Posts by fg_swe

Hamburger Computing

Hamburger computing is to focus on cost and execution speed only. Disregarding safety and security.

Like eating fast food and being amazed about cost efficiency, while wondering where all the health issues come from.

Null Pointers Are Not The Worst

A null pointer will result in a deterministic crash. What is much worse is heap corruption from invalid pointers, which can modify program heap in all sorts of weird ways. Attackers also love these pointers.

Production Runtime Bugs

Typically, programs can not be exposed to all theoretically possible inputs during the test+validation phase. So some programming errors will only show up during productive runtime. For example, when little Ivan from Tomsk enumerates all possible inputs.

See Sir Tony Hoare on the issue of runtime checking.

Re: Very Expensive Approach / Details

If I understand the ARM concept correctly, they need very fat pointers to store all the safety information.

Compared to that, a Sappeur program needs just the native pointer size(can be anything from 16 to 64 bits) plus a reference counter(typically 4 octets plus pthread_mutex for multithreaded objects) at the targeted object.

ARM seems to consume 16 octets for a safe pointer. That is a lot of cache bloat and a lot of excess memory transfer bandwidth spent.

Compile this sample to see it yourself: http://gauss.ddnss.de/

Pointers Are Fine For Code Generators

...but very bad for 100% of human developers. See the CVE database and all the exploits in the code developed by "seasoned" kernel developers. Or Mozilla, Oracle, MSFT, QNX, ...

ICL, UNISYS, MOSCOW

They all had mainframe computers with plenty of runtime checking. Then came the "cheap" Unix+C. "presented" like a Trojan Horse to the computing world.

https://en.wikipedia.org/wiki/ICL_2900_Series

https://en.wikipedia.org/wiki/Burroughs_large_systems

https://en.wikipedia.org/wiki/Elbrus_(computer)

Sir Tony Hoare

We already had very nice Algol mainframes completely with lots of runtime checks. Then came the Hamburger Approach to computing in the form of Unix+C.

https://www.infoq.com/presentations/Null-References-The-Billion-Dollar-Mistake-Tony-Hoare/

Valgrind

A valgrind program execution takes 10 to 100 times more CPU time. Use an efficient memory safe language such as Sappeur and the penalty will be in the order of 10%.

Re: Pointers to failure

Smart pointers cant help you in case of multithreaded race bugs. A proper programming language can. See my other post.

Uranium

Everybody burns U235 and some a bit of Plutonium. The U235 is usually mixed with U238. The greenies and their lackeys from CDU to SPD disabled the Uranium based power generation without organizing a methane replacement.

You point was ?

Compared to Boeing

At least they did not kill 250 people.

Server Load

Shifting load from client to server is probably in many cases advantageous, as the server computers are shared between the entire user population. Sharing will drive up utlilization rates on this server CPU+RAM.

Running an app on the client side means the clients must be powerful, but the client hardware will be unused more often than used.

From a national economic point of view, this means that much more expensive (read: consumed loads of energy+CO2 to produce) semiconductors must be produced.

And The Consequences Are ?

1.) Don't recycle cars as early. Spend more effort and money into repairing old cars. Do we really need the chrome blink as much as we think ? This maintains very good jobs in every local economy.

2.) Boneheaded Auto Managers should use their brains and dont shut down their demand of components totally. This would signal the components/chips/resistor/etc producers that this business is real. If there is not enough money in a crisis, go to national leaders and demand special credit for this purpose from banks like KFW.

3.) The enormous monetary expansion we had in the last 15 years will create "shortages" at the "current" price points. Who would have thunken that ?

4.) Instead of throwing more CPUs and more RAM at any problem, maybe we developers should aim for better algorithms and generally more efficient approaches. Ditch PHP, use Sappeur, Rust. https://sappeur.ddnss.de

5.) Due to monetary expansion, raw materials such as sand for concrete is running out. Yes, sand running out. Maybe we should not expand money at that breakneck speed ?

6.) When fuel is getting short/expensive (as it has been in the last months), maybe we should all take local vacations instead of a flight to Mallorca or Florida ? Airbus and Boeing are going to hate this idea, but these corporations are there to serve the public and not the other way around. Maybe they also should do more repairs than crazy production numbers.

7.) In general, a well-managed money system will handle any shortage. People will become very creative when something (say a CPU) increases in its price tenfold. Then they will tell the engineer to use a more efficient programming language (see 4.)

Re: The People ARE The System.

Given the 787 battery debacle (which was a near miss to hundreds of passengers killed), it seems the FAA and EASA is a bunch of useless whimps. Somebody should have walked straight into jail.

Re: In Case of MCAS: Logical Reasoning, Calculus

I come from the auto side of things and we cannot have large numbers of sensors, if anyhow possible.

So, two sensors are mostly OK:

[numbers guessed]

Rate of failure of one AA sensor: 1/100 000 [1/flight-hours]

Rate of failure of two AA sensors at same time : 1/100 000 * 1/100 000 = 1E-10 [1/flight-hours]

That 1E-10 is already a very "good" number.

Now, the really interesting number is

"Rate of double AA sensor failure with identical reading" = (rationally thinking, guessing) = 1E-13 [1/flight-hours]

That is prolly already small enough to be an acceptable risk according to methods such as (A)SIL or DO178.

This is how the auto folks think and it seems it is a quite reliable method.

No

They already had two sensors and two computers. Only SOFTWARE was missing to check both sensors against each other. Disable MCAS in case of implausible reading. And another little piece of SW to display the malfunction to the pilot.

What this means is that entire coporations can come into a state of deep dysfunction, due to corporate psychological failure aka. GroupThink.

There was no money to save from hardware and there prolly was not enough balls in the engineering side of the corporation.

In Case of MCAS: Logical Reasoning, Calculus

Depending on a single sensor (or any other component) to make the potentially life-threating decision to steer the aircraft into ground direction, is a rookie mistake. There exist well-established methods of statistical analysis down to the level of single components such as a resistor, to calculate the total failure rate of a system. There also exist threshholds about total failure rates. E.g. see the "SIL" approach.

Single components, and especially exposed sensors will fail. Think of bird strikes, debris blown over the runway, cables corroding etc.

This type of problem must be caught by functional safety engineers.

It would also have helped to perform simulations with a faulty sensor, but that requires the intution that the sensor WILL fail, too.

The fix is also quite obvious: have a second sensor to check the first one and disable the system if sensor readings dont match. Signal problem to pilot or another strategy to work around the failure mode.

FALSE

In the IBM Cloud you can also rent x86 and Power machines.

Power still seems to be a highly competitive CPU architecture in terms of raw performance and they still invest in it.

Smart customers will not put all their eggs into the Amazon basket, but have multiple service providers. Then they cannot be blackmailed by one vendor.

Apple ARM Performance

Apple has thrown their huge money and manpower behind ARM and have created the world's fastest (publicly know) CPU. ARM was slow in the past because it came from the phone world, where you can waste so much Joules as in the data center or the always power connected PC world.

Automotive MCUs

The auto world already uses plenty of different instruction sets: Power, ARM, Aurix, STM 16 bit, japanese Hitachi-PDP11 (no joking), japanese Mitsubish and probably 25 other instruction sets. It looks like the japanese now switch to ARM and use these controllers also in cameras, TVs etc.

That is possible, because automotive control units are custom-developed from pcb to housing to connectors to software. There is now some standardization from the AUTOSAR operating system, which is typically delivered in source by Vector Informatik. Modern auto software is fully done in C and is (to 99,99% of code) only a recompile away from a new mikrocontroller, if Vector Informatik has ported the OS to this MCU. Drivers are a different story, of course as they must fit to the MCU registers.

The control unit developer company must then demonstrate that the unit will meet all requirements defined by the auto company for the unit (including timing requirements). Unit and software testing should be done on the new controller to see that the compiler and the processor dont have funny behaviour. There is no additional effort for a new instruction set to perform this. Rather, the big effort is to define, create and debug all of these test cases.

In the IT sphere, a properly developed C++, Rust or Sappeur program will simply rebuild and run nicely on any major POSIX platfrom and CPU. If not, it is almost always due to a hidden bug. I have done this with great success from SPARC to ARM to ELBRUS:

http://sappeur.ddnss.de/

http://gauss.ddnss.de/

For example, the ELRBUS instruction set is a secret, but there exists a nice tcc C++ compiler. I never bothered to look at the generated binary code, it just runs quite nicely at approx RPI speed.

Re: 80-100 per cent faster than what you can do with static compilation

That was exactly the original posters point.

Diversion

You are saying we can forget the high-grade security risks because there are plenty of incompetent people around ?

On page 3 of this you can find why this is a very weak argument. The weapons-grade actors will use exactly such weaknesses to flatten entire corporations, complete with dedicated, full time IT security staff.

MTAs, Email programs, EDI systems, web servers, TCP/IP stacks - they are exposed to ALL bad guys of the planet. As soon as they have a foot inside your intranet, all the funny service ports of your PCs (of services mostly running inside the kernel) will be exposed too. And all the half baked database listener processes.

Plus

You can always perform an assembly code review of the most critical subroutines (e.g. those that are ASIL-D) and thereby gain confidence in the correctness of the compiler.

Embedded developers do indeed look at generated assembly code very often.

Re: Standardization?

The optimizing C compilers used in automotive, medical, aerospace and rail are being "qualified" for use by large test code batteries and essentially "old age" and "widespread use with small problems".

There have been cases of compiler and MCU bugs, because the approach above is NOT mathematical correctness proof.

The same can soon be said about the Rust compiler.

Also, functional safety requires very extensive test efforts including unit tests for each subroutine, which would most likely expose compiler bugs.

In the end, there is no absolute safety, but only a "best effort, according to state of the art".

Re: Is it just me ?

1.) Nobody forces you to use Rust.

2.) Cyber Security (more precisely: a lack of) is a very real problem. Memory safe languages are an important security measure. See presentation

3.) As stated in the presentation above "Other measures such as proper scanners, parsers and strict input validation are still required"

Re: earlier statements from Microsoft

They have grown smarter by now.

Non Trivial C programs

..do indeed have exploitable memory bugs. That is what the CVE database tells us.

Multithreaded Memory Safety in Rust, Sappeur and Go

1.) Sappeur and Rust will force the software engineer to think about thread-shared data at compile time. Go does nothing of the like.

2.) Go assures the integrity of the heap, just like Sappeur and Rust do. C++ does not.

3.) You can have nasty data races in Go at a low level. For example, you can create a global counter and attempt to update it from many threads. Result will be undefined. With Sappeur, you will get the accurate value, because the compiler forces you to create a "multithreaded" class* for the counter.

4.) Go will typically consume 2x the RAM of an equivalent C++, Sappeur or Rust program, assuming something now trivial which performs heap allocations in a loop.

*each method of such a calls is protected by mutexes

No

The main reason for the creation of Sappeur and Rust was to eliminate the nasty bugs which come from a lack of memory safety. Also in multithreaded programs.

As cyber crime/war is now a very real thing, memory safety is an additional, very valuable security measure.

Alternative Clouds

Hetzner

OVH

1und1

Scaleway (Apple M1 !)

Oracle (x86, ARM, SPARC)

siteox (AIX, HPUX, Solaris)

IBM

Microsoft

Just to name a few. User should not shackle themselves to one corporation.