That C/C++ have a formal standard and have an entire tool ecosystem is a huge advantage over Rust for mission critical and safety critical areas (not that Rust would be used for SC applications).
> "is a huge advantage over Rust for mission critical and safety critical areas"
There's no C/C++. They are entirely different languages (even if C is supposed to be a subset).
Not exactly suitable for mission critical systems. The fact that they are used for that is more due to the fact that they can interface with hardware at a fairly low level and the amount of engineers with C (and nowadays, C++) knowledge.
The 'formal' standard doesn't help you much when there's so much undefined behavior.
> There's no C/C++. They are entirely different languages (even if C is supposed to be a subset).
I think the OP is trying to say that both C and C++ have international standards.
> Not exactly suitable for mission critical systems. The fact that they are used for that is more due to the fact that they can interface with hardware at a fairly low level and the amount of engineers with C (and nowadays, C++) knowledge.
And highly deterministic behaviors, crucial in real time systems. But I think Rust is trying to provide those guarantees too.
If Rust had a formal standard, and had the tool ecosystem, then I could see it being an interesting possibility for critical systems, certainly for the same places that Java + RTSJ would be appropriate. I won't be the first one to try and push a Rust-powered device through regulatory approval though.
> There's no C/C++. They are entirely different languages (even if C is supposed to be a subset).
C++ is a subset of C, not the other way around.
> the fact that they can interface with hardware at a fairly low level
That's certainly one reason. Others include raw performance (think real-time safety-critical applications), no funny abstractions, tighter memory footprint, more flexibility, etc.
> and the amount of engineers with C (and nowadays, C++)
While I believe there are a number of C++ engineers out there, I'd wager that the number of competent C language engineers has dwindled over the years. Sure, everyone learns some C, but to know it well enough to write embedded real-time safety-critical systems is a whole different game. (not to mention the number of Java engineers has greatly outpaced even C++ engineers, thanks to University teaching Java, Android's dominance, and the lower barrier to entry).
> The 'formal' standard doesn't help you much when there's so much undefined behavior.
The formal standard defines what is undefined. Your safety-critical code shouldn't rely on some compiler-specific quirks or some magical code, but rather it should stay within the bounds of well-defined behavior.
I can't see how this statement could possibly be true.
> no funny abstractions
Really? Maybe I suck at C++, but I can't meaningfully reason about template-heavy code. Not about the run-time performance, nor resource consumption. STL and Boost are beyond funny if you ask me.
> The formal standard defines what is undefined. Your safety-critical code shouldn't rely on some compiler-specific quirks or some magical code, but rather it should stay within the bounds of well-defined behavior.
Agreed. But take a look at the specification and you'll be amazed on just how much stuff is left for the actual implementation to figure out.
You are right, they have diverged. However my initial statement was/is true, as C++ started as a subset of C (even though the two are totally incompatible for all non-trivial programs today).
A formal standard that has undefined behavior and is apparently difficult to implement a compiler for. It seems C++ is popular for mission critical software despite its standards.
Basically, avoid using C++, except for <insert list of features here>.
The way Qt does is actually quite pleasant to work with, but they avoid most language features and roll their own (QObject, I'm looking at you), even including their own preprocessor.
This is incorrect. Any language with a well-defined semantics (such as a compiler or interpreter) can be validated formally. It may just be too time-consuming for people to bother. For example the operational semantics of C has been implemented formally, e.g. [1]. The same could be done with C++.
My day job is currently writing embedded high availability code to a slightly modified version of the JSF coding standard (which is itself a modified version of MISRA for C++). There's a lot of safety that Rust would give us on top of C++ with the coding standard's rules, and we're waiting for Rust to simply mature a little.
To me, it seems like in the future Rust could occupy the same niche as Java + RTSJ does presently. I'm just not clear on how or why Rust would be sufficiently better to overcome the track record of Java + RTSJ.
JITs and interpreters suck for realtime, and there's only so many optimizations that an AOT compiler can do to a Java codebase (hence why JITs ar so prevalent for Java). Pushing all of these verifications into compile time significantly reduces the run time requirements.
Honestly I see Rust as (potentially, down the road) being a better, less verbose Ada than a better C++ or Java. You tend to write Rust code much like you would an Ada or VHDL program.
Both JamaicaVM and PERC seem to have favorable requirements when run with AOT compilation, and the JIT compilation didn't seem too onerous either. What problems have you run into?
I ask because I'm in the process of spec'ing out a safety critical medical device, and JamaicaVM is the lead candidate at the moment.
There's no C/C++. They are entirely different languages (even if C is supposed to be a subset).
Not exactly suitable for mission critical systems. The fact that they are used for that is more due to the fact that they can interface with hardware at a fairly low level and the amount of engineers with C (and nowadays, C++) knowledge.
The 'formal' standard doesn't help you much when there's so much undefined behavior.
Tool availability is a fair point.