They used SPARK instead:
SPARK is a formally defined computer programming language based on the Ada programming language,
intended for the development of high integrity software used in systems where predictable and
highly reliable operation is essential. It facilitates the development of applications that demand
safety, security, or business integrity.
I maintain conviction in my position that if AdaCore and/or other champions of Ada were to undertake a serious project (i.e. not an April Fools' Day joke blog post[1]) to ship a compiler that accepts a curly-braced dialect of the language[2][3], then there would be at least twice as many new, earnest users of the vulgar "skinned" form as there are programmers today using the existing language, and that this tripling would happen virtually overnight.
I'm not even talking about major revisions to the grammar. I'm saying fork the lexer to accept a different set of terminals, and leave the nonterminals alone.
Is this stupid and unreasonable and should programmers just get over themselves and use a language on the strength of its merits instead of being turned off by surface-level stuff? Yeah, it is, and yeah, they should. But people are fickle.
1. <https://blog.adacore.com/a-modern-syntax-for-ada>
Not related to Ada, but Dafny is a "Verification aware programming Language" where both Formal Specification and Verification are combined together in the same source language - https://dafny.org It uses curly braces and can generate code for a number of different languages at the backend (eg. Java, C#, Go, Python, Javascript, C++).
I haven't played with it yet but just from reading the documentation i really like this approach since you need learn only one language/toolchain for both formal specification/verification and implementation. But by giving one the flexibility to generate code to various mainstream languages you can slowly add verified code module by module to existing codebases.
You are right but the vhdl-like syntax is quite nice. It does some surprisingly modern things.
"is begin" and "end;" are the opposite of nice/modern
Nothing prevents anyone from creating a preprocessor that maps { to BEGIN and } to END.
Derivatives of Pascal such as Modula-2, Oberon, Lua, and Ada do not require BEGIN on IF, FOR, WHILE, LOOP or CASE statements, making the syntax much cleaner.
Nothing prevents anyone from trying to eat spaghetti with a spoon. (Or from modifying the lexer to accept a different set of terminals, even.)
> Kramer: "Yeah, well, I could do it. I don't wanna do it."
> Jerry: "We didn't bet if you wanted to do it. We bet on if it would be done."
> Kramer: "And― and it could be done."
> Jerry: "Well of course it COULD be done. Anything COULD be done. But it's only is done if it's done! Show me the levels! The bet is the levels!"
> Kramer: "I don't want the levels!"
> Jerry: "That's the bet!"
Spaghetti is eaten with spoon and fork…
Impelementing the grammar is the easiest 0.1% of programming language dissemination.
Adding explicit non-const to g++ would be so, so easy. But pointless.
I'm also desperate to stop Rust by any means, but I don't think you're correct; I think the sticking point for language adoption is the presence or absence of a big npm clone.
Alire has existed for a long time now; the oldest release on GitHub is 0.4 from 2018.
That would be a good start as the current syntax is absurd.
It's not absurd, it's just out of fashion. Ada syntax comes from the same heritage as Pascal, which was as popular as C during the 80s (and sometimes even more so).
Pascal died for several very good reasons.
That may well be, but syntax was not one of them. Someone who came into programming more recently and has only used curly-brace languages might not immediately understand what they are looking at, but that doesn't make it absurd - it's just different.
Pascal object code with runtime range checks could be slower than C object code without any such checks. Pascal strings typically were either statically bounded or included bounds information, while C strings typically did not.
Unfortunately C's lack of bounds checking made it very easy to create buffer overflows, which turned out to be a huge problem.
Ada doubled down on memory safety, which turned out to be a very good idea, especially if it can be combined with concurrency safety, formal checking (as with SPARK), etc.
Fortunately clang/llvm seem to be making some progress on memory safety; hopefully features like -fbounds-safety [1] will eventually bring C (and maybe C++) solidly into the 1980s.
[1] https://clang.llvm.org/docs/BoundsSafetyAdoptionGuide.html
Derivatives of Pascal such as Modula-2, Oberon, Lua, and Ada do not require BEGIN on IF, FOR, WHILE, LOOP or CASE statements, making the syntax cleaner and conciser than Pascal.
Article doesn't say what parts of Nvidia's stack use SPARK. Considering Nvidia is a huge software company with ~30,000 employees, "There are now over fifty developers trained and numerous components implemented in SPARK" doesn't inspire confidence.
IMO the realistic path towards formal verification is AI proof assistants that automate the tedious parts instead of forcing you to write your code in a weird way that's easier to prove
I'd also add that AI code generation in non-formally-verifiable languages, at places with concurrency requirements like Nvidia, might end up in the short-term creating more hard-to-spot concurrency bugs than before, as developers become incentivized to tab-complete code without fully thinking through the implications as they type.
But AI code generation for formally verifiable programs? And to assist in writing custom domain-specific verifiers? Now that's the sweet spot. The programming languages of the future, and the metaprogramming libraries on top of them, will look really, really cool.
Have you tried it for Rust, arguably a much lower bar than actually fully formally verifiable? Sorry to say but AI can't figure out the borrow checker. I'd speculate it does poor on a lot of things that are sort of implicit in the code / properties of the grand structure rather than incremental text things.
There is a podcast and blackhat? video about Nvidia choosing SPARK over Rust. Not because of formal verification at all but because it is a more developed prospect and offers better security even without any formal verification. This isn't mentioned but Ada is also far better at modelling registers or even network packets.
I might consider AI if it utilised SPARKs gnat prove but I wouldn't usw AI otherwise.
p4? Granted, that's not something that just compiles to a usable language.
Maybe better performance can be achieved with specialized models. There are some that were able to solve mathematical olympiad problems, e.g. AlphaProof.
AI means some future more rigorous system than today's Clippy++ LLMs.
At least that's what it should mean. It's not clear if that's going to happen.
> Sorry to say but AI can't figure out the borrow checker. I'd speculate it does poor on a lot of things that are sort of implicit in the code / properties of the grand structure rather than incremental text things.
I don’t really use AI tools, but in the past few weeks I’ve tried it with Rust and while it had problems, borrow checking errors were never part of them.
I fully agree that LLMs don’t “understand,” but people also really oversell the amount of thinking needed to satisfy borrowing in a lot of cases.
I had a production bug (caught in canary) introduced into Google Play in just this manner. The AI code review assist suggested switching a method to a more modern alternative, both the author and code reviewer thought the AI suggestion was a good one, the new alternative was documented as not being safe to use in the onCreate() method of an Android activity, the code in question was not in onCreate but was in a method transitively called by onCreate in a different Activity, boom goes an unrelated Activity. Would've been caught trivially by an expressive type system, but the LLM doesn't know that.
> But AI code generation for formally verifiable programs?
For verifiable domains, this really is the sweet spot.
An annoying aspect of verification-in-practice is that it is just really bulky—there's a lot to type in, and it's tedious.
LLMs, especially the latest crop of weak-reasoning models, are great for this.
I tested o3-mini yesterday, having it verify a bit-hack for "vectorizing" 8x8bit integer addition using a single 64 bit int value[0]. Suffice to say, I am not impressed. I asked it to give me a counter example that would make the function fail, or to tell me that it works if it does. It mentioned problems regarding endianness which weren't present, it mentioned carries that would spill over which couldn't happen. I had given it chances to give counter examples, but the counterexamples he gave didn't fail.
Only after telling it that I tested the code and that it works did it somewhat accept that the solution worked.
I think a deterministic, unambiguous process is a lot more valuable for formal verification.
[0] https://chatgpt.com/share/67aefb63-f60c-8002-bfc6-c7c45b4520...
> A limitation I see with AI for coding is that your problem must be mainstream to get decent results.
Or to phrase it another way, there must examples of the technique that you want to "generate" in the training set otherwise the horrifically overfitted model cannot work.
Probably a little bit too cynical but this is my experience asking LLMs "unusual" questions.
Perhaps I misread it then. I think that if you're at the point of using formal verification you're likely to be very meticulous in whatever you're writing, so an AI would be used quite carefully
> as developers become incentivized to tab-complete code without fully thinking through the implications as they type.
Is this true? There should always be a QA process and you should always carefully review when committing. The writing process doesn't influence that unless you're automating whole swaths you don't understand during reviews.
I’m not entirely sure they are writing any portion of their driver using SPARC the presentation they gave 5 years ago seems to indicate they are limiting the usage to firmware for their embedded RISC-V co-processor, they may have expanded the usage of it but I still think it’s predominantly firmware related with possibly some expansion to their automotive and robotics solutions.
https://www.slideshare.net/slideshow/securing-the-future-of-...
SPARC and SPARK are two entirely different things.
Indeed they are, the misspelling is on my end :)
It bears repeating that Nvidia is not strictly speaking a SW company. It is a semiconductors company. That 30k employees figure includes all Nvidia employees, not all of which are in software.
I am rather skeptical of AI in this context. Until you have verifiably correct AI assistants, you still need a highly skilled human in the loop to catch subtle errors in the proofs or the whole result is moot anyway.
And there _are_ tools out there capable of verifying C code, but for a greenfield project implementation/verification in a higher-level, formal language + verified compilation might make more sense.
> Article doesn't say what parts of Nvidia's stack use SPARK.
Their linked case study lists three examples and one category, https://www.adacore.com/uploads/techPapers/222559-adacore-nv...
- image authentication and integrity checks for the overall GPU firmware image
- BootROM and secure monitor firmware
- formally verified components of an isolation kernel for an embedded operating system
- In general, their targets tend to be smaller code bases that would benefit the most from SPARK’s strong typing, absence of runtime errors, and in some cases, rigorous formal verification of functional properties
> NVRISCV is NVIDIA’s implementation of the RISC-V ISA and Peregrine subsystem includes NVRISCV and multiple peripherals. They show how fine-grain access controls, formally verified for correctness, allow following the principle of least privilege for each partition. NVRISCV provides secure boot that starts with an immutable HW, the chain of trust extends to the Secure Monitor in SW, where partition policies are set up and isolation enforced using HW controls.. Boot and Secure Monitor software is implemented in SPARK.
The article seems fairly clear that it is the security folks within Nvidia that are spearheading this. 50 engineers on the security team doesn't seem unreasonable for a company of that size.
I don't believe that: https://news.ycombinator.com/item?id=43042166
I feel like it’s going to be a step further and we won’t write actual “code” but more like comprehensive tests and it generates the code . Sort of like the movement from assembly to C
Historically AI has been pretty bad with this. Machine learning is famous for finding solutions that pass all the test cases in out of the box ways but don't do what you want.
That hasn't been my experience. I've mostly seen fake stories along those lines. Eg https://gwern.net/tank
Writing comprehensive tests is the part we're weakest at IMHO.
That's the same paradigm as outsourcing development at some cheap place and doing acceptance tests against the result. It saves money but that's not how you'd build an airplane for instance...
> that's not how you'd build an airplane for instance...
Unless you want it going boing boing boeing.
Unfortunately humans will probably stay very bad at writing tests that covers all possible cases. And who's gonna test the tests ?
Totally agree that AI is going to have a huge impact on security of languages, and will change many paradigms.
No doubt, regardless of whether it fails epically or not.
lol good point.
formal verification is normally used on the most security critical code so even 50 programmers is a lot.
> doesn't inspire confidence.
Haha what?
What are you comparing this to?
Compared to the other 99.9% of the company that doesn't use SPARK. It's all tests and static analysis
There are probably 50 developers working on the actual drivers and several thousand on GeForce Experience.
Don't they release custom tuning patches for every single AAA game that comes out? Geforce Experience is basically just a spoonful of sugar to make sure people install new drivers.
After briefly skimming through their talk they mention they're a third party consultancy company making recommendations on safety for NVIDIA, so "Nvidia Security Team" take it how you will. Also I think these drastic changes moving towards a completely different language always bug me, especially when the syntax is also completely different.
Then there's like everything libraries wise and CUDA is all C/C++ if I'm not mistaken. In every large project I'm sure you're eventually going to find some exploit attack vector. Especially if the focus from what I believe for GPU/CUDA until recently wasn't mostly focused on security rather than performance and those are always trade-offs.
> After briefly skimming through their talk they mention they're a third party consultancy company making recommendations on safety for NVIDIA, so "Nvidia Security Team" take it how you will.
This is a marketing case study by the major Ada tools and training vendor, on years of engineering work done by their customer, Nvidia. It includes quotes from Nvidia employees and their blog references a Defcon video by the head of the Nvidia Offensive Security team, https://www.adacore.com/uploads/techPapers/222559-adacore-nv...
Principal Software Engineer
Manager, GPU Firmware Security
Senior Manager, GPU Software Security
VP, Software Security
At the conclusion of their initial POC at the end of 2018, NVIDIA had five developers trained in SPARK. By the second quarter of 2022, that number had grown to over fifty.. Several NVIDIA teams are now using SPARK for a wide range of applications that include image authentication and integrity checks for the overall GPU firmware image, BootROM and secure monitor firmware, and formally verified components of an isolation kernel for an embedded operating system.The focus of their work seems to be low-level firmware, and not CUDA or any kind of compute. It makes sense a lot there because you won't need as many libraries.
The syntax is really a red-herring especially when you get contracts, proof of absence of runtime errors and higher-lever functional proof, mostly automated, or assisted with annotations. If you're actually going with this effort, the lack of curly braces, ampersands shouldn't be a main concern.
Ada's refusal to make their language any more approachable is a problem.
What's unapproachable about it? And if your answer involves syntax, how do you explain Python?
You either write the main program in C and call Ada libaries, or you write the main program in Ada and call C libaries: https://learn.adacore.com/courses/intro-to-ada/chapters/inte...
(And this seems pretty general; you'd have to do roughly the same thing to mix C/Rust, C/Pascal, Rust/Python, ...)
I forget sometimes that the papers and talks issued by teams at most companies are for PR and resume-padding. They hype the findings that justify that team's budget, and bury any negatives.
The other funny thing I noticed is the formal verification just means the program implements the standard - it doesn't mean the standard doesn't have security holes! And sometimes the security holes are implementation-specific, like timing attacks, which can require weird low-level tricks to solve.
>bury any negatives
I was looking for the x86-specific rant, and did not find it. You'd think that team would have had something to say about architecture complexity.
Nvidia’s GPU root of trust, where they are using SPARK, is based on RISC-V, they have a talk about that choice, https://news.ycombinator.com/item?id=43045952
> moving towards a completely different language always bug me, especially when the syntax is also completely different.
Why do syntax differences bug you? I could understand most concerns about switching ecosystems, but surely the difference between e.g. C++ and Java and JavaScript are orders of magnitude larger than that between C++ and Ada. Syntax is the smallest piece of it all, as far as I'm concerned.
> Then there's like everything libraries wise and CUDA is all C/C++ if I'm not mistaken.
Ada has excellent C interop.
Maybe it's naive of me but I also don't really perceive much of a security imperative for NVIDIA. They make graphics cards and slop generator cards for the most part. What exactly is the threat model here that requires switching to prioritizing memory safety? Are there a lot of graphics card related codes that are being exploited in the wild?
NVIDIA GPU RISC-V root of trust is analogous to Apple T2 secure enclave, AMD PSP, or Intel ME, which all perform security-critical functions.
> What exactly is the threat model here
It probably varies by product, but one commercial possibility is protection of price premiums, e.g. enforce feature segmentation for different products or customers, while using common silicon. NVIDIA operating margin reached 50%, unusually high for a hardware company, https://www.macrotrends.net/stocks/charts/NVDA/nvidia/operat.... AMD margin is below 20%.
2021, https://www.youtube.com/watch?v=l7i1kfHvWNI
2024, https://static.sched.com/hosted_files/riscvsummit2024/fe/Key...
~1 Billion RISC-V cores shipping in 2024 NVIDIA chips
Unified embedded HW and SW across all NVIDIA products
• Eliminates replication in basic primitives (isolation, crypto etc.)
• Maximizes SW/HW leverage across NVIDIA
Configuration: pay only for what is needed
Custom extensions: additional functionality, security, and performance
Our HW and SW architecture enable differentiation
> don't really perceive much of a security imperative for NVIDIA
When countries start budgeting hundreds of billions of dollars for national investment in LLM-based AI based on GPUs, they may introduce new security requirements for the underlying infrastructure.
Yeah, there's a whole bunch of places where NVIDIA kit is used outside of "graphics cards and slop generators". I work on a drone system based around the Orin AGX and we definitely have "leverage the root of trust functionality to lock down the code that can run on the Orin" on the roadmap before we ever let the hardware end up directly in customers' hands. Root of trust -> Signed Bootloader -> Signed Kernel -> Signed Binaries. There's too much IP that we've spent too much money on to risk having end-users getting access to the raw TensorRT models involved.
Are you aware of how the nintendo switch got piracy?
In general, NVIDIA never had proper bug-free support in C for well over a decade (hidden de-allocation errors etc.), and essentially everyone focused on the cuda compiler with the C++ API.
To be honest, it still bothers me an awful GPU mailbox design is still the cutting-edge tech for modern computing. GPU rootkits are already a thing... Best of luck =3
GPU rootkits are sounds like misnomer unless they start getting rewritable persistent storage (maybe they do now and my knowledge is out of date).
If you've got malicious code in your GPU, shut it off wait a few seconds, turn it back on.
Actually looking at the definition, my understanding might be off or the definition has morphed over time. I used to think it wasn't a rootkit unless it survived reinstalling the OS.
These have direct access to the dma channel of your storage device, and POC have proven mmu/CPU bypass is feasible.
My point was the current architecture is a kludge built on a kludge... =3
> with the C++ API
The funny thing is that the "C++ API" is almost entirely C-like, foregoing almost everything beneficial and convenient about C++, while at the same time not being properly limited to C.
(which is why I wrote this: https://github.com/eyalroz/cuda-api-wrappers/ )
> an awful GPU mailbox design is still the cutting-edge tech
Can you elaborate on what you mean by a "mailbox design"?
Depends on which CUDA API one is looking to,
I meant the fundamental ones, mostly:
* CUDA Driver API: https://docs.nvidia.com/cuda/cuda-driver-api/index.html * NVRTC: https://docs.nvidia.com/cuda/nvrtc/index.html * (CUDA Runtime API, very popular but not entirely fundamental as it rests on the driver API)
the CUDA C++ library is a behemoth that sits on top of other things.
In general, a modern GPU must copy its workload into/out-of its own working area in vram regardless of the compute capability number, and thus is constrained by the same clock-domain-crossing performance bottleneck many times per transfer.
At least the C++ part of the systems were functional enough to build the current house of cards. Best of luck =3
Yeah, when I see the equivalent to slang written in Ada/Spark, I'll actually believe them.
i personaly find firmware in a fighter jet a little more impressive
ADA and SPARK are used in writing air traffic control systems. I find that impressive.
Yeah, it completely loses all weight when it’s an external consultancy suggesting it.
It’s easy to say “rewrite everything in X because Y” when you don’t have to deal with the burden of figuring out how to do that.
Flagged the article because the title is super misleading.
> Flagged the article because the title is super misleading
From the case study, the question was posed by Nvidia employees, before finding Ada/SPARK and Adacore, https://news.ycombinator.com/item?id=43043381
NVIDIA began to ask themselves, “Can we change our fundamental approach? And if so, which of these tools can we actually use?” They put these questions to their software security team. In reply, the security team came back with what Daniel Rohrer characterized as “a fairly heretical” proposition: “What if we just stopped using C?” This led to other questions, like, “What alternative languages and tools are available to support the use of formal methods?” In trying to answer those questions, NVIDIA discovered SPARK.The real problem is deeper than this. The actual question to ask is:
"What if we just stopped distributing and blindly executing untrusted binary blobs?"
A trusted compiler in the OS, and some set of intermediate representations for code distribution would solve a massive amount of security issues, increase compatibility, and allow for future performance increases and disallowing suspect code patterns (spectre, rowhammer, etc). Specializing programs at install time for the local hardware makes way more sense than being locked into hardware machine code compatibility.
That does nothing to fix the vast majority of security issues, which are caused by trusted but not memory safe programs running on untrusted input.
It's also an extremely unrealistic goal. First of all, you run into a massive problem with companies and copyright. Second of all, it will be very hard to convince users that it's normal for their Chrome installation to take half an hour or more while using their CPU at 100% the whole time.
I feel like you might as well ask "why not world peace"?
There are a huge number of practical issues to be solved to make that be viable.
could you list a few of the problems you predict?
The VST Lab at Princeton works on this sort of problem: https://vst.cs.princeton.edu/
"The Verified Software Toolchain project assures with machine-checked proofs that the assertions claimed at the top of the toolchain really hold in the machine-language program, running in the operating-system context."
Some of the same researchers worked on TAL (typed assembly language), which sounds like it could be one of the "intermediate representations" you mentioned.
For a while, Apple required apps to be submitted as bitcode (LLVM IR) to the App Store, where they would be converted to x86 or Arm machine code during device install. They stopped that a couple of years ago, after migration to Apple Silicon.
Apple used to require bitcode (LLVM IR) for App Store submissions.
Rest is interesting, nothing was done on install, it wasn't converted or anything to machine code.
In fact, in practice, it never ended up being used.
Well, that's not particularly relevant: the idea was never to do something on device anyway.
Really excellent post here summarizing that I can vouch for: https://stackoverflow.com/questions/72543728/xcode-14-deprec...
Thanks for the correction and link. Relevant to the comment above about binary blobs:
> The idea to have apps in a CPU neutral form available on the app store is not a bad one; that's why Android chose Java Byte Code (JBC). Yet JBC is a pretty stable representation that is well documented and understood, Bitcode isn't. Also on Android the device itself transforms JBC to CPU code (AOT nowadays).
Thanks for the additional detail, https://en.wikipedia.org/wiki/Dalvik_(software)
> Programs for Android are commonly written in Java and compiled to bytecode for the Java Virtual Machine, which is then translated to Dalvik bytecode.. The successor of Dalvik is Android Runtime (ART), which uses the same bytecode and .dex files (but not .odex files), with the succession aiming at performance improvements.
How did that work though ? Isn't bitcode tied to a target triplet ?
It didn’t. Bitcode was only used for watchOS compatibility.
Bitcode was never required for app submissions on macOS. It also was never portable across architectures.
There is a rule that if somebody poses this hypothetical with the word "just" in it, they have signed themselves up to go and implement it.
So, congratulations, take it and run with it.
> "What if we just stopped distributing and blindly executing untrusted binary blobs?"
You can do that right now with open source software and Bootstrappable Builds.
https://bootstrappable.org/ https://lwn.net/Articles/983340/
Pretty huge promotional opportunity for AdaCore. You can tell because this was written by AdaCore.
Still, I am a bit convinced. The NVIDIA name is increase the chance that I will evaluate SPARK sometime soon. I have to admit, other than knowing it exists, I am not super familiar with it. What I have seen before now has felt like them using the popularity of Rust as a platform for promotion. This, at least, appears to be a use case where they came in on their own merits.
> huge promotional opportunity
Right? Yet they published this customer case study in 2022 and it never reached HN. Found in 2025 search on GPU firmware security.
Already a year late, but this one made the rounds:
Thanks. Just three weeks before the ChatGPT launch that would accelerate Nvidia's fortunes!
Efficiency of Ada should be pretty close to C, but that strange thing Ada does where you define your own numeric types like
type Day_type is range 1 .. 31;
(Lately I was thinking about making a fantasy computer that could be hosted in Javascript which was going to be RISC but otherwise totally over the top, like there would be bitwise addressing like the PDP-10. First I wanted it to be 24 bit but then I figured I could pack 48 bits in a double so I might as well. It even would have a special instruction for unpacking UTF-8 characters and a video system intended for mixing latin and CJK characters. Still boils down to an 8-bit byte but like the PDP-10 it could cut out 11-bit slices or whatever you want. I was going to say screw C but then I figured out you could compile C for it)
Love that feature, along with derived types[1] and subtype predicates[2]. There's a special place in my heart partitioned for things that won't let you screw things up.
[1] https://learn.adacore.com/courses/intro-to-ada/chapters/stro...
[2] https://learn.adacore.com/courses/Ada_For_The_CPP_Java_Devel...
Alright, this is Hacker news, so I'm gonna nitpick...
> It even would have a special instruction for unpacking UTF-8 characters
From https://en.wikipedia.org/wiki/Reduced_instruction_set_comput... :
> The term "reduced" in that phrase was intended to describe the fact that the amount of work any single instruction accomplishes is reduced—at most a single data memory cycle—compared to the "complex instructions" of CISC CPUs that may require dozens of data memory cycles in order to execute a single instruction.
I don't think what you're describing is a RISC processor at all.
Whether accelerated UTF-8 decoding breaks RISC-ness is an interesting question, and not one with an obvious answer IMO.
Supposing we loaded 4 bytes into a register with a load instruction (quite RISC), we could then have a "decode UTF-8" instruction which could set two output registers: one receiving the decoded code point, and the other receiving the number of bytes consumed (1-4). That's another perfectly RISCy operation: read one input register, operate on it, update two output registers. Most RISC architectures also allow base+offset addressing at least, so you can chain this to another load using the output of that second register; worst case, you'd need to add base+offset in a dedicated instruction. No violations of RISC here.
However, you'd start running into problems with alignment. Loading 4 bytes into a register typically requires 4-byte alignment, but UTF-8 is a variable-length encoding (hence the desire to accelerate it in the first place!). Is unaligned load RISCy? Many architectures now support it, but they usually didn't start off with it. Then again, 64-bit architectures can just ignore the problem entirely, since they can load 8 bytes at a time, which will always be enough to fit an arbitrary 4-byte value at any alignment. You'd just need to shift the value in the register by the amount of the misalignment, which is another valid RISC operation.
If you wanted to sidestep the alignment issue, then an alternate solution would be to decode the UTF-8 sequence straight from memory, but that definitely feels more like CISC to me.
This doesn't strike me as that different than an enum.
Arithmetic is defined on range types. So day 30 + day 4 is 34, which if you then try to coerce into a day will throw an exception.
And... So? It seems you are saying Day_type + Integer is Integer, and Integer (in general) cannot safely be coerced into Day_type and... that’s logically correct?
`Day_type + Day_type` is also defined, and it overflows. That's like normal integers, and unlike enums.
Not only Ada?
Pascal is less esoteric and has had that forever.
My feelings about Pascal are pretty mixed.
Pedagogically oriented computer science profs circa 1980 were aghast that BASIC had become the standard for teaching young people to program. It was difficult to fit Pascal into a microcomputer then, so we were stuck with the atrocious UCSD Pascal [1] which used a virtual machine to make up for the weak instruction sets of many micros, particularly the 6502. Since the compiler ran inside the VM, compiling a small Pascal program was like compiling a large C++ program today.
Not long after that I got to use Pascal on a VAX which was not so bad, but pretty obviously not up to doing systems programming, particularly compared to C, which was starting to show up on micros such as Z-80s running CP/M and the TRS-80 Color Computer running OS-9.
Then I got a 80286 computer and I really liked Turbo Pascal because it added the (non-standard) facilities you need to do systems work, but went back to C when I went to school because it was portable to the 68k and SPARC based Sun machines we had.
> compared to C, which was starting to show up on micros such as Z-80s running CP/M
I had some very limited access to CP/M z80 machines. Probably somewhere between 86-90. All I remember about the C compiler they had is that I had to swap 2 or 3 floppies to produce a linked executable, so it sounds similar to this UCSD Pascal.
My first real contact with Pascal was Turbo Pascal, and that ran loops around any other compiler I had access to back then...
I had a Coco with 2 floppies, I could compile C without any swapping. OS-9 was a real multitasking operating system, I could log into it with the keyboard and mouse and two serial ports at the same time (one with a UART, another with the terrible bit banger) The latter wasn't too bad with the portable DEC printing terminal I got that that was surplus at a credit agency.
UCSD Pascal was one of very few compiled languages you could get for the Apple ][ and other 6502 machines because the virtual machine was an answer to problem of code generation for that terrible instruction set with insufficient registers and addressing modes.
Discussed at the time:
Nvidia Security Team: “What if we just stopped using C?” - https://news.ycombinator.com/item?id=33504206 - Nov 2022 (362 comments)
It's hard to tell what components are now written in spark. The driver is mostly c, and none of the open source repos are identified as spark.
Their PDF has a bit more detail, https://news.ycombinator.com/item?id=43043541
Any Spark compiler? I've found https://www.adacore.com/sparkpro which says request pricing - never good, any open ones suitable for playing with?
There's a GPL version of GNATprove, which you can install with Alire (https://alire.ada.dev). That's the version I use.
You wouldn't guess it from AdaCore's homepage, but SPARK tooling (including provers) and the GNAT Ada compiler are both made freely available, with the goal of attracting interest from FOSS projects.
Here's a page on this: https://blog.adacore.com/a-new-era-for-ada-spark-open-source...
ajxs is right to say that the way to get your hands on this tooling is to use the Alire package-manager. AdaCore no longer offer alternative means of distribution (except, presumably, to paying customers).
"Beware of bugs in the above code; I have only proved it correct, not tried it." - Donald Knuth
I've never used SPARK, but the Wikipedia page makes it seem pretty interesting.
For that matter, Ada seems interesting, I kind of wish it had caught on outside of the defense industry.
It failed to catch on outside the defense industry because that is where is started. It was long sneered at as a "language designed by committee".
In one programming class, in college, we used a text-book called "Oh my, Modula 3!". On the back they explained the title, saying "better 'Oh my, Modula 3!' than 'Oh no, Ada!'".
You mean, "Oh My! Modula-2!", not 3.
The title of that book was chosen as a reference to a previous book titled, "Oh! Pascal!".
Yeah, people have explained to me here before.
It's just too bad, because Ada looks like a language that should have gotten more popular. I was playing with some of the concurrency constructs built into it, and it was fairly pleasant, and it makes me think about the "what if?" universe where it caught on instead of C++ dominating the 90's and 2000's.
It would mean we need more RISC-V performant hardware. Because the real and honnest way out from C is assembly (with super high level languages with interpreters written in assembly). And it means a worldwide royalty free standard.
I guess we could get a middle ground with a simpler C dialect with the bits required for modern hardware architecture programming (no integer promotion, no implicit casts, only sized type, only one loop keyword, no switch...). The defining criteria for this language: it must be easy to get a real-life bootstrap compiler with one dev (reasonable amount of time, effort, etc).
I am currently coding many of my applications in RISC-V assembly, with a small interpreter to run them on x86_64, dodging complex macro-preprocessors (I use the basic features of a C preprocessor, I don't even use the RISC-V pseudo-ops).
The only thing keeping me on x86_64 are video games for linux and the fact that x86_64 micro-archs are mature, performant wise.
Why not just use a verifiable subset of C? https://compcert.org/compcert-C.html
Compcert guarantees that the executable that comes out does what the code that went in said, it doesn’t guarantee much about the code that went in.
There's also Frama-C, but having used both Frama-C and SPARK I can say I'd pick SPARK any day. Having a rich type system and not having to work with pointers makes proving a program so much easier.
Right, Frama-C can formally prove properties of C code.
There are also proprietary solutions that do something similar:
Is there really no speed difference between the 2? I can’t find any benchmarks and it’s quite a claim.
Yes, lets just use pascal. Who needs dynamic memory allocation and functions that can take strings of multiple length?
We are talking about firmware. I am just a web dev and dont know much about the embedded space, but my impression was that dynamic memory allocation is usually problematic in firmware in general.
Spark is Ada not Pascal.
Pascal strings used to have their actual length in a field at the beginning of the string. Imagine how many off by one errors and how many (even hidden) calls to strlen() that saves.
All they needed to modernize Pascal is some library code to resize the buffer if needed, just like curly brace languages. It may already be present in modern Pascal implementations, I haven't followed.
Pascal also has array bounds checking by default. Imagine how many out of bounds errors this could prevent.
But no, you have to have curly braces instead and build layers and layers of classes and languages over classes, all over the same impractical string representation.
Object Pascal and Delphi dialects have had open arrays for ages.
And this was even fixed in ISO Extended Pascal by 1990.
Not to mention that Wirth fixed this in Modula-2 in 1978, already, which everyone keeps forgeting it was actually designed for systems programming, while Pascal was originally designed in 1972 for teaching programming concepts.
But sure enough, lets complain about ISO Pascal from 1976.
SPARK supports both of these things.
Stuck in 1976 Pascal?
""Beware of bugs in the above code; I have only proved it correct, but didn't test it"
Imagine if "we" are OS/embedded dev folks.
I mean, for writing userland apps, various langs come and go. But for writing OS, after more than 4 decades, C is still there.
:D
Wow, was not expecting Boomer Rust to take center stage here. Awesome results by the security team.
Ada = Boomer Rust <==> Rust = Millennial Ada
I can imagine Boomers laughing but the Rustaceans not seeing the humour in it at all. I could be wrong...
Sadly, Rust still lacks some features that Ada has. For example, range types[1] (a narrow case of the dependent types).
[1] https://en.wikibooks.org/wiki/Ada_Programming/Types/range
In my talk I expounded on how people were concerned with safety even in the 80s, and how Ada provides tools to construct programs that were safe in many other ways besides just memory safety.
Millennials are getting old though. When is Gen Z going to build a language? They probably won't though, because it's hard to ask an AI to build a brand new Ada for you.
That's an incredible title!
Yeah, I gave a talk on Ada a few months back at a local meetup. Calling it "Boomer Rust" at the start helped break the ice, everyone laughed, and it also helped them get the gist of Ada's particular value-add while I went into details.
[flagged]
"Testing security is pretty much impossible. It’s hard to know if you’re ever done,”
"We wanted to emphasize provability over testing as a preferred verification method"
Yet another developer seeking a panacea that will allow them to keep their job while diminishing their workload.
For typical workers, it's a fact that work is infinite, so you put your 8 hours and then do it again the other day.
Whenever devs get put in this position they go for the nuclear option of going for the moon.
Man just keep finding bugs to the best of your ability, it will never be 100% secure, except insofar as you gerrymander what's a vulnerability and what is your responsibility.
Good luck. But if I have to put my chips in Nvidia's VP vs C, I put them in C. The list of C contenders has been long, and it seems more likely that the vp is at the peak of their life ala musk or altmann and they have their own delusions. Not sure whether going to mars is crazier or whether finally replacing C is.
TBH, this sounds like somewhat of a nothing-burger published by an organization with a motivation to overstate the use of Ada / Spark.
Specifically, the article does not claim that any significant bit of code at NVIDIA uses SPARK or Ada.
Significant bits of code at NVIDIA use SPARK. Small percentage of total code written, but in significant places.
> Significant bits of code at NVIDIA use SPARK.
That is a vacuous statement, because:
* We don't know what constitutes "significant"
* We don't know what it's significant _for_
* "code at NVIDIA" is an extremely wide definition.
Details, slides and video are in this HN discussion, linked from sibling response.
vacuous: Devoid of substance or meaning; vapid or inane.
disingenuous: Pretending to be unaware or unsophisticated; faux-naïf.
guarded: Cautious; restrained.The linked Nvidia case study names GPU firmware components, https://news.ycombinator.com/item?id=43043541
And then they invented their own language with security holes.
People who don't want to read the first line of the article, rejoice!
It sounds like a good decision though. Formal verification tends to make more sense in highly concurrent situations where there is a high-value stable API to be supported. That describes graphics cards and surrounding environments really well so it makes sense that Nvidia would find use cases.
Something more from the article is also that they made the decision with a pilot project that went well. It'd be nice to have more details about it; that sort of thing is important to do well and always interesting. Lo and behold, we do have more details about it! https://blog.adacore.com/when-formal-verification-with-spark... - there is a video in there that looks to be worth a watch.
Nothing in the article explained what SPARK is. I appreciated GP's comment.
I really wish there was more active development on SPARK.
It's largely untouched over the last 10-years.
https://github.com/AdaCore/spark2014
For those not aware, SPARK gives even more safeguards/guarantees than Rust (see below) ... and also does it at compile time (when not all of Rust safeguards are at compile time).
https://blog.adacore.com/should-i-choose-ada-spark-or-rust-o...
There's 27k commits. that's pretty active
They actually had to use the non-cutdown version of SPARK that this company sells, called SPARK Pro.
SPARK is free for all to use and is open source. They chose to pay for Adacores pro support services and verified pro Ada compiler over the FSF GCC/Gnat Ada compiler. Spark is actually part of the Gnat compiler (compatibility) but actually the slower analysis is done by gnatprove thereby keeping compilation and iterative development fast. Nvidia can certainly afford to do so of course.
AdaCore's pro support includes more recent releases and, in case of problems, wavefronts. That said, the free version is fairly recent, and you can get community (and sometimes vendor) support.
What are wavefronts? Not getting many search results on that, besides a few github issues mentioning them.
https://github.com/AdaCore/RecordFlux/issues/955
https://learn.adacore.com/search.html?q=wavefront&check_keyw... (nada)
https://docs.adacore.com/spark2014-docs/html/ug/search.html?... (nada)
https://github.com/AdaCore/spark2014/issues?q=wavefront%20 (nada)
SPARK has some adherents in spacecraft programming for its formal verifiability and safety features.
[flagged]
I'm with you in spirit, but NVIDIA Spark is a thing insofar as RAPIDS?
https://www.nvidia.com/en-us/deep-learning-ai/solutions/data...
Yes, but that has nothing to do with the Spark language that Nvidia is talking about in the OP: https://en.wikipedia.org/wiki/SPARK_(programming_language)
Seems like a great example of LLMs getting confused by language and lacking any actual understanding, although I haven't yet looked into this particular case.
And Nvidia never used the term "NVIDIA Spark". In fact those words probably never appeared together on the Internet.