Keep in mind that for this kind of project you want static analysis and formal verification (model checking for example) rather than just day-to-day safety features.
I.e. the Rust this, Rust that spam is a little naive to the task at hand, even though it would be a step up from C
NASA even has their own sound static analyzer for memory safety. If you use something like that, and depending on the context, there isn't even necessarily a memory safety advantage to using Rust over C or C++.
It was my understanding that when formal methods were used, they were used on very small subsets of code and not used in general. I do wonder about TLA+ and would love to hear more about how they use such tools.
I know I've seen an older document that specifically prohibited use of malloc that the risk was too great. Is that still the case?
Formal methods are indeed hard. They generally thrive on hardware, software is a wholly different kettle of fish in terms of the size of the problem (the actual methods are often similar, but hardware design generally encourages certain patterns that are easier to analyse)
I'm not related to this project or aerospace, so I can't divine more knowledge than anyone else, although I have seen many coding standards that forbid malloc after some critical time (e.g. no dynamic memory allocation after the plane is off the ground)
The problem is not the language, the problem are unbounded loops. Like linked lists vs vectors. Termination is theoretically impossible to prove, but practically you can handle it.
Parts of the STL were formally verified. cprover (with satabs and cbmc) can handle C, C++ or Java.
F' uses autogenerated classes, which helps a lot avoiding mistakes.
Case in point, while it is nice that Microsoft is now playing with Rust, it is quite far away from offering this to Windows developers, https://microsoft.github.io/microsoft-ui-xaml
Advocacy should always be tempered with a bit of hard reality check, otherwise one just ends up scaring possible adopters away.
Yes, but C is one of the languages with the very low amounts of inherent safety. So using a language/tooling that will be offering stricter possibilities of validations of behaviour/more safeguards against unsafe behaviour would likely catch a lot more bugs earlier when they are easier and cheaper to fix.
Probably once people have decades of experience with it and know every single trap or quirk perfectly.
Rust almost certainly could do the job now but stakes are so high no one would take that risk when its proven that C can do it and with enough auditing and conservatism, it can be done pretty safely.
I don't think the barrier is _people_ knowing the traps, as people are always fallible and any system relying on them knowing the "traps and quirks" is fundamentally pointless. I do think the barrier is, rather, _tools_ knowing the traps. Most systems in this class, FPrime included, rely extensively on code generation and model-to-code auditing, which, while usually not formally proven (unfortunately), is battle-tested.
Now, these sorts of systems should actually be _easier_, in the long-term, to build in Rust, since the type system can enable a class of proof which simply was not historically possible, but for the time being, the tooling doesn't exist yet.
I think the "safety" of "familiarity" vs pushing the envelope of what we can do technically are different things. We used to build brand new computers and operating systems from scratch specifically for these types of things.
The risks are indeed high for managerial staff. I worked at a large quasi-government place. "you won't ever get fired for using Microsoft, Oracle, etc" was a tagline we heard often in non-critical systems, so I imagine there would need to be some major technical reason to switch.
> Probably once people have decades of experience with it and know every single trap or quirk perfectly.
people were writing mission-critical C++ when C++ was new / only a few years old; with this in mind, rust is probably good to go with sufficient application/system testing
that said, since C++ & associated tooling exists, there is more of an opportunity cost since, in the context of today, there are more alternatives that could be considered
I think this is spot on. The tooling is there for C++, but human mistakes are much more prevalent, and the discipline to apply the tooling is not a given.
There should be an industry push for certified Rust tooling, it would save the aerospace and auto industry billions. Or you could use the unsexy but also very good ADA 2012, which is already certified.
iirc, SPARK has proof capabilities that outstrip the memory-safety guarantees of Rust. basically design by contract, where you can check loop invariants and statically verify complex preconditions and postconditions.
I suppose the workflow would be to flesh out and check the abstract design in something like Coq or (maybe) TLAPS, generate a refinement into the SPARK code contracts, then implement the functions. Since the toolchains are verified there shouldn't be much surface area for bugs left.
Iterator invalidation is a kind of use-after-free.
Mutating aliased objects is, of course, usually the desired outcome and not a bug. It becomes a bug when your program's concurrency logic is not thought through, and there are no easy solutions here.
