Rust in Automotive

Florian Gilcher, Christof Petig, May 2022

Structure

AUTOSAR adaptive and Rust
Tiny introduction to Functional Safety
Ferrocene compiler qualification

AUTomotive Open System ARchitecture

alliance of OEMs, Tier-1s, HW+SW+tool+silicon suppliers, …
Munich based
Two system variants
- classic: Microcontroler, C API
- adaptive: POSIX, C++17 API

AUTOSAR adaptive specs

POSIX PSE51 system interface
Reference implementation (Demonstrator)
system defined in ARXML
dynamic communication bindings
- similar to CORBA, dbus, ROS, …
- SOME/IP, shm or DDS backend

AUTOSAR adaptive (ARa)

Autosar layers

Rust for AUTOSAR adaptive

Static bindings
- Manually using C API
- Working demonstrator
Dynamic bindings (ARXML), WIP
- Async or blocking style
- Implement services from traits

Rust ara code example

Rust code example

Com: Proxy and Skeleton

Proxy and skeleton and App

Functional Safety, ISO 26262?

Goal is to avoid hazardous malfunction
ISO 26262 implements IEC 61508 standard for Automotive
Five levels: QM, A…D

Hazards by non-functioning systems are scope of “SOTIF” ISO/PAS 21448
Cyber security is scope of ISO/SAE 21434

ISO 26262 and software

Document for later need

Part 6/12 is about software
- Set of practices to avoid common errors
- Per level, customization expected
- Designing, coding, testing guidelines

Rust and functional safety

SAE international …
- Former "Society of Automotive Engineers"
… hosts the SAfEr Rust Task Force
Concretize ISO 26262 and more for Rust:
- Language subset, guidelines, evidence

SAE international

Volunteer based standards body
HQ Warrendale, PA
140k+ Members are individuals, not companies
Publishing technical information since 1906
Also Aerospace standards ⇒ S.A.E. to SAE international

Wishlist

FuSa goals match with Linux kernel and EmbAssy
Async
- Documentation of async memory allocation
- streams, async traits
- non-allocating interfaces preferred (dyn*)
no implicit dtor, explicit call by value

What is Ferrocene?

A high assurances downstream of the Rust compiler, quality managed
Additional (proprietary) targets
Extended testing for specific configurations
- Even compiler flags need to be tested in every used combination!
A long term support organisation

Quality management

Quality management ensures to customer that they have a good understanding of the tools quality
It gives a support framework that allows to inform them of and fix issues fast
It explains what features are there, how they are implemented and how they are tested.

Upstreaming

Ferrocene upstreams what can be maintained by the Rust project
- test suite improvements
- documentation
- upstreamable targets
- fixes for problems found

https://rustacean-station.org/episode/067-quentin-ochem-florian-gilcher/

Summary

AUTOSAR is de facto standard OS in automotive
- You can already use Rust by wrapping the C/++ API
Rust is suited for safety requirements
- Ongoing work on standard practices
- Ferrocene is doing compiler qualification
- Libraries and async need additional work

Appendix: Additional links

The Economic Impacts of Inadequate Infrastructure for Software Testing

Rust Formal Methods IG: Ferrocene

Rust in Automotive Florian Gilcher, Christof Petig, May 2022

{"metaMigratedAt":"2023-06-17T00:12:38.937Z","metaMigratedFrom":"YAML","title":"Rust in Automotive","breaks":true,"slideOptions":"{\"theme\":\"white\"}","contributors":"[{\"id\":\"de2fe656-f960-4cb7-bf10-766aa1bd039f\",\"add\":8465,\"del\":4139},{\"id\":\"db349910-53c1-45a5-aa34-1ac5434980b0\",\"add\":88,\"del\":0}]"}

changed 3 years ago 1039 views
owned this note