#[repr(transparent)]pub struct NonNull<T> where
T: ?Sized, { /* fields omitted */ }
Expand description
*mut T
but non-zero and covariant.
This is often the correct thing to use when building data structures using
raw pointers, but is ultimately more dangerous to use because of its additional
properties. If you’re not sure if you should use NonNull<T>
, just use *mut T
!
Unlike *mut T
, the pointer must always be non-null, even if the pointer
is never dereferenced. This is so that enums may use this forbidden value
as a discriminant – Option<NonNull<T>>
has the same size as *mut T
.
However the pointer may still dangle if it isn’t dereferenced.
Unlike *mut T
, NonNull<T>
was chosen to be covariant over T
. This makes it
possible to use NonNull<T>
when building covariant types, but introduces the
risk of unsoundness if used in a type that shouldn’t actually be covariant.
(The opposite choice was made for *mut T
even though technically the unsoundness
could only be caused by calling unsafe functions.)
Covariance is correct for most safe abstractions, such as Box
, Rc
, Arc
, Vec
,
and LinkedList
. This is the case because they provide a public API that follows the
normal shared XOR mutable rules of Rust.
If your type cannot safely be covariant, you must ensure it contains some
additional field to provide invariance. Often this field will be a PhantomData
type like PhantomData<Cell<T>>
or PhantomData<&'a mut T>
.
Notice that NonNull<T>
has a From
instance for &T
. However, this does
not change the fact that mutating through a (pointer derived from a) shared
reference is undefined behavior unless the mutation happens inside an
UnsafeCell<T>
. The same goes for creating a mutable reference from a shared
reference. When using this From
instance without an UnsafeCell<T>
,
it is your responsibility to ensure that as_mut
is never called, and as_ptr
is never used for mutation.
Implementations
Creates a new NonNull
that is dangling, but well-aligned.
This is useful for initializing types which lazily allocate, like
Vec::new
does.
Note that the pointer value may potentially represent a valid pointer to
a T
, which means this must not be used as a “not yet initialized”
sentinel value. Types that lazily allocate must track initialization by
some other means.
Examples
use std::ptr::NonNull;
let ptr = NonNull::<u32>::dangling();
// Important: don't try to access the value of `ptr` without
// initializing it first! The pointer is not null but isn't valid either!
RunReturns a shared references to the value. In contrast to as_ref
, this does not require
that the value has to be initialized.
For the mutable counterpart see as_uninit_mut
.
Safety
When calling this method, you have to ensure that all of the following is true:
-
The pointer must be properly aligned.
-
It must be “dereferenceable” in the sense defined in the module documentation.
-
You must enforce Rust’s aliasing rules, since the returned lifetime
'a
is arbitrarily chosen and does not necessarily reflect the actual lifetime of the data. In particular, for the duration of this lifetime, the memory the pointer points to must not get mutated (except insideUnsafeCell
).
This applies even if the result of this method is unused!
Returns a unique references to the value. In contrast to as_mut
, this does not require
that the value has to be initialized.
For the shared counterpart see as_uninit_ref
.
Safety
When calling this method, you have to ensure that all of the following is true:
-
The pointer must be properly aligned.
-
It must be “dereferenceable” in the sense defined in the module documentation.
-
You must enforce Rust’s aliasing rules, since the returned lifetime
'a
is arbitrarily chosen and does not necessarily reflect the actual lifetime of the data. In particular, for the duration of this lifetime, the memory the pointer points to must not get accessed (read or written) through any other pointer.
This applies even if the result of this method is unused!
Creates a new NonNull
.
Safety
ptr
must be non-null.
Examples
use std::ptr::NonNull;
let mut x = 0u32;
let ptr = unsafe { NonNull::new_unchecked(&mut x as *mut _) };
RunIncorrect usage of this function:
use std::ptr::NonNull;
// NEVER DO THAT!!! This is undefined behavior. ⚠️
let ptr = unsafe { NonNull::<u32>::new_unchecked(std::ptr::null_mut()) };
RunPerforms the same functionality as std::ptr::from_raw_parts
, except that a
NonNull
pointer is returned, as opposed to a raw *const
pointer.
See the documentation of std::ptr::from_raw_parts
for more details.
Decompose a (possibly wide) pointer into its address and metadata components.
The pointer can be later reconstructed with NonNull::from_raw_parts
.
Acquires the underlying *mut
pointer.
Examples
use std::ptr::NonNull;
let mut x = 0u32;
let ptr = NonNull::new(&mut x).expect("ptr is null!");
let x_value = unsafe { *ptr.as_ptr() };
assert_eq!(x_value, 0);
unsafe { *ptr.as_ptr() += 2; }
let x_value = unsafe { *ptr.as_ptr() };
assert_eq!(x_value, 2);
RunReturns a shared reference to the value. If the value may be uninitialized, as_uninit_ref
must be used instead.
For the mutable counterpart see as_mut
.
Safety
When calling this method, you have to ensure that all of the following is true:
-
The pointer must be properly aligned.
-
It must be “dereferenceable” in the sense defined in the module documentation.
-
The pointer must point to an initialized instance of
T
. -
You must enforce Rust’s aliasing rules, since the returned lifetime
'a
is arbitrarily chosen and does not necessarily reflect the actual lifetime of the data. In particular, for the duration of this lifetime, the memory the pointer points to must not get mutated (except insideUnsafeCell
).
This applies even if the result of this method is unused! (The part about being initialized is not yet fully decided, but until it is, the only safe approach is to ensure that they are indeed initialized.)
Examples
use std::ptr::NonNull;
let mut x = 0u32;
let ptr = NonNull::new(&mut x as *mut _).expect("ptr is null!");
let ref_x = unsafe { ptr.as_ref() };
println!("{}", ref_x);
RunReturns a unique reference to the value. If the value may be uninitialized, as_uninit_mut
must be used instead.
For the shared counterpart see as_ref
.
Safety
When calling this method, you have to ensure that all of the following is true:
-
The pointer must be properly aligned.
-
It must be “dereferenceable” in the sense defined in the module documentation.
-
The pointer must point to an initialized instance of
T
. -
You must enforce Rust’s aliasing rules, since the returned lifetime
'a
is arbitrarily chosen and does not necessarily reflect the actual lifetime of the data. In particular, for the duration of this lifetime, the memory the pointer points to must not get accessed (read or written) through any other pointer.
This applies even if the result of this method is unused! (The part about being initialized is not yet fully decided, but until it is, the only safe approach is to ensure that they are indeed initialized.)
Examples
use std::ptr::NonNull;
let mut x = 0u32;
let mut ptr = NonNull::new(&mut x).expect("null pointer");
let x_ref = unsafe { ptr.as_mut() };
assert_eq!(*x_ref, 0);
*x_ref += 2;
assert_eq!(*x_ref, 2);
RunCreates a non-null raw slice from a thin pointer and a length.
The len
argument is the number of elements, not the number of bytes.
This function is safe, but dereferencing the return value is unsafe.
See the documentation of slice::from_raw_parts
for slice safety requirements.
Examples
#![feature(nonnull_slice_from_raw_parts)]
use std::ptr::NonNull;
// create a slice pointer when starting out with a pointer to the first element
let mut x = [5, 6, 7];
let nonnull_pointer = NonNull::new(x.as_mut_ptr()).unwrap();
let slice = NonNull::slice_from_raw_parts(nonnull_pointer, 3);
assert_eq!(unsafe { slice.as_ref()[2] }, 7);
Run(Note that this example artificially demonstrates a use of this method,
but let slice = NonNull::from(&x[..]);
would be a better way to write code like this.)
Returns the length of a non-null raw slice.
The returned value is the number of elements, not the number of bytes.
This function is safe, even when the non-null raw slice cannot be dereferenced to a slice because the pointer does not have a valid address.
Examples
#![feature(slice_ptr_len, nonnull_slice_from_raw_parts)]
use std::ptr::NonNull;
let slice: NonNull<[i8]> = NonNull::slice_from_raw_parts(NonNull::dangling(), 3);
assert_eq!(slice.len(), 3);
RunReturns a shared reference to a slice of possibly uninitialized values. In contrast to
as_ref
, this does not require that the value has to be initialized.
For the mutable counterpart see as_uninit_slice_mut
.
Safety
When calling this method, you have to ensure that all of the following is true:
-
The pointer must be valid for reads for
ptr.len() * mem::size_of::<T>()
many bytes, and it must be properly aligned. This means in particular:-
The entire memory range of this slice must be contained within a single allocated object! Slices can never span across multiple allocated objects.
-
The pointer must be aligned even for zero-length slices. One reason for this is that enum layout optimizations may rely on references (including slices of any length) being aligned and non-null to distinguish them from other data. You can obtain a pointer that is usable as
data
for zero-length slices usingNonNull::dangling()
.
-
-
The total size
ptr.len() * mem::size_of::<T>()
of the slice must be no larger thanisize::MAX
. See the safety documentation ofpointer::offset
. -
You must enforce Rust’s aliasing rules, since the returned lifetime
'a
is arbitrarily chosen and does not necessarily reflect the actual lifetime of the data. In particular, for the duration of this lifetime, the memory the pointer points to must not get mutated (except insideUnsafeCell
).
This applies even if the result of this method is unused!
See also slice::from_raw_parts
.
Returns a unique reference to a slice of possibly uninitialized values. In contrast to
as_mut
, this does not require that the value has to be initialized.
For the shared counterpart see as_uninit_slice
.
Safety
When calling this method, you have to ensure that all of the following is true:
-
The pointer must be valid for reads and writes for
ptr.len() * mem::size_of::<T>()
many bytes, and it must be properly aligned. This means in particular:-
The entire memory range of this slice must be contained within a single allocated object! Slices can never span across multiple allocated objects.
-
The pointer must be aligned even for zero-length slices. One reason for this is that enum layout optimizations may rely on references (including slices of any length) being aligned and non-null to distinguish them from other data. You can obtain a pointer that is usable as
data
for zero-length slices usingNonNull::dangling()
.
-
-
The total size
ptr.len() * mem::size_of::<T>()
of the slice must be no larger thanisize::MAX
. See the safety documentation ofpointer::offset
. -
You must enforce Rust’s aliasing rules, since the returned lifetime
'a
is arbitrarily chosen and does not necessarily reflect the actual lifetime of the data. In particular, for the duration of this lifetime, the memory the pointer points to must not get accessed (read or written) through any other pointer.
This applies even if the result of this method is unused!
See also slice::from_raw_parts_mut
.
Examples
#![feature(allocator_api, ptr_as_uninit)]
use std::alloc::{Allocator, Layout, Global};
use std::mem::MaybeUninit;
use std::ptr::NonNull;
let memory: NonNull<[u8]> = Global.allocate(Layout::new::<[u8; 32]>())?;
// This is safe as `memory` is valid for reads and writes for `memory.len()` many bytes.
// Note that calling `memory.as_mut()` is not allowed here as the content may be uninitialized.
let slice: &mut [MaybeUninit<u8>] = unsafe { memory.as_uninit_slice_mut() };
Runpub unsafe fn get_unchecked_mut<I>(
self,
index: I
) -> NonNull<<I as SliceIndex<[T]>>::Output> where
I: SliceIndex<[T]>,
pub unsafe fn get_unchecked_mut<I>(
self,
index: I
) -> NonNull<<I as SliceIndex<[T]>>::Output> where
I: SliceIndex<[T]>,
Returns a raw pointer to an element or subslice, without doing bounds checking.
Calling this method with an out-of-bounds index or when self
is not dereferenceable
is undefined behavior even if the resulting pointer is not used.
Examples
#![feature(slice_ptr_get, nonnull_slice_from_raw_parts)]
use std::ptr::NonNull;
let x = &mut [1, 2, 4];
let x = NonNull::slice_from_raw_parts(NonNull::new(x.as_mut_ptr()).unwrap(), x.len());
unsafe {
assert_eq!(x.get_unchecked_mut(1).as_ptr(), x.as_non_null_ptr().as_ptr().add(1));
}
RunTrait Implementations
This method returns an ordering between self
and other
values if one exists. Read more
This method tests less than (for self
and other
) and is used by the <
operator. Read more
This method tests less than or equal to (for self
and other
) and is used by the <=
operator. Read more
This method tests greater than (for self
and other
) and is used by the >
operator. Read more
NonNull
pointers are not Send
because the data they reference may be aliased.
NonNull
pointers are not Sync
because the data they reference may be aliased.