pub struct NonNull<T>where
T: ?Sized,{ /* private fields */ }
Expand description
*mut T
but non-zero and covariant.
This is often the correct thing to use when building data structures using
raw pointers, but is ultimately more dangerous to use because of its additional
properties. If you’re not sure if you should use NonNull<T>
, just use *mut T
!
Unlike *mut T
, the pointer must always be non-null, even if the pointer
is never dereferenced. This is so that enums may use this forbidden value
as a discriminant – Option<NonNull<T>>
has the same size as *mut T
.
However the pointer may still dangle if it isn’t dereferenced.
Unlike *mut T
, NonNull<T>
was chosen to be covariant over T
. This makes it
possible to use NonNull<T>
when building covariant types, but introduces the
risk of unsoundness if used in a type that shouldn’t actually be covariant.
(The opposite choice was made for *mut T
even though technically the unsoundness
could only be caused by calling unsafe functions.)
Covariance is correct for most safe abstractions, such as Box
, Rc
, Arc
, Vec
,
and LinkedList
. This is the case because they provide a public API that follows the
normal shared XOR mutable rules of Rust.
If your type cannot safely be covariant, you must ensure it contains some
additional field to provide invariance. Often this field will be a PhantomData
type like PhantomData<Cell<T>>
or PhantomData<&'a mut T>
.
Notice that NonNull<T>
has a From
instance for &T
. However, this does
not change the fact that mutating through a (pointer derived from a) shared
reference is undefined behavior unless the mutation happens inside an
UnsafeCell<T>
. The same goes for creating a mutable reference from a shared
reference. When using this From
instance without an UnsafeCell<T>
,
it is your responsibility to ensure that as_mut
is never called, and as_ptr
is never used for mutation.
§Representation
Thanks to the null pointer optimization,
NonNull<T>
and Option<NonNull<T>>
are guaranteed to have the same size and alignment:
use std::ptr::NonNull;
assert_eq!(size_of::<NonNull<i16>>(), size_of::<Option<NonNull<i16>>>());
assert_eq!(align_of::<NonNull<i16>>(), align_of::<Option<NonNull<i16>>>());
assert_eq!(size_of::<NonNull<str>>(), size_of::<Option<NonNull<str>>>());
assert_eq!(align_of::<NonNull<str>>(), align_of::<Option<NonNull<str>>>());
RunImplementations§
source§impl<T> NonNull<T>
impl<T> NonNull<T>
const: 1.36.0 · sourcepub const fn dangling() -> NonNull<T>
pub const fn dangling() -> NonNull<T>
Creates a new NonNull
that is dangling, but well-aligned.
This is useful for initializing types which lazily allocate, like
Vec::new
does.
Note that the pointer value may potentially represent a valid pointer to
a T
, which means this must not be used as a “not yet initialized”
sentinel value. Types that lazily allocate must track initialization by
some other means.
§Examples
use std::ptr::NonNull;
let ptr = NonNull::<u32>::dangling();
// Important: don't try to access the value of `ptr` without
// initializing it first! The pointer is not null but isn't valid either!
Runconst: unstable · sourcepub unsafe fn as_uninit_ref<'a>(self) -> &'a MaybeUninit<T>
🔬This is a nightly-only experimental API. (ptr_as_uninit
#75402)
pub unsafe fn as_uninit_ref<'a>(self) -> &'a MaybeUninit<T>
ptr_as_uninit
#75402)Returns a shared references to the value. In contrast to as_ref
, this does not require
that the value has to be initialized.
For the mutable counterpart see as_uninit_mut
.
§Safety
When calling this method, you have to ensure that all of the following is true:
-
The pointer must be properly aligned.
-
It must be “dereferenceable” in the sense defined in the module documentation.
-
You must enforce Rust’s aliasing rules, since the returned lifetime
'a
is arbitrarily chosen and does not necessarily reflect the actual lifetime of the data. In particular, while this reference exists, the memory the pointer points to must not get mutated (except insideUnsafeCell
).
This applies even if the result of this method is unused!
const: unstable · sourcepub unsafe fn as_uninit_mut<'a>(self) -> &'a mut MaybeUninit<T>
🔬This is a nightly-only experimental API. (ptr_as_uninit
#75402)
pub unsafe fn as_uninit_mut<'a>(self) -> &'a mut MaybeUninit<T>
ptr_as_uninit
#75402)Returns a unique references to the value. In contrast to as_mut
, this does not require
that the value has to be initialized.
For the shared counterpart see as_uninit_ref
.
§Safety
When calling this method, you have to ensure that all of the following is true:
-
The pointer must be properly aligned.
-
It must be “dereferenceable” in the sense defined in the module documentation.
-
You must enforce Rust’s aliasing rules, since the returned lifetime
'a
is arbitrarily chosen and does not necessarily reflect the actual lifetime of the data. In particular, while this reference exists, the memory the pointer points to must not get accessed (read or written) through any other pointer.
This applies even if the result of this method is unused!
source§impl<T> NonNull<T>where
T: ?Sized,
impl<T> NonNull<T>where
T: ?Sized,
const: 1.25.0 · sourcepub const unsafe fn new_unchecked(ptr: *mut T) -> NonNull<T>
pub const unsafe fn new_unchecked(ptr: *mut T) -> NonNull<T>
Creates a new NonNull
.
§Safety
ptr
must be non-null.
§Examples
use std::ptr::NonNull;
let mut x = 0u32;
let ptr = unsafe { NonNull::new_unchecked(&mut x as *mut _) };
RunIncorrect usage of this function:
use std::ptr::NonNull;
// NEVER DO THAT!!! This is undefined behavior. ⚠️
let ptr = unsafe { NonNull::<u32>::new_unchecked(std::ptr::null_mut()) };
Runconst: unstable · sourcepub fn from_raw_parts(
data_pointer: NonNull<()>,
metadata: <T as Pointee>::Metadata
) -> NonNull<T>
🔬This is a nightly-only experimental API. (ptr_metadata
#81513)
pub fn from_raw_parts( data_pointer: NonNull<()>, metadata: <T as Pointee>::Metadata ) -> NonNull<T>
ptr_metadata
#81513)Performs the same functionality as std::ptr::from_raw_parts
, except that a
NonNull
pointer is returned, as opposed to a raw *const
pointer.
See the documentation of std::ptr::from_raw_parts
for more details.
const: unstable · sourcepub fn to_raw_parts(self) -> (NonNull<()>, <T as Pointee>::Metadata)
🔬This is a nightly-only experimental API. (ptr_metadata
#81513)
pub fn to_raw_parts(self) -> (NonNull<()>, <T as Pointee>::Metadata)
ptr_metadata
#81513)Decompose a (possibly wide) pointer into its data pointer and metadata components.
The pointer can be later reconstructed with NonNull::from_raw_parts
.
sourcepub fn addr(self) -> NonZero<usize>
🔬This is a nightly-only experimental API. (strict_provenance
#95228)
pub fn addr(self) -> NonZero<usize>
strict_provenance
#95228)Gets the “address” portion of the pointer.
For more details see the equivalent method on a raw pointer, pointer::addr
.
This API and its claimed semantics are part of the Strict Provenance experiment,
see the ptr
module documentation.
sourcepub fn with_addr(self, addr: NonZero<usize>) -> NonNull<T>
🔬This is a nightly-only experimental API. (strict_provenance
#95228)
pub fn with_addr(self, addr: NonZero<usize>) -> NonNull<T>
strict_provenance
#95228)Creates a new pointer with the given address.
For more details see the equivalent method on a raw pointer, pointer::with_addr
.
This API and its claimed semantics are part of the Strict Provenance experiment,
see the ptr
module documentation.
sourcepub fn map_addr(
self,
f: impl FnOnce(NonZero<usize>) -> NonZero<usize>
) -> NonNull<T>
🔬This is a nightly-only experimental API. (strict_provenance
#95228)
pub fn map_addr( self, f: impl FnOnce(NonZero<usize>) -> NonZero<usize> ) -> NonNull<T>
strict_provenance
#95228)Creates a new pointer by mapping self
’s address to a new one.
For more details see the equivalent method on a raw pointer, pointer::map_addr
.
This API and its claimed semantics are part of the Strict Provenance experiment,
see the ptr
module documentation.
const: 1.32.0 · sourcepub const fn as_ptr(self) -> *mut T
pub const fn as_ptr(self) -> *mut T
Acquires the underlying *mut
pointer.
§Examples
use std::ptr::NonNull;
let mut x = 0u32;
let ptr = NonNull::new(&mut x).expect("ptr is null!");
let x_value = unsafe { *ptr.as_ptr() };
assert_eq!(x_value, 0);
unsafe { *ptr.as_ptr() += 2; }
let x_value = unsafe { *ptr.as_ptr() };
assert_eq!(x_value, 2);
Runconst: 1.73.0 · sourcepub const unsafe fn as_ref<'a>(&self) -> &'a T
pub const unsafe fn as_ref<'a>(&self) -> &'a T
Returns a shared reference to the value. If the value may be uninitialized, as_uninit_ref
must be used instead.
For the mutable counterpart see as_mut
.
§Safety
When calling this method, you have to ensure that all of the following is true:
-
The pointer must be properly aligned.
-
It must be “dereferenceable” in the sense defined in the module documentation.
-
The pointer must point to an initialized instance of
T
. -
You must enforce Rust’s aliasing rules, since the returned lifetime
'a
is arbitrarily chosen and does not necessarily reflect the actual lifetime of the data. In particular, while this reference exists, the memory the pointer points to must not get mutated (except insideUnsafeCell
).
This applies even if the result of this method is unused! (The part about being initialized is not yet fully decided, but until it is, the only safe approach is to ensure that they are indeed initialized.)
§Examples
use std::ptr::NonNull;
let mut x = 0u32;
let ptr = NonNull::new(&mut x as *mut _).expect("ptr is null!");
let ref_x = unsafe { ptr.as_ref() };
println!("{ref_x}");
Runconst: unstable · sourcepub unsafe fn as_mut<'a>(&mut self) -> &'a mut T
pub unsafe fn as_mut<'a>(&mut self) -> &'a mut T
Returns a unique reference to the value. If the value may be uninitialized, as_uninit_mut
must be used instead.
For the shared counterpart see as_ref
.
§Safety
When calling this method, you have to ensure that all of the following is true:
-
The pointer must be properly aligned.
-
It must be “dereferenceable” in the sense defined in the module documentation.
-
The pointer must point to an initialized instance of
T
. -
You must enforce Rust’s aliasing rules, since the returned lifetime
'a
is arbitrarily chosen and does not necessarily reflect the actual lifetime of the data. In particular, while this reference exists, the memory the pointer points to must not get accessed (read or written) through any other pointer.
This applies even if the result of this method is unused! (The part about being initialized is not yet fully decided, but until it is, the only safe approach is to ensure that they are indeed initialized.)
§Examples
use std::ptr::NonNull;
let mut x = 0u32;
let mut ptr = NonNull::new(&mut x).expect("null pointer");
let x_ref = unsafe { ptr.as_mut() };
assert_eq!(*x_ref, 0);
*x_ref += 2;
assert_eq!(*x_ref, 2);
Runconst: unstable · sourcepub unsafe fn offset(self, count: isize) -> NonNull<T>
🔬This is a nightly-only experimental API. (non_null_convenience
#117691)
pub unsafe fn offset(self, count: isize) -> NonNull<T>
non_null_convenience
#117691)Calculates the offset from a pointer.
count
is in units of T; e.g., a count
of 3 represents a pointer
offset of 3 * size_of::<T>()
bytes.
§Safety
If any of the following conditions are violated, the result is Undefined Behavior:
-
Both the starting and resulting pointer must be either in bounds or one byte past the end of the same allocated object.
-
The computed offset, in bytes, cannot overflow an
isize
. -
The offset being in bounds cannot rely on “wrapping around” the address space. That is, the infinite-precision sum, in bytes must fit in a usize.
The compiler and standard library generally tries to ensure allocations
never reach a size where an offset is a concern. For instance, Vec
and Box
ensure they never allocate more than isize::MAX
bytes, so
vec.as_ptr().add(vec.len())
is always safe.
Most platforms fundamentally can’t even construct such an allocation.
For instance, no known 64-bit platform can ever serve a request
for 263 bytes due to page-table limitations or splitting the address space.
However, some 32-bit and 16-bit platforms may successfully serve a request for
more than isize::MAX
bytes with things like Physical Address
Extension. As such, memory acquired directly from allocators or memory
mapped files may be too large to handle with this function.
§Examples
#![feature(non_null_convenience)]
use std::ptr::NonNull;
let mut s = [1, 2, 3];
let ptr: NonNull<u32> = NonNull::new(s.as_mut_ptr()).unwrap();
unsafe {
println!("{}", ptr.offset(1).read());
println!("{}", ptr.offset(2).read());
}
Runconst: unstable · sourcepub unsafe fn byte_offset(self, count: isize) -> NonNull<T>
🔬This is a nightly-only experimental API. (non_null_convenience
#117691)
pub unsafe fn byte_offset(self, count: isize) -> NonNull<T>
non_null_convenience
#117691)Calculates the offset from a pointer in bytes.
count
is in units of bytes.
This is purely a convenience for casting to a u8
pointer and
using offset on it. See that method for documentation
and safety requirements.
For non-Sized
pointees this operation changes only the data pointer,
leaving the metadata untouched.
const: unstable · sourcepub unsafe fn add(self, count: usize) -> NonNull<T>
🔬This is a nightly-only experimental API. (non_null_convenience
#117691)
pub unsafe fn add(self, count: usize) -> NonNull<T>
non_null_convenience
#117691)Calculates the offset from a pointer (convenience for .offset(count as isize)
).
count
is in units of T; e.g., a count
of 3 represents a pointer
offset of 3 * size_of::<T>()
bytes.
§Safety
If any of the following conditions are violated, the result is Undefined Behavior:
-
Both the starting and resulting pointer must be either in bounds or one byte past the end of the same allocated object.
-
The computed offset, in bytes, cannot overflow an
isize
. -
The offset being in bounds cannot rely on “wrapping around” the address space. That is, the infinite-precision sum must fit in a
usize
.
The compiler and standard library generally tries to ensure allocations
never reach a size where an offset is a concern. For instance, Vec
and Box
ensure they never allocate more than isize::MAX
bytes, so
vec.as_ptr().add(vec.len())
is always safe.
Most platforms fundamentally can’t even construct such an allocation.
For instance, no known 64-bit platform can ever serve a request
for 263 bytes due to page-table limitations or splitting the address space.
However, some 32-bit and 16-bit platforms may successfully serve a request for
more than isize::MAX
bytes with things like Physical Address
Extension. As such, memory acquired directly from allocators or memory
mapped files may be too large to handle with this function.
§Examples
#![feature(non_null_convenience)]
use std::ptr::NonNull;
let s: &str = "123";
let ptr: NonNull<u8> = NonNull::new(s.as_ptr().cast_mut()).unwrap();
unsafe {
println!("{}", ptr.add(1).read() as char);
println!("{}", ptr.add(2).read() as char);
}
Runconst: unstable · sourcepub unsafe fn byte_add(self, count: usize) -> NonNull<T>
🔬This is a nightly-only experimental API. (non_null_convenience
#117691)
pub unsafe fn byte_add(self, count: usize) -> NonNull<T>
non_null_convenience
#117691)Calculates the offset from a pointer in bytes (convenience for .byte_offset(count as isize)
).
count
is in units of bytes.
This is purely a convenience for casting to a u8
pointer and
using add
on it. See that method for documentation
and safety requirements.
For non-Sized
pointees this operation changes only the data pointer,
leaving the metadata untouched.
const: unstable · sourcepub unsafe fn sub(self, count: usize) -> NonNull<T>
🔬This is a nightly-only experimental API. (non_null_convenience
#117691)
pub unsafe fn sub(self, count: usize) -> NonNull<T>
non_null_convenience
#117691)Calculates the offset from a pointer (convenience for
.offset((count as isize).wrapping_neg())
).
count
is in units of T; e.g., a count
of 3 represents a pointer
offset of 3 * size_of::<T>()
bytes.
§Safety
If any of the following conditions are violated, the result is Undefined Behavior:
-
Both the starting and resulting pointer must be either in bounds or one byte past the end of the same allocated object.
-
The computed offset cannot exceed
isize::MAX
bytes. -
The offset being in bounds cannot rely on “wrapping around” the address space. That is, the infinite-precision sum must fit in a usize.
The compiler and standard library generally tries to ensure allocations
never reach a size where an offset is a concern. For instance, Vec
and Box
ensure they never allocate more than isize::MAX
bytes, so
vec.as_ptr().add(vec.len()).sub(vec.len())
is always safe.
Most platforms fundamentally can’t even construct such an allocation.
For instance, no known 64-bit platform can ever serve a request
for 263 bytes due to page-table limitations or splitting the address space.
However, some 32-bit and 16-bit platforms may successfully serve a request for
more than isize::MAX
bytes with things like Physical Address
Extension. As such, memory acquired directly from allocators or memory
mapped files may be too large to handle with this function.
§Examples
#![feature(non_null_convenience)]
use std::ptr::NonNull;
let s: &str = "123";
unsafe {
let end: NonNull<u8> = NonNull::new(s.as_ptr().cast_mut()).unwrap().add(3);
println!("{}", end.sub(1).read() as char);
println!("{}", end.sub(2).read() as char);
}
Runconst: unstable · sourcepub unsafe fn byte_sub(self, count: usize) -> NonNull<T>
🔬This is a nightly-only experimental API. (non_null_convenience
#117691)
pub unsafe fn byte_sub(self, count: usize) -> NonNull<T>
non_null_convenience
#117691)Calculates the offset from a pointer in bytes (convenience for
.byte_offset((count as isize).wrapping_neg())
).
count
is in units of bytes.
This is purely a convenience for casting to a u8
pointer and
using sub
on it. See that method for documentation
and safety requirements.
For non-Sized
pointees this operation changes only the data pointer,
leaving the metadata untouched.
const: unstable · sourcepub unsafe fn offset_from(self, origin: NonNull<T>) -> isize
🔬This is a nightly-only experimental API. (non_null_convenience
#117691)
pub unsafe fn offset_from(self, origin: NonNull<T>) -> isize
non_null_convenience
#117691)Calculates the distance between two pointers. The returned value is in
units of T: the distance in bytes divided by mem::size_of::<T>()
.
This is equivalent to (self as isize - origin as isize) / (mem::size_of::<T>() as isize)
,
except that it has a lot more opportunities for UB, in exchange for the compiler
better understanding what you are doing.
The primary motivation of this method is for computing the len
of an array/slice
of T
that you are currently representing as a “start” and “end” pointer
(and “end” is “one past the end” of the array).
In that case, end.offset_from(start)
gets you the length of the array.
All of the following safety requirements are trivially satisfied for this usecase.
§Safety
If any of the following conditions are violated, the result is Undefined Behavior:
-
Both
self
andorigin
must be either in bounds or one byte past the end of the same allocated object. -
Both pointers must be derived from a pointer to the same object. (See below for an example.)
-
The distance between the pointers, in bytes, must be an exact multiple of the size of
T
. -
The distance between the pointers, in bytes, cannot overflow an
isize
. -
The distance being in bounds cannot rely on “wrapping around” the address space.
Rust types are never larger than isize::MAX
and Rust allocations never wrap around the
address space, so two pointers within some value of any Rust type T
will always satisfy
the last two conditions. The standard library also generally ensures that allocations
never reach a size where an offset is a concern. For instance, Vec
and Box
ensure they
never allocate more than isize::MAX
bytes, so ptr_into_vec.offset_from(vec.as_ptr())
always satisfies the last two conditions.
Most platforms fundamentally can’t even construct such a large allocation.
For instance, no known 64-bit platform can ever serve a request
for 263 bytes due to page-table limitations or splitting the address space.
However, some 32-bit and 16-bit platforms may successfully serve a request for
more than isize::MAX
bytes with things like Physical Address
Extension. As such, memory acquired directly from allocators or memory
mapped files may be too large to handle with this function.
(Note that offset
and add
also have a similar limitation and hence cannot be used on
such large allocations either.)
The requirement for pointers to be derived from the same allocated object is primarily
needed for const
-compatibility: the distance between pointers into different allocated
objects is not known at compile-time. However, the requirement also exists at
runtime and may be exploited by optimizations. If you wish to compute the difference between
pointers that are not guaranteed to be from the same allocation, use (self as isize - origin as isize) / mem::size_of::<T>()
.
§Panics
This function panics if T
is a Zero-Sized Type (“ZST”).
§Examples
Basic usage:
#![feature(non_null_convenience)]
use std::ptr::NonNull;
let a = [0; 5];
let ptr1: NonNull<u32> = NonNull::from(&a[1]);
let ptr2: NonNull<u32> = NonNull::from(&a[3]);
unsafe {
assert_eq!(ptr2.offset_from(ptr1), 2);
assert_eq!(ptr1.offset_from(ptr2), -2);
assert_eq!(ptr1.offset(2), ptr2);
assert_eq!(ptr2.offset(-2), ptr1);
}
RunIncorrect usage:
#![feature(non_null_convenience, strict_provenance)]
use std::ptr::NonNull;
let ptr1 = NonNull::new(Box::into_raw(Box::new(0u8))).unwrap();
let ptr2 = NonNull::new(Box::into_raw(Box::new(1u8))).unwrap();
let diff = (ptr2.addr().get() as isize).wrapping_sub(ptr1.addr().get() as isize);
// Make ptr2_other an "alias" of ptr2, but derived from ptr1.
let ptr2_other = NonNull::new(ptr1.as_ptr().wrapping_byte_offset(diff)).unwrap();
assert_eq!(ptr2.addr(), ptr2_other.addr());
// Since ptr2_other and ptr2 are derived from pointers to different objects,
// computing their offset is undefined behavior, even though
// they point to the same address!
unsafe {
let zero = ptr2_other.offset_from(ptr2); // Undefined Behavior
}
Runconst: unstable · sourcepub unsafe fn byte_offset_from<U>(self, origin: NonNull<U>) -> isizewhere
U: ?Sized,
🔬This is a nightly-only experimental API. (non_null_convenience
#117691)
pub unsafe fn byte_offset_from<U>(self, origin: NonNull<U>) -> isizewhere
U: ?Sized,
non_null_convenience
#117691)Calculates the distance between two pointers. The returned value is in units of bytes.
This is purely a convenience for casting to a u8
pointer and
using offset_from
on it. See that method for
documentation and safety requirements.
For non-Sized
pointees this operation considers only the data pointers,
ignoring the metadata.
const: unstable · sourcepub unsafe fn sub_ptr(self, subtracted: NonNull<T>) -> usize
🔬This is a nightly-only experimental API. (non_null_convenience
#117691)
pub unsafe fn sub_ptr(self, subtracted: NonNull<T>) -> usize
non_null_convenience
#117691)Calculates the distance between two pointers, where it’s known that
self
is equal to or greater than origin
. The returned value is in
units of T: the distance in bytes is divided by mem::size_of::<T>()
.
This computes the same value that offset_from
would compute, but with the added precondition that the offset is
guaranteed to be non-negative. This method is equivalent to
usize::try_from(self.offset_from(origin)).unwrap_unchecked()
,
but it provides slightly more information to the optimizer, which can
sometimes allow it to optimize slightly better with some backends.
This method can be though of as recovering the count
that was passed
to add
(or, with the parameters in the other order,
to sub
). The following are all equivalent, assuming
that their safety preconditions are met:
ptr.sub_ptr(origin) == count
origin.add(count) == ptr
ptr.sub(count) == origin
Run§Safety
-
The distance between the pointers must be non-negative (
self >= origin
) -
All the safety conditions of
offset_from
apply to this method as well; see it for the full details.
Importantly, despite the return type of this method being able to represent
a larger offset, it’s still not permitted to pass pointers which differ
by more than isize::MAX
bytes. As such, the result of this method will
always be less than or equal to isize::MAX as usize
.
§Panics
This function panics if T
is a Zero-Sized Type (“ZST”).
§Examples
#![feature(non_null_convenience)]
use std::ptr::NonNull;
let a = [0; 5];
let ptr1: NonNull<u32> = NonNull::from(&a[1]);
let ptr2: NonNull<u32> = NonNull::from(&a[3]);
unsafe {
assert_eq!(ptr2.sub_ptr(ptr1), 2);
assert_eq!(ptr1.add(2), ptr2);
assert_eq!(ptr2.sub(2), ptr1);
assert_eq!(ptr2.sub_ptr(ptr2), 0);
}
// This would be incorrect, as the pointers are not correctly ordered:
// ptr1.sub_ptr(ptr2)
Runconst: unstable · sourcepub unsafe fn read(self) -> T
🔬This is a nightly-only experimental API. (non_null_convenience
#117691)
pub unsafe fn read(self) -> T
non_null_convenience
#117691)Reads the value from self
without moving it. This leaves the
memory in self
unchanged.
See ptr::read
for safety concerns and examples.
sourcepub unsafe fn read_volatile(self) -> T
🔬This is a nightly-only experimental API. (non_null_convenience
#117691)
pub unsafe fn read_volatile(self) -> T
non_null_convenience
#117691)Performs a volatile read of the value from self
without moving it. This
leaves the memory in self
unchanged.
Volatile operations are intended to act on I/O memory, and are guaranteed to not be elided or reordered by the compiler across other volatile operations.
See ptr::read_volatile
for safety concerns and examples.
const: unstable · sourcepub unsafe fn read_unaligned(self) -> T
🔬This is a nightly-only experimental API. (non_null_convenience
#117691)
pub unsafe fn read_unaligned(self) -> T
non_null_convenience
#117691)Reads the value from self
without moving it. This leaves the
memory in self
unchanged.
Unlike read
, the pointer may be unaligned.
See ptr::read_unaligned
for safety concerns and examples.
const: unstable · sourcepub unsafe fn copy_to(self, dest: NonNull<T>, count: usize)
🔬This is a nightly-only experimental API. (non_null_convenience
#117691)
pub unsafe fn copy_to(self, dest: NonNull<T>, count: usize)
non_null_convenience
#117691)const: unstable · sourcepub unsafe fn copy_to_nonoverlapping(self, dest: NonNull<T>, count: usize)
🔬This is a nightly-only experimental API. (non_null_convenience
#117691)
pub unsafe fn copy_to_nonoverlapping(self, dest: NonNull<T>, count: usize)
non_null_convenience
#117691)Copies count * size_of<T>
bytes from self
to dest
. The source
and destination may not overlap.
NOTE: this has the same argument order as ptr::copy_nonoverlapping
.
See ptr::copy_nonoverlapping
for safety concerns and examples.
const: unstable · sourcepub unsafe fn copy_from(self, src: NonNull<T>, count: usize)
🔬This is a nightly-only experimental API. (non_null_convenience
#117691)
pub unsafe fn copy_from(self, src: NonNull<T>, count: usize)
non_null_convenience
#117691)const: unstable · sourcepub unsafe fn copy_from_nonoverlapping(self, src: NonNull<T>, count: usize)
🔬This is a nightly-only experimental API. (non_null_convenience
#117691)
pub unsafe fn copy_from_nonoverlapping(self, src: NonNull<T>, count: usize)
non_null_convenience
#117691)Copies count * size_of<T>
bytes from src
to self
. The source
and destination may not overlap.
NOTE: this has the opposite argument order of ptr::copy_nonoverlapping
.
See ptr::copy_nonoverlapping
for safety concerns and examples.
sourcepub unsafe fn drop_in_place(self)
🔬This is a nightly-only experimental API. (non_null_convenience
#117691)
pub unsafe fn drop_in_place(self)
non_null_convenience
#117691)Executes the destructor (if any) of the pointed-to value.
See ptr::drop_in_place
for safety concerns and examples.
const: unstable · sourcepub unsafe fn write(self, val: T)
🔬This is a nightly-only experimental API. (non_null_convenience
#117691)
pub unsafe fn write(self, val: T)
non_null_convenience
#117691)Overwrites a memory location with the given value without reading or dropping the old value.
See ptr::write
for safety concerns and examples.
const: unstable · sourcepub unsafe fn write_bytes(self, val: u8, count: usize)
🔬This is a nightly-only experimental API. (non_null_convenience
#117691)
pub unsafe fn write_bytes(self, val: u8, count: usize)
non_null_convenience
#117691)Invokes memset on the specified pointer, setting count * size_of::<T>()
bytes of memory starting at self
to val
.
See ptr::write_bytes
for safety concerns and examples.
sourcepub unsafe fn write_volatile(self, val: T)
🔬This is a nightly-only experimental API. (non_null_convenience
#117691)
pub unsafe fn write_volatile(self, val: T)
non_null_convenience
#117691)Performs a volatile write of a memory location with the given value without reading or dropping the old value.
Volatile operations are intended to act on I/O memory, and are guaranteed to not be elided or reordered by the compiler across other volatile operations.
See ptr::write_volatile
for safety concerns and examples.
const: unstable · sourcepub unsafe fn write_unaligned(self, val: T)
🔬This is a nightly-only experimental API. (non_null_convenience
#117691)
pub unsafe fn write_unaligned(self, val: T)
non_null_convenience
#117691)Overwrites a memory location with the given value without reading or dropping the old value.
Unlike write
, the pointer may be unaligned.
See ptr::write_unaligned
for safety concerns and examples.
sourcepub unsafe fn replace(self, src: T) -> T
🔬This is a nightly-only experimental API. (non_null_convenience
#117691)
pub unsafe fn replace(self, src: T) -> T
non_null_convenience
#117691)Replaces the value at self
with src
, returning the old
value, without dropping either.
See ptr::replace
for safety concerns and examples.
const: unstable · sourcepub unsafe fn swap(self, with: NonNull<T>)
🔬This is a nightly-only experimental API. (non_null_convenience
#117691)
pub unsafe fn swap(self, with: NonNull<T>)
non_null_convenience
#117691)Swaps the values at two mutable locations of the same type, without
deinitializing either. They may overlap, unlike mem::swap
which is
otherwise equivalent.
See ptr::swap
for safety concerns and examples.
const: unstable · sourcepub fn align_offset(self, align: usize) -> usize
🔬This is a nightly-only experimental API. (non_null_convenience
#117691)
pub fn align_offset(self, align: usize) -> usize
non_null_convenience
#117691)Computes the offset that needs to be applied to the pointer in order to make it aligned to
align
.
If it is not possible to align the pointer, the implementation returns
usize::MAX
. It is permissible for the implementation to always
return usize::MAX
. Only your algorithm’s performance can depend
on getting a usable offset here, not its correctness.
The offset is expressed in number of T
elements, and not bytes.
There are no guarantees whatsoever that offsetting the pointer will not overflow or go beyond the allocation that the pointer points into. It is up to the caller to ensure that the returned offset is correct in all terms other than alignment.
§Panics
The function panics if align
is not a power-of-two.
§Examples
Accessing adjacent u8
as u16
#![feature(non_null_convenience)]
use std::mem::align_of;
use std::ptr::NonNull;
let x = [5_u8, 6, 7, 8, 9];
let ptr = NonNull::new(x.as_ptr() as *mut u8).unwrap();
let offset = ptr.align_offset(align_of::<u16>());
if offset < x.len() - 1 {
let u16_ptr = ptr.add(offset).cast::<u16>();
assert!(u16_ptr.read() == u16::from_ne_bytes([5, 6]) || u16_ptr.read() == u16::from_ne_bytes([6, 7]));
} else {
// while the pointer can be aligned via `offset`, it would point
// outside the allocation
}
Run1.79.0 (const: unstable) · sourcepub fn is_aligned(self) -> bool
pub fn is_aligned(self) -> bool
Returns whether the pointer is properly aligned for T
.
§Examples
use std::ptr::NonNull;
// On some platforms, the alignment of i32 is less than 4.
#[repr(align(4))]
struct AlignedI32(i32);
let data = AlignedI32(42);
let ptr = NonNull::<AlignedI32>::from(&data);
assert!(ptr.is_aligned());
assert!(!NonNull::new(ptr.as_ptr().wrapping_byte_add(1)).unwrap().is_aligned());
Run§At compiletime
Note: Alignment at compiletime is experimental and subject to change. See the tracking issue for details.
At compiletime, the compiler may not know where a value will end up in memory.
Calling this function on a pointer created from a reference at compiletime will only
return true
if the pointer is guaranteed to be aligned. This means that the pointer
is never aligned if cast to a type with a stricter alignment than the reference’s
underlying allocation.
#![feature(const_pointer_is_aligned)]
#![feature(non_null_convenience)]
#![feature(const_option)]
#![feature(const_nonnull_new)]
use std::ptr::NonNull;
// On some platforms, the alignment of primitives is less than their size.
#[repr(align(4))]
struct AlignedI32(i32);
#[repr(align(8))]
struct AlignedI64(i64);
const _: () = {
let data = [AlignedI32(42), AlignedI32(42)];
let ptr = NonNull::<AlignedI32>::new(&data[0] as *const _ as *mut _).unwrap();
assert!(ptr.is_aligned());
// At runtime either `ptr1` or `ptr2` would be aligned, but at compiletime neither is aligned.
let ptr1 = ptr.cast::<AlignedI64>();
let ptr2 = unsafe { ptr.add(1).cast::<AlignedI64>() };
assert!(!ptr1.is_aligned());
assert!(!ptr2.is_aligned());
};
RunDue to this behavior, it is possible that a runtime pointer derived from a compiletime pointer is aligned, even if the compiletime pointer wasn’t aligned.
#![feature(const_pointer_is_aligned)]
// On some platforms, the alignment of primitives is less than their size.
#[repr(align(4))]
struct AlignedI32(i32);
#[repr(align(8))]
struct AlignedI64(i64);
// At compiletime, neither `COMPTIME_PTR` nor `COMPTIME_PTR + 1` is aligned.
const COMPTIME_PTR: *const AlignedI32 = &AlignedI32(42);
const _: () = assert!(!COMPTIME_PTR.cast::<AlignedI64>().is_aligned());
const _: () = assert!(!COMPTIME_PTR.wrapping_add(1).cast::<AlignedI64>().is_aligned());
// At runtime, either `runtime_ptr` or `runtime_ptr + 1` is aligned.
let runtime_ptr = COMPTIME_PTR;
assert_ne!(
runtime_ptr.cast::<AlignedI64>().is_aligned(),
runtime_ptr.wrapping_add(1).cast::<AlignedI64>().is_aligned(),
);
RunIf a pointer is created from a fixed address, this function behaves the same during runtime and compiletime.
#![feature(const_pointer_is_aligned)]
#![feature(const_option)]
#![feature(const_nonnull_new)]
use std::ptr::NonNull;
// On some platforms, the alignment of primitives is less than their size.
#[repr(align(4))]
struct AlignedI32(i32);
#[repr(align(8))]
struct AlignedI64(i64);
const _: () = {
let ptr = NonNull::new(40 as *mut AlignedI32).unwrap();
assert!(ptr.is_aligned());
// For pointers with a known address, runtime and compiletime behavior are identical.
let ptr1 = ptr.cast::<AlignedI64>();
let ptr2 = NonNull::new(ptr.as_ptr().wrapping_add(1)).unwrap().cast::<AlignedI64>();
assert!(ptr1.is_aligned());
assert!(!ptr2.is_aligned());
};
Runconst: unstable · sourcepub fn is_aligned_to(self, align: usize) -> bool
🔬This is a nightly-only experimental API. (pointer_is_aligned_to
#96284)
pub fn is_aligned_to(self, align: usize) -> bool
pointer_is_aligned_to
#96284)Returns whether the pointer is aligned to align
.
For non-Sized
pointees this operation considers only the data pointer,
ignoring the metadata.
§Panics
The function panics if align
is not a power-of-two (this includes 0).
§Examples
#![feature(pointer_is_aligned_to)]
// On some platforms, the alignment of i32 is less than 4.
#[repr(align(4))]
struct AlignedI32(i32);
let data = AlignedI32(42);
let ptr = &data as *const AlignedI32;
assert!(ptr.is_aligned_to(1));
assert!(ptr.is_aligned_to(2));
assert!(ptr.is_aligned_to(4));
assert!(ptr.wrapping_byte_add(2).is_aligned_to(2));
assert!(!ptr.wrapping_byte_add(2).is_aligned_to(4));
assert_ne!(ptr.is_aligned_to(8), ptr.wrapping_add(1).is_aligned_to(8));
Run§At compiletime
Note: Alignment at compiletime is experimental and subject to change. See the tracking issue for details.
At compiletime, the compiler may not know where a value will end up in memory.
Calling this function on a pointer created from a reference at compiletime will only
return true
if the pointer is guaranteed to be aligned. This means that the pointer
cannot be stricter aligned than the reference’s underlying allocation.
#![feature(pointer_is_aligned_to)]
#![feature(const_pointer_is_aligned)]
// On some platforms, the alignment of i32 is less than 4.
#[repr(align(4))]
struct AlignedI32(i32);
const _: () = {
let data = AlignedI32(42);
let ptr = &data as *const AlignedI32;
assert!(ptr.is_aligned_to(1));
assert!(ptr.is_aligned_to(2));
assert!(ptr.is_aligned_to(4));
// At compiletime, we know for sure that the pointer isn't aligned to 8.
assert!(!ptr.is_aligned_to(8));
assert!(!ptr.wrapping_add(1).is_aligned_to(8));
};
RunDue to this behavior, it is possible that a runtime pointer derived from a compiletime pointer is aligned, even if the compiletime pointer wasn’t aligned.
#![feature(pointer_is_aligned_to)]
#![feature(const_pointer_is_aligned)]
// On some platforms, the alignment of i32 is less than 4.
#[repr(align(4))]
struct AlignedI32(i32);
// At compiletime, neither `COMPTIME_PTR` nor `COMPTIME_PTR + 1` is aligned.
const COMPTIME_PTR: *const AlignedI32 = &AlignedI32(42);
const _: () = assert!(!COMPTIME_PTR.is_aligned_to(8));
const _: () = assert!(!COMPTIME_PTR.wrapping_add(1).is_aligned_to(8));
// At runtime, either `runtime_ptr` or `runtime_ptr + 1` is aligned.
let runtime_ptr = COMPTIME_PTR;
assert_ne!(
runtime_ptr.is_aligned_to(8),
runtime_ptr.wrapping_add(1).is_aligned_to(8),
);
RunIf a pointer is created from a fixed address, this function behaves the same during runtime and compiletime.
#![feature(pointer_is_aligned_to)]
#![feature(const_pointer_is_aligned)]
const _: () = {
let ptr = 40 as *const u8;
assert!(ptr.is_aligned_to(1));
assert!(ptr.is_aligned_to(2));
assert!(ptr.is_aligned_to(4));
assert!(ptr.is_aligned_to(8));
assert!(!ptr.is_aligned_to(16));
};
Runsource§impl<T> NonNull<[T]>
impl<T> NonNull<[T]>
1.70.0 (const: unstable) · sourcepub fn slice_from_raw_parts(data: NonNull<T>, len: usize) -> NonNull<[T]>
pub fn slice_from_raw_parts(data: NonNull<T>, len: usize) -> NonNull<[T]>
Creates a non-null raw slice from a thin pointer and a length.
The len
argument is the number of elements, not the number of bytes.
This function is safe, but dereferencing the return value is unsafe.
See the documentation of slice::from_raw_parts
for slice safety requirements.
§Examples
use std::ptr::NonNull;
// create a slice pointer when starting out with a pointer to the first element
let mut x = [5, 6, 7];
let nonnull_pointer = NonNull::new(x.as_mut_ptr()).unwrap();
let slice = NonNull::slice_from_raw_parts(nonnull_pointer, 3);
assert_eq!(unsafe { slice.as_ref()[2] }, 7);
Run(Note that this example artificially demonstrates a use of this method,
but let slice = NonNull::from(&x[..]);
would be a better way to write code like this.)
1.63.0 (const: 1.63.0) · sourcepub const fn len(self) -> usize
pub const fn len(self) -> usize
Returns the length of a non-null raw slice.
The returned value is the number of elements, not the number of bytes.
This function is safe, even when the non-null raw slice cannot be dereferenced to a slice because the pointer does not have a valid address.
§Examples
use std::ptr::NonNull;
let slice: NonNull<[i8]> = NonNull::slice_from_raw_parts(NonNull::dangling(), 3);
assert_eq!(slice.len(), 3);
Runconst: unstable · sourcepub fn is_empty(self) -> bool
🔬This is a nightly-only experimental API. (slice_ptr_is_empty_nonnull
#71146)
pub fn is_empty(self) -> bool
slice_ptr_is_empty_nonnull
#71146)const: unstable · sourcepub fn as_non_null_ptr(self) -> NonNull<T>
🔬This is a nightly-only experimental API. (slice_ptr_get
#74265)
pub fn as_non_null_ptr(self) -> NonNull<T>
slice_ptr_get
#74265)const: unstable · sourcepub fn as_mut_ptr(self) -> *mut T
🔬This is a nightly-only experimental API. (slice_ptr_get
#74265)
pub fn as_mut_ptr(self) -> *mut T
slice_ptr_get
#74265)const: unstable · sourcepub unsafe fn as_uninit_slice<'a>(self) -> &'a [MaybeUninit<T>]
🔬This is a nightly-only experimental API. (ptr_as_uninit
#75402)
pub unsafe fn as_uninit_slice<'a>(self) -> &'a [MaybeUninit<T>]
ptr_as_uninit
#75402)Returns a shared reference to a slice of possibly uninitialized values. In contrast to
as_ref
, this does not require that the value has to be initialized.
For the mutable counterpart see as_uninit_slice_mut
.
§Safety
When calling this method, you have to ensure that all of the following is true:
-
The pointer must be valid for reads for
ptr.len() * mem::size_of::<T>()
many bytes, and it must be properly aligned. This means in particular:-
The entire memory range of this slice must be contained within a single allocated object! Slices can never span across multiple allocated objects.
-
The pointer must be aligned even for zero-length slices. One reason for this is that enum layout optimizations may rely on references (including slices of any length) being aligned and non-null to distinguish them from other data. You can obtain a pointer that is usable as
data
for zero-length slices usingNonNull::dangling()
.
-
-
The total size
ptr.len() * mem::size_of::<T>()
of the slice must be no larger thanisize::MAX
. See the safety documentation ofpointer::offset
. -
You must enforce Rust’s aliasing rules, since the returned lifetime
'a
is arbitrarily chosen and does not necessarily reflect the actual lifetime of the data. In particular, while this reference exists, the memory the pointer points to must not get mutated (except insideUnsafeCell
).
This applies even if the result of this method is unused!
See also slice::from_raw_parts
.
const: unstable · sourcepub unsafe fn as_uninit_slice_mut<'a>(self) -> &'a mut [MaybeUninit<T>]
🔬This is a nightly-only experimental API. (ptr_as_uninit
#75402)
pub unsafe fn as_uninit_slice_mut<'a>(self) -> &'a mut [MaybeUninit<T>]
ptr_as_uninit
#75402)Returns a unique reference to a slice of possibly uninitialized values. In contrast to
as_mut
, this does not require that the value has to be initialized.
For the shared counterpart see as_uninit_slice
.
§Safety
When calling this method, you have to ensure that all of the following is true:
-
The pointer must be valid for reads and writes for
ptr.len() * mem::size_of::<T>()
many bytes, and it must be properly aligned. This means in particular:-
The entire memory range of this slice must be contained within a single allocated object! Slices can never span across multiple allocated objects.
-
The pointer must be aligned even for zero-length slices. One reason for this is that enum layout optimizations may rely on references (including slices of any length) being aligned and non-null to distinguish them from other data. You can obtain a pointer that is usable as
data
for zero-length slices usingNonNull::dangling()
.
-
-
The total size
ptr.len() * mem::size_of::<T>()
of the slice must be no larger thanisize::MAX
. See the safety documentation ofpointer::offset
. -
You must enforce Rust’s aliasing rules, since the returned lifetime
'a
is arbitrarily chosen and does not necessarily reflect the actual lifetime of the data. In particular, while this reference exists, the memory the pointer points to must not get accessed (read or written) through any other pointer.
This applies even if the result of this method is unused!
See also slice::from_raw_parts_mut
.
§Examples
#![feature(allocator_api, ptr_as_uninit)]
use std::alloc::{Allocator, Layout, Global};
use std::mem::MaybeUninit;
use std::ptr::NonNull;
let memory: NonNull<[u8]> = Global.allocate(Layout::new::<[u8; 32]>())?;
// This is safe as `memory` is valid for reads and writes for `memory.len()` many bytes.
// Note that calling `memory.as_mut()` is not allowed here as the content may be uninitialized.
let slice: &mut [MaybeUninit<u8>] = unsafe { memory.as_uninit_slice_mut() };
Runsourcepub unsafe fn get_unchecked_mut<I>(
self,
index: I
) -> NonNull<<I as SliceIndex<[T]>>::Output>where
I: SliceIndex<[T]>,
🔬This is a nightly-only experimental API. (slice_ptr_get
#74265)
pub unsafe fn get_unchecked_mut<I>(
self,
index: I
) -> NonNull<<I as SliceIndex<[T]>>::Output>where
I: SliceIndex<[T]>,
slice_ptr_get
#74265)Returns a raw pointer to an element or subslice, without doing bounds checking.
Calling this method with an out-of-bounds index or when self
is not dereferenceable
is undefined behavior even if the resulting pointer is not used.
§Examples
#![feature(slice_ptr_get)]
use std::ptr::NonNull;
let x = &mut [1, 2, 4];
let x = NonNull::slice_from_raw_parts(NonNull::new(x.as_mut_ptr()).unwrap(), x.len());
unsafe {
assert_eq!(x.get_unchecked_mut(1).as_ptr(), x.as_non_null_ptr().as_ptr().add(1));
}
RunTrait Implementations§
source§impl<T> Ord for NonNull<T>where
T: ?Sized,
impl<T> Ord for NonNull<T>where
T: ?Sized,
1.21.0 · source§fn max(self, other: Self) -> Selfwhere
Self: Sized,
fn max(self, other: Self) -> Selfwhere
Self: Sized,
source§impl<T> PartialEq for NonNull<T>where
T: ?Sized,
impl<T> PartialEq for NonNull<T>where
T: ?Sized,
source§impl<T> PartialOrd for NonNull<T>where
T: ?Sized,
impl<T> PartialOrd for NonNull<T>where
T: ?Sized,
1.0.0 · source§fn le(&self, other: &Rhs) -> bool
fn le(&self, other: &Rhs) -> bool
self
and other
) and is used by the <=
operator. Read moreimpl<T, U> CoerceUnsized<NonNull<U>> for NonNull<T>
impl<T> Copy for NonNull<T>where
T: ?Sized,
impl<T, U> DispatchFromDyn<NonNull<U>> for NonNull<T>
impl<T> Eq for NonNull<T>where
T: ?Sized,
impl<T> !Send for NonNull<T>where
T: ?Sized,
NonNull
pointers are not Send
because the data they reference may be aliased.
impl<T> !Sync for NonNull<T>where
T: ?Sized,
NonNull
pointers are not Sync
because the data they reference may be aliased.