Creates a new NonNull that is dangling, but well-aligned.

This is useful for initializing types which lazily allocate, like Vec::new does.

Note that the address of the returned pointer may potentially be that of a valid pointer, which means this must not be used as a “not yet initialized” sentinel value. Types that lazily allocate must track initialization by some other means.

§Examples

use std::ptr::NonNull;

let ptr = NonNull::<u32>::dangling();
// Important: don't try to access the value of `ptr` without
// initializing it first! The pointer is not null but isn't valid either!

Returns a shared references to the value. In contrast to as_ref, this does not require that the value has to be initialized.

For the mutable counterpart see as_uninit_mut.

§Safety

When calling this method, you have to ensure that the pointer is convertible to a reference. Note that because the created reference is to MaybeUninit<T>, the source pointer can point to uninitialized memory.

Returns a unique references to the value. In contrast to as_mut, this does not require that the value has to be initialized.

For the shared counterpart see as_uninit_ref.

§Safety

When calling this method, you have to ensure that the pointer is convertible to a reference. Note that because the created reference is to MaybeUninit<T>, the source pointer can point to uninitialized memory.

Creates a new NonNull.

§Safety

ptr must be non-null.

§Examples

use std::ptr::NonNull;

let mut x = 0u32;
let ptr = unsafe { NonNull::new_unchecked(&mut x as *mut _) };

Incorrect usage of this function:

use std::ptr::NonNull;

// NEVER DO THAT!!! This is undefined behavior. ⚠️
let ptr = unsafe { NonNull::<u32>::new_unchecked(std::ptr::null_mut()) };

Creates a new NonNull if ptr is non-null.

§Panics during const evaluation

This method will panic during const evaluation if the pointer cannot be determined to be null or not. See is_null for more information.

§Examples

use std::ptr::NonNull;

let mut x = 0u32;
let ptr = NonNull::<u32>::new(&mut x as *mut _).expect("ptr is null!");

if let Some(ptr) = NonNull::<u32>::new(std::ptr::null_mut()) {
    unreachable!();
}

Decompose a (possibly wide) pointer into its data pointer and metadata components.

The pointer can be later reconstructed with NonNull::from_raw_parts.

Gets the “address” portion of the pointer.

For more details, see the equivalent method on a raw pointer, pointer::addr.

This is a Strict Provenance API.

Acquires the underlying *mut pointer.

§Examples

use std::ptr::NonNull;

let mut x = 0u32;
let ptr = NonNull::new(&mut x).expect("ptr is null!");

let x_value = unsafe { *ptr.as_ptr() };
assert_eq!(x_value, 0);

unsafe { *ptr.as_ptr() += 2; }
let x_value = unsafe { *ptr.as_ptr() };
assert_eq!(x_value, 2);

Returns a shared reference to the value. If the value may be uninitialized, as_uninit_ref must be used instead.

For the mutable counterpart see as_mut.

§Safety

When calling this method, you have to ensure that the pointer is convertible to a reference.

§Examples

use std::ptr::NonNull;

let mut x = 0u32;
let ptr = NonNull::new(&mut x as *mut _).expect("ptr is null!");

let ref_x = unsafe { ptr.as_ref() };
println!("{ref_x}");

Returns a unique reference to the value. If the value may be uninitialized, as_uninit_mut must be used instead.

For the shared counterpart see as_ref.

§Safety

When calling this method, you have to ensure that the pointer is convertible to a reference.

§Examples

use std::ptr::NonNull;

let mut x = 0u32;
let mut ptr = NonNull::new(&mut x).expect("null pointer");

let x_ref = unsafe { ptr.as_mut() };
assert_eq!(*x_ref, 0);
*x_ref += 2;
assert_eq!(*x_ref, 2);

Casts to a pointer of another type.

§Examples

use std::ptr::NonNull;

let mut x = 0u32;
let ptr = NonNull::new(&mut x as *mut _).expect("null pointer");

let casted_ptr = ptr.cast::<i8>();
let raw_ptr: *mut i8 = casted_ptr.as_ptr();

Try to cast to a pointer of another type by checking alignment.

If the pointer is properly aligned to the target type, it will be cast to the target type. Otherwise, None is returned.

§Examples

#![feature(pointer_try_cast_aligned)]
use std::ptr::NonNull;

let mut x = 0u64;

let aligned = NonNull::from_mut(&mut x);
let unaligned = unsafe { aligned.byte_add(1) };

assert!(aligned.try_cast_aligned::<u32>().is_some());
assert!(unaligned.try_cast_aligned::<u32>().is_none());

Adds an offset to a pointer.

count is in units of T; e.g., a count of 3 represents a pointer offset of 3 * size_of::<T>() bytes.

§Safety

If any of the following conditions are violated, the result is Undefined Behavior:

• The computed offset, count * size_of::<T>() bytes, must not overflow isize.

• If the computed offset is non-zero, then self must be derived from a pointer to some allocation, and the entire memory range between self and the result must be in bounds of that allocation. In particular, this range must not “wrap around” the edge of the address space.

Allocations can never be larger than isize::MAX bytes, so if the computed offset stays in bounds of the allocation, it is guaranteed to satisfy the first requirement. This implies, for instance, that vec.as_ptr().add(vec.len()) (for vec: Vec<T>) is always safe.

§Examples

use std::ptr::NonNull;

let mut s = [1, 2, 3];
let ptr: NonNull<u32> = NonNull::new(s.as_mut_ptr()).unwrap();

unsafe {
    println!("{}", ptr.offset(1).read());
    println!("{}", ptr.offset(2).read());
}

Calculates the offset from a pointer in bytes.

count is in units of bytes.

This is purely a convenience for casting to a u8 pointer and using offset on it. See that method for documentation and safety requirements.

For non-Sized pointees this operation changes only the data pointer, leaving the metadata untouched.

Adds an offset to a pointer (convenience for .offset(count as isize)).

count is in units of T; e.g., a count of 3 represents a pointer offset of 3 * size_of::<T>() bytes.

§Safety

If any of the following conditions are violated, the result is Undefined Behavior:

• The computed offset, count * size_of::<T>() bytes, must not overflow isize.

• If the computed offset is non-zero, then self must be derived from a pointer to some allocation, and the entire memory range between self and the result must be in bounds of that allocation. In particular, this range must not “wrap around” the edge of the address space.

Allocations can never be larger than isize::MAX bytes, so if the computed offset stays in bounds of the allocation, it is guaranteed to satisfy the first requirement. This implies, for instance, that vec.as_ptr().add(vec.len()) (for vec: Vec<T>) is always safe.

§Examples

use std::ptr::NonNull;

let s: &str = "123";
let ptr: NonNull<u8> = NonNull::new(s.as_ptr().cast_mut()).unwrap();

unsafe {
    println!("{}", ptr.add(1).read() as char);
    println!("{}", ptr.add(2).read() as char);
}

Calculates the offset from a pointer in bytes (convenience for .byte_offset(count as isize)).

count is in units of bytes.

This is purely a convenience for casting to a u8 pointer and using add on it. See that method for documentation and safety requirements.

For non-Sized pointees this operation changes only the data pointer, leaving the metadata untouched.

Subtracts an offset from a pointer (convenience for .offset((count as isize).wrapping_neg())).

count is in units of T; e.g., a count of 3 represents a pointer offset of 3 * size_of::<T>() bytes.

§Safety

If any of the following conditions are violated, the result is Undefined Behavior:

• The computed offset, count * size_of::<T>() bytes, must not overflow isize.

• If the computed offset is non-zero, then self must be derived from a pointer to some allocation, and the entire memory range between self and the result must be in bounds of that allocation. In particular, this range must not “wrap around” the edge of the address space.

Allocations can never be larger than isize::MAX bytes, so if the computed offset stays in bounds of the allocation, it is guaranteed to satisfy the first requirement. This implies, for instance, that vec.as_ptr().add(vec.len()) (for vec: Vec<T>) is always safe.

§Examples

use std::ptr::NonNull;

let s: &str = "123";

unsafe {
    let end: NonNull<u8> = NonNull::new(s.as_ptr().cast_mut()).unwrap().add(3);
    println!("{}", end.sub(1).read() as char);
    println!("{}", end.sub(2).read() as char);
}

Calculates the offset from a pointer in bytes (convenience for .byte_offset((count as isize).wrapping_neg())).

count is in units of bytes.

This is purely a convenience for casting to a u8 pointer and using sub on it. See that method for documentation and safety requirements.

For non-Sized pointees this operation changes only the data pointer, leaving the metadata untouched.

Calculates the distance between two pointers within the same allocation. The returned value is in units of T: the distance in bytes divided by size_of::<T>().

This is equivalent to (self as isize - origin as isize) / (size_of::<T>() as isize), except that it has a lot more opportunities for UB, in exchange for the compiler better understanding what you are doing.

The primary motivation of this method is for computing the len of an array/slice of T that you are currently representing as a “start” and “end” pointer (and “end” is “one past the end” of the array). In that case, end.offset_from(start) gets you the length of the array.

All of the following safety requirements are trivially satisfied for this usecase.

§Safety

If any of the following conditions are violated, the result is Undefined Behavior:

• self and origin must either

  • point to the same address, or
  • both be derived from a pointer to the same allocation, and the memory range between the two pointers must be in bounds of that object. (See below for an example.)

• The distance between the pointers, in bytes, must be an exact multiple of the size of T.

As a consequence, the absolute distance between the pointers, in bytes, computed on mathematical integers (without “wrapping around”), cannot overflow an isize. This is implied by the in-bounds requirement, and the fact that no allocation can be larger than isize::MAX bytes.

The requirement for pointers to be derived from the same allocation is primarily needed for const-compatibility: the distance between pointers into different allocated objects is not known at compile-time. However, the requirement also exists at runtime and may be exploited by optimizations. If you wish to compute the difference between pointers that are not guaranteed to be from the same allocation, use (self as isize - origin as isize) / size_of::<T>().

§Panics

This function panics if T is a Zero-Sized Type (“ZST”).

§Examples

Basic usage:

use std::ptr::NonNull;

let a = [0; 5];
let ptr1: NonNull<u32> = NonNull::from(&a[1]);
let ptr2: NonNull<u32> = NonNull::from(&a[3]);
unsafe {
    assert_eq!(ptr2.offset_from(ptr1), 2);
    assert_eq!(ptr1.offset_from(ptr2), -2);
    assert_eq!(ptr1.offset(2), ptr2);
    assert_eq!(ptr2.offset(-2), ptr1);
}

Incorrect usage:

use std::ptr::NonNull;

let ptr1 = NonNull::new(Box::into_raw(Box::new(0u8))).unwrap();
let ptr2 = NonNull::new(Box::into_raw(Box::new(1u8))).unwrap();
let diff = (ptr2.addr().get() as isize).wrapping_sub(ptr1.addr().get() as isize);
// Make ptr2_other an "alias" of ptr2.add(1), but derived from ptr1.
let diff_plus_1 = diff.wrapping_add(1);
let ptr2_other = NonNull::new(ptr1.as_ptr().wrapping_byte_offset(diff_plus_1)).unwrap();
assert_eq!(ptr2.addr(), ptr2_other.addr());
// Since ptr2_other and ptr2 are derived from pointers to different objects,
// computing their offset is undefined behavior, even though
// they point to addresses that are in-bounds of the same object!

let one = unsafe { ptr2_other.offset_from(ptr2) }; // Undefined Behavior! ⚠️

Calculates the distance between two pointers within the same allocation. The returned value is in units of bytes.

This is purely a convenience for casting to a u8 pointer and using offset_from on it. See that method for documentation and safety requirements.

For non-Sized pointees this operation considers only the data pointers, ignoring the metadata.

Calculates the distance between two pointers within the same allocation, where it’s known that self is equal to or greater than origin. The returned value is in units of T: the distance in bytes is divided by size_of::<T>().

This computes the same value that offset_from would compute, but with the added precondition that the offset is guaranteed to be non-negative. This method is equivalent to usize::try_from(self.offset_from(origin)).unwrap_unchecked(), but it provides slightly more information to the optimizer, which can sometimes allow it to optimize slightly better with some backends.

This method can be though of as recovering the count that was passed to add (or, with the parameters in the other order, to sub). The following are all equivalent, assuming that their safety preconditions are met:

ptr.offset_from_unsigned(origin) == count
origin.add(count) == ptr
ptr.sub(count) == origin

§Safety

• The distance between the pointers must be non-negative (self >= origin)

• All the safety conditions of offset_from apply to this method as well; see it for the full details.

Importantly, despite the return type of this method being able to represent a larger offset, it’s still not permitted to pass pointers which differ by more than isize::MAX bytes. As such, the result of this method will always be less than or equal to isize::MAX as usize.

§Panics

This function panics if T is a Zero-Sized Type (“ZST”).

§Examples

use std::ptr::NonNull;

let a = [0; 5];
let ptr1: NonNull<u32> = NonNull::from(&a[1]);
let ptr2: NonNull<u32> = NonNull::from(&a[3]);
unsafe {
    assert_eq!(ptr2.offset_from_unsigned(ptr1), 2);
    assert_eq!(ptr1.add(2), ptr2);
    assert_eq!(ptr2.sub(2), ptr1);
    assert_eq!(ptr2.offset_from_unsigned(ptr2), 0);
}

// This would be incorrect, as the pointers are not correctly ordered:
// ptr1.offset_from_unsigned(ptr2)

Calculates the distance between two pointers within the same allocation, where it’s known that self is equal to or greater than origin. The returned value is in units of bytes.

This is purely a convenience for casting to a u8 pointer and using offset_from_unsigned on it. See that method for documentation and safety requirements.

For non-Sized pointees this operation considers only the data pointers, ignoring the metadata.

Reads the value from self without moving it. This leaves the memory in self unchanged.

See ptr::read for safety concerns and examples.

Performs a volatile read of the value from self without moving it. This leaves the memory in self unchanged.

Volatile operations are intended to act on I/O memory, and are guaranteed to not be elided or reordered by the compiler across other volatile operations.

See ptr::read_volatile for safety concerns and examples.

Reads the value from self without moving it. This leaves the memory in self unchanged.

Unlike read, the pointer may be unaligned.

See ptr::read_unaligned for safety concerns and examples.

Copies count * size_of::<T>() bytes from self to dest. The source and destination may overlap.

NOTE: this has the same argument order as ptr::copy.

See ptr::copy for safety concerns and examples.

Copies count * size_of::<T>() bytes from src to self. The source and destination may overlap.

NOTE: this has the opposite argument order of ptr::copy.

See ptr::copy for safety concerns and examples.

Executes the destructor (if any) of the pointed-to value.

See ptr::drop_in_place for safety concerns and examples.

Overwrites a memory location with the given value without reading or dropping the old value.

See ptr::write for safety concerns and examples.

Invokes memset on the specified pointer, setting count * size_of::<T>() bytes of memory starting at self to val.

See ptr::write_bytes for safety concerns and examples.

Performs a volatile write of a memory location with the given value without reading or dropping the old value.

Volatile operations are intended to act on I/O memory, and are guaranteed to not be elided or reordered by the compiler across other volatile operations.

See ptr::write_volatile for safety concerns and examples.

Overwrites a memory location with the given value without reading or dropping the old value.

Unlike write, the pointer may be unaligned.

See ptr::write_unaligned for safety concerns and examples.

Replaces the value at self with src, returning the old value, without dropping either.

See ptr::replace for safety concerns and examples.

Swaps the values at two mutable locations of the same type, without deinitializing either. They may overlap, unlike mem::swap which is otherwise equivalent.

See ptr::swap for safety concerns and examples.

Computes the offset that needs to be applied to the pointer in order to make it aligned to align.

If it is not possible to align the pointer, the implementation returns usize::MAX.

The offset is expressed in number of T elements, and not bytes.

There are no guarantees whatsoever that offsetting the pointer will not overflow or go beyond the allocation that the pointer points into. It is up to the caller to ensure that the returned offset is correct in all terms other than alignment.

When this is called during compile-time evaluation (which is unstable), the implementation may return usize::MAX in cases where that can never happen at runtime. This is because the actual alignment of pointers is not known yet during compile-time, so an offset with guaranteed alignment can sometimes not be computed. For example, a buffer declared as [u8; N] might be allocated at an odd or an even address, but at compile-time this is not yet known, so the execution has to be correct for either choice. It is therefore impossible to find an offset that is guaranteed to be 2-aligned. (This behavior is subject to change, as usual for unstable APIs.)

§Panics

The function panics if align is not a power-of-two.

§Examples

Accessing adjacent u8 as u16

use std::ptr::NonNull;

let x = [5_u8, 6, 7, 8, 9];
let ptr = NonNull::new(x.as_ptr() as *mut u8).unwrap();
let offset = ptr.align_offset(align_of::<u16>());

if offset < x.len() - 1 {
    let u16_ptr = ptr.add(offset).cast::<u16>();
    assert!(u16_ptr.read() == u16::from_ne_bytes([5, 6]) || u16_ptr.read() == u16::from_ne_bytes([6, 7]));
} else {
    // while the pointer can be aligned via `offset`, it would point
    // outside the allocation
}

Returns whether the pointer is properly aligned for T.

§Examples

use std::ptr::NonNull;

// On some platforms, the alignment of i32 is less than 4.
#[repr(align(4))]
struct AlignedI32(i32);

let data = AlignedI32(42);
let ptr = NonNull::<AlignedI32>::from(&data);

assert!(ptr.is_aligned());
assert!(!NonNull::new(ptr.as_ptr().wrapping_byte_add(1)).unwrap().is_aligned());

Returns whether the pointer is aligned to align.

For non-Sized pointees this operation considers only the data pointer, ignoring the metadata.

§Panics

The function panics if align is not a power-of-two (this includes 0).

§Examples

#![feature(pointer_is_aligned_to)]

// On some platforms, the alignment of i32 is less than 4.
#[repr(align(4))]
struct AlignedI32(i32);

let data = AlignedI32(42);
let ptr = &data as *const AlignedI32;

assert!(ptr.is_aligned_to(1));
assert!(ptr.is_aligned_to(2));
assert!(ptr.is_aligned_to(4));

assert!(ptr.wrapping_byte_add(2).is_aligned_to(2));
assert!(!ptr.wrapping_byte_add(2).is_aligned_to(4));

assert_ne!(ptr.is_aligned_to(8), ptr.wrapping_add(1).is_aligned_to(8));

Casts from a maybe-uninitialized type to its initialized version.

This is always safe, since UB can only occur if the pointer is read before being initialized.

Creates a non-null raw slice from a thin pointer and a length.

The len argument is the number of elements, not the number of bytes.

This function is safe, but dereferencing the return value is unsafe. See the documentation of slice::from_raw_parts for slice safety requirements.

§Examples

use std::ptr::NonNull;

// create a slice pointer when starting out with a pointer to the first element
let mut x = [5, 6, 7];
let nonnull_pointer = NonNull::new(x.as_mut_ptr()).unwrap();
let slice = NonNull::slice_from_raw_parts(nonnull_pointer, 3);
assert_eq!(unsafe { slice.as_ref()[2] }, 7);

(Note that this example artificially demonstrates a use of this method, but let slice = NonNull::from(&x[..]); would be a better way to write code like this.)

Returns the length of a non-null raw slice.

The returned value is the number of elements, not the number of bytes.

This function is safe, even when the non-null raw slice cannot be dereferenced to a slice because the pointer does not have a valid address.

§Examples

use std::ptr::NonNull;

let slice: NonNull<[i8]> = NonNull::slice_from_raw_parts(NonNull::dangling(), 3);
assert_eq!(slice.len(), 3);

Returns true if the non-null raw slice has a length of 0.

§Examples

use std::ptr::NonNull;

let slice: NonNull<[i8]> = NonNull::slice_from_raw_parts(NonNull::dangling(), 3);
assert!(!slice.is_empty());

Returns a non-null pointer to the slice’s buffer.

§Examples

#![feature(slice_ptr_get)]
use std::ptr::NonNull;

let slice: NonNull<[i8]> = NonNull::slice_from_raw_parts(NonNull::dangling(), 3);
assert_eq!(slice.as_non_null_ptr(), NonNull::<i8>::dangling());

Returns a raw pointer to the slice’s buffer.

§Examples

#![feature(slice_ptr_get)]
use std::ptr::NonNull;

let slice: NonNull<[i8]> = NonNull::slice_from_raw_parts(NonNull::dangling(), 3);
assert_eq!(slice.as_mut_ptr(), NonNull::<i8>::dangling().as_ptr());

Returns a shared reference to a slice of possibly uninitialized values. In contrast to as_ref, this does not require that the value has to be initialized.

For the mutable counterpart see as_uninit_slice_mut.

§Safety

When calling this method, you have to ensure that all of the following is true:

• The pointer must be valid for reads for ptr.len() * size_of::<T>() many bytes, and it must be properly aligned. This means in particular:

  • The entire memory range of this slice must be contained within a single allocation! Slices can never span across multiple allocations.

  • The pointer must be aligned even for zero-length slices. One reason for this is that enum layout optimizations may rely on references (including slices of any length) being aligned and non-null to distinguish them from other data. You can obtain a pointer that is usable as data for zero-length slices using NonNull::dangling().

• The total size ptr.len() * size_of::<T>() of the slice must be no larger than isize::MAX. See the safety documentation of pointer::offset.

• You must enforce Rust’s aliasing rules, since the returned lifetime 'a is arbitrarily chosen and does not necessarily reflect the actual lifetime of the data. In particular, while this reference exists, the memory the pointer points to must not get mutated (except inside UnsafeCell).

This applies even if the result of this method is unused!

See also slice::from_raw_parts.

Returns a unique reference to a slice of possibly uninitialized values. In contrast to as_mut, this does not require that the value has to be initialized.

For the shared counterpart see as_uninit_slice.

§Safety

When calling this method, you have to ensure that all of the following is true:

• The pointer must be valid for reads and writes for ptr.len() * size_of::<T>() many bytes, and it must be properly aligned. This means in particular:

  • The entire memory range of this slice must be contained within a single allocation! Slices can never span across multiple allocations.

  • The pointer must be aligned even for zero-length slices. One reason for this is that enum layout optimizations may rely on references (including slices of any length) being aligned and non-null to distinguish them from other data. You can obtain a pointer that is usable as data for zero-length slices using NonNull::dangling().

• The total size ptr.len() * size_of::<T>() of the slice must be no larger than isize::MAX. See the safety documentation of pointer::offset.

• You must enforce Rust’s aliasing rules, since the returned lifetime 'a is arbitrarily chosen and does not necessarily reflect the actual lifetime of the data. In particular, while this reference exists, the memory the pointer points to must not get accessed (read or written) through any other pointer.

This applies even if the result of this method is unused!

See also slice::from_raw_parts_mut.

§Examples

#![feature(allocator_api, ptr_as_uninit)]

use std::alloc::{Allocator, Layout, Global};
use std::mem::MaybeUninit;
use std::ptr::NonNull;

let memory: NonNull<[u8]> = Global.allocate(Layout::new::<[u8; 32]>())?;
// This is safe as `memory` is valid for reads and writes for `memory.len()` many bytes.
// Note that calling `memory.as_mut()` is not allowed here as the content may be uninitialized.
let slice: &mut [MaybeUninit<u8>] = unsafe { memory.as_uninit_slice_mut() };

Returns a raw pointer to an element or subslice, without doing bounds checking.

Calling this method with an out-of-bounds index or when self is not dereferenceable is undefined behavior even if the resulting pointer is not used.

§Examples

#![feature(slice_ptr_get)]
use std::ptr::NonNull;

let x = &mut [1, 2, 4];
let x = NonNull::slice_from_raw_parts(NonNull::new(x.as_mut_ptr()).unwrap(), x.len());

unsafe {
    assert_eq!(x.get_unchecked_mut(1).as_ptr(), x.as_non_null_ptr().as_ptr().add(1));
}

Converts a &T to a NonNull<T>.

This conversion is safe and infallible since references cannot be null.

Converts a &mut T to a NonNull<T>.

This conversion is safe and infallible since references cannot be null.