Rust celebrates 10th anniversary
As Rust celebrates its 10th anniversary, Nick Flaherty talks to Tony Aiello and Stephen Hedrick at AdaCore on the evolution of the language for embedded and mission-critical systems
Rust avoids the memory issues that occur with C and C++, so code can be developed for secure and safety critical applications. But several perceptions are holding it back: that there aren’t enough skilled engineers with experience in the language, and that the tools aren’t ready.
There are parallels between the development of the Rust language and the Ada formal language. AdaCore develops tools for safety critical systems, and launched a version of its GNAT Pro tool for Rust in 2023.
“Our perspective is different from the broad mainstream perspective. Our focus is on developing tools for high integrity applications, often in the embedded domain, and that’s aerospace and defence, some new space, automotive, medical,” said Aiello, head of product and innovation at AdaCore and the product manager responsible for launching the Rust tools.
“What we are seeing is Rust building in momentum. Interest in Rust is largely driven by the rank and file engineers who want to find an avant-garde approach, using it in hobby projects and agitating in their teams to get Rust adopted.”
“If there is hesitance from managers it’s less about engineers as it is that this hasn’t been proven in use in our domain and there is a question about the completeness of the ecosystem, the qualification of safety standards; these are the kinds of things that need to be addressed,” he said.
“This is still a young language and a lot of things will mature over time. The fact there is still a buzz and that is increasing and starting to permeate industry, it’s important to note that any mainstream language has these hurdles to overcome,” said Hedrick, the current Rust product manager.
One of the objections to using Rust is that developers can use C properly for safety critical code.
“I don’t believe in doing C properly. I don’t think C is an appropriate language to use for safety critical applications, full stop,” said Aiello. “Nvidia went with SPARK and used full formal methods for its safety critical development and there’s a case study on that. If you are going to write new code you shouldn’t use C.”
“When we first started talking about a Rust product we were surprised that there wasn’t the groundswell of interest we expected. There were lots of conversations, and customers wanted to learn about Rust,” said Aiello. “Fast forward to today, we have many more prospects that seem to be very close to becoming serious about Rust but there is a hesitation in not wanting to be first. I am cautiously optimistic based on what we are hearing through the safety critical consortium.”
“There are things that seem similar to Ada. It is a type safe language, and this slows people down so it is a little bit similar, but I feel that there are more differences than similarities.”
One of the factors was the Ada mandate issued in 1991 by the US Department of Defense to standardise software development across the DoD and address the proliferation of different programming languages and dialects.
“Ada was less than ten years old when the mandate came out and the feeling was that the compilers weren’t ready,” said Aiello. “The compilers for Rust are ready, so the rustc compiler is appropriately fast and appropriately stable. The code that is emitted is efficient but probably the most important difference is while in the workforce there are fewer Rust engineers than C, there is a huge community behind Rust. The strength of the community is hard to understate.”
The Rust ecosystem
But he does acknowledge the gaps in the ecosystem, particularly Modified Condition/Decision Coverage (MC/DC). This is a code coverage criterion used to ensure the reliability and robustness of critical software systems; it goes beyond basic coverage to verify that each condition within a decision independently affects the outcome of that decision.
“There are gaps and we are filling them. We have a coverage tool for Rust that will be coming out in the fall. MC/DC coverage was missing and this is absolutely required. Another gap is a coding standard for Rust in safety critical standards. The Rust Foundation’s Safety Critical Consortium is building out a coding standard and once this is done the tools will follow. In the meantime it is ad hoc, but it is a more nuanced solution at the moment.”
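The MC/DC criterion described above, as an added illustration in Rust that is not part of the article or of AdaCore’s tooling: for a constructed three-condition decision, the code checks whether a test set contains, for every condition, a pair of vectors that differ only in that condition and produce different outcomes, which is what separates MC/DC from plain branch coverage.

```rust
// Added example, not from the article or AdaCore. The decision, the test
// vectors and the helper names are all constructed for illustration.

/// A test vector: the values of the three conditions a, b, c.
type Vector = [bool; 3];

/// Decision under test (constructed): `a && (b || c)`, e.g. "interlock
/// engaged AND (operator confirmed OR maintenance override set)".
fn decision(v: Vector) -> bool {
    let [a, b, c] = v;
    a && (b || c)
}

/// Two vectors form an MC/DC independence pair for condition `idx` when they
/// differ in that condition only and the decision outcome flips between them.
fn is_independence_pair(x: Vector, y: Vector, idx: usize) -> bool {
    let only_idx_differs = (0..3).all(|i| (x[i] != y[i]) == (i == idx));
    only_idx_differs && decision(x) != decision(y)
}

/// For each condition, reports whether `tests` contains an independence pair
/// for it. MC/DC is achieved only when every entry is true.
fn mcdc_coverage(tests: &[Vector]) -> [bool; 3] {
    let mut covered = [false; 3];
    for idx in 0..3 {
        covered[idx] = tests
            .iter()
            .any(|&x| tests.iter().any(|&y| is_independence_pair(x, y, idx)));
    }
    covered
}

fn main() {
    // Constructed set: n + 1 = 4 vectors are enough for 3 conditions.
    let tests: [Vector; 4] = [
        [true, true, false],  // T; pairs with row 2 (a) and row 3 (b)
        [false, true, false], // F
        [true, false, false], // F; pairs with row 4 (c)
        [true, false, true],  // T
    ];
    println!("MC/DC per condition: {:?}", mcdc_coverage(&tests)); // [true, true, true]

    // Branch coverage alone (one true and one false outcome) is not MC/DC:
    // these two vectors differ in every condition, so no pair isolates one.
    let branch_only: [Vector; 2] = [[true, true, true], [false, false, false]];
    println!("Branch-only set: {:?}", mcdc_coverage(&branch_only)); // [false, false, false]
}
```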
Certification of runtime libraries such as liballoc, libcore and libstd is required for compliance with safety critical standards such as ISO 26262 in automotive and IEC 61508 in industrial, and this is also a potential issue.
“Ada has a rich runtime and Rust has a rich runtime,” said Aiello. “You can do without libstd, but libcore is viewed as fundamental to the language. This is a large library with 36,000 lines of code and that goes into the end application and that needs to be certified. That will be time consuming and costly and we discuss this with prospects. However once a few of these are done it puts the whole community in a better situation.”
“In the future there may be pressure against the recompilation of the libraries. If you want to ship a Rust library you have to ship it open source which may have issues with proprietary code. This is also not something that the project is unaware of,” he said. “There are discussions on when and how to tackle the API problem for proprietary code.”
The Safety Critical Consortium includes the Rust Foundation, AdaCore, ARM, Ferrous Systems, OxidOS, HighTec EDV-Systeme, TrustInSoft, Veecle, and Woven by Toyota to support the use of the language and expand the ecosystem with existing safety-critical projects and standards including SAE JA1020.
“Because of the active work in the Safety Critical Consortium there is a lot of progress so as things move forward people will see this as more of a viable option,” said Hedrick. “The more we have industry adoption stories to show real world applications, that’s the thing to shoot for. There’s a lot more to come and there’s a lot of potential and that’s the great thing.”
Aiello does not see the same pressure for a mandate for Rust. “What there is is a strong push for a memory safety mandate and a push for memory safe hardware like CHERI,” he said. “Even today I am still hearing that there is pressure from their customers to pivot to memory safety.”
AI copilots can also help with coding in Rust.
“I think it’s a great idea especially when it comes to learning it,” said Hedrick. “Then you can get as complex as you want. As the tide rises so will the boats, as more hobbyist and community robotics projects come out, on Raspberry Pi and other platforms, that can extend to research in companies.”