What you’ll learn:
- Why Rust is important to embedded applications.
- Why deployment of critical applications needs commercial Rust support.
- How GNAT Pro for Rust addresses critical application development.
Rust is a programming language that’s growing in popularity because of its safety features, particularly its memory tracking aspects (take our Quick Poll below about your Rust usage). It can address high-level applications as well as low-level programs such as device drivers. Rust is one of the few languages that can be used to deliver Linux device drivers.
I talked with Tony Aiello, Product Manager at AdaCore, about GNAT Pro for Rust and the importance of having certified Rust tools.
GNAT Pro for Rust provides the basics including the rustc compiler, the cargo build and package manager, and gdb debugger support. It supports Linux targets as well as bare-metal installations. In addition, it features bidirectional Ada-Rust bindings.
Ada and SPARK are other programming languages supported by AdaCore in the GNAT Pro family. The family targets high-reliability applications that require certification and/or long-term support, ranging from avionics to medical and automotive.
Why Should the Compiler be Smarter?
The reason for the interest in Rust is that the language and compiler place restrictions on the programmer by default, unlike programming languages like C. There’s some limited syntax and semantics with C, but the programmer can generally do just about anything without the compiler complaining too much. Early C compilers didn’t even complain about using unassigned variable values.
Figure 1 shows how Ada compares to other languages like C and Java. I would put Rust in the same category as Ada, although Ada does have the edge over Rust in fine-tuning what the programmer can define and what the compiler is able to catch in terms of errors.
AdaCore funded a study of Ada and how it handled errors compared to C to show cost savings possible with Ada. I suspect Rust would garner similar results, although I haven’t found a similar report for Rust. It does highlight the cost of finding errors and how traditional languages falter from the start (Fig. 2).
One only needs to look at the plethora of Computer Vulnerabilities Exposures (CVE) to see why C is more error-prone. This is due to placing more of the responsibility for code quality on the programmer rather than the language and tools.
Rust has many features like enums/algebraic data types and concurrency that help developers write sophisticated programs while allowing the compiler to check their use. However, it’s the memory and pointer management that handles it by default that makes the biggest difference with respect to catching errors. That discussion is beyond the scope of this article, but essentially it forces programmers to define and properly use memory and memory references in a controlled fashion.
It’s possible to write unsafe Rust and turn off these checking features. Still, these must be stated explicitly and should be used sparingly. The same is true of Ada. This enables safe programming languages to address system programming that’s usually done in C with the same level of efficiency in a much safer implementation.
The Importance of Certification and Longevity
Open-source Rust tools are being used for projects from websites to embedded systems, but there’s a place and need for commercial Rust solutions. The reason is the same for C where commercial versions abound. Service and support are the main factors for commercial versions, as companies and developers don’t want to support the tools but rather use them. This is also where longevity comes into play—tools must often be maintained at certain implementation states over long periods of time so that changes to applications can be made with the tools used to create them initially.
Commercial Rust solutions are only now emerging in the marketplace. In addition to support, there’s the need for certification such as ISO 26262. In many of these certifications, having certified tools is part of the process. Certified or certifiable C/C++ tools are available as are Ada and SPARK—a version of Ada with advanced static-analysis capabilities.
Having Rust tools like GNAT Pro for Rust that fit this requirement means Rust code can be used in safety-critical applications from self-driving cars to aircraft. This would not be possible without having these tools available. In the future, assuming Rust continues on course, we’ll see numerous commercial versions of Rust as is the case with C/C++.
Hands-on GNAT Pro for Rust
GNAT Pro for Rust was still in beta when I tried it out and I found no difference when comparing it to the open-source version of Rust. I was able to use the same source code and build specifications without changes to generate applications. This wasn’t an exhaustive test; I only targeted Linux platforms and pulled larger programs from sources like github.
Of course, the test results came out as expected. Essentially, I used the same open-source compiler but from a commercial source. This is where commercial support comes into play.
Chasing the latest version of the compiler is fine for someone who doesn’t need to provide long-term support. It’s not a great idea when it comes to developing software that must be supported over the long run, especially for something like an array of IoT devices with over-the-air updates.
In theory, an unchanging programming language should enable different compilers that are generated years apart to create the same output for a given application. This won’t happen with most programming languages that tend to change over time. C and C++ have regular changes over time. Even minor changes and incompatibilities can cause errors that may be hard to detect.
Rust is evolving more than C and C++. C changes have been more on the side of refinements, while C++ has been adding features. Because Rust is changing more rapidly than C++, the differences between a Rust compiler available today and one next year could be significant.
Commercial support for a fixed instance of a toolset usually means bug fixes as well. These are typically applied to the latest incarnation of a tool, and selective changes may be incorporated into older versions. This could require customization due to differences between the tools. For those without commercial support, such bug fixes would need to be done by the developer.
Check out more videos/articles in the TechXchange: Rusty Programming.