Choose Rust for developing the redundancy switcher

[TetsuKawa]

Summary

I am designing a redundancy system to switch to a Sub ECU if the Main ECU or Main VCU becomes inoperable. This redundancy setup could become crucial for autonomous driving and may eventually be overseen by the Autoware Foundation. I plan to develop this ECU-switching program in Rust and would appreciate input on whether using Rust might pose any challenges if the Autoware Foundation were to manage it in the future.

Description

The proposed system configuration includes a Main ECU, Sub ECU, Main VCU, and Sub VCU. The Main ECU will run the standard Autoware software, while the Sub ECU will manage vehicle behavior if the Main ECU becomes inoperable.

Each device will run a software component called redundancy_switcher. This software will select a leader if a link failure or node failure occurs between the ECUs, VCUs, or nodes. The selected leader will manage node selection for vehicle control and instruct vehicle behavior accordingly. The algorithm for leader selection is based on a published paper, which will serve as the foundation for implementing redundancy_switcher.

For the language choice for redundancy_switcher, implementing it in C++ like Autoware is an option, but I prefer Rust for the following reasons:

• Memory safety detects many bugs at compile-time.
• Rust offers execution speed comparable to C/C++.
• It enables compile-time static analysis of data races in concurrent processing.
• It simplifies writing unit and integration tests.

Given the potential severity of bugs in redundancy_switcher for autonomous driving applications, I believe Rust is the best choice. However, if using Rust might complicate management by the Autoware Foundation, I am open to considering other options. Otherwise, I intend to proceed with Rust.

Thank you!

[ytakano]

I also think Rust language is good for autonomous driving applications from safety and security perspectives.

As Mario Noseda, et al. argued in "Rust for Secure IoT Applications, Why C Is Getting Rusty" https://digitalcollection.zhaw.ch/server/api/core/bitstreams/244187a4-94d6-4745-94b3-619b17649614/content, Rust is safer than MISRA-C C/C++ because some significant vulnerabilities of C/C++ cannot be identified by popular static analyzer as this paper introduced.

redundancy_switcher is a mission critical component and it should be safe and secure as much as possible to prevent critical incidents.

[TetsuKawa]

Thank you for your comments! The papers you introduced are very interesting.

Currently, the redundancy_switcher is designed for bare metal, but it could be implemented with a separate thread for each receiving socket. I believe that even in a multi-threaded implementation, using Rust would provide a safer approach.