I was wondering what Ferrocene is. It looks like it's an effort to qualify the existing Rust compiler chain under some standards:
> Ferrocene is a qualified Rust compiler tool chain. With this, Ferrous Systems invested its decade of Rust experience to make Rust a first-class language for mission-critical and functional safety systems.
> For its first release, Ferrocene is a ISO 26262 and IEC 61508 qualified version of the existing open-source compiler, rustc. We plan to work on standards like DO-178C, ISO 21434, and IEC 62278 in the future.
> Ferrocene is a qualified downstream of the main Rust compiler, rustc, which is built and maintained for safety-critical and security use.
> Many vendors fork such compilers - they take a current version of the compiler, change it, qualify it, and then release this version to their customers. This often happens in the name of vendor-locked conveniences.
> Ferrocene is the upstream Rust compiler, rustc, unmodified - thoroughly tested on targets that are not supported by upstream.
It is that. IIRC C and C++ are already compliant and they are used in certain industries because of that. The end goal would be to have rust there as well.
C and C++ have safety certified implementations available for certain platforms from proprietary vendors. The language itself isn't, and neither are Clang or GCC upstream versions. In addition to the compiler, writing safety certified C or C++ code requires external tooling for static analysis etc. And lots of paper work to show due diligence with tools, processes and testing.
I can tell from $WORK experience that writing safety certified C or C++ code is very expensive and not fun.
For my line of work (systems programming for automotive industry), using Rust would be a massive improvement over C or C++. The amount of undefined behavior pitfalls and footguns is a big hindrance to productivity.
Perhaps the most labour intensive part is dealing with integer overflows in a way that keeps static analysis tooling happy. Just the fact that Rust has well defined semantics for overflows would save so much time and money.
Alas, using Rust was not a viable option when the project(s) I work with were started.
> Alas, using Rust was not a viable option when the project(s) I work with were started.
We hope things will change. One of the nice things about
Rust is that it can integrate into C in both directions - using C libraries is possible, as well as building components for C codebases. Quite a few of the people we talk to explore (re)writing critical components in rust.
The question is whether the certified version of them defines the behaviour of the flag sufficiently to be accepted as a means og achieving that outcome. It can be very difficult to do anything not endorsed by the standard, even if it's widely implemented.
C and C++ have standards, but certification applies to specific implementations only. Ferrocene aims to create a certified Rust implementation with minimal changes to the main compiler (rustc). To achieve certification, detailed documentation or specifications are needed. Ferrocene is doing that: their focus is on meticulous documentation, ensuring the implementation can be certified using standards like ISO 26262.
> Ferrocene is a qualified Rust compiler tool chain. With this, Ferrous Systems invested its decade of Rust experience to make Rust a first-class language for mission-critical and functional safety systems.
> For its first release, Ferrocene is a ISO 26262 and IEC 61508 qualified version of the existing open-source compiler, rustc. We plan to work on standards like DO-178C, ISO 21434, and IEC 62278 in the future.
https://ferrous-systems.com/ferrocene/
More details on what it is: https://ferrous-systems.com/blog/qualifying-rust-without-for...
> Ferrocene is a qualified downstream of the main Rust compiler, rustc, which is built and maintained for safety-critical and security use.
> Many vendors fork such compilers - they take a current version of the compiler, change it, qualify it, and then release this version to their customers. This often happens in the name of vendor-locked conveniences.
> Ferrocene is the upstream Rust compiler, rustc, unmodified - thoroughly tested on targets that are not supported by upstream.