“Software Defined Vehicle (SDV)” is a term which is becoming increasingly common in the automotive software industry. It refers to a vehicle whose features and functions are primarily implemented in software and, moreover, that the hardware components used in the vehicle play a secondary role in defining the vehicle specification. There are three major trends which will drive the evolution of SDVs — electrification, autonomous driving and connectivity.
Modern vehicles come with more than 100 electronic control units (ECUs) which run millions of lines of code. For SDVs, the number will be even higher as the computational power required to run them scales even further.
Automotive software is traditionally developed in C and C++, as these languages are most suitable for resource constrained embedded systems. However, these languages are highly prone to issues related to memory safety and data race conditions. A good alternative is Rust; it’s a language specifically designed to overcome these limitations without the overhead of a runtime garbage collection mechanism. Furthermore, it has been observed across the industry that the efficiency of Rust in terms of execution time and memory usage is comparable with C and C++ — that means you’re not losing anything in terms of performance.
The built-in safety from memory leaks and race conditions offered by Rust makes it very suitable for automotive software where functional safety and security are highly valued. Considering this, automotive organizations like AUTOSAR and SAE have already formed interest groups (discussed in later sections) to evaluate the usability of Rust in automotive middleware and system software.
Additionally, being a modern language, Rust offers sophisticated build tools, such as Cargo, which make it easy for developers to follow the best software development practices such as TDD, dependency management through crates, linter checks, formatting and documentation among other things. This mature ecosystem of tools provides a standardized approach for managing large projects that enhances developer productivity.
This blog offers a perspective on Rust as a preferred language for automotive software development and outlines how Rust could be gradually adopted by the automotive industry.
A case for a new language
Recent Data shows that a majority of severe runtime bugs are related to memory safety and data races:
Approximately 70% of vulnerabilities observed by Microsoft in their release software are memory safety issues.
As observed in the Chromium project, approximately 70% of the high severity bugs are memory unsafety problems (that is, mistakes with C/C++ pointers).
Thus, it is reasonable to say that the software written in C/C++ is prone to memory safety issues and that it’s difficult to catch these issues during the software development process (compilation, QA, static/dynamic testing etc.). Therefore, industry has been continuously evaluating other languages; the most promising alternative seems to be Rust.
Indeed, there’s a need for the automotive industry to look at modern programming languages which can solve at least the critical problems, where C and C++ are failing, without sacrificing the runtime efficiency offered by these languages. Here are some reasons why Rust is being considered as a strong alternative:
Rust enforces memory safety at compile time - The Ownership Based Resource Management (OBRM) approach used by Rust for handling data ensures memory safety without compromising runtime efficiency.
Safe concurrency - The OBRM approach also ensures safe sharing of data among multiple execution threads without race conditions.
Modern compiler and tools - Rust compiler produces accurate warnings and errors which help developers to fix issues quickly. Rust build environment includes modern tools such as Cargo for build management, formatter, linter, documentation generator, testing etc. which improve developer productivity.
Rust community and ecosystem - As Rust adoption is increasing in the industry, the Rust community is growing fast. There is a great collection of open source libraries and projects for developers to navigate through the Rust development journey.
Although it’s not easy to quantify the direct business impact of the Rust features described above, we can relate these features with the general business outcomes as shown in Figure 1.
Adoption of Rust in the automotive industry
To develop automotive software in Rust, you will need to consider a few factors discussed below.
Interoperability with C and C++ code
Adopting a new language in a greenfield project is relatively straightforward. However, most projects start with an existing codebase and prior work already having been done. Clearly, it’s not practical to simply change all of the existing codebase into Rust. Apparently, Rust designers were mindful of this fact, and as a result, the language provides good mechanisms for interoperability with C/C++.
The Foreign Function Interface (FFI) provides built-in support for binding with external C code. Though C++ bindings are not directly supported by FFI, the cxx library provides a safe mechanism for calling C++ code from Rust and Rust code from C++. This makes it possible to implement some new features in Rust in a project where the primary language of development is C or C++, or use existing C/C++ libraries in a Rust application.
It’s worth noting that Rust may not provide the seamless interoperability with C++ that Carbon does. Although Carbon has been spoken of as a natural successor to C++, it is currently in a somewhat experimental phase; it may take a long time to reach a state where it can be used for production grade software development in the automotive industry.
Rust for safety critical systems
Functional safety and cyber security are primary requirements for automotive software. Rust inherently offers memory safety, thread safety and type safety which is a prerequisite for developing functionally safe and secure software.
As mentioned earlier, more than 70% of all common vulnerabilities and exposures at Microsoft are memory safety issues. Several industry-wide studies indicate similar observations about security vulnerabilities. This makes Rust a particularly useful language for developing secure software.
At present, standard Rust tools (rustc compiler) are not ISO 26262 compliant. However, multiple initiatives within the automotive industry indicate that there is interest in adopting Rust for automotive software development. Below are a few projects/initiatives that demonstrate this intent.
- Ferrocene Language Specification (FLS)
AdaCore and Ferrous Systems are building a qualified Rust toolchain for safety-critical systems to cater regulated markets such as automotive, avionics, space and railway.
AUTOSAR formed a subgroup within the Working Group for Functional Safety (WG-SAF) to investigate how Rust could be applied in Adaptive Platform Context.
- SAE forms SAfEr Rust Task Force
SAE International has formed a task force to generate a document describing the guidelines for writing safety critical software in Rust for the automotive and avionics industry.
- Eclipse SommR
SommR is an automotive grade implementation of the SOME/IP specification for embedded Linux systems. This is an Eclipse foundation project which is being developed in Rust.
Rust-for-Linux is a Linux Foundation project which aims to add support for the Rust language to the Linux Kernel. Though this is not an automotive industry specific project, Linux is widely used as an operating system in various industries including the automotive industry.
Further, at the time of writing, it is being reported that Linux kernel from version 6.1 will officially support Rust.
Rust with ROS
ROS (Robot Operating System) is an open source software development kit for robotics applications. It’s backed by several automotive companies as it provides useful tools for autonomous driving. Autoware is an open source project built on ROS which specifically helps to develop software for autonomous vehicles.
ROS doesn’t officially support Rust’s client library, but ros2-rust is a community-driven project which includes a set of projects (the rclrs client library, code generator, examples and more) that helps developers write ROS 2 applications in Rust.
Rust for embedded systems
Rust is suitable for resource constrained bare metal embedded systems (ie. they don’t have an operating system) with limited computation power and onboard memory. Typically, C (and, to a lesser extent, C++) is preferred for such applications; however, the memory safety and type safety offered by Rust can be useful in such applications as well. The Embedded Rust Book discusses in detail how Rust can be used for embedded systems.
Rust adoption strategy
Using Rust for a greenfield project would be straightforward — you just need to choose Rust for your project! However, in many cases, you will have an existing codebase or dependencies written in other languages like C++. With the interoperability features available in Rust for C/C++, it’s possible to develop some components of the project in Rust and then integrate these components with the rest of the C++ code. CXX is a library which provides a safe mechanism for two-way binding between C++ code and Rust code. There are multiple possible approaches; which one you choose will ultimately be based on architecture, project file structure, and primary build tools.
For example, in a C++ project which uses CMake build tools, you may write custom cargo commands to build Rust components.
There could also be a scenario where you started with a Rust project and you want to use an existing C++ component such as a licensed C++ library. Cargo provides different ways to build C++ code or use C++ libraries with Rust code.
Although, technically it’s feasible to combine Rust and C++ components in a project, it nevertheless poses certain challenges for maintenance and project management. The software architecture could, for instance, become a bit complex, and the project team will inevitably require both C++ and Rust developers. If existing C++ developers plan to learn and develop in Rust, it should be noted that there is a significant learning curve — this means it could take some time for them to get up to speed enough to ship Rust code.
Rust matches C++ in terms of performance and, in some quarters, much more, particularly when it comes to memory safety, managing runtime issues and security vulnerabilities. For these reasons, we can be confident in using it in the automotive space. And as automotive software evolves for SDVs, moving to Rust will likely only increase in attractiveness. It could help manage post-release maintenance costs and allow product teams to focus on new features, ultimately reducing the time to market.
The challenges with Rust, such as the lack of an ISO26262 compliant toolchain, its learning curve and the availability of the talent in the industry, are temporary. As the tools available for Rust become certified from a safety perspective and interest in the language grows any sense of trepidation about using it will begin to dissipate. Moreover, because Rust has features that make it interoperable with other programming languages, it should be possible for project managers to develop delivery strategies that minimize delays and spiraling costs.In the current situation, where companies are facing issues handling rising software complexity, many will be tempted to shy away from such a bold move. However, being quick to adopt Rust not only offers a real chance to gain a competitive advantage, it could also trigger a change in the domain. The question is not if Rust, but when!
Disclaimer: The statements and opinions expressed in this article are those of the author(s) and do not necessarily reflect the positions of Thoughtworks.