Is there a language protected from natural disasters?

From what I know¹, Ada is often used in mission-critical security systems.

Ada was originally aimed at embedded systems and real-time systems.

Known features of Ada include: strong typing, modular mechanisms (packages), runtime checking, parallel processing (tasks), exception processing and generics. Added Ada 95 support for object-oriented programming, including dynamic dispatch.

Ada supports run-time checks in order to protect against access to unallocated memory, buffer overflow errors, one-after-one errors, an array of access errors, and other detectable errors. These checks can be disabled in the interest of performance, but can often be compiled efficiently. It also includes a program check.

For these reasons, Ada is widely used in critical systems, where any anomaly can lead to very serious consequences, that is, accidental death or injury. Examples of systems in which Ada is used: avionics, weapon systems (including thermonuclear weapons) and spacecraft.

Programming the N version can also give you useful background reading.

¹What basically one acquaintance who writes embedded security-safe software

I doubt that the language features that you describe can be achieved.

And the reason is that it would be very difficult to determine the general and general failure modes and how to restore them. Think for a second about your example application - on some website with some logic and database access. And let's assume that we have a language that can detect a power outage and subsequent restart, and somehow recover from it. The problem is that it is impossible to learn how to restore the language.

Say your application is an online blog application. In this case, this may be enough to simply continue from the moment we failed, and everything will be all right. However, consider a similar scenario for an online bank. Suddenly he is no longer smarter just to continue from the same point. For example, if I tried to withdraw money from my account, and the computer died immediately after verification, but before he completed the withdrawal and then he returned in a week, he would give me money, even if my account is now negative.

In other words, there is no single correct recovery strategy, so this is not something that can be implemented in the language. In what language can you say when something goes wrong, but most languages ​​already support this with exception handling mechanisms. The rest is up to application designers.

There are many technologies that enable the development of fault tolerant applications. Database transactions, long message queues, clustering, hardware hot swap, and so on and on. But it all depends on the specific requirements and how much the end user is willing to pay for all this.

Most of these efforts, called " fault tolerance ," are hardware, not software.

An extreme example of this is Tandem , whose non-stop machines are completely redundant.

Implementing hardware-based fault tolerance is attractive because the software stack is usually made up of components sourced from different vendors — your highly available software can be installed next to some definitely shaky other applications and services on top of the operating system, it is rough and uses hardware device drivers which are clearly fragile.

But at the language level, almost all languages ​​offer tools for correct error checking. However, even with RAII, exceptions, restrictions, and transactions, these code codes are rarely checked correctly and rarely tested together in multiple failure scenarios, and usually in error handling code that hides errors. So this is more about understanding by the programmer, discipline and compromise than about the languages ​​themselves.

This brings us back to hardware resiliency. If you can avoid a crash in the database link, you can avoid using inconvenient error handling code in applications.

No , a language protected from natural disasters does not exist.

Edit:

Reliability means perfection. This is reminiscent of the images of a process that applies some intelligence to the logical solution of unknown, uncertain and unexpected conditions. There is no way that a programming language can do this. If you, as a programmer, cannot understand how your program will fail and how to repair it, then your program will also not be able to do this.

Poverty in terms of IT can arise in many models that no process can solve all these different problems. The idea that you could develop a language to solve all the ways in which something might go wrong is simply not true. Due to the abstraction from the hardware, many problems do not even make sense to handle the programming language; but they are still "disasters."

Of course, once you begin to limit the scope of the problem; then we can start talking about developing a solution for him. Therefore, when we stop talking about being poor and talking about recovering from unexpected power surges, it is much easier to develop a programming language to solve this problem, even if it may not make sense to consider this problem at such a high stack level. However, I dare to predict that as soon as you cover this with realistic implementations, it becomes uninteresting as a language, since it has become so specific. for example, use my scripting language to start batch processes overnight, which will recover after unexpected power surges and lost network connections (with some help from a person); this is not a convincing argument in favor of my mind.

Please do not get me wrong. There are some wonderful suggestions on this topic, but, in my opinion, they do not come up with anything, even remotely approaching the evidence of security.

Consider a system created from non-volatile memory. The program state is saved at any time, and if the processor stops for a while, it will resume at the moment when it will be restarted. Thus, your program is “evidence of natural disasters” to the extent that it can survive a power failure.

This is entirely possible, since other messages were presented when talking about software transactional memory and "fault tolerance," etc. It is curious that no one mentioned the “memristors", as they proposed future architecture with these properties and, possibly, von Neumann architecture completely.

Now imagine a system built of two such discrete systems - for a simple illustration, one of them is a database server, and the other is an application server for an online banking website.

If one pause, what does the other? How does he cope with the sudden inaccessibility of this employee?

It could be handled at the language level, but that would mean a lot of error handling, etc., and that complex code would become correct. This is almost no better than today, when machines are not tested, but languages ​​try to detect problems and ask the programmer to deal with them.

It can also stop - at the hardware level, they can be connected to each other, so from the point of view of power they represent one system. But this is hardly a good idea; higher availability will come from a fail-safe architecture with backup systems, etc.

Or we could use constant message queues between two machines. However, at some point, these messages are processed, and at this moment they may be too old! Only the application logic can really work on what to do in these circumstances, and we are back to languages ​​delegating the programmer again.

Thus, it seems that troubleshooting in the current form is better - uninterruptible power supplies, ready-to-use backup servers, numerous network routes between hosts, etc. And then we can only hope that our software is free!

The exact answer:

Ada and SPARK were designed to maximize fault tolerance and to move all errors that can be used for compilation rather than runtime. Ada was developed by the U.S. Department of Defense for military and aviation systems that run on embedded devices in things like airplanes. The spark is her descendant. There was another language used in the early US space program, HAL / S, designed to handle hardware failure and memory damage due to cosmic rays.

The practical answer:

I have never met anyone who could write Ada / Spark. For most users, the best answer is SQL options in a DBMS with automatic fault tolerance and server clustering. Integrity check guarantees security. Something like T-SQL or PL / SQL has complete transaction security, is the completion of Turing, and quite tolerant of problems.

The reason there is no better answer:

For performance reasons, you cannot provide longevity for every program operation. If you did, processing would slow down to the speed of your fastest memoryless storage. In the best case, your performance will decrease by a thousand or a million times, due to how much ANYTHING slower than processor or RAM caches is.

That would be the equivalent of moving from a Core 2 Duo CPU to an ancient 8086 processor - in most cases, you could do a couple of hundred operations per second. In addition, it will even be SLOWER.

In cases where there are frequent power cyclic or hardware failures, you use something like a DBMS, which guarantees an ACID for every important operation. Or you use hardware with fast non-volatile storage (like flash) - it's still a lot slower, but if the processing is simple, that's fine.

At best, your language gives you good compile-time security checks for errors, and will throw exceptions, not crashes. Exception handling is a function that consists of half the languages ​​used.

This question made me post this text

(He is quoted from HGTTG ​​from Douglas Adams :)

Click, hum.

A huge gray reconnaissance ship Grebulon quietly walked through the black void. He traveled at a fabulous, breathtaking speed, but still appeared, amid a flickering billion of distant stars that did not move at all. It was just one dark spot, frozen from the endless granularity of a bright night.

On board the ship, everything was as it was for millennia, deeply dark and quiet.

Click, hum.

At least almost everything.

Click, click, hum.

Click, hum, click, hum, click, hum.

Click, click, click, click, click, click.

Hmmm.

The low-level control program woke up the higher-level control program in the ship’s crazy cyber brain and informed him that whenever he clicked, all he got was a buzz.

The top-level surveillance program asked him what she should have received, and the low-level level control program said she couldn’t remember exactly, but thought that this was most likely a kind of distant contented sigh, right ?? He did not know what kind of hum. Click, hum, click, hum. That is all he got.

The top-level surveillance program considered this and did not like it. He asked the low-level control program what exactly it controlled, and the low-level control program said that she also couldn’t remember this, it was just that it was necessary to press, sigh every ten years or so, what usually happened without fail. He tried to consult his error search table, but could not find it, so he warned that a higher-level control program was suitable for this problem.

The tertiary education program consulted with one of its own reference tables to find out what the low-level supervisory program should have controlled.

Could not find lookup table.

Odd.

He looked again. All he got was an error message. He tried to find the error message in his error message table and could not find it. This allowed several nanoseconds to pass, until all this repeated. Then he woke up over his leader in an industry function.

An industry function supervisor was struck by immediate problems. He called him the supervisor, who also had problems. For several millionths of a second virtual circuits that lay dormant, some for years, some for centuries, flashed in life on the whole ship. Something, somewhere, was terribly wrong, but none of the supervisory programs could say what it was. At each level, there were no important instructions, and there were no instructions on what to do if important life instructions were discovered.

Small software modules - agents - moved along logical paths, grouping, consulting, regrouping. They quickly established that the memory of the ship, right up to the central module of the mission, was in rags. No survey could determine what happened. Even the central mission module itself was damaged.

This made the whole problem very simple. Replace the central mission module. There was another, backup, exact duplicate of the original. This had to be physically replaced because, for security reasons, there was no connection between the original and its backup. Once the central module of the mission was replaced, he himself could control the rest of the system in every detail, and everything would be fine.

The robots were instructed to bring the backup central mission module from the protected strong room where they were guarding it to the ship’s logical chamber for installation.

This is due to the long exchange of codes and emergency protocols, as robots interrogated agents regarding the authenticity of the instructions. Finally, the robots were satisfied that all procedures were correct. They unpacked the backup central mission module from their storage, pulled it out of the storage chamber, dropped out of the ship and went into the void.

This provided the first important clue to what it was, what was wrong.

Further research quickly established what happened. The meteorite knocked out a large hole on the ship. The ship had not previously discovered this, because the meteorite accurately knocked out that piece of equipment for processing the ship, which was to determine whether the ship was hit by a meteorite.

The first thing to do is try to seal the hole. This turned out to be impossible because ship sensors could not see that there was a hole, and managers who were supposed to say that the sensors were not working properly did not work properly and continued to say that the sensors were in order. The ship could only deduce the existence of the hole due to the fact that the robots clearly fell out of it, taking away a spare brain, which would allow him to see the hole with them.

The ship tried to reasonably think about it, failed, and then completely plunged. Of course, he did not understand that it was fading because it was fading. Just surprised that the stars are jumping. After the stars jumped onto the ship for the third time, they finally realized that it should go out and that it was time to make some serious decisions.

He relaxed.

Then he realized that he had not yet made serious decisions and did not panic. He went out a little. When he woke again, he secured all the bulkheads around the place where he knew that there should be an invisible hole.

He obviously didn’t get to his destination, he thought, but since he no longer had the slightest idea where his purpose was and how to reach it, there seemed to be little point in continuing. He consulted on what tiny fragments of instructions he could recover from the broken line of his central mission module.

"Yours !!!!!!!!!!!!!!!! year mission - !!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!, land !!!!!!!!!!!!!!!! safe distance !!!!!!!!!!! .......... ........., ground ............... monitor. !!!!!!!!!!!!!!!! ... "

Everything else was complete rubbish.

Before it is closed forever, the ship will have to transmit these instructions, for example, to its more primitive auxiliary systems.

He must also revive his entire crew.

Another problem has arisen. While the crew was in hibernation, the minds of all its members, their memories, their personality and understanding of what they did, were all transferred to the central module of the ship’s mission for safe storage. The crew would not have the slightest idea of ​​who they were or what they were doing there. Well.

Shortly before he went out for the last time, the ship realized that his engines also began to give out.

The ship and its revived and confused crew went under the control of their auxiliary automatic systems, which simply looked at the ground, wherever they were, to land and monitor what they could find for observation.

Try using an existing open source language and see if you can adapt its implementation to include some of these features. The default implementation of Python for Python includes a built-in lock (called GIL, Global Interpreter Lock), which is used to "handle" concurrency among Python threads by alternating each VM instruction "n". Perhaps you can connect to the same mechanism to check the status of the code.

For the program to continue working when it was turned off, if the machine lost power, not only had to save the state somewhere, the OS also had to “know” in order to resume it.

I suppose that the implementation of the "sleep mode" function in the language can be performed, but if it happens all the time in the background, so it is ready in case something bad sounds like an OS, in my opinion.

The main function, however, should be: if the power dies and the thing restarts, it takes the place where it stopped (therefore, it not only remembers where it was, but also remembers the states of the variables). Also, if it stopped in the middle of the file machine, it will also resume correctly. etc.

......

I have looked at erlang in the past. No matter how tolerant she is, he has ... He does not survive. When the code restarts, you have to pick up the pieces

If such a technology existed, it would be very interesting for me to read about it. However, the Erlang solution will have several nodes - ideally in different places - so if one place goes down, the other nodes can raise the slack. If all your nodes were in the same place and on the same power source (not a good idea for distributed systems), then you are out of luck, as you mentioned in the comments.

The Microsoft Robotics team introduced a set of libraries that seem to be applicable to your question.

What is Concurrency and Runtime Coordination (CCR)?

Concurrency and coordination lead time (CCR) provides a highly competitive programming model based on message passing using powerful orchestration primitives that allow data and work coordination without the use of manual threading, locks, semaphores, etc. CCR addresses the need for multi-core and parallel applications by providing a programming model that facilitates managing asynchronous operations, dealing with concurrency, using parallel hardware and partial failure processing.

What is Decentralized Software Services (DSS)?

Decentralized Software Services (DSS) provides a lightweight, state-oriented service model that combines representative state transfer (REST) ​​with a formalized composition and event notification architecture allowing for a systematic approach to building applications. In DSS, services are disclosed as resources that are accessible both programmatically and for user interface manipulation. By integrating a service composition, a structured state of manipulation and event notification with data isolation, DSS provides a single model for writing highly observable, loosely coupled applications running on a single node or over a network.

Most of the answers are general purpose languages. You might want to learn more specialized languages ​​that are used in embedded devices. A robot is a good example for thought. What do you want and / or expect from the robot when it recovers after a power failure?

In the embedded world, this can be achieved by interrupting the watchdog timer and battery-powered RAM. I wrote this.

Depending on your definition of disaster, it can range from “difficult” to “practically impossible” to delegate this responsibility to this language.

Other examples provided include saving the current state of the application in NVRAM after each statement is executed. This only works if the computer is not destroyed.

How does a language level function know to restart an application on a new host?

And in the situation of restoring the application to the host - what if a considerable time has passed, and previously made assumptions / checks were now invalid?

T-SQL, PL / SQL, and other transactional languages ​​are probably as close as you get to the "proof of disaster" - they either succeed (and the data is saved) or not. Excluding disabling transactional isolation, it is difficult (but probably not impossible, if you are really trying hard) to get into "unknown" states.

You can use methods such as SQL mirroring to ensure that records are stored in at least two places at the same time until the transaction is completed.

You still need to ensure that you maintain your state every time it is safe (commit).

If I understand your question correctly, I think you are asking if it is possible to guarantee that a particular algorithm (that is, a program plus any recovery options provided by the environment) will be completed (after any arbitrary number of restores / restarts).

If this is correct, I would like to address the stop problem :

Based on the description of the program and the final input, decide whether the program will end or run forever, given this input.

I think that classifying your question as an example of a stopping problem is fair, given that you would ideally want the language to be “evidence of a natural disaster,” that is, it will “perfect” any inadequate program or chaotic environment.

This classification reduces any combination of environment, language, and program to "program and final input."

If you agree with me, you will be disappointed that the problem with the stop is unsolvable. Thus, it cannot be proved that a language or compiler or environment without "distress" can be proved.

However, it is prudent to develop a language that provides recovery options for various common problems.

In the event of a power failure .. sounds like to me: "When your only tool is a hammer, every problem looks like a nail"

You do not solve the problem with turning off the power in the program. You solve this problem with redundant power supplies, batteries, etc.

There are several commercially available structures Veritas, Sun HA, IBM HACMP, etc. etc. which automatically tracks processes and starts them on another server in case of failure.

There is also expensive equipment, such as the HPs Tandem Nonstop range, which can withstand internal equipment failures.

However, software is built by nations, and nations love to make mistakes. Consider the cautionary history of the IEFBR14 program shipped with IBM MVS. This is basically a NOP mock program that allows you to declare a JCL bit without starting the program. This is the whole source code: -

IEFBR14 START BR 14 Return addr in R14 -- branch at it END 

Nothing is easier? Over its long life, this program actually collected a bug report with an error and is now on version 4.

Thats 1 error up to three lines of code, the current version is four times the size of the original.

Bugs will always creep, just make sure you can repair them.

If the failure mode is limited by hardware failure, VMware Fault Tolerance claims you want it. It runs a pair of virtual machines across multiple clusters and uses what they call vLockstep, the primary vm sends all states to the secondary vm in real time, so in the event of a primary failure, execution is transparently flipped to the secondary.

My guess is that this will not help a communication failure, which is more common than a hardware failure. For serious high availability, you should consider distributed systems such as the Birman team approach ( pdf paper or the book Reliable Distributed Systems: Technologies, Web Services, and Applications ).

The closest approximation is SQL. However, this is not a language problem; this is basically a VM problem. I could imagine a Java VM with these properties; this will be another matter.

A quick and approximate approximation is achieved using the application checkpoint. You lose the "die at any moment" property, but it is pretty close.

I think that his fundamental mistake for recovery will not be a significant design problem. Responsibility for the invincibility of the environment leads to the usual fragile solution, intolerable by internal malfunctions.

If it were me, I would invest in reliable equipment and develop software so that it can automatically recover from any possible state. For your example, database session maintenance should be handled automatically using a fairly high level API. If you need to manually connect, you are probably using the wrong API.

As others have noted, programming languages ​​embedded in modern RDBMS systems are the best you can get without using an exotic language.

Virtual machines are generally designed for this kind of thing. You can use the VM client APIs (vmware..et al) APIs to manage the periodic checkpoint in your application, if necessary.

In VMWare, in particular, there is a playback function (Enhanced Record Record), which records ALL and allows you to play in time. Obviously, this approach is a huge success, but it will meet the requirements. I would just make sure that your disks have a backup cache for writing.

You will most likely find similar solutions to run java bytecode inside the Java virtual machine. Google fault-tolerant JVM and virtual machine checkpoint.

If you want to save information about the program, where would you save it?

It must be saved, for example. to disk. But this would not help you if the disk failed, so it is no longer a disaster.

You will only get a certain level of detail in the saved state. If you want something like tihs, then probably the best approach is to determine the level of detail, in terms of what constitutes an atomic operation and storing the state in the database before each atomic operation. You can then restore the atomic operation to such an extent.

I do not know a single language that would do this automatically, because the cost of maintaining state for secondary storage is extremely high. Thus, there is a trade-off between the level of detail and efficiency, which is difficult to determine in an arbitrary application.

• First, run the fail-safe application. One, where, where, if you have 8 functions and 5 failure modes, you performed an analysis and test to demonstrate that all 40 combinations work as intended (and at the request of a specific client: two of them will most likely disagree) .
• second, add a scripting language on top of the supported set of fault tolerant functions. It should be as close as possible to a stateless person, so almost certainly something non-Turing is complete.
• finally, consider how to handle recovery and restoration of the state of a scripting language adapted to each failure mode.

And yes, this is pretty much rocket science .

Windows Workflow Foundation may solve your problem. It is based on .Net and is designed graphically as a workflow with states and actions.

This allows you to maintain the constancy of the database (automatically or upon request). You can do this between states / actions. This serializes the entire workflow instance in the database. It will be rehydrated, and execution will continue when any of several conditions are fulfilled (specific time, rehydrated by software, event fires, etc.)

When the WWF host starts up, it checks the save database and rehydrates any workflows stored there. Then it continues to be executed in terms of perseverance.

Even if you do not want to use aspects of the workflow, perhaps you can still use the save service.

As long as your steps are atomic, this should be enough, especially since I assume that you have a UPS, so it can track UPS events and enhance constancy if a power problem is detected.

If I decided to solve your problem, I would write a daemon (possibly in C) that did all the database interactions in transactions, so you will not get any bad data if it is interrupted. Then start the process of starting this daemon at startup.

Obviously, the development of web materials in C is much slower than in the scripting language, but it will work better and be more stable (if you write good code, of course :).

Actually, I would write it in Ruby (or PHP or something else) and something like a Delayed Job (or cron or any other scheduler) starts it every so often because I don’t need to update the clock cycle ever .

Hope this makes sense.

In my opinion, the concept of failure recovery in most cases is a problem for the business, and not a hardware or language problem.

Take an example: you have one level of user interface and one subsystem. The subsystem is not very reliable, but the client at the user interface level should perceive it as if it were.

Now imagine that somehow your subsystem crash, do you really think that the language you imagine might think about how to handle the user interface level depending on this subsystem?

Your user should clearly know that the subsystem is not reliable, if you use messaging to ensure high reliability, the client MUST know this (if he does not know, the user interface can simply freeze the waiting response, which may eventually come 2 weeks later). If he needs to know about it, that means that any abstractions to hide it will eventually flow.

By client, I mean the end user. And the user interface should reflect this insecurity and not hide it, the computer cannot think for you in this case.