[HN Gopher] How Masten Space Systems Is Using Ada and Spark to L...
___________________________________________________________________
How Masten Space Systems Is Using Ada and Spark to Land on the
Moon's South Pole [pdf]
Author : MaxBarraclough
Score : 29 points
Date : 2021-09-30 20:36 UTC (2 hours ago)
(HTM) web link (www.adacore.com)
(TXT) w3m dump (www.adacore.com)
| StatsAreFun wrote:
| I wish I had more opportunity to use Ada. GNAT Studio can be
| buggy but the language itself and the safety it brings to
| software engineering is really nice to work with.
| okl wrote:
| > Ghosh says they're trying to fully understand what they're
| building before they start coding.
|
| This should be normal practice IMO.
| sjburt wrote:
| I've seen this approach. The wrong thing still gets built, but
| at least you know why it was built that way.
| olah_1 wrote:
| I'm sure Ada makes a reliable program, but wouldn't it also be
| good to have an Erlang/Elixir style "self-healing" system with
| supervisors that can stop and restart each other?
| Jtsummers wrote:
| That actually is done with a lot of these kinds of systems. In
| many of the ones I've worked on you have software or hardware
| "watchdog timers" that have to be reset, or a process will be
| terminated and restarted (how will vary a bit). Hardware
| watchdog timers usually trigger something like a reboot,
| causing the program to be reloaded and restarted. That's about
| the simplest you can make a supervisor, but you can have more
| complex ones monitoring the actual internals to respond should
| the state become corrupted in some fashion as well.
|
| https://en.wikipedia.org/wiki/Watchdog_timer
| trothamel wrote:
| The programs that ran on the Apollo Guidance Computer were
| written this way. If there was a sufficiently bad error, the
| AGC would restart execution. The programs took advantage of
| the memory in use at the time being non-volatile, and not
| reset to zero when the computer restarted, so the program
| could figure out what the CSM or LM was doing, and continue
| it.
|
| This actually happened on Apollo 11. The 1201 and 1202
| program alarms were the computer overloading, and running out
| of space for more processes. When this happened, the computer
| would reset, and navigation would pick up again.
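The two comments above describe the same pattern from two angles: a watchdog that a task must keep resetting or be restarted, and a restart that resumes from state kept in memory the reboot does not clear. The following simulation is an added example written for this thread; it is not code from the Masten paper, AdaCore, or any commenter. It assumes a virtual tick clock in place of real time, an arbitrary three-tick timeout, two hypothetical tasks named "guidance" and "telemetry", and an ordinary struct standing in for the non-volatile region the AGC comment describes.

```c
/* Simulated watchdog supervisor with restart-surviving state.
 * Added example for the thread above; not code from Masten, AdaCore or
 * the commenters. Time is a virtual tick counter, and the "persistent"
 * region is an ordinary struct the supervisor never clears, standing in
 * for the non-volatile core memory the AGC comment describes. */
#include <stdio.h>
#include <stdint.h>

#define WATCHDOG_TIMEOUT 3u   /* ticks a task may go without kicking (arbitrary) */
#define NEVER_HANGS UINT32_MAX

/* State that must survive a reboot: which phase the vehicle is in and
 * how far the task got, so a restarted program can resume. */
typedef struct {
    uint32_t phase;
    uint32_t progress;
} persistent_state;

typedef struct {
    const char *name;
    persistent_state *nv;   /* checkpoint in the persistent region */
    uint32_t scratch;       /* ordinary RAM: wiped on restart */
    uint32_t last_kick;     /* tick of the last watchdog reset */
    uint32_t restarts;
    uint32_t hang_at;       /* fault injection: stop kicking at this tick */
    int hung;
} task;

/* One scheduling slot: do a unit of work, checkpoint it, kick the
 * watchdog. A hung task silently does nothing, which is exactly the
 * failure a watchdog exists to catch. */
static void task_step(task *t, uint32_t now) {
    if (now == t->hang_at) t->hung = 1;
    if (t->hung) return;
    t->nv->progress++;
    if (t->nv->progress % 4 == 0) t->nv->phase++;   /* hypothetical phase change */
    t->scratch++;
    t->last_kick = now;
}

/* Supervisor: if a task has not kicked within WATCHDOG_TIMEOUT ticks,
 * "reboot" it. RAM is lost, the persistent checkpoint is not, and the
 * watchdog is re-armed on boot. Returns 1 if a restart happened. */
static int watchdog_check(task *t, uint32_t now) {
    if (now - t->last_kick <= WATCHDOG_TIMEOUT) return 0;
    t->restarts++;
    t->scratch = 0;
    t->hung = 0;
    t->last_kick = now;
    printf("tick %u: %s missed its watchdog, restarting at phase %u progress %u\n",
           (unsigned)now, t->name, (unsigned)t->nv->phase, (unsigned)t->nv->progress);
    return 1;
}

typedef struct {
    uint32_t restarts;
    uint32_t progress;
    uint32_t scratch;
} sim_result;

/* Runs two tasks for `ticks` slots. The first is made to hang at
 * `hang_at`; the second never hangs and must be unaffected. Returns the
 * first task's outcome; the second's is written to *other if non-NULL. */
sim_result run_simulation(uint32_t ticks, uint32_t hang_at, sim_result *other) {
    persistent_state nv[2] = {{0, 0}, {0, 0}};   /* survives "reboots" */
    task t[2] = {
        {"guidance", &nv[0], 0, 0, 0, hang_at, 0},
        {"telemetry", &nv[1], 0, 0, 0, NEVER_HANGS, 0},
    };
    for (uint32_t now = 0; now < ticks; now++) {
        for (int i = 0; i < 2; i++) {
            task_step(&t[i], now);
            watchdog_check(&t[i], now);
        }
    }
    if (other) {
        other->restarts = t[1].restarts;
        other->progress = t[1].nv->progress;
        other->scratch = t[1].scratch;
    }
    sim_result r = { t[0].restarts, t[0].nv->progress, t[0].scratch };
    return r;
}

int main(void) {
    sim_result other;
    sim_result r = run_simulation(12, 5, &other);
    printf("guidance: %u restart(s), progress %u kept, scratch %u after reboot\n",
           (unsigned)r.restarts, (unsigned)r.progress, (unsigned)r.scratch);
    printf("telemetry: %u restart(s), progress %u\n",
           (unsigned)other.restarts, (unsigned)other.progress);
    return 0;
}
```

With the guidance task hanging at tick 5 it is caught at tick 8, the first tick at which the gap since its last kick exceeds the timeout; its scratch counter is lost but its checkpointed progress is not, and the telemetry task runs all twelve ticks untouched. A real hardware watchdog cannot tell a hung task from a task that is merely late, so the timeout has to be chosen against the task's worst-case period, which is the same deadline argument MaxBarraclough raises below.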
| MaxBarraclough wrote:
| I'm not sure that mindset fits for this kind of problem. It's
| not a web server handling lots of independent requests, it's a
| real-time critical system that is required to always transition
| to the correct state within the deadline. I'm no expert on this
| stuff though.
| Verdex wrote:
| I'm interested in hearing more.
|
| I've been looking into Erlang on and off for nearly 14 years
| now. I think the language is really neat. But the self-healing
| supervisor tree thing is something that I've yet to get my head
| wrapped around.
|
| Like ... if you have some code that's like "X / 0" then it
| seems like it's not going to matter how many times you restart
| the process.
| macintux wrote:
| The general strategy is to test the system to the point where
| any bug like that is an edge case, some weird input you
| didn't expect.
|
| So every time you get that input you'll still crash, but
| other transactions will continue normally. Hopefully that
| input is either due to a transitory glitch like a bit flipped
| in RAM, or a user who isn't bored enough to keep submitting
| it, but either way the process isolation means all your other
| jobs can continue.
| SkyMarshal wrote:
| Ada/Spark can do that too, but you also want things like memory
| safety, hard real-time and/or constant-time capability, and
| provable correctness. Ada also enables those capabilities.
___________________________________________________________________
(page generated 2021-09-30 23:00 UTC)