Ada and SPARK enter the automotive ISO-26262 market with Nvidia
98 comments
·June 4, 2025atlgator
Wow. I developed in Ada in aerospace 17 years ago. I thought the industry would move toward Rust.
pjmlp
5 years ago NVidia did not consider Rust mature enough for their use cases.
This is the original announcement from 2020,
"SPARK/Ada Journey to Adoption"
https://youtu.be/DZSSyWlsb28?si=vh4gO-LT2N3Skaql
Also we are now on Ada 202x already, quite different from Ada83, that some Rust folks keep comparing their favourite language with.
You get all the niceties of a language more in line with Object Pascal productivity, formal proofs, a RAII approach safer than C++ (controlled types, automatic stack types, unbound collection types), industry baremetal profiles like Ravenscar, and the recent versions are in the process of having affine types as well (aka borrow checker).
DoingIsLearning
> industry baremetal profiles like Ravenscar
I understand the value proposition of Formal Verification with Spark.
But for me the killer features with Ada, thinking specifically of embedded systems is:
- The expressiveness you gain with Ada's Type System
- The Ravenscar profile (very impressive work from a small group of folks in the IRTAW group)
whytevuhuni
I don't know Ada / SPARK, and I've been trying to figure this out. Based on the hallucinations I got from ChatGPT, it seems Ada itself is nowhere near as powerful as Rust in safety, while Ada with SPARK disallows some things I was considering to be quite basic, such as shared aliasing of data.
For example, it seems it's not possible to get a sub-string slice reference to an original unbounded string. In rust, a &str -> &str signature is trivial.
So it seems Ada still relies on discipline, while SPARK does not have the zero-cost abstractions that C++ and Rust have.
If that's true (is it?), then I'd definitely choose C++/Rust over Ada any time, since performance is very important to me.
micronian2
A few days ago, I had ChatGPT compare Rust and Ada. It tended to penalize Ada for its runtime checks and access values (aka pointers). However, ChatGPT didn't account for the fact that many of Ada's runtime checks would need to be manually implemented by developers in other languages. An Ada compiler, can often optimizes these checks away, knowing where they're genuinely needed and where they can be removed. This often explains why speed comparisons between C and Ada code can be misleading, as they rarely factor in the extra manual effort required to make C code equivalently robust with necessary safety checks.
Regarding access values, I listed out some of Ada's various restrictions. Its scope rules prevent referencing objects at deeper levels, objects must be explicitly marked aliased to create an access value to them, and there's far less need for access values (for instance, no pointers are needed to pass parameters by reference). Additionally, Ada offers the ability to dynamically size some objects and reclaim their memory without explicit memory allocation.
After I highlighted these details, ChatGPT admitted it had unfairly evaluated Ada, concluding it's a very safe and robust language, albeit using different techniques than Rust.
Agingcoder
Both Ada and spark have zero costs abstractions, they’re designed to run on embedded platforms.
Spark is a different use case from rust - it’s a full prover, and the goal is formal verification, typically in contexts where human life is at stake ( say, you’re writing software for an artificial heart , to take an extreme example ). This comes at the cost of being less flexible, but they’ve been slowly evolving spark so that it can handle increasingly complex cases .
pjmlp
Less ChatGPT and more language reference manuals, ChatGPT isn't an ancient oracle knows it all, even though Microsoft's marketing sells it as such.
Ada has as much zero cost abstractions as C++ and Rust have, and one of the reasons of Ravenscar is even what to turn off for bare metal deployments, and real time OS deployments.
shakna
I don't think a single point there is true.
Ada has had shared aliases since 1995. Its had zero cost abstractions since before then.
Slicing memory from a string is in the intro manual, for example.
my_var(2 .. 6)
[0] https://blog.adacore.com/memory-safety-in-ada-and-spark-thro...
anthk
FFS, ChatGPT doesn't even has a clue on what is talking about.
cashsterling
Yeah... my intro CS class was in C and Ada95 (I'm not a CS guy btw, just took the class). I actually preferred Ada over C... but continued to program in C for other classes because of compiler availability; I had to do all my Ada programming on Sparc workstations at school.
I personally think that AdaCore, and friends, missed an opportunity in the early 2000's to fully embrace open source... they left a big gap which Rust has filled nicely.
I still think Ada is a great programming language. When a question comes up along the lines of: "what's the best programming language nobody's heard of?", or "what's the best programming language that is under used?" Ada is usually my first answer. I think other good answers include F#, <insert LISP flavor>, Odin, Prolog, Haxe, and Futhark (if you're into that sort of thing).
steveklabnik
Rust is also making inroads, probably the most famous example is there’s two models of Volvo shipping today that rely on it.
smokel
Ferrocene [1] apparently offers an ISO-26262 certified version of Rust. I am thoroughly confused about these certification processes, but it also seems that AdaCore itself [2] has adapted the Rust compiler to be certified as well.
[2] https://www.adacore.com/press/adacore-announces-the-first-qu...
AlotOfReading
Certification roughly means "we have a pile of paperwork to help convince auditors that you followed a reasonable process".
pfdietz
Are auto companies going with error correction in memory? I'm thinking of the Toyota unintended acceleration problem.
https://www.slideshare.net/slideshow/toyota-unintended-accel...
qznc
ECC RAM is normal for safety-critical stuff. Hard to argue for ISO26262 compliance without.
marze
Wasn't a correlation with elderly drivers and the unintended accretion found in the Toyota cases?
f1shy
Just because they could not handle it. It happened to many people, young people hndled that better.
pfdietz
How about a difference between Toyotas and non-Toyotas? It's not like elderly drivers are unique to Toyotas.
Also, unintended acceleration seems to have gone away. The control hardware has been changed; driver age, not so much.
marze
References?
nickpsecurity
It happened to me. I sure wasn't elderly. The only thing that stopped a crash was shifting into neutral and hitting the brakes.
Then, I was sitting there with the engine revving loudly for no reason. Car behind me started backing up. I decided to just shut it off and turn it back on. It went away.
Scary stuff. Especially since I had no idea why it happened.
null
FirmwareBurner
But why? The US military abandoned Ada for the F-35 and moved to C++ instead. Is it me or are they moving backwards?
seabird
Everything I've heard about it was that it was pressure from contractors because they didn't like training or finding Ada talent.
I get that there's more tools for C++ but first class formal verification support and a language that's generally designed to save you from yourself seems like something you would stand your ground on. Ada is supremely good at killing people and/or keeping them un-killed, there's a reason you still see it kicking around in defense and aerospace despite the common perception that it's a bygone relic.
zoom6628
THIS.
I knew someone a while back who worked on Patriot missile software. It was Ada. And Patriot still a formidable weapon.
FirmwareBurner
You mean the Patriot that ended up getting 28 people killed due to a SW bug?[1] That Patriot?
Let me repeat myself again, Ada won't save you from human bugs. If you hire bad programmers or have bad dev and test practices, there's no magic programming language that will save you from your calculation and logic mistakes. You can code in raw machine code like you're 1960's NASA, and still have less bugs than a clueless vibe coder in Ada/Rust/etc. if you know what you're doing and have the right test and verification processes.
[1] https://www.cs.unc.edu/~smp/COMP205/LECTURES/ERROR/lec23/nod...
FirmwareBurner
>Everything I've heard about it was that it was pressure from contractors because they didn't like training or finding Ada talent.
Do you think the auto industry will have a easier time finding Ada talent at their pay rates? Or that talent will want to specialize into Ada just to pigeonhole themselves into the Automotive jobs market?
seabird
I'm near Detroit which has a huge amount of auto industry, and engineering pay is good across pretty much all disciplines. It'll pay for a happy life and then some as long as relentless title climbing and job hopping isn't your definition of happiness.
Ada is not some exotic thing that requites SF comp. If it's such a major adjustment coming from C/C++ that it's actually causing you trouble, you have other problems.
It's comical bringing up the automotive industry considering that its responsible for AUTOSAR, which is simultaneously widely hated by engineers and completely useless outside the industry.
cmrdporcupine
As a Rust + C++ developer (in medical right now, and vehicle before that) I see no reason why I couldn't also pick up Ada as one of many skill sets. I have an Ada95 manual on my bookshelf from years ago that I bought out of curiosity -- frankly for senior level talent the language syntax is the easiest thing to pick up it's the intricacies of an existing code base and business domain that is the hard part of joining a new project and that is generally language independent.
Arguably picking up Rust -- with its frankly exotic value passing and ownership semantics -- is much harder than learning Ada.
johnnyjeans
you mean the plane plagued with software development issues[1][2]? even ignoring the obnoxious yellow journalism, i'm not sure it's a shining beacon of best practices. or that replacing one ancient language with an even more ancient language is "moving forwards."
particularly when the language you're replacing was explicitly designed for your domain, and the language you're replacing it with is an entropic event horizon from which no coherent thoughtform can escape.
[1] - https://www.dote.osd.mil/Portals/97/pub/reports/FY2024/other...
nabla9
It was not for technical reasons. They needed more programmers and C++ had larger user base.
Ada is technically better choice.
CivBase
It has more to do with tooling than programmers. C++ is used everywhere so there are many commercial tools to support it. Not so much for Ada.
Ada's developmemt tools are fewer, less featued, and more costly due to low demand.
pjmlp
There are 7 compiler vendors still in business, if anything Ada's domain is one of the fews where paying for tools one needs to do their job is still a thing, like in most professions.
johnisgood
> Ada's developmemt tools are fewer, less featued
Such as?
bb88
SPARK formal verification is a big win. Ada is also simpler than C++.
However, the tooling for Ada was never as good as C++ tooling.
firesteelrain
GNAT, AUnit, VectorCAST are all good. AUnit isn’t compatible with Ada 95 though
pjmlp
Ever wondered why F-35 is so famous for software bugs, including in-flight reboot from avionics?
fransje26
Since Lockheed struck a deal with the government allowing them to no longer communicate the number of issues encountered on the F-35 program, news reports have only been writing about how it has been the best thing since sliced bread. (Save for the mishaps happening from time to time..)
Which is entertaining, because until that point (2021, if memory serves?) it was encountering an ever increasing number of critical issues needing resolving, a double dozen of which would be lethal to the pilot flying. The backlog stood at 800+ issues at the time.
Some of the software issues were so serious that they were considered beyond salvageable at the time, despite having already gone through a full re-write from scratch cycle..
FirmwareBurner
Are those bugs because of C++, or because of bad programing skills and practices? No programming language can save you from bugs if you hire people who don't know what they're doing. I used to work in automotive when a lot of the critical safety SW was only assembly and the end product didn't have any critical bugs.
Maybe Lockheed just has shitty programmers who don't know what they're doing because the US defense industry is incompetent and the US SW jobs market top heavy where talent who does know how to use C++ right goes to big-tech and not on-site at some defense contractor? To me that's not the fault of C++.
tialaramex
Not all programming languages are equal when it comes to the skill needed to deliver correct software. Since a large project necessarily can expect only to bring merely ordinary skill to the problem if that's not enough they're in trouble, even if superlative skill would have succeeded that's not what they have.
C++ iterators are a big example of this problem. In the most skilled hands these are a very powerful technology, excellent performance yet tremendous flexibility - but they have a lot of footguns. So do you choose to accept the high defect rates when your ordinary programmers shoot themselves in the foot, or do you neuter this powerful technique to reduce those defects but suffer significant performance problems ?
cmrdporcupine
The C++ job market is full of two kinds of developers.
Mediocre talent that struggles with the language and continually make use after free bugs.
And elitist arrogant developers in love with the language, skilled in its use, who continually make use after free bugs.
anthk
C with underfined behaviours it's far worse than a proved embedded Forth. At least you will know how it will behave with the stack/dictionary and so on.
gneuromante
It was the US military who moved backwards.
firesteelrain
Language selection is no panacea for bad systems engineering or poor project management
anthk
It helps on security and correctness. Either you are a Forth like guy/gal stating how a firmware will work at every level (low, med, high, every one), cutting down every flaw by getting it as small and predictable as possible (even by ditching floats for rationals and decimal scaling), or a high level Lisp/CL/Java/C# guy with a garbage collector and some memory safety. And Java/C# and some Lisps aren't nowhere as strict on that as ADA.
firesteelrain
I have worked on safety crucial systems and applications that interact with safety critical systems in a non safety critical language. Each time it never had anything to do with the language and everything to do with systems engineering and project management. The projects that were successful had excellent systems engineering and project management. Language choice was never a factor.
Ada/SPARK root of trust anchors Nvidia GPU market segmentation licensing, 50% profit margin and $3T market cap.
"Nvidia Security Team: “What if we just stopped using C?”, 170 comments (2022), https://news.ycombinator.com/item?id=42998383