"Nvidia Security Team: “What if we just stopped using C?”, 170 comments (2022), https://news.ycombinator.com/item?id=42998383
I personally think that AdaCore, and friends, missed an opportunity in the early 2000's to fully embrace open source... they left a big gap which Rust has filled nicely.
I still think Ada is a great programming language. When a question comes up along the lines of: "what's the best programming language nobody's heard of?", or "what's the best programming language that is under used?" Ada is usually my first answer. I think other good answers include F#, <insert LISP flavor>, Odin, Prolog, Haxe, and Futhark (if you're into that sort of thing).
And from the vendor point of view releasing a compiler under libre license allows for concurrents to undercut one on R&D leading to the compiler and related tools certification. So from business point of view it just makes no sense. This is very different from contributing to, say, clang, where a cost of maintaining own closed fork outweighs any disadvantages of contributing.
This is the original announcement from 2020,
"SPARK/Ada Journey to Adoption"
https://youtu.be/DZSSyWlsb28?si=vh4gO-LT2N3Skaql
Also we are now on Ada 202x already, quite different from Ada83, that some Rust folks keep comparing their favourite language with.
You get all the niceties of a language more in line with Object Pascal productivity, formal proofs, a RAII approach safer than C++ (controlled types, automatic stack types, unbound collection types), industry baremetal profiles like Ravenscar, and the recent versions are in the process of having affine types as well (aka borrow checker).
For example, it seems it's not possible to get a sub-string slice reference to an original unbounded string. In rust, a &str -> &str signature is trivial.
So it seems Ada still relies on discipline, while SPARK does not have the zero-cost abstractions that C++ and Rust have.
If that's true (is it?), then I'd definitely choose C++/Rust over Ada any time, since performance is very important to me.
Ada has as much zero cost abstractions as C++ and Rust have, and one of the reasons of Ravenscar is even what to turn off for bare metal deployments, and real time OS deployments.
> Ada has as much zero cost abstractions as C++ and Rust have.
Couldn't find anything about it (see above), but does Ada come with any monomorphization tricks?
The way generics are implemented in Ada compilers is implementation specific.
> What you don’t use, you don’t pay for. And further: What you do use, you couldn’t hand code any better.
without monomorphizing the generics?
Also I find funny this point of view on Ada, given the poor examples WG21 has added into the C++ standard library, that will never be fixed due to never-ending ABI drama.
With that said. How does:
> By letting the compilers decide the best way to implement them.
Get you to zero cost generics. What if implementor just says "let them eat memory" and boxes the generic.
Spark is a different use case from rust - it’s a full prover, and the goal is formal verification, typically in contexts where human life is at stake ( say, you’re writing software for an artificial heart , to take an extreme example ). This comes at the cost of being less flexible, but they’ve been slowly evolving spark so that it can handle increasingly complex cases .
Ada has had shared aliases since 1995. Its had zero cost abstractions since before then.
Slicing memory from a string is in the intro manual, for example.
my_var(2 .. 6)
[0] https://blog.adacore.com/memory-safety-in-ada-and-spark-thro...
I think the closest thing to a &str in Ada would be an "access String" or "access constant String", which you would get either from an allocated "String" or from a declared "aliased String". You'd create a subslice with "string(x..y)'Access". Though I'm not sure whether that actually works without explicitly declaring an array of "aliased Character", the Manual is dense (as with C++, it's nearly meaningless unless you already know what it's supposed to mean) and the tutorials generally avoid talking about access objects.
To be more specific, how would one implement something like a "Get_First_Word" or "Trim_Whitespace" without copying?
[0] https://www.adaic.org/resources/add_content/docs/craft/html/...
[1] http://www.ada-auth.org/standards/22rm/html/RM-3-10-2.html
If you want a copy, with Unbounded String, you'll need to call To_String on the slice.
[0] https://sites.radford.edu/~nokie/classes/320/std_lib_html/ad...
Also, the Unbounded_String owns its copy of the data, as opposed to referencing other data. The difference with String seems to be just that it can grow. It's still more like std::string than std::string_view.
Note that both std::string and std::string_view are essentially just a pointer and a length (std::string also has a capacity but let's ignore that). The difference is that trying to duplicate a std::string will end up duplicating (deep-copying) the data behind the pointer as well, where as duplicating a std::string_view will not.
Could you help me understand/interpret that link the same way you do, in case I'm missing something?
But what Unbounded does is... "U.Reference (U.First .. U.Last)". It returns a reference. It's not duplicating, because that would defeat the point of its entire existence. Its the buffer, containing one or more string objects, and you're just slicing a reference out of it - because that's the point.
If you want a String, you need to allocate one.
function Slice
(Source : in Unbounded_String;
Low : in Positive;
High : in Natural)
return String;
For example, here's the actual GNAT source of the function [1]:
function Slice
(Source : Unbounded_String;
Low : Positive;
High : Natural) return String
is
begin
-- Note: test of High > Length is in accordance with AI95-00128
if Low - 1 > Source.Last or else High > Source.Last then
raise Index_Error;
else
return Source.Reference (Low .. High);
end if;
end Slice;
[1] https://github.com/gcc-mirror/gcc/blob/master/gcc/ada/libgna...
Regarding access values, I listed out some of Ada's various restrictions. Its scope rules prevent referencing objects at deeper levels, objects must be explicitly marked aliased to create an access value to them, and there's far less need for access values (for instance, no pointers are needed to pass parameters by reference). Additionally, Ada offers the ability to dynamically size some objects and reclaim their memory without explicit memory allocation.
After I highlighted these details, ChatGPT admitted it had unfairly evaluated Ada, concluding it's a very safe and robust language, albeit using different techniques than Rust.
I understand the value proposition of Formal Verification with Spark.
But for me the killer features with Ada, thinking specifically of embedded systems is:
- The expressiveness you gain with Ada's Type System
- The Ravenscar profile (very impressive work from a small group of folks in the IRTAW group)
[2] https://www.adacore.com/press/adacore-announces-the-first-qu...
https://www.slideshare.net/slideshow/toyota-unintended-accel...
Also, unintended acceleration seems to have gone away. The control hardware has been changed; driver age, not so much.
Then, I was sitting there with the engine revving loudly for no reason. Car behind me started backing up. I decided to just shut it off and turn it back on. It went away.
Scary stuff. Especially since I had no idea why it happened.
FirmwareBurner•1d ago
gneuromante•1d ago
bb88•1d ago
However, the tooling for Ada was never as good as C++ tooling.
firesteelrain•1d ago
johnnyjeans•1d ago
particularly when the language you're replacing was explicitly designed for your domain, and the language you're replacing it with is an entropic event horizon from which no coherent thoughtform can escape.
[1] - https://www.dote.osd.mil/Portals/97/pub/reports/FY2024/other...
[2] - https://www.gao.gov/products/gao-24-107177
nabla9•1d ago
Ada is technically better choice.
CivBase•1d ago
Ada's developmemt tools are fewer, less featued, and more costly due to low demand.
johnisgood•1d ago
Such as?
dardeaup•1d ago
For Ada, is there anything other than AdaCore? Is that the same as GNATStudio?
Edit* - fixed Ada capitalization
cjbgkagh•1d ago
cjbgkagh•1d ago
FirmwareBurner•24m ago
Could you elaborate on this please? What is "high tech" here?
p_l•1d ago
None of the tools mentioned, other than in limited level IDEs (for practical purposes in safety critical C++ expect some niche variation of Eclipse just like if you used Ada) are valid for the F-35 project.
RavSS•1d ago
ryao•1d ago
shakna•1d ago
Each of those has an optional IDE. All of the IDEs you mentioned also support Ada.
CivBase•1d ago
Want an IDE? I hope you like GNAT Pro Studio.
Want a static analysis tool? I hope you like CodePeer.
Want to do unit testing? I hope you like Rapita.
ajxs•1d ago
nabla9•1d ago
When C++ was chosen for F-35 there were more verification tools to Ada than C++.
sam_bristow•1d ago
pjmlp•1d ago
seabird•1d ago
I get that there's more tools for C++ but first class formal verification support and a language that's generally designed to save you from yourself seems like something you would stand your ground on. Ada is supremely good at killing people and/or keeping them un-killed, there's a reason you still see it kicking around in defense and aerospace despite the common perception that it's a bygone relic.
FirmwareBurner•1d ago
Do you think the auto industry will have a easier time finding Ada talent at their pay rates? Or that talent will want to specialize into Ada just to pigeonhole themselves into the Automotive jobs market?
cmrdporcupine•21h ago
Arguably picking up Rust -- with its frankly exotic value passing and ownership semantics -- is much harder than learning Ada.
FirmwareBurner•21h ago
Low wages and the negative resume drive development might be reasons.
Believe it or not, pigeon holing yourself in niche/uncool tech for years, can and will negatively impact your future hiring prospects at good jobs, since hiring in tech is broken and HR selects resumes on buzzwords and on your "last X years of experience in Y framework".
seabird•17h ago
Ada is not some exotic thing that requites SF comp. If it's such a major adjustment coming from C/C++ that it's actually causing you trouble, you have other problems.
It's comical bringing up the automotive industry considering that its responsible for AUTOSAR, which is simultaneously widely hated by engineers and completely useless outside the industry.
FirmwareBurner•1h ago
I dunno about Detroit since I don't live there, but in Europe the auto industry is on a major downturn with cost cutting, layoffs and hiring freezes. Good luck getting hired anywhere now if you're laid off from the Auto industry and your specialty is some niche stuff only used in the auto industry. Also, IIRC, the company I worked for recently laid off 35% staff at their Auburn Hills office overnight so I doubt the situation around Detroit is as rosy as you make it seem.
> If it's such a major adjustment coming from C/C++ that it's actually causing you trouble, you have other problems.
Like I said, there should be no problem for a (skilled) programmer to adjust from C++ to Ada or vice versa, the problem is convincing HR to hire you on that premise. Ask me how I know (see my username).
Gone are the days of the SW generalists programmer, who would be hired with the expectation to learn on the job the new language used at that job, companies now are only looking for people with X on-the-job YoE on that programming language or framework, not self taught people coming from other programing languages.
This is not something you can control, it's the hiring market that's broken, so you can only adapt to it by not pigeonholing yourself in things that might be a career dead-end.
>It's comical bringing up the automotive industry considering that its responsible for AUTOSAR
AUTOSAR did what it was supposed to do: be a vendor lock in program for German bureaucratic companies and job security program for workers in that industry. That's what Germany and German companies do best: create massive amounts of bureaucracy requirements as a moat for an industry they have a foothold in, then sell you the solution. Why do you think SAP is also German?
zoom6628•22h ago
I knew someone a while back who worked on Patriot missile software. It was Ada. And Patriot still a formidable weapon.
FirmwareBurner•21h ago
Let me repeat myself again, Ada won't save you from human bugs. If you hire bad programmers or have bad dev and test practices, there's no magic programming language that will save you from your calculation and logic mistakes. You can code in raw machine code like you're 1960's NASA, and still have less bugs than a clueless vibe coder in Ada/Rust/etc. if you know what you're doing and have the right test and verification processes.
[1] https://www.cs.unc.edu/~smp/COMP205/LECTURES/ERROR/lec23/nod...
anthk•20h ago
On integers casted into floats, a Forth programmer would use a fixed point in a much saner way, they had experience for decades on it.
seabird•17h ago
FirmwareBurner•1h ago
2. In mission critical systems we always used fixed point fractional numbers in C as a representation of floats, to avoid floating point issues, so any issues of the language are moot.
firesteelrain•1d ago
anthk•1d ago
firesteelrain•1d ago
zppln•21h ago
People need to ask themselves what benefits Rust would bring to an high assurance system (e.g. DO-178C Level A). You're not gonna want to malloc mid-flight even if you have a borrow checker.
The entire point of e.g. DO-178C is to show that the software only does exactly what it is supposed to do under all assumptions and have any derived behavior fed back to the safety process for evaluation. Software can never in itself make a system safe.
All that aside, modern tooling may be more ergonomic etc so I'm not saying languages like Rust shouldn't be considered, they just aren't as useful here as I think a lot of people assume.
firesteelrain•20h ago
bb88•6h ago
I'm reminded by mozilla's sign "You must be this tall to write threaded code." [1] How much do you restrict your language and libraries to make it safe? Like custom templates? How do you define ownership of objects and lifetimes -- or just malloc everything all at once?
[1] https://bholley.net/blog/2015/must-be-this-tall-to-write-mul...
zppln•2h ago
> or just malloc everything all at once?
Yes! But here's the thing: this isn't done due to the footguns associated with memory management, it is done because you want as little dynamic behavior as possible. For Level A software you need to show that your software has both bounded execution time and memory usage, and be robust against all inputs. Achieving that is so much easier without dynamic memory management.
Also, another thing to keep in mind is that DO-178 has you show that your software requirements are traceable to system requirements, your software design to your software requirements, your source code to your software design and your object code to your source code. But testing should be requirements based. So if your compiler inserts a bounds check now you have object code not traceable to source code and for which you won't have coverage because your requirement mention it. But what if you mention it in your requirements? Well, then you'd have to implement it manually in source code to uphold traceability anyway...
I will caveat the above by saying that other players may interpret things differently or have found ways to do things more cleverly.
steveklabnik•15h ago
Ferrocene isn’t DO-178C certified… yet. But it has similar certifications in other industries.
zppln•14h ago
Also, tools follows DO-330 and are qualified. It's their output that should comply with DO-178.
steveklabnik•12h ago
pjmlp•1d ago
fransje26•1d ago
Which is entertaining, because until that point (2021, if memory serves?) it was encountering an ever increasing number of critical issues needing resolving, a double dozen of which would be lethal to the pilot flying. The backlog stood at 800+ issues at the time.
Some of the software issues were so serious that they were considered beyond salvageable at the time, despite having already gone through a full re-write from scratch cycle..
FirmwareBurner•1d ago
Maybe Lockheed just has shitty programmers who don't know what they're doing because the US defense industry is incompetent and the US SW jobs market top heavy where talent who does know how to use C++ right goes to big-tech and not on-site at some defense contractor? To me that's not the fault of C++.
tialaramex•22h ago
C++ iterators are a big example of this problem. In the most skilled hands these are a very powerful technology, excellent performance yet tremendous flexibility - but they have a lot of footguns. So do you choose to accept the high defect rates when your ordinary programmers shoot themselves in the foot, or do you neuter this powerful technique to reduce those defects but suffer significant performance problems ?
FirmwareBurner•21h ago
Bigger than coding in assembly?
>when your ordinary programmers shoot themselves in the foot
Then don't hire non-name foot shooting programmers off the street. Hire versed engineers with background in programing for safety critical systems, then have them train the code monkey engineers on the right way to think and work. Like I said, skill issue, not language issue.
anthk•21h ago
FirmwareBurner•21h ago
Just because something is sometimes better doesn't mean it's also more economical in production. You're still limited by budget constrains. With that budget you need to hire and/or train SW developer. It doesn't matter that X language might be better if you can't find and/or train people with experience on it. So you're better off using C with safety.
cmrdporcupine•21h ago
Mediocre talent that struggles with the language and continually make use after free bugs.
And elitist arrogant developers in love with the language, skilled in its use, who continually make use after free bugs.
FirmwareBurner•21h ago
cmrdporcupine•20h ago
C++ is a language seemingly designed with footguns built in on purpose. Even worse it has a community full of elitism and obscurantism.
Rust isn't perfect (I have my gripes), but it has the right idea with ownership management at the static type system level. Ada has its own positives around explicitness and bounds checking etc
C++ for new projects in safety critical sectors makes zero sense to me.
bb88•6h ago
I've never experienced that per se, I have experienced it in other fields or orgs where the bar to entry is super high. And keeping the bar to entry is often the goal of those that are elitist. Google interviews were that way 15 years ago.
I think the issue I keep coming back to with type safety is how do you make sure a value in meters is not mistakenly used as feet without some kind of translation. If you're going to have type safety, I feel the language should prevent that.
And if it can't prevent that, then it's not really "typesafe".
FirmwareBurner•2h ago
Sorry but I' can't entertain such broad generalizations of people. That's like hearing a woman saying all men are trash.
I agree with comments on the technicality of the language but if you start attacking people, I'm out.