Never used Rust but I'd like to point out the YouTube channel Low Level which covers security vulnerabilities (CVEs). He ends each video with "would Rust have fixed this?" and it's pretty interesting.

A very recent one is this: https://youtu.be/BTjj1ILCwRs?t=10m (timestamped to the relevant section)

According to him, when writing embedded software in Rust (and UEFI is embedded), you have to use Rust in unsafe mode which basically disables all the memory safety features. So in that kind of environment Rust isn't really better than C, at least when it comes to memory safety.

That's not to say Rust isn't still a good option. It probably is.

Again, I never used Rust so I'm just parroting stuff I've heard, take all of this with a grain of salt.

[–] calcopiritus@lemmy.world 12 points 3 days ago (1 children)

Rust doesn't have "safe" and "unsafe" modes in the sense your comment alludes to.

You can just do the little unsafe thing in a function that guarantees its safety, and then the rest of the code is safe.

For example, using C functions from rust is unsafe, but most of the time a simple wrapper can be made safe.

Example C function:

int arraysum(const int *array, int length) {
    int sum = 0;
    while (length > 0) {
        sum += *array;
        array++;
        length--;
   }
}

In rust, you can call that function safely by just wrapping it with a function that makes sure that length is always the size of array. Such as:

fn rust_arraysum(array: Vec<i32>) -> i32 {
    unsafe{ arraysum(array.as_ptr(), array.len() as i32)}
}

Even though unsafe is used, it is perfectly safe to do so. And now we can call rust_arraysum without entering "unsafe mode"

You could do similar wrappers if you want to write your embedded code. Where only a fraction of the code is potentially unsafe.

And even in unsafe blocks, you don't disable all of the rust checks.

[–] NeatNit@discuss.tchncs.de 4 points 3 days ago* (last edited 3 days ago)

Thanks for this. I was paraphrasing (badly, it seems). The video actually says it better:

To write code that lives in an embedded environment, it has to run in this mode in Rust called "no standard" (#![no_std]) and this mode called "no main" (#![no_main]). Basically you have no access to any of the core utilities in Rust, you have to write a lot of them yourself.

He then explains how embedded code necessarily has global mutability which is "the antithesis" of Rust development.

So yeah, you could make all of those wrappers, but at the end of the day you'll end up with about the same amount of "unsafe" code as you would making the same thing in C++.

Edit: but if what you said still applies, it does seem like Rust would watch your back somewhat better than C++ would in that it wouldn't even compile unsafe operations outside of unsafe blocks, unlike C++ to the best of my knowledge where you kind of have to review the code yourself to make sure it only uses the appropriate wrappers.

[–] Croquette@sh.itjust.works 3 points 3 days ago (1 children)

I am glad for your comment because I work with mcus and embedded solutions in C, so Rust, in that case, wouldn't be neccesarily safer than C.

I will have to look into it. I need to do 30h of training every two years, so I will learn Rust regardless, but I was thinking about eventually switching to Rust for embedded projects. Might just keep Rust as my scripting language because it is easier for me than Python

[–] NeatNit@discuss.tchncs.de 4 points 3 days ago

It's an interesting discussion. As someone who doesn't actually deal with this and who literally never used Rust, I feel out of me depth. But it does sound like Rust has much better mechanisms to catch a programmer's mistake. See my reply to the other guy.