Friday, December 3, 2010

Defensive programming: Fortran, Ada, C++, Java, ???

I've worked in the defense software industry for over 25 years, and lately I've been thinking about programming languages.

I'm concerned.

Now first off, the vast majority of defense systems take a long time to develop and deploy. No small part of that is because of what these systems are intended to do, which is to directly or indirectly destroy an opponent's equipment, infrastructure, and people, and prevent their weaponry from doing the same to you.

This is something you want to get right, and so a great deal of care is warranted.

There are perils endemic to a long, drawn-out, (justifiably) risk-averse development process: working with and deploying old technology, requirements creep, bureaucracy, hierarchies of reviews and sign-offs, and expending lots of effort on a multitude of specification and management tasks and documents, far too few of which have much to do with actually putting a weapon system in the field.

There are a number of issues that could be gone into about this industry and its development practices, but as a software guy, I want to focus on programming, specifically the succession of defense software implementation languages.

My characterization of programming language succession within the defense software industry from the early 80s to the present is that this industry lags about 10 years or so behind commercial practices. Sure, there are pockets of development that are concurrent with commercial development, but a programming language doesn't achieve widespread use--which means used on major program starts and upgrades--on DOD (Department of Defense) projects until at least ten years after its use is widespread in the commercial software industry. And the defense industry is pretty cocooned when it comes to programming language practices, i.e. for the most part developers and technical leads don't really realize just how far behind they are. (One software architect expressed shock when I told him that Perl was not considered one of the hottest technologies in software development, and the days when it was cool and leading edge to program in Perl were now many years in the past. Another co-worker was equally surprised to hear that Java is now often considered the language you have to program in for work.)

I entered the industry just when the defense industry was trying a new approach, at that time trying to deal with a proliferation of industry- and system-specific programming languages (Fortran, JOVIAL, CMS-2, and numerous assembly languages). The Ada programming language was the result of a language competition and it was subsequently mandated for all defense system starts and major upgrades. For a variety of reasons, mostly involving politics, organizational resistance, and greed, the initiative failed. There were a few technical flaws in the language, but it was quite capable of meeting defense software requirements at the time (and did and does so in deployed systems today); by the time the flaws and the greed were dealt with, the window of opportunity for mainstream acceptance of Ada had passed.

Commercial software development, which was starting to become the driver of computer technology innovation (rather than the military) was driving towards C and then C++ at this time, and with the Commercial Off-The-Shelf "COTS Initiative" and "best industry practices" becoming defense industry focuses, the defense industry began looking to the commercial world for its software development technologies.

By the mid-90s many (but not all :-) defense programmers were becoming disdainful of Ada, and it was not uncommon to hear laments about not being able to have C++ on one's resume.

I had the opportunity in the mid-90s to do a clean-sheet redesign of a poorly-designed and implemented command & control subsystem. It had been implemented in Ada, but the developers were skeptical of the language, and barred the use of features of the language that they didn't understand, sometimes very basic features (like subtyping, for those of you familiar with Ada). I had no such qualms, the team now supporting the system was well-versed in Ada (with only one of the original developers remaining), and so the redesign took advantage of Ada's strengths and capabilities, rather than fearing them.

My biggest obstacles were two system engineers, who were adamant that the reimplementation should be done in C++. One even went so far as to surreptitiously add a slide to my presentation the night before a customer review stating that while we were reimplementing in Ada now, the long term plan was to move to C++. It was not, and I had to explain this in front of the customer, because it was too late to pull the slides. (Still pissed about that? Why yes, I'm soaking in it.) These two were not in my management chain, in whom I had full confidence, but they lobbied the Chief Engineer to try to get him to mandate a language change, to no avail, and to his credit.

The point of this whole little rant of mine on this particular career event is what one of those "engineers" put forth as a primary justification to use C++:

"C++ is where the market is going."

How silly does that sound today? Yes, there's a lot of C++ around, now mostly considered legacy stuff, and my sense is that young programmers seem to hold C++ in about the same disdain that defense programmers had for Ada in the mid-90s. The market changes, and committing large, long-lived system development to "where the market is going", as if that's where it's going to settle for all time, is ridiculously naive and short-sighted.

Java is now all the rage in the defense software development industry, and while it is probably still the most widely used programming language for commercial software development, there's definitely the sense that it has passed its prime and has begun to wane in mindshare and interest. The reasons why aren't my point, my point is that it's hot in defense, while outside of that industry Java is now "your father's programming language" from 15 years ago.

There's been debate then about what "the next big programming language" is going to be. Javascript? Python? C#? Some other dark horse language (Erlang?) or some new up-and-comer?

I don't know, and that's the part that bothers me about where the defense software industry is heading.

The programming language that's grabbing the commercial industry now I would be expecting to be dominating defense software development in about 10 or 15 years. And, well, first off I don't perceive a dominating candidate yet, and the candidates that I do see lack an aspect I consider fundamental to safety- and mission-critical software systems.

That aspect is an intentional, well thought out, unifying principle, ideally envisioned by an individual or small team of language designers.

Ada was explicitly designed for embedded, real-time defense systems (and is widely used in safety-critical ones), and was designed around a "type model". The original version was designed by Jean Ichbiah, and the first and only major revision of the language (Ada 95) was led by Tucker Taft. (Subsequent enhancements are essentially incrementally improving its capabilities.)
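As an added illustration of what that type model buys you (this is example code written for this page, not code from the original post or from any program it describes), here is a small Ada program using exactly the kind of basic feature those mid-90s developers barred: a range-constrained subtype. The Heading subtype, the Steer procedure and the sample values are all hypothetical; compile and run it with GNAT (gnatmake subtypes.adb && ./subtypes).

```ada
-- Added example, not from the original post. Shows Ada's subtype range checks
-- rejecting an out-of-range value at the point it enters the typed domain.
with Ada.Text_IO;     use Ada.Text_IO;
with Ada.Exceptions;  use Ada.Exceptions;

procedure Subtypes is
   -- Hypothetical heading in degrees. A value outside 0 .. 359 is a program
   -- error, not a number to be silently wrapped or interpreted downstream.
   subtype Heading is Integer range 0 .. 359;

   -- Converting a raw Integer to the subtype performs a constraint check;
   -- an out-of-range value raises Constraint_Error instead of propagating.
   function To_Heading (Raw : Integer) return Heading is
   begin
      return Heading (Raw);
   end To_Heading;

   -- Anything reaching this procedure is guaranteed to be in range, so the
   -- body needs no defensive re-check of its parameter.
   procedure Steer (H : Heading) is
   begin
      Put_Line ("steering to" & Heading'Image (H));
   end Steer;

   -- Constructed sample inputs: two valid headings and one bad field value.
   Samples : constant array (1 .. 3) of Integer := (45, 359, 400);
begin
   for I in Samples'Range loop
      begin
         Steer (To_Heading (Samples (I)));
      exception
         when E : Constraint_Error =>
            Put_Line ("rejected" & Integer'Image (Samples (I))
                      & ": " & Exception_Message (E));
      end;
   end loop;
end Subtypes;
```

One caveat a practitioner should keep in mind: the check fires on assignment, conversion and parameter passing, not on bits that arrive through Ada.Unchecked_Conversion or an address overlay from a raw message buffer. For data that enters that way, test it with the 'Valid attribute (e.g. if Value'Valid then ...) before using it as a Heading, otherwise the invariant the subtype promises does not hold.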

C is a "portable assembly language", designed by Dennis Ritchie (and documented with Brian Kernighan in the K&R book).

While I think C++ is inappropriate for critical software outside of the hands of experts, it was consciously designed by Bjarne Stroustrup as "C with classes".

And I feel that the fundamental feature of James Gosling's Java is that it is designed around the "interface" concept and construct.

I don't get any sense of this kind of intentional, unified, design from the currently up-and-coming languages; they exist to make string handling easier, or programming easier, or Web development easier. That's all great, but is that foundation industrial strength enough that you'd trust it to guide and target a missile moving at Mach 2 that has to take out an incoming nuke?

Like I said at the beginning, I'm concerned. Maybe I'm just being a Luddite here, and VMs and programming language refinements will meet the requirements of the warfighter by the time the defense industry moves past Java.

There's just nothing jumping out at me right now, and given the iconoclasm and cocooning of defense software industry programmers, I am concerned about "where the market is going."


Gary Myers said...

Interesting. Is there a place between conventional commercial software development and defense? Utilities sector maybe? Airline industry?

There's a difference between internet chatter on languages and what is getting used. TIOBE still has Java, C and C++ at the top with C# and Python as the up and coming.

But maybe there's more room for niche languages or at least not moving away from languages because they are old. If the innovation has shifted to a different focus (internet, scalability etc) then perhaps the current stuff just isn't broken.

Flado said...

Well, it's only anecdotal evidence, but I can testify that C (not ++) is very much alive and kicking in the industry. As in, a mission-critical system for a large automobile manufacturer I happen to work on. Sure, we use Java for the front-end, but the backbone is still plain old C (with a little help from Perl and PROLOG).
What is mostly talked about is NOT necessarily what is mostly being used, I guess.

Anonymous said...

I have worked in the defense industry since '94; so, you have a few years on me. That said, I know for a fact that new languages are currently being investigated and funded by the defense industry. For example, Plaid is a 'safer' language from CMU that gets a portion of its funding from DARPA. My company, which happens to be a large defense corporation, spends a good amount of research funds on static analysis tools so that we may get the most out of the languages already in use. The point: nobody in this industry could know so much as to make blanket statements about an industry that works mostly in secret. The left hand most certainly does not know what the right hand is doing.

nixar said...

What about functional languages? They have existed for decades in academia, but they are just now gaining widespread acceptance in various industries.

You mention Erlang briefly; the reason why it's getting a tremendous amount of interest is because it answers beautifully two concerns of growing importance: distributed/multithreaded code (which it treats basically as the same thing), and resilience.

Erlang is not statically typed so it's probably missing out on interesting capabilities. There are plenty of other languages that do, though; OCaml, Haskell, F#, Scala and so on. In any case Erlang fills an important niche. It makes implementing tools such as CouchDB or RabbitMQ much easier. CouchDB then uses JavaScript as its glue language. What I'm getting at is that the days of "one language fits all" are gone, and it's a good thing. These days DSLs are all the rage, for good reason: they allow implementing the business logic clearly and with as little dependency on the technical side of things as possible.

blockcipher said...

I think you and I may be on the same page as I recently started work on a new language designed to make creating software safer. It's very conceptual and I'm not really expecting it to take off, however I just find it interesting that what you're describing and what I'm doing as a small side-project are similar.

Marc said...

@anonymous: Oh I know there's programming language oriented R&D efforts going on, and more power to them.

My area of concern is with large programs, say upwards of $100 million expenditures, with a significant software component. There's no sign that programs like that are ever going to come anywhere near a non-mainstream programming language again.

Also, I disagree with your contention that the defense industry works "mostly in secret". Developing a classified program rarely means that everything about that program, including what programming language it is being implemented in, is secret. I've worked the gamut from unclassified to black, and while the defense industry is in its own cocoon and has its idiosyncrasies, a decent amount of info is available for most programs via award notices, journals, conferences, seminars, etc.

Marc said...

@nixar, I've looked at Erlang and I think it's a really neat language, and I readily agree it has a good solid foundation.

But until it becomes a leading mainstream language, don't expect the DOD to use it on any significant program.

You may be right that the day of "one language fits all" is behind us. The defense industry, though, is *very* conservative when it comes to software technology, my experience indicates that program managers are isolated from current technology practices and trends, and are highly skeptical of bringing "untried technology" (untried by the defense industry--it's a chicken-and-egg problem) into a multi-million dollar project for which they're on the hook.

I think DSLs have a lot of potential, and they may be where the industry is going (heh :-), but adopting that practice is not as easy and clean (and low-risk) as settling on The New Programming Language For All Program Starts.

Anonymous said...

Haskell can be proven correct, has no side-effects (such as pointer errors to debug), and allows for very succinct expression. The less code, the fewer opportunities for error.

Galois works for the NSA on cryptographic products using Haskell for this very reason. Look up cryptol.

Marc said...

@anonymous: I have no argument with anything you're saying about Haskell.

My point in the post is simply observational; unless Haskell becomes widely used in the commercial marketplace, it is unlikely to become the language of choice for defense systems.

But keep up the advocacy, it won't hurt :-)

Anonymous said...

I left the defense industry not because of the complaints you express, I just couldn't sell my soul to the devil anymore knowing little children are dying from my work.

Anonymous said...

I say we should promote all world governments to use C and C++ for their weapons. Then if they start a world war 3 everything will fail and there will be world peace by default.

Anonymous said...

Ada is the best programming language there is, hands down.

Software Development London Blog said...

Your creation will be useful for many generations to come. Great job.

Nelson said...

I know this is over a year late, but you have my Ada advocacy support.

Michael Yu said...

Your post is so interesting, and it is very useful and helpful for me. Thanks for sharing this valuable post.

awais kamran said...

I always feel more comfortable while coding in C++ rather than in C only.