1use super::*;
2use crate::cmp::Ordering::{Equal, Greater, Less};
3use crate::intrinsics::const_eval_select;
4use crate::mem::{self, SizedTypeProperties};
5use crate::slice::{self, SliceIndex};
67impl<T: PointeeSized> *const T {
8#[doc = "Returns `true` if the pointer is null.\n\nNote that unsized types have many possible null pointers, as only the\nraw data pointer is considered, not their length, vtable, etc.\nTherefore, two pointers that are null may still not compare equal to\neach other.\n\n# Panics during const evaluation\n\nIf this method is used during const evaluation, and `self` is a pointer\nthat is offset beyond the bounds of the memory it initially pointed to,\nthen there might not be enough information to determine whether the\npointer is null. This is because the absolute address in memory is not\nknown at compile time. If the nullness of the pointer cannot be\ndetermined, this method will panic.\n\nIn-bounds pointers are never null, so the method will never panic for\nsuch pointers.\n"include_str!("docs/is_null.md")]
9///
10 /// # Examples
11 ///
12 /// ```
13 /// let s: &str = "Follow the rabbit";
14 /// let ptr: *const u8 = s.as_ptr();
15 /// assert!(!ptr.is_null());
16 /// ```
17#[stable(feature = "rust1", since = "1.0.0")]
18 #[rustc_const_stable(feature = "const_ptr_is_null", since = "1.84.0")]
19 #[rustc_diagnostic_item = "ptr_const_is_null"]
20 #[inline]
21 #[rustc_allow_const_fn_unstable(const_eval_select)]
22pub const fn is_null(self) -> bool {
23// Compare via a cast to a thin pointer, so fat pointers are only
24 // considering their "data" part for null-ness.
25let ptr = selfas *const u8;
26{
#[inline]
fn runtime(ptr: *const u8) -> bool { { ptr.addr() == 0 } }
#[inline]
#[rustc_allow_const_fn_unstable(const_raw_ptr_comparison)]
const fn compiletime(ptr: *const u8) -> bool {
let _ = ptr;
{
match (ptr).guaranteed_eq(null_mut()) {
Some(res) => res,
None => {
crate::panicking::panic_fmt(format_args!("null-ness of this pointer cannot be determined in const context"));
}
}
}
}
const_eval_select((ptr,), compiletime, runtime)
}const_eval_select!(
27 @capture { ptr: *const u8 } -> bool:
28// This use of `const_raw_ptr_comparison` has been explicitly blessed by t-lang.
29if const #[rustc_allow_const_fn_unstable(const_raw_ptr_comparison)] {
30match (ptr).guaranteed_eq(null_mut()) {
31Some(res) => res,
32// To remain maximally conservative, we stop execution when we don't
33 // know whether the pointer is null or not.
34 // We can *not* return `false` here, that would be unsound in `NonNull::new`!
35None => panic!("null-ness of this pointer cannot be determined in const context"),
36 }
37 } else {
38 ptr.addr() == 0
39}
40 )41 }
4243/// Casts to a pointer of another type.
44#[stable(feature = "ptr_cast", since = "1.38.0")]
45 #[rustc_const_stable(feature = "const_ptr_cast", since = "1.38.0")]
46 #[rustc_diagnostic_item = "const_ptr_cast"]
47 #[inline(always)]
48pub const fn cast<U>(self) -> *const U {
49selfas _
50}
5152/// Try to cast to a pointer of another type by checking alignment.
53 ///
54 /// If the pointer is properly aligned to the target type, it will be
55 /// cast to the target type. Otherwise, `None` is returned.
56 ///
57 /// # Examples
58 ///
59 /// ```rust
60 /// #![feature(pointer_try_cast_aligned)]
61 ///
62 /// let x = 0u64;
63 ///
64 /// let aligned: *const u64 = &x;
65 /// let unaligned = unsafe { aligned.byte_add(1) };
66 ///
67 /// assert!(aligned.try_cast_aligned::<u32>().is_some());
68 /// assert!(unaligned.try_cast_aligned::<u32>().is_none());
69 /// ```
70#[unstable(feature = "pointer_try_cast_aligned", issue = "141221")]
71 #[must_use = "this returns the result of the operation, \
72 without modifying the original"]
73 #[inline]
74pub fn try_cast_aligned<U>(self) -> Option<*const U> {
75if self.is_aligned_to(align_of::<U>()) { Some(self.cast()) } else { None }
76 }
7778/// Uses the address value in a new pointer of another type.
79 ///
80 /// This operation will ignore the address part of its `meta` operand and discard existing
81 /// metadata of `self`. For pointers to a sized types (thin pointers), this has the same effect
82 /// as a simple cast. For pointers to an unsized type (fat pointers) this recombines the address
83 /// with new metadata such as slice lengths or `dyn`-vtable.
84 ///
85 /// The resulting pointer will have provenance of `self`. This operation is semantically the
86 /// same as creating a new pointer with the data pointer value of `self` but the metadata of
87 /// `meta`, being fat or thin depending on the `meta` operand.
88 ///
89 /// # Examples
90 ///
91 /// This function is primarily useful for enabling pointer arithmetic on potentially fat
92 /// pointers. The pointer is cast to a sized pointee to utilize offset operations and then
93 /// recombined with its own original metadata.
94 ///
95 /// ```
96 /// #![feature(set_ptr_value)]
97 /// # use core::fmt::Debug;
98 /// let arr: [i32; 3] = [1, 2, 3];
99 /// let mut ptr = arr.as_ptr() as *const dyn Debug;
100 /// let thin = ptr as *const u8;
101 /// unsafe {
102 /// ptr = thin.add(8).with_metadata_of(ptr);
103 /// # assert_eq!(*(ptr as *const i32), 3);
104 /// println!("{:?}", &*ptr); // will print "3"
105 /// }
106 /// ```
107 ///
108 /// # *Incorrect* usage
109 ///
110 /// The provenance from pointers is *not* combined. The result must only be used to refer to the
111 /// address allowed by `self`.
112 ///
113 /// ```rust,no_run
114 /// #![feature(set_ptr_value)]
115 /// let x = 0u32;
116 /// let y = 1u32;
117 ///
118 /// let x = (&x) as *const u32;
119 /// let y = (&y) as *const u32;
120 ///
121 /// let offset = (x as usize - y as usize) / 4;
122 /// let bad = x.wrapping_add(offset).with_metadata_of(y);
123 ///
124 /// // This dereference is UB. The pointer only has provenance for `x` but points to `y`.
125 /// println!("{:?}", unsafe { &*bad });
126 /// ```
127#[unstable(feature = "set_ptr_value", issue = "75091")]
128 #[must_use = "returns a new pointer rather than modifying its argument"]
129 #[inline]
130pub const fn with_metadata_of<U>(self, meta: *const U) -> *const U
131where
132U: PointeeSized,
133 {
134from_raw_parts::<U>(selfas *const (), metadata(meta))
135 }
136137/// Changes constness without changing the type.
138 ///
139 /// This is a bit safer than `as` because it wouldn't silently change the type if the code is
140 /// refactored.
141#[stable(feature = "ptr_const_cast", since = "1.65.0")]
142 #[rustc_const_stable(feature = "ptr_const_cast", since = "1.65.0")]
143 #[rustc_diagnostic_item = "ptr_cast_mut"]
144 #[inline(always)]
145pub const fn cast_mut(self) -> *mut T {
146selfas _
147}
148149#[doc = "Gets the \"address\" portion of the pointer.\n\nThis is similar to `self as usize`, except that the [provenance][crate::ptr#provenance] of\nthe pointer is discarded and not [exposed][crate::ptr#exposed-provenance]. This means that\ncasting the returned address back to a pointer yields a [pointer without\nprovenance][without_provenance], which is undefined behavior to dereference. To properly\nrestore the lost information and obtain a dereferenceable pointer, use\n[`with_addr`][pointer::with_addr] or [`map_addr`][pointer::map_addr].\n\nIf using those APIs is not possible because there is no way to preserve a pointer with the\nrequired provenance, then Strict Provenance might not be for you. Use pointer-integer casts\nor [`expose_provenance`][pointer::expose_provenance] and [`with_exposed_provenance`][with_exposed_provenance]\ninstead. However, note that this makes your code less portable and less amenable to tools\nthat check for compliance with the Rust memory model.\n\nOn most platforms this will produce a value with the same bytes as the original\npointer, because all the bytes are dedicated to describing the address.\nPlatforms which need to store additional information in the pointer may\nperform a change of representation to produce a value containing only the address\nportion of the pointer. What that means is up to the platform to define.\n\nThis is a [Strict Provenance][crate::ptr#strict-provenance] API.\n"include_str!("./docs/addr.md")]
150 #[must_use]
151 #[inline(always)]
152 #[stable(feature = "strict_provenance", since = "1.84.0")]
153pub fn addr(self) -> usize {
154// A pointer-to-integer transmute currently has exactly the right semantics: it returns the
155 // address without exposing the provenance. Note that this is *not* a stable guarantee about
156 // transmute semantics, it relies on sysroot crates having special status.
157 // SAFETY: Pointer-to-integer transmutes are valid (if you are okay with losing the
158 // provenance).
159unsafe { mem::transmute(self.cast::<()>()) }
160 }
161162/// Exposes the ["provenance"][crate::ptr#provenance] part of the pointer for future use in
163 /// [`with_exposed_provenance`] and returns the "address" portion.
164 ///
165 /// This is equivalent to `self as usize`, which semantically discards provenance information.
166 /// Furthermore, this (like the `as` cast) has the implicit side-effect of marking the
167 /// provenance as 'exposed', so on platforms that support it you can later call
168 /// [`with_exposed_provenance`] to reconstitute the original pointer including its provenance.
169 ///
170 /// Due to its inherent ambiguity, [`with_exposed_provenance`] may not be supported by tools
171 /// that help you to stay conformant with the Rust memory model. It is recommended to use
172 /// [Strict Provenance][crate::ptr#strict-provenance] APIs such as [`with_addr`][pointer::with_addr]
173 /// wherever possible, in which case [`addr`][pointer::addr] should be used instead of `expose_provenance`.
174 ///
175 /// On most platforms this will produce a value with the same bytes as the original pointer,
176 /// because all the bytes are dedicated to describing the address. Platforms which need to store
177 /// additional information in the pointer may not support this operation, since the 'expose'
178 /// side-effect which is required for [`with_exposed_provenance`] to work is typically not
179 /// available.
180 ///
181 /// This is an [Exposed Provenance][crate::ptr#exposed-provenance] API.
182 ///
183 /// [`with_exposed_provenance`]: with_exposed_provenance
184#[inline(always)]
185 #[stable(feature = "exposed_provenance", since = "1.84.0")]
186 #[expect(implicit_provenance_casts, reason = "this *is* the replacement")]
187pub fn expose_provenance(self) -> usize {
188self.cast::<()>() as usize189 }
190191/// Creates a new pointer with the given address and the [provenance][crate::ptr#provenance] of
192 /// `self`.
193 ///
194 /// This is similar to a `addr as *const T` cast, but copies
195 /// the *provenance* of `self` to the new pointer.
196 /// This avoids the inherent ambiguity of the unary cast.
197 ///
198 /// This is equivalent to using [`wrapping_offset`][pointer::wrapping_offset] to offset
199 /// `self` to the given address, and therefore has all the same capabilities and restrictions.
200 ///
201 /// This is a [Strict Provenance][crate::ptr#strict-provenance] API.
202#[must_use]
203 #[inline]
204 #[stable(feature = "strict_provenance", since = "1.84.0")]
205pub fn with_addr(self, addr: usize) -> Self {
206// This should probably be an intrinsic to avoid doing any sort of arithmetic, but
207 // meanwhile, we can implement it with `wrapping_offset`, which preserves the pointer's
208 // provenance.
209let self_addr = self.addr() as isize;
210let dest_addr = addras isize;
211let offset = dest_addr.wrapping_sub(self_addr);
212self.wrapping_byte_offset(offset)
213 }
214215/// Creates a new pointer by mapping `self`'s address to a new one, preserving the
216 /// [provenance][crate::ptr#provenance] of `self`.
217 ///
218 /// This is a convenience for [`with_addr`][pointer::with_addr], see that method for details.
219 ///
220 /// This is a [Strict Provenance][crate::ptr#strict-provenance] API.
221#[must_use]
222 #[inline]
223 #[stable(feature = "strict_provenance", since = "1.84.0")]
224pub fn map_addr(self, f: impl FnOnce(usize) -> usize) -> Self {
225self.with_addr(f(self.addr()))
226 }
227228/// Decompose a (possibly wide) pointer into its data pointer and metadata components.
229 ///
230 /// The pointer can be later reconstructed with [`from_raw_parts`].
231#[unstable(feature = "ptr_metadata", issue = "81513")]
232 #[inline]
233pub const fn to_raw_parts(self) -> (*const (), <T as super::Pointee>::Metadata) {
234 (self.cast(), metadata(self))
235 }
236237#[doc = "Returns `None` if the pointer is null, or else returns a shared reference to\nthe value wrapped in `Some`. If the value may be uninitialized, [`as_uninit_ref`]\nmust be used instead. If the value is known to be non-null, [`as_ref_unchecked`]\ncan be used instead.\n\n# Safety\n\nWhen calling this method, you have to ensure that *either* the pointer is null *or*\nthe pointer is [convertible to a reference](crate::ptr#pointer-to-reference-conversion).\n\n# Panics during const evaluation\n\nThis method will panic during const evaluation if the pointer cannot be\ndetermined to be null or not. See [`is_null`] for more information.\n\n# Null-unchecked version\n\nIf you are sure the pointer can never be null, you can use `as_ref_unchecked` which returns\n`&mut T` instead of `Option<&mut T>`.\n"include_str!("./docs/as_ref.md")]
238///
239 /// ```
240 /// let ptr: *const u8 = &10u8 as *const u8;
241 ///
242 /// unsafe {
243 /// let val_back = ptr.as_ref_unchecked();
244 /// assert_eq!(val_back, &10);
245 /// }
246 /// ```
247 ///
248 /// # Examples
249 ///
250 /// ```
251 /// let ptr: *const u8 = &10u8 as *const u8;
252 ///
253 /// unsafe {
254 /// if let Some(val_back) = ptr.as_ref() {
255 /// assert_eq!(val_back, &10);
256 /// }
257 /// }
258 /// ```
259 ///
260 ///
261 /// [`is_null`]: #method.is_null
262 /// [`as_uninit_ref`]: #method.as_uninit_ref
263 /// [`as_ref_unchecked`]: #method.as_ref_unchecked
264#[stable(feature = "ptr_as_ref", since = "1.9.0")]
265 #[rustc_const_stable(feature = "const_ptr_is_null", since = "1.84.0")]
266 #[inline]
267pub const unsafe fn as_ref<'a>(self) -> Option<&'a T> {
268// SAFETY: the caller must guarantee that `self` is valid
269 // for a reference if it isn't null.
270if self.is_null() { None } else { unsafe { Some(&*self) } }
271 }
272273/// Returns a shared reference to the value behind the pointer.
274 /// If the pointer may be null or the value may be uninitialized, [`as_uninit_ref`] must be used instead.
275 /// If the pointer may be null, but the value is known to have been initialized, [`as_ref`] must be used instead.
276 ///
277 /// [`as_ref`]: #method.as_ref
278 /// [`as_uninit_ref`]: #method.as_uninit_ref
279 ///
280 /// # Safety
281 ///
282 /// When calling this method, you have to ensure that
283 /// the pointer is [convertible to a reference](crate::ptr#pointer-to-reference-conversion).
284 ///
285 /// # Examples
286 ///
287 /// ```
288 /// let ptr: *const u8 = &10u8 as *const u8;
289 ///
290 /// unsafe {
291 /// assert_eq!(ptr.as_ref_unchecked(), &10);
292 /// }
293 /// ```
294#[stable(feature = "ptr_as_ref_unchecked", since = "1.95.0")]
295 #[rustc_const_stable(feature = "ptr_as_ref_unchecked", since = "1.95.0")]
296 #[inline]
297 #[must_use]
298pub const unsafe fn as_ref_unchecked<'a>(self) -> &'a T {
299// SAFETY: the caller must guarantee that `self` is valid for a reference
300unsafe { &*self }
301 }
302303#[doc = "Returns `None` if the pointer is null, or else returns a shared reference to\nthe value wrapped in `Some`. In contrast to [`as_ref`], this does not require\nthat the value has to be initialized.\n\n# Safety\n\nWhen calling this method, you have to ensure that *either* the pointer is null *or*\nthe pointer is [convertible to a reference](crate::ptr#pointer-to-reference-conversion).\nNote that because the created reference is to `MaybeUninit<T>`, the\nsource pointer can point to uninitialized memory.\n\n# Panics during const evaluation\n\nThis method will panic during const evaluation if the pointer cannot be\ndetermined to be null or not. See [`is_null`] for more information.\n"include_str!("./docs/as_uninit_ref.md")]
304///
305 /// [`is_null`]: #method.is_null
306 /// [`as_ref`]: #method.as_ref
307 ///
308 /// # Examples
309 ///
310 /// ```
311 /// #![feature(ptr_as_uninit)]
312 ///
313 /// let ptr: *const u8 = &10u8 as *const u8;
314 ///
315 /// unsafe {
316 /// if let Some(val_back) = ptr.as_uninit_ref() {
317 /// assert_eq!(val_back.assume_init(), 10);
318 /// }
319 /// }
320 /// ```
321#[inline]
322 #[unstable(feature = "ptr_as_uninit", issue = "75402")]
323pub const unsafe fn as_uninit_ref<'a>(self) -> Option<&'a MaybeUninit<T>>
324where
325T: Sized,
326 {
327// SAFETY: the caller must guarantee that `self` meets all the
328 // requirements for a reference.
329if self.is_null() { None } else { Some(unsafe { &*(selfas *const MaybeUninit<T>) }) }
330 }
331332#[doc = "Adds a signed offset to a pointer.\n\n`count` is in units of T; e.g., a `count` of 3 represents a pointer\noffset of `3 * size_of::<T>()` bytes.\n\n# Safety\n\nIf any of the following conditions are violated, the result is Undefined Behavior:\n\n* The offset in bytes, `count * size_of::<T>()`, computed on mathematical integers (without\n\"wrapping around\"), must fit in an `isize`.\n\n* Let `result` be `self.addr() + count * size_of::<T>()`, computed on mathematical integers.\nThis must fit in a `usize`.\n\n* If the computed offset is non-zero, then `self` must be [derived from][crate::ptr#provenance] a pointer to some\n[allocation], and the entire memory range between `self` and `result`\n(i.e., `min(self.addr(), result)..max(self.addr(), result)`)\nmust be in bounds of that allocation.\n\nAllocations can never be larger than `isize::MAX` bytes and they can only contain addresses\nrepresentable by `usize`, so technically the last condition implies the first two. This implies, for\ninstance, that `vec.as_ptr().offset(vec.len() as isize)` (for `vec: Vec<T>`) is always safe.\n\n[allocation]: crate::ptr#allocation\n"include_str!("./docs/offset.md")]
333///
334 /// Consider using [`wrapping_offset`](#method.wrapping_offset) instead if these constraints are
335 /// difficult to satisfy. The only advantage of this method is that it
336 /// enables more aggressive compiler optimizations.
337 ///
338 /// # Examples
339 ///
340 /// ```
341 /// let s: &str = "123";
342 /// let ptr: *const u8 = s.as_ptr();
343 ///
344 /// unsafe {
345 /// assert_eq!(*ptr.offset(1) as char, '2');
346 /// assert_eq!(*ptr.offset(2) as char, '3');
347 /// }
348 /// ```
349#[stable(feature = "rust1", since = "1.0.0")]
350 #[must_use = "returns a new pointer rather than modifying its argument"]
351 #[rustc_const_stable(feature = "const_ptr_offset", since = "1.61.0")]
352 #[inline(always)]
353 #[track_caller]
354pub const unsafe fn offset(self, count: isize) -> *const T
355where
356T: Sized,
357 {
358#[inline]
359 #[rustc_allow_const_fn_unstable(const_eval_select)]
360const fn runtime_offset_nowrap(this: *const (), count: isize, size: usize) -> bool {
361// We can use const_eval_select here because this is only for UB checks.
362{
#[inline]
fn runtime(this: *const (), count: isize, size: usize) -> bool {
{
let Some(byte_offset) =
count.checked_mul(size as isize) else { return false; };
let (_, overflow) =
this.addr().overflowing_add_signed(byte_offset);
!overflow
}
}
#[inline]
const fn compiletime(this: *const (), count: isize, size: usize) -> bool {
let _ = this;
let _ = count;
let _ = size;
{ true }
}
const_eval_select((this, count, size), compiletime, runtime)
}const_eval_select!(
363 @capture { this: *const (), count: isize, size: usize } -> bool:
364if const {
365true
366} else {
367// `size` is the size of a Rust type, so we know that
368 // `size <= isize::MAX` and thus `as` cast here is not lossy.
369let Some(byte_offset) = count.checked_mul(size as isize) else {
370return false;
371 };
372let (_, overflow) = this.addr().overflowing_add_signed(byte_offset);
373 !overflow
374 }
375 )376 }
377378{
#[rustc_no_mir_inline]
#[inline]
#[rustc_nounwind]
#[track_caller]
const fn precondition_check(this: *const (), count: isize, size: usize) {
if !runtime_offset_nowrap(this, count, size) {
let msg =
"unsafe precondition(s) violated: ptr::offset requires the address calculation to not overflow\n\nThis indicates a bug in the program. This Undefined Behavior check is optional, and cannot be relied on for safety.";
::core::panicking::panic_nounwind_fmt(::core::fmt::Arguments::from_str(msg),
false);
}
}
if ::core::ub_checks::check_language_ub() {
precondition_check(self as *const (), count, size_of::<T>());
}
};ub_checks::assert_unsafe_precondition!(
379 check_language_ub,
380"ptr::offset requires the address calculation to not overflow",
381 (
382 this: *const () = self as *const (),
383 count: isize = count,
384 size: usize = size_of::<T>(),
385 ) => runtime_offset_nowrap(this, count, size)
386 );
387388// SAFETY: the caller must uphold the safety contract for `offset`.
389unsafe { intrinsics::offset(self, count) }
390 }
391392/// Adds a signed offset in bytes to a pointer.
393 ///
394 /// `count` is in units of **bytes**.
395 ///
396 /// This is purely a convenience for casting to a `u8` pointer and
397 /// using [offset][pointer::offset] on it. See that method for documentation
398 /// and safety requirements.
399 ///
400 /// For non-`Sized` pointees this operation changes only the data pointer,
401 /// leaving the metadata untouched.
402#[must_use]
403 #[inline(always)]
404 #[stable(feature = "pointer_byte_offsets", since = "1.75.0")]
405 #[rustc_const_stable(feature = "const_pointer_byte_offsets", since = "1.75.0")]
406 #[track_caller]
407pub const unsafe fn byte_offset(self, count: isize) -> Self {
408// SAFETY: the caller must uphold the safety contract for `offset`.
409unsafe { self.cast::<u8>().offset(count).with_metadata_of(self) }
410 }
411412/// Adds a signed offset to a pointer using wrapping arithmetic.
413 ///
414 /// `count` is in units of T; e.g., a `count` of 3 represents a pointer
415 /// offset of `3 * size_of::<T>()` bytes.
416 ///
417 /// # Safety
418 ///
419 /// This operation itself is always safe, but using the resulting pointer is not.
420 ///
421 /// The resulting pointer "remembers" the [allocation] that `self` points to
422 /// (this is called "[Provenance](ptr/index.html#provenance)").
423 /// The pointer must not be used to read or write other allocations.
424 ///
425 /// In other words, `let z = x.wrapping_offset((y as isize) - (x as isize))` does *not* make `z`
426 /// the same as `y` even if we assume `T` has size `1` and there is no overflow: `z` is still
427 /// attached to the object `x` is attached to, and dereferencing it is Undefined Behavior unless
428 /// `x` and `y` point into the same allocation.
429 ///
430 /// Compared to [`offset`], this method basically delays the requirement of staying within the
431 /// same allocation: [`offset`] is immediate Undefined Behavior when crossing object
432 /// boundaries; `wrapping_offset` produces a pointer but still leads to Undefined Behavior if a
433 /// pointer is dereferenced when it is out-of-bounds of the object it is attached to. [`offset`]
434 /// can be optimized better and is thus preferable in performance-sensitive code.
435 ///
436 /// The delayed check only considers the value of the pointer that was dereferenced, not the
437 /// intermediate values used during the computation of the final result. For example,
438 /// `x.wrapping_offset(o).wrapping_offset(o.wrapping_neg())` is always the same as `x`. In other
439 /// words, leaving the allocation and then re-entering it later is permitted.
440 ///
441 /// [`offset`]: #method.offset
442 /// [allocation]: crate::ptr#allocation
443 ///
444 /// # Examples
445 ///
446 /// ```
447 /// # use std::fmt::Write;
448 /// // Iterate using a raw pointer in increments of two elements
449 /// let data = [1u8, 2, 3, 4, 5];
450 /// let mut ptr: *const u8 = data.as_ptr();
451 /// let step = 2;
452 /// let end_rounded_up = ptr.wrapping_offset(6);
453 ///
454 /// let mut out = String::new();
455 /// while ptr != end_rounded_up {
456 /// unsafe {
457 /// write!(&mut out, "{}, ", *ptr)?;
458 /// }
459 /// ptr = ptr.wrapping_offset(step);
460 /// }
461 /// assert_eq!(out.as_str(), "1, 3, 5, ");
462 /// # std::fmt::Result::Ok(())
463 /// ```
464#[stable(feature = "ptr_wrapping_offset", since = "1.16.0")]
465 #[must_use = "returns a new pointer rather than modifying its argument"]
466 #[rustc_const_stable(feature = "const_ptr_offset", since = "1.61.0")]
467 #[inline(always)]
468pub const fn wrapping_offset(self, count: isize) -> *const T
469where
470T: Sized,
471 {
472// SAFETY: the `arith_offset` intrinsic has no prerequisites to be called.
473unsafe { intrinsics::arith_offset(self, count) }
474 }
475476/// Adds a signed offset in bytes to a pointer using wrapping arithmetic.
477 ///
478 /// `count` is in units of **bytes**.
479 ///
480 /// This is purely a convenience for casting to a `u8` pointer and
481 /// using [wrapping_offset][pointer::wrapping_offset] on it. See that method
482 /// for documentation.
483 ///
484 /// For non-`Sized` pointees this operation changes only the data pointer,
485 /// leaving the metadata untouched.
486#[must_use]
487 #[inline(always)]
488 #[stable(feature = "pointer_byte_offsets", since = "1.75.0")]
489 #[rustc_const_stable(feature = "const_pointer_byte_offsets", since = "1.75.0")]
490pub const fn wrapping_byte_offset(self, count: isize) -> Self {
491self.cast::<u8>().wrapping_offset(count).with_metadata_of(self)
492 }
493494/// Masks out bits of the pointer according to a mask.
495 ///
496 /// This is convenience for `ptr.map_addr(|a| a & mask)`.
497 ///
498 /// For non-`Sized` pointees this operation changes only the data pointer,
499 /// leaving the metadata untouched.
500 ///
501 /// ## Examples
502 ///
503 /// ```
504 /// #![feature(ptr_mask)]
505 /// let v = 17_u32;
506 /// let ptr: *const u32 = &v;
507 ///
508 /// // `u32` is 4 bytes aligned,
509 /// // which means that lower 2 bits are always 0.
510 /// let tag_mask = 0b11;
511 /// let ptr_mask = !tag_mask;
512 ///
513 /// // We can store something in these lower bits
514 /// let tagged_ptr = ptr.map_addr(|a| a | 0b10);
515 ///
516 /// // Get the "tag" back
517 /// let tag = tagged_ptr.addr() & tag_mask;
518 /// assert_eq!(tag, 0b10);
519 ///
520 /// // Note that `tagged_ptr` is unaligned, it's UB to read from it.
521 /// // To get original pointer `mask` can be used:
522 /// let masked_ptr = tagged_ptr.mask(ptr_mask);
523 /// assert_eq!(unsafe { *masked_ptr }, 17);
524 /// ```
525#[unstable(feature = "ptr_mask", issue = "98290")]
526 #[must_use = "returns a new pointer rather than modifying its argument"]
527 #[inline(always)]
528pub fn mask(self, mask: usize) -> *const T {
529 intrinsics::ptr_mask(self.cast::<()>(), mask).with_metadata_of(self)
530 }
531532/// Calculates the distance between two pointers within the same allocation. The returned value is in
533 /// units of T: the distance in bytes divided by `size_of::<T>()`.
534 ///
535 /// This is equivalent to `(self as isize - origin as isize) / (size_of::<T>() as isize)`,
536 /// except that it has a lot more opportunities for UB, in exchange for the compiler
537 /// better understanding what you are doing.
538 ///
539 /// The primary motivation of this method is for computing the `len` of an array/slice
540 /// of `T` that you are currently representing as a "start" and "end" pointer
541 /// (and "end" is "one past the end" of the array).
542 /// In that case, `end.offset_from(start)` gets you the length of the array.
543 ///
544 /// All of the following safety requirements are trivially satisfied for this usecase.
545 ///
546 /// [`offset`]: #method.offset
547 ///
548 /// # Safety
549 ///
550 /// If any of the following conditions are violated, the result is Undefined Behavior:
551 ///
552 /// * `self` and `origin` must either
553 ///
554 /// * point to the same address, or
555 /// * both be [derived from][crate::ptr#provenance] a pointer to the same [allocation], and the memory range between
556 /// the two pointers must be in bounds of that object. (See below for an example.)
557 ///
558 /// * The distance between the pointers, in bytes, must be an exact multiple
559 /// of the size of `T`.
560 ///
561 /// As a consequence, the absolute distance between the pointers, in bytes, computed on
562 /// mathematical integers (without "wrapping around"), cannot overflow an `isize`. This is
563 /// implied by the in-bounds requirement, and the fact that no allocation can be larger
564 /// than `isize::MAX` bytes.
565 ///
566 /// The requirement for pointers to be derived from the same allocation is primarily
567 /// needed for `const`-compatibility: the distance between pointers into *different* allocated
568 /// objects is not known at compile-time. However, the requirement also exists at
569 /// runtime and may be exploited by optimizations. If you wish to compute the difference between
570 /// pointers that are not guaranteed to be from the same allocation, use
571 /// `(self.addr() as isize - origin.addr() as isize) / size_of::<T>()`.
572 ///
573 /// [`add`]: #method.add
574 /// [allocation]: crate::ptr#allocation
575 ///
576 /// # Panics
577 ///
578 /// This function panics if `T` is a Zero-Sized Type ("ZST").
579 ///
580 /// # Examples
581 ///
582 /// Basic usage:
583 ///
584 /// ```
585 /// let a = [0; 5];
586 /// let ptr1: *const i32 = &a[1];
587 /// let ptr2: *const i32 = &a[3];
588 /// unsafe {
589 /// assert_eq!(ptr2.offset_from(ptr1), 2);
590 /// assert_eq!(ptr1.offset_from(ptr2), -2);
591 /// assert_eq!(ptr1.offset(2), ptr2);
592 /// assert_eq!(ptr2.offset(-2), ptr1);
593 /// }
594 /// ```
595 ///
596 /// *Incorrect* usage:
597 ///
598 /// ```rust,no_run
599 /// let ptr1 = Box::into_raw(Box::new(0u8)) as *const u8;
600 /// let ptr2 = Box::into_raw(Box::new(1u8)) as *const u8;
601 /// let diff = (ptr2 as isize).wrapping_sub(ptr1 as isize);
602 /// // Make ptr2_other an "alias" of ptr2.add(1), but derived from ptr1.
603 /// let ptr2_other = (ptr1 as *const u8).wrapping_offset(diff).wrapping_offset(1);
604 /// assert_eq!(ptr2 as usize, ptr2_other as usize);
605 /// // Since ptr2_other and ptr2 are derived from pointers to different objects,
606 /// // computing their offset is undefined behavior, even though
607 /// // they point to addresses that are in-bounds of the same object!
608 /// unsafe {
609 /// let one = ptr2_other.offset_from(ptr2); // Undefined Behavior! ⚠️
610 /// }
611 /// ```
612#[stable(feature = "ptr_offset_from", since = "1.47.0")]
613 #[rustc_const_stable(feature = "const_ptr_offset_from", since = "1.65.0")]
614 #[inline]
615 #[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
616pub const unsafe fn offset_from(self, origin: *const T) -> isize617where
618T: Sized,
619 {
620let pointee_size = size_of::<T>();
621if !(0 < pointee_size && pointee_size <= isize::MAX as usize) {
crate::panicking::panic("assertion failed: 0 < pointee_size && pointee_size <= isize::MAX as usize")
};assert!(0 < pointee_size && pointee_size <= isize::MAX as usize);
622// SAFETY: the caller must uphold the safety contract for `ptr_offset_from`.
623unsafe { intrinsics::ptr_offset_from(self, origin) }
624 }
625626/// Calculates the distance between two pointers within the same allocation. The returned value is in
627 /// units of **bytes**.
628 ///
629 /// This is purely a convenience for casting to a `u8` pointer and
630 /// using [`offset_from`][pointer::offset_from] on it. See that method for
631 /// documentation and safety requirements.
632 ///
633 /// For non-`Sized` pointees this operation considers only the data pointers,
634 /// ignoring the metadata.
635#[inline(always)]
636 #[stable(feature = "pointer_byte_offsets", since = "1.75.0")]
637 #[rustc_const_stable(feature = "const_pointer_byte_offsets", since = "1.75.0")]
638 #[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
639pub const unsafe fn byte_offset_from<U: ?Sized>(self, origin: *const U) -> isize {
640// SAFETY: the caller must uphold the safety contract for `offset_from`.
641unsafe { self.cast::<u8>().offset_from(origin.cast::<u8>()) }
642 }
643644/// Calculates the distance between two pointers within the same allocation, *where it's known that
645 /// `self` is equal to or greater than `origin`*. The returned value is in
646 /// units of T: the distance in bytes is divided by `size_of::<T>()`.
647 ///
648 /// This computes the same value that [`offset_from`](#method.offset_from)
649 /// would compute, but with the added precondition that the offset is
650 /// guaranteed to be non-negative. This method is equivalent to
651 /// `usize::try_from(self.offset_from(origin)).unwrap_unchecked()`,
652 /// but it provides slightly more information to the optimizer, which can
653 /// sometimes allow it to optimize slightly better with some backends.
654 ///
655 /// This method can be thought of as recovering the `count` that was passed
656 /// to [`add`](#method.add) (or, with the parameters in the other order,
657 /// to [`sub`](#method.sub)). The following are all equivalent, assuming
658 /// that their safety preconditions are met:
659 /// ```rust
660 /// # unsafe fn blah(ptr: *const i32, origin: *const i32, count: usize) -> bool { unsafe {
661 /// ptr.offset_from_unsigned(origin) == count
662 /// # &&
663 /// origin.add(count) == ptr
664 /// # &&
665 /// ptr.sub(count) == origin
666 /// # } }
667 /// ```
668 ///
669 /// # Safety
670 ///
671 /// - The distance between the pointers must be non-negative (`self >= origin`)
672 ///
673 /// - *All* the safety conditions of [`offset_from`](#method.offset_from)
674 /// apply to this method as well; see it for the full details.
675 ///
676 /// Importantly, despite the return type of this method being able to represent
677 /// a larger offset, it's still *not permitted* to pass pointers which differ
678 /// by more than `isize::MAX` *bytes*. As such, the result of this method will
679 /// always be less than or equal to `isize::MAX as usize`.
680 ///
681 /// # Panics
682 ///
683 /// This function panics if `T` is a Zero-Sized Type ("ZST").
684 ///
685 /// # Examples
686 ///
687 /// ```
688 /// let a = [0; 5];
689 /// let ptr1: *const i32 = &a[1];
690 /// let ptr2: *const i32 = &a[3];
691 /// unsafe {
692 /// assert_eq!(ptr2.offset_from_unsigned(ptr1), 2);
693 /// assert_eq!(ptr1.add(2), ptr2);
694 /// assert_eq!(ptr2.sub(2), ptr1);
695 /// assert_eq!(ptr2.offset_from_unsigned(ptr2), 0);
696 /// }
697 ///
698 /// // This would be incorrect, as the pointers are not correctly ordered:
699 /// // ptr1.offset_from_unsigned(ptr2)
700 /// ```
701#[stable(feature = "ptr_sub_ptr", since = "1.87.0")]
702 #[rustc_const_stable(feature = "const_ptr_sub_ptr", since = "1.87.0")]
703 #[inline]
704 #[track_caller]
705pub const unsafe fn offset_from_unsigned(self, origin: *const T) -> usize706where
707T: Sized,
708 {
709#[rustc_allow_const_fn_unstable(const_eval_select)]
710const fn runtime_ptr_ge(this: *const (), origin: *const ()) -> bool {
711{
#[inline]
fn runtime(this: *const (), origin: *const ()) -> bool {
{ this >= origin }
}
#[inline]
const fn compiletime(this: *const (), origin: *const ()) -> bool {
let _ = this;
let _ = origin;
{ true }
}
const_eval_select((this, origin), compiletime, runtime)
}const_eval_select!(
712 @capture { this: *const (), origin: *const () } -> bool:
713if const {
714true
715} else {
716 this >= origin
717 }
718 )719 }
720721{
#[rustc_no_mir_inline]
#[inline]
#[rustc_nounwind]
#[track_caller]
const fn precondition_check(this: *const (), origin: *const ()) {
if !runtime_ptr_ge(this, origin) {
let msg =
"unsafe precondition(s) violated: ptr::offset_from_unsigned requires `self >= origin`\n\nThis indicates a bug in the program. This Undefined Behavior check is optional, and cannot be relied on for safety.";
::core::panicking::panic_nounwind_fmt(::core::fmt::Arguments::from_str(msg),
false);
}
}
if ::core::ub_checks::check_language_ub() {
precondition_check(self as *const (), origin as *const ());
}
};ub_checks::assert_unsafe_precondition!(
722 check_language_ub,
723"ptr::offset_from_unsigned requires `self >= origin`",
724 (
725 this: *const () = self as *const (),
726 origin: *const () = origin as *const (),
727 ) => runtime_ptr_ge(this, origin)
728 );
729730let pointee_size = size_of::<T>();
731if !(0 < pointee_size && pointee_size <= isize::MAX as usize) {
crate::panicking::panic("assertion failed: 0 < pointee_size && pointee_size <= isize::MAX as usize")
};assert!(0 < pointee_size && pointee_size <= isize::MAX as usize);
732// SAFETY: the caller must uphold the safety contract for `ptr_offset_from_unsigned`.
733unsafe { intrinsics::ptr_offset_from_unsigned(self, origin) }
734 }
735736/// Calculates the distance between two pointers within the same allocation, *where it's known that
737 /// `self` is equal to or greater than `origin`*. The returned value is in
738 /// units of **bytes**.
739 ///
740 /// This is purely a convenience for casting to a `u8` pointer and
741 /// using [`offset_from_unsigned`][pointer::offset_from_unsigned] on it.
742 /// See that method for documentation and safety requirements.
743 ///
744 /// For non-`Sized` pointees this operation considers only the data pointers,
745 /// ignoring the metadata.
746#[stable(feature = "ptr_sub_ptr", since = "1.87.0")]
747 #[rustc_const_stable(feature = "const_ptr_sub_ptr", since = "1.87.0")]
748 #[inline]
749 #[track_caller]
750pub const unsafe fn byte_offset_from_unsigned<U: ?Sized>(self, origin: *const U) -> usize {
751// SAFETY: the caller must uphold the safety contract for `offset_from_unsigned`.
752unsafe { self.cast::<u8>().offset_from_unsigned(origin.cast::<u8>()) }
753 }
754755/// Returns whether two pointers are guaranteed to be equal.
756 ///
757 /// At runtime this function behaves like `Some(self == other)`.
758 /// However, in some contexts (e.g., compile-time evaluation),
759 /// it is not always possible to determine equality of two pointers, so this function may
760 /// spuriously return `None` for pointers that later actually turn out to have its equality known.
761 /// But when it returns `Some`, the pointers' equality is guaranteed to be known.
762 ///
763 /// The return value may change from `Some` to `None` and vice versa depending on the compiler
764 /// version and unsafe code must not
765 /// rely on the result of this function for soundness. It is suggested to only use this function
766 /// for performance optimizations where spurious `None` return values by this function do not
767 /// affect the outcome, but just the performance.
768 /// The consequences of using this method to make runtime and compile-time code behave
769 /// differently have not been explored. This method should not be used to introduce such
770 /// differences, and it should also not be stabilized before we have a better understanding
771 /// of this issue.
772#[unstable(feature = "const_raw_ptr_comparison", issue = "53020")]
773 #[rustc_const_unstable(feature = "const_raw_ptr_comparison", issue = "53020")]
774 #[inline]
775pub const fn guaranteed_eq(self, other: *const T) -> Option<bool>
776where
777T: Sized,
778 {
779match intrinsics::ptr_guaranteed_cmp(self, other) {
7802 => None,
781 other => Some(other == 1),
782 }
783 }
784785/// Returns whether two pointers are guaranteed to be inequal.
786 ///
787 /// At runtime this function behaves like `Some(self != other)`.
788 /// However, in some contexts (e.g., compile-time evaluation),
789 /// it is not always possible to determine inequality of two pointers, so this function may
790 /// spuriously return `None` for pointers that later actually turn out to have its inequality known.
791 /// But when it returns `Some`, the pointers' inequality is guaranteed to be known.
792 ///
793 /// The return value may change from `Some` to `None` and vice versa depending on the compiler
794 /// version and unsafe code must not
795 /// rely on the result of this function for soundness. It is suggested to only use this function
796 /// for performance optimizations where spurious `None` return values by this function do not
797 /// affect the outcome, but just the performance.
798 /// The consequences of using this method to make runtime and compile-time code behave
799 /// differently have not been explored. This method should not be used to introduce such
800 /// differences, and it should also not be stabilized before we have a better understanding
801 /// of this issue.
802#[unstable(feature = "const_raw_ptr_comparison", issue = "53020")]
803 #[rustc_const_unstable(feature = "const_raw_ptr_comparison", issue = "53020")]
804 #[inline]
805pub const fn guaranteed_ne(self, other: *const T) -> Option<bool>
806where
807T: Sized,
808 {
809match self.guaranteed_eq(other) {
810None => None,
811Some(eq) => Some(!eq),
812 }
813 }
814815#[doc = "Adds an unsigned offset to a pointer.\n\nThis can only move the pointer forward (or not move it). If you need to move forward or\nbackward depending on the value, then you might want [`offset`](#method.offset) instead\nwhich takes a signed offset.\n\n`count` is in units of T; e.g., a `count` of 3 represents a pointer\noffset of `3 * size_of::<T>()` bytes.\n\n# Safety\n\nIf any of the following conditions are violated, the result is Undefined Behavior:\n\n* The offset in bytes, `count * size_of::<T>()`, computed on mathematical integers (without\n\"wrapping around\"), must fit in an `isize`.\n\n* Let `result` be `self.addr() + count * size_of::<T>()`, computed on mathematical integers.\nThis must fit in a `usize`.\n\n* If the computed offset is non-zero, then `self` must be [derived from][crate::ptr#provenance] a pointer to some\n[allocation], and the entire memory range between `self` and `result`\n(i.e., `self.addr()..result`) must be in bounds of that allocation.\n\nAllocations can never be larger than `isize::MAX` bytes and they can only contain addresses\nrepresentable by `usize`, so technically the last condition implies the first two. This implies, for\ninstance, that `vec.as_ptr().add(vec.len())` (for `vec: Vec<T>`) is always safe.\n\n[allocation]: crate::ptr#allocation\n"include_str!("./docs/add.md")]
816///
817 /// Consider using [`wrapping_add`](#method.wrapping_add) instead if these constraints are
818 /// difficult to satisfy. The only advantage of this method is that it
819 /// enables more aggressive compiler optimizations.
820 ///
821 /// # Examples
822 ///
823 /// ```
824 /// let s: &str = "123";
825 /// let ptr: *const u8 = s.as_ptr();
826 ///
827 /// unsafe {
828 /// assert_eq!(*ptr.add(1), b'2');
829 /// assert_eq!(*ptr.add(2), b'3');
830 /// }
831 /// ```
832#[stable(feature = "pointer_methods", since = "1.26.0")]
833 #[must_use = "returns a new pointer rather than modifying its argument"]
834 #[rustc_const_stable(feature = "const_ptr_offset", since = "1.61.0")]
835 #[inline(always)]
836 #[track_caller]
837pub const unsafe fn add(self, count: usize) -> Self
838where
839T: Sized,
840 {
841#[cfg(debug_assertions)]
842 #[inline]
843 #[rustc_allow_const_fn_unstable(const_eval_select)]
844const fn runtime_add_nowrap(this: *const (), count: usize, size: usize) -> bool {
845{
#[inline]
fn runtime(this: *const (), count: usize, size: usize) -> bool {
{
let Some(byte_offset) =
count.checked_mul(size) else { return false; };
let (_, overflow) = this.addr().overflowing_add(byte_offset);
byte_offset <= (isize::MAX as usize) && !overflow
}
}
#[inline]
const fn compiletime(this: *const (), count: usize, size: usize) -> bool {
let _ = this;
let _ = count;
let _ = size;
{ true }
}
const_eval_select((this, count, size), compiletime, runtime)
}const_eval_select!(
846 @capture { this: *const (), count: usize, size: usize } -> bool:
847if const {
848true
849} else {
850let Some(byte_offset) = count.checked_mul(size) else {
851return false;
852 };
853let (_, overflow) = this.addr().overflowing_add(byte_offset);
854 byte_offset <= (isize::MAX as usize) && !overflow
855 }
856 )857 }
858859#[cfg(debug_assertions)] // Expensive, and doesn't catch much in the wild.
860{
#[rustc_no_mir_inline]
#[inline]
#[rustc_nounwind]
#[track_caller]
const fn precondition_check(this: *const (), count: usize, size: usize) {
if !runtime_add_nowrap(this, count, size) {
let msg =
"unsafe precondition(s) violated: ptr::add requires that the address calculation does not overflow\n\nThis indicates a bug in the program. This Undefined Behavior check is optional, and cannot be relied on for safety.";
::core::panicking::panic_nounwind_fmt(::core::fmt::Arguments::from_str(msg),
false);
}
}
if ::core::ub_checks::check_language_ub() {
precondition_check(self as *const (), count, size_of::<T>());
}
};ub_checks::assert_unsafe_precondition!(
861 check_language_ub,
862"ptr::add requires that the address calculation does not overflow",
863 (
864 this: *const () = self as *const (),
865 count: usize = count,
866 size: usize = size_of::<T>(),
867 ) => runtime_add_nowrap(this, count, size)
868 );
869870// SAFETY: the caller must uphold the safety contract for `offset`.
871unsafe { intrinsics::offset(self, count) }
872 }
873874/// Adds an unsigned offset in bytes to a pointer.
875 ///
876 /// `count` is in units of bytes.
877 ///
878 /// This is purely a convenience for casting to a `u8` pointer and
879 /// using [add][pointer::add] on it. See that method for documentation
880 /// and safety requirements.
881 ///
882 /// For non-`Sized` pointees this operation changes only the data pointer,
883 /// leaving the metadata untouched.
884#[must_use]
885 #[inline(always)]
886 #[stable(feature = "pointer_byte_offsets", since = "1.75.0")]
887 #[rustc_const_stable(feature = "const_pointer_byte_offsets", since = "1.75.0")]
888 #[track_caller]
889pub const unsafe fn byte_add(self, count: usize) -> Self {
890// SAFETY: the caller must uphold the safety contract for `add`.
891unsafe { self.cast::<u8>().add(count).with_metadata_of(self) }
892 }
893894#[doc = "Subtracts an unsigned offset from a pointer.\n\nThis can only move the pointer backward (or not move it). If you need to move forward or\nbackward depending on the value, then you might want [`offset`](#method.offset) instead\nwhich takes a signed offset.\n\n`count` is in units of T; e.g., a `count` of 3 represents a pointer\noffset of `3 * size_of::<T>()` bytes.\n\n# Safety\n\nIf any of the following conditions are violated, the result is Undefined Behavior:\n\n* The offset in bytes, `count * size_of::<T>()`, computed on mathematical integers (without\n \"wrapping around\"), must fit in an `isize`.\n\n* Let `result` be `self.addr() - count * size_of::<T>()`, computed on mathematical integers.\nThis must fit in a `usize`.\n\n* If the computed offset is non-zero, then `self` must be [derived from][crate::ptr#provenance] a pointer to some\n[allocation], and the entire memory range between `self` and `result`\n(i.e., `result..self.addr()`) must be in bounds of that allocation.\n\nAllocations can never be larger than `isize::MAX` bytes and they can only contain addresses\nrepresentable by `usize`, so technically the last condition implies the first two.\n\n[allocation]: crate::ptr#allocation\n"include_str!("./docs/sub.md")]
895///
896 /// Consider using [`wrapping_sub`](#method.wrapping_sub) instead if these constraints are
897 /// difficult to satisfy. The only advantage of this method is that it
898 /// enables more aggressive compiler optimizations.
899 ///
900 /// # Examples
901 ///
902 /// ```
903 /// let s: &str = "123";
904 ///
905 /// unsafe {
906 /// let end: *const u8 = s.as_ptr().add(3);
907 /// assert_eq!(*end.sub(1), b'3');
908 /// assert_eq!(*end.sub(2), b'2');
909 /// }
910 /// ```
911#[stable(feature = "pointer_methods", since = "1.26.0")]
912 #[must_use = "returns a new pointer rather than modifying its argument"]
913 #[rustc_const_stable(feature = "const_ptr_offset", since = "1.61.0")]
914 #[inline(always)]
915 #[track_caller]
916pub const unsafe fn sub(self, count: usize) -> Self
917where
918T: Sized,
919 {
920#[cfg(debug_assertions)]
921 #[inline]
922 #[rustc_allow_const_fn_unstable(const_eval_select)]
923const fn runtime_sub_nowrap(this: *const (), count: usize, size: usize) -> bool {
924{
#[inline]
fn runtime(this: *const (), count: usize, size: usize) -> bool {
{
let Some(byte_offset) =
count.checked_mul(size) else { return false; };
byte_offset <= (isize::MAX as usize) && this.addr() >= byte_offset
}
}
#[inline]
const fn compiletime(this: *const (), count: usize, size: usize) -> bool {
let _ = this;
let _ = count;
let _ = size;
{ true }
}
const_eval_select((this, count, size), compiletime, runtime)
}const_eval_select!(
925 @capture { this: *const (), count: usize, size: usize } -> bool:
926if const {
927true
928} else {
929let Some(byte_offset) = count.checked_mul(size) else {
930return false;
931 };
932 byte_offset <= (isize::MAX as usize) && this.addr() >= byte_offset
933 }
934 )935 }
936937#[cfg(debug_assertions)] // Expensive, and doesn't catch much in the wild.
938{
#[rustc_no_mir_inline]
#[inline]
#[rustc_nounwind]
#[track_caller]
const fn precondition_check(this: *const (), count: usize, size: usize) {
if !runtime_sub_nowrap(this, count, size) {
let msg =
"unsafe precondition(s) violated: ptr::sub requires that the address calculation does not overflow\n\nThis indicates a bug in the program. This Undefined Behavior check is optional, and cannot be relied on for safety.";
::core::panicking::panic_nounwind_fmt(::core::fmt::Arguments::from_str(msg),
false);
}
}
if ::core::ub_checks::check_language_ub() {
precondition_check(self as *const (), count, size_of::<T>());
}
};ub_checks::assert_unsafe_precondition!(
939 check_language_ub,
940"ptr::sub requires that the address calculation does not overflow",
941 (
942 this: *const () = self as *const (),
943 count: usize = count,
944 size: usize = size_of::<T>(),
945 ) => runtime_sub_nowrap(this, count, size)
946 );
947948if T::IS_ZST {
949// Pointer arithmetic does nothing when the pointee is a ZST.
950self951 } else {
952// SAFETY: the caller must uphold the safety contract for `offset`.
953 // Because the pointee is *not* a ZST, that means that `count` is
954 // at most `isize::MAX`, and thus the negation cannot overflow.
955unsafe { intrinsics::offset(self, intrinsics::unchecked_sub(0, countas isize)) }
956 }
957 }
958959/// Subtracts an unsigned offset in bytes from a pointer.
960 ///
961 /// `count` is in units of bytes.
962 ///
963 /// This is purely a convenience for casting to a `u8` pointer and
964 /// using [sub][pointer::sub] on it. See that method for documentation
965 /// and safety requirements.
966 ///
967 /// For non-`Sized` pointees this operation changes only the data pointer,
968 /// leaving the metadata untouched.
969#[must_use]
970 #[inline(always)]
971 #[stable(feature = "pointer_byte_offsets", since = "1.75.0")]
972 #[rustc_const_stable(feature = "const_pointer_byte_offsets", since = "1.75.0")]
973 #[track_caller]
974pub const unsafe fn byte_sub(self, count: usize) -> Self {
975// SAFETY: the caller must uphold the safety contract for `sub`.
976unsafe { self.cast::<u8>().sub(count).with_metadata_of(self) }
977 }
978979/// Adds an unsigned offset to a pointer using wrapping arithmetic.
980 ///
981 /// `count` is in units of T; e.g., a `count` of 3 represents a pointer
982 /// offset of `3 * size_of::<T>()` bytes.
983 ///
984 /// # Safety
985 ///
986 /// This operation itself is always safe, but using the resulting pointer is not.
987 ///
988 /// The resulting pointer "remembers" the [allocation] that `self` points to; it must not
989 /// be used to read or write other allocations.
990 ///
991 /// In other words, `let z = x.wrapping_add((y as usize) - (x as usize))` does *not* make `z`
992 /// the same as `y` even if we assume `T` has size `1` and there is no overflow: `z` is still
993 /// attached to the object `x` is attached to, and dereferencing it is Undefined Behavior unless
994 /// `x` and `y` point into the same allocation.
995 ///
996 /// Compared to [`add`], this method basically delays the requirement of staying within the
997 /// same allocation: [`add`] is immediate Undefined Behavior when crossing object
998 /// boundaries; `wrapping_add` produces a pointer but still leads to Undefined Behavior if a
999 /// pointer is dereferenced when it is out-of-bounds of the object it is attached to. [`add`]
1000 /// can be optimized better and is thus preferable in performance-sensitive code.
1001 ///
1002 /// The delayed check only considers the value of the pointer that was dereferenced, not the
1003 /// intermediate values used during the computation of the final result. For example,
1004 /// `x.wrapping_add(o).wrapping_sub(o)` is always the same as `x`. In other words, leaving the
1005 /// allocation and then re-entering it later is permitted.
1006 ///
1007 /// [`add`]: #method.add
1008 /// [allocation]: crate::ptr#allocation
1009 ///
1010 /// # Examples
1011 ///
1012 /// ```
1013 /// # use std::fmt::Write;
1014 /// // Iterate using a raw pointer in increments of two elements
1015 /// let data = [1u8, 2, 3, 4, 5];
1016 /// let mut ptr: *const u8 = data.as_ptr();
1017 /// let step = 2;
1018 /// let end_rounded_up = ptr.wrapping_add(6);
1019 ///
1020 /// let mut out = String::new();
1021 /// while ptr != end_rounded_up {
1022 /// unsafe {
1023 /// write!(&mut out, "{}, ", *ptr)?;
1024 /// }
1025 /// ptr = ptr.wrapping_add(step);
1026 /// }
1027 /// assert_eq!(out, "1, 3, 5, ");
1028 /// # std::fmt::Result::Ok(())
1029 /// ```
1030#[stable(feature = "pointer_methods", since = "1.26.0")]
1031 #[must_use = "returns a new pointer rather than modifying its argument"]
1032 #[rustc_const_stable(feature = "const_ptr_offset", since = "1.61.0")]
1033 #[inline(always)]
1034pub const fn wrapping_add(self, count: usize) -> Self
1035where
1036T: Sized,
1037 {
1038self.wrapping_offset(countas isize)
1039 }
10401041/// Adds an unsigned offset in bytes to a pointer using wrapping arithmetic.
1042 ///
1043 /// `count` is in units of bytes.
1044 ///
1045 /// This is purely a convenience for casting to a `u8` pointer and
1046 /// using [wrapping_add][pointer::wrapping_add] on it. See that method for documentation.
1047 ///
1048 /// For non-`Sized` pointees this operation changes only the data pointer,
1049 /// leaving the metadata untouched.
1050#[must_use]
1051 #[inline(always)]
1052 #[stable(feature = "pointer_byte_offsets", since = "1.75.0")]
1053 #[rustc_const_stable(feature = "const_pointer_byte_offsets", since = "1.75.0")]
1054pub const fn wrapping_byte_add(self, count: usize) -> Self {
1055self.cast::<u8>().wrapping_add(count).with_metadata_of(self)
1056 }
10571058/// Subtracts an unsigned offset from a pointer using wrapping arithmetic.
1059 ///
1060 /// `count` is in units of T; e.g., a `count` of 3 represents a pointer
1061 /// offset of `3 * size_of::<T>()` bytes.
1062 ///
1063 /// # Safety
1064 ///
1065 /// This operation itself is always safe, but using the resulting pointer is not.
1066 ///
1067 /// The resulting pointer "remembers" the [allocation] that `self` points to; it must not
1068 /// be used to read or write other allocations.
1069 ///
1070 /// In other words, `let z = x.wrapping_sub((x as usize) - (y as usize))` does *not* make `z`
1071 /// the same as `y` even if we assume `T` has size `1` and there is no overflow: `z` is still
1072 /// attached to the object `x` is attached to, and dereferencing it is Undefined Behavior unless
1073 /// `x` and `y` point into the same allocation.
1074 ///
1075 /// Compared to [`sub`], this method basically delays the requirement of staying within the
1076 /// same allocation: [`sub`] is immediate Undefined Behavior when crossing object
1077 /// boundaries; `wrapping_sub` produces a pointer but still leads to Undefined Behavior if a
1078 /// pointer is dereferenced when it is out-of-bounds of the object it is attached to. [`sub`]
1079 /// can be optimized better and is thus preferable in performance-sensitive code.
1080 ///
1081 /// The delayed check only considers the value of the pointer that was dereferenced, not the
1082 /// intermediate values used during the computation of the final result. For example,
1083 /// `x.wrapping_add(o).wrapping_sub(o)` is always the same as `x`. In other words, leaving the
1084 /// allocation and then re-entering it later is permitted.
1085 ///
1086 /// [`sub`]: #method.sub
1087 /// [allocation]: crate::ptr#allocation
1088 ///
1089 /// # Examples
1090 ///
1091 /// ```
1092 /// # use std::fmt::Write;
1093 /// // Iterate using a raw pointer in increments of two elements (backwards)
1094 /// let data = [1u8, 2, 3, 4, 5];
1095 /// let mut ptr: *const u8 = data.as_ptr();
1096 /// let start_rounded_down = ptr.wrapping_sub(2);
1097 /// ptr = ptr.wrapping_add(4);
1098 /// let step = 2;
1099 /// let mut out = String::new();
1100 /// while ptr != start_rounded_down {
1101 /// unsafe {
1102 /// write!(&mut out, "{}, ", *ptr)?;
1103 /// }
1104 /// ptr = ptr.wrapping_sub(step);
1105 /// }
1106 /// assert_eq!(out, "5, 3, 1, ");
1107 /// # std::fmt::Result::Ok(())
1108 /// ```
1109#[stable(feature = "pointer_methods", since = "1.26.0")]
1110 #[must_use = "returns a new pointer rather than modifying its argument"]
1111 #[rustc_const_stable(feature = "const_ptr_offset", since = "1.61.0")]
1112 #[inline(always)]
1113pub const fn wrapping_sub(self, count: usize) -> Self
1114where
1115T: Sized,
1116 {
1117self.wrapping_offset((countas isize).wrapping_neg())
1118 }
11191120/// Subtracts an unsigned offset in bytes from a pointer using wrapping arithmetic.
1121 ///
1122 /// `count` is in units of bytes.
1123 ///
1124 /// This is purely a convenience for casting to a `u8` pointer and
1125 /// using [wrapping_sub][pointer::wrapping_sub] on it. See that method for documentation.
1126 ///
1127 /// For non-`Sized` pointees this operation changes only the data pointer,
1128 /// leaving the metadata untouched.
1129#[must_use]
1130 #[inline(always)]
1131 #[stable(feature = "pointer_byte_offsets", since = "1.75.0")]
1132 #[rustc_const_stable(feature = "const_pointer_byte_offsets", since = "1.75.0")]
1133pub const fn wrapping_byte_sub(self, count: usize) -> Self {
1134self.cast::<u8>().wrapping_sub(count).with_metadata_of(self)
1135 }
11361137/// Reads the value from `self` without moving it. This leaves the
1138 /// memory in `self` unchanged.
1139 ///
1140 /// See [`ptr::read`] for safety concerns and examples.
1141 ///
1142 /// [`ptr::read`]: crate::ptr::read()
1143#[stable(feature = "pointer_methods", since = "1.26.0")]
1144 #[rustc_const_stable(feature = "const_ptr_read", since = "1.71.0")]
1145 #[inline]
1146 #[track_caller]
1147pub const unsafe fn read(self) -> T
1148where
1149T: Sized,
1150 {
1151// SAFETY: the caller must uphold the safety contract for `read`.
1152unsafe { read(self) }
1153 }
11541155/// Performs a volatile read of the value from `self` without moving it. This
1156 /// leaves the memory in `self` unchanged.
1157 ///
1158 /// Volatile operations are intended to act on I/O memory, and are guaranteed
1159 /// to not be elided or reordered by the compiler across other volatile
1160 /// operations.
1161 ///
1162 /// See [`ptr::read_volatile`] for safety concerns and examples.
1163 ///
1164 /// [`ptr::read_volatile`]: crate::ptr::read_volatile()
1165#[stable(feature = "pointer_methods", since = "1.26.0")]
1166 #[rustc_const_unstable(feature = "const_volatile", issue = "159094")]
1167 #[inline]
1168 #[track_caller]
1169pub const unsafe fn read_volatile(self) -> T
1170where
1171T: Sized,
1172 {
1173// SAFETY: the caller must uphold the safety contract for `read_volatile`.
1174unsafe { read_volatile(self) }
1175 }
11761177/// Reads the value from `self` without moving it. This leaves the
1178 /// memory in `self` unchanged.
1179 ///
1180 /// Unlike `read`, the pointer may be unaligned.
1181 ///
1182 /// See [`ptr::read_unaligned`] for safety concerns and examples.
1183 ///
1184 /// [`ptr::read_unaligned`]: crate::ptr::read_unaligned()
1185#[stable(feature = "pointer_methods", since = "1.26.0")]
1186 #[rustc_const_stable(feature = "const_ptr_read", since = "1.71.0")]
1187 #[inline]
1188 #[track_caller]
1189pub const unsafe fn read_unaligned(self) -> T
1190where
1191T: Sized,
1192 {
1193// SAFETY: the caller must uphold the safety contract for `read_unaligned`.
1194unsafe { read_unaligned(self) }
1195 }
11961197/// Copies `count * size_of::<T>()` bytes from `self` to `dest`. The source
1198 /// and destination may overlap.
1199 ///
1200 /// NOTE: this has the *same* argument order as [`ptr::copy`].
1201 ///
1202 /// See [`ptr::copy`] for safety concerns and examples.
1203 ///
1204 /// [`ptr::copy`]: crate::ptr::copy()
1205#[rustc_const_stable(feature = "const_intrinsic_copy", since = "1.83.0")]
1206 #[stable(feature = "pointer_methods", since = "1.26.0")]
1207 #[inline]
1208 #[track_caller]
1209pub const unsafe fn copy_to(self, dest: *mut T, count: usize)
1210where
1211T: Sized,
1212 {
1213// SAFETY: the caller must uphold the safety contract for `copy`.
1214unsafe { copy(self, dest, count) }
1215 }
12161217/// Copies `count * size_of::<T>()` bytes from `self` to `dest`. The source
1218 /// and destination may *not* overlap.
1219 ///
1220 /// NOTE: this has the *same* argument order as [`ptr::copy_nonoverlapping`].
1221 ///
1222 /// See [`ptr::copy_nonoverlapping`] for safety concerns and examples.
1223 ///
1224 /// [`ptr::copy_nonoverlapping`]: crate::ptr::copy_nonoverlapping()
1225#[rustc_const_stable(feature = "const_intrinsic_copy", since = "1.83.0")]
1226 #[stable(feature = "pointer_methods", since = "1.26.0")]
1227 #[inline]
1228 #[track_caller]
1229pub const unsafe fn copy_to_nonoverlapping(self, dest: *mut T, count: usize)
1230where
1231T: Sized,
1232 {
1233// SAFETY: the caller must uphold the safety contract for `copy_nonoverlapping`.
1234unsafe { copy_nonoverlapping(self, dest, count) }
1235 }
12361237/// Computes the offset that needs to be applied to the pointer in order to make it aligned to
1238 /// `align`.
1239 ///
1240 /// If it is not possible to align the pointer, the implementation returns
1241 /// `usize::MAX`.
1242 ///
1243 /// The offset is expressed in number of `T` elements, and not bytes. The value returned can be
1244 /// used with the `wrapping_add` method.
1245 ///
1246 /// There are no guarantees whatsoever that offsetting the pointer will not overflow or go
1247 /// beyond the allocation that the pointer points into. It is up to the caller to ensure that
1248 /// the returned offset is correct in all terms other than alignment.
1249 ///
1250 /// # Panics
1251 ///
1252 /// The function panics if `align` is not a power-of-two.
1253 ///
1254 /// # Examples
1255 ///
1256 /// Accessing adjacent `u8` as `u16`
1257 ///
1258 /// ```
1259 /// # unsafe {
1260 /// let x = [5_u8, 6, 7, 8, 9];
1261 /// let ptr = x.as_ptr();
1262 /// let offset = ptr.align_offset(align_of::<u16>());
1263 ///
1264 /// if offset < x.len() - 1 {
1265 /// let u16_ptr = ptr.add(offset).cast::<u16>();
1266 /// assert!(*u16_ptr == u16::from_ne_bytes([5, 6]) || *u16_ptr == u16::from_ne_bytes([6, 7]));
1267 /// } else {
1268 /// // while the pointer can be aligned via `offset`, it would point
1269 /// // outside the allocation
1270 /// }
1271 /// # }
1272 /// ```
1273#[must_use]
1274 #[inline]
1275 #[stable(feature = "align_offset", since = "1.36.0")]
1276pub fn align_offset(self, align: usize) -> usize1277where
1278T: Sized,
1279 {
1280if !align.is_power_of_two() {
1281{
crate::panicking::panic_fmt(format_args!("align_offset: align is not a power-of-two"));
};panic!("align_offset: align is not a power-of-two");
1282 }
12831284// SAFETY: `align` has been checked to be a power of 2 above
1285let ret = unsafe { align_offset(self, align) };
12861287// Inform Miri that we want to consider the resulting pointer to be suitably aligned.
1288#[cfg(miri)]
1289if ret != usize::MAX {
1290 intrinsics::miri_promise_symbolic_alignment(self.wrapping_add(ret).cast(), align);
1291 }
12921293ret1294 }
12951296/// Returns whether the pointer is properly aligned for `T`.
1297 ///
1298 /// # Examples
1299 ///
1300 /// ```
1301 /// // On some platforms, the alignment of i32 is less than 4.
1302 /// #[repr(align(4))]
1303 /// struct AlignedI32(i32);
1304 ///
1305 /// let data = AlignedI32(42);
1306 /// let ptr = &data as *const AlignedI32;
1307 ///
1308 /// assert!(ptr.is_aligned());
1309 /// assert!(!ptr.wrapping_byte_add(1).is_aligned());
1310 /// ```
1311#[must_use]
1312 #[inline]
1313 #[stable(feature = "pointer_is_aligned", since = "1.79.0")]
1314pub fn is_aligned(self) -> bool1315where
1316T: Sized,
1317 {
1318self.is_aligned_to(align_of::<T>())
1319 }
13201321/// Returns whether the pointer is aligned to `align`.
1322 ///
1323 /// For non-`Sized` pointees this operation considers only the data pointer,
1324 /// ignoring the metadata.
1325 ///
1326 /// # Panics
1327 ///
1328 /// The function panics if `align` is not a power-of-two (this includes 0).
1329 ///
1330 /// # Examples
1331 ///
1332 /// ```
1333 /// #![feature(pointer_is_aligned_to)]
1334 ///
1335 /// // On some platforms, the alignment of i32 is less than 4.
1336 /// #[repr(align(4))]
1337 /// struct AlignedI32(i32);
1338 ///
1339 /// let data = AlignedI32(42);
1340 /// let ptr = &data as *const AlignedI32;
1341 ///
1342 /// assert!(ptr.is_aligned_to(1));
1343 /// assert!(ptr.is_aligned_to(2));
1344 /// assert!(ptr.is_aligned_to(4));
1345 ///
1346 /// assert!(ptr.wrapping_byte_add(2).is_aligned_to(2));
1347 /// assert!(!ptr.wrapping_byte_add(2).is_aligned_to(4));
1348 ///
1349 /// assert_ne!(ptr.is_aligned_to(8), ptr.wrapping_add(1).is_aligned_to(8));
1350 /// ```
1351#[must_use]
1352 #[inline]
1353 #[unstable(feature = "pointer_is_aligned_to", issue = "96284")]
1354pub fn is_aligned_to(self, align: usize) -> bool {
1355if !align.is_power_of_two() {
1356{
crate::panicking::panic_fmt(format_args!("is_aligned_to: align is not a power-of-two"));
};panic!("is_aligned_to: align is not a power-of-two");
1357 }
13581359self.addr() & (align - 1) == 0
1360}
1361}
13621363impl<T> *const T {
1364/// Casts from a type to its maybe-uninitialized version.
1365#[must_use]
1366 #[inline(always)]
1367 #[unstable(feature = "cast_maybe_uninit", issue = "145036")]
1368pub const fn cast_uninit(self) -> *const MaybeUninit<T> {
1369selfas _
1370}
13711372/// Forms a raw slice from a pointer and a length.
1373 ///
1374 /// The `len` argument is the number of **elements**, not the number of bytes.
1375 ///
1376 /// This function is safe, but actually using the return value is unsafe.
1377 /// See the documentation of [`slice::from_raw_parts`] for slice safety requirements.
1378 ///
1379 /// [`slice::from_raw_parts`]: crate::slice::from_raw_parts
1380 ///
1381 /// # Examples
1382 ///
1383 /// ```rust
1384 /// #![feature(ptr_cast_slice)]
1385 ///
1386 /// // create a slice pointer when starting out with a pointer to the first element
1387 /// let x = [5, 6, 7];
1388 /// let raw_slice = x.as_ptr().cast_slice(3);
1389 /// assert_eq!(unsafe { &*raw_slice }[2], 7);
1390 /// ```
1391 ///
1392 /// You must ensure that the pointer is valid and not null before dereferencing
1393 /// the raw slice. A slice reference must never have a null pointer, even if it's empty.
1394 ///
1395 /// ```rust,should_panic
1396 /// #![feature(ptr_cast_slice)]
1397 /// use std::ptr;
1398 /// let danger: *const [u8] = ptr::null::<u8>().cast_slice(0);
1399 /// unsafe {
1400 /// danger.as_ref().expect("references must not be null");
1401 /// }
1402 /// ```
1403#[inline]
1404 #[unstable(feature = "ptr_cast_slice", issue = "149103")]
1405pub const fn cast_slice(self, len: usize) -> *const [T] {
1406slice_from_raw_parts(self, len)
1407 }
1408}
1409impl<T> *const MaybeUninit<T> {
1410/// Casts from a maybe-uninitialized type to its initialized version.
1411 ///
1412 /// This is always safe, since UB can only occur if the pointer is read
1413 /// before being initialized.
1414#[must_use]
1415 #[inline(always)]
1416 #[unstable(feature = "cast_maybe_uninit", issue = "145036")]
1417pub const fn cast_init(self) -> *const T {
1418selfas _
1419}
1420}
14211422impl<T> *const [T] {
1423/// Returns the length of a raw slice.
1424 ///
1425 /// The returned value is the number of **elements**, not the number of bytes.
1426 ///
1427 /// This function is safe, even when the raw slice cannot be cast to a slice
1428 /// reference because the pointer is null or unaligned.
1429 ///
1430 /// # Examples
1431 ///
1432 /// ```rust
1433 /// use std::ptr;
1434 ///
1435 /// let slice: *const [i8] = ptr::slice_from_raw_parts(ptr::null(), 3);
1436 /// assert_eq!(slice.len(), 3);
1437 /// ```
1438#[inline]
1439 #[stable(feature = "slice_ptr_len", since = "1.79.0")]
1440 #[rustc_const_stable(feature = "const_slice_ptr_len", since = "1.79.0")]
1441pub const fn len(self) -> usize {
1442metadata(self)
1443 }
14441445/// Returns `true` if the raw slice has a length of 0.
1446 ///
1447 /// # Examples
1448 ///
1449 /// ```
1450 /// use std::ptr;
1451 ///
1452 /// let slice: *const [i8] = ptr::slice_from_raw_parts(ptr::null(), 3);
1453 /// assert!(!slice.is_empty());
1454 /// ```
1455#[inline(always)]
1456 #[stable(feature = "slice_ptr_len", since = "1.79.0")]
1457 #[rustc_const_stable(feature = "const_slice_ptr_len", since = "1.79.0")]
1458pub const fn is_empty(self) -> bool {
1459self.len() == 0
1460}
14611462/// Returns a raw pointer to the slice's buffer.
1463 ///
1464 /// This is equivalent to casting `self` to `*const T`, but more type-safe.
1465 ///
1466 /// # Examples
1467 ///
1468 /// ```rust
1469 /// #![feature(slice_ptr_get)]
1470 /// use std::ptr;
1471 ///
1472 /// let slice: *const [i8] = ptr::slice_from_raw_parts(ptr::null(), 3);
1473 /// assert_eq!(slice.as_ptr(), ptr::null());
1474 /// ```
1475#[inline]
1476 #[unstable(feature = "slice_ptr_get", issue = "74265")]
1477pub const fn as_ptr(self) -> *const T {
1478selfas *const T
1479 }
14801481/// Gets a raw pointer to the underlying array.
1482 ///
1483 /// If `N` is not exactly equal to the length of `self`, then this method returns `None`.
1484#[stable(feature = "core_slice_as_array", since = "1.93.0")]
1485 #[rustc_const_stable(feature = "core_slice_as_array", since = "1.93.0")]
1486 #[inline]
1487 #[must_use]
1488pub const fn as_array<const N: usize>(self) -> Option<*const [T; N]> {
1489if self.len() == N {
1490let me = self.as_ptr() as *const [T; N];
1491Some(me)
1492 } else {
1493None1494 }
1495 }
14961497/// Returns a raw pointer to an element or subslice, without doing bounds
1498 /// checking.
1499 ///
1500 /// Calling this method with an [out-of-bounds index] or when `self` is not dereferenceable
1501 /// is *[undefined behavior]* even if the resulting pointer is not used.
1502 ///
1503 /// [out-of-bounds index]: #method.add
1504 /// [undefined behavior]: https://doc.rust-lang.org/reference/behavior-considered-undefined.html
1505 ///
1506 /// # Examples
1507 ///
1508 /// ```
1509 /// #![feature(slice_ptr_get)]
1510 ///
1511 /// let x = &[1, 2, 4] as *const [i32];
1512 ///
1513 /// unsafe {
1514 /// assert_eq!(x.get_unchecked(1), x.as_ptr().add(1));
1515 /// }
1516 /// ```
1517#[unstable(feature = "slice_ptr_get", issue = "74265")]
1518 #[rustc_const_unstable(feature = "const_index", issue = "143775")]
1519 #[inline]
1520pub const unsafe fn get_unchecked<I>(self, index: I) -> *const I::Output
1521where
1522I: [const] SliceIndex<[T]>,
1523 {
1524// SAFETY: the caller ensures that `self` is dereferenceable and `index` in-bounds.
1525unsafe { index.get_unchecked(self) }
1526 }
15271528#[doc = "Returns `None` if the pointer is null, or else returns a shared slice to\nthe value wrapped in `Some`. In contrast to [`as_ref`], this does not require\nthat the value has to be initialized.\n\n[`as_ref`]: #method.as_ref\n\n# Safety\n\nWhen calling this method, you have to ensure that *either* the pointer is null *or*\nall of the following is true:\n\n* The pointer must be [valid] for reads for `ptr.len() * size_of::<T>()` many bytes,\n and it must be properly aligned. This means in particular:\n\n* The entire memory range of this slice must be contained within a single [allocation]!\n Slices can never span across multiple allocations.\n\n* The pointer must be aligned even for zero-length slices. One\n reason for this is that enum layout optimizations may rely on references\n (including slices of any length) being aligned and non-null to distinguish\n them from other data. You can obtain a pointer that is usable as `data`\n for zero-length slices using [`NonNull::dangling()`].\n\n* The total size `ptr.len() * size_of::<T>()` of the slice must be no larger than `isize::MAX`.\n See the safety documentation of [`pointer::offset`].\n\n* You must enforce Rust\'s aliasing rules, since the returned lifetime `\'a` is\n arbitrarily chosen and does not necessarily reflect the actual lifetime of the data.\n In particular, while this reference exists, the memory the pointer points to must\n not get mutated (except inside `UnsafeCell`).\n\nThis applies even if the result of this method is unused!\n\nSee also [`slice::from_raw_parts`][].\n\n[valid]: crate::ptr#safety\n[allocation]: crate::ptr#allocation\n\n# Panics during const evaluation\n\nThis method will panic during const evaluation if the pointer cannot be\ndetermined to be null or not. See [`is_null`] for more information.\n\n[`is_null`]: #method.is_null\n"include_str!("docs/as_uninit_slice.md")]
1529 #[inline]
1530 #[unstable(feature = "ptr_as_uninit", issue = "75402")]
1531pub const unsafe fn as_uninit_slice<'a>(self) -> Option<&'a [MaybeUninit<T>]> {
1532if self.is_null() {
1533None1534 } else {
1535// SAFETY: the caller must uphold the safety contract for `as_uninit_slice`.
1536Some(unsafe { slice::from_raw_parts(selfas *const MaybeUninit<T>, self.len()) })
1537 }
1538 }
1539}
15401541impl<T> *const T {
1542/// Casts from a pointer-to-`T` to a pointer-to-`[T; N]`.
1543#[inline]
1544 #[unstable(feature = "ptr_cast_array", issue = "144514")]
1545pub const fn cast_array<const N: usize>(self) -> *const [T; N] {
1546self.cast()
1547 }
1548}
15491550impl<T, const N: usize> *const [T; N] {
1551/// Returns a raw pointer to the array's buffer.
1552 ///
1553 /// This is equivalent to casting `self` to `*const T`, but more type-safe.
1554 ///
1555 /// # Examples
1556 ///
1557 /// ```rust
1558 /// #![feature(array_ptr_get)]
1559 /// use std::ptr;
1560 ///
1561 /// let arr: *const [i8; 3] = ptr::null();
1562 /// assert_eq!(arr.as_ptr(), ptr::null());
1563 /// ```
1564#[inline]
1565 #[unstable(feature = "array_ptr_get", issue = "119834")]
1566pub const fn as_ptr(self) -> *const T {
1567selfas *const T
1568 }
15691570/// Returns a raw pointer to a slice containing the entire array.
1571 ///
1572 /// # Examples
1573 ///
1574 /// ```
1575 /// #![feature(array_ptr_get)]
1576 ///
1577 /// let arr: *const [i32; 3] = &[1, 2, 4] as *const [i32; 3];
1578 /// let slice: *const [i32] = arr.as_slice();
1579 /// assert_eq!(slice.len(), 3);
1580 /// ```
1581#[inline]
1582 #[unstable(feature = "array_ptr_get", issue = "119834")]
1583pub const fn as_slice(self) -> *const [T] {
1584self1585 }
1586}
15871588/// Pointer equality is by address, as produced by the [`<*const T>::addr`](pointer::addr) method.
1589#[stable(feature = "rust1", since = "1.0.0")]
1590#[diagnostic::on_const(
1591 message = "pointers cannot be reliably compared during const eval",
1592 note = "see issue #53020 <https://github.com/rust-lang/rust/issues/53020> for more information"
1593)]
1594impl<T: PointeeSized> PartialEqfor *const T {
1595#[inline]
1596 #[allow(ambiguous_wide_pointer_comparisons)]
1597fn eq(&self, other: &*const T) -> bool {
1598*self == *other1599 }
1600}
16011602/// Pointer equality is an equivalence relation.
1603#[stable(feature = "rust1", since = "1.0.0")]
1604#[diagnostic::on_const(
1605 message = "pointers cannot be reliably compared during const eval",
1606 note = "see issue #53020 <https://github.com/rust-lang/rust/issues/53020> for more information"
1607)]
1608impl<T: PointeeSized> Eqfor *const T {}
16091610/// Pointer comparison is by address, as produced by the `[`<*const T>::addr`](pointer::addr)` method.
1611#[stable(feature = "rust1", since = "1.0.0")]
1612#[diagnostic::on_const(
1613 message = "pointers cannot be reliably compared during const eval",
1614 note = "see issue #53020 <https://github.com/rust-lang/rust/issues/53020> for more information"
1615)]
1616impl<T: PointeeSized> Ordfor *const T {
1617#[inline]
1618 #[allow(ambiguous_wide_pointer_comparisons)]
1619fn cmp(&self, other: &*const T) -> Ordering {
1620if self < other {
1621Less1622 } else if self == other {
1623Equal1624 } else {
1625Greater1626 }
1627 }
1628}
16291630/// Pointer comparison is by address, as produced by the `[`<*const T>::addr`](pointer::addr)` method.
1631#[stable(feature = "rust1", since = "1.0.0")]
1632#[diagnostic::on_const(
1633 message = "pointers cannot be reliably compared during const eval",
1634 note = "see issue #53020 <https://github.com/rust-lang/rust/issues/53020> for more information"
1635)]
1636impl<T: PointeeSized> PartialOrdfor *const T {
1637#[inline]
1638 #[allow(ambiguous_wide_pointer_comparisons)]
1639fn partial_cmp(&self, other: &*const T) -> Option<Ordering> {
1640Some(self.cmp(other))
1641 }
16421643#[inline]
1644 #[allow(ambiguous_wide_pointer_comparisons)]
1645fn lt(&self, other: &*const T) -> bool {
1646*self < *other1647 }
16481649#[inline]
1650 #[allow(ambiguous_wide_pointer_comparisons)]
1651fn le(&self, other: &*const T) -> bool {
1652*self <= *other1653 }
16541655#[inline]
1656 #[allow(ambiguous_wide_pointer_comparisons)]
1657fn gt(&self, other: &*const T) -> bool {
1658*self > *other1659 }
16601661#[inline]
1662 #[allow(ambiguous_wide_pointer_comparisons)]
1663fn ge(&self, other: &*const T) -> bool {
1664*self >= *other1665 }
1666}
16671668#[stable(feature = "raw_ptr_default", since = "1.88.0")]
1669impl<T: ?Sized + Thin> Defaultfor *const T {
1670/// Returns the default value of [`null()`][crate::ptr::null].
1671fn default() -> Self {
1672crate::ptr::null()
1673 }
1674}