Certified Compiler

I am working at a company which sometimes does medical embedded projects.

For these kind of projects the suspect of a save, language, without buffer overflows, and reliably working hardware are a godsend.

Now for any medical project a certain degree of verification/certification is required.
Is it somehow possible to let the Rust Compiler be certified? Maybe offer a special license for the “certified” compiler version, which companies will have to pay. Or just offer the certification for everybody using version x.

For a medical project this would be one very important part, before i could even start using rust.

1 Like

Maybe a custom compiler would need to be written and IMO no compiler, or to say, no piece of software is 100% reliable (nor is any hardware). Plus the licensing model of Rust would be an issue too. would prevent anyone from ‘selling’ it. Elaborating on that, Rust is OSS and licensed under the Apache License and MIT License. Also there have been contributions by lots of developers across GitHub and hence the ‘Rust Team’ doesn’t really own the code. To sell it or provide custom licensing, the ‘Rust Team’ would have to take consent of all contributors and lots of legal stuff there (I am not a lawyer, but come on, an OSS contributor knows quite a bit :wink:).

It’s much like why ZFS was not pulled into Linux as it used a separate license, and here it’s way more than that. If a custom compiler is written, maybe that can be certified and then sold, and I’m not too sure about that.


What are some other certified compilers that you use in this space? Are they all proprietary, or are there open source options?


FWIW, open source is not necessarily at odds with selling certified software. For example, here are lists of security certifications from Red Hat, SUSE, and Canonical. (disclaimer: I work for Red Hat.)


Not at all. Anyone can take the Rust source code and sell it, with or without modifications. Why anyone would buy it while it’s available for free online is another question…


The OP just said why: legal liability.

1 Like

Nobody mentioned liability?

Exactly my point, why’d anyone buy it?

I think not buy like you want to use product and rewards the creator of it.

But like some kind of trust, that the compiler have run some kind of various required tests. And backed by a person who is willing to spend their time in jail or pay some compensation, if the software is not working as expected.

In medical application, I think it is expected.

In this case it is useless, if you buy it, and you still have notice/or disclaimer
“Use at your own risk”.


I’ve never heard of required certifications for compilers and I’ve talked with devs about this who work in the medical industry.

Is this a law for a specific country? Can you post a link to the information for that specific certification that is needed?

It may sounds weird for many people to certificate/verify compiler, but there is at least one industry-class compiler that does so: the CompCert C Compiler


The CompCert C Compiler translates C code to machine code using 9 layers of different IRs and transitions between them are mathematically proven to work as intended. Compared to other popular compilers like gcc and clang, it’s slow at compile time and produce slower code. But it’s formally verified to compile C codes as C standard specification.

1 Like

James Munns (@jahmez) is very interested in talking to companies that want a certified Rust compiler. I think he has a plan to address this problem.

What i know of that is typically used, is IAR or Keil.

Well it boils down to legal liability.

Why wouldn’t it be? Somebody just has to pay whatever entity does the certification that you need whatever fee they charge. There are probably consultancies that can be paid to make whatever toolchain changes are required for the certification, if any - maybe the certification entity offers these as well.

Those can be submitted as a PR that can be merged, resulting in a commit that represents a compiler that has been certified.

If you then wanted to use a newer version, you’d need to pay for a new certification.

Maybe offer a special license for the “certified” compiler version, which companies will have to pay.

Whoever pays for the certification of a particular commit is free to keep the changes private and sell the toolchain as a product.

Well it boils down to legal liability.

This does not require a product, only some entity that’s liable. If the particular commit was certified incorrectly, the certifying entity is liable for that.


What are your certification requirements? If it is just about supply chain and configuration management, there should be plenty of pre-existing examples (e.g., embedding Firefox in a medical device in a context that is not safety-critical).

If it is about toolchain support for building safety-critical software that can be certified, that is obviously much, much harder. This will only be possible for a language subset. You might be able to get some feedback from the various consulting companies that have experience with LLVM in a safety-critical context. This is likely only feasible if the system is very large, otherwise the overhead of bringing up a Rust toolchain in this context will be prohibitive.

The final interpretation is a certified or certifying compiler, that is, a compiler that is either proven (partially) correct, or that provides a proof, along with the object code, that the object code implements the semantics of the source code. That requires formal semantics for the Rust subset the compiler uses and the target machine language, and typically, neither is available today.


A certification of the compiler is only possible if there is a committee agreeing on a version of rust which will then be there for a couple of years, before a new version is published. For the certification the working processes are important. From the requirements made by the committee new requirements for parts of the compiler are derived. They have to be well documented and tests have to be written.

So once the committee agrees on some standards, it is not possible to insert new features in the language for a couple of years. This all makes Rust not certifiable at the moment. One reason is LLVM, you probably can not use it in the certified compiler. It will at least take 10 years till Rust is ready to be used in aircrafts or nuclear power plants. At the moment the most widespread language in this area is Ada, not C (since it is unsafe).

It is rather strange, why branching can not do the job?

Rust team can create long-term-support branch (LTS) and do not insert new features into it,
at the same time you can keep going with mainline as usual new features, new bugs and so on.

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.