Using Rust for railway software / [no_core]

Adacore handles this in pretty much the same manner as Redhat: open-source the compiler at a slow rate (one big release per year), but sell next-business-day support contracts and certified releases for a premium.

2 Likes

It seems that nobody has mentioned it so I'll just say it: if you want to go on with this what you need is professional support. That costs money, but you seem to be ok with that, so please contact the Rust team directly and officially, they can help you get it. In particular, you might want:

  • professional help with the certification process provided by someone that is an expert in both the Rust language and the certification process itself
  • bug-fixes back-ported professionally for ESR versions
  • professional support in general: you might find problems specific to your field that might need fixing, have general questions, etc. An answer on a forum post is barely accountable, but a report written by an expert has weight.

So please, officially contact the Rust team about any of this. They might not be able to directly offer you any of it, but they might know people or companies who can.

If 2-3 companies that are willing to pay a reasonable price for this kind of support pop up, that is already enough to have somebody working full-time on this (inside or outside the Mozilla Corporation). For all you know Alstom might end up donating money to the Mozilla Foundation instead... getting professional support for free due to tax deductions... But I am not a lawyer nor a contract manager so don't listen to me.

3 Likes

We have already contacted the Rust team to inform them of what we are working on (a few months before we actually started). But all this discussion on certification, license and support is just too soon and off-topic.
For now, I am just evaluating (technically) whether Rust can be a good language for the kind of development we do at Alstom (and what advantages it has over C, ADA or other languages on the market). The [no_core] subject was about knowing what subset of the language I can actually use for the evaluation and whether there is a blocking situation that totally forbids Rust usage in our development (still, even with libcore we can make (embedded or not) programs that do not require a certification).
My question is here on the forum because I believe that the answer may benefit someone else. However, we have drifted from the original subject and discussed support and certification, but yes, if we get there, we will definitely ask the Rust team if there is some way to get professional support.

Edit: To be clear, since my answer to skade about ESR we are off-topic and what I say reflects more my personal opinion than anything else. I was just trying to discuss and answer the questions; I'm not asking for anything.

7 Likes

Just out of curiosity, can you elaborate a bit on some other "new" programming languages which you would consider for railway use in this R&D project?

I'm asking this for two reasons. First, knowing what languages you are trying to evaluate and compare in this project may help us inform you on where the differences and similarities lie. Second, I have the (possibly wrong) impression that many programming language designers have been neglecting embedded and low-level use cases lately in an attempt to simplify implementation, and that it's getting harder these days to find new programming languages with the basic ability to cast integers into pointers, let alone predictable timing characteristics. Just would like to know, out of personal interest, whether that feeling is accurate or just psychological bias at work.

"new" covers a lot actually when you use C89 :sweat_smile:.
The initial list was quite long but Rust is the last one investigated now. Candidates that went quite far were D and Nim. D could be good for us in its "safeD" mode and without its garbage collector, but I was not very confident about it after reading some experiences with it, especially the fact that no one seems to use it without its garbage collector. Rust beat it on the line but we could give D a try if things do not go well with Rust. In the end we may also stick to C and ADA.

2 Likes

Am I the only one who thinks the certification sounds like an integer32 thing? @carols10cents

The reason no_core isn't stable is that you can, by incorrectly defining parts of libcore, crash the compiler or cause it to emit unsound code. It doesn't have it in the name, but the #[lang="XXX"] attribute is unsafe.

2 Likes

Nope, as it's basically the Rust consultant out there, it's a logical pick for commercial things.
For Germany/Europe, I know that Asquera gives commercial Rust training. Not sure if they do other commercial work?
@skade, do I recall correctly that that's your employer? Or am I mixing things up in my brain?

(Edit: fixed broken link)

A small question, because I'm not sure if you are aware of the RustBelt project (http://plv.mpi-sws.org/rustbelt/):
What does a compiler certification look like? What is the difference between formally proving a compiler and a certified compiler?
If I'm not totally wrong, the people from the RustBelt project are trying to formally prove the Rust compiler. That could come in handy if you need to get a certified compiler.
I must say that I would find it most useful to have a certified Rust compiler, as I know of no alternatives but Ada or working with a proven subset of C99.

2 Likes

I am the owner ;). We're open to all kinds of Rust commercial services, it's just that our trainings are the most successful and visible ones.

2 Likes

Oh, I was so close, yet so far away! :smile:

But who knows, your Berlin base is closer to (French) Alstom than integer32 is (San Francisco, I believe?)...

My question is here on the forum because I believe that the answer may benefit to someone else. However, we have drifted from the original subject and discussed about support and certification but yes, if we get there, we will definitely ask to the Rust team if there is some way to get professional support.

Just to let you know I am working on embedded medical devices, and even if we don't consider using Rust now, I am really interested by that kind of discussion.

2 Likes

Ha, at last I can chime in! Thanks to @oli_obk for pinging me :wink:

We used to work freelance on automotive software using Rust and did start evaluating the use of Rust in this field specifically for safety critical parts, although only up to a possible SIL3 (that is "safety integrity level", has not been mentioned before). The automotive industry has the ASIL ("automotive SIL") standard as well, ranging from A-D, with ASIL D being roughly equivalent to SIL 3. If you want to read the standard, be prepared to shell out a couple thousand dollars for ISO 26262 and IEC 61508 though.

To avoid misunderstanding: The definition of "verified" and "validated" differs greatly between mechanical engineering (where most of the requirements are written) and computer science (which I assume is the background of most software engineers developing in Rust at the moment). To my knowledge, few if any compilers or systems in use are actually formally verified in a mathematical sense. The standards often are either not strict enough or overly specific; they can be a hindrance and catch only the biggest blunders. Still, as far as I know, not adhering to them is considered grossly negligent. Be prepared to learn that safety is not guaranteed by the standard and safe software will not necessarily result in passing the evaluation.

For research, I have talked with employees of TÜV about the possibility of getting Rust into an appropriate TCL ("tool confidence level"), which can (but need not) involve a test suite verifying the software does what it is supposed to do. Many vendors will sell you "pre-certified" compilers, e.g. a typical C compiler that has this seal of approval will usually cost at least $10,000 (ARM), I believe there are additional modules specifically for automotive that cost extra. Libraries are usually included there as well. You can see how an Open Source solution would be very valuable.

Getting there will involve a good bit of work and money and a lot of paperwork, but I think it is not impossible. I do remember the anecdote of one of the older employees that, according to him, was once in a similar situation: He had trouble getting this newfangled language called "C" approved for use, replacing a lot of safe and trustworthy assembly code...

@japaric's work has really pushed things forward for Rust embedded; but has a different focus: Lots of features are a little scary when developing safety critical software -- the focus is completely different, what is an exciting new function that is "safe enough" in a normal use case is just a liability (too many lines of code) in a safety critical environment. You can see why IoT with its thirst for features is such a scary prospect!

If someone wants to push this forward, I am excited as well. I did ask about the cost of sponsoring this kind of development on #rust about 1.5 years ago, but shrugs abounded.

Then there's the platform: I think ARM is the most likely candidate. Have a look at things like Cortex-R MCUs. At the very least, ARM needs to have first-class support for the ARM embedded architecture -- it did not always. Rust 1.13 had a floating point bug that for us would result in miscalculations (turned a 42 into a very small float) in engine torque. Things did not look good for the platform then.

Last time I talked to adacore, which have a lot of experience in Ada in this regard (who doesn't like listing fighter jets, railway systems as references? =)) they said they were watching Rust closely and with interest. It was my impression that SIL4 and above was more likely to be Ada instead of C, but that may have been the marketing. Their trade fair booth did feature a verified trainset though!

@oeble Let me know if you want to hear a few more experiences, I do not want to stretch my NDAs any further here though. Recently, we did form a consulting company (49nord) for embedded Rust work (though we branch out as needed, as the market for this particular niche is way too small at the moment). On the plus side, we are almost as close to France as you can get without leaving Germany ;).

10 Likes

Do you know how verification would work with a language that has no standard?

No, sorry. Defining one (possibly for a subset) is something that would probably be one of the more expensive parts of the process. Finding out whether or not this is actually required will probably involve a lot of discussions with the person doing the actual audit.

That is only half the story though, there's the backend still - ARM has a line of "safety" certified compilers, I believe either version 6 or 7 switched to LLVM recently, but don't quote me on that. They would know more about these things.

A good strategy would be to find out what the actual, hard requirements are first. Every time I approached the topic initially, I was surprised how far my (somewhat academic) intuition was off, e.g. I kept thinking how to formally verify a specific subset of a part of the toolchain when the reply to the question was more like "oh, we just run a few tests here and if they all pass, it's validated".

8 Likes

Since Rust has unit/integration tests embedded in the codebase, it can maybe be a good candidate for a change of mind on SW development & proof.
Based on clean coding practices, the industry could afford more ambitious code and non-regression management thanks to the tests.
Obviously this is at the huge cost of reworking processes and certification BUT it improves delivery time by at least an order of magnitude. Designing fluidity...
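Since the post above leans on Rust keeping unit tests next to the code they exercise, here is an added example (not code from the thread, from Alstom, or from any project named in it) of a core-only braking-distance function with its tests embedded in the same file. The formula, the millimetre-based units, the error enum and all sample values are constructed for illustration; the point is that every failure mode (zero deceleration, conservative rounding, extreme inputs) is pinned down by a test that lives with the code and runs under `cargo test`.

```rust
// Added example: a small, panic-free computation using only `core` APIs,
// with its unit tests embedded in the same file via `#[cfg(test)]`.
// Units (mm, mm/s, mm/s^2), the formula and the sample values are constructed.

/// Failure modes the caller must handle explicitly; the function never panics.
#[derive(Debug, PartialEq, Eq)]
pub enum BrakeError {
    /// Intermediate arithmetic would have overflowed u64.
    Overflow,
    /// A zero deceleration has no finite stopping distance.
    ZeroDeceleration,
}

/// Stopping distance in mm for speed `speed_mm_s` (mm/s) under constant
/// deceleration `decel_mm_s2` (mm/s^2): d = v^2 / (2a), integer arithmetic,
/// rounded UP so the result is always conservative.
pub fn stopping_distance_mm(speed_mm_s: u32, decel_mm_s2: u32) -> Result<u64, BrakeError> {
    if decel_mm_s2 == 0 {
        return Err(BrakeError::ZeroDeceleration);
    }
    let v = u64::from(speed_mm_s);
    // u32 * u32 always fits in u64, but checked_mul documents the intent and
    // keeps the function correct if the input type is ever widened.
    let v2 = v.checked_mul(v).ok_or(BrakeError::Overflow)?;
    let denom = 2u64
        .checked_mul(u64::from(decel_mm_s2))
        .ok_or(BrakeError::Overflow)?;
    // Ceiling division without the `v2 + denom - 1` idiom, which could overflow.
    let q = v2 / denom;
    let r = v2 % denom;
    Ok(if r == 0 { q } else { q + 1 })
}

/// True when the train can come to rest within `distance_mm` of the target.
pub fn can_stop_before(
    speed_mm_s: u32,
    decel_mm_s2: u32,
    distance_mm: u64,
) -> Result<bool, BrakeError> {
    stopping_distance_mm(speed_mm_s, decel_mm_s2).map(|d| d <= distance_mm)
}

fn main() {
    // 10 m/s at 1 m/s^2 needs 50 m: 10000^2 / (2 * 1000) = 50_000 mm
    match stopping_distance_mm(10_000, 1_000) {
        Ok(d) => println!("stopping distance: {} mm", d),
        Err(e) => println!("error: {:?}", e),
    }
}

// Tests embedded with the code: compiled only under `cargo test`.
#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn nominal_case() {
        assert_eq!(stopping_distance_mm(10_000, 1_000), Ok(50_000));
    }

    #[test]
    fn rounds_up_conservatively() {
        // 1^2 / (2 * 1) = 0.5 mm -> must report 1 mm, never 0.
        assert_eq!(stopping_distance_mm(1, 1), Ok(1));
    }

    #[test]
    fn zero_deceleration_is_an_error() {
        assert_eq!(stopping_distance_mm(5, 0), Err(BrakeError::ZeroDeceleration));
    }

    #[test]
    fn extreme_speed_does_not_overflow() {
        // (2^32 - 1)^2 = 18446744065119617025; / 2 rounded up.
        assert_eq!(stopping_distance_mm(u32::MAX, 1), Ok(9_223_372_032_559_808_513));
    }

    #[test]
    fn clearance_check() {
        assert_eq!(can_stop_before(10_000, 1_000, 50_000), Ok(true));
        assert_eq!(can_stop_before(10_000, 1_000, 49_999), Ok(false));
    }
}
```

The `Result` return type is what makes the tests meaningful for a safety argument: there is no hidden panic path, so each test names either a value or a specific `BrakeError`, and a reviewer can map every branch of the function to a test case in the same file.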

I doubt that this is true. Compiler vendors (especially GCC and LLVM/Clang) have been changing handling of undefined code.

This topic was automatically closed after 41 hours. We invite you to open a new topic if you have further questions or comments.