Idea / Pre-RFC: Null-free pointer and Zeroable reference

Even setting all of that aside, core itself heavily depends on &T. This cannot be resolved by a third-party library, and even introducing alternatives within core would invite circular dependencies. Moreover, &T does not even live in core. It resides in the compiler as TyKind::Ref, and a single line in the layout computation ensures it can never reach 0x0:

// compiler/rustc_ty_utils/src/layout.rs:410-414
ty::Ref(_, pointee, _) | ty::RawPtr(pointee, _) => {
    let mut data_ptr = scalar_unit(Pointer(AddressSpace::ZERO));
    if !ty.is_raw_ptr() {
        data_ptr.valid_range_mut().start = 1;
    }

This single expression is where the non-null invariant is physically enforced. No library - whether in core or third-party - can reach below this.

H4n_uL:

And looking at replace_memory in your any_mem sketch, that's the operation ptr::replace couldn't do soundly because it relies on &mut *dst internally (rust#138351).

As noted above, this has already led to a soundness issue.

The zeroable reference primitive proposed to address this may seem like an excessive solution at first glance, but consider NonZero<T>. Today, NonZero<usize> sits alongside usize, and the two coexist. &T currently occupies the position of NonZero<usize>, but the usize that should sit beside it is missing. This is not a new paradigm, nor a sledgehammer to crack a nut. It is simply restoring the missing counterpart of NonZero<?> == &T.