The state of Rust trying to catch up with Ada
whoami
oli-obk
a maintainer of the Rust compiler
what is this talk not about
Rust evangelism
what it is about
- unsafe/unchecked
- generic packages/modules
- safety certification
- contracts
- subtypes
unchecked vs unsafe
#[no_mangle]
extern "C" fn malloc(_n: usize) -> *const u8 {
std::ptr::dangling()
}
generic packages/modules
error: expected one of `;` or `{`, found `<`
--> src/lib.rs:1:8
|
1 | mod foo<T> {}
| ^ expected one of `;` or `{`
safety certification
Ferrocene (https://ferrocene.dev)
It’s official: Ferrocene is ISO 26262 and IEC 61508 qualified!
contracts
use core::contracts::*;
#[requires(x.bar > 50)]
#[ensures(|ret| *ret > 100)]
fn foo(x: Bar) -> i32 {
x.bar + 50
}
pattern types/subtypes
state on stable Rust
subtype Non_Zero is Integer range 1..Integer'Last;
subtype Non_Null_Foo is not null Foo;
use std::num::NonZeroU32;
type NonNullFoo = std::ptr::NonNull<Foo>;
Tangent: strong vs weak type aliases
type Foo = u32; |
type Bar = u32; |
|---|---|
let x: Foo = 1; |
let x: Bar = 1; |
Patterns
match foo {
1..100 => {}
_ => {}
}
case Foo is
when 1 .. 100 => null;
when others => null;
end case;
match bar {
Dog | Cat | Bat => {}
_ => {}
}
case Bar is
when Dog | Cat | Bat => null;
when others => null;
end case;
Matching on two things simultaneously
match (foo, bar) {
(1..10, Dog | Cat) => {}
(10..20, Dog | Cat | Bat) => {}
(_, Bat) => {}
_ => {}
}
subtype Non_Zero is Integer range 1..Integer'Last;
subtype Non_Null is not null SomePointer;
type NonZeroU32 = u32 is 1..;
// non-null is WIP
type NonNull = *const Thing is !null;
So what's the difference?
- pattern types need explicit creation
- instead of just being part of type conversion
- pattern types do not do strong typing
u32 is 1..is always the same as any otheru32 is 1..
- pattern types only coerce, they don't relate
Creation
let x: u32 is 1.. = 42;
subtype Non_Zero is Integer range 1..Integer'Last;
X: Non_Zero := 42;
let a: u32 = 42;
let x: u32 is 1.. = transmute(a);
subtype Non_Zero is Integer range 1..Integer'Last;
A: Integer := 42;
X: Non_Zero := A;
Future creation
Without specifying the pattern again:
type Grade = u32 is 1..=6;
type Passing = u32 is 1..=5;
let grade: Grade = read_from_somewhere();
if let Some(passing) = Passing::try_from(grade) {
// yay
}
Patterns can be combined
type SomePercent = Option<u32> is Some(0..=100);
type Disjunctive = u32 is 0..=100 | 500..=1000;
type Tuple = (u32, &str) is (0..=100, "cake" | "fruit");
Summary
- TODO
- generic modules
- WIP
- contracts
- pattern types
- idiomatic conversion from/to
- caught up
- safety certification
- sound-by-default:
unsafeopt-out
The state of Rust trying to catch up with Ada
{"title":"The state of Rust trying to catch up with Ada","description":"extern/no_mangle not needing jnsafe","contributors":"[{\"id\":\"ce357653-6779-4c50-b873-5c2ef0815935\",\"add\":6158,\"del\":1290}]"}