
Ivory: an embedded domain-specific language for safer systems programming - manaskarekar
https://ivorylang.org/ivory-introduction.html
======
nickpsecurity
Galois is essentially a commercial R&D lab for businesses and governments.
Although having trouble a while back, this business model plus talent at
solving problems has landed them steady contracts. Even better, they open
source lots of their tools they use for high-assurance software. Ivory's main
use that I know of is SMACCMPilot program for high-assurance drone. They give
details some of you want here:

[https://smaccmpilot.org/software/properties.html](https://smaccmpilot.org/software/properties.html)

Also, check out their blog, Github, and talks for lots of interesting stuff.
In case anyone wonders, I have no affiliation with them: just a high-assurance
researcher that gives props to those in field doing solid work, esp if FOSS-
friendly. :)

------
steveklabnik
Embedded.com ran a story about Ivory and Rust recently:
[https://www.embedded.com/electronics-blogs/say-
what-/4460422...](https://www.embedded.com/electronics-blogs/say-
what-/4460422/Achieving-memory-safety-without-compromise)

------
gmueckl
I have not dug into this, but I am curious: how would you write multiple
interacting, concurrent, timing-sensitive tasks with this? I am thinking about
things like multiple complex protocol stacks on top of different interrupt
driven I/o ports (uart, I2C, SPI) in parallel with a main application that is
supervised by a watchdog.

~~~
dennisdamenace
[https://ivorylang.org/tower-overview.html](https://ivorylang.org/tower-
overview.html)

> The Tower Language is an eDSL for composing Ivory programs into real-time
> systems. Tower programs specify communication channels, tasks, and signal
> handlers, and generate Ivory code which implements scheduling and
> communication for real-time operating systems.

~~~
gmueckl
Interesting! This seems to be in very early development. I do not fully
understamd the simple example, but somehow the basic idea and delarative
nature feels promising to me. I do not have a good enough understanding of
this. I fear that a single central declaration of all the tasks and
communication channels might get unwieldy for a system with realistic
complexity.

------
nine_k
In short: a DSL implemented in Haskell, allows to describe code with mutable
state and various static guarantees around it.

------
cabalamat
Their Hello World example has a lot of boilerplate.

------
Glawen
I do not understand the focus on memory corruption, it is not the major
problem in embedded development. In my experience, the vast majority of
problems were due to logic failures. Sometimes there was a buffer overflow
which was detected in an old function when something new was implemented
somewhere else..

For me the way to go are tools like matlab simulink to better figure out a
complex program, and not yet another language trying to catch memory
corruption bugs.

~~~
AlotOfReading
It's probably because memory issues are simultaneously one of the simplest,
most easily-defined issues to solve and also potentially quite severe.

The more important issues we face are also significantly more difficult to
solve with a simple tool, so there's correspondingly fewer solutions to even
look at and they're often more disruptive to test than a new language.

~~~
Glawen
Indeed.

Anyway i would love to have an open source Simulink-like IDE which generates C
code. There is currently not much choices in model based tool, and none are
open source.

------
isaachier
Sounds cool but hasn't been updated in months. Copyright still has 2017 for
end date. Sort of implies project is no longer maintained.

~~~
politelemon
It seems so - looking at their Github repo:
[https://github.com/GaloisInc/ivory/commits/master](https://github.com/GaloisInc/ivory/commits/master)

Have a look at the pull requests and issues, I'm wondering if this may be an
internal project from GaloisInc but not actively maintained externally.

~~~
justinjlynn
Indeed. Galois have a reputation, at least in the Haskell community, for
designing, building and releasing really cool stuff -- but then not
maintaining it for much longer than the internal project requires. Galois is
primarily a consulting firm and the amount of time they have for projects
depends greatly on how useful they are to their current consulting
arrangements. That said, I don't speak for them in any capacity -- these are
only my personal observations.

------
adamnemecek
The syntax really leaves something to be desired.

~~~
erric
It does seem quite a bit verbose for a simple print statement.

~~~
nickpsecurity
To add to other comment, the main goals of high assurance systems are twofold:

1\. Design systems that either never fail in field or fail safe. Many also
want recovery mechanisms that always work.

2\. Part many miss: convince other people from buyers to regulators they did
No 1.

One reason both Ada and formal specifications are so verbose is that lots of
detail that's implicit in lots of languages are explicit in them so they can
be reviewed. People overlooking detail due to verbosity is a common problem.
People in this industry are disciplined enough to look at stuff in detail,
though. So, the tradeoff of languages in this field is to optimize for
software being read by people who want no stone unturned.

Now, what I cant tell you is how much verbosity is due to it being embedded in
Haskell or just its own design. Verbosity doesnt surprise me, though.

~~~
AnimalMuppet
It really seems ironic to me for "embedded in Haskell" to lead to "verbose".

------
tmuir
Searching for embedded development jobs by the keyword "embedded" is already
an exercise in manually filtering out phlebotomist jobs, teaching positions,
histotechnologists, all sorts of people who think they're differentiating
their offered position by saying "embedded with a team", as if thats
functionally different from "working with people". Now weve added functional
programmers.

Yet it remains by far the most relevant keyword in my experience. I would
think "firmware" would be a better, or at least sufficient catch-all.

~~~
isaachier
Actually even the use of embedded here is somewhat ambiguous. Embedded as in
devices, or embedded as in embedded within another programming language. I
think it might mean the latter here.

~~~
richdougherty
You are correct. The first bullet point on the page defines what embedded
means for Ivory.

> Embedded: Ivory is implemented as a library of the Haskell programming
> language. Ivory programs are written using Haskell syntax and types.

An "embedded DSL" is written inside a host language. It is different from a
DSL which is parsed from characters using an interpreter or compiler.

I agree it's a confusing term in this context. I've also used the term
"hosted". Wikipedia also suggests "internal".
[https://en.wikipedia.org/wiki/Domain-
specific_language#Domai...](https://en.wikipedia.org/wiki/Domain-
specific_language#Domain-specific_language_topics)

