@@ -0,0 +1,84 @@
# This file lists desired Rust compiler features for security and safety-critical applications,
# which are currently missing or incomplete in the standard Rust toolchain.

metadata:
title: "Desired Rust Compiler Features"
version: "1.0"
date: "2025-10-01"
Collaborator


Is this intended to be something like a "last modified date" of this file?

Suggested change
date: "2025-10-01"
date: "2025-10-01"

Author


I'd say more like a "last time listed topics have been reviewed".

modified we can do with git history, but knowing when the last time was that someone took the time to go through the listed topics and checked their latest status would be good to know.

Author


for example in case nothing about the topics changed, the version should stay the same, but we'd still like to note that we have looked at the list.

if you agree I'd add a comment above the field.

purpose: "Track missing compiler features needed for safety-critical Rust applications"
considered-standards:
- name: "ISO 26262"
levels: ["ASIL A", "ASIL B", "ASIL C", "ASIL D"]
description: "Road vehicles - Functional safety"
- name: "DO-178C"
levels: ["DAL-E", "DAL-D", "DAL-C", "DAL-B", "DAL-A"]
description: "Software Considerations in Airborne Systems and Equipment Certification"
- name: "IEC 62304"
levels: ["Class A", "Class B", "Class C"]
description: "Medical device software - software life cycle processes"
- name: "IEC 61508"
levels: ["SIL-1", "SIL-2", "SIL-3", "SIL-4"]
description: "Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems"
- name: "ISO/SAE 21434"
levels: ["CAL 1", "CAL 2", "CAL 3", "CAL 4"]
description: "Road vehicles — Cybersecurity engineering"

topics:
- name: "Stack Protector"
description: "Stack buffer overflow detection and protection mechanism"
priority: "High"
Collaborator


I think it may be possible to have there be a priority listed.
However -- I think it's important to be clear on how such a field is populated.

I would like to discuss this in a meeting on how to capture this.

Author


as discussed, we would likely keep it in for now, but will try to clarify what "high" means in this list and in regard to rustc.

status: "Missing"
category: "Security"
rationale: "Stack protection is not available in any Rust compiler, but required for runtime stack overflow detection in safety-critical systems"
related-links:
- "https://developer.arm.com/documentation/dui0774/l/Compiler-Command-line-Options/-fstack-protector---fstack-protector-all---fstack-protector-strong---fno-stack-protector"
- "https://github.com/rust-lang/rust/issues/114903"

- name: "TrustZone"
description: "TrustZone support for ARM Cortex-M processors"
priority: "High"
status: "Nightly"
category: "Security"
rationale: "TrustZone support is available only on nightly Rust. Stabilizing it is required for data sagmentation on cortex-m devices"
related-links:
- "https://developer.arm.com/documentation/100690/latest/"
- "https://github.com/rust-lang/rust/issues/81391"
- "https://github.com/rust-lang/rust/issues/75835"

- name: "Control Flow Integrity (CFI)"
description: "Control flow integrity protection against ROP/JOP attacks"
priority: "Medium"
status: "Partial"
category: "Security"
rationale: "Prevents control flow hijacking attacks in safety-critical applications. Currently limited CFI support, not comprehensive for all control flow transfers"
related-links:
- "https://clang.llvm.org/docs/ControlFlowIntegrity.html"
- "https://github.com/rust-lang/rust/issues/89653"

- name: "Deterministic Code Generation"
description: "Reproducible binary output for certification requirements"
priority: "High"
status: "Partial"
category: "Safety"
rationale: "Not fully deterministic across different build environments. Required for certification processes that mandate reproducible builds"
related-links:
- "https://github.com/rust-lang/rust/issues/34902"

- name: "Coverage Instrumentation for Macros"
description: "Code coverage that includes macro expansions"
priority: "High"
status: "Missing"
category: "Safety"
rationale: "Coverage tools cannot instrument macro-generated code. Complete coverage analysis required for safety certification"
related-links:
- "https://github.com/rust-lang/rust/issues/79417"

- name: "MC/DC"
description: "MC/DC is currently not supported by any Rust compiler."
priority: "High"
status: "Missing"
category: "Safety"
rationale: "MC/DC is needed to reach highest levels of safety-critical software for example in DO-178C."
related-links:
- "https://github.com/rust-lang/rust/issues/124144"
- "https://github.com/rust-lang/rust/pull/144999"
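Review bot: The TrustZone rationale has a typo, "data sagmentation" should read "data segmentation", and the Stack Protector entry's status "Missing" with the rationale "not available in any Rust compiler" should be checked against the linked tracking issue, since this file distinguishes "Nightly" from "Missing" (the TrustZone entry uses "Nightly"). Two smaller points: the MC/DC description restates the status instead of describing the feature (something like "Modified condition/decision coverage instrumentation" would match the other entries), and the standards block here is keyed `considered-standards` with names such as "ISO 26262" / "ASIL A", while the tools file uses `tracked-standards` with "ISO-26262" / "ASIL-A"; one key and one spelling across both files would let the website join the two lists. As discussed in the thread, a comment above `date` and `priority` stating what each records would also help.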
210 changes: 210 additions & 0 deletions subcommittee/tooling/tool-list/available-tools.yaml
@@ -0,0 +1,210 @@
# This file lists available safety-critical Rust tools and their qualification state.

metadata:
title: "Rust Tooling for use in Safety Critical Projects"
version: "1.0"
date: "2025-09-29"
tracked-standards:
- name: "ISO-26262"
levels: ["ASIL-A", "ASIL-B", "ASIL-C", "ASIL-D"]
description: "Road vehicles - Functional safety"
- name: "DO-178C"
levels: ["DAL-E", "DAL-D", "DAL-C", "DAL-B", "DAL-A"]
description: "Software Considerations in Airborne Systems and Equipment Certification"
- name: "IEC 62304"
levels: ["Class A", "Class B", "Class C"]
description: "Medical device software - software life cycle processes"
- name: "IEC 61508"
levels: ["SIL-1", "SIL-2", "SIL-3", "SIL-4"]
description: "Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems"

# Tools organized alphabetically by name
tools:

- name: "cargo"
type: "package-manager"
vendor: "-"
url: "https://github.com/rust-lang/cargo"
description: "Built-in Rust package manager and test runner"
license: "Apache 2.0 & MIT"
qualified: []

- name: "cargo-nextest"
type: "test-runner"
url: "https://nexte.st"
vendor: "-"
description: "Next-generation test runner for Rust"
license: "Apache 2.0 & MIT"
qualified: []

- name: "cargo-tarpaulin"
type: "code-coverage"
url: "https://github.com/xd009642/tarpaulin"
vendor: "-"
description: "Code coverage tool for Rust"
license: "Apache 2.0 & MIT"
qualified: []

- name: "clippy"
type: "static-analysis"
url: "https://github.com/rust-lang/rust-clippy"
vendor: "-"
description: "Clippy is a collection of lints to catch common mistakes and improve Rust code. It analyzes code for potential bugs, performance issues, style violations, and suggests more idiomatic Rust patterns."
license: "Apache 2.0 & MIT"
qualified: []

- name: "creusot"
type: "formal-verification"
url: "https://github.com/creusot-rs/creusot"
vendor: "-"
description: "Creusot is a deductive verifier for Rust code. It verifies your code is safe from panics, overflows, and assertion failures. By adding annotations you can take it further and verify your code does the correct thing."
license: "LGPL 2.1"
qualified: []

- name: "defmt-test"
type: "test-runner"
url: "https://github.com/knurling-rs/defmt"
vendor: "Ferrous Systems"
description: "Embedded testing framework"
license: "Apache 2.0 & MIT"
qualified: []

- name: "Ferrocene"
type: "compiler"
url: "https://ferrocene.dev"
vendor: "Ferrous Systems"
description: "Open-source qualified Rust compiler toolchain for safety- and mission-critical systems"
Contributor


would keep description basic to avoid marketing speak (and this applies to descriptions of the other toolchains)

Suggested change
description: "Open-source qualified Rust compiler toolchain for safety- and mission-critical systems"
description: "Compiler toolchain"

Author


I think one or two short sentences as description is fine.
Otherwise, this field becomes quite useless, because the type is already compiler.

This list will be the base for the website and having a short paragraph per tool as description probably looks quite good.

I think a bit of marketing speak in this field is ok.

Contributor


if we allow a bit of marketing...

# Ferrocene entry
description: "Rust compiler toolchain developed in the open"

that is for 2 reasons

  • it being open source is already shown in the license field
    as a sidenote, you can develop in private and only make your software available to paying customers while retaining an open source license
  • it being suitable for mission-critical use is not relevant to the safety-critical domain

if we avoid the marketing part, we could maybe mention qualified targets (which will easily get stale), or some other thing about Ferrocene... not sure what

license: "commercial"
Contributor


Ferrocene modifications to rustc retain the upstream license

Suggested change
license: "commercial"
license: "Apache 2.0 & MIT"

Author


as discussed, we might need to split the license field into source-license and product-license, because even though the Ferrocene source is Apache 2.0 & MIT, to get the docs for Ferrocene to be qualified, you'll need to pay so "commercial".

but I don't like this split of the license field, because it only really makes sense for commercial products.

maybe we make the license field accept either String or an object?
e.g.

license: "Apache 2.0"

license:
  - source: "Apache 2.0"
  - product: "commercial"

or we have license and cost and tools could either be

  • cost: "free"
  • cost: "commercial"

Contributor


maybe we make the license field accept either String or an object

looks like an improvement

Author


product might be a bit confusing, because it somewhat overlaps with source.

maybe we name the field qual-kit, meaning qualification kit.
because commonly that is what customers must pay for even if the source is open source licensed and publicly available

Contributor


thinking further on this, and inspired by your comment, I think we should leave license as plain text, and we can add an optional field, example

# Ferrocene entry
license: "Apache 2.0 & MIT"
additional-details: binaries and support available with a monthly/yearly subscription, and qualification kit available for an additional fee

we can also leave "additional-details" off for now, to avoid slowing forward movement of this pr

qualified:
- name: "ISO 26262"
up-to: "ASIL-D"
- name: "IEC 62304"
up-to: "Class C"
- name: "IEC 61308"
up-to: "SIL 4"


- name: "flamegraph"
type: "profiler"
url: "https://github.com/flamegraph-rs/flamegraph"
vendor: "-"
description: "Flame graph profiler for Rust"
license: "Apache 2.0 & MIT"
qualified: []

- name: "GNAT Pro for Rust"
type: "compiler"
url: "https://www.adacore.com/gnatpro-rust"
vendor: "AdaCore"
description: "AdaCore's Toolsuite for High-Assurance Rust Software; Includes stable toolchain for long-term development, long-term support, and qualification"
license: "commercial"
qualified: []

- name: "HighTec Rust Compiler"
type: "compiler"
url: "https://hightec-rt.com/products/rust-development-platform"
vendor: "HighTec"
description: "ISO 26262 ASIL D qualified Rust Compiler Development Platform for ARM based Stellar from STMicroelectronics and Infineon AURIX"
license: "commercial"
qualified:
- name: "ISO 26262"
up-to: "ASIL-D"

- name: "kani"
type: "formal-verification"
url: "https://github.com/model-checking/kani"
vendor: "-"
description: "Kani is an open-source verification tool that uses model checking to analyze Rust programs. Kani is particularly useful for verifying unsafe code blocks in Rust, where the 'unsafe superpowers' are unchecked by the compiler."
license: "Apache 2.0 & MIT"
qualified: []

- name: "Lauterbach Trace32 Debugger"
type: "debugger"
url: "https://www.lauterbach.com/"
vendor: "Lauterbach"
description: "Lauterbach‘s TRACE32® tools are a suite of leading-edge hardware and software components that enables you to analyze, optimize and certify all kinds of embedded systems."
license: "commercial"
qualified: []

- name: "mantra"
type: "requirements-traceability"
url: "https://crates.io/crates/mantra"
vendor: "-"
description: "Requirements traceability with structural code analysis and code coverage"
license: "MIT"
qualified: []

- name: "OpenFastTrace"
type: "requirements-traceability"
url: "https://github.com/itsallcode/openfasttrace"
vendor: "-"
description: "OpenFastTrace (short OFT) is a requirement tracing suite."
license: "GPL-3.0"
qualified: []

- name: "PLS UDE"
type: "debugger"
url: "https://www.pls-mc.com/products/universal-debug-engine/"
vendor: "PLS Programmierbare Logik & Systeme GmbH"
description: "UDE® Universal Debug Engine is the powerful development tool for debugging, tracing, and testing embedded software for a wide range of multicore SoCs and microcontrollers."
license: "commercial"
qualified: []

- name: "Reqtify"
type: "requirements-traceability"
url: "https://www.3ds.com/products/catia/reqtify"
vendor: "Dassault Systèmes"
description: "Reqtify is a solution which allows implementing an End-To-End Traceability along the whole V-Cycle across very different types of document and data bases (by plugin connector)."
license: "commercial"
qualified: []

- name: "sphinx-needs"
type: "requirements-traceability"
url: "https://sphinxcontrib-needs.readthedocs.io/"
vendor: ""
description: "Sphinx Needs is a requirements management extension for Sphinx documentation that enables tracing and linking of requirements, specifications, test cases, and other project artifacts"
license: "MIT"
qualified: []

- name: "TESSY"
type: "test-runner"
url: "https://www.razorcat.com/en/product-tessy.html"
vendor: "Razorcat"
description: "Qualified unit testing tool"
license: "commercial"
qualified: []

- name: "TrustInSoft Analyzer"
type: "static-analysis"
url: "https://www.trust-in-soft.com/trustinsoft-analyzer"
vendor: "TrustInSoft"
description: "Static analysis for C, C++, and soon to be Rust code"
license: "commercial"
qualified: []

- name: "VectorCast"
type: "test-runner"
url: "https://www.vector.com/us/en/products/products-a-z/software/vectorcast/"
vendor: "Vector Software"
description: "Qualified test runner and generator for safety-critical applications"
license: "commercial"
qualified: []

- name: "verifast"
type: "formal-verification"
url: "https://github.com/verifast/verifast"
vendor: "-"
description: "VeriFast is a tool for modular formal verification of the absence of undefined behavior in Rust1 programs that use unsafe blocks and the soundness of Rust modules that use unsafe blocks."
license: "MIT"
qualified: []


open-topics:
- name: "Fault Injection Tests"
description: "No generally applicable tool exists to inject faults in Rust projects during testing."

- name: "Coding Guidelines"
description: "No Rust coding guidelines currently exist, so no tool can enforce them."

- name: "Graphical Representation"
description: "Missing tools that are capable to represent Rust code in a graphical way (e.g. flow chart)."
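Review bot: In the Ferrocene `qualified` list, "IEC 61308" looks like a typo for "IEC 61508", which is the standard declared under `tracked-standards`; the standard and level spellings there also diverge from the declared ones ("ISO 26262" vs "ISO-26262", "SIL 4" vs "SIL-4"), while the HighTec entry's "ASIL-D" does match the tracked form. Suggest making every `qualified[].name` and `up-to` value match `tracked-standards` exactly, so a consumer of this file can key on them instead of normalising spellings. Smaller points: the sphinx-needs entry has `vendor: ""` where every other vendor-less entry uses "-", the verifast description contains a stray "Rust1" that reads like footnote residue, and the Ferrocene `license` thread above is still open; the optional `additional-details` field proposed there would record the subscription and qualification-kit cost without changing the schema for the other tools.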