The “90% ban” isn’t about hating C++ — it’s about guaranteeing determinism. In avionics, anything that can hide allocations, add unpredictable control flow, or complicate WCET analysis gets removed. Once you operate under those constraints, every language shrinks to a tiny, fully-auditable subset anyway.

▲

grougnax 17 hours ago | parent [-]

They could use 100% of Rust

▲

accelbred 7 hours ago | parent [-]

No they could not. Rusts standard library heavily uses dynamic memory allocation and panics, for example. MISRA C:2025 Addendum 6 covers MISRA rules that still apply to Rust, as an example of how one would restrict Rust in safety-critical contexts.

▲

steveklabnik 7 hours ago | parent [-]

In safety critical contexts, you're not usually using the standard library. Or at least, you're using core, not alloc or std.

Panics can still exist, of course, but depending on the system design you probably don't want them either, which is a bit more difficult to remove but not the end of the world.

I hadn't seen that addendum though yet, that's very cool!

	▲	accelbred 7 minutes ago \| parent [-]
		Yeah, for work stuff where we follow MISRA conventions, its easiest to use no_std and ban using third-party crates as runtime dependencies.