The Memory Safe D Spec
Memory safety for a program means that it is impossible for the program to corrupt memory. Safe D therefore consists only of the programming language features that are guaranteed never to result in memory corruption.
Safe D is enabled on a per-module basis by compiling with the -safe compiler switch.
System Modules
Many programming tasks cannot be statically checked for safety. System modules are not checked for safety, even when checking is requested, and must be vetted by hand. Safety is controlled at the module level, rather than at the declaration or statement level, to encourage modularization and a clean separation of unsafe code from safe code. Because unsafe code is restricted to system modules, if a memory corruption error does occur, the programmer need only examine those modules rather than the entire program.
Proscribed Forms
- Inline assembler.
- Casting away const or immutable attributes.
- Casting away shared attributes.
- Casting from one pointer type to another pointer type, except that:
  - casting to void* is allowed
  - casting from a pointer to an arithmetic type to a pointer to another arithmetic type of the same or smaller size is allowed
- Casting from a non-pointer type to a pointer type.
A safe module can import and use the public interface of a system module.
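The following two modules are an added example, not part of the original spec, illustrating the system/safe split described above and each proscribed form. The module names sysmem and safecode, the Header struct and all function names are assumptions made for the example. safecode.d is compiled with the -safe switch and sysmem.d without it; the commented-out functions in safecode.d are the ones -safe would reject, with a note on what memory-corruption path each one opens.

```d
// File sysmem.d: a system module, compiled without -safe and vetted by hand.
module sysmem;

struct Header { uint magic; ushort version_; ushort flags; }

// Exposes the raw bytes of a Header. Header* to ubyte* is a cast between
// pointer types that the arithmetic-type exception does not cover, so it
// cannot appear in a safe module. The slice is bounded by Header.sizeof;
// confirming that bound is exactly what hand vetting of this module means.
ubyte[] headerBytes(ref Header h)
{
    return (cast(ubyte*)&h)[0 .. Header.sizeof];
}

// File safecode.d: compiled with -safe. It may import sysmem and call its
// public functions, but may not itself contain any proscribed form.
module safecode;

import sysmem;
import std.stdio : writefln;

// Bounds-checked slice iteration: always safe.
ubyte checksum(const(ubyte)[] data)
{
    ubyte x = 0;
    foreach (b; data) x ^= b;
    return x;
}

// Casts that -safe permits.
void* asOpaque(Header* h)
{
    return cast(void*)h;           // any pointer type to void* is allowed
}

short* asShort(int* p)
{
    return cast(short*)p;          // int* to short*: both arithmetic, target no larger
}

/* Each of these is rejected under -safe. They are kept in a comment so the
   module still compiles; moving one of them into sysmem.d makes it the
   system module's responsibility.

   long* widen(int* p)             { return cast(long*)p; }   // target larger than source: a read through the result touches 4 bytes past the int
   int* fromAddress(size_t a)      { return cast(int*)a; }    // non-pointer to pointer: any integer becomes a dereferenceable address
   int* dropConst(const(int)* p)   { return cast(int*)p; }    // casting away const: allows writes to data the caller promised not to mutate
   int* dropShared(shared(int)* p) { return cast(int*)p; }    // casting away shared: unsynchronized access to data shared across threads
   Header* reinterpret(ubyte* p)   { return cast(Header*)p; } // pointer types not both arithmetic: Header.sizeof may exceed the pointed-to object
   void spin()                     { asm { nop; } }           // inline assembler: the compiler cannot reason about what it touches
*/

void main()
{
    auto h = Header(0xCAFEBABE, 1, 0);
    auto raw = headerBytes(h);     // the system module vouches for this 8-byte view
    writefln("%d bytes, checksum %02x", raw.length, checksum(raw));

    int v = 0x01020304;
    short* s = asShort(&v);        // in bounds: 2 bytes read from a 4-byte object
    writefln("low half = %04x", cast(ushort)*s);
}
```

Note what the safe module is trusting: headerBytes returns a slice aliasing its argument, so a caller that keeps raw alive after h goes out of scope has a dangling reference, and -safe on safecode.d does nothing to prevent that. The guarantee of a safe module extends only as far as the correctness of the system interfaces it imports, which is why the spec insists those modules be vetted by hand.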
Limitations
Safe D does not imply that code is portable, uses only sound programming practices, or is free of byte-order dependencies or other bugs. It is focused only on eliminating the possibility of memory corruption.