rss-bridge 2025-10-14T19:37:00+00:00

SE Radio 690: Florian Gilcher on Rust for Safety-Critical Systems

Florian Gilcher, co-founder of Ferrous Systems and the Rust Foundation, speaks with host Giovanni Asproni about the application of Rust in mission- and safety-critical systems. The discussion starts with a brief overview of such systems, and an introduction to Rust, emphasizing aspects that make it well-suited for critical environments.

Florian and Giovanni then discuss how Rust compares to C and C++ — two widely used languages in this sector. They proceed to outline important factors that companies should consider when assessing whether to move from C or other languages to Rust. The episode also touches on Ferrocene, an open-source Rust toolchain qualified for safety- and mission-critical systems, which was developed and supported by Ferrous Systems. The conversation ends with some reflections on the future of Rust for mission- and safety-critical applications.

Brought to you by IEEE Computer Society and IEEE Software magazine.

Show Notes

Related Episodes

  • SE Radio 644: Tim McNamara on Error Handling in Rust
  • SE Radio 490: Tim McNamara on Rust 2021 Edition
  • SE Radio 279: Florian Gilcher on Rust
  • SE Radio 152: MISRA with Johan Bezem

Articles and Resources


Transcript

Transcript brought to you by IEEE Software magazine.

This transcript was automatically generated. To suggest improvements in the text, please contact [email protected] and include the episode number and URL.

Giovanni Asproni 00:00:18 Welcome to Software Engineering Radio. I’m your host, Giovanni Asproni and today I will be discussing Rust for mission and safety critical systems with Florian Gilcher. Florian is the managing director and co-founder of Ferrous Systems. He has worked with the Rust programming language since 2013 and he co-founded the Rust Foundation. His company is the creator of Ferrocene, an open-source Rust compiler tool chain, qualified for safety and mission critical applications. Florian, welcome to Software Engineering Radio. Is there anything I missed that you’d like to add?

Florian Gilcher 00:00:49 Oh, I think that’s been perfect. Thank you, Giovanni.

Giovanni Asproni 00:00:52 You are not even new to the Radio because I see that you were a guest in Episode 279 about Rust. In fact, it was quite some time ago.

Florian Gilcher 00:01:00 Exactly. That was actually before forming Ferrous Systems, when I was the lead of the community team in the Rust Project. So I was more representing the project there.

Giovanni Asproni 00:01:09 And in fact, there are some episodes that are related to this one, that is the Florian Episode 279 on Rust. So it’s a bit of an old episode, but I think, being about the language, I mean the basic ideas should be the same pretty much; maybe the language evolved, but the core ideas.

Florian Gilcher 00:01:34 Yeah, and I hope my understanding is refined, that’s a very new language back then.

Giovanni Asproni 00:01:39 Yes. And then also there is Episode 152. This is quite an old one, is about MISRA with Johan Bezem and all of them will be linked in the show notes. Now ready to start Florian?

Florian Gilcher 00:01:54 Of course. Let’s go.

Giovanni Asproni 00:01:56 Okay, so let’s set some context. Let’s start from the very basics. What is a mission-critical system?

Florian Gilcher 00:02:02 I mean the punchy one-liner is anything that if it fails, it hurts you. Particularly mission critical is usually it hurts you fiscally. We’re talking about safety critical, we’re talking about systems where people could be harmed. All lives are at stake.

Giovanni Asproni 00:02:16 Okay, there are distinctions between mission and safety critical. What is the difference there?

Florian Gilcher 00:02:22 It is something like you’re running a major web service, you’re running a major data center. It is critical that your base systems never fail. If they fail, the whole data center is down. None of your clients can work. That can have repercussions in, for example, a whole hospital system may go down; this is often called mission critical. But because something like, for example, an AWS data center is nowadays so much a part of everything in our lives, this can have repercussions down the line where safety critical systems fail because they haven’t anticipated that case and people could actually be harmed. So the distinction is actually, from my perspective, getting harder and harder. The perspective that I’m taking is there’s a new-found desire in software correctness for multiple reasons coming out of different directions. Rust, as a programming language that says safe and correct code directly in its claim, comes out of a web browser company. It was originally designed at Mozilla, and not just because someone wanted to build such a language just for fun in Mozilla Research, but because they had a legitimate need for that. So that’s pretty interesting, that a language that we’re currently talking about, like is this the new language in safety critical, comes out of a space that is pretty far from safety critical, but mindset-wise is pretty close.

Giovanni Asproni 00:03:46 Yeah. And I think that sometimes we realize that the systems are safety critical when something bad happens. You know, like cloud providers that have some kind of loss of service for whatever reason, or I think some time ago something happened even to Google, I think Gmail issues. So all of a sudden entire businesses cannot really work anymore.

Florian Gilcher 00:04:06 Yeah. And that was a memory safety issue. It was another point of the reference that they actually actively ran into the retro about that is quite clear about this.

Giovanni Asproni 00:04:14 So yeah, you are smiling because this is like, it wouldn’t have happened with Rust I guess, joking.

Florian Gilcher 00:04:23 In a way, yes, there’s other bugs of that scale that you can build on Rust, but Rust is there to help with that. So I think one of the things that legitimizes, I don’t need to legitimize Rust, but that is interesting about this whole move is Rust is not alone in being a new memory safe systems programming language. For example, Apple has developed Swift, which is pretty much in the same generation of programming languages. So it’s not just Rust coming up and saying, you all bad here. We know it better. It is much more a generation of new software development that also then invests into new base tooling, because it has new needs.

Giovanni Asproni 00:04:58 Yeah, yeah. Can I ask you, what are the criteria to say that a mission or a safety critical system is actually good enough for its purpose?

[...]
