SPARK is a formally defined computer programming language based on the Ada programming language,
intended for the development of high integrity software used in systems where predictable and
highly reliable operation is essential. It facilitates the development of applications that demand
safety, security, or business integrity.
It sounds like a good decision though. Formal verification tends to make more sense in highly concurrent situations where there is a high-value stable API to be supported. That describes graphics cards and surrounding environments really well so it makes sense that Nvidia would find use cases.
Something more from the article is also that they made the decision with a pilot project that went well. It'd be nice to have more details about it; that sort of thing is important to do well and always interesting. Lo and behold, we do have more details about it! https://blog.adacore.com/when-formal-verification-with-spark... - there is a video in there that looks to be worth a watch.
It's largely untouched over the last 10-years.
https://github.com/AdaCore/spark2014
For those not aware, SPARK gives even more safeguards/guarantees than Rust (see below) ... and also does it at compile time (when not all of Rust safeguards are at compile time).
https://blog.adacore.com/should-i-choose-ada-spark-or-rust-o...
https://github.com/AdaCore/RecordFlux/issues/955
https://learn.adacore.com/search.html?q=wavefront&check_keyw... (nada)
https://docs.adacore.com/spark2014-docs/html/ug/search.html?... (nada)
https://github.com/AdaCore/spark2014/issues?q=wavefront%20 (nada)
https://www.nvidia.com/en-us/deep-learning-ai/solutions/data...
Seems like a great example of LLMs getting confused by language and lacking any actual understanding, although I haven't yet looked into this particular case.
I'm not even talking about major revisions to the grammar. I'm saying fork the lexer to accept a different set of terminals, and leave the nonterminals alone.
Is this stupid and unreasonable and should programmers just get over themselves and use a language on the strength of its merits instead of being turned off by surface-level stuff? Yeah, it is, and yeah, they should. But people are fickle.
1. <https://blog.adacore.com/a-modern-syntax-for-ada>
I haven't played with it yet but just from reading the documentation i really like this approach since you need learn only one language/toolchain for both formal specification/verification and implementation. But by giving one the flexibility to generate code to various mainstream languages you can slowly add verified code module by module to existing codebases.
> Kramer: "Yeah, well, I could do it. I don't wanna do it."
> Jerry: "We didn't bet if you wanted to do it. We bet on if it would be done."
> Kramer: "And― and it could be done."
> Jerry: "Well of course it COULD be done. Anything COULD be done. But it's only is done if it's done! Show me the levels! The bet is the levels!"
> Kramer: "I don't want the levels!"
> Jerry: "That's the bet!"
Adding explicit non-const to g++ would be so, so easy. But pointless.
Unfortunately C's lack of bounds checking made it very easy to create buffer overflows, which turned out to be a huge problem.
Ada doubled down on memory safety, which turned out to be a very good idea, especially if it can be combined with concurrency safety, formal checking (as with SPARK), etc.
Fortunately clang/llvm seem to be making some progress on memory safety; hopefully features like -fbounds-safety [1] will eventually bring C (and maybe C++) solidly into the 1980s.
[1] https://clang.llvm.org/docs/BoundsSafetyAdoptionGuide.html
IMO the realistic path towards formal verification is AI proof assistants that automate the tedious parts instead of forcing you to write your code in a weird way that's easier to prove
But AI code generation for formally verifiable programs? And to assist in writing custom domain-specific verifiers? Now that's the sweet spot. The programming languages of the future, and the metaprogramming libraries on top of them, will look really, really cool.
I might consider AI if it utilised SPARKs gnat prove but I wouldn't usw AI otherwise.
At least that's what it should mean. It's not clear if that's going to happen.
I don’t really use AI tools, but in the past few weeks I’ve tried it with Rust and while it had problems, borrow checking errors were never part of them.
I fully agree that LLMs don’t “understand,” but people also really oversell the amount of thinking needed to satisfy borrowing in a lot of cases.
For verifiable domains, this really is the sweet spot.
An annoying aspect of verification-in-practice is that it is just really bulky—there's a lot to type in, and it's tedious.
LLMs, especially the latest crop of weak-reasoning models, are great for this.
Only after telling it that I tested the code and that it works did it somewhat accept that the solution worked.
I think a deterministic, unambiguous process is a lot more valuable for formal verification.
[0] https://chatgpt.com/share/67aefb63-f60c-8002-bfc6-c7c45b4520...
In my experience, if I ask it to do web things in PHP or Java, data things in Python, ... it gives a good enough result. If I ask it a postgis question, I get an answer with hallucinated APIs, bugs, and something that doesn't even do what I want if it works.
I suspect the ADA/Spark world and the formal verification world are to small to decently train the AI.
Or to phrase it another way, there must examples of the technique that you want to "generate" in the training set otherwise the horrifically overfitted model cannot work.
Probably a little bit too cynical but this is my experience asking LLMs "unusual" questions.
I tried asking a LLM for a full code snippet for the first time yesterday (i've been using them as search engines better than google, which isn't saying much, before).
It produced code that compiled but failed to do anything because the 3rd api call it generated returned an error instead of doing what the LLM said it would do.
Didn't spend time on seeing what was wrong because we already had a library that did the same thing; I was more testing what the LLM can do.
Is this true? There should always be a QA process and you should always carefully review when committing. The writing process doesn't influence that unless you're automating whole swaths you don't understand during reviews.
https://www.slideshare.net/slideshow/securing-the-future-of-...
I am rather skeptical of AI in this context. Until you have verifiably correct AI assistants, you still need a highly skilled human in the loop to catch subtle errors in the proofs or the whole result is moot anyway.
And there _are_ tools out there capable of verifying C code, but for a greenfield project implementation/verification in a higher-level, formal language + verified compilation might make more sense.
Their linked case study lists three examples and one category, https://www.adacore.com/uploads/techPapers/222559-adacore-nv...
- image authentication and integrity checks for the overall GPU firmware image
- BootROM and secure monitor firmware
- formally verified components of an isolation kernel for an embedded operating system
- In general, their targets tend to be smaller code bases that would benefit the most from SPARK’s strong typing, absence of runtime errors, and in some cases, rigorous formal verification of functional properties
> NVRISCV is NVIDIA’s implementation of the RISC-V ISA and Peregrine subsystem includes NVRISCV and multiple peripherals. They show how fine-grain access controls, formally verified for correctness, allow following the principle of least privilege for each partition. NVRISCV provides secure boot that starts with an immutable HW, the chain of trust extends to the Secure Monitor in SW, where partition policies are set up and isolation enforced using HW controls.. Boot and Secure Monitor software is implemented in SPARK.
That's the same paradigm as outsourcing development at some cheap place and doing acceptance tests against the result. It saves money but that's not how you'd build an airplane for instance...
Unless you want it going boing boing boeing.
Haha what?
What are you comparing this to?
Then there's like everything libraries wise and CUDA is all C/C++ if I'm not mistaken. In every large project I'm sure you're eventually going to find some exploit attack vector. Especially if the focus from what I believe for GPU/CUDA until recently wasn't mostly focused on security rather than performance and those are always trade-offs.
This is a marketing case study by the major Ada tools and training vendor, on years of engineering work done by their customer, Nvidia. It includes quotes from Nvidia employees and their blog references a Defcon video by the head of the Nvidia Offensive Security team, https://www.adacore.com/uploads/techPapers/222559-adacore-nv...
Principal Software Engineer
Manager, GPU Firmware Security
Senior Manager, GPU Software Security
VP, Software Security
At the conclusion of their initial POC at the end of 2018, NVIDIA had five developers trained in SPARK. By the second quarter of 2022, that number had grown to over fifty.. Several NVIDIA teams are now using SPARK for a wide range of applications that include image authentication and integrity checks for the overall GPU firmware image, BootROM and secure monitor firmware, and formally verified components of an isolation kernel for an embedded operating system.The syntax is really a red-herring especially when you get contracts, proof of absence of runtime errors and higher-lever functional proof, mostly automated, or assisted with annotations. If you're actually going with this effort, the lack of curly braces, ampersands shouldn't be a main concern.
(And this seems pretty general; you'd have to do roughly the same thing to mix C/Rust, C/Pascal, Rust/Python, ...)
There are a few languages that interop with C++ at a deeper level, essentially building a small part of a C++ compiler into their runtime. But they're relatively obscure - Clasp, an implementation of Common Lisp, is probably the only one that can really take an arbitrary C++ object (say, an std::vector<std::list<int>>) as an input to a Common Lisp function and work with it.
The other approach is to compile to C++ source.
D is an exception - D supports C++ (I'm not sure how or how well, but they at least have some C++ ABI constructors). there are others (some languages running on the JVM usually work with java not C)
Interop between C and classic 3rd generation languages such as Fortran, Pascal, Basic, COBOL, Algol, PL/I, tends to not be that hard [0] – because their feature set is at roughly the same level as C's: just functions/procedures without polymorphism or inheritance, relatively simple (non-OO) data types, etc.
Whereas, C++/Go/Rust/Swift/Ada/etc all add lots of complex features on top, and it is when you use all those complex features, interop with C and classic 3GLs gets harder. Sometimes you can define a subset which omits many of those more complex features and makes interop easier, but then you lose out on the benefits those features bring
[0] one complexity, is for historical reasons, sometimes these languages use different calling conventions than C – but on platforms on which that is an issue, it isn't uncommon for C compilers to support those additional calling conventions as an extension, and newer implementations of those languages for newer platforms are generally converging to C's calling conventions. Another is that some of these languages have data types for which C lacks native support – e.g. many COBOL implementations feature BCD arithmetic – but it is easy to write a routine in C to convert BCD to binary and back.
The other funny thing I noticed is the formal verification just means the program implements the standard - it doesn't mean the standard doesn't have security holes! And sometimes the security holes are implementation-specific, like timing attacks, which can require weird low-level tricks to solve.
I was looking for the x86-specific rant, and did not find it. You'd think that team would have had something to say about architecture complexity.
Why do syntax differences bug you? I could understand most concerns about switching ecosystems, but surely the difference between e.g. C++ and Java and JavaScript are orders of magnitude larger than that between C++ and Ada. Syntax is the smallest piece of it all, as far as I'm concerned.
> Then there's like everything libraries wise and CUDA is all C/C++ if I'm not mistaken.
Ada has excellent C interop.
> What exactly is the threat model here
It probably varies by product, but one commercial possibility is protection of price premiums, e.g. enforce feature segmentation for different products or customers, while using common silicon. NVIDIA operating margin reached 50%, unusually high for a hardware company, https://www.macrotrends.net/stocks/charts/NVDA/nvidia/operat.... AMD margin is below 20%.
2021, https://www.youtube.com/watch?v=l7i1kfHvWNI
2024, https://static.sched.com/hosted_files/riscvsummit2024/fe/Key...
~1 Billion RISC-V cores shipping in 2024 NVIDIA chips
Unified embedded HW and SW across all NVIDIA products
• Eliminates replication in basic primitives (isolation, crypto etc.)
• Maximizes SW/HW leverage across NVIDIA
Configuration: pay only for what is needed
Custom extensions: additional functionality, security, and performance
Our HW and SW architecture enable differentiation
> don't really perceive much of a security imperative for NVIDIA
When countries start budgeting hundreds of billions of dollars for national investment in LLM-based AI based on GPUs, they may introduce new security requirements for the underlying infrastructure.
To be honest, it still bothers me an awful GPU mailbox design is still the cutting-edge tech for modern computing. GPU rootkits are already a thing... Best of luck =3
If you've got malicious code in your GPU, shut it off wait a few seconds, turn it back on.
Actually looking at the definition, my understanding might be off or the definition has morphed over time. I used to think it wasn't a rootkit unless it survived reinstalling the OS.
My point was the current architecture is a kludge built on a kludge... =3
The funny thing is that the "C++ API" is almost entirely C-like, foregoing almost everything beneficial and convenient about C++, while at the same time not being properly limited to C.
(which is why I wrote this: https://github.com/eyalroz/cuda-api-wrappers/ )
> an awful GPU mailbox design is still the cutting-edge tech
Can you elaborate on what you mean by a "mailbox design"?
* CUDA Driver API: https://docs.nvidia.com/cuda/cuda-driver-api/index.html * NVRTC: https://docs.nvidia.com/cuda/nvrtc/index.html * (CUDA Runtime API, very popular but not entirely fundamental as it rests on the driver API)
the CUDA C++ library is a behemoth that sits on top of other things.
At least the C++ part of the systems were functional enough to build the current house of cards. Best of luck =3
It’s easy to say “rewrite everything in X because Y” when you don’t have to deal with the burden of figuring out how to do that.
Flagged the article because the title is super misleading.
From the case study, the question was posed by Nvidia employees, before finding Ada/SPARK and Adacore, https://news.ycombinator.com/item?id=43043381
NVIDIA began to ask themselves, “Can we change our fundamental approach? And if so, which of these tools can we actually use?” They put these questions to their software security team. In reply, the security team came back with what Daniel Rohrer characterized as “a fairly heretical” proposition: “What if we just stopped using C?” This led to other questions, like, “What alternative languages and tools are available to support the use of formal methods?” In trying to answer those questions, NVIDIA discovered SPARK."What if we just stopped distributing and blindly executing untrusted binary blobs?"
A trusted compiler in the OS, and some set of intermediate representations for code distribution would solve a massive amount of security issues, increase compatibility, and allow for future performance increases and disallowing suspect code patterns (spectre, rowhammer, etc). Specializing programs at install time for the local hardware makes way more sense than being locked into hardware machine code compatibility.
It's also an extremely unrealistic goal. First of all, you run into a massive problem with companies and copyright. Second of all, it will be very hard to convince users that it's normal for their Chrome installation to take half an hour or more while using their CPU at 100% the whole time.
There are a huge number of practical issues to be solved to make that be viable.
"The Verified Software Toolchain project assures with machine-checked proofs that the assertions claimed at the top of the toolchain really hold in the machine-language program, running in the operating-system context."
Some of the same researchers worked on TAL (typed assembly language), which sounds like it could be one of the "intermediate representations" you mentioned.
Rest is interesting, nothing was done on install, it wasn't converted or anything to machine code.
In fact, in practice, it never ended up being used.
Well, that's not particularly relevant: the idea was never to do something on device anyway.
Really excellent post here summarizing that I can vouch for: https://stackoverflow.com/questions/72543728/xcode-14-deprec...
> The idea to have apps in a CPU neutral form available on the app store is not a bad one; that's why Android chose Java Byte Code (JBC). Yet JBC is a pretty stable representation that is well documented and understood, Bitcode isn't. Also on Android the device itself transforms JBC to CPU code (AOT nowadays).
Android did not choose Java bytecode, it chose Dalvik bytecode [1]. This was done for several reasons, but at a high level, Dalvik bytecode more closely matches how real computers work while Java bytecode targets a more abstract virtual machine. This result is that Dalvik bytecode is easier to transform into machine code, and more optimizations are done in the source code -> bytecode phase rather than the bytecode -> machine code phase, relative to Java bytecode.
[1]: https://source.android.com/docs/core/runtime/dalvik-bytecode
> Programs for Android are commonly written in Java and compiled to bytecode for the Java Virtual Machine, which is then translated to Dalvik bytecode.. The successor of Dalvik is Android Runtime (ART), which uses the same bytecode and .dex files (but not .odex files), with the succession aiming at performance improvements.
So, congratulations, take it and run with it.
You can do that right now with open source software and Bootstrappable Builds.
https://bootstrappable.org/ https://lwn.net/Articles/983340/
Still, I am a bit convinced. The NVIDIA name is increase the chance that I will evaluate SPARK sometime soon. I have to admit, other than knowing it exists, I am not super familiar with it. What I have seen before now has felt like them using the popularity of Rust as a platform for promotion. This, at least, appears to be a use case where they came in on their own merits.
Right? Yet they published this customer case study in 2022 and it never reached HN. Found in 2025 search on GPU firmware security.
type Day_type is range 1 .. 31;
(Lately I was thinking about making a fantasy computer that could be hosted in Javascript which was going to be RISC but otherwise totally over the top, like there would be bitwise addressing like the PDP-10. First I wanted it to be 24 bit but then I figured I could pack 48 bits in a double so I might as well. It even would have a special instruction for unpacking UTF-8 characters and a video system intended for mixing latin and CJK characters. Still boils down to an 8-bit byte but like the PDP-10 it could cut out 11-bit slices or whatever you want. I was going to say screw C but then I figured out you could compile C for it)
[1] https://learn.adacore.com/courses/intro-to-ada/chapters/stro...
[2] https://learn.adacore.com/courses/Ada_For_The_CPP_Java_Devel...
> It even would have a special instruction for unpacking UTF-8 characters
From https://en.wikipedia.org/wiki/Reduced_instruction_set_comput... :
> The term "reduced" in that phrase was intended to describe the fact that the amount of work any single instruction accomplishes is reduced—at most a single data memory cycle—compared to the "complex instructions" of CISC CPUs that may require dozens of data memory cycles in order to execute a single instruction.
I don't think what you're describing is a RISC processor at all.
Supposing we loaded 4 bytes into a register with a load instruction (quite RISC), we could then have a "decode UTF-8" instruction which could set two output registers: one receiving the decoded code point, and the other receiving the number of bytes consumed (1-4). That's another perfectly RISCy operation: read one input register, operate on it, update two output registers. Most RISC architectures also allow base+offset addressing at least, so you can chain this to another load using the output of that second register; worst case, you'd need to add base+offset in a dedicated instruction. No violations of RISC here.
However, you'd start running into problems with alignment. Loading 4 bytes into a register typically requires 4-byte alignment, but UTF-8 is a variable-length encoding (hence the desire to accelerate it in the first place!). Is unaligned load RISCy? Many architectures now support it, but they usually didn't start off with it. Then again, 64-bit architectures can just ignore the problem entirely, since they can load 8 bytes at a time, which will always be enough to fit an arbitrary 4-byte value at any alignment. You'd just need to shift the value in the register by the amount of the misalignment, which is another valid RISC operation.
If you wanted to sidestep the alignment issue, then an alternate solution would be to decode the UTF-8 sequence straight from memory, but that definitely feels more like CISC to me.
Pascal is less esoteric and has had that forever.
Pedagogically oriented computer science profs circa 1980 were aghast that BASIC had become the standard for teaching young people to program. It was difficult to fit Pascal into a microcomputer then, so we were stuck with the atrocious UCSD Pascal [1] which used a virtual machine to make up for the weak instruction sets of many micros, particularly the 6502. Since the compiler ran inside the VM, compiling a small Pascal program was like compiling a large C++ program today.
Not long after that I got to use Pascal on a VAX which was not so bad, but pretty obviously not up to doing systems programming, particularly compared to C, which was starting to show up on micros such as Z-80s running CP/M and the TRS-80 Color Computer running OS-9.
Then I got a 80286 computer and I really liked Turbo Pascal because it added the (non-standard) facilities you need to do systems work, but went back to C when I went to school because it was portable to the 68k and SPARC based Sun machines we had.
I had some very limited access to CP/M z80 machines. Probably somewhere between 86-90. All I remember about the C compiler they had is that I had to swap 2 or 3 floppies to produce a linked executable, so it sounds similar to this UCSD Pascal.
My first real contact with Pascal was Turbo Pascal, and that ran loops around any other compiler I had access to back then...
UCSD Pascal was one of very few compiled languages you could get for the Apple ][ and other 6502 machines because the virtual machine was an answer to problem of code generation for that terrible instruction set with insufficient registers and addressing modes.
Nvidia Security Team: “What if we just stopped using C?” - https://news.ycombinator.com/item?id=33504206 - Nov 2022 (362 comments)
Here's a page on this: https://blog.adacore.com/a-new-era-for-ada-spark-open-source...
ajxs is right to say that the way to get your hands on this tooling is to use the Alire package-manager. AdaCore no longer offer alternative means of distribution (except, presumably, to paying customers).
For that matter, Ada seems interesting, I kind of wish it had caught on outside of the defense industry.
In one programming class, in college, we used a text-book called "Oh my, Modula 3!". On the back they explained the title, saying "better 'Oh my, Modula 3!' than 'Oh no, Ada!'".
The title of that book was chosen as a reference to a previous book titled, "Oh! Pascal!".
It's just too bad, because Ada looks like a language that should have gotten more popular. I was playing with some of the concurrency constructs built into it, and it was fairly pleasant, and it makes me think about the "what if?" universe where it caught on instead of C++ dominating the 90's and 2000's.
I guess we could get a middle ground with a simpler C dialect with the bits required for modern hardware architecture programming (no integer promotion, no implicit casts, only sized type, only one loop keyword, no switch...). The defining criteria for this language: it must be easy to get a real-life bootstrap compiler with one dev (reasonable amount of time, effort, etc).
I am currently coding many of my applications in RISC-V assembly, with a small interpreter to run them on x86_64, dodging complex macro-preprocessors (I use the basic features of a C preprocessor, I don't even use the RISC-V pseudo-ops).
The only thing keeping me on x86_64 are video games for linux and the fact that x86_64 micro-archs are mature, performant wise.
There are also proprietary solutions that do something similar:
Pascal strings used to have their actual length in a field at the beginning of the string. Imagine how many off by one errors and how many (even hidden) calls to strlen() that saves.
All they needed to modernize Pascal is some library code to resize the buffer if needed, just like curly brace languages. It may already be present in modern Pascal implementations, I haven't followed.
Pascal also has array bounds checking by default. Imagine how many out of bounds errors this could prevent.
But no, you have to have curly braces instead and build layers and layers of classes and languages over classes, all over the same impractical string representation.
And this was even fixed in ISO Extended Pascal by 1990.
Not to mention that Wirth fixed this in Modula-2 in 1978, already, which everyone keeps forgeting it was actually designed for systems programming, while Pascal was originally designed in 1972 for teaching programming concepts.
But sure enough, lets complain about ISO Pascal from 1976.
I mean, for writing userland apps, various langs come and go. But for writing OS, after more than 4 decades, C is still there.
:D
I can imagine Boomers laughing but the Rustaceans not seeing the humour in it at all. I could be wrong...
[1] https://en.wikibooks.org/wiki/Ada_Programming/Types/range
"We wanted to emphasize provability over testing as a preferred verification method"
Yet another developer seeking a panacea that will allow them to keep their job while diminishing their workload.
For typical workers, it's a fact that work is infinite, so you put your 8 hours and then do it again the other day.
Whenever devs get put in this position they go for the nuclear option of going for the moon.
Man just keep finding bugs to the best of your ability, it will never be 100% secure, except insofar as you gerrymander what's a vulnerability and what is your responsibility.
Good luck. But if I have to put my chips in Nvidia's VP vs C, I put them in C. The list of C contenders has been long, and it seems more likely that the vp is at the peak of their life ala musk or altmann and they have their own delusions. Not sure whether going to mars is crazier or whether finally replacing C is.
Specifically, the article does not claim that any significant bit of code at NVIDIA uses SPARK or Ada.
That is a vacuous statement, because:
* We don't know what constitutes "significant"
* We don't know what it's significant _for_
* "code at NVIDIA" is an extremely wide definition.
vacuous: Devoid of substance or meaning; vapid or inane.
disingenuous: Pretending to be unaware or unsophisticated; faux-naïf.
guarded: Cautious; restrained.