82 | //! If a pointer follows all of these rules, it is said to be |
83 | //! *convertible to a (mutable or shared) reference*. |
84 | // ^ we use this term instead of saying that the produced reference must |
85 | // be valid, as the validity of a reference is easily confused for the |
86 | // validity of the thing it refers to, and while the two concepts are |
87 | // closely related, they are not identical. |
88 | //! |
89 | //! These rules apply even if the result is unused! |
90 | //! (The part about being initialized is not yet fully decided, but until |
91 | //! it is, the only safe approach is to ensure that they are indeed initialized.) |
92 | //! |
93 | //! An example of the implications of the above rules is that an expression such |
94 | //! as `unsafe { &*(0 as *const u8) }` is Immediate Undefined Behavior. |
95 | //! |
96 | //! [valid value]: ../../reference/behavior-considered-undefined.html#invalid-values |
97 | //! |
98 | //! ## Allocated object |
99 | //! |
100 | //! An *allocated object* is a subset of program memory which is addressable |
101 | //! from Rust, and within which pointer arithmetic is possible. Examples of |
102 | //! allocated objects include heap allocations, stack-allocated variables, |
103 | //! statics, and consts. The safety preconditions of some Rust operations - |
104 | //! such as `offset` and field projections (`expr.field`) - are defined in |
105 | //! terms of the allocated objects on which they operate. |
106 | //! |
107 | //! An allocated object has a base address, a size, and a set of memory |
108 | //! addresses. It is possible for an allocated object to have zero size, but |
109 | //! such an allocated object will still have a base address. The base address |
110 | //! of an allocated object is not necessarily unique. While it is currently the |
111 | //! case that an allocated object always has a set of memory addresses which is |
112 | //! fully contiguous (i.e., has no "holes"), there is no guarantee that this |
113 | //! will not change in the future. |
114 | //! |
115 | //! For any allocated object with `base` address, `size`, and a set of |
116 | //! `addresses`, the following are guaranteed: |
117 | //! - For all addresses `a` in `addresses`, `a` is in the range `base .. (base + |
118 | //! size)` (note that this requires `a < base + size`, not `a <= base + size`) |
119 | //! - `base` is not equal to [`null()`] (i.e., the address with the numerical |
120 | //! value 0) |
121 | //! - `base + size <= usize::MAX` |
122 | //! - `size <= isize::MAX` |
123 | //! |
124 | //! As a consequence of these guarantees, given any address `a` within the set |
125 | //! of addresses of an allocated object: |
126 | //! - It is guaranteed that `a - base` does not overflow `isize` |
127 | //! - It is guaranteed that `a - base` is non-negative |
128 | //! - It is guaranteed that, given `o = a - base` (i.e., the offset of `a` within |
129 | //! the allocated object), `base + o` will not wrap around the address space (in |
130 | //! other words, will not overflow `usize`) |
131 | //! |
132 | //! [`null()`]: null |
133 | //! |
134 | //! # Provenance |
135 | //! |
136 | //! Pointers are not *simply* an "integer" or "address". For instance, it's uncontroversial |
137 | //! to say that a Use After Free is clearly Undefined Behavior, even if you "get lucky" |
138 | //! and the freed memory gets reallocated before your read/write (in fact this is the |
139 | //! worst-case scenario, UAFs would be much less concerning if this didn't happen!). |
140 | //! As another example, consider that [`wrapping_offset`] is documented to "remember" |
141 | //! the allocated object that the original pointer points to, even if it is offset far |
142 | //! outside the memory range occupied by that allocated object. |
143 | //! To rationalize claims like this, pointers need to somehow be *more* than just their addresses: |
144 | //! they must have **provenance**. |
145 | //! |
146 | //! A pointer value in Rust semantically contains the following information: |
147 | //! |
148 | //! * The **address** it points to, which can be represented by a `usize`. |
149 | //! * The **provenance** it has, defining the memory it has permission to access. Provenance can be |
150 | //! absent, in which case the pointer does not have permission to access any memory. |
151 | //! |
152 | //! The exact structure of provenance is not yet specified, but the permission defined by a |
153 | //! pointer's provenance have a *spatial* component, a *temporal* component, and a *mutability* |
154 | //! component: |
155 | //! |
156 | //! * Spatial: The set of memory addresses that the pointer is allowed to access. |
157 | //! * Temporal: The timespan during which the pointer is allowed to access those memory addresses. |
158 | //! * Mutability: Whether the pointer may only access the memory for reads, or also access it for |
159 | //! writes. Note that this can interact with the other components, e.g. a pointer might permit |
160 | //! mutation only for a subset of addresses, or only for a subset of its maximal timespan. |
161 | //! |
162 | //! When an [allocated object] is created, it has a unique Original Pointer. For alloc |
163 | //! APIs this is literally the pointer the call returns, and for local variables and statics, |
164 | //! this is the name of the variable/static. (This is mildly overloading the term "pointer" |
165 | //! for the sake of brevity/exposition.) |
166 | //! |
167 | //! The Original Pointer for an allocated object has provenance that constrains the *spatial* |
168 | //! permissions of this pointer to the memory range of the allocation, and the *temporal* |
169 | //! permissions to the lifetime of the allocation. Provenance is implicitly inherited by all |
170 | //! pointers transitively derived from the Original Pointer through operations like [`offset`], |
171 | //! borrowing, and pointer casts. Some operations may *shrink* the permissions of the derived |
172 | //! provenance, limiting how much memory it can access or how long it's valid for (i.e. borrowing a |
173 | //! subfield and subslicing can shrink the spatial component of provenance, and all borrowing can |
174 | //! shrink the temporal component of provenance). However, no operation can ever *grow* the |
175 | //! permissions of the derived provenance: even if you "know" there is a larger allocation, you |
176 | //! can't derive a pointer with a larger provenance. Similarly, you cannot "recombine" two |
177 | //! contiguous provenances back into one (i.e. with a `fn merge(&[T], &[T]) -> &[T]`). |
178 | //! |
179 | //! A reference to a place always has provenance over at least the memory that place occupies. |
180 | //! A reference to a slice always has provenance over at least the range that slice describes. |
181 | //! Whether and when exactly the provenance of a reference gets "shrunk" to *exactly* fit |
182 | //! the memory it points to is not yet determined. |
183 | //! |
184 | //! A *shared* reference only ever has provenance that permits reading from memory, |
185 | //! and never permits writes, except inside [`UnsafeCell`]. |
186 | //! |
187 | //! Provenance can affect whether a program has undefined behavior: |
188 | //! |
189 | //! * It is undefined behavior to access memory through a pointer that does not have provenance over |
190 | //! that memory. Note that a pointer "at the end" of its provenance is not actually outside its |
191 | //! provenance, it just has 0 bytes it can load/store. Zero-sized accesses do not require any |
192 | //! provenance since they access an empty range of memory. |
193 | //! |
194 | //! * It is undefined behavior to [`offset`] a pointer across a memory range that is not contained |
195 | //! in the allocated object it is derived from, or to [`offset_from`] two pointers not derived |
196 | //! from the same allocated object. Provenance is used to say what exactly "derived from" even |
197 | //! means: the lineage of a pointer is traced back to the Original Pointer it descends from, and |
198 | //! that identifies the relevant allocated object. In particular, it's always UB to offset a |
199 | //! pointer derived from something that is now deallocated, except if the offset is 0. |
200 | //! |
201 | //! But it *is* still sound to: |
202 | //! |
203 | //! * Create a pointer without provenance from just an address (see [`without_provenance`]). Such a |
204 | //! pointer cannot be used for memory accesses (except for zero-sized accesses). This can still be |
205 | //! useful for sentinel values like `null` *or* to represent a tagged pointer that will never be |
206 | //! dereferenceable. In general, it is always sound for an integer to pretend to be a pointer "for |
207 | //! fun" as long as you don't use operations on it which require it to be valid (non-zero-sized |
208 | //! offset, read, write, etc). |
209 | //! |
210 | //! * Forge an allocation of size zero at any sufficiently aligned non-null address. |
211 | //! i.e. the usual "ZSTs are fake, do what you want" rules apply. |
212 | //! |
213 | //! * [`wrapping_offset`] a pointer outside its provenance. This includes pointers |
214 | //! which have "no" provenance. In particular, this makes it sound to do pointer tagging tricks. |
215 | //! |
216 | //! * Compare arbitrary pointers by address. Pointer comparison ignores provenance and addresses |
217 | //! *are* just integers, so there is always a coherent answer, even if the pointers are dangling |
218 | //! or from different provenances. Note that if you get "lucky" and notice that a pointer at the |
219 | //! end of one allocated object is the "same" address as the start of another allocated object, |
220 | //! anything you do with that fact is *probably* going to be gibberish. The scope of that |
221 | //! gibberish is kept under control by the fact that the two pointers *still* aren't allowed to |
222 | //! access the other's allocation (bytes), because they still have different provenance. |
223 | //! |
224 | //! Note that the full definition of provenance in Rust is not decided yet, as this interacts |
225 | //! with the as-yet undecided [aliasing] rules. |
226 | //! |
227 | //! ## Pointers Vs Integers |
228 | //! |
229 | //! From this discussion, it becomes very clear that a `usize` *cannot* accurately represent a pointer, |
230 | //! and converting from a pointer to a `usize` is generally an operation which *only* extracts the |
231 | //! address. Converting this address back into pointer requires somehow answering the question: |
232 | //! which provenance should the resulting pointer have? |
233 | //! |
234 | //! Rust provides two ways of dealing with this situation: *Strict Provenance* and *Exposed Provenance*. |
235 | //! |
236 | //! Note that a pointer *can* represent a `usize` (via [`without_provenance`]), so the right type to |
237 | //! use in situations where a value is "sometimes a pointer and sometimes a bare `usize`" is a |
238 | //! pointer type. |
239 | //! |
240 | //! ## Strict Provenance |
241 | //! |
242 | //! "Strict Provenance" refers to a set of APIs designed to make working with provenance more |
243 | //! explicit. They are intended as substitutes for casting a pointer to an integer and back. |
244 | //! |
245 | //! Entirely avoiding integer-to-pointer casts successfully side-steps the inherent ambiguity of |
246 | //! that operation. This benefits compiler optimizations, and it is pretty much a requirement for |
247 | //! using tools like [Miri] and architectures like [CHERI] that aim to detect and diagnose pointer |
248 | //! misuse. |
249 | //! |
250 | //! The key insight to making programming without integer-to-pointer casts *at all* viable is the |
251 | //! [`with_addr`] method: |
252 | //! |
253 | //! ```text |
254 | //! /// Creates a new pointer with the given address. |
255 | //! /// |
256 | //! /// This performs the same operation as an `addr as ptr` cast, but copies |
257 | //! /// the *provenance* of `self` to the new pointer. |
258 | //! /// This allows us to dynamically preserve and propagate this important |
259 | //! /// information in a way that is otherwise impossible with a unary cast. |
260 | //! /// |
261 | //! /// This is equivalent to using `wrapping_offset` to offset `self` to the |
262 | //! /// given address, and therefore has all the same capabilities and restrictions. |
263 | //! pub fn with_addr(self, addr: usize) -> Self; |
264 | //! ``` |
265 | //! |
266 | //! So you're still able to drop down to the address representation and do whatever |
267 | //! clever bit tricks you want *as long as* you're able to keep around a pointer |
268 | //! into the allocation you care about that can "reconstitute" the provenance. |
269 | //! Usually this is very easy, because you only are taking a pointer, messing with the address, |
270 | //! and then immediately converting back to a pointer. To make this use case more ergonomic, |
271 | //! we provide the [`map_addr`] method. |
272 | //! |
273 | //! To help make it clear that code is "following" Strict Provenance semantics, we also provide an |
274 | //! [`addr`] method which promises that the returned address is not part of a |
275 | //! pointer-integer-pointer roundtrip. In the future we may provide a lint for pointer<->integer |
276 | //! casts to help you audit if your code conforms to strict provenance. |
277 | //! |
278 | //! ### Using Strict Provenance |
279 | //! |
280 | //! Most code needs no changes to conform to strict provenance, as the only really concerning |
281 | //! operation is casts from usize to a pointer. For code which *does* cast a `usize` to a pointer, |
282 | //! the scope of the change depends on exactly what you're doing. |
283 | //! |
284 | //! In general, you just need to make sure that if you want to convert a `usize` address to a |
285 | //! pointer and then use that pointer to read/write memory, you need to keep around a pointer |
286 | //! that has sufficient provenance to perform that read/write itself. In this way all of your |
287 | //! casts from an address to a pointer are essentially just applying offsets/indexing. |
288 | //! |
289 | //! This is generally trivial to do for simple cases like tagged pointers *as long as you |
290 | //! represent the tagged pointer as an actual pointer and not a `usize`*. For instance: |
291 | //! |
292 | //! ``` |
293 | //! unsafe { |
294 | //! // A flag we want to pack into our pointer |
295 | //! static HAS_DATA: usize = 0x1; |
296 | //! static FLAG_MASK: usize = !HAS_DATA; |
297 | //! |
298 | //! // Our value, which must have enough alignment to have spare least-significant-bits. |
299 | //! let my_precious_data: u32 = 17; |
300 | //! assert!(align_of::<u32>() > 1); |
301 | //! |
302 | //! // Create a tagged pointer |
303 | //! let ptr = &my_precious_data as *const u32; |
304 | //! let tagged = ptr.map_addr(|addr| addr | HAS_DATA); |
305 | //! |
306 | //! // Check the flag: |
307 | //! if tagged.addr() & HAS_DATA != 0 { |
308 | //! // Untag and read the pointer |
309 | //! let data = *tagged.map_addr(|addr| addr & FLAG_MASK); |
310 | //! assert_eq!(data, 17); |
311 | //! } else { |
312 | //! unreachable!() |
313 | //! } |
314 | //! } |
315 | //! ``` |
316 | //! |
317 | //! (Yes, if you've been using [`AtomicUsize`] for pointers in concurrent datastructures, you should |
318 | //! be using [`AtomicPtr`] instead. If that messes up the way you atomically manipulate pointers, |
319 | //! we would like to know why, and what needs to be done to fix it.) |
320 | //! |
321 | //! Situations where a valid pointer *must* be created from just an address, such as baremetal code |
322 | //! accessing a memory-mapped interface at a fixed address, cannot currently be handled with strict |
323 | //! provenance APIs and should use [exposed provenance](#exposed-provenance). |
324 | //! |
325 | //! ## Exposed Provenance |
326 | //! |
327 | //! As discussed above, integer-to-pointer casts are not possible with Strict Provenance APIs. |
328 | //! This is by design: the goal of Strict Provenance is to provide a clear specification that we are |
329 | //! confident can be formalized unambiguously and can be subject to precise formal reasoning. |
330 | //! Integer-to-pointer casts do not (currently) have such a clear specification. |
331 | //! |
332 | //! However, there exist situations where integer-to-pointer casts cannot be avoided, or |
333 | //! where avoiding them would require major refactoring. Legacy platform APIs also regularly assume |
334 | //! that `usize` can capture all the information that makes up a pointer. |
335 | //! Bare-metal platforms can also require the synthesis of a pointer "out of thin air" without |
336 | //! anywhere to obtain proper provenance from. |
337 | //! |
338 | //! Rust's model for dealing with integer-to-pointer casts is called *Exposed Provenance*. However, |
339 | //! the semantics of Exposed Provenance are on much less solid footing than Strict Provenance, and |
340 | //! at this point it is not yet clear whether a satisfying unambiguous semantics can be defined for |
341 | //! Exposed Provenance. (If that sounds bad, be reassured that other popular languages that provide |
342 | //! integer-to-pointer casts are not faring any better.) Furthermore, Exposed Provenance will not |
343 | //! work (well) with tools like [Miri] and [CHERI]. |
344 | //! |
345 | //! Exposed Provenance is provided by the [`expose_provenance`] and [`with_exposed_provenance`] methods, |
346 | //! which are equivalent to `as` casts between pointers and integers. |
347 | //! - [`expose_provenance`] is a lot like [`addr`], but additionally adds the provenance of the |
348 | //! pointer to a global list of 'exposed' provenances. (This list is purely conceptual, it exists |
349 | //! for the purpose of specifying Rust but is not materialized in actual executions, except in |
350 | //! tools like [Miri].) |
351 | //! Memory which is outside the control of the Rust abstract machine (MMIO registers, for example) |
352 | //! is always considered to be exposed, so long as this memory is disjoint from memory that will |
353 | //! be used by the abstract machine such as the stack, heap, and statics. |
354 | //! - [`with_exposed_provenance`] can be used to construct a pointer with one of these previously |
355 | //! 'exposed' provenances. [`with_exposed_provenance`] takes only `addr: usize` as arguments, so |
356 | //! unlike in [`with_addr`] there is no indication of what the correct provenance for the returned |
357 | //! pointer is -- and that is exactly what makes integer-to-pointer casts so tricky to rigorously |
358 | //! specify! The compiler will do its best to pick the right provenance for you, but currently we |
359 | //! cannot provide any guarantees about which provenance the resulting pointer will have. Only one |
360 | //! thing is clear: if there is *no* previously 'exposed' provenance that justifies the way the |
361 | //! returned pointer will be used, the program has undefined behavior. |
362 | //! |
363 | //! If at all possible, we encourage code to be ported to [Strict Provenance] APIs, thus avoiding |
364 | //! the need for Exposed Provenance. Maximizing the amount of such code is a major win for avoiding |
365 | //! specification complexity and to facilitate adoption of tools like [CHERI] and [Miri] that can be |
366 | //! a big help in increasing the confidence in (unsafe) Rust code. However, we acknowledge that this |
367 | //! is not always possible, and offer Exposed Provenance as a way to explicit "opt out" of the |
368 | //! well-defined semantics of Strict Provenance, and "opt in" to the unclear semantics of |
369 | //! integer-to-pointer casts. |
370 | //! |
371 | //! [aliasing]: ../../nomicon/aliasing.html |
372 | //! [allocated object]: #allocated-object |
373 | //! [provenance]: #provenance |
374 | //! [book]: ../../book/ch19-01-unsafe-rust.html#dereferencing-a-raw-pointer |
375 | //! [ub]: ../../reference/behavior-considered-undefined.html |
376 | //! [zst]: ../../nomicon/exotic-sizes.html#zero-sized-types-zsts |
377 | //! [atomic operations]: crate::sync::atomic |
378 | //! [`offset`]: pointer::offset |
379 | //! [`offset_from`]: pointer::offset_from |
380 | //! [`wrapping_offset`]: pointer::wrapping_offset |
381 | //! [`with_addr`]: pointer::with_addr |
382 | //! [`map_addr`]: pointer::map_addr |
383 | //! [`addr`]: pointer::addr |
384 | //! [`AtomicUsize`]: crate::sync::atomic::AtomicUsize |
385 | //! [`AtomicPtr`]: crate::sync::atomic::AtomicPtr |
386 | //! [`expose_provenance`]: pointer::expose_provenance |
387 | //! [`with_exposed_provenance`]: with_exposed_provenance |
388 | //! [Miri]: https://github.com/rust-lang/miri |
389 | //! [CHERI]: https://www.cl.cam.ac.uk/research/security/ctsrd/cheri/ |
390 | //! [Strict Provenance]: #strict-provenance |
391 | //! [`UnsafeCell`]: core::cell::UnsafeCell |
392 | |
393 | #![stable (feature = "rust1" , since = "1.0.0" )] |
394 | // There are many unsafe functions taking pointers that don't dereference them. |
395 | #![allow (clippy::not_unsafe_ptr_arg_deref)] |
396 | |
397 | use crate::cmp::Ordering; |
398 | use crate::intrinsics::const_eval_select; |
399 | use crate::marker::FnPtr; |
400 | use crate::mem::{self, MaybeUninit, SizedTypeProperties}; |
401 | use crate::{fmt, hash, intrinsics, ub_checks}; |
402 | |
403 | mod alignment; |
404 | #[unstable (feature = "ptr_alignment_type" , issue = "102070" )] |
405 | pub use alignment::Alignment; |
406 | |
407 | #[stable (feature = "rust1" , since = "1.0.0" )] |
408 | #[doc (inline)] |
409 | pub use crate::intrinsics::copy; |
410 | #[stable (feature = "rust1" , since = "1.0.0" )] |
411 | #[doc (inline)] |
412 | pub use crate::intrinsics::copy_nonoverlapping; |
413 | #[stable (feature = "rust1" , since = "1.0.0" )] |
414 | #[doc (inline)] |
415 | pub use crate::intrinsics::write_bytes; |
416 | |
417 | mod metadata; |
418 | #[unstable (feature = "ptr_metadata" , issue = "81513" )] |
419 | pub use metadata::{DynMetadata, Pointee, Thin, from_raw_parts, from_raw_parts_mut, metadata}; |
420 | |
421 | mod non_null; |
422 | #[stable (feature = "nonnull" , since = "1.25.0" )] |
423 | pub use non_null::NonNull; |
424 | |
425 | mod unique; |
426 | #[unstable (feature = "ptr_internals" , issue = "none" )] |
427 | pub use unique::Unique; |
428 | |
429 | mod const_ptr; |
430 | mod mut_ptr; |
431 | |
432 | /// Executes the destructor (if any) of the pointed-to value. |
433 | /// |
434 | /// This is almost the same as calling [`ptr::read`] and discarding |
435 | /// the result, but has the following advantages: |
436 | // FIXME: say something more useful than "almost the same"? |
437 | // There are open questions here: `read` requires the value to be fully valid, e.g. if `T` is a |
438 | // `bool` it must be 0 or 1, if it is a reference then it must be dereferenceable. `drop_in_place` |
439 | // only requires that `*to_drop` be "valid for dropping" and we have not defined what that means. In |
440 | // Miri it currently (May 2024) requires nothing at all for types without drop glue. |
441 | /// |
442 | /// * It is *required* to use `drop_in_place` to drop unsized types like |
443 | /// trait objects, because they can't be read out onto the stack and |
444 | /// dropped normally. |
445 | /// |
446 | /// * It is friendlier to the optimizer to do this over [`ptr::read`] when |
447 | /// dropping manually allocated memory (e.g., in the implementations of |
448 | /// `Box`/`Rc`/`Vec`), as the compiler doesn't need to prove that it's |
449 | /// sound to elide the copy. |
450 | /// |
451 | /// * It can be used to drop [pinned] data when `T` is not `repr(packed)` |
452 | /// (pinned data must not be moved before it is dropped). |
453 | /// |
454 | /// Unaligned values cannot be dropped in place, they must be copied to an aligned |
455 | /// location first using [`ptr::read_unaligned`]. For packed structs, this move is |
456 | /// done automatically by the compiler. This means the fields of packed structs |
457 | /// are not dropped in-place. |
458 | /// |
459 | /// [`ptr::read`]: self::read |
460 | /// [`ptr::read_unaligned`]: self::read_unaligned |
461 | /// [pinned]: crate::pin |
462 | /// |
463 | /// # Safety |
464 | /// |
465 | /// Behavior is undefined if any of the following conditions are violated: |
466 | /// |
467 | /// * `to_drop` must be [valid] for both reads and writes. |
468 | /// |
469 | /// * `to_drop` must be properly aligned, even if `T` has size 0. |
470 | /// |
471 | /// * `to_drop` must be nonnull, even if `T` has size 0. |
472 | /// |
473 | /// * The value `to_drop` points to must be valid for dropping, which may mean |
474 | /// it must uphold additional invariants. These invariants depend on the type |
475 | /// of the value being dropped. For instance, when dropping a Box, the box's |
476 | /// pointer to the heap must be valid. |
477 | /// |
478 | /// * While `drop_in_place` is executing, the only way to access parts of |
479 | /// `to_drop` is through the `&mut self` references supplied to the |
480 | /// `Drop::drop` methods that `drop_in_place` invokes. |
481 | /// |
482 | /// Additionally, if `T` is not [`Copy`], using the pointed-to value after |
483 | /// calling `drop_in_place` can cause undefined behavior. Note that `*to_drop = |
484 | /// foo` counts as a use because it will cause the value to be dropped |
485 | /// again. [`write()`] can be used to overwrite data without causing it to be |
486 | /// dropped. |
487 | /// |
488 | /// [valid]: self#safety |
489 | /// |
490 | /// # Examples |
491 | /// |
492 | /// Manually remove the last item from a vector: |
493 | /// |
494 | /// ``` |
495 | /// use std::ptr; |
496 | /// use std::rc::Rc; |
497 | /// |
498 | /// let last = Rc::new(1); |
499 | /// let weak = Rc::downgrade(&last); |
500 | /// |
501 | /// let mut v = vec![Rc::new(0), last]; |
502 | /// |
503 | /// unsafe { |
504 | /// // Get a raw pointer to the last element in `v`. |
505 | /// let ptr = &mut v[1] as *mut _; |
506 | /// // Shorten `v` to prevent the last item from being dropped. We do that first, |
507 | /// // to prevent issues if the `drop_in_place` below panics. |
508 | /// v.set_len(1); |
509 | /// // Without a call `drop_in_place`, the last item would never be dropped, |
510 | /// // and the memory it manages would be leaked. |
511 | /// ptr::drop_in_place(ptr); |
512 | /// } |
513 | /// |
514 | /// assert_eq!(v, &[0.into()]); |
515 | /// |
516 | /// // Ensure that the last item was dropped. |
517 | /// assert!(weak.upgrade().is_none()); |
518 | /// ``` |
519 | #[stable (feature = "drop_in_place" , since = "1.8.0" )] |
520 | #[lang = "drop_in_place" ] |
521 | #[allow (unconditional_recursion)] |
522 | #[rustc_diagnostic_item = "ptr_drop_in_place" ] |
523 | pub unsafe fn drop_in_place<T: ?Sized>(to_drop: *mut T) { |
524 | // Code here does not matter - this is replaced by the |
525 | // real drop glue by the compiler. |
526 | |
527 | // SAFETY: see comment above |
528 | unsafe { drop_in_place(to_drop) } |
529 | } |
530 | |
531 | /// Creates a null raw pointer. |
532 | /// |
533 | /// This function is equivalent to zero-initializing the pointer: |
534 | /// `MaybeUninit::<*const T>::zeroed().assume_init()`. |
535 | /// The resulting pointer has the address 0. |
536 | /// |
537 | /// # Examples |
538 | /// |
539 | /// ``` |
540 | /// use std::ptr; |
541 | /// |
542 | /// let p: *const i32 = ptr::null(); |
543 | /// assert!(p.is_null()); |
544 | /// assert_eq!(p as usize, 0); // this pointer has the address 0 |
545 | /// ``` |
546 | #[inline (always)] |
547 | #[must_use ] |
548 | #[stable (feature = "rust1" , since = "1.0.0" )] |
549 | #[rustc_promotable ] |
550 | #[rustc_const_stable (feature = "const_ptr_null" , since = "1.24.0" )] |
551 | #[rustc_diagnostic_item = "ptr_null" ] |
552 | pub const fn null<T: ?Sized + Thin>() -> *const T { |
553 | from_raw_parts(data_pointer:without_provenance::<()>(0), ()) |
554 | } |
555 | |
556 | /// Creates a null mutable raw pointer. |
557 | /// |
558 | /// This function is equivalent to zero-initializing the pointer: |
559 | /// `MaybeUninit::<*mut T>::zeroed().assume_init()`. |
560 | /// The resulting pointer has the address 0. |
561 | /// |
562 | /// # Examples |
563 | /// |
564 | /// ``` |
565 | /// use std::ptr; |
566 | /// |
567 | /// let p: *mut i32 = ptr::null_mut(); |
568 | /// assert!(p.is_null()); |
569 | /// assert_eq!(p as usize, 0); // this pointer has the address 0 |
570 | /// ``` |
571 | #[inline (always)] |
572 | #[must_use ] |
573 | #[stable (feature = "rust1" , since = "1.0.0" )] |
574 | #[rustc_promotable ] |
575 | #[rustc_const_stable (feature = "const_ptr_null" , since = "1.24.0" )] |
576 | #[rustc_diagnostic_item = "ptr_null_mut" ] |
577 | pub const fn null_mut<T: ?Sized + Thin>() -> *mut T { |
578 | from_raw_parts_mut(data_pointer:without_provenance_mut::<()>(0), ()) |
579 | } |
580 | |
581 | /// Creates a pointer with the given address and no [provenance][crate::ptr#provenance]. |
582 | /// |
583 | /// This is equivalent to `ptr::null().with_addr(addr)`. |
584 | /// |
585 | /// Without provenance, this pointer is not associated with any actual allocation. Such a |
586 | /// no-provenance pointer may be used for zero-sized memory accesses (if suitably aligned), but |
587 | /// non-zero-sized memory accesses with a no-provenance pointer are UB. No-provenance pointers are |
588 | /// little more than a `usize` address in disguise. |
589 | /// |
590 | /// This is different from `addr as *const T`, which creates a pointer that picks up a previously |
591 | /// exposed provenance. See [`with_exposed_provenance`] for more details on that operation. |
592 | /// |
593 | /// This is a [Strict Provenance][crate::ptr#strict-provenance] API. |
594 | #[inline (always)] |
595 | #[must_use ] |
596 | #[stable (feature = "strict_provenance" , since = "1.84.0" )] |
597 | #[rustc_const_stable (feature = "strict_provenance" , since = "1.84.0" )] |
598 | pub const fn without_provenance<T>(addr: usize) -> *const T { |
599 | without_provenance_mut(addr) |
600 | } |
601 | |
602 | /// Creates a new pointer that is dangling, but non-null and well-aligned. |
603 | /// |
604 | /// This is useful for initializing types which lazily allocate, like |
605 | /// `Vec::new` does. |
606 | /// |
607 | /// Note that the pointer value may potentially represent a valid pointer to |
608 | /// a `T`, which means this must not be used as a "not yet initialized" |
609 | /// sentinel value. Types that lazily allocate must track initialization by |
610 | /// some other means. |
611 | #[inline (always)] |
612 | #[must_use ] |
613 | #[stable (feature = "strict_provenance" , since = "1.84.0" )] |
614 | #[rustc_const_stable (feature = "strict_provenance" , since = "1.84.0" )] |
615 | pub const fn dangling<T>() -> *const T { |
616 | dangling_mut() |
617 | } |
618 | |
619 | /// Creates a pointer with the given address and no [provenance][crate::ptr#provenance]. |
620 | /// |
621 | /// This is equivalent to `ptr::null_mut().with_addr(addr)`. |
622 | /// |
623 | /// Without provenance, this pointer is not associated with any actual allocation. Such a |
624 | /// no-provenance pointer may be used for zero-sized memory accesses (if suitably aligned), but |
625 | /// non-zero-sized memory accesses with a no-provenance pointer are UB. No-provenance pointers are |
626 | /// little more than a `usize` address in disguise. |
627 | /// |
628 | /// This is different from `addr as *mut T`, which creates a pointer that picks up a previously |
629 | /// exposed provenance. See [`with_exposed_provenance_mut`] for more details on that operation. |
630 | /// |
631 | /// This is a [Strict Provenance][crate::ptr#strict-provenance] API. |
632 | #[inline (always)] |
633 | #[must_use ] |
634 | #[stable (feature = "strict_provenance" , since = "1.84.0" )] |
635 | #[rustc_const_stable (feature = "strict_provenance" , since = "1.84.0" )] |
636 | pub const fn without_provenance_mut<T>(addr: usize) -> *mut T { |
637 | // An int-to-pointer transmute currently has exactly the intended semantics: it creates a |
638 | // pointer without provenance. Note that this is *not* a stable guarantee about transmute |
639 | // semantics, it relies on sysroot crates having special status. |
640 | // SAFETY: every valid integer is also a valid pointer (as long as you don't dereference that |
641 | // pointer). |
642 | unsafe { mem::transmute(src:addr) } |
643 | } |
644 | |
645 | /// Creates a new pointer that is dangling, but non-null and well-aligned. |
646 | /// |
647 | /// This is useful for initializing types which lazily allocate, like |
648 | /// `Vec::new` does. |
649 | /// |
650 | /// Note that the pointer value may potentially represent a valid pointer to |
651 | /// a `T`, which means this must not be used as a "not yet initialized" |
652 | /// sentinel value. Types that lazily allocate must track initialization by |
653 | /// some other means. |
654 | #[inline (always)] |
655 | #[must_use ] |
656 | #[stable (feature = "strict_provenance" , since = "1.84.0" )] |
657 | #[rustc_const_stable (feature = "strict_provenance" , since = "1.84.0" )] |
658 | pub const fn dangling_mut<T>() -> *mut T { |
659 | NonNull::dangling().as_ptr() |
660 | } |
661 | |
662 | /// Converts an address back to a pointer, picking up some previously 'exposed' |
663 | /// [provenance][crate::ptr#provenance]. |
664 | /// |
665 | /// This is fully equivalent to `addr as *const T`. The provenance of the returned pointer is that |
666 | /// of *some* pointer that was previously exposed by passing it to |
667 | /// [`expose_provenance`][pointer::expose_provenance], or a `ptr as usize` cast. In addition, memory |
668 | /// which is outside the control of the Rust abstract machine (MMIO registers, for example) is |
669 | /// always considered to be accessible with an exposed provenance, so long as this memory is disjoint |
670 | /// from memory that will be used by the abstract machine such as the stack, heap, and statics. |
671 | /// |
672 | /// The exact provenance that gets picked is not specified. The compiler will do its best to pick |
673 | /// the "right" provenance for you (whatever that may be), but currently we cannot provide any |
674 | /// guarantees about which provenance the resulting pointer will have -- and therefore there |
675 | /// is no definite specification for which memory the resulting pointer may access. |
676 | /// |
677 | /// If there is *no* previously 'exposed' provenance that justifies the way the returned pointer |
678 | /// will be used, the program has undefined behavior. In particular, the aliasing rules still apply: |
679 | /// pointers and references that have been invalidated due to aliasing accesses cannot be used |
680 | /// anymore, even if they have been exposed! |
681 | /// |
682 | /// Due to its inherent ambiguity, this operation may not be supported by tools that help you to |
683 | /// stay conformant with the Rust memory model. It is recommended to use [Strict |
684 | /// Provenance][self#strict-provenance] APIs such as [`with_addr`][pointer::with_addr] wherever |
685 | /// possible. |
686 | /// |
687 | /// On most platforms this will produce a value with the same bytes as the address. Platforms |
688 | /// which need to store additional information in a pointer may not support this operation, |
689 | /// since it is generally not possible to actually *compute* which provenance the returned |
690 | /// pointer has to pick up. |
691 | /// |
692 | /// This is an [Exposed Provenance][crate::ptr#exposed-provenance] API. |
693 | #[must_use ] |
694 | #[inline (always)] |
695 | #[stable (feature = "exposed_provenance" , since = "1.84.0" )] |
696 | #[cfg_attr (miri, track_caller)] // even without panics, this helps for Miri backtraces |
697 | #[allow (fuzzy_provenance_casts)] // this *is* the explicit provenance API one should use instead |
698 | pub fn with_exposed_provenance<T>(addr: usize) -> *const T { |
699 | addr as *const T |
700 | } |
701 | |
702 | /// Converts an address back to a mutable pointer, picking up some previously 'exposed' |
703 | /// [provenance][crate::ptr#provenance]. |
704 | /// |
705 | /// This is fully equivalent to `addr as *mut T`. The provenance of the returned pointer is that |
706 | /// of *some* pointer that was previously exposed by passing it to |
707 | /// [`expose_provenance`][pointer::expose_provenance], or a `ptr as usize` cast. In addition, memory |
708 | /// which is outside the control of the Rust abstract machine (MMIO registers, for example) is |
709 | /// always considered to be accessible with an exposed provenance, so long as this memory is disjoint |
710 | /// from memory that will be used by the abstract machine such as the stack, heap, and statics. |
711 | /// |
712 | /// The exact provenance that gets picked is not specified. The compiler will do its best to pick |
713 | /// the "right" provenance for you (whatever that may be), but currently we cannot provide any |
714 | /// guarantees about which provenance the resulting pointer will have -- and therefore there |
715 | /// is no definite specification for which memory the resulting pointer may access. |
716 | /// |
717 | /// If there is *no* previously 'exposed' provenance that justifies the way the returned pointer |
718 | /// will be used, the program has undefined behavior. In particular, the aliasing rules still apply: |
719 | /// pointers and references that have been invalidated due to aliasing accesses cannot be used |
720 | /// anymore, even if they have been exposed! |
721 | /// |
722 | /// Due to its inherent ambiguity, this operation may not be supported by tools that help you to |
723 | /// stay conformant with the Rust memory model. It is recommended to use [Strict |
724 | /// Provenance][self#strict-provenance] APIs such as [`with_addr`][pointer::with_addr] wherever |
725 | /// possible. |
726 | /// |
727 | /// On most platforms this will produce a value with the same bytes as the address. Platforms |
728 | /// which need to store additional information in a pointer may not support this operation, |
729 | /// since it is generally not possible to actually *compute* which provenance the returned |
730 | /// pointer has to pick up. |
731 | /// |
732 | /// This is an [Exposed Provenance][crate::ptr#exposed-provenance] API. |
733 | #[must_use ] |
734 | #[inline (always)] |
735 | #[stable (feature = "exposed_provenance" , since = "1.84.0" )] |
736 | #[cfg_attr (miri, track_caller)] // even without panics, this helps for Miri backtraces |
737 | #[allow (fuzzy_provenance_casts)] // this *is* the explicit provenance API one should use instead |
738 | pub fn with_exposed_provenance_mut<T>(addr: usize) -> *mut T { |
739 | addr as *mut T |
740 | } |
741 | |
742 | /// Converts a reference to a raw pointer. |
743 | /// |
744 | /// For `r: &T`, `from_ref(r)` is equivalent to `r as *const T` (except for the caveat noted below), |
745 | /// but is a bit safer since it will never silently change type or mutability, in particular if the |
746 | /// code is refactored. |
747 | /// |
748 | /// The caller must ensure that the pointee outlives the pointer this function returns, or else it |
749 | /// will end up dangling. |
750 | /// |
751 | /// The caller must also ensure that the memory the pointer (non-transitively) points to is never |
752 | /// written to (except inside an `UnsafeCell`) using this pointer or any pointer derived from it. If |
753 | /// you need to mutate the pointee, use [`from_mut`]. Specifically, to turn a mutable reference `m: |
754 | /// &mut T` into `*const T`, prefer `from_mut(m).cast_const()` to obtain a pointer that can later be |
755 | /// used for mutation. |
756 | /// |
757 | /// ## Interaction with lifetime extension |
758 | /// |
759 | /// Note that this has subtle interactions with the rules for lifetime extension of temporaries in |
760 | /// tail expressions. This code is valid, albeit in a non-obvious way: |
761 | /// ```rust |
762 | /// # type T = i32; |
763 | /// # fn foo() -> T { 42 } |
764 | /// // The temporary holding the return value of `foo` has its lifetime extended, |
765 | /// // because the surrounding expression involves no function call. |
766 | /// let p = &foo() as *const T; |
767 | /// unsafe { p.read() }; |
768 | /// ``` |
769 | /// Naively replacing the cast with `from_ref` is not valid: |
770 | /// ```rust,no_run |
771 | /// # use std::ptr; |
772 | /// # type T = i32; |
773 | /// # fn foo() -> T { 42 } |
774 | /// // The temporary holding the return value of `foo` does *not* have its lifetime extended, |
775 | /// // because the surrounding expression involves a function call. |
776 | /// let p = ptr::from_ref(&foo()); |
777 | /// unsafe { p.read() }; // UB! Reading from a dangling pointer ⚠️ |
778 | /// ``` |
779 | /// The recommended way to write this code is to avoid relying on lifetime extension |
780 | /// when raw pointers are involved: |
781 | /// ```rust |
782 | /// # use std::ptr; |
783 | /// # type T = i32; |
784 | /// # fn foo() -> T { 42 } |
785 | /// let x = foo(); |
786 | /// let p = ptr::from_ref(&x); |
787 | /// unsafe { p.read() }; |
788 | /// ``` |
789 | #[inline (always)] |
790 | #[must_use ] |
791 | #[stable (feature = "ptr_from_ref" , since = "1.76.0" )] |
792 | #[rustc_const_stable (feature = "ptr_from_ref" , since = "1.76.0" )] |
793 | #[rustc_never_returns_null_ptr ] |
794 | #[rustc_diagnostic_item = "ptr_from_ref" ] |
795 | pub const fn from_ref<T: ?Sized>(r: &T) -> *const T { |
796 | r |
797 | } |
798 | |
799 | /// Converts a mutable reference to a raw pointer. |
800 | /// |
801 | /// For `r: &mut T`, `from_mut(r)` is equivalent to `r as *mut T` (except for the caveat noted |
802 | /// below), but is a bit safer since it will never silently change type or mutability, in particular |
803 | /// if the code is refactored. |
804 | /// |
805 | /// The caller must ensure that the pointee outlives the pointer this function returns, or else it |
806 | /// will end up dangling. |
807 | /// |
808 | /// ## Interaction with lifetime extension |
809 | /// |
810 | /// Note that this has subtle interactions with the rules for lifetime extension of temporaries in |
811 | /// tail expressions. This code is valid, albeit in a non-obvious way: |
812 | /// ```rust |
813 | /// # type T = i32; |
814 | /// # fn foo() -> T { 42 } |
815 | /// // The temporary holding the return value of `foo` has its lifetime extended, |
816 | /// // because the surrounding expression involves no function call. |
817 | /// let p = &mut foo() as *mut T; |
818 | /// unsafe { p.write(T::default()) }; |
819 | /// ``` |
820 | /// Naively replacing the cast with `from_mut` is not valid: |
821 | /// ```rust,no_run |
822 | /// # use std::ptr; |
823 | /// # type T = i32; |
824 | /// # fn foo() -> T { 42 } |
825 | /// // The temporary holding the return value of `foo` does *not* have its lifetime extended, |
826 | /// // because the surrounding expression involves a function call. |
827 | /// let p = ptr::from_mut(&mut foo()); |
828 | /// unsafe { p.write(T::default()) }; // UB! Writing to a dangling pointer ⚠️ |
829 | /// ``` |
830 | /// The recommended way to write this code is to avoid relying on lifetime extension |
831 | /// when raw pointers are involved: |
832 | /// ```rust |
833 | /// # use std::ptr; |
834 | /// # type T = i32; |
835 | /// # fn foo() -> T { 42 } |
836 | /// let mut x = foo(); |
837 | /// let p = ptr::from_mut(&mut x); |
838 | /// unsafe { p.write(T::default()) }; |
839 | /// ``` |
840 | #[inline (always)] |
841 | #[must_use ] |
842 | #[stable (feature = "ptr_from_ref" , since = "1.76.0" )] |
843 | #[rustc_const_stable (feature = "ptr_from_ref" , since = "1.76.0" )] |
844 | #[rustc_never_returns_null_ptr ] |
845 | pub const fn from_mut<T: ?Sized>(r: &mut T) -> *mut T { |
846 | r |
847 | } |
848 | |
849 | /// Forms a raw slice from a pointer and a length. |
850 | /// |
851 | /// The `len` argument is the number of **elements**, not the number of bytes. |
852 | /// |
853 | /// This function is safe, but actually using the return value is unsafe. |
854 | /// See the documentation of [`slice::from_raw_parts`] for slice safety requirements. |
855 | /// |
856 | /// [`slice::from_raw_parts`]: crate::slice::from_raw_parts |
857 | /// |
858 | /// # Examples |
859 | /// |
860 | /// ```rust |
861 | /// use std::ptr; |
862 | /// |
863 | /// // create a slice pointer when starting out with a pointer to the first element |
864 | /// let x = [5, 6, 7]; |
865 | /// let raw_pointer = x.as_ptr(); |
866 | /// let slice = ptr::slice_from_raw_parts(raw_pointer, 3); |
867 | /// assert_eq!(unsafe { &*slice }[2], 7); |
868 | /// ``` |
869 | /// |
870 | /// You must ensure that the pointer is valid and not null before dereferencing |
871 | /// the raw slice. A slice reference must never have a null pointer, even if it's empty. |
872 | /// |
873 | /// ```rust,should_panic |
874 | /// use std::ptr; |
875 | /// let danger: *const [u8] = ptr::slice_from_raw_parts(ptr::null(), 0); |
876 | /// unsafe { |
877 | /// danger.as_ref().expect("references must not be null" ); |
878 | /// } |
879 | /// ``` |
880 | #[inline ] |
881 | #[stable (feature = "slice_from_raw_parts" , since = "1.42.0" )] |
882 | #[rustc_const_stable (feature = "const_slice_from_raw_parts" , since = "1.64.0" )] |
883 | #[rustc_diagnostic_item = "ptr_slice_from_raw_parts" ] |
884 | pub const fn slice_from_raw_parts<T>(data: *const T, len: usize) -> *const [T] { |
885 | from_raw_parts(data, metadata:len) |
886 | } |
887 | |
888 | /// Forms a raw mutable slice from a pointer and a length. |
889 | /// |
890 | /// The `len` argument is the number of **elements**, not the number of bytes. |
891 | /// |
892 | /// Performs the same functionality as [`slice_from_raw_parts`], except that a |
893 | /// raw mutable slice is returned, as opposed to a raw immutable slice. |
894 | /// |
895 | /// This function is safe, but actually using the return value is unsafe. |
896 | /// See the documentation of [`slice::from_raw_parts_mut`] for slice safety requirements. |
897 | /// |
898 | /// [`slice::from_raw_parts_mut`]: crate::slice::from_raw_parts_mut |
899 | /// |
900 | /// # Examples |
901 | /// |
902 | /// ```rust |
903 | /// use std::ptr; |
904 | /// |
905 | /// let x = &mut [5, 6, 7]; |
906 | /// let raw_pointer = x.as_mut_ptr(); |
907 | /// let slice = ptr::slice_from_raw_parts_mut(raw_pointer, 3); |
908 | /// |
909 | /// unsafe { |
910 | /// (*slice)[2] = 99; // assign a value at an index in the slice |
911 | /// }; |
912 | /// |
913 | /// assert_eq!(unsafe { &*slice }[2], 99); |
914 | /// ``` |
915 | /// |
916 | /// You must ensure that the pointer is valid and not null before dereferencing |
917 | /// the raw slice. A slice reference must never have a null pointer, even if it's empty. |
918 | /// |
919 | /// ```rust,should_panic |
920 | /// use std::ptr; |
921 | /// let danger: *mut [u8] = ptr::slice_from_raw_parts_mut(ptr::null_mut(), 0); |
922 | /// unsafe { |
923 | /// danger.as_mut().expect("references must not be null" ); |
924 | /// } |
925 | /// ``` |
926 | #[inline ] |
927 | #[stable (feature = "slice_from_raw_parts" , since = "1.42.0" )] |
928 | #[rustc_const_stable (feature = "const_slice_from_raw_parts_mut" , since = "1.83.0" )] |
929 | #[rustc_diagnostic_item = "ptr_slice_from_raw_parts_mut" ] |
930 | pub const fn slice_from_raw_parts_mut<T>(data: *mut T, len: usize) -> *mut [T] { |
931 | from_raw_parts_mut(data, metadata:len) |
932 | } |
933 | |
934 | /// Swaps the values at two mutable locations of the same type, without |
935 | /// deinitializing either. |
936 | /// |
937 | /// But for the following exceptions, this function is semantically |
938 | /// equivalent to [`mem::swap`]: |
939 | /// |
940 | /// * It operates on raw pointers instead of references. When references are |
941 | /// available, [`mem::swap`] should be preferred. |
942 | /// |
943 | /// * The two pointed-to values may overlap. If the values do overlap, then the |
944 | /// overlapping region of memory from `x` will be used. This is demonstrated |
945 | /// in the second example below. |
946 | /// |
947 | /// * The operation is "untyped" in the sense that data may be uninitialized or otherwise violate |
948 | /// the requirements of `T`. The initialization state is preserved exactly. |
949 | /// |
950 | /// # Safety |
951 | /// |
952 | /// Behavior is undefined if any of the following conditions are violated: |
953 | /// |
954 | /// * Both `x` and `y` must be [valid] for both reads and writes. They must remain valid even when the |
955 | /// other pointer is written. (This means if the memory ranges overlap, the two pointers must not |
956 | /// be subject to aliasing restrictions relative to each other.) |
957 | /// |
958 | /// * Both `x` and `y` must be properly aligned. |
959 | /// |
960 | /// Note that even if `T` has size `0`, the pointers must be properly aligned. |
961 | /// |
962 | /// [valid]: self#safety |
963 | /// |
964 | /// # Examples |
965 | /// |
966 | /// Swapping two non-overlapping regions: |
967 | /// |
968 | /// ``` |
969 | /// use std::ptr; |
970 | /// |
971 | /// let mut array = [0, 1, 2, 3]; |
972 | /// |
973 | /// let (x, y) = array.split_at_mut(2); |
974 | /// let x = x.as_mut_ptr().cast::<[u32; 2]>(); // this is `array[0..2]` |
975 | /// let y = y.as_mut_ptr().cast::<[u32; 2]>(); // this is `array[2..4]` |
976 | /// |
977 | /// unsafe { |
978 | /// ptr::swap(x, y); |
979 | /// assert_eq!([2, 3, 0, 1], array); |
980 | /// } |
981 | /// ``` |
982 | /// |
983 | /// Swapping two overlapping regions: |
984 | /// |
985 | /// ``` |
986 | /// use std::ptr; |
987 | /// |
988 | /// let mut array: [i32; 4] = [0, 1, 2, 3]; |
989 | /// |
990 | /// let array_ptr: *mut i32 = array.as_mut_ptr(); |
991 | /// |
992 | /// let x = array_ptr as *mut [i32; 3]; // this is `array[0..3]` |
993 | /// let y = unsafe { array_ptr.add(1) } as *mut [i32; 3]; // this is `array[1..4]` |
994 | /// |
995 | /// unsafe { |
996 | /// ptr::swap(x, y); |
997 | /// // The indices `1..3` of the slice overlap between `x` and `y`. |
998 | /// // Reasonable results would be for to them be `[2, 3]`, so that indices `0..3` are |
999 | /// // `[1, 2, 3]` (matching `y` before the `swap`); or for them to be `[0, 1]` |
1000 | /// // so that indices `1..4` are `[0, 1, 2]` (matching `x` before the `swap`). |
1001 | /// // This implementation is defined to make the latter choice. |
1002 | /// assert_eq!([1, 0, 1, 2], array); |
1003 | /// } |
1004 | /// ``` |
1005 | #[inline ] |
1006 | #[stable (feature = "rust1" , since = "1.0.0" )] |
1007 | #[rustc_const_stable (feature = "const_swap" , since = "1.85.0" )] |
1008 | #[rustc_diagnostic_item = "ptr_swap" ] |
1009 | pub const unsafe fn swap<T>(x: *mut T, y: *mut T) { |
1010 | // Give ourselves some scratch space to work with. |
1011 | // We do not have to worry about drops: `MaybeUninit` does nothing when dropped. |
1012 | let mut tmp: MaybeUninit = MaybeUninit::<T>::uninit(); |
1013 | |
1014 | // Perform the swap |
1015 | // SAFETY: the caller must guarantee that `x` and `y` are |
1016 | // valid for writes and properly aligned. `tmp` cannot be |
1017 | // overlapping either `x` or `y` because `tmp` was just allocated |
1018 | // on the stack as a separate allocated object. |
1019 | unsafe { |
1020 | copy_nonoverlapping(src:x, dst:tmp.as_mut_ptr(), count:1); |
1021 | copy(src:y, dst:x, count:1); // `x` and `y` may overlap |
1022 | copy_nonoverlapping(src:tmp.as_ptr(), dst:y, count:1); |
1023 | } |
1024 | } |
1025 | |
1026 | /// Swaps `count * size_of::<T>()` bytes between the two regions of memory |
1027 | /// beginning at `x` and `y`. The two regions must *not* overlap. |
1028 | /// |
1029 | /// The operation is "untyped" in the sense that data may be uninitialized or otherwise violate the |
1030 | /// requirements of `T`. The initialization state is preserved exactly. |
1031 | /// |
1032 | /// # Safety |
1033 | /// |
1034 | /// Behavior is undefined if any of the following conditions are violated: |
1035 | /// |
1036 | /// * Both `x` and `y` must be [valid] for both reads and writes of `count * |
1037 | /// size_of::<T>()` bytes. |
1038 | /// |
1039 | /// * Both `x` and `y` must be properly aligned. |
1040 | /// |
1041 | /// * The region of memory beginning at `x` with a size of `count * |
1042 | /// size_of::<T>()` bytes must *not* overlap with the region of memory |
1043 | /// beginning at `y` with the same size. |
1044 | /// |
1045 | /// Note that even if the effectively copied size (`count * size_of::<T>()`) is `0`, |
1046 | /// the pointers must be properly aligned. |
1047 | /// |
1048 | /// [valid]: self#safety |
1049 | /// |
1050 | /// # Examples |
1051 | /// |
1052 | /// Basic usage: |
1053 | /// |
1054 | /// ``` |
1055 | /// use std::ptr; |
1056 | /// |
1057 | /// let mut x = [1, 2, 3, 4]; |
1058 | /// let mut y = [7, 8, 9]; |
1059 | /// |
1060 | /// unsafe { |
1061 | /// ptr::swap_nonoverlapping(x.as_mut_ptr(), y.as_mut_ptr(), 2); |
1062 | /// } |
1063 | /// |
1064 | /// assert_eq!(x, [7, 8, 3, 4]); |
1065 | /// assert_eq!(y, [1, 2, 9]); |
1066 | /// ``` |
1067 | #[inline ] |
1068 | #[stable (feature = "swap_nonoverlapping" , since = "1.27.0" )] |
1069 | #[rustc_const_unstable (feature = "const_swap_nonoverlapping" , issue = "133668" )] |
1070 | #[rustc_diagnostic_item = "ptr_swap_nonoverlapping" ] |
1071 | pub const unsafe fn swap_nonoverlapping<T>(x: *mut T, y: *mut T, count: usize) { |
1072 | ub_checks::assert_unsafe_precondition!( |
1073 | check_library_ub, |
1074 | "ptr::swap_nonoverlapping requires that both pointer arguments are aligned and non-null \ |
1075 | and the specified memory ranges do not overlap" , |
1076 | ( |
1077 | x: *mut () = x as *mut (), |
1078 | y: *mut () = y as *mut (), |
1079 | size: usize = size_of::<T>(), |
1080 | align: usize = align_of::<T>(), |
1081 | count: usize = count, |
1082 | ) => { |
1083 | let zero_size = size == 0 || count == 0; |
1084 | ub_checks::maybe_is_aligned_and_not_null(x, align, zero_size) |
1085 | && ub_checks::maybe_is_aligned_and_not_null(y, align, zero_size) |
1086 | && ub_checks::maybe_is_nonoverlapping(x, y, size, count) |
1087 | } |
1088 | ); |
1089 | |
1090 | const_eval_select!( |
1091 | @capture[T] { x: *mut T, y: *mut T, count: usize }: |
1092 | if const { |
1093 | // At compile-time we want to always copy this in chunks of `T`, to ensure that if there |
1094 | // are pointers inside `T` we will copy them in one go rather than trying to copy a part |
1095 | // of a pointer (which would not work). |
1096 | // SAFETY: Same preconditions as this function |
1097 | unsafe { swap_nonoverlapping_simple_untyped(x, y, count) } |
1098 | } else { |
1099 | macro_rules! attempt_swap_as_chunks { |
1100 | ($ChunkTy:ty) => { |
1101 | if align_of::<T>() >= align_of::<$ChunkTy>() |
1102 | && size_of::<T>() % size_of::<$ChunkTy>() == 0 |
1103 | { |
1104 | let x: *mut $ChunkTy = x.cast(); |
1105 | let y: *mut $ChunkTy = y.cast(); |
1106 | let count = count * (size_of::<T>() / size_of::<$ChunkTy>()); |
1107 | // SAFETY: these are the same bytes that the caller promised were |
1108 | // ok, just typed as `MaybeUninit<ChunkTy>`s instead of as `T`s. |
1109 | // The `if` condition above ensures that we're not violating |
1110 | // alignment requirements, and that the division is exact so |
1111 | // that we don't lose any bytes off the end. |
1112 | return unsafe { swap_nonoverlapping_simple_untyped(x, y, count) }; |
1113 | } |
1114 | }; |
1115 | } |
1116 | |
1117 | // Split up the slice into small power-of-two-sized chunks that LLVM is able |
1118 | // to vectorize (unless it's a special type with more-than-pointer alignment, |
1119 | // because we don't want to pessimize things like slices of SIMD vectors.) |
1120 | if align_of::<T>() <= size_of::<usize>() |
1121 | && (!size_of::<T>().is_power_of_two() |
1122 | || size_of::<T>() > size_of::<usize>() * 2) |
1123 | { |
1124 | attempt_swap_as_chunks!(usize); |
1125 | attempt_swap_as_chunks!(u8); |
1126 | } |
1127 | |
1128 | // SAFETY: Same preconditions as this function |
1129 | unsafe { swap_nonoverlapping_simple_untyped(x, y, count) } |
1130 | } |
1131 | ) |
1132 | } |
1133 | |
1134 | /// Same behavior and safety conditions as [`swap_nonoverlapping`] |
1135 | /// |
1136 | /// LLVM can vectorize this (at least it can for the power-of-two-sized types |
1137 | /// `swap_nonoverlapping` tries to use) so no need to manually SIMD it. |
1138 | #[inline ] |
1139 | const unsafe fn swap_nonoverlapping_simple_untyped<T>(x: *mut T, y: *mut T, count: usize) { |
1140 | let x = x.cast::<MaybeUninit<T>>(); |
1141 | let y = y.cast::<MaybeUninit<T>>(); |
1142 | let mut i = 0; |
1143 | while i < count { |
1144 | // SAFETY: By precondition, `i` is in-bounds because it's below `n` |
1145 | let x = unsafe { x.add(i) }; |
1146 | // SAFETY: By precondition, `i` is in-bounds because it's below `n` |
1147 | // and it's distinct from `x` since the ranges are non-overlapping |
1148 | let y = unsafe { y.add(i) }; |
1149 | |
1150 | // If we end up here, it's because we're using a simple type -- like |
1151 | // a small power-of-two-sized thing -- or a special type with particularly |
1152 | // large alignment, particularly SIMD types. |
1153 | // Thus, we're fine just reading-and-writing it, as either it's small |
1154 | // and that works well anyway or it's special and the type's author |
1155 | // presumably wanted things to be done in the larger chunk. |
1156 | |
1157 | // SAFETY: we're only ever given pointers that are valid to read/write, |
1158 | // including being aligned, and nothing here panics so it's drop-safe. |
1159 | unsafe { |
1160 | let a: MaybeUninit<T> = read(x); |
1161 | let b: MaybeUninit<T> = read(y); |
1162 | write(x, b); |
1163 | write(y, a); |
1164 | } |
1165 | |
1166 | i += 1; |
1167 | } |
1168 | } |
1169 | |
1170 | /// Moves `src` into the pointed `dst`, returning the previous `dst` value. |
1171 | /// |
1172 | /// Neither value is dropped. |
1173 | /// |
1174 | /// This function is semantically equivalent to [`mem::replace`] except that it |
1175 | /// operates on raw pointers instead of references. When references are |
1176 | /// available, [`mem::replace`] should be preferred. |
1177 | /// |
1178 | /// # Safety |
1179 | /// |
1180 | /// Behavior is undefined if any of the following conditions are violated: |
1181 | /// |
1182 | /// * `dst` must be [valid] for both reads and writes. |
1183 | /// |
1184 | /// * `dst` must be properly aligned. |
1185 | /// |
1186 | /// * `dst` must point to a properly initialized value of type `T`. |
1187 | /// |
1188 | /// Note that even if `T` has size `0`, the pointer must be properly aligned. |
1189 | /// |
1190 | /// [valid]: self#safety |
1191 | /// |
1192 | /// # Examples |
1193 | /// |
1194 | /// ``` |
1195 | /// use std::ptr; |
1196 | /// |
1197 | /// let mut rust = vec!['b' , 'u' , 's' , 't' ]; |
1198 | /// |
1199 | /// // `mem::replace` would have the same effect without requiring the unsafe |
1200 | /// // block. |
1201 | /// let b = unsafe { |
1202 | /// ptr::replace(&mut rust[0], 'r' ) |
1203 | /// }; |
1204 | /// |
1205 | /// assert_eq!(b, 'b' ); |
1206 | /// assert_eq!(rust, &['r' , 'u' , 's' , 't' ]); |
1207 | /// ``` |
1208 | #[inline ] |
1209 | #[stable (feature = "rust1" , since = "1.0.0" )] |
1210 | #[rustc_const_stable (feature = "const_replace" , since = "1.83.0" )] |
1211 | #[rustc_diagnostic_item = "ptr_replace" ] |
1212 | pub const unsafe fn replace<T>(dst: *mut T, src: T) -> T { |
1213 | // SAFETY: the caller must guarantee that `dst` is valid to be |
1214 | // cast to a mutable reference (valid for writes, aligned, initialized), |
1215 | // and cannot overlap `src` since `dst` must point to a distinct |
1216 | // allocated object. |
1217 | unsafe { |
1218 | ub_checks::assert_unsafe_precondition!( |
1219 | check_language_ub, |
1220 | "ptr::replace requires that the pointer argument is aligned and non-null" , |
1221 | ( |
1222 | addr: *const () = dst as *const (), |
1223 | align: usize = align_of::<T>(), |
1224 | is_zst: bool = T::IS_ZST, |
1225 | ) => ub_checks::maybe_is_aligned_and_not_null(addr, align, is_zst) |
1226 | ); |
1227 | mem::replace(&mut *dst, src) |
1228 | } |
1229 | } |
1230 | |
1231 | /// Reads the value from `src` without moving it. This leaves the |
1232 | /// memory in `src` unchanged. |
1233 | /// |
1234 | /// # Safety |
1235 | /// |
1236 | /// Behavior is undefined if any of the following conditions are violated: |
1237 | /// |
1238 | /// * `src` must be [valid] for reads. |
1239 | /// |
1240 | /// * `src` must be properly aligned. Use [`read_unaligned`] if this is not the |
1241 | /// case. |
1242 | /// |
1243 | /// * `src` must point to a properly initialized value of type `T`. |
1244 | /// |
1245 | /// Note that even if `T` has size `0`, the pointer must be properly aligned. |
1246 | /// |
1247 | /// # Examples |
1248 | /// |
1249 | /// Basic usage: |
1250 | /// |
1251 | /// ``` |
1252 | /// let x = 12; |
1253 | /// let y = &x as *const i32; |
1254 | /// |
1255 | /// unsafe { |
1256 | /// assert_eq!(std::ptr::read(y), 12); |
1257 | /// } |
1258 | /// ``` |
1259 | /// |
1260 | /// Manually implement [`mem::swap`]: |
1261 | /// |
1262 | /// ``` |
1263 | /// use std::ptr; |
1264 | /// |
1265 | /// fn swap<T>(a: &mut T, b: &mut T) { |
1266 | /// unsafe { |
1267 | /// // Create a bitwise copy of the value at `a` in `tmp`. |
1268 | /// let tmp = ptr::read(a); |
1269 | /// |
1270 | /// // Exiting at this point (either by explicitly returning or by |
1271 | /// // calling a function which panics) would cause the value in `tmp` to |
1272 | /// // be dropped while the same value is still referenced by `a`. This |
1273 | /// // could trigger undefined behavior if `T` is not `Copy`. |
1274 | /// |
1275 | /// // Create a bitwise copy of the value at `b` in `a`. |
1276 | /// // This is safe because mutable references cannot alias. |
1277 | /// ptr::copy_nonoverlapping(b, a, 1); |
1278 | /// |
1279 | /// // As above, exiting here could trigger undefined behavior because |
1280 | /// // the same value is referenced by `a` and `b`. |
1281 | /// |
1282 | /// // Move `tmp` into `b`. |
1283 | /// ptr::write(b, tmp); |
1284 | /// |
1285 | /// // `tmp` has been moved (`write` takes ownership of its second argument), |
1286 | /// // so nothing is dropped implicitly here. |
1287 | /// } |
1288 | /// } |
1289 | /// |
1290 | /// let mut foo = "foo" .to_owned(); |
1291 | /// let mut bar = "bar" .to_owned(); |
1292 | /// |
1293 | /// swap(&mut foo, &mut bar); |
1294 | /// |
1295 | /// assert_eq!(foo, "bar" ); |
1296 | /// assert_eq!(bar, "foo" ); |
1297 | /// ``` |
1298 | /// |
1299 | /// ## Ownership of the Returned Value |
1300 | /// |
1301 | /// `read` creates a bitwise copy of `T`, regardless of whether `T` is [`Copy`]. |
1302 | /// If `T` is not [`Copy`], using both the returned value and the value at |
1303 | /// `*src` can violate memory safety. Note that assigning to `*src` counts as a |
1304 | /// use because it will attempt to drop the value at `*src`. |
1305 | /// |
1306 | /// [`write()`] can be used to overwrite data without causing it to be dropped. |
1307 | /// |
1308 | /// ``` |
1309 | /// use std::ptr; |
1310 | /// |
1311 | /// let mut s = String::from("foo" ); |
1312 | /// unsafe { |
1313 | /// // `s2` now points to the same underlying memory as `s`. |
1314 | /// let mut s2: String = ptr::read(&s); |
1315 | /// |
1316 | /// assert_eq!(s2, "foo" ); |
1317 | /// |
1318 | /// // Assigning to `s2` causes its original value to be dropped. Beyond |
1319 | /// // this point, `s` must no longer be used, as the underlying memory has |
1320 | /// // been freed. |
1321 | /// s2 = String::default(); |
1322 | /// assert_eq!(s2, "" ); |
1323 | /// |
1324 | /// // Assigning to `s` would cause the old value to be dropped again, |
1325 | /// // resulting in undefined behavior. |
1326 | /// // s = String::from("bar"); // ERROR |
1327 | /// |
1328 | /// // `ptr::write` can be used to overwrite a value without dropping it. |
1329 | /// ptr::write(&mut s, String::from("bar" )); |
1330 | /// } |
1331 | /// |
1332 | /// assert_eq!(s, "bar" ); |
1333 | /// ``` |
1334 | /// |
1335 | /// [valid]: self#safety |
1336 | #[inline ] |
1337 | #[stable (feature = "rust1" , since = "1.0.0" )] |
1338 | #[rustc_const_stable (feature = "const_ptr_read" , since = "1.71.0" )] |
1339 | #[cfg_attr (miri, track_caller)] // even without panics, this helps for Miri backtraces |
1340 | #[rustc_diagnostic_item = "ptr_read" ] |
1341 | pub const unsafe fn read<T>(src: *const T) -> T { |
1342 | // It would be semantically correct to implement this via `copy_nonoverlapping` |
1343 | // and `MaybeUninit`, as was done before PR #109035. Calling `assume_init` |
1344 | // provides enough information to know that this is a typed operation. |
1345 | |
1346 | // However, as of March 2023 the compiler was not capable of taking advantage |
1347 | // of that information. Thus, the implementation here switched to an intrinsic, |
1348 | // which lowers to `_0 = *src` in MIR, to address a few issues: |
1349 | // |
1350 | // - Using `MaybeUninit::assume_init` after a `copy_nonoverlapping` was not |
1351 | // turning the untyped copy into a typed load. As such, the generated |
1352 | // `load` in LLVM didn't get various metadata, such as `!range` (#73258), |
1353 | // `!nonnull`, and `!noundef`, resulting in poorer optimization. |
1354 | // - Going through the extra local resulted in multiple extra copies, even |
1355 | // in optimized MIR. (Ignoring StorageLive/Dead, the intrinsic is one |
1356 | // MIR statement, while the previous implementation was eight.) LLVM |
1357 | // could sometimes optimize them away, but because `read` is at the core |
1358 | // of so many things, not having them in the first place improves what we |
1359 | // hand off to the backend. For example, `mem::replace::<Big>` previously |
1360 | // emitted 4 `alloca` and 6 `memcpy`s, but is now 1 `alloc` and 3 `memcpy`s. |
1361 | // - In general, this approach keeps us from getting any more bugs (like |
1362 | // #106369) that boil down to "`read(p)` is worse than `*p`", as this |
1363 | // makes them look identical to the backend (or other MIR consumers). |
1364 | // |
1365 | // Future enhancements to MIR optimizations might well allow this to return |
1366 | // to the previous implementation, rather than using an intrinsic. |
1367 | |
1368 | // SAFETY: the caller must guarantee that `src` is valid for reads. |
1369 | unsafe { |
1370 | #[cfg (debug_assertions)] // Too expensive to always enable (for now?) |
1371 | ub_checks::assert_unsafe_precondition!( |
1372 | check_language_ub, |
1373 | "ptr::read requires that the pointer argument is aligned and non-null" , |
1374 | ( |
1375 | addr: *const () = src as *const (), |
1376 | align: usize = align_of::<T>(), |
1377 | is_zst: bool = T::IS_ZST, |
1378 | ) => ub_checks::maybe_is_aligned_and_not_null(addr, align, is_zst) |
1379 | ); |
1380 | crate::intrinsics::read_via_copy(src) |
1381 | } |
1382 | } |
1383 | |
1384 | /// Reads the value from `src` without moving it. This leaves the |
1385 | /// memory in `src` unchanged. |
1386 | /// |
1387 | /// Unlike [`read`], `read_unaligned` works with unaligned pointers. |
1388 | /// |
1389 | /// # Safety |
1390 | /// |
1391 | /// Behavior is undefined if any of the following conditions are violated: |
1392 | /// |
1393 | /// * `src` must be [valid] for reads. |
1394 | /// |
1395 | /// * `src` must point to a properly initialized value of type `T`. |
1396 | /// |
1397 | /// Like [`read`], `read_unaligned` creates a bitwise copy of `T`, regardless of |
1398 | /// whether `T` is [`Copy`]. If `T` is not [`Copy`], using both the returned |
1399 | /// value and the value at `*src` can [violate memory safety][read-ownership]. |
1400 | /// |
1401 | /// [read-ownership]: read#ownership-of-the-returned-value |
1402 | /// [valid]: self#safety |
1403 | /// |
1404 | /// ## On `packed` structs |
1405 | /// |
1406 | /// Attempting to create a raw pointer to an `unaligned` struct field with |
1407 | /// an expression such as `&packed.unaligned as *const FieldType` creates an |
1408 | /// intermediate unaligned reference before converting that to a raw pointer. |
1409 | /// That this reference is temporary and immediately cast is inconsequential |
1410 | /// as the compiler always expects references to be properly aligned. |
1411 | /// As a result, using `&packed.unaligned as *const FieldType` causes immediate |
1412 | /// *undefined behavior* in your program. |
1413 | /// |
1414 | /// Instead you must use the `&raw const` syntax to create the pointer. |
1415 | /// You may use that constructed pointer together with this function. |
1416 | /// |
1417 | /// An example of what not to do and how this relates to `read_unaligned` is: |
1418 | /// |
1419 | /// ``` |
1420 | /// #[repr(packed, C)] |
1421 | /// struct Packed { |
1422 | /// _padding: u8, |
1423 | /// unaligned: u32, |
1424 | /// } |
1425 | /// |
1426 | /// let packed = Packed { |
1427 | /// _padding: 0x00, |
1428 | /// unaligned: 0x01020304, |
1429 | /// }; |
1430 | /// |
1431 | /// // Take the address of a 32-bit integer which is not aligned. |
1432 | /// // In contrast to `&packed.unaligned as *const _`, this has no undefined behavior. |
1433 | /// let unaligned = &raw const packed.unaligned; |
1434 | /// |
1435 | /// let v = unsafe { std::ptr::read_unaligned(unaligned) }; |
1436 | /// assert_eq!(v, 0x01020304); |
1437 | /// ``` |
1438 | /// |
1439 | /// Accessing unaligned fields directly with e.g. `packed.unaligned` is safe however. |
1440 | /// |
1441 | /// # Examples |
1442 | /// |
1443 | /// Read a `usize` value from a byte buffer: |
1444 | /// |
1445 | /// ``` |
1446 | /// fn read_usize(x: &[u8]) -> usize { |
1447 | /// assert!(x.len() >= size_of::<usize>()); |
1448 | /// |
1449 | /// let ptr = x.as_ptr() as *const usize; |
1450 | /// |
1451 | /// unsafe { ptr.read_unaligned() } |
1452 | /// } |
1453 | /// ``` |
1454 | #[inline ] |
1455 | #[stable (feature = "ptr_unaligned" , since = "1.17.0" )] |
1456 | #[rustc_const_stable (feature = "const_ptr_read" , since = "1.71.0" )] |
1457 | #[cfg_attr (miri, track_caller)] // even without panics, this helps for Miri backtraces |
1458 | #[rustc_diagnostic_item = "ptr_read_unaligned" ] |
1459 | pub const unsafe fn read_unaligned<T>(src: *const T) -> T { |
1460 | let mut tmp: MaybeUninit = MaybeUninit::<T>::uninit(); |
1461 | // SAFETY: the caller must guarantee that `src` is valid for reads. |
1462 | // `src` cannot overlap `tmp` because `tmp` was just allocated on |
1463 | // the stack as a separate allocated object. |
1464 | // |
1465 | // Also, since we just wrote a valid value into `tmp`, it is guaranteed |
1466 | // to be properly initialized. |
1467 | unsafe { |
1468 | copy_nonoverlapping(src as *const u8, dst:tmp.as_mut_ptr() as *mut u8, count:size_of::<T>()); |
1469 | tmp.assume_init() |
1470 | } |
1471 | } |
1472 | |
1473 | /// Overwrites a memory location with the given value without reading or |
1474 | /// dropping the old value. |
1475 | /// |
1476 | /// `write` does not drop the contents of `dst`. This is safe, but it could leak |
1477 | /// allocations or resources, so care should be taken not to overwrite an object |
1478 | /// that should be dropped. |
1479 | /// |
1480 | /// Additionally, it does not drop `src`. Semantically, `src` is moved into the |
1481 | /// location pointed to by `dst`. |
1482 | /// |
1483 | /// This is appropriate for initializing uninitialized memory, or overwriting |
1484 | /// memory that has previously been [`read`] from. |
1485 | /// |
1486 | /// # Safety |
1487 | /// |
1488 | /// Behavior is undefined if any of the following conditions are violated: |
1489 | /// |
1490 | /// * `dst` must be [valid] for writes. |
1491 | /// |
1492 | /// * `dst` must be properly aligned. Use [`write_unaligned`] if this is not the |
1493 | /// case. |
1494 | /// |
1495 | /// Note that even if `T` has size `0`, the pointer must be properly aligned. |
1496 | /// |
1497 | /// [valid]: self#safety |
1498 | /// |
1499 | /// # Examples |
1500 | /// |
1501 | /// Basic usage: |
1502 | /// |
1503 | /// ``` |
1504 | /// let mut x = 0; |
1505 | /// let y = &mut x as *mut i32; |
1506 | /// let z = 12; |
1507 | /// |
1508 | /// unsafe { |
1509 | /// std::ptr::write(y, z); |
1510 | /// assert_eq!(std::ptr::read(y), 12); |
1511 | /// } |
1512 | /// ``` |
1513 | /// |
1514 | /// Manually implement [`mem::swap`]: |
1515 | /// |
1516 | /// ``` |
1517 | /// use std::ptr; |
1518 | /// |
1519 | /// fn swap<T>(a: &mut T, b: &mut T) { |
1520 | /// unsafe { |
1521 | /// // Create a bitwise copy of the value at `a` in `tmp`. |
1522 | /// let tmp = ptr::read(a); |
1523 | /// |
1524 | /// // Exiting at this point (either by explicitly returning or by |
1525 | /// // calling a function which panics) would cause the value in `tmp` to |
1526 | /// // be dropped while the same value is still referenced by `a`. This |
1527 | /// // could trigger undefined behavior if `T` is not `Copy`. |
1528 | /// |
1529 | /// // Create a bitwise copy of the value at `b` in `a`. |
1530 | /// // This is safe because mutable references cannot alias. |
1531 | /// ptr::copy_nonoverlapping(b, a, 1); |
1532 | /// |
1533 | /// // As above, exiting here could trigger undefined behavior because |
1534 | /// // the same value is referenced by `a` and `b`. |
1535 | /// |
1536 | /// // Move `tmp` into `b`. |
1537 | /// ptr::write(b, tmp); |
1538 | /// |
1539 | /// // `tmp` has been moved (`write` takes ownership of its second argument), |
1540 | /// // so nothing is dropped implicitly here. |
1541 | /// } |
1542 | /// } |
1543 | /// |
1544 | /// let mut foo = "foo" .to_owned(); |
1545 | /// let mut bar = "bar" .to_owned(); |
1546 | /// |
1547 | /// swap(&mut foo, &mut bar); |
1548 | /// |
1549 | /// assert_eq!(foo, "bar" ); |
1550 | /// assert_eq!(bar, "foo" ); |
1551 | /// ``` |
1552 | #[inline ] |
1553 | #[stable (feature = "rust1" , since = "1.0.0" )] |
1554 | #[rustc_const_stable (feature = "const_ptr_write" , since = "1.83.0" )] |
1555 | #[rustc_diagnostic_item = "ptr_write" ] |
1556 | #[cfg_attr (miri, track_caller)] // even without panics, this helps for Miri backtraces |
1557 | pub const unsafe fn write<T>(dst: *mut T, src: T) { |
1558 | // Semantically, it would be fine for this to be implemented as a |
1559 | // `copy_nonoverlapping` and appropriate drop suppression of `src`. |
1560 | |
1561 | // However, implementing via that currently produces more MIR than is ideal. |
1562 | // Using an intrinsic keeps it down to just the simple `*dst = move src` in |
1563 | // MIR (11 statements shorter, at the time of writing), and also allows |
1564 | // `src` to stay an SSA value in codegen_ssa, rather than a memory one. |
1565 | |
1566 | // SAFETY: the caller must guarantee that `dst` is valid for writes. |
1567 | // `dst` cannot overlap `src` because the caller has mutable access |
1568 | // to `dst` while `src` is owned by this function. |
1569 | unsafe { |
1570 | #[cfg (debug_assertions)] // Too expensive to always enable (for now?) |
1571 | ub_checks::assert_unsafe_precondition!( |
1572 | check_language_ub, |
1573 | "ptr::write requires that the pointer argument is aligned and non-null" , |
1574 | ( |
1575 | addr: *mut () = dst as *mut (), |
1576 | align: usize = align_of::<T>(), |
1577 | is_zst: bool = T::IS_ZST, |
1578 | ) => ub_checks::maybe_is_aligned_and_not_null(addr, align, is_zst) |
1579 | ); |
1580 | intrinsics::write_via_move(dst, src) |
1581 | } |
1582 | } |
1583 | |
1584 | /// Overwrites a memory location with the given value without reading or |
1585 | /// dropping the old value. |
1586 | /// |
1587 | /// Unlike [`write()`], the pointer may be unaligned. |
1588 | /// |
1589 | /// `write_unaligned` does not drop the contents of `dst`. This is safe, but it |
1590 | /// could leak allocations or resources, so care should be taken not to overwrite |
1591 | /// an object that should be dropped. |
1592 | /// |
1593 | /// Additionally, it does not drop `src`. Semantically, `src` is moved into the |
1594 | /// location pointed to by `dst`. |
1595 | /// |
1596 | /// This is appropriate for initializing uninitialized memory, or overwriting |
1597 | /// memory that has previously been read with [`read_unaligned`]. |
1598 | /// |
1599 | /// # Safety |
1600 | /// |
1601 | /// Behavior is undefined if any of the following conditions are violated: |
1602 | /// |
1603 | /// * `dst` must be [valid] for writes. |
1604 | /// |
1605 | /// [valid]: self#safety |
1606 | /// |
1607 | /// ## On `packed` structs |
1608 | /// |
1609 | /// Attempting to create a raw pointer to an `unaligned` struct field with |
1610 | /// an expression such as `&packed.unaligned as *const FieldType` creates an |
1611 | /// intermediate unaligned reference before converting that to a raw pointer. |
1612 | /// That this reference is temporary and immediately cast is inconsequential |
1613 | /// as the compiler always expects references to be properly aligned. |
1614 | /// As a result, using `&packed.unaligned as *const FieldType` causes immediate |
1615 | /// *undefined behavior* in your program. |
1616 | /// |
1617 | /// Instead, you must use the `&raw mut` syntax to create the pointer. |
1618 | /// You may use that constructed pointer together with this function. |
1619 | /// |
1620 | /// An example of how to do it and how this relates to `write_unaligned` is: |
1621 | /// |
1622 | /// ``` |
1623 | /// #[repr(packed, C)] |
1624 | /// struct Packed { |
1625 | /// _padding: u8, |
1626 | /// unaligned: u32, |
1627 | /// } |
1628 | /// |
1629 | /// let mut packed: Packed = unsafe { std::mem::zeroed() }; |
1630 | /// |
1631 | /// // Take the address of a 32-bit integer which is not aligned. |
1632 | /// // In contrast to `&packed.unaligned as *mut _`, this has no undefined behavior. |
1633 | /// let unaligned = &raw mut packed.unaligned; |
1634 | /// |
1635 | /// unsafe { std::ptr::write_unaligned(unaligned, 42) }; |
1636 | /// |
1637 | /// assert_eq!({packed.unaligned}, 42); // `{...}` forces copying the field instead of creating a reference. |
1638 | /// ``` |
1639 | /// |
1640 | /// Accessing unaligned fields directly with e.g. `packed.unaligned` is safe however |
1641 | /// (as can be seen in the `assert_eq!` above). |
1642 | /// |
1643 | /// # Examples |
1644 | /// |
1645 | /// Write a `usize` value to a byte buffer: |
1646 | /// |
1647 | /// ``` |
1648 | /// fn write_usize(x: &mut [u8], val: usize) { |
1649 | /// assert!(x.len() >= size_of::<usize>()); |
1650 | /// |
1651 | /// let ptr = x.as_mut_ptr() as *mut usize; |
1652 | /// |
1653 | /// unsafe { ptr.write_unaligned(val) } |
1654 | /// } |
1655 | /// ``` |
1656 | #[inline ] |
1657 | #[stable (feature = "ptr_unaligned" , since = "1.17.0" )] |
1658 | #[rustc_const_stable (feature = "const_ptr_write" , since = "1.83.0" )] |
1659 | #[rustc_diagnostic_item = "ptr_write_unaligned" ] |
1660 | #[cfg_attr (miri, track_caller)] // even without panics, this helps for Miri backtraces |
1661 | pub const unsafe fn write_unaligned<T>(dst: *mut T, src: T) { |
1662 | // SAFETY: the caller must guarantee that `dst` is valid for writes. |
1663 | // `dst` cannot overlap `src` because the caller has mutable access |
1664 | // to `dst` while `src` is owned by this function. |
1665 | unsafe { |
1666 | copy_nonoverlapping((&raw const src) as *const u8, dst as *mut u8, count:size_of::<T>()); |
1667 | // We are calling the intrinsic directly to avoid function calls in the generated code. |
1668 | intrinsics::forget(src); |
1669 | } |
1670 | } |
1671 | |
1672 | /// Performs a volatile read of the value from `src` without moving it. This |
1673 | /// leaves the memory in `src` unchanged. |
1674 | /// |
1675 | /// Volatile operations are intended to act on I/O memory, and are guaranteed |
1676 | /// to not be elided or reordered by the compiler across other volatile |
1677 | /// operations. |
1678 | /// |
1679 | /// # Notes |
1680 | /// |
1681 | /// Rust does not currently have a rigorously and formally defined memory model, |
1682 | /// so the precise semantics of what "volatile" means here is subject to change |
1683 | /// over time. That being said, the semantics will almost always end up pretty |
1684 | /// similar to [C11's definition of volatile][c11]. |
1685 | /// |
1686 | /// The compiler shouldn't change the relative order or number of volatile |
1687 | /// memory operations. However, volatile memory operations on zero-sized types |
1688 | /// (e.g., if a zero-sized type is passed to `read_volatile`) are noops |
1689 | /// and may be ignored. |
1690 | /// |
1691 | /// [c11]: http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1570.pdf |
1692 | /// |
1693 | /// # Safety |
1694 | /// |
1695 | /// Behavior is undefined if any of the following conditions are violated: |
1696 | /// |
1697 | /// * `src` must be [valid] for reads. |
1698 | /// |
1699 | /// * `src` must be properly aligned. |
1700 | /// |
1701 | /// * `src` must point to a properly initialized value of type `T`. |
1702 | /// |
1703 | /// Like [`read`], `read_volatile` creates a bitwise copy of `T`, regardless of |
1704 | /// whether `T` is [`Copy`]. If `T` is not [`Copy`], using both the returned |
1705 | /// value and the value at `*src` can [violate memory safety][read-ownership]. |
1706 | /// However, storing non-[`Copy`] types in volatile memory is almost certainly |
1707 | /// incorrect. |
1708 | /// |
1709 | /// Note that even if `T` has size `0`, the pointer must be properly aligned. |
1710 | /// |
1711 | /// [valid]: self#safety |
1712 | /// [read-ownership]: read#ownership-of-the-returned-value |
1713 | /// |
1714 | /// Just like in C, whether an operation is volatile has no bearing whatsoever |
1715 | /// on questions involving concurrent access from multiple threads. Volatile |
1716 | /// accesses behave exactly like non-atomic accesses in that regard. In particular, |
1717 | /// a race between a `read_volatile` and any write operation to the same location |
1718 | /// is undefined behavior. |
1719 | /// |
1720 | /// # Examples |
1721 | /// |
1722 | /// Basic usage: |
1723 | /// |
1724 | /// ``` |
1725 | /// let x = 12; |
1726 | /// let y = &x as *const i32; |
1727 | /// |
1728 | /// unsafe { |
1729 | /// assert_eq!(std::ptr::read_volatile(y), 12); |
1730 | /// } |
1731 | /// ``` |
1732 | #[inline ] |
1733 | #[stable (feature = "volatile" , since = "1.9.0" )] |
1734 | #[cfg_attr (miri, track_caller)] // even without panics, this helps for Miri backtraces |
1735 | #[rustc_diagnostic_item = "ptr_read_volatile" ] |
1736 | pub unsafe fn read_volatile<T>(src: *const T) -> T { |
1737 | // SAFETY: the caller must uphold the safety contract for `volatile_load`. |
1738 | unsafe { |
1739 | ub_checks::assert_unsafe_precondition!( |
1740 | check_language_ub, |
1741 | "ptr::read_volatile requires that the pointer argument is aligned and non-null" , |
1742 | ( |
1743 | addr: *const () = src as *const (), |
1744 | align: usize = align_of::<T>(), |
1745 | is_zst: bool = T::IS_ZST, |
1746 | ) => ub_checks::maybe_is_aligned_and_not_null(addr, align, is_zst) |
1747 | ); |
1748 | intrinsics::volatile_load(src) |
1749 | } |
1750 | } |
1751 | |
1752 | /// Performs a volatile write of a memory location with the given value without |
1753 | /// reading or dropping the old value. |
1754 | /// |
1755 | /// Volatile operations are intended to act on I/O memory, and are guaranteed |
1756 | /// to not be elided or reordered by the compiler across other volatile |
1757 | /// operations. |
1758 | /// |
1759 | /// `write_volatile` does not drop the contents of `dst`. This is safe, but it |
1760 | /// could leak allocations or resources, so care should be taken not to overwrite |
1761 | /// an object that should be dropped. |
1762 | /// |
1763 | /// Additionally, it does not drop `src`. Semantically, `src` is moved into the |
1764 | /// location pointed to by `dst`. |
1765 | /// |
1766 | /// # Notes |
1767 | /// |
1768 | /// Rust does not currently have a rigorously and formally defined memory model, |
1769 | /// so the precise semantics of what "volatile" means here is subject to change |
1770 | /// over time. That being said, the semantics will almost always end up pretty |
1771 | /// similar to [C11's definition of volatile][c11]. |
1772 | /// |
1773 | /// The compiler shouldn't change the relative order or number of volatile |
1774 | /// memory operations. However, volatile memory operations on zero-sized types |
1775 | /// (e.g., if a zero-sized type is passed to `write_volatile`) are noops |
1776 | /// and may be ignored. |
1777 | /// |
1778 | /// [c11]: http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1570.pdf |
1779 | /// |
1780 | /// # Safety |
1781 | /// |
1782 | /// Behavior is undefined if any of the following conditions are violated: |
1783 | /// |
1784 | /// * `dst` must be [valid] for writes. |
1785 | /// |
1786 | /// * `dst` must be properly aligned. |
1787 | /// |
1788 | /// Note that even if `T` has size `0`, the pointer must be properly aligned. |
1789 | /// |
1790 | /// [valid]: self#safety |
1791 | /// |
1792 | /// Just like in C, whether an operation is volatile has no bearing whatsoever |
1793 | /// on questions involving concurrent access from multiple threads. Volatile |
1794 | /// accesses behave exactly like non-atomic accesses in that regard. In particular, |
1795 | /// a race between a `write_volatile` and any other operation (reading or writing) |
1796 | /// on the same location is undefined behavior. |
1797 | /// |
1798 | /// # Examples |
1799 | /// |
1800 | /// Basic usage: |
1801 | /// |
1802 | /// ``` |
1803 | /// let mut x = 0; |
1804 | /// let y = &mut x as *mut i32; |
1805 | /// let z = 12; |
1806 | /// |
1807 | /// unsafe { |
1808 | /// std::ptr::write_volatile(y, z); |
1809 | /// assert_eq!(std::ptr::read_volatile(y), 12); |
1810 | /// } |
1811 | /// ``` |
1812 | #[inline ] |
1813 | #[stable (feature = "volatile" , since = "1.9.0" )] |
1814 | #[rustc_diagnostic_item = "ptr_write_volatile" ] |
1815 | #[cfg_attr (miri, track_caller)] // even without panics, this helps for Miri backtraces |
1816 | pub unsafe fn write_volatile<T>(dst: *mut T, src: T) { |
1817 | // SAFETY: the caller must uphold the safety contract for `volatile_store`. |
1818 | unsafe { |
1819 | ub_checks::assert_unsafe_precondition!( |
1820 | check_language_ub, |
1821 | "ptr::write_volatile requires that the pointer argument is aligned and non-null" , |
1822 | ( |
1823 | addr: *mut () = dst as *mut (), |
1824 | align: usize = align_of::<T>(), |
1825 | is_zst: bool = T::IS_ZST, |
1826 | ) => ub_checks::maybe_is_aligned_and_not_null(addr, align, is_zst) |
1827 | ); |
1828 | intrinsics::volatile_store(dst, val:src); |
1829 | } |
1830 | } |
1831 | |
1832 | /// Align pointer `p`. |
1833 | /// |
1834 | /// Calculate offset (in terms of elements of `size_of::<T>()` stride) that has to be applied |
1835 | /// to pointer `p` so that pointer `p` would get aligned to `a`. |
1836 | /// |
1837 | /// # Safety |
1838 | /// `a` must be a power of two. |
1839 | /// |
1840 | /// # Notes |
1841 | /// This implementation has been carefully tailored to not panic. It is UB for this to panic. |
1842 | /// The only real change that can be made here is change of `INV_TABLE_MOD_16` and associated |
1843 | /// constants. |
1844 | /// |
1845 | /// If we ever decide to make it possible to call the intrinsic with `a` that is not a |
1846 | /// power-of-two, it will probably be more prudent to just change to a naive implementation rather |
1847 | /// than trying to adapt this to accommodate that change. |
1848 | /// |
1849 | /// Any questions go to @nagisa. |
1850 | #[allow (ptr_to_integer_transmute_in_consts)] |
1851 | pub(crate) unsafe fn align_offset<T: Sized>(p: *const T, a: usize) -> usize { |
1852 | // FIXME(#75598): Direct use of these intrinsics improves codegen significantly at opt-level <= |
1853 | // 1, where the method versions of these operations are not inlined. |
1854 | use intrinsics::{ |
1855 | assume, cttz_nonzero, exact_div, mul_with_overflow, unchecked_rem, unchecked_shl, |
1856 | unchecked_shr, unchecked_sub, wrapping_add, wrapping_mul, wrapping_sub, |
1857 | }; |
1858 | |
1859 | /// Calculate multiplicative modular inverse of `x` modulo `m`. |
1860 | /// |
1861 | /// This implementation is tailored for `align_offset` and has following preconditions: |
1862 | /// |
1863 | /// * `m` is a power-of-two; |
1864 | /// * `x < m`; (if `x ≥ m`, pass in `x % m` instead) |
1865 | /// |
1866 | /// Implementation of this function shall not panic. Ever. |
1867 | #[inline ] |
1868 | const unsafe fn mod_inv(x: usize, m: usize) -> usize { |
1869 | /// Multiplicative modular inverse table modulo 2⁴ = 16. |
1870 | /// |
1871 | /// Note, that this table does not contain values where inverse does not exist (i.e., for |
1872 | /// `0⁻¹ mod 16`, `2⁻¹ mod 16`, etc.) |
1873 | const INV_TABLE_MOD_16: [u8; 8] = [1, 11, 13, 7, 9, 3, 5, 15]; |
1874 | /// Modulo for which the `INV_TABLE_MOD_16` is intended. |
1875 | const INV_TABLE_MOD: usize = 16; |
1876 | |
1877 | // SAFETY: `m` is required to be a power-of-two, hence non-zero. |
1878 | let m_minus_one = unsafe { unchecked_sub(m, 1) }; |
1879 | let mut inverse = INV_TABLE_MOD_16[(x & (INV_TABLE_MOD - 1)) >> 1] as usize; |
1880 | let mut mod_gate = INV_TABLE_MOD; |
1881 | // We iterate "up" using the following formula: |
1882 | // |
1883 | // $$ xy ≡ 1 (mod 2ⁿ) → xy (2 - xy) ≡ 1 (mod 2²ⁿ) $$ |
1884 | // |
1885 | // This application needs to be applied at least until `2²ⁿ ≥ m`, at which point we can |
1886 | // finally reduce the computation to our desired `m` by taking `inverse mod m`. |
1887 | // |
1888 | // This computation is `O(log log m)`, which is to say, that on 64-bit machines this loop |
1889 | // will always finish in at most 4 iterations. |
1890 | loop { |
1891 | // y = y * (2 - xy) mod n |
1892 | // |
1893 | // Note, that we use wrapping operations here intentionally – the original formula |
1894 | // uses e.g., subtraction `mod n`. It is entirely fine to do them `mod |
1895 | // usize::MAX` instead, because we take the result `mod n` at the end |
1896 | // anyway. |
1897 | if mod_gate >= m { |
1898 | break; |
1899 | } |
1900 | inverse = wrapping_mul(inverse, wrapping_sub(2usize, wrapping_mul(x, inverse))); |
1901 | let (new_gate, overflow) = mul_with_overflow(mod_gate, mod_gate); |
1902 | if overflow { |
1903 | break; |
1904 | } |
1905 | mod_gate = new_gate; |
1906 | } |
1907 | inverse & m_minus_one |
1908 | } |
1909 | |
1910 | let stride = size_of::<T>(); |
1911 | |
1912 | let addr: usize = p.addr(); |
1913 | |
1914 | // SAFETY: `a` is a power-of-two, therefore non-zero. |
1915 | let a_minus_one = unsafe { unchecked_sub(a, 1) }; |
1916 | |
1917 | if stride == 0 { |
1918 | // SPECIAL_CASE: handle 0-sized types. No matter how many times we step, the address will |
1919 | // stay the same, so no offset will be able to align the pointer unless it is already |
1920 | // aligned. This branch _will_ be optimized out as `stride` is known at compile-time. |
1921 | let p_mod_a = addr & a_minus_one; |
1922 | return if p_mod_a == 0 { 0 } else { usize::MAX }; |
1923 | } |
1924 | |
1925 | // SAFETY: `stride == 0` case has been handled by the special case above. |
1926 | let a_mod_stride = unsafe { unchecked_rem(a, stride) }; |
1927 | if a_mod_stride == 0 { |
1928 | // SPECIAL_CASE: In cases where the `a` is divisible by `stride`, byte offset to align a |
1929 | // pointer can be computed more simply through `-p (mod a)`. In the off-chance the byte |
1930 | // offset is not a multiple of `stride`, the input pointer was misaligned and no pointer |
1931 | // offset will be able to produce a `p` aligned to the specified `a`. |
1932 | // |
1933 | // The naive `-p (mod a)` equation inhibits LLVM's ability to select instructions |
1934 | // like `lea`. We compute `(round_up_to_next_alignment(p, a) - p)` instead. This |
1935 | // redistributes operations around the load-bearing, but pessimizing `and` instruction |
1936 | // sufficiently for LLVM to be able to utilize the various optimizations it knows about. |
1937 | // |
1938 | // LLVM handles the branch here particularly nicely. If this branch needs to be evaluated |
1939 | // at runtime, it will produce a mask `if addr_mod_stride == 0 { 0 } else { usize::MAX }` |
1940 | // in a branch-free way and then bitwise-OR it with whatever result the `-p mod a` |
1941 | // computation produces. |
1942 | |
1943 | let aligned_address = wrapping_add(addr, a_minus_one) & wrapping_sub(0, a); |
1944 | let byte_offset = wrapping_sub(aligned_address, addr); |
1945 | // FIXME: Remove the assume after <https://github.com/llvm/llvm-project/issues/62502> |
1946 | // SAFETY: Masking by `-a` can only affect the low bits, and thus cannot have reduced |
1947 | // the value by more than `a-1`, so even though the intermediate values might have |
1948 | // wrapped, the byte_offset is always in `[0, a)`. |
1949 | unsafe { assume(byte_offset < a) }; |
1950 | |
1951 | // SAFETY: `stride == 0` case has been handled by the special case above. |
1952 | let addr_mod_stride = unsafe { unchecked_rem(addr, stride) }; |
1953 | |
1954 | return if addr_mod_stride == 0 { |
1955 | // SAFETY: `stride` is non-zero. This is guaranteed to divide exactly as well, because |
1956 | // addr has been verified to be aligned to the original type’s alignment requirements. |
1957 | unsafe { exact_div(byte_offset, stride) } |
1958 | } else { |
1959 | usize::MAX |
1960 | }; |
1961 | } |
1962 | |
1963 | // GENERAL_CASE: From here on we’re handling the very general case where `addr` may be |
1964 | // misaligned, there isn’t an obvious relationship between `stride` and `a` that we can take an |
1965 | // advantage of, etc. This case produces machine code that isn’t particularly high quality, |
1966 | // compared to the special cases above. The code produced here is still within the realm of |
1967 | // miracles, given the situations this case has to deal with. |
1968 | |
1969 | // SAFETY: a is power-of-two hence non-zero. stride == 0 case is handled above. |
1970 | // FIXME(const-hack) replace with min |
1971 | let gcdpow = unsafe { |
1972 | let x = cttz_nonzero(stride); |
1973 | let y = cttz_nonzero(a); |
1974 | if x < y { x } else { y } |
1975 | }; |
1976 | // SAFETY: gcdpow has an upper-bound that’s at most the number of bits in a `usize`. |
1977 | let gcd = unsafe { unchecked_shl(1usize, gcdpow) }; |
1978 | // SAFETY: gcd is always greater or equal to 1. |
1979 | if addr & unsafe { unchecked_sub(gcd, 1) } == 0 { |
1980 | // This branch solves for the following linear congruence equation: |
1981 | // |
1982 | // ` p + so = 0 mod a ` |
1983 | // |
1984 | // `p` here is the pointer value, `s` - stride of `T`, `o` offset in `T`s, and `a` - the |
1985 | // requested alignment. |
1986 | // |
1987 | // With `g = gcd(a, s)`, and the above condition asserting that `p` is also divisible by |
1988 | // `g`, we can denote `a' = a/g`, `s' = s/g`, `p' = p/g`, then this becomes equivalent to: |
1989 | // |
1990 | // ` p' + s'o = 0 mod a' ` |
1991 | // ` o = (a' - (p' mod a')) * (s'^-1 mod a') ` |
1992 | // |
1993 | // The first term is "the relative alignment of `p` to `a`" (divided by the `g`), the |
1994 | // second term is "how does incrementing `p` by `s` bytes change the relative alignment of |
1995 | // `p`" (again divided by `g`). Division by `g` is necessary to make the inverse well |
1996 | // formed if `a` and `s` are not co-prime. |
1997 | // |
1998 | // Furthermore, the result produced by this solution is not "minimal", so it is necessary |
1999 | // to take the result `o mod lcm(s, a)`. This `lcm(s, a)` is the same as `a'`. |
2000 | |
2001 | // SAFETY: `gcdpow` has an upper-bound not greater than the number of trailing 0-bits in |
2002 | // `a`. |
2003 | let a2 = unsafe { unchecked_shr(a, gcdpow) }; |
2004 | // SAFETY: `a2` is non-zero. Shifting `a` by `gcdpow` cannot shift out any of the set bits |
2005 | // in `a` (of which it has exactly one). |
2006 | let a2minus1 = unsafe { unchecked_sub(a2, 1) }; |
2007 | // SAFETY: `gcdpow` has an upper-bound not greater than the number of trailing 0-bits in |
2008 | // `a`. |
2009 | let s2 = unsafe { unchecked_shr(stride & a_minus_one, gcdpow) }; |
2010 | // SAFETY: `gcdpow` has an upper-bound not greater than the number of trailing 0-bits in |
2011 | // `a`. Furthermore, the subtraction cannot overflow, because `a2 = a >> gcdpow` will |
2012 | // always be strictly greater than `(p % a) >> gcdpow`. |
2013 | let minusp2 = unsafe { unchecked_sub(a2, unchecked_shr(addr & a_minus_one, gcdpow)) }; |
2014 | // SAFETY: `a2` is a power-of-two, as proven above. `s2` is strictly less than `a2` |
2015 | // because `(s % a) >> gcdpow` is strictly less than `a >> gcdpow`. |
2016 | return wrapping_mul(minusp2, unsafe { mod_inv(s2, a2) }) & a2minus1; |
2017 | } |
2018 | |
2019 | // Cannot be aligned at all. |
2020 | usize::MAX |
2021 | } |
2022 | |
2023 | /// Compares raw pointers for equality. |
2024 | /// |
2025 | /// This is the same as using the `==` operator, but less generic: |
2026 | /// the arguments have to be `*const T` raw pointers, |
2027 | /// not anything that implements `PartialEq`. |
2028 | /// |
2029 | /// This can be used to compare `&T` references (which coerce to `*const T` implicitly) |
2030 | /// by their address rather than comparing the values they point to |
2031 | /// (which is what the `PartialEq for &T` implementation does). |
2032 | /// |
2033 | /// When comparing wide pointers, both the address and the metadata are tested for equality. |
2034 | /// However, note that comparing trait object pointers (`*const dyn Trait`) is unreliable: pointers |
2035 | /// to values of the same underlying type can compare inequal (because vtables are duplicated in |
2036 | /// multiple codegen units), and pointers to values of *different* underlying type can compare equal |
2037 | /// (since identical vtables can be deduplicated within a codegen unit). |
2038 | /// |
2039 | /// # Examples |
2040 | /// |
2041 | /// ``` |
2042 | /// use std::ptr; |
2043 | /// |
2044 | /// let five = 5; |
2045 | /// let other_five = 5; |
2046 | /// let five_ref = &five; |
2047 | /// let same_five_ref = &five; |
2048 | /// let other_five_ref = &other_five; |
2049 | /// |
2050 | /// assert!(five_ref == same_five_ref); |
2051 | /// assert!(ptr::eq(five_ref, same_five_ref)); |
2052 | /// |
2053 | /// assert!(five_ref == other_five_ref); |
2054 | /// assert!(!ptr::eq(five_ref, other_five_ref)); |
2055 | /// ``` |
2056 | /// |
2057 | /// Slices are also compared by their length (fat pointers): |
2058 | /// |
2059 | /// ``` |
2060 | /// let a = [1, 2, 3]; |
2061 | /// assert!(std::ptr::eq(&a[..3], &a[..3])); |
2062 | /// assert!(!std::ptr::eq(&a[..2], &a[..3])); |
2063 | /// assert!(!std::ptr::eq(&a[0..2], &a[1..3])); |
2064 | /// ``` |
2065 | #[stable (feature = "ptr_eq" , since = "1.17.0" )] |
2066 | #[inline (always)] |
2067 | #[must_use = "pointer comparison produces a value" ] |
2068 | #[rustc_diagnostic_item = "ptr_eq" ] |
2069 | #[allow (ambiguous_wide_pointer_comparisons)] // it's actually clear here |
2070 | pub fn eq<T: ?Sized>(a: *const T, b: *const T) -> bool { |
2071 | a == b |
2072 | } |
2073 | |
2074 | /// Compares the *addresses* of the two pointers for equality, |
2075 | /// ignoring any metadata in fat pointers. |
2076 | /// |
2077 | /// If the arguments are thin pointers of the same type, |
2078 | /// then this is the same as [`eq`]. |
2079 | /// |
2080 | /// # Examples |
2081 | /// |
2082 | /// ``` |
2083 | /// use std::ptr; |
2084 | /// |
2085 | /// let whole: &[i32; 3] = &[1, 2, 3]; |
2086 | /// let first: &i32 = &whole[0]; |
2087 | /// |
2088 | /// assert!(ptr::addr_eq(whole, first)); |
2089 | /// assert!(!ptr::eq::<dyn std::fmt::Debug>(whole, first)); |
2090 | /// ``` |
2091 | #[stable (feature = "ptr_addr_eq" , since = "1.76.0" )] |
2092 | #[inline (always)] |
2093 | #[must_use = "pointer comparison produces a value" ] |
2094 | pub fn addr_eq<T: ?Sized, U: ?Sized>(p: *const T, q: *const U) -> bool { |
2095 | (p as *const ()) == (q as *const ()) |
2096 | } |
2097 | |
2098 | /// Compares the *addresses* of the two function pointers for equality. |
2099 | /// |
2100 | /// This is the same as `f == g`, but using this function makes clear that the potentially |
2101 | /// surprising semantics of function pointer comparison are involved. |
2102 | /// |
2103 | /// There are **very few guarantees** about how functions are compiled and they have no intrinsic |
2104 | /// “identity”; in particular, this comparison: |
2105 | /// |
2106 | /// * May return `true` unexpectedly, in cases where functions are equivalent. |
2107 | /// |
2108 | /// For example, the following program is likely (but not guaranteed) to print `(true, true)` |
2109 | /// when compiled with optimization: |
2110 | /// |
2111 | /// ``` |
2112 | /// let f: fn(i32) -> i32 = |x| x; |
2113 | /// let g: fn(i32) -> i32 = |x| x + 0; // different closure, different body |
2114 | /// let h: fn(u32) -> u32 = |x| x + 0; // different signature too |
2115 | /// dbg!(std::ptr::fn_addr_eq(f, g), std::ptr::fn_addr_eq(f, h)); // not guaranteed to be equal |
2116 | /// ``` |
2117 | /// |
2118 | /// * May return `false` in any case. |
2119 | /// |
2120 | /// This is particularly likely with generic functions but may happen with any function. |
2121 | /// (From an implementation perspective, this is possible because functions may sometimes be |
2122 | /// processed more than once by the compiler, resulting in duplicate machine code.) |
2123 | /// |
2124 | /// Despite these false positives and false negatives, this comparison can still be useful. |
2125 | /// Specifically, if |
2126 | /// |
2127 | /// * `T` is the same type as `U`, `T` is a [subtype] of `U`, or `U` is a [subtype] of `T`, and |
2128 | /// * `ptr::fn_addr_eq(f, g)` returns true, |
2129 | /// |
2130 | /// then calling `f` and calling `g` will be equivalent. |
2131 | /// |
2132 | /// |
2133 | /// # Examples |
2134 | /// |
2135 | /// ``` |
2136 | /// use std::ptr; |
2137 | /// |
2138 | /// fn a() { println!("a" ); } |
2139 | /// fn b() { println!("b" ); } |
2140 | /// assert!(!ptr::fn_addr_eq(a as fn(), b as fn())); |
2141 | /// ``` |
2142 | /// |
2143 | /// [subtype]: https://doc.rust-lang.org/reference/subtyping.html |
2144 | #[stable (feature = "ptr_fn_addr_eq" , since = "1.85.0" )] |
2145 | #[inline (always)] |
2146 | #[must_use = "function pointer comparison produces a value" ] |
2147 | pub fn fn_addr_eq<T: FnPtr, U: FnPtr>(f: T, g: U) -> bool { |
2148 | f.addr() == g.addr() |
2149 | } |
2150 | |
2151 | /// Hash a raw pointer. |
2152 | /// |
2153 | /// This can be used to hash a `&T` reference (which coerces to `*const T` implicitly) |
2154 | /// by its address rather than the value it points to |
2155 | /// (which is what the `Hash for &T` implementation does). |
2156 | /// |
2157 | /// # Examples |
2158 | /// |
2159 | /// ``` |
2160 | /// use std::hash::{DefaultHasher, Hash, Hasher}; |
2161 | /// use std::ptr; |
2162 | /// |
2163 | /// let five = 5; |
2164 | /// let five_ref = &five; |
2165 | /// |
2166 | /// let mut hasher = DefaultHasher::new(); |
2167 | /// ptr::hash(five_ref, &mut hasher); |
2168 | /// let actual = hasher.finish(); |
2169 | /// |
2170 | /// let mut hasher = DefaultHasher::new(); |
2171 | /// (five_ref as *const i32).hash(&mut hasher); |
2172 | /// let expected = hasher.finish(); |
2173 | /// |
2174 | /// assert_eq!(actual, expected); |
2175 | /// ``` |
2176 | #[stable (feature = "ptr_hash" , since = "1.35.0" )] |
2177 | pub fn hash<T: ?Sized, S: hash::Hasher>(hashee: *const T, into: &mut S) { |
2178 | use crate::hash::Hash; |
2179 | hashee.hash(state:into); |
2180 | } |
2181 | |
2182 | #[stable (feature = "fnptr_impls" , since = "1.4.0" )] |
2183 | impl<F: FnPtr> PartialEq for F { |
2184 | #[inline ] |
2185 | fn eq(&self, other: &Self) -> bool { |
2186 | self.addr() == other.addr() |
2187 | } |
2188 | } |
2189 | #[stable (feature = "fnptr_impls" , since = "1.4.0" )] |
2190 | impl<F: FnPtr> Eq for F {} |
2191 | |
2192 | #[stable (feature = "fnptr_impls" , since = "1.4.0" )] |
2193 | impl<F: FnPtr> PartialOrd for F { |
2194 | #[inline ] |
2195 | fn partial_cmp(&self, other: &Self) -> Option<Ordering> { |
2196 | self.addr().partial_cmp(&other.addr()) |
2197 | } |
2198 | } |
2199 | #[stable (feature = "fnptr_impls" , since = "1.4.0" )] |
2200 | impl<F: FnPtr> Ord for F { |
2201 | #[inline ] |
2202 | fn cmp(&self, other: &Self) -> Ordering { |
2203 | self.addr().cmp(&other.addr()) |
2204 | } |
2205 | } |
2206 | |
2207 | #[stable (feature = "fnptr_impls" , since = "1.4.0" )] |
2208 | impl<F: FnPtr> hash::Hash for F { |
2209 | fn hash<HH: hash::Hasher>(&self, state: &mut HH) { |
2210 | state.write_usize(self.addr() as _) |
2211 | } |
2212 | } |
2213 | |
2214 | #[stable (feature = "fnptr_impls" , since = "1.4.0" )] |
2215 | impl<F: FnPtr> fmt::Pointer for F { |
2216 | fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { |
2217 | fmt::pointer_fmt_inner(self.addr() as _, f) |
2218 | } |
2219 | } |
2220 | |
2221 | #[stable (feature = "fnptr_impls" , since = "1.4.0" )] |
2222 | impl<F: FnPtr> fmt::Debug for F { |
2223 | fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { |
2224 | fmt::pointer_fmt_inner(self.addr() as _, f) |
2225 | } |
2226 | } |
2227 | |
2228 | /// Creates a `const` raw pointer to a place, without creating an intermediate reference. |
2229 | /// |
2230 | /// `addr_of!(expr)` is equivalent to `&raw const expr`. The macro is *soft-deprecated*; |
2231 | /// use `&raw const` instead. |
2232 | /// |
2233 | /// It is still an open question under which conditions writing through an `addr_of!`-created |
2234 | /// pointer is permitted. If the place `expr` evaluates to is based on a raw pointer, then the |
2235 | /// result of `addr_of!` inherits all permissions from that raw pointer. However, if the place is |
2236 | /// based on a reference, local variable, or `static`, then until all details are decided, the same |
2237 | /// rules as for shared references apply: it is UB to write through a pointer created with this |
2238 | /// operation, except for bytes located inside an `UnsafeCell`. Use `&raw mut` (or [`addr_of_mut`]) |
2239 | /// to create a raw pointer that definitely permits mutation. |
2240 | /// |
2241 | /// Creating a reference with `&`/`&mut` is only allowed if the pointer is properly aligned |
2242 | /// and points to initialized data. For cases where those requirements do not hold, |
2243 | /// raw pointers should be used instead. However, `&expr as *const _` creates a reference |
2244 | /// before casting it to a raw pointer, and that reference is subject to the same rules |
2245 | /// as all other references. This macro can create a raw pointer *without* creating |
2246 | /// a reference first. |
2247 | /// |
2248 | /// See [`addr_of_mut`] for how to create a pointer to uninitialized data. |
2249 | /// Doing that with `addr_of` would not make much sense since one could only |
2250 | /// read the data, and that would be Undefined Behavior. |
2251 | /// |
2252 | /// # Safety |
2253 | /// |
2254 | /// The `expr` in `addr_of!(expr)` is evaluated as a place expression, but never loads from the |
2255 | /// place or requires the place to be dereferenceable. This means that `addr_of!((*ptr).field)` |
2256 | /// still requires the projection to `field` to be in-bounds, using the same rules as [`offset`]. |
2257 | /// However, `addr_of!(*ptr)` is defined behavior even if `ptr` is null, dangling, or misaligned. |
2258 | /// |
2259 | /// Note that `Deref`/`Index` coercions (and their mutable counterparts) are applied inside |
2260 | /// `addr_of!` like everywhere else, in which case a reference is created to call `Deref::deref` or |
2261 | /// `Index::index`, respectively. The statements above only apply when no such coercions are |
2262 | /// applied. |
2263 | /// |
2264 | /// [`offset`]: pointer::offset |
2265 | /// |
2266 | /// # Example |
2267 | /// |
2268 | /// **Correct usage: Creating a pointer to unaligned data** |
2269 | /// |
2270 | /// ``` |
2271 | /// use std::ptr; |
2272 | /// |
2273 | /// #[repr(packed)] |
2274 | /// struct Packed { |
2275 | /// f1: u8, |
2276 | /// f2: u16, |
2277 | /// } |
2278 | /// |
2279 | /// let packed = Packed { f1: 1, f2: 2 }; |
2280 | /// // `&packed.f2` would create an unaligned reference, and thus be Undefined Behavior! |
2281 | /// let raw_f2 = ptr::addr_of!(packed.f2); |
2282 | /// assert_eq!(unsafe { raw_f2.read_unaligned() }, 2); |
2283 | /// ``` |
2284 | /// |
2285 | /// **Incorrect usage: Out-of-bounds fields projection** |
2286 | /// |
2287 | /// ```rust,no_run |
2288 | /// use std::ptr; |
2289 | /// |
2290 | /// #[repr(C)] |
2291 | /// struct MyStruct { |
2292 | /// field1: i32, |
2293 | /// field2: i32, |
2294 | /// } |
2295 | /// |
2296 | /// let ptr: *const MyStruct = ptr::null(); |
2297 | /// let fieldptr = unsafe { ptr::addr_of!((*ptr).field2) }; // Undefined Behavior ⚠️ |
2298 | /// ``` |
2299 | /// |
2300 | /// The field projection `.field2` would offset the pointer by 4 bytes, |
2301 | /// but the pointer is not in-bounds of an allocation for 4 bytes, |
2302 | /// so this offset is Undefined Behavior. |
2303 | /// See the [`offset`] docs for a full list of requirements for inbounds pointer arithmetic; the |
2304 | /// same requirements apply to field projections, even inside `addr_of!`. (In particular, it makes |
2305 | /// no difference whether the pointer is null or dangling.) |
2306 | #[stable (feature = "raw_ref_macros" , since = "1.51.0" )] |
2307 | #[rustc_macro_transparency = "semitransparent" ] |
2308 | pub macro addr_of($place:expr) { |
2309 | &raw const $place |
2310 | } |
2311 | |
2312 | /// Creates a `mut` raw pointer to a place, without creating an intermediate reference. |
2313 | /// |
2314 | /// `addr_of_mut!(expr)` is equivalent to `&raw mut expr`. The macro is *soft-deprecated*; |
2315 | /// use `&raw mut` instead. |
2316 | /// |
2317 | /// Creating a reference with `&`/`&mut` is only allowed if the pointer is properly aligned |
2318 | /// and points to initialized data. For cases where those requirements do not hold, |
2319 | /// raw pointers should be used instead. However, `&mut expr as *mut _` creates a reference |
2320 | /// before casting it to a raw pointer, and that reference is subject to the same rules |
2321 | /// as all other references. This macro can create a raw pointer *without* creating |
2322 | /// a reference first. |
2323 | /// |
2324 | /// # Safety |
2325 | /// |
2326 | /// The `expr` in `addr_of_mut!(expr)` is evaluated as a place expression, but never loads from the |
2327 | /// place or requires the place to be dereferenceable. This means that `addr_of_mut!((*ptr).field)` |
2328 | /// still requires the projection to `field` to be in-bounds, using the same rules as [`offset`]. |
2329 | /// However, `addr_of_mut!(*ptr)` is defined behavior even if `ptr` is null, dangling, or misaligned. |
2330 | /// |
2331 | /// Note that `Deref`/`Index` coercions (and their mutable counterparts) are applied inside |
2332 | /// `addr_of_mut!` like everywhere else, in which case a reference is created to call `Deref::deref` |
2333 | /// or `Index::index`, respectively. The statements above only apply when no such coercions are |
2334 | /// applied. |
2335 | /// |
2336 | /// [`offset`]: pointer::offset |
2337 | /// |
2338 | /// # Examples |
2339 | /// |
2340 | /// **Correct usage: Creating a pointer to unaligned data** |
2341 | /// |
2342 | /// ``` |
2343 | /// use std::ptr; |
2344 | /// |
2345 | /// #[repr(packed)] |
2346 | /// struct Packed { |
2347 | /// f1: u8, |
2348 | /// f2: u16, |
2349 | /// } |
2350 | /// |
2351 | /// let mut packed = Packed { f1: 1, f2: 2 }; |
2352 | /// // `&mut packed.f2` would create an unaligned reference, and thus be Undefined Behavior! |
2353 | /// let raw_f2 = ptr::addr_of_mut!(packed.f2); |
2354 | /// unsafe { raw_f2.write_unaligned(42); } |
2355 | /// assert_eq!({packed.f2}, 42); // `{...}` forces copying the field instead of creating a reference. |
2356 | /// ``` |
2357 | /// |
2358 | /// **Correct usage: Creating a pointer to uninitialized data** |
2359 | /// |
2360 | /// ```rust |
2361 | /// use std::{ptr, mem::MaybeUninit}; |
2362 | /// |
2363 | /// struct Demo { |
2364 | /// field: bool, |
2365 | /// } |
2366 | /// |
2367 | /// let mut uninit = MaybeUninit::<Demo>::uninit(); |
2368 | /// // `&uninit.as_mut().field` would create a reference to an uninitialized `bool`, |
2369 | /// // and thus be Undefined Behavior! |
2370 | /// let f1_ptr = unsafe { ptr::addr_of_mut!((*uninit.as_mut_ptr()).field) }; |
2371 | /// unsafe { f1_ptr.write(true); } |
2372 | /// let init = unsafe { uninit.assume_init() }; |
2373 | /// ``` |
2374 | /// |
2375 | /// **Incorrect usage: Out-of-bounds fields projection** |
2376 | /// |
2377 | /// ```rust,no_run |
2378 | /// use std::ptr; |
2379 | /// |
2380 | /// #[repr(C)] |
2381 | /// struct MyStruct { |
2382 | /// field1: i32, |
2383 | /// field2: i32, |
2384 | /// } |
2385 | /// |
2386 | /// let ptr: *mut MyStruct = ptr::null_mut(); |
2387 | /// let fieldptr = unsafe { ptr::addr_of_mut!((*ptr).field2) }; // Undefined Behavior ⚠️ |
2388 | /// ``` |
2389 | /// |
2390 | /// The field projection `.field2` would offset the pointer by 4 bytes, |
2391 | /// but the pointer is not in-bounds of an allocation for 4 bytes, |
2392 | /// so this offset is Undefined Behavior. |
2393 | /// See the [`offset`] docs for a full list of requirements for inbounds pointer arithmetic; the |
2394 | /// same requirements apply to field projections, even inside `addr_of_mut!`. (In particular, it |
2395 | /// makes no difference whether the pointer is null or dangling.) |
2396 | #[stable (feature = "raw_ref_macros" , since = "1.51.0" )] |
2397 | #[rustc_macro_transparency = "semitransparent" ] |
2398 | pub macro addr_of_mut($place:expr) { |
2399 | &raw mut $place |
2400 | } |
2401 | |