<html>
<!-- Copyright (c) 1999-2025 by the D Language Foundation All Rights Reserved. https://dlang.org/foundation_overview.html -->
<head>
<title>SafeD - D Programming Language</title>
<link rel="stylesheet" href="../css/codemirror.css">
<link rel="stylesheet" href="../css/style.css">
<link rel="stylesheet" href="../css/print.css" media="print">
<link rel="shortcut icon" href="../favicon.ico">
<meta name="viewport" content="width=device-width, initial-scale=1.0, minimum-scale=0.1, maximum-scale=10.0">
</head>
<body id='SafeD' class='doc'>
<script type="text/javascript">document.body.className += ' have-javascript'</script>
<div class="container">
<div class="hyphenate" id="content">
<h1>SafeD</h1>
<div class="page-contents quickindex">
<div class="page-contents-header">
<b>Contents</b>
</div>
<ol>
<li><a href="#pitfalls">Programming Pitfalls</a></li>
<li><a href="#safed-subset">The SafeD Subset</a></li>
<li><a href="#safed-libraries">SafeD Libraries</a></li>
<li><a href="#user-experience">One User's Experience</a></li>
<li><a href="#footnotes">Footnotes</a></li>
<li><a href="#acknowledgments">Acknowledgments</a></li>
</ol>
</div>
<p>
<small>by Bartosz Milewski, a member of the D design team</small>
</p>
<p>
I've seen some very good programmers move away from C++ in favor of languages like Java or C#. Being a hard-core C++ programmer myself, I wondered why anyone would want to switch to a less powerful and less efficient language. Mind you, I could understand why a newcomer would opt for a simpler, flatter-learning-curve language but, once somebody invested the time and effort to become proficient in C++, why in the world would they want to abandon it?
</p>
<img src="../images/dman-rain.jpg" border=0 alt="D-man in rain" style="float:right">
<p>
The universal reason I've heard from the turncoats was “productivity.” The consensus seems to be that programmers are more productive using Java, C#, Ruby, or Python than they are using C++.
</p>
<p>
What are the major impediments to productive programming in C++?
</p>
<p>
<b>Horrible syntax</b> is one. This is actually more serious than it sounds. A good programmer can probably master some pretty horrible syntaxes given enough time. The problem is that C++ syntax and grammar are not only human-unfriendly but also parser-hostile. The fact that the Java market is saturated with productivity boosting tools is the reflection of the language's parseability. I have yet to see a C++ programming environment that would offer such powerful refactoring tools as are commonplace in Java.
</p>
<p>
Language safety is the other major factor. C++ is notorious for presenting a never-ending gallery of opportunities to shoot yourself in the foot. In fact C++ not only provides the opportunity to write dangerous code, it <i>encourages</i> it. At some point a major C++ compiler vendor marked a portion of STL algorithms as "deprecated" because of safety concerns. In particular the C++ Standard Library, in accordance with the spirit of C++, extends the number of ways a buffer overflow bug might sneak into your program.
</p>
<p>
One notorious example is the <span class="d_inlinecode donthyphenate notranslate">std::swap_ranges</span> algorithm, which takes three iterators. The first two iterators are supposed to delimit one range; the third one marks the beginning of the second range. Nothing checks whether the second range extends past the end of the container. When it does, virus writers rejoice!
</p>
<p>
The pipe dream of programming language designers is to be able to guarantee that if a program compiles successfully, it will work. Of course you have to be reasonable about your definition of a "working" program. For instance, you might require that the program will never get "stuck"—a term which has a precise meaning in computer science, but loosely means that the program will not GP-fault on you (it is stuck in the sense that there is no well-defined system-independent next step). Languages that have such a property are called "sound".
</p>
<p>
Guess what, there is a well-defined (and meaningful) subset of Java that is sound. Real-life Java programs, for practical reasons, stray outside of this sound subset; but at least the use of unsafe features is less prevalent and easier to spot in a Java program than it is in a C++ program. In practice, a Java compiler will detect more bugs in your program than a C++ compiler, and that translates directly into less time spent debugging—ergo, higher productivity.
</p>
<p>
So what are the good features of C++?
</p>
<p>
Performance is one. It's really hard to beat C++ performance. If your program has to be fast and responsive you have little choice but to write it in C++ (or, in rare cases, in C or assembly).
</p>
<p>
Then there are the low-level features of C++ that let you write programs interacting directly with hardware. For instance, C and C++ are still kings of embedded programming.
</p>
<p>
C++ offers powerful abstractions, in particular the ability to write generic code. Java and C# have their own generics but they are feeble compared to what C++ has to offer.
</p>
<p>
All these features make C++ an ideal language for writing operating systems. Operating systems are huge programs that have to be fast and interact directly with hardware. But even outside operating systems there are a lot of applications that have to be large and fast.
</p>
<p>
So it looks like the programming world could be nicely partitioned between C++, Java, C# and the likes. And it all makes sense as long as you believe in the unavoidability of tradeoffs. But there is no law of nature that says, <i>You have to trade productivity for power</i>.
</p>
<p>
What about a language that is built like an onion? It has a reasonably simple and safe core, which is not unlike Java or C#. A programmer can quickly master a safe subset of it and be as productive as a Java programmer (if not more). And what if the safe subset offered performance that was comparable to C++?
</p>
<p>
And then, the same language has outer layers that can be mastered gradually, as the need arises. It offers low-level features to grind the hardware, and high-level features to generate code on demand. It offers modularity and implementation hiding. It has unrivaled compile-time features that enable lightning fast runtime performance.
</p>
<p>
I'll let you in on a secret: this language is D.
</p>
<h2><a class="anchor" title="Permalink to this section" id="pitfalls" href="#pitfalls">Programming Pitfalls</a></h2>
<p>
Did you know that the famous <span class="d_inlinecode donthyphenate notranslate">"Hello World!"</span> program, which is usually the first program people write in C, exposes some of the most dangerous features of the language? It contains this statement:
</p>
<pre class="ccode notranslate">printf ("Hello World!\n");</pre>
<p>
Consider the signature of <span class="d_inlinecode donthyphenate notranslate">printf</span>:
</p>
<pre class="ccode notranslate">int printf (const char * restrict format, ...);
</pre>
<p>
(<span class="d_inlinecode donthyphenate notranslate">restrict</span> is a new C keyword.) First of all, it's a function that takes a variable number of arguments. The number and the types of arguments are encoded in the format string.
</p>
<p>
When is the match between the format and the argument list checked? Not at compile time—the compiler has no understanding of the format string (although some compilers may issue warnings if the string is statically known). At runtime then? Well, guess again. Consider this: if the programmer makes the mistake of calling printf with too few arguments, he or she will not get a nice error code or exception. Here's what the C Standard says about this situation:
</p>
<table border="1" cellpadding="4" cellspacing="0"><tr><td bgcolor="#ffffcc">
If there are insufficient arguments for the format, the behavior is undefined.
</td></tr></table>
<p>
Undefined behavior is the worst thing that may happen to a program. If you're lucky, the program will fault and terminate without prejudice. If you're not so lucky, the program will continue in a compromised state and, in the worst case, it will execute malicious code that will take over your computer.
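</p>
<p>
Added example (not part of the original article): a C variadic callee never learns how many arguments were passed, so a runtime check is only possible when the caller states the count itself. The hypothetical helpers <span class="d_inlinecode donthyphenate notranslate">format_arg_count</span> and <span class="d_inlinecode donthyphenate notranslate">checked_snprintf</span> below compare that count with what the format string will consume and refuse to format on a mismatch or a null format; argument types remain unchecked.
</p>

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example; format_arg_count and checked_snprintf are hypothetical
 * helpers, not part of the C library. */

static const char *skip_digits(const char *p)
{
    while (*p >= '0' && *p <= '9')
        p++;
    return p;
}

/* Number of variadic arguments a printf-style format will read, or -1 if
 * the format is a null pointer or contains a malformed conversion. */
int format_arg_count(const char *fmt)
{
    int count = 0;

    if (fmt == NULL)
        return -1;

    for (const char *p = fmt; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')
            continue;                       /* "%%" reads no argument */
        while (*p != '\0' && strchr("-+ #0", *p) != NULL)
            p++;                            /* flags */
        if (*p == '*') {                    /* width passed as an int argument */
            count++;
            p++;
        } else {
            p = skip_digits(p);
        }
        if (*p == '.') {                    /* precision, same two forms */
            p++;
            if (*p == '*') {
                count++;
                p++;
            } else {
                p = skip_digits(p);
            }
        }
        while (*p != '\0' && strchr("hljztL", *p) != NULL)
            p++;                            /* length modifiers */
        if (*p == '\0' || strchr("diouxXeEfFgGaAcspn", *p) == NULL)
            return -1;                      /* dangling '%' or unknown conversion */
        count++;
    }
    return count;
}

/* snprintf that runs only when nargs, the number of variadic arguments the
 * caller actually passes, equals what the format will consume. On a mismatch
 * it returns -1 without touching the argument list. Argument types are NOT
 * verified: an int passed where the format says %s is still undefined. */
int checked_snprintf(char *buf, size_t size, int nargs, const char *fmt, ...)
{
    va_list ap;
    int needed = format_arg_count(fmt);
    int written;

    if (buf == NULL || size == 0 || needed < 0 || needed != nargs)
        return -1;
    va_start(ap, fmt);
    written = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    return written;
}

int main(void)
{
    char buf[64];

    /* Constructed inputs: a correct call, one with an argument missing,
     * and one with a null format. */
    printf("%d\n", checked_snprintf(buf, sizeof buf, 2, "%s=%d", "x", 7));
    printf("%d\n", checked_snprintf(buf, sizeof buf, 1, "%s=%d", "x"));
    printf("%d\n", checked_snprintf(buf, sizeof buf, 0, NULL));
    return 0;
}
```

<p>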
</p>
<p>
The second dangerous feature of <span class="d_inlinecode donthyphenate notranslate">printf</span> is its use of a pointer. It is up to the diligence of the programmer to ensure that a pointer points to a valid piece of data. In the <span class="d_inlinecode donthyphenate notranslate">"Hello World!"</span> example, the pointer points to a null-terminated static string, so we're fine. But the following program will compile too:
</p>
<pre class="ccode notranslate">char * format = 0;
printf (format);
</pre>
<p>
Guess what happens. Inside <span class="d_inlinecode donthyphenate notranslate">printf</span> the pointer is dereferenced and then all bets are off. Again, citing the C Standard,
</p>
<table border="1" cellpadding="4" cellspacing="0"><tr><td bgcolor="#ffffcc">
If an invalid value has been assigned to the pointer, the behavior of the unary * operator is undefined.
</td></tr></table>
<p>
Let's talk about pointers some more. Every memory allocation returns a valid pointer (unless the program runs out of memory). You might think that dereferencing such a pointer would be safe. That is correct as long as your program doesn't free the allocated memory, thus ending the lifetime of the object. After that, you are dealing with a dangling pointer and all bets are off. Again, the C Standard is pretty upfront about it.
</p>
<table border="1" cellpadding="4" cellspacing="0"><tr><td bgcolor="#ffffcc">
Among the invalid values for dereferencing a pointer by the unary * operator are a null pointer, an address inappropriately aligned for the type of object pointed to, and the address of an object after the end of its lifetime.
</td></tr></table>
<p>
As you can see, C was not designed for the faint of heart. It's a low-level language and the programmer had better know what he or she is doing or suffer the consequences.
</p>
<p>
C++ is different though, right?
</p>
<p>
Throughout its history, C++ has been struggling with C legacy.
A lot of constructs have been provided to patch the unsafe features of C. For instance, the <span class="d_inlinecode donthyphenate notranslate">"Hello World!"</span> program in C++ might be transformed to a safer version.
</p>
<pre class="ccode notranslate">std::cout &lt;&lt; "Hello World!" &lt;&lt; std::endl;
</pre>
<p>
There is no variable argument count, and the <span class="d_inlinecode donthyphenate notranslate">std::cout</span> object is smart enough to understand the types of arguments passed to it (still, many programmers continue using <span class="d_inlinecode donthyphenate notranslate">printf</span> in C++, if only for its syntactic simplicity).
</p>
<p>
Unlike in C, memory allocation in C++ is typed and combined with object construction (as long as you stay away from <span class="d_inlinecode donthyphenate notranslate">malloc</span> and <span class="d_inlinecode donthyphenate notranslate">free</span>). That's the good part. However, objects still have to be explicitly recycled (deleted). And after recycling, the program is still left with dangling pointers, whose dereferencing—you guessed it—leads to undefined behavior.
</p>
<p>
Whereas pointers were important in C, C++ embraced them as the main vehicle for the Standard Library. STL algorithms use iterators, objects that are either pointers themselves or imitate the behavior (and the pitfalls) of pointers. Just like with pointers, a programmer's error in using iterators leads to undefined behavior (see the <span class="d_inlinecode donthyphenate notranslate">swap_ranges</span> example).
</p>
<p>
In response to C/C++'s inherent lack of safety, languages like Java and C# took a different path. They either ban pointers altogether or relegate them to special "unsafe" blocks. Memory management, with its risk of accessing recycled data, is taken away from the programmer and dealt with by automatic garbage collection. There are many other simplifications and safety improvements over C++.
Unfortunately they all come at the expense of expressive power and performance.
</p>
<h2><a class="anchor" title="Permalink to this section" id="safed-subset" href="#safed-subset">The SafeD Subset</a></h2>
<p>
In D, we expect the vast majority of programmers to operate within the safe subset of D, which we call SafeD. The safety and the ease of use of SafeD are comparable to Java—in fact Java programs can be machine-translated into this safe subset of D. SafeD is easy to learn and it keeps the programmers away from undefined behaviors. It is also very efficient.
</p>
<p>
When you enter SafeD, you leave your pointers, unchecked casts and unions at the door. Memory management is provided to you courtesy of Garbage Collection. Class objects are passed around using opaque handles. Arrays and strings are bound-checked (it's possible to turn the checks off with a compiler switch, but then you're no longer in SafeD). You may still write code that will throw a runtime exception (e.g., array out-of-bounds error, or uninitialized-class-object error), but you won't be able to overwrite memory that hasn't been allocated to you or that has already been recycled.
</p>
<p>
Let's look at the <span class="d_inlinecode donthyphenate notranslate">"Hello World!"</span> program in D. On the face of it, it's not much different than its C counterpart:
</p>
<pre class="d_code notranslate">writeln(<span class="d_string">"Hello Safe World!"</span>);
</pre>
<p>
The function <span class="d_inlinecode donthyphenate notranslate">writeln</span> is the equivalent of the C <span class="d_inlinecode donthyphenate notranslate">printf</span> (more precisely, it's the representative of a family of output functions including <span class="d_inlinecode donthyphenate notranslate">write</span> and its formatting versions, <span class="d_inlinecode donthyphenate notranslate">writef</span> and <span class="d_inlinecode donthyphenate notranslate">writefln</span>).
Just like <span class="d_inlinecode donthyphenate notranslate">printf</span>, <span class="d_inlinecode donthyphenate notranslate">writeln</span> accepts a variable number of arguments of arbitrary types. But here the similarity ends. As long as you pass SafeD-arguments to <span class="d_inlinecode donthyphenate notranslate">writeln</span>, you are guaranteed not to encounter any undefined behavior. Here, <span class="d_inlinecode donthyphenate notranslate">writeln</span> is called with a single argument of the type <span class="d_inlinecode donthyphenate notranslate">string</span>. In contrast to C, a D <span class="d_inlinecode donthyphenate notranslate">string</span> is not a pointer. It is an array of <span class="d_inlinecode donthyphenate notranslate">immutable char</span>, and arrays are built into the safe subset of D.
</p>
<p>
You might be interested to know how the safety of <span class="d_inlinecode donthyphenate notranslate">writeln</span> is accomplished in D. One possible approach would have been to make <span class="d_inlinecode donthyphenate notranslate">writeln</span> a compiler intrinsic, so that correct code would be generated on a case-by-case basis. The beauty of D is that it gives a sophisticated programmer tools that allow such case-by-case code generation. The advanced features used in the implementation of <span class="d_inlinecode donthyphenate notranslate">writeln</span> are:
</p>
<ul>
<li>Compile-time code generation using templates, and</li>
<li>A safe mechanism for dealing with a variable number of arguments using tuples.</li>
</ul>
<h2><a class="anchor" title="Permalink to this section" id="safed-libraries" href="#safed-libraries">SafeD Libraries</a></h2>
<p>
One of the major differences between Java and D is that D has enough power to let an advanced programmer implement libraries that can be used within SafeD.
</p>
<p>
A lot of advanced features of D are compatible with SafeD, as long as they don't force the user to use unsafe types.
For instance, a library may provide the implementation of a generic list. The list can be instantiated with any type, in particular with a pointer type. A list of pointers, by definition, cannot be safe, because pointer arithmetic is unsound. However, a list of ints or class objects can and should be safe. That's why such generic lists can be used in SafeD, even though their usage outside of SafeD may be unsafe.
</p>
<p>
Moreover, it might be more efficient to base the internal implementation of a list on pointers. As long as these pointers are not exposed to the client, such an implementation might be certified to be SafeD compatible<sup>1</sup>. You can have a cake (advanced features of D) and eat it too (take advantage of them in SafeD).
</p>
<h2><a class="anchor" title="Permalink to this section" id="user-experience" href="#user-experience">One User's Experience</a></h2>
<p>
Even before I came up with the idea of SafeD<sup>2</sup>, I tried to restrict myself to the safe subset of D for most of my projects. I was surprised how much could be accomplished and how my productivity soared. I also showed SafeD to my co-worker, a C++ programmer, and he was able to learn it in a very short time.
</p>
<p>
So far my experience has been that if a SafeD program compiles without errors then, in a vast majority of cases, it runs without errors, and does what I want it to do. That definitely hasn't been my experience with C++.
</p>
<p>
What is even more surprising to me is that I was able to accomplish all that with almost non-existent support from tools and with a compiler that excels in cryptic error messages. D is still lacking a lot of infrastructure, but I can imagine how easy programming will be when a critical mass of productivity tools sprouts around it. And unlike C++, D is easy to parse and its front end is open source. So there are no barriers to entry for tool writers.
</p>
<h2><a class="anchor" title="Permalink to this section" id="footnotes" href="#footnotes">Footnotes</a></h2>
<ol>
<li>There is no central authority to issue such certifications, each library provider has to establish a level of trust with its clients. In particular, you should expect the D standard library to be SafeD certified by the compiler provider.</li>
<li>The name, SafeD, was proposed by David B. Held.</li>
</ol>
<h2><a class="anchor" title="Permalink to this section" id="acknowledgments" href="#acknowledgments">Acknowledgments</a></h2>
<p>Many thanks go to the rest of the D design team for valuable feedback and corrections to this article</p>
<div class="smallprint" id="copyright">Copyright &copy; 1999-2025 by the <a href="../foundation_overview.html">D Language Foundation</a> | Page generated by <a href="../spec/ddoc.html">Ddoc</a> on Fri Oct 10 2025
</div>
</div>
</div>
</body>
</html>