It's cool that this framework is getting some attention. In our college senior design project, we built a small prototype using this framework during a trade study. We got a few small UI fixes pushed upstream to the main repo. Our team even got to meet up with the maintainers for a few days as they were showing off the framework. It was one of the most interesting and unique software projects I've worked on.
The framework itself is portable allowing for code sharing across multiple missions and hardware setups. According to the devs, in the space industry, software is so mission specific and intertwined that it's rarely reused. FPrime's "modules" create hard barriers between sections of the program, something I have mixed feelings about. Finally the "module" system allows for a very easy to use concurrency model, which I think is one of the strengths of the framework. (Though, take these words with a grain of salt as I was and still am wildly underqualified in the domain of embedded systems)
What do you think of the current equivalent software for satellites? NASA have a few options, there’s KubOS, and I’m sure there might be more I haven’t heard about. I’d love some insights and options from someone working on similarly “mission critical” software frameworks.
Disclaimer: I am an intern who recently joined the team
F' is actually quite older than all those systems. Several generations of scientists and engineers have worked on it and the code's current form is a result of countless iterations on generations of software. One interesting tidbit I caught recently was how programs generated using cFS acted up in the magnetic field on Mars due to the bit patters of the instructions in the final compiled executable. F' fixed that.
ROS stands for Robotic Operating System. It is a framework of different tools such as an abstraction layer, libraries, and a package manager that makes it easier to program/interface with different robotic systems/components. It basically simplifies a lot of work that you would be doing on your own. While it is extremely useful, it also has some flaws. For example, it is bloated, can be tricky to configure, and can be sometimes difficult in making it do what you want it to.
It's an absolute mess of a software, to get running and if you're not paying attention you'll install 15+GB of packages you won't need.
I've helped some friends with c++ assignments during college and with ROS they had to have dozens of terminal windows open running some command just to get things working.
It's a shame that ROS is getting this sort of reputation. It has it's merits, and is used by most robotics applications I have seen.
It is akin to the python ecosystem, where there is A LOT of good software and packages out there, but there is also A LOT of garbage out there.
The community is nice and supportive, and the framework has really matured recently, with ROS1 being "complete" and ROS2 getting off the ground with a lot of mature features like DDS
If they were planning to open-source this all along, I'm curious if Ardupilot [1] would have worked for this. The Ardupilot flight stack is quite mature for Earth-based aircraft, I suppose they could make it work for Mars with a few modifications.
But they don't really need 90% of the stuff in Ardupilot - driver support for a myriad of sensors and other peripherals, MAVLink protocol, OSD, RC control... All they need is the PID loop and ESC/motor control, and they are using a hardened CPU for that, so the low level interface has to be rewritten. And the visual navigation stuff that's running on Snapdragon doesn't exist in Ardupilot anyway..
Keep in mind that for this kind of project you want static analysis and formal verification (model checking for example) rather than just day-to-day safety features.
I.e. the Rust this, Rust that spam is a little naive to the task at hand, even though it would be a step up from C
NASA even has their own sound static analyzer for memory safety. If you use something like that, and depending on the context, there isn't even necessarily a memory safety advantage to using Rust over C or C++.
It was my understanding that when formal methods were used, they were used on very small subsets of code and not used in general. I do wonder about TLA+ and would love to hear more about how they use such tools.
I know I've seen an older document that specifically prohibited use of malloc that the risk was too great. Is that still the case?
Formal methods are indeed hard. They generally thrive on hardware, software is a wholly different kettle of fish in terms of the size of the problem (the actual methods are often similar, but hardware design generally encourages certain patterns that are easier to analyse)
I'm not related to this project or aerospace, so I can't divine more knowledge than anyone else, although I have seen many coding standards that forbid malloc after some critical time (e.g. no dynamic memory allocation after the plane is off the ground)
The problem is not the language, the problem are unbounded loops. Like linked lists vs vectors. Termination is theoretically impossible to prove, but practically you can handle it.
Parts of the STL were formally verified. cprover (with satabs and cbmc) can handle C, C++ or Java.
F' uses autogenerated classes, which helps a lot avoiding mistakes.
Case in point, while it is nice that Microsoft is now playing with Rust, it is quite far away from offering this to Windows developers, https://microsoft.github.io/microsoft-ui-xaml
Advocacy should always be tempered with a bit of hard reality check, otherwise one just ends up scaring possible adopters away.
Yes, but C is one of the languages with the very low amounts of inherent safety. So using a language/tooling that will be offering stricter possibilities of validations of behaviour/more safeguards against unsafe behaviour would likely catch a lot more bugs earlier when they are easier and cheaper to fix.
Probably once people have decades of experience with it and know every single trap or quirk perfectly.
Rust almost certainly could do the job now but stakes are so high no one would take that risk when its proven that C can do it and with enough auditing and conservatism, it can be done pretty safely.
I don't think the barrier is _people_ knowing the traps, as people are always fallible and any system relying on them knowing the "traps and quirks" is fundamentally pointless. I do think the barrier is, rather, _tools_ knowing the traps. Most systems in this class, FPrime included, rely extensively on code generation and model-to-code auditing, which, while usually not formally proven (unfortunately), is battle-tested.
Now, these sorts of systems should actually be _easier_, in the long-term, to build in Rust, since the type system can enable a class of proof which simply was not historically possible, but for the time being, the tooling doesn't exist yet.
I think the "safety" of "familiarity" vs pushing the envelope of what we can do technically are different things. We used to build brand new computers and operating systems from scratch specifically for these types of things.
The risks are indeed high for managerial staff. I worked at a large quasi-government place. "you won't ever get fired for using Microsoft, Oracle, etc" was a tagline we heard often in non-critical systems, so I imagine there would need to be some major technical reason to switch.
> Probably once people have decades of experience with it and know every single trap or quirk perfectly.
people were writing mission-critical C++ when C++ was new / only a few years old; with this in mind, rust is probably good to go with sufficient application/system testing
that said, since C++ & associated tooling exists, there is more of an opportunity cost since, in the context of today, there are more alternatives that could be considered
I think this is spot on. The tooling is there for C++, but human mistakes are much more prevalent, and the discipline to apply the tooling is not a given.
There should be an industry push for certified Rust tooling, it would save the aerospace and auto industry billions. Or you could use the unsexy but also very good ADA 2012, which is already certified.
iirc, SPARK has proof capabilities that outstrip the memory-safety guarantees of Rust. basically design by contract, where you can check loop invariants and statically verify complex preconditions and postconditions.
I suppose the workflow would be to flesh out and check the abstract design in something like Coq or (maybe) TLAPS, generate a refinement into the SPARK code contracts, then implement the functions. Since the toolchains are verified there shouldn't be much surface area for bugs left.
Iterator invalidation is a kind of use-after-free.
Mutating aliased objects is, of course, usually the desired outcome and not a bug. It becomes a bug when your program's concurrency logic is not thought through, and there are no easy solutions here.
The framework itself is portable allowing for code sharing across multiple missions and hardware setups. According to the devs, in the space industry, software is so mission specific and intertwined that it's rarely reused. FPrime's "modules" create hard barriers between sections of the program, something I have mixed feelings about. Finally the "module" system allows for a very easy to use concurrency model, which I think is one of the strengths of the framework. (Though, take these words with a grain of salt as I was and still am wildly underqualified in the domain of embedded systems)