Manually manage memory through raw pointers.
Many functions in this module take raw pointers as arguments and read from
or write to them. For this to be safe, these pointers must be valid.
Whether a pointer is valid depends on the operation it is used for
(read or write), and the extent of the memory that is accessed (i.e.,
how many bytes are read/written). Most functions use
*mut T and
to access only a single value, in which case the documentation omits the size
and implicitly assumes it to be
The precise rules for validity are not determined yet. The guarantees that are provided at this point are very minimal:
- A null pointer is never valid, not even for accesses of size zero.
- For a pointer to be valid, it is necessary, but not always sufficient, that the pointer be dereferenceable: the memory range of the given size starting at the pointer must all be within the bounds of a single allocated object. Note that in Rust, every (stack-allocated) variable is considered a separate allocated object.
- Even for operations of size zero, the pointer must not be pointing to deallocated
memory, i.e., deallocation makes pointers invalid even for zero-sized operations. However,
casting any non-zero integer literal to a pointer is valid for zero-sized accesses, even if
some memory happens to exist at that address and gets deallocated. This corresponds to writing
your own allocator: allocating zero-sized objects is not very hard. The canonical way to
obtain a pointer that is valid for zero-sized accesses is
- All accesses performed by functions in this module are non-atomic in the sense
of atomic operations used to synchronize between threads. This means it is
undefined behavior to perform two concurrent accesses to the same location from different
threads unless both accesses only read from memory. Notice that this explicitly
write_volatile: Volatile accesses cannot be used for inter-thread synchronization.
- The result of casting a reference to a pointer is valid for as long as the underlying object is live and no reference (just raw pointers) is used to access the same memory.
These axioms, along with careful use of
offset for pointer arithmetic,
are enough to correctly implement many useful things in unsafe code. Stronger guarantees
will be provided eventually, as the aliasing rules are being determined. For more
information, see the book as well as the section in the reference devoted
to undefined behavior.
Valid raw pointers as defined above are not necessarily properly aligned (where
“proper” alignment is defined by the pointee type, i.e.,
*const T must be
mem::align_of::<T>()). However, most functions require their
arguments to be properly aligned, and will explicitly state
this requirement in their documentation. Notable exceptions to this are
When a function requires proper alignment, it does so even if the access
has size 0, i.e., even if memory is not actually touched. Consider using
NonNull::dangling in such cases.
For several operations, such as
offset or field projections (
expr.field), the notion of an
“allocated object” becomes relevant. An allocated object is a contiguous region of memory.
Common examples of allocated objects include stack-allocated variables (each variable is a
separate allocated object), heap allocations (each allocation created by the global allocator is
a separate allocated object), and
const raw pointer to a place, without creating an intermediate reference.
mut raw pointer to a place, without creating an intermediate reference.
The metadata for a
Dyn = dyn SomeTrait trait object type.
*mut T but non-zero and covariant.
Provides the pointer metadata type of any pointed-to type.
Forms a (possibly-wide) raw pointer from a data address and metadata.
Performs the same functionality as
from_raw_parts, except that a
*mut pointer is returned, as opposed to a raw
Extract the metadata component of a pointer.
count * size_of::<T>() bytes from
dst. The source
and destination must not overlap.
Compares raw pointers for equality.
Hash a raw pointer.
Creates a null raw pointer.
Creates a null mutable raw pointer.
Performs a volatile read of the value from
src without moving it. This
leaves the memory in
Forms a raw slice from a pointer and a length.
Performs the same functionality as
slice_from_raw_parts, except that a
raw mutable slice is returned, as opposed to a raw immutable slice.
count * size_of::<T>() bytes between the two regions of memory
y. The two regions must not overlap.
Overwrites a memory location with the given value without reading or dropping the old value.