[tptacek]

Because Rust is memory-safe and C isn't. I agree that C is easier to write on embedded platforms and kind of enjoy writing that kind of code myself. But shipping a product requires more than just writing the code; it also entails all the verification work you have to do after the code is working to keep the product in the market, and the verification burdens on embedded software are only going to increase as people generally get more clueful about security. Memory-safe languages will (if they aren't already) be a less expensive way to get a product to market.

[gmueckl]

Protip: look at the tooling requirements for safety critical software (aviation, automotive, industrial, medical...). Nobody is going to allow you to use tools that are not certified for these use cases. Certification of compilers, static checkers etc. Is a huge undertaking that only a few commercial vendors perform on their offerings. Open source is out because nobody even attempts yo run them through that process. What you are left with is highly priced toolchains for Ada, C or C++. The cheapest offerings I know start at high four figures per developer. Validating a new toolchain would likely be to the tune of high 6 up to 7 figures. Don't hold your breath.

[steveklabnik]

https://ferrous-systems.com/blog/sealed-rust-the-pitch/

[gmueckl]

Interesting. This is indeed a massive undertaking as it implicitly covers a lot of LLVM as well. It might take a couple of years until a core language is certified.

[Argorak]

The LLVM got covered as part of ARM switching their toolchain to clang. (FWIW, I'm part of Ferrous Systems)

[tptacek]

I've done professional validation work in automotive, industrial (and utilities), and medical (I'm a low-level C vulnerability researcher and have been since 1995), and believe you are simply wrong.

There are, no doubt, a number of niche systems that require specific toolchains. There are, in our fallen world, systems that require Ada or even particular variants of C. If you want to tell me that aviation flight control systems are such a niche, I will believe you --- I've never had to assess one.

But it is not the case that industrial computing or medical device software are locked into memory-unsafe languages due to industry-wide certificational requirements; in fact, that's something I know not to be true from specific experience. And virtually all of the embedded systems I've had to assess over the years would have benefited, commercially, from a memory-safe implementation language.

[gmueckl]

You surely must be aware of IEC 61508 and ISO 26262 if you work in that field. These govern automotive software and industrial automation (the later has no domain specific standard). It is easily verified that these standards are adhered to in practice. I worked on IEC 61508 compliant systems. And all these standards require that the tools used for compiling, verifying and testing the software is tested and certified to be correct. This certification is performed by a Notified Body. This is mandated by law for medical systems and the standard procedure for the rest.

This is a major barrier to entry for new programming languages in these markets. Note that I am not saying that improved memory safety wouldn't be useful in embedded software. But the market is so conservative in parts that real uptake is at least a decade or two away.

[littlestymaar]

You would be very disappointed if you knew how medical software is made. For instance most of it can crash without issue (and in practice, it does a lot!): all you need is to assess the risks that could result from a crash and mitigate it (for instance: the device should be designed in a way that stops doing anything as soon as its software crashes).

I've been a contractor for a medical devices company for one year, and the process where really lightyears away from what you are describing. Nothing even forces you to write and run unit tests…

Yes, that's scary.

[gmueckl]

Sounds like one of my previous employers.

The next company I worked at was industry, not medical, and this one did it right. So while there's black sheep out there, not all of them are.

Side note: whether a device can fall back to becoming inert on a failure depends on the type of device and the specific risks involved with that failure mode. It may be that stopping to do anything is the wrong thing to do, e.g. in a blood pump.

[adrianN]

All those standards have loopholes that allow you to use tools without certification provided you do the due diligence necessary. I know because I used to develop safety critical software using tools whose only merit was that they were in use before the standards required certification. Basically you run a standardized testsuite and write a document. You don't even have to pass all the tests, you just have to document why test failures don't affect the safety of your product.

Since many people are interested in using Rust for such applications, there are efforts underway to stabilize the compiler and do the necessary paperwork so that not every company needs to do it themselves.

[gmueckl]

These loopholes are slowly but surely being removed. DO-178 for aviation is the first standard to do that. I am certain that the others will follow.

What test suite are you talking about? I am really curious because this would completely upset the whole industry if what you ssid was true for the toolchain.

[adrianN]

I unfortunately don't remember where we got that testsuite, but it was a fairly basic set of C++ standards compliance tests that mainly checked that the standard library was implemented correctly. We developed according to EN-50128.