New blog post: on that time when I decided that if being able to panic one Rust program is good, then a feature that lets you panic _other_ programs would be better, right?
No, really, it's awesome. Here's Hubris's oddest syscall.
Edited this in a lovely coffee shop in Llano, TX, while waiting out the eclipse traffic -- because I really wanted to get it posted today, the kernel's fourth birthday!
Happy birthday kernel.
@cliffle Haven't finished reading yet but Chrome and Firefox are both not loading https://cliffle.com/blog/hubris-reply-fault/gimlet-graph.svg for me. I think it might be because it's being served with the `text/plain` content-type but I could be wrong.
@wezm Odd, it works in Firefox here. I'll check the mimetype settings, thanks!
@wezm Should be fixed now, thanks for pointing that out.
@cliffle Great, thanks. It’s working now.
@cliffle very cool syscall! Had a chance to briefly chat about it with Eliza as well. “Hostility to errors” is a very nice property in a high trust / high assurance context.
@cliffle thanks; very interesting read!
I don't think I've fully digested the implications of a world where sending a message implies giving the recipient the ability to terminate you. Gonna be mulling over that for a while
@esnyder It stems from the notion of "asymmetric trust" in synchronous IPC. You have to trust a function you call, because it might choose to simply never return to you - and so with synchronous IPC. Death is a lot like "never being resumed." There are some good papers on this if you're curious.
https://www.cs.vu.nl/~herbertb/papers/minix3ipc_prdc08.pdf
https://srl.cs.jhu.edu/courses/600.439/shap03vulnerabilities.pdf
(I think those are both linked from the Hubris reference manual bibliography too)
@cliffle ah, yes, in the strictly synchronous case that makes a lot more sense.
(Suddenly kind of want a 'Death is a lot like "never being resumed"' bumper sticker.)
@cliffle this is a really cool idea and I'm definitely going to have to start using this fail-fast idea in firmware
@cliffle @whitequark I love it. And I’m reminded of Charles Babbage:
“I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question.”
I don’t think Babbage had people executed for asking though - good thing tasks don’t have feelings.
@thejpster @whitequark the irony here is that, when it comes to humans, I think patience and nonviolence are important.
At the same time I'm totally that "no smart devices, keeps a weapon by the printer in case it makes a noise" infosec stereotype.
@cliffle @thejpster i occupy an interesting middle ground here, where i don't consider myself human, and operate those and only those smart devices that can become a seamless extension of my will. which isn't many of them but it's a non-zero amount
@cliffle @thejpster patience is a really good way to achieve your goals; i think i wouldn't get far without it with most of my sociotechnical goals
at the same time i don't have any patience for, say, transphobes
@whitequark @thejpster Strictly speaking I'm a cyborg collective, I just restrict myself to including devices for which I wrote the firmware. And mostly built the PCBs. For similar reasons.
And, yes, patience should not become the "paradox of tolerance." My patience for bad-faith behavior is very limited -- much like the Hubris kernel's.
@cliffle @thejpster nice! I always find it fascinating how one's way of existence is reflected deeply in the code one writes
e.g. my Amaranth, Yosys, and general HDL toolchain work is intended to be comforting to those who have burned out repeatedly and completely; to the extent there is technical excellence beyond that, it is because it appeals to me aesthetically
@cliffle @thejpster (really it's less "reflected" and more "extension of the self (selves)")
@cliffle yep. And I understand the Erlang part. Erlang solves the problem by convention. Nearly everyone uses the standard library supervisor and having logic in supervisors is frowned upon. But yeah I can see how you would find it too lax for your kind of environment.
But yeah, crashing a lot in isolated restartable components is something that we tend to not explore enough.
It forces a lot of good design on the code running there.
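Added example, not code from the blog post or from the Hubris project: a toy model in Rust of the two ideas raised in this thread, the "asymmetric trust" of synchronous IPC (a task blocked in `send` can only be resumed by the recipient, and the recipient may instead fault it) and the Erlang-style supervisor that restarts faulted, isolated components. All names here (`Kernel`, `reply_fault`, `FaultReason`, `serve`, `supervise`, the task names and operation codes) are hypothetical stand-ins chosen for the illustration, not Hubris's real syscall interface.

```rust
use std::collections::VecDeque;

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum FaultReason {
    MalformedMessage,
    UndefinedOperation,
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum TaskState {
    Runnable,
    /// Blocked in `send`. Nothing in this model lets the sender resume itself:
    /// only the recipient's `reply` (or `reply_fault`) changes this state.
    InSend { to: usize },
    /// Killed by the recipient. "Death is a lot like never being resumed."
    Faulted(FaultReason),
}

pub struct Task {
    pub name: &'static str,
    pub state: TaskState,
    pub restarts: u32,
}

pub struct Kernel {
    pub tasks: Vec<Task>,
    /// Per-task inbox of (sender id, operation code, payload). Constructed model, not a real kernel.
    inboxes: Vec<VecDeque<(usize, u16, Vec<u8>)>>,
}

impl Kernel {
    pub fn new(names: &[&'static str]) -> Self {
        Kernel {
            tasks: names
                .iter()
                .map(|&name| Task { name, state: TaskState::Runnable, restarts: 0 })
                .collect(),
            inboxes: names.iter().map(|_| VecDeque::new()).collect(),
        }
    }

    /// Synchronous send: the caller blocks until the recipient decides its fate.
    pub fn send(&mut self, from: usize, to: usize, op: u16, payload: Vec<u8>) {
        assert_eq!(self.tasks[from].state, TaskState::Runnable);
        self.tasks[from].state = TaskState::InSend { to };
        self.inboxes[to].push_back((from, op, payload));
    }

    /// Normal reply: the blocked sender becomes runnable again.
    pub fn reply(&mut self, sender: usize) {
        self.tasks[sender].state = TaskState::Runnable;
    }

    /// The recipient refuses a bad message: instead of handing back an error code
    /// the sender would have to check, it terminates the sender.
    pub fn reply_fault(&mut self, sender: usize, why: FaultReason) {
        self.tasks[sender].state = TaskState::Faulted(why);
    }

    /// A server task drains its inbox. Hypothetical protocol: op 1 is a "read"
    /// request that must carry exactly a 4-byte argument; anything else is a bug
    /// in the caller, and the server is hostile to it.
    pub fn serve(&mut self, server: usize) {
        while let Some((from, op, payload)) = self.inboxes[server].pop_front() {
            match op {
                1 if payload.len() == 4 => self.reply(from),
                1 => self.reply_fault(from, FaultReason::MalformedMessage),
                _ => self.reply_fault(from, FaultReason::UndefinedOperation),
            }
        }
    }

    /// Supervisor: every faulted task is restarted (state reset, restart counted).
    /// Returns which tasks were restarted and why they died.
    pub fn supervise(&mut self) -> Vec<(&'static str, FaultReason)> {
        let mut restarted = Vec::new();
        for t in &mut self.tasks {
            if let TaskState::Faulted(why) = t.state.clone() {
                t.state = TaskState::Runnable;
                t.restarts += 1;
                restarted.push((t.name, why));
            }
        }
        restarted
    }
}

fn main() {
    // Task 0 is the server; task 1 sends a well-formed request, task 2 an undefined op.
    let mut k = Kernel::new(&["server", "good_client", "bad_client"]);
    k.send(1, 0, 1, vec![0, 0, 0, 0]);
    k.send(2, 0, 7, vec![]);
    k.serve(0);
    for t in &k.tasks {
        println!("{}: {:?}", t.name, t.state);
    }
    println!("supervisor restarted: {:?}", k.supervise());
}
```

The point the model makes concrete: a sender in `InSend` has no path back to `Runnable` except through the recipient, so the caller is trusting the callee with its life whether or not a fault syscall exists; `reply_fault` just makes that trust explicit and lets the server enforce its protocol without every client having to check error codes. The supervisor then restarts the dead task in isolation, the part Erlang gets by library convention.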
@cliffle I noticed the alt text on the IPC flow graph. Yeah, it sucks that a plain string isn't adequate for describing those kinds of images. FWIW, since that image is an SVG, there are ways of rendering it as a tactile graphic, if one has access to the right hardware (e.g. an embosser). There's even a tutorial on writing SVG by hand, targeted at blind people wanting to produce tactile graphics. https://blindsvg.com/
Anyway, thanks for thinking about describing the image.
@cliffle I hadn’t seen that Hubris’ debugger was called “Humility”, that’s lovely.