Struct std::ptr::NonNull

1.25.0 · source ·
#[repr(transparent)]
pub struct NonNull<T>where T: ?Sized,{ /* private fields */ }
Expand description

*mut T but non-zero and covariant.

This is often the correct thing to use when building data structures using raw pointers, but is ultimately more dangerous to use because of its additional properties. If you’re not sure if you should use NonNull<T>, just use *mut T!

Unlike *mut T, the pointer must always be non-null, even if the pointer is never dereferenced. This is so that enums may use this forbidden value as a discriminant – Option<NonNull<T>> has the same size as *mut T. However the pointer may still dangle if it isn’t dereferenced.

Unlike *mut T, NonNull<T> was chosen to be covariant over T. This makes it possible to use NonNull<T> when building covariant types, but introduces the risk of unsoundness if used in a type that shouldn’t actually be covariant. (The opposite choice was made for *mut T even though technically the unsoundness could only be caused by calling unsafe functions.)

Covariance is correct for most safe abstractions, such as Box, Rc, Arc, Vec, and LinkedList. This is the case because they provide a public API that follows the normal shared XOR mutable rules of Rust.

If your type cannot safely be covariant, you must ensure it contains some additional field to provide invariance. Often this field will be a PhantomData type like PhantomData<Cell<T>> or PhantomData<&'a mut T>.

Notice that NonNull<T> has a From instance for &T. However, this does not change the fact that mutating through a (pointer derived from a) shared reference is undefined behavior unless the mutation happens inside an UnsafeCell<T>. The same goes for creating a mutable reference from a shared reference. When using this From instance without an UnsafeCell<T>, it is your responsibility to ensure that as_mut is never called, and as_ptr is never used for mutation.

Representation

Thanks to the null pointer optimization, NonNull<T> and Option<NonNull<T>> are guaranteed to have the same size and alignment:

use std::ptr::NonNull;

assert_eq!(size_of::<NonNull<i16>>(), size_of::<Option<NonNull<i16>>>());
assert_eq!(align_of::<NonNull<i16>>(), align_of::<Option<NonNull<i16>>>());

assert_eq!(size_of::<NonNull<str>>(), size_of::<Option<NonNull<str>>>());
assert_eq!(align_of::<NonNull<str>>(), align_of::<Option<NonNull<str>>>());
Run

Implementations§

source§

impl<T> NonNull<T>

const: 1.36.0 · source

pub const fn dangling() -> NonNull<T>

Creates a new NonNull that is dangling, but well-aligned.

This is useful for initializing types which lazily allocate, like Vec::new does.

Note that the pointer value may potentially represent a valid pointer to a T, which means this must not be used as a “not yet initialized” sentinel value. Types that lazily allocate must track initialization by some other means.

Examples
use std::ptr::NonNull;

let ptr = NonNull::<u32>::dangling();
// Important: don't try to access the value of `ptr` without
// initializing it first! The pointer is not null but isn't valid either!
Run
const: unstable · source

pub unsafe fn as_uninit_ref<'a>(self) -> &'a MaybeUninit<T>

🔬This is a nightly-only experimental API. (ptr_as_uninit #75402)

Returns a shared references to the value. In contrast to as_ref, this does not require that the value has to be initialized.

For the mutable counterpart see as_uninit_mut.

Safety

When calling this method, you have to ensure that all of the following is true:

  • The pointer must be properly aligned.

  • It must be “dereferenceable” in the sense defined in the module documentation.

  • You must enforce Rust’s aliasing rules, since the returned lifetime 'a is arbitrarily chosen and does not necessarily reflect the actual lifetime of the data. In particular, while this reference exists, the memory the pointer points to must not get mutated (except inside UnsafeCell).

This applies even if the result of this method is unused!

const: unstable · source

pub unsafe fn as_uninit_mut<'a>(self) -> &'a mut MaybeUninit<T>

🔬This is a nightly-only experimental API. (ptr_as_uninit #75402)

Returns a unique references to the value. In contrast to as_mut, this does not require that the value has to be initialized.

For the shared counterpart see as_uninit_ref.

Safety

When calling this method, you have to ensure that all of the following is true:

  • The pointer must be properly aligned.

  • It must be “dereferenceable” in the sense defined in the module documentation.

  • You must enforce Rust’s aliasing rules, since the returned lifetime 'a is arbitrarily chosen and does not necessarily reflect the actual lifetime of the data. In particular, while this reference exists, the memory the pointer points to must not get accessed (read or written) through any other pointer.

This applies even if the result of this method is unused!

source§

impl<T> NonNull<T>where T: ?Sized,

const: 1.25.0 · source

pub const unsafe fn new_unchecked(ptr: *mut T) -> NonNull<T>

Creates a new NonNull.

Safety

ptr must be non-null.

Examples
use std::ptr::NonNull;

let mut x = 0u32;
let ptr = unsafe { NonNull::new_unchecked(&mut x as *mut _) };
Run

Incorrect usage of this function:

use std::ptr::NonNull;

// NEVER DO THAT!!! This is undefined behavior. ⚠️
let ptr = unsafe { NonNull::<u32>::new_unchecked(std::ptr::null_mut()) };
Run
const: unstable · source

pub fn new(ptr: *mut T) -> Option<NonNull<T>>

Creates a new NonNull if ptr is non-null.

Examples
use std::ptr::NonNull;

let mut x = 0u32;
let ptr = NonNull::<u32>::new(&mut x as *mut _).expect("ptr is null!");

if let Some(ptr) = NonNull::<u32>::new(std::ptr::null_mut()) {
    unreachable!();
}
Run
const: unstable · source

pub fn from_raw_parts( data_address: NonNull<()>, metadata: <T as Pointee>::Metadata ) -> NonNull<T>

🔬This is a nightly-only experimental API. (ptr_metadata #81513)

Performs the same functionality as std::ptr::from_raw_parts, except that a NonNull pointer is returned, as opposed to a raw *const pointer.

See the documentation of std::ptr::from_raw_parts for more details.

const: unstable · source

pub fn to_raw_parts(self) -> (NonNull<()>, <T as Pointee>::Metadata)

🔬This is a nightly-only experimental API. (ptr_metadata #81513)

Decompose a (possibly wide) pointer into its address and metadata components.

The pointer can be later reconstructed with NonNull::from_raw_parts.

source

pub fn addr(self) -> NonZeroUsize

🔬This is a nightly-only experimental API. (strict_provenance #95228)

Gets the “address” portion of the pointer.

For more details see the equivalent method on a raw pointer, pointer::addr.

This API and its claimed semantics are part of the Strict Provenance experiment, see the ptr module documentation.

source

pub fn with_addr(self, addr: NonZeroUsize) -> NonNull<T>

🔬This is a nightly-only experimental API. (strict_provenance #95228)

Creates a new pointer with the given address.

For more details see the equivalent method on a raw pointer, pointer::with_addr.

This API and its claimed semantics are part of the Strict Provenance experiment, see the ptr module documentation.

source

pub fn map_addr( self, f: impl FnOnce(NonZeroUsize) -> NonZeroUsize ) -> NonNull<T>

🔬This is a nightly-only experimental API. (strict_provenance #95228)

Creates a new pointer by mapping self’s address to a new one.

For more details see the equivalent method on a raw pointer, pointer::map_addr.

This API and its claimed semantics are part of the Strict Provenance experiment, see the ptr module documentation.

const: 1.32.0 · source

pub const fn as_ptr(self) -> *mut T

Acquires the underlying *mut pointer.

Examples
use std::ptr::NonNull;

let mut x = 0u32;
let ptr = NonNull::new(&mut x).expect("ptr is null!");

let x_value = unsafe { *ptr.as_ptr() };
assert_eq!(x_value, 0);

unsafe { *ptr.as_ptr() += 2; }
let x_value = unsafe { *ptr.as_ptr() };
assert_eq!(x_value, 2);
Run
const: 1.73.0 · source

pub const unsafe fn as_ref<'a>(&self) -> &'a T

Returns a shared reference to the value. If the value may be uninitialized, as_uninit_ref must be used instead.

For the mutable counterpart see as_mut.

Safety

When calling this method, you have to ensure that all of the following is true:

  • The pointer must be properly aligned.

  • It must be “dereferenceable” in the sense defined in the module documentation.

  • The pointer must point to an initialized instance of T.

  • You must enforce Rust’s aliasing rules, since the returned lifetime 'a is arbitrarily chosen and does not necessarily reflect the actual lifetime of the data. In particular, while this reference exists, the memory the pointer points to must not get mutated (except inside UnsafeCell).

This applies even if the result of this method is unused! (The part about being initialized is not yet fully decided, but until it is, the only safe approach is to ensure that they are indeed initialized.)

Examples
use std::ptr::NonNull;

let mut x = 0u32;
let ptr = NonNull::new(&mut x as *mut _).expect("ptr is null!");

let ref_x = unsafe { ptr.as_ref() };
println!("{ref_x}");
Run
const: unstable · source

pub unsafe fn as_mut<'a>(&mut self) -> &'a mut T

Returns a unique reference to the value. If the value may be uninitialized, as_uninit_mut must be used instead.

For the shared counterpart see as_ref.

Safety

When calling this method, you have to ensure that all of the following is true:

  • The pointer must be properly aligned.

  • It must be “dereferenceable” in the sense defined in the module documentation.

  • The pointer must point to an initialized instance of T.

  • You must enforce Rust’s aliasing rules, since the returned lifetime 'a is arbitrarily chosen and does not necessarily reflect the actual lifetime of the data. In particular, while this reference exists, the memory the pointer points to must not get accessed (read or written) through any other pointer.

This applies even if the result of this method is unused! (The part about being initialized is not yet fully decided, but until it is, the only safe approach is to ensure that they are indeed initialized.)

Examples
use std::ptr::NonNull;

let mut x = 0u32;
let mut ptr = NonNull::new(&mut x).expect("null pointer");

let x_ref = unsafe { ptr.as_mut() };
assert_eq!(*x_ref, 0);
*x_ref += 2;
assert_eq!(*x_ref, 2);
Run
1.27.0 (const: 1.36.0) · source

pub const fn cast<U>(self) -> NonNull<U>

Casts to a pointer of another type.

Examples
use std::ptr::NonNull;

let mut x = 0u32;
let ptr = NonNull::new(&mut x as *mut _).expect("null pointer");

let casted_ptr = ptr.cast::<i8>();
let raw_ptr: *mut i8 = casted_ptr.as_ptr();
Run
source§

impl<T> NonNull<[T]>

1.70.0 (const: unstable) · source

pub fn slice_from_raw_parts(data: NonNull<T>, len: usize) -> NonNull<[T]>

Creates a non-null raw slice from a thin pointer and a length.

The len argument is the number of elements, not the number of bytes.

This function is safe, but dereferencing the return value is unsafe. See the documentation of slice::from_raw_parts for slice safety requirements.

Examples
use std::ptr::NonNull;

// create a slice pointer when starting out with a pointer to the first element
let mut x = [5, 6, 7];
let nonnull_pointer = NonNull::new(x.as_mut_ptr()).unwrap();
let slice = NonNull::slice_from_raw_parts(nonnull_pointer, 3);
assert_eq!(unsafe { slice.as_ref()[2] }, 7);
Run

(Note that this example artificially demonstrates a use of this method, but let slice = NonNull::from(&x[..]); would be a better way to write code like this.)

1.63.0 (const: 1.63.0) · source

pub const fn len(self) -> usize

Returns the length of a non-null raw slice.

The returned value is the number of elements, not the number of bytes.

This function is safe, even when the non-null raw slice cannot be dereferenced to a slice because the pointer does not have a valid address.

Examples
use std::ptr::NonNull;

let slice: NonNull<[i8]> = NonNull::slice_from_raw_parts(NonNull::dangling(), 3);
assert_eq!(slice.len(), 3);
Run
const: unstable · source

pub fn as_non_null_ptr(self) -> NonNull<T>

🔬This is a nightly-only experimental API. (slice_ptr_get #74265)

Returns a non-null pointer to the slice’s buffer.

Examples
#![feature(slice_ptr_get)]
use std::ptr::NonNull;

let slice: NonNull<[i8]> = NonNull::slice_from_raw_parts(NonNull::dangling(), 3);
assert_eq!(slice.as_non_null_ptr(), NonNull::<i8>::dangling());
Run
const: unstable · source

pub fn as_mut_ptr(self) -> *mut T

🔬This is a nightly-only experimental API. (slice_ptr_get #74265)

Returns a raw pointer to the slice’s buffer.

Examples
#![feature(slice_ptr_get)]
use std::ptr::NonNull;

let slice: NonNull<[i8]> = NonNull::slice_from_raw_parts(NonNull::dangling(), 3);
assert_eq!(slice.as_mut_ptr(), NonNull::<i8>::dangling().as_ptr());
Run
const: unstable · source

pub unsafe fn as_uninit_slice<'a>(self) -> &'a [MaybeUninit<T>]

🔬This is a nightly-only experimental API. (ptr_as_uninit #75402)

Returns a shared reference to a slice of possibly uninitialized values. In contrast to as_ref, this does not require that the value has to be initialized.

For the mutable counterpart see as_uninit_slice_mut.

Safety

When calling this method, you have to ensure that all of the following is true:

  • The pointer must be valid for reads for ptr.len() * mem::size_of::<T>() many bytes, and it must be properly aligned. This means in particular:

    • The entire memory range of this slice must be contained within a single allocated object! Slices can never span across multiple allocated objects.

    • The pointer must be aligned even for zero-length slices. One reason for this is that enum layout optimizations may rely on references (including slices of any length) being aligned and non-null to distinguish them from other data. You can obtain a pointer that is usable as data for zero-length slices using NonNull::dangling().

  • The total size ptr.len() * mem::size_of::<T>() of the slice must be no larger than isize::MAX. See the safety documentation of pointer::offset.

  • You must enforce Rust’s aliasing rules, since the returned lifetime 'a is arbitrarily chosen and does not necessarily reflect the actual lifetime of the data. In particular, while this reference exists, the memory the pointer points to must not get mutated (except inside UnsafeCell).

This applies even if the result of this method is unused!

See also slice::from_raw_parts.

const: unstable · source

pub unsafe fn as_uninit_slice_mut<'a>(self) -> &'a mut [MaybeUninit<T>]

🔬This is a nightly-only experimental API. (ptr_as_uninit #75402)

Returns a unique reference to a slice of possibly uninitialized values. In contrast to as_mut, this does not require that the value has to be initialized.

For the shared counterpart see as_uninit_slice.

Safety

When calling this method, you have to ensure that all of the following is true:

  • The pointer must be valid for reads and writes for ptr.len() * mem::size_of::<T>() many bytes, and it must be properly aligned. This means in particular:

    • The entire memory range of this slice must be contained within a single allocated object! Slices can never span across multiple allocated objects.

    • The pointer must be aligned even for zero-length slices. One reason for this is that enum layout optimizations may rely on references (including slices of any length) being aligned and non-null to distinguish them from other data. You can obtain a pointer that is usable as data for zero-length slices using NonNull::dangling().

  • The total size ptr.len() * mem::size_of::<T>() of the slice must be no larger than isize::MAX. See the safety documentation of pointer::offset.

  • You must enforce Rust’s aliasing rules, since the returned lifetime 'a is arbitrarily chosen and does not necessarily reflect the actual lifetime of the data. In particular, while this reference exists, the memory the pointer points to must not get accessed (read or written) through any other pointer.

This applies even if the result of this method is unused!

See also slice::from_raw_parts_mut.

Examples
#![feature(allocator_api, ptr_as_uninit)]

use std::alloc::{Allocator, Layout, Global};
use std::mem::MaybeUninit;
use std::ptr::NonNull;

let memory: NonNull<[u8]> = Global.allocate(Layout::new::<[u8; 32]>())?;
// This is safe as `memory` is valid for reads and writes for `memory.len()` many bytes.
// Note that calling `memory.as_mut()` is not allowed here as the content may be uninitialized.
let slice: &mut [MaybeUninit<u8>] = unsafe { memory.as_uninit_slice_mut() };
Run
source

pub unsafe fn get_unchecked_mut<I>( self, index: I ) -> NonNull<<I as SliceIndex<[T]>>::Output>where I: SliceIndex<[T]>,

🔬This is a nightly-only experimental API. (slice_ptr_get #74265)

Returns a raw pointer to an element or subslice, without doing bounds checking.

Calling this method with an out-of-bounds index or when self is not dereferenceable is undefined behavior even if the resulting pointer is not used.

Examples
#![feature(slice_ptr_get)]
use std::ptr::NonNull;

let x = &mut [1, 2, 4];
let x = NonNull::slice_from_raw_parts(NonNull::new(x.as_mut_ptr()).unwrap(), x.len());

unsafe {
    assert_eq!(x.get_unchecked_mut(1).as_ptr(), x.as_non_null_ptr().as_ptr().add(1));
}
Run

Trait Implementations§

source§

impl<T> Clone for NonNull<T>where T: ?Sized,

source§

fn clone(&self) -> NonNull<T>

Returns a copy of the value. Read more
1.0.0 · source§

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source. Read more
source§

impl<T> Debug for NonNull<T>where T: ?Sized,

source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), Error>

Formats the value using the given formatter. Read more
source§

impl<T> From<&T> for NonNull<T>where T: ?Sized,

source§

fn from(reference: &T) -> NonNull<T>

Converts a &T to a NonNull<T>.

This conversion is safe and infallible since references cannot be null.

source§

impl<T> From<&mut T> for NonNull<T>where T: ?Sized,

source§

fn from(reference: &mut T) -> NonNull<T>

Converts a &mut T to a NonNull<T>.

This conversion is safe and infallible since references cannot be null.

source§

impl<T> Hash for NonNull<T>where T: ?Sized,

source§

fn hash<H>(&self, state: &mut H)where H: Hasher,

Feeds this value into the given Hasher. Read more
1.3.0 · source§

fn hash_slice<H>(data: &[Self], state: &mut H)where H: Hasher, Self: Sized,

Feeds a slice of this type into the given Hasher. Read more
source§

impl<T> Ord for NonNull<T>where T: ?Sized,

source§

fn cmp(&self, other: &NonNull<T>) -> Ordering

This method returns an Ordering between self and other. Read more
1.21.0 · source§

fn max(self, other: Self) -> Selfwhere Self: Sized,

Compares and returns the maximum of two values. Read more
1.21.0 · source§

fn min(self, other: Self) -> Selfwhere Self: Sized,

Compares and returns the minimum of two values. Read more
1.50.0 · source§

fn clamp(self, min: Self, max: Self) -> Selfwhere Self: Sized + PartialOrd<Self>,

Restrict a value to a certain interval. Read more
source§

impl<T> PartialEq<NonNull<T>> for NonNull<T>where T: ?Sized,

source§

fn eq(&self, other: &NonNull<T>) -> bool

This method tests for self and other values to be equal, and is used by ==.
1.0.0 · source§

fn ne(&self, other: &Rhs) -> bool

This method tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.
source§

impl<T> PartialOrd<NonNull<T>> for NonNull<T>where T: ?Sized,

source§

fn partial_cmp(&self, other: &NonNull<T>) -> Option<Ordering>

This method returns an ordering between self and other values if one exists. Read more
1.0.0 · source§

fn lt(&self, other: &Rhs) -> bool

This method tests less than (for self and other) and is used by the < operator. Read more
1.0.0 · source§

fn le(&self, other: &Rhs) -> bool

This method tests less than or equal to (for self and other) and is used by the <= operator. Read more
1.0.0 · source§

fn gt(&self, other: &Rhs) -> bool

This method tests greater than (for self and other) and is used by the > operator. Read more
1.0.0 · source§

fn ge(&self, other: &Rhs) -> bool

This method tests greater than or equal to (for self and other) and is used by the >= operator. Read more
source§

impl<T> Pointer for NonNull<T>where T: ?Sized,

source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), Error>

Formats the value using the given formatter.
source§

impl<T, U> CoerceUnsized<NonNull<U>> for NonNull<T>where T: Unsize<U> + ?Sized, U: ?Sized,

source§

impl<T> Copy for NonNull<T>where T: ?Sized,

source§

impl<T, U> DispatchFromDyn<NonNull<U>> for NonNull<T>where T: Unsize<U> + ?Sized, U: ?Sized,

source§

impl<T> Eq for NonNull<T>where T: ?Sized,

source§

impl<T> !Send for NonNull<T>where T: ?Sized,

NonNull pointers are not Send because the data they reference may be aliased.

source§

impl<T> !Sync for NonNull<T>where T: ?Sized,

NonNull pointers are not Sync because the data they reference may be aliased.

source§

impl<T> UnwindSafe for NonNull<T>where T: RefUnwindSafe + ?Sized,

Auto Trait Implementations§

§

impl<T: ?Sized> RefUnwindSafe for NonNull<T>where T: RefUnwindSafe,

§

impl<T: ?Sized> Unpin for NonNull<T>

Blanket Implementations§

source§

impl<T> Any for Twhere T: 'static + ?Sized,

source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
source§

impl<T> Borrow<T> for Twhere T: ?Sized,

source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
source§

impl<T> BorrowMut<T> for Twhere T: ?Sized,

source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
source§

impl<T> From<T> for T

source§

fn from(t: T) -> T

Returns the argument unchanged.

source§

impl<T, U> Into<U> for Twhere U: From<T>,

source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

source§

impl<T> ToOwned for Twhere T: Clone,

§

type Owned = T

The resulting type after obtaining ownership.
source§

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning. Read more
source§

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning. Read more
source§

impl<T, U> TryFrom<U> for Twhere U: Into<T>,

§

type Error = Infallible

The type returned in the event of a conversion error.
source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
source§

impl<T, U> TryInto<U> for Twhere U: TryFrom<T>,

§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.