misra-rust VS cxx

MISRA and Ferrocene are not really related.

MISRA is, as you say, a set of rules for writing C code, that restrict what you can do.

Ferrocene is a qualified compiler. You write any normal Rust code you want: it's still the upstream Rust compiler. There are no restrictions.

Incidentally, someone has compared what MISRA does to what Rust does: https://github.com/PolySync/misra-rust/blob/master/MISRA-Rul...

Given that they can't repeat the MISRA stuff there, it's a bit disjoined, but it sure is interesting!

A fun github repo: "what would MISRA look like applied to Rust" https://github.com/PolySync/misra-rust/blob/master/MISRA-Rul...

(They're comparing with the C version, not the C++ version...)

> There are huge swathes of MISRA which forbid things which not only aren't possible in Rust or SPARK

I can't vouch for its accuracy, but https://github.com/PolySync/misra-rust

When it comes to MISRA C, it is interesting to note how many (a majority) of its rules do not apply or have native enforcement[1].

You might have also seen the AUTOSTAR Rust in Automotive Working Group announcement recently[2].

[1]: https://github.com/PolySync/misra-rust/blob/master/MISRA-Rul...

[2]: for some reason the announcement was removed from the "News and events" site, https://webcache.googleusercontent.com/search?q=cache%3Ahttp... but it is still available as a PDF https://www.autosar.org/fileadmin/user_upload/20220308_RustW...

There's actually already a comparison: https://github.com/PolySync/misra-rust/blob/master/MISRA-Rules.md

Rust makes quite a few things more rigorous (e.g. pairing allocations with deallocations and reference validity). It basically fulfills the job of a static analyzer baked into the language.

It's also a vastly more analyzable language (in that its syntax is reasonably unambiguous and there's no dynamic runtime in play) and it can be integrated well.

Toolchain quality (error reporting, built in testing, awareness of primitives like "libraries", etc.) is also a huge strong point.

We're reasonably confident that we can use safe Rust as is, with strong guidance on how to do unsafe Rust.

For a tangible investigation of that space, PolySync has a project that has a look at MISRA rules from a Rust perspective. https://github.com/PolySync/misra-rust/blob/master/MISRA-Rul...

Ada is a good example here: the language has not evolved something like MISRA-C (it has evolved SPARK for formal verification, but I see that differently).

There are cxx and autocxx, what else do you propose to do?

I would like to see a comparison of how this compares to Rust. In terms of interoperability it has Cxx (https://cxx.rs) to offer safe bindings to C++ but also has great support for Android, Linux and many other systems. You don't even need to hack together Windows bindings (as explained in the blog post) because Microsoft offers official bindings (https://crates.io/crates/windows). I'm not sure if I'd call it a superpower if any potential interoperability has to be written to be used (compared to it already being available). Or rather, in comparison to what is interoperability a Swift superpower? Certainly not C++ or C which can be used in a far wider set of targets.

We selected Qt as a cross-platform solution. The C++/Rust interface is the clunkiest and ugliest part of the application, and rather complex because some state is shared between several windows in the GUI and several threads in the backend, and any component might modify that state at any time, and updates have to be transmitted to the other components without introducing inconsistencies. Using cxx [1] helped a little, though.

The project began in 2020, and I'm not sure what I'd choose as a GUI framework today – definitely not Qt Widgets, though.

[1] https://cxx.rs/

If the build process for the C library isn't too involved I recommend using cxx bridge (https://cxx.rs/) and letting cargo handle the build and linking. cxx basically allows you to describe the bidirectional interface (although it sounds like you only need 1 direction, which is fine too) in Rust code and it provides a "good enough" API for compiling C code inside the build.rs file.

The tooling for the first kind -- calling Rust from another language -- is a bit less developed, and tends to rely on code generation that doesn't necessarily produce a natural C API. cbindgen, uniffi, cxx, and Diplomat all take this course.

I would like to utilize OMPL's functionality in Rust code, so I want to call into OMPL C++ code somehow in Rust. I've seen two (non-mutually-exclusive) options so far: - rust-cpp, which allows you to write C++ code in Rust within the cpp!() macro. - cxx, which allows you to define both sides of the FFI boundary manually (as opposed to bindgen's automatic generation).

I'm not sure how to do this in cxx; issues like https://github.com/dtolnay/cxx/issues/447 suggest that this isn't settled yet?

I use non-vendored dependencies for the Buck build in https://github.com/dtolnay/cxx.

There's also the cpp and cxx crates for doing C++/Rust interop, but they probably aren't appropriate to use in all cases. The C ABI is definitely the safest way to go unless you're really trying to marry Rust and C++ code bases, not just writing library bindings.

There's also cxx (can't vouch for it personally but it claims to make things a lot easier) https://github.com/dtolnay/cxx