safety critical

Author: AndyGauge

Cargo.toml

@@ -1,5 +1,5 @@
 [workspace]
-members = ["crates/algorithms/*", "crates/concurrency/*", "crates/development_tools/debugging/tracing", "crates/web", "xtask"]
+members = ["crates/algorithms/*", "crates/concurrency/*", "crates/development_tools/debugging/tracing", "crates/safety_critical/*", "crates/web", "xtask"]
 
 [workspace.package]
 edition = "2024"

Makefile

@@ -21,7 +21,7 @@ dev: build test ## Build and test (development workflow)
 	@echo "Development build complete!"
 
 deploy: clean dev ## Deploy to GitHub Pages (requires maintainer permissions)
-	./scripts/deploy.sh
+	./scripts/deploy.sh --skip-tests
 
 deploy-skip-tests: build ## Deploy to GitHub Pages without running tests
 	./scripts/deploy.sh --skip-tests
@@ -32,4 +32,4 @@ clean: ## Clean build artifacts
 	@echo "Clean complete!"
 
 serve: install-mdbook ## Serve the book locally with live reload
-	mdbook serve --open 
+	mdbook serve --open 

build.rs

@@ -12,6 +12,8 @@ const REMOVED_PREFIXES: &[&str] = &[
     "./src/development_tools/debugging/tracing/",
     "./src/concurrency/actor/",
     "./src/concurrency/custom_future/",
+    "./src/safety_critical/no_panic/",
+    "./src/safety_critical/heapless_alloc/",
 ];
 
 fn main() {

crates/safety_critical/heapless_alloc/Cargo.toml

@@ -0,0 +1,10 @@
+[package]
+name = "heapless-example"
+version.workspace = true
+authors.workspace = true
+edition.workspace = true
+license.workspace = true
+publish.workspace = true
+
+[dependencies]
+heapless = "0.8"

crates/safety_critical/heapless_alloc/src/bin/heapless_alloc.rs

@@ -0,0 +1,120 @@
+use heapless::{String, Vec};
+
+/// A fixed-capacity event log that never touches the heap.
+///
+/// In real-time and safety-critical systems the global allocator is
+/// forbidden because allocation time is unbounded and fragmentation
+/// can cause silent OOM failures in long-running firmware.
+///
+/// [`heapless::Vec`] stores up to `N` elements on the stack (or in a
+/// `static`).  The capacity is fixed at compile time, so the memory
+/// footprint is constant and predictable.
+struct EventLog<const N: usize> {
+    entries: Vec<Event, N>,
+}
+
+#[derive(Debug, Clone)]
+struct Event {
+    timestamp_ms: u32,
+    code: u16,
+}
+
+impl<const N: usize> EventLog<N> {
+    /// Creates an empty log.
+    fn new() -> Self {
+        Self {
+            entries: Vec::new(),
+        }
+    }
+
+    /// Records an event.  Returns `Err` if the log is full instead
+    /// of panicking or allocating—the caller decides what to do.
+    fn record(&mut self, timestamp_ms: u32, code: u16) -> Result<(), Event> {
+        let event = Event { timestamp_ms, code };
+        self.entries.push(event).map_err(|e| e)
+    }
+
+    /// Returns how many events have been recorded.
+    fn len(&self) -> usize {
+        self.entries.len()
+    }
+
+    /// Returns the most recent event, if any.
+    fn latest(&self) -> Option<&Event> {
+        self.entries.last()
+    }
+}
+
+/// Formats a sensor label without heap allocation.
+///
+/// [`heapless::String<N>`] works like `std::string::String` but
+/// stores up to `N` bytes on the stack.  `write!` returns `Err` if
+/// the formatted text would exceed capacity.
+fn format_label(sensor_id: u16, value: f32) -> Result<String<32>, core::fmt::Error> {
+    use core::fmt::Write;
+    let mut buf: String<32> = String::new();
+    write!(buf, "S{sensor_id}={value:.1}")?;
+    Ok(buf)
+}
+
+fn main() {
+    // A log that holds at most 8 events — zero heap allocation.
+    let mut log: EventLog<8> = EventLog::new();
+
+    log.record(100, 0x01).expect("log not full");
+    log.record(200, 0x02).expect("log not full");
+    log.record(300, 0xFF).expect("log not full");
+
+    println!("logged {} events", log.len());
+    println!("latest: {:?}", log.latest().unwrap());
+
+    // Stack-allocated string formatting.
+    let label = format_label(42, 3.14).expect("fits in 32 bytes");
+    println!("label: {label}");
+
+    // Demonstrate capacity enforcement — the 9th push returns Err.
+    let mut full_log: EventLog<2> = EventLog::new();
+    full_log.record(0, 1).unwrap();
+    full_log.record(1, 2).unwrap();
+    let overflow = full_log.record(2, 3);
+    assert!(overflow.is_err());
+    println!("overflow correctly rejected");
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_event_log_records_and_retrieves() {
+        let mut log: EventLog<4> = EventLog::new();
+        log.record(10, 0xAA).unwrap();
+        log.record(20, 0xBB).unwrap();
+
+        assert_eq!(log.len(), 2);
+        assert_eq!(log.latest().unwrap().code, 0xBB);
+    }
+
+    #[test]
+    fn test_event_log_rejects_overflow() {
+        let mut log: EventLog<1> = EventLog::new();
+        assert!(log.record(0, 1).is_ok());
+        assert!(log.record(1, 2).is_err());
+        assert_eq!(log.len(), 1);
+    }
+
+    #[test]
+    fn test_format_label() {
+        let label = format_label(7, 25.0).unwrap();
+        assert_eq!(label.as_str(), "S7=25.0");
+    }
+
+    #[test]
+    fn test_format_label_overflow() {
+        // heapless::String<4> can only hold 4 bytes — "S1=0.0" won't fit.
+        use core::fmt::Write;
+        let mut tiny: heapless::String<4> = heapless::String::new();
+        let result = write!(tiny, "S1=99.9");
+        assert!(result.is_err());
+    }
+}

crates/safety_critical/no_panic/Cargo.toml

@@ -0,0 +1,10 @@
+[package]
+name = "no-panic-example"
+version.workspace = true
+authors.workspace = true
+edition.workspace = true
+license.workspace = true
+publish.workspace = true
+
+[dependencies]
+no-panic = "0.1"

crates/safety_critical/no_panic/src/bin/no_panic.rs

@@ -0,0 +1,100 @@
+use no_panic::no_panic;
+
+/// Sums a slice without any operation that could panic.
+///
+/// In safety-critical code, a `panic!` is a catastrophic failure.
+/// Standard indexing like `slice[i]` inserts a bounds check that
+/// calls `panic!` on out-of-bounds access.  Iterators avoid this
+/// entirely—the compiler can prove no panic path exists.
+#[no_panic]
+fn safe_sum(values: &[i32]) -> i64 {
+    let mut total: i64 = 0;
+    for &v in values {
+        total += v as i64;
+    }
+    total
+}
+
+/// Looks up a value by index, returning `None` instead of panicking.
+///
+/// Using `get()` + exhaustive pattern matching guarantees every code
+/// path is handled.  The `#[no_panic]` attribute makes the compiler
+/// **prove** it at link time—if any hidden panic path remains, the
+/// build fails.
+#[no_panic]
+fn safe_lookup(data: &[u8], index: usize) -> Option<u8> {
+    match data.get(index) {
+        Some(&val) => Some(val),
+        None => None,
+    }
+}
+
+/// Clamps a sensor reading into a valid range without panicking.
+///
+/// Real-world example: an ADC returns a raw `u16` that must be
+/// mapped to 0–100 %.  Using `clamp` and simple arithmetic keeps
+/// the function panic-free.
+#[no_panic]
+fn normalize_sensor(raw: u16, min: u16, max: u16) -> f32 {
+    if max == min {
+        return 0.0;
+    }
+    let clamped = raw.clamp(min, max);
+    (clamped - min) as f32 / (max - min) as f32
+}
+
+fn main() {
+    let readings = [10, 20, 30, 40, 50];
+
+    let total = safe_sum(&readings);
+    println!("sum = {total}");
+    assert_eq!(total, 150);
+
+    let val = safe_lookup(&[0xAA, 0xBB, 0xCC], 1);
+    println!("lookup index 1 = {val:?}");
+    assert_eq!(val, Some(0xBB));
+
+    let miss = safe_lookup(&[0xAA, 0xBB, 0xCC], 99);
+    println!("lookup index 99 = {miss:?}");
+    assert_eq!(miss, None);
+
+    let pct = normalize_sensor(2048, 0, 4095);
+    println!("sensor = {pct:.2}%");
+    assert!((pct - 0.5).abs() < 0.01);
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_safe_sum_empty() {
+        assert_eq!(safe_sum(&[]), 0);
+    }
+
+    #[test]
+    fn test_safe_sum_values() {
+        assert_eq!(safe_sum(&[1, 2, 3]), 6);
+    }
+
+    #[test]
+    fn test_safe_lookup_in_bounds() {
+        assert_eq!(safe_lookup(&[10, 20, 30], 2), Some(30));
+    }
+
+    #[test]
+    fn test_safe_lookup_out_of_bounds() {
+        assert_eq!(safe_lookup(&[10, 20, 30], 5), None);
+    }
+
+    #[test]
+    fn test_normalize_sensor_mid() {
+        let pct = normalize_sensor(2048, 0, 4095);
+        assert!((pct - 0.5).abs() < 0.01);
+    }
+
+    #[test]
+    fn test_normalize_sensor_equal_bounds() {
+        assert_eq!(normalize_sensor(100, 100, 100), 0.0);
+    }
+}

src/SUMMARY.md

@@ -58,6 +58,9 @@
     - [Complex Numbers](science/mathematics/complex_numbers.md)
     - [Statistics](science/mathematics/statistics.md)
     - [Miscellaneous](science/mathematics/miscellaneous.md)
+- [Safety-Critical Rust](safety_critical.md)
+  - [No-Panic Guarantee](safety_critical/no_panic.md)
+  - [Deterministic Memory](safety_critical/heapless_alloc.md)
 - [Text Processing](text.md)
   - [Regular Expressions](text/regex.md)
   - [String Parsing](text/string_parsing.md)

src/links.md

@@ -19,6 +19,8 @@ Keep lines sorted.
 [cat-cryptography]: https://crates.io/categories/cryptography
 [cat-database-badge]: https://img.shields.io/badge/database--x.svg?style=social
 [cat-database]: https://crates.io/categories/database
+[cat-data-structures-badge]: https://img.shields.io/badge/data_structures--x.svg?style=social
+[cat-data-structures]: https://crates.io/categories/data-structures
 [cat-date-and-time-badge]: https://img.shields.io/badge/date_and_time--x.svg?style=social
 [cat-date-and-time]: https://crates.io/categories/date-and-time
 [cat-debugging-badge]: https://img.shields.io/badge/debugging--x.svg?style=social
@@ -80,6 +82,8 @@ Keep lines sorted.
 [flate2]: https://docs.rs/flate2/
 [glob-badge]:https://img.shields.io/crates/v/glob.svg?label=glob
 [glob]: https://docs.rs/glob/
+[heapless-badge]: https://img.shields.io/crates/v/heapless.svg?label=heapless
+[heapless]: https://docs.rs/heapless/
 [hyper-badge]: https://img.shields.io/crates/v/hyper.svg?label=hyper
 [hyper]: https://docs.rs/hyper/
 [image-badge]: https://img.shields.io/crates/v/image.svg?label=image
@@ -98,6 +102,8 @@ Keep lines sorted.
 [nalgebra]: https://docs.rs/nalgebra
 [ndarray-badge]: https://img.shields.io/crate/ndarray.svg?label=ndarray
 [ndarray]: https://docs.rs/ndarray
+[no-panic-badge]: https://img.shields.io/crates/v/no-panic.svg?label=no-panic
+[no-panic]: https://docs.rs/no-panic/
 [num-badge]: https://img.shields.io/crates/v/num.svg?label=num
 [num]: https://docs.rs/num/
 [num_cpus-badge]: https://img.shields.io/crates/v/num_cpus.svg?label=num_cpus

src/safety_critical.md

@@ -0,0 +1,11 @@
+# Safety-Critical Rust
+
+| Recipe | Crates | Categories |
+|--------|--------|------------|
+| [Compile-Time No-Panic Guarantee][ex-no-panic] | [![no-panic-badge]][no-panic] | [![cat-no-std-badge]][cat-no-std] [![cat-rust-patterns-badge]][cat-rust-patterns] |
+| [Deterministic Memory with Heapless Collections][ex-heapless] | [![heapless-badge]][heapless] | [![cat-no-std-badge]][cat-no-std] [![cat-data-structures-badge]][cat-data-structures] |
+
+[ex-no-panic]: safety_critical/no_panic.html#compile-time-no-panic-guarantee
+[ex-heapless]: safety_critical/heapless_alloc.html#deterministic-memory-with-heapless-collections
+
+{{#include links.md}}