Debugging The Spirit Rover

icebike writes "eeTimes has a story on how the Mars Rover was essentially reprogrammed from millions of miles away. 'How do you diagnose an embedded system that has rendered itself unobservable? That was the riddle a Jet Propulsion Laboratory team had to solve when the Mars rover Spirit capped a successful landing on the Martian surface with a sequence of stunning images and then, darkness.' The outcome strikes me as an extremely Lucky Hack, and the rover could have just as likely been lost forever. Are there lessons here that we can use here on the third rock for recovery of our messed up machines which we manage from afar via ssh?"

Oh, sure...

[inertia187]

Are there lessons here that we can use here on the third rock for recovery of our messed up machines which we manage from afar via ssh?

As a former co-worker (hi, jwalker!) used to say when people tried to draw ridiculous analogies, "It's exactly like that...only different."

Re:Oh, sure...

[JWSmythe]

It sounded like the same type questions non-technical bosses always ask about technical matters.

"We're ordering this brand new hardware that you've never tested before. Can you guarantee it will never crash?"

"Will this database server handle the load of our brand new project?" (without an accurate growth estimate)

"A server 2000 miles away just went down. What happened?" (no ping, no nothing) Hmmm.. Power/NIC/CPU/CPU fan/hard disks?

It really sounds like they did some decent advanced planning on those probes, but from other stories I read, the were shooting for 90 days of reliability, which in itself was a hard one to do. What if it turns the antenna the wrong way and looses connectivity? What if it gets hit by lightning? What if it falls in a hole? (go Beagle!)

Sure, relate this to your web server colocated somewhere you're not. Cross your fingers, hold your breath, and hope there aren't a few fatal systems failures, or a bit of human error. I've been responsible for a bit of that in the past, but at least my equipment wasn't a few million miles away.

Re:Oh, sure...

[FrostedWheat]

What if it turns the antenna the wrong way and looses connectivity? What if it gets hit by lightning? What if it falls in a hole? (go Beagle!)

There is a low gain omni-directional antenna that can be used as backup. Infact I think they use it most of the time for commands and just use the high-gain for data transfer back to Earth. Which makes sense, they never need to send large amounts of data to the rover.

No lightning has ever been detected on Mars. Tho it's not impossible, it is very very unlikely. No proper observations of the night side of Mars has been done tho, so they may just be missing it.

And Opportunity did fall into a hole :)

How'd they do it?

[alwaystheretrading]

That must have been some feat to get the arm on the rover to press Ctrl, Alt and Delete at the same time!

Re:How'd they do it?

[oohgodyeah]

Maybe it's all lies and the Martians hit Ctrl+Alt+Del...

Re:How'd they do it?

[rjamestaylor]

Actually, a friend of mine is a system admin with JPL and he had to drive out to the San Bernadino soundstage [216.239.53.104] where the rovers are being filmed and reboot the computer a 4AM. The funny thing is he left a tool chest and sleeping bag [nasa.gov] (he was using it to minimize footprints and body impression, not sleep on the job!) where the Opportunity rover was scheduled to peek over the horizon and the ensuing photo of the tool chest / sleeping bag on the horizon had to be quickly -- and deftly, I must say -- explained away [msss.com] as being Opportunity's back shell and parachuete.

Just another day in the life of a sys admin!

Re:Oh, sure...

[sjames]

Actually though, it's not too bad an analogy. While Earth based servers aren't absolutely unreachable like SPirit, they are often remote, and there are expenses associated with visiting them in person.

Various schemes now exist to help deal with that. Many boards have a small management processor (bmc, server management board, IPMI, whatever) that is used for remote diagnostics and reconfiguration when the main board won't even boot.

Meanwhile, LinuxBIOS supports two complete BIOS images. One 'old reliable' that once working is never changed, and one that can be upgraded freely. Coupled with a watchdog card or timer, it's decently managable in the field. That work is continuing.

Meanwhile, IBM is pushing the 'blue button' that forces a software reload from an image partition.

In that sense, the problem is strongly analogous. Most of us will not, however, encounter the exact problem that Spirit had, though some embedded device developers just might.

Re:One reasonable anology

[zcat_NZ]

If you're really worried about your remote server being unreachable, here's what I would suggest doing:

Have a hardware watchdog. If the machine is lost or confused, it reboots itself.

Have it come up in a known state, fire off a few broadcast packets to the sysadmins, and run sshd but basically nothing else. Stay there for a minute or so.

If nobody's tried to log in and halt the boot process, carry on booting. With luck the problem was transient. Worst case the problem still exists, you reboot, and the admins get another chance to log in.

From the description of how they got Spirit back, it looks like this is exactly how it was set up.

Who'da thunk it!!

Re:One reasonable anology

[Fallen_Knight]

considering the distance i'd say a while, couple hours doesn't make much diffrence when you got a billion $$ probe on another planet, it surviveing is more important then a fast boot time heh. and you can always login and tell it to continue booting

Re:One reasonable anology

[sjames]

well, this presupposes that what caused the problem in the first place also didn't mess up the hardware watchdog as well.

Nothing's perfect. It also presupposes that the sun didn't explode and vaporize the Earth and that God didn't get ticked off and squish it with his thumb, So What?

A watchdog is a VERY simple device. A simple countdown timer, a control register with associated address decode, etc. It's quite unlikely to fail. When the timer hits zero, it strobes reset. Any access to the port address resets the countdown timer.

Some dual processor boards are even set up to alternate which is the boot processor, so they can come up with a single failed CPU.

There is always some sort of problem that precludes recovery. No amount of software or clever design can help you if the device is destroyed. However, that doesn't mean don't even try.

Local Debugging

[webmaestro]

Man, I have a hard enough time debugging programs running on my local machine.

Re:Local Debugging

[srichand]

In other news stories, the Microsoft Corporation decided to sue NASA, apparently since the right to crash systems was only theirs. Not to be left behind, SCO insisted that the code that caused the failure was unethically copied from their source repositories. This has indeed caused a flutter in the space communities

I dont know about learning much....

[detritus`]

I dont think i want to learn too much from this as the solution was the equivalent of rm -rf... On a side note i wonder when the 40 min ssh delay jokes will begin again

They didn't just randomly delete stuff

[enosys]

From the article:

Using the low- level commands, about a thousand files and their directories -- the leftovers from the initial launch load -- were removed.

I think that means they deleted the useless stuff they wanted to delete anyways but didn't get to delete before the crash. I also remember news about science data from before the crash that was received after they got the rover working again.

As for how critical it is, well yeah, it seems the rover didn't need the contents of the flash file system. The operating system and other software was in the same flash memory but I assume that any sane designer would put in some hardware write protect interlock that's not easy to defeat accidentally.

well

[whackco]

at least it wasn't a blue screen?

Like this?

[The Human Cow]

man rover?

Remote debugging?

[Nimloth]

I don't get it, couldn't NASA afford the on-site warranty?

Re:Remote debugging?

[kfg]

Yeah, but they thought they could save a few bucks and got the Gateway consumer version.

"Oh, you've got the on-site warranty, huh? Ok, first thing you have to do is ship it to South Dakota. . ."

Oh, hey, looks just like Mars.

KFG

rebooting on mars...

[segment]

Interesting reading:

Rebooting on Mars

By Matthew Fordahl, The Associated Press

It's a PC user's nightmare: You're almost done with a lengthy e-mail, or about to finish a report at the office, and the computer crashes for no apparent reason. It tries to restart but never quite finishes booting. Then it crashes again. And again.

Getting caught in such a loop is frustrating enough on Earth. But imagine what it's like when the computer is 200 million miles away on Mars. That's what mission controllers faced when the Mars rover Spirit stopped communicating last month.

...

Tech support for an $820 million mission is a cautious affair. Tools to recover from and fix any problem must be built into the system before launch. The systems' behaviors need to be completely understood and predictable.

"Luckily, during the design period, we anticipated that we might get into a situation like this," said Glenn Reeves, who oversees the software aboard the Mars rovers Sprit and Opportunity at NASA's Jet Propulsion Laboratory.

For stability, reliability and predictability, mission designers did not bust the budget and design the hardware or software from scratch. Instead, they turned to hardware and software that's been used in space before and has a proven track record on Earth as well.

"The advantage of using commercial software is it's well-known, and it's well deployed," said Mike Deliman, an engineer at Alameda-based Wind River Systems Inc., which made the rovers' operating system. "It has been used throughout the world in hundreds of thousands of applications."

The operating system, VxWorks, has its roots in software developed to help Francis Ford Coppola gain more control over a film editing system. But the developers, David Wilner and Jerry Fiddler, saw a greater potential and eventually formed Wind River, named for the mountains in Wyoming. VxWorks became a formal product in 1987.

rest of article [securityfocus.com]

Re:rebooting on mars...

[JWSmythe]

I wonder how many Microsoft salesmen were pushing for putting WinXP on it.. :)

lots of mem of an embedded system

[millette]

Wow, I didn't expect the rover had 128MiB of RAM, or 256MiB of flash. Funny to think they had to run chkdsk from so far away :)

Re:OT:lots of mem of an embedded system

[millette]

I'm serious. http://physics.nist.gov/cuu/Units/binary.html [nist.gov] for all the groovy details. If anything, it's a move away from the hd manufacturers lingo.

Re:lots of mem of an embedded system

[You're All Wrong]

Vx-Works

A highly respected embedded OS.

YAW.

Space Technology

[superpulpsicle]

That's the thing that amaze me. Any technology having to do with space seem that much more advanced.

Here on earth we can't even build cars that require no maintainance and last more than 10 years.

Re:Space Technology

[beeplet]

Actually any technology making it into space is more likely to be 10 years out of date... Getting anything certified for space is a long process. The technology in space isn't more advanced, just much better documented and well-understood.

Re:Space Technology

[kfg]

Ten years out of date, but ten years more reliable for the effort.

Sort of like Debian.

Cutting edge ain't always what it's cracked up to be.

KFG

Re:Space Technology

[alwaystheretrading]

Here's an example of the Mars Rover's 10 year old networking technology:

Ring, Ring, Ring....
"Welcome to the Mars Rover answering system. For English press 1, Para Espanol prensa 2"
BEEP

"You selected English. To leave a message for Spirit press 1. To leave a message for Opportunity press 2"
BEEP

"You selected Spirit. Transfering now." CLICK "I'm sorry, Spirit is unavailable at this time. To leave a message press 1. To return to the main menu press 2"
BEEP

"Hi this is the Spirit rover. I can't come to the

Re:Space Technology

[DerekLyons]

That's the thing that amaze me. Any technology having to do with space seem that much more advanced.

Here on earth we can't even build cars that require no maintainance and last more than 10 years.

Most of the stuff in space that lasts ten years usually has no moving parts, which is what generates much of the maintenace requirements on your car. Nor does it have parts to get fouled, corroded, or otherwise mucked up by the enviroment of or the operation of the car.

And frankly, if your car isn't lasting ten years, then you bought junk in the first place. Of the four cars I've owned, not one has had a lifetime of less than ten years. Three of them were already older than that when then they came to me, and none lasted me less than four years. (Other than the one that got re-possesed, but I had that one three years.) But then I invest in regular maintenance, don't leadfoot, etc...

Re:Space Technology

[Billly Gates]

The Japanese started that.

They make alot of money from loyal customers. But I admit my 13 year old 91 honda civic with 140k miles is getting on my nerves with repair costs. WOuld a 91 ford escort still be running today? I think not.

I will buy only Toyatas and Honda's for that reason.

It amazes me consumers are too stupid to read consumer reports and buy cars on looks. Repair costs for things like Cadallacs and BMW's are not cheap for TCO! Yes consumer products have TCO too and we and not just businesses should look at that as well.

Re:Space Technology

[Zakabog]

I have a 90 ford mustang you insensitive clod. Still runs strong today, has like 107,000 miles on it and I'm sure it'd destroy your civic in a race ;-P. The only money I've really been spending is on a tune up, and new tires (old tires were crappy and leaking air.) And besides when someone buys a Cadillac or BMW (and god damn it it's Toyota, what the hell is Toyata) they don't care about the price. When you're going to spend $30,000 on a "cheap" BMW 3 series you're not gonna care that it's going to cost

Re:Space Technology

[kfg]

No. You can't make a mechanical device like a car that requires no maintainence. Bearings wear out. Hoses and belts have a limited lifespan even you never drive the car, etc. This is the real world. We will obey the laws of thermodynamics. Entropy always wins.

What you can do is make it require less maintainence, make that maintainence cheaper to perform, and make the car last until you hit something really hard so long as you maintain it. You should be able to hand your car down to your kids.

Other than that you're bang on though.

I wonder what we can learn from that about maintaining our computers?

KFG

do they use SSH ?

[Anonymous Coward]

I hope they use SSH or something .. who's to say a future mission ..some hax0r doesnt grab control of a space probe and have it send goatse.cx pics back??

All it takes is a transmitter out in the middle of nowhere africa or some island .. after all the probe communicates using known frequencies. There may be probs picking up the return signal without an expensive antenna i suppose. But then again maybe some hax0r can build one cheaply and or do what captin midnight did ( www.signaltonoise.net/library/captmidn.htm ).

I wouldnt worry about signal jamming though as that will probably be discovered easily.

Re:do they use SSH ?

[mcbridematt]

I don't think they would bother using anything to do with TCP. Anything you do send you will have to wait 9 minutes for. Just imagine the ping times:

Pinging mars-rover with 32 bytes of data:
request timed out
request timed out
request timed out
64 bytes from mars-rover: icmp_seq=0 ttl=64 time=32400ms :(

If it has anything to do with current internet protocols, it would be UDP.

Re:do they use SSH ?

[AhBeeDoi]

ttl=64
I realize that Mars is a long way away, but how many routers do you think exist between here and there?

Re:do they use SSH ?

[Anonymous Coward]

UDP would be even worse. Interplanetary transmission is difficult, so some packet loss is likely. Under UDP the packets would just disappear-it's an unreliable protocol. TCP would of course be too inefficient. I'd expect them to use a custom protocol designed for the specific application, since their situation is totally unlike anything you'll face on Earth.

Pissed Martians

[Tablizer]

The Martians are pissed that the repair labor was outsourced to Earth.

What's the big deal??

[prakslash]

Unless you are a lay person, I don't understand what the big deal is .

If it was the hardware that got fried and they miraculously fixed that, I would understand but this was just a software glitch.

I routinely reboot and reprogram machines in our data-center that is 2000 miles away from me.

As long as all hardware components are working and there is connectivity to the machine, it doesn't matter whether the machine is a few miles away or a million miles away.

Re:What's the big deal??

[Gizzmonic]

I routinely reboot and reprogram machines in our data-center that is 2000 miles away from me.

As long as all hardware components are working and there is connectivity to the machine, it doesn't matter whether the machine is a few miles away or a million miles away.


You are too humble, friend. What you do routinely and without thinking, is nothing less than a miracle of modern science. A miracle that you take part in every day. And because of men like you, we don't have to rely on the abacus anymore. We sent a pentium to the Moon, and soon, Mars will be colonized by G5s. America salutes you, for all the things that you do.....

Like a rock! I was strong as I could be be!

Ooooooohh! Like a rock!

Re:What's the big deal??

[dellis78741]

The tricky part here was that the 'hardware connectivity' depended on 'software functionality'. Try maintaining machine a block away if the commnication link requires both ends to point a satellite dish at an orbiting satellite and that pointing relied of software functioning correctly.

Re:What's the big deal??

[FTL]

I routinely reboot and reprogram machines in our data-center that is 2000 miles away from me.

As long as all hardware components are working and there is connectivity to the machine, it doesn't matter whether the machine is a few miles away or a million miles away.

There are some fundamental differences, my friend:

• If you screw up leaving the computer unbootable, you get local tech support to check the console and fix it. NASA on the other hand doesn't have tech support on Mars.
• If you hose the server, it means a day's worth of reinstallation. If NASA hoses their rover, they just lost $300,000,000.
• You can poke around the system and see what's wrong. NASA has a harder time since their lag time is 20 minutes.
• You can download core dumps, NASA were operating on the low-bandwidth antenna which meant looking at file sizes, time stamps, selected lines, but not file contents.
• You have your boss breathing down your neck (hoping for success), NASA have the international media breathing down their necks (hoping for a disaster).

Re:What's the big deal??

[jelle]

But at NASA, you have a local replica of the whole system sitting in the lab next door, you're in a team of professionals that if necessary can calculate the most probable results of particular radiation hitting your system under a given angle, or can tell you the power usage and temperature effect of the system components given a particular subroutine, or can dream low-level correct assembly for the platform under study, plus the vendor has a couple of on-line support guys sitting in chairs in the corner of your office waiting for your activation command (which is the word "huh?")...

Re:What's the big deal??

[updog]

There is a big difference between this, and your example of forcing a controlled reboot of your remote machines.

Spirit was in a constant reboot cycle, and the fact that they could even communicate with it long enough to bypass the problem was an accomplishment (and lucky).

It would be more similar to your remote data-center machine suddenly going offline and you have no idea why, and you are unable to ssh to it, and you fix it by running through potential scenarios and finding that the problem could have been due to mounting a certain partition, then discovering that there's an exploit in ICMP that allows you to hack to kernel so it doesn't mount that partition.

Re:What's the big deal??

[Matrix9180]

Did you RTFA? The rover was rebooting over and over because it was using up all of it's memory... then eventually the batteries were low so it went into a sort of 'safe mode' where only the absolute minimum was loaded, and that's when NASA was able to communicate with it again...

It was nothing like what you described, just a VERY well designed system (though it would have been somewhat better had the system been able to go straight to "safe mode" after the initial critical error (running out of memory))

Did the people with mod points RTFA? Score 5 Insightful?

And no, I'm not new to /. ;)

Re:What's the big deal??

[amRadioHed]

Are you forgetting that the latency when communicationg with mars averages around 1200000 ms? I'd say that when you have to wait 20 minutes to see the result of anything you do you're going to have to substantially change your debugging strategy.

Re:What's the big deal??

[cookiepus]

I'd say that when you have to wait 20 minutes to see the result of anything you do you're going to have to substantially change your debugging strategy.

Please! Back in the day people would write programs on paper, mail them in an envelope to a computing center somewhere, and get results weeks later.

THAT was pressure not to fuck up.

Re:What's the big deal??

[You're All Wrong]

There was also pressure not to drop your stack of punched cards in those days!

(hint - draw a diagonal line across their top edges so you can get them in order again quickly.)

Some people seem to no know why "batch" files were so-called, it seems.

YAW.

Re:What's the big deal??

[afidel]

Actually I remember NASA doing a hardware repair from most of the way across the solar system. One of the deep space probes was starting to have a problem sending signals, some bright mind at NASA looked at the circuit diagram and figured out that a single component (resistor, cap, can't remember) was starting to fail, they figured out that there was a way to recondition the part. So they came up with a program that basically intentionally overstressed that component path and the extra energy heated up the part an reconditioned it so that the unit was back to working condition.

Re:What's the big deal??

[NymblZ]

As long as all hardware components are working and there is connectivity to the machine, it doesn't matter whether the machine is a few miles away or a million miles away.

That's just it - consider the stress those rovers are enduring or might encounter: subzero tempatures down to -200f, out-of-the-blue (red?) sandstorms, gamma radiation, and who knows what else out there that could suddenly fsck with the systems or scramble internal data ? Your average Dell rack will never have to deal with any of thos

Bud Light Presents...Real Men of Genius.

[Blaede]

Today we salute YOU, Mr. Super Wizard Windows Reinstaller.

Only YOU can fully appreciate the difficulty of running a format c: command, while swilling a room temperature can of Red Bull.

"Hey this stuff is hard now!"

While NASA is too preoccupied with things like farway rovers, you take your vocational tech school fueled arrogance directly to the place where it will make the absolute least possible impact: A Slashdot discussion thread.

"Loggin' on now!"

Your unique eye for obviousness allows you to sling turds of obtuseness every which way, and then brag about how you were RIGHT as soon as one of your pronouncements hit true - regardless of how many times you were wrong before.

"See I told you sooooooo!!"

And if some idiot rocket scientist has the unmitigated gall to not bow down to your obvious Geniusdom, you unleash your fury down upon him with all the tenacity and mercilessness of a rabid pit bull with a tender buttock locked in its jaws.

"Total anonymity!"

So keep clicking away, oh Marauder of the Mousepad. Because when the results you so desire finally come about years from now, you can say it was because YOU demanded it."

"How come they haven't fired that dumbass head of NASA yet yet?"

(Bud Light Beer, Anheuser Busch, St. Louis Missouri.)

Uh-oh

[z0ink]

"We recognized early in the planning process that the flash file system had a limited capacity for files."

Sounds like NASA forgot to empty the rover's recycle bin. =)

Re:Uh-oh

[LnxAddct]

I've thought long and hard on this topic and yes on windows it is accurately called the recycle bin because you dont get rid of the junk you put in there, it gets reused in some other part of your system. You put junk in, the junk is modified into other junk and then sent back to create new system dlls. In linux(and I believe macs) it is accurately called the trash can because what we put in there is thrown out for good, we don't have our junk recycled to create more, but different, junk:)
Regards,
Steve

Re:Uh-oh

[brendan_orr]

Nah, Linux, Mac OS X, *BSD, and other *nix users have /dev/null as a trash can.

Re:Uh-oh

[AhBeeDoi]

Nah, Linux, Mac OS X, *BSD, and other *nix users have /dev/null as a trash can.
Trash can? More like a neutron star, 'cause anything you put in it is totally and absolutely gone.

The proper fix...

[Dan East]

...would have been to have "fixed" the problem before the hardware left earth. This "bug" (or more accurately, known limitation of the filesystem) should have been discovered here on earth if the rover had been properly tested.

The only real bug was the inability of the system to properly handle running out of file entries (or more specifically, consuming too much RAM as the number of file entries increased). However the software should have never have stressed the filesystem to that degree in the first place.

Dan East

Re:The proper fix...

[Chester K]

The only real bug was the inability of the system to properly handle running out of file entries (or more specifically, consuming too much RAM as the number of file entries increased). However the software should have never have stressed the filesystem to that degree in the first place.

When you can write an embedded operating system that can gracefully and automatically recover from every possible thing that might ever go wrong, perhaps you should send your resume to NASA.

Re:The proper fix...

[KewlPC]

Score: -1, Didn't Read Article

The rovers were extensively tested before launch. For example, NASA took about 100000 pictures with the test panoramic cameras under varying conditions to see how they would react. NASA put a test rover on a tilting platform to see how far over the rover tilt before it capsized, to find out at what angle the electric motors could no longer drive the rover up a hill, etc.

This limitation of the filesystem was known about ahead of time. If you had read the article, you'd have known that. They had a utility to clean out the rover's filesystem, but a storm at the Deep Space Network site that was supposed to transmit it prevented the second half of the utility from being uploaded to the rover. And before you say anything else, the article also mentioned that the people involved had thought of this possibility ahead of time.

Hindsight

[FTL]

The article (I know, I know, this is Slashdot) is really good. It contains everything that is missing from traditional media. The story, the background, technical details, and follow through.

Granted mainstream media have to keep their coverage dumbed down if Joe Public are going to read it. But what really bugs me is the lack of follow-up. We hear about poorly understood events as they are unfolding, then never heard about them later when they are completely understood.

A recent example is the gangway between ship and shore at the QM2's drydock. It collapsed killing lots of people, an investigation was launched. Why did it collapse? At the time it wasn't known. I'm sure it's known now, but there's been absolutely no followup.

This article about the rover is great not so much because of the level of detail but because it reports on an event with the benefit of hindsight.

Re:Hindsight

[Jeremy Erwin]

I'm sure there will be at least some mention of the results of the investigation when it is completed and various persons are prosecuted. In the meantime, here's a relatively recent article [yahoo.com] on the investigation into the collapse.

Re:Hindsight

[Anonymous Coward]

I'm a journalism undergrad at a large university. One of the points I brought up with some of our administrators is that the innumeracy and scientific illiteracy of the graduates of our program is appalling. I think this is one reason why many important stories don't get reported accurately or in depth: the writers simply don't understand the story, and don't want to understand the story. They actually feel that math and science are somehow beneath them, and that the average reader doesn't need to be bothered with the facts. So we get vagueness instead of specifics in the articles we read.

I suggested we allow j-students to substitute math or hard science minors in place of the foreign language requirement. Most graduates of college foreign language programs don't translate at a level any higher than Babelfish. It seems wasteful to force people to spend so much time learning a language that most will never use, when that time could be more productively spent introducing them to the languages of math and science, which they will undoubtedly use in the future. We'd get better reporting that way, and isn't that what going to j-school is all about? Science and technology are too important to our day-to-day lives and governance to be left to illiterates.

Re:Hindsight

[addaon]

I think this is exactly what he means. We get the beginning of the story, but then, no followup!

What the article doesn't say

[Mr2cents]

What filesystem is used? Is wear leveling being used? The directory structure is apparently stored in RAM during the day (why else would it use so much RAM?), that is a good thing for reducing wear on the flash system. But what's the number of writes on the flash chips? When will that number be reached?

Re:What the article doesn't say

[afidel]

Never, the rovers are only going to operate for ~100 days, the number of writes for modern flash ram is 100K cycles minimum, over a million typical. So unless they are really screwing something up that shouldn't be a limitation, also distributing file placement shouldn't be a software function, good CF cards do it in the controller logic.

Mod this "redundant"

[Penguinshit]

'How do you diagnose an embedded system that has rendered itself unobservable?'

The way you do this is by having an exact duplicate of the remote system so you can set up a test with conditions as close to those under which the remote system is currently operating. You can then do a series of carefully controlled test solutions to determine the optimum prior to trying it on the "live" system.

This is the way I set up all my production systems and, barring catastrophic hardware failure (self-immolating disks and a router which just folded when its power supply burped) I've had perfect uptime.

(well, ok.. there was that one time, late at night, when I typed "reboot" in the wrong window.. but that happens...)

Lucky Hack?

[electromaggot]

"The outcome strikes me as an extremely Lucky Hack..."

The outcome does not strike me as a "Lucky Hack." They made the system flexible, that flexibility got them into some trouble, and it's also what got them out of it. Anyone else agree?

Yes, see my post

[SuperKendall]

I had pretty much the same post - the originator of the story confuses luck with skill, a mistake a find very annoying and committed all too frequently. I'll fully admit when I've been lucky, but I also went recognition for foresight when I've had some! NASA deserves at least that much respect.

All these worlds....

[dmeranda]

"The irony of it was that the operating system was doing exactly what we'd told it to do," Klemm lamented.

Yeah, that was HAL's excuse too.

Seriously, hats off to all the JPL programmers. Proving to the Martians that there is indeed intelligent life on Earth, very intelligent.

Remote debugging pet peeve

[Peter McC]

My pet peeve when I'm doing remote troubleshooting is 'ifconfig eth0 down'...oops. At least NASA is smarter than that.

Peter.

Lucky Hack?

[SuperKendall]

Your post is the only thing that strikes me as a "Lucky Hack" here. They included the ability in the design to remotely disable booting from flash and upload new boot images, in what way is that a "hack"? All this is just foresight in design to include as many possible recovery modes as they could.

Basically, they rebooted from a recovery image (sent via radio) and then proceeded to do low-level fixes on Flash memory and they a chkdisk. If I do something similar via recovery disk or CD, I don't get a lot of people telling me that it was a "Lucky Hack" that I could boot off of CD!!!

NASA Rocks!

[blueZhift]

Great article! This is just the sort of thing that has always impressed me about NASA and the JPL. Just when mere mortals might give it up and walk away, they figure out the problem. I can only imagine how wild the party must have been after they fixed Spirit, the scientists and engineers I've worked with in the pass could really put away the booze.

Seriously though, the key lessons to take away from this are.

1) Gather all of the clues you can.

2) Take those clues and build a model.

With luck and care, the model should get you closer to what may have gone wrong. And in this case it apparently did just that. Now that's geek cool!

BTW, I know that generally you want to prevent this sort of thing from happening. But in reality most software ships with bugs and launch windows to Mars are non-negotiable.

Remote safe mode

[Megane]

The first thing needed to achieve remote maintainability on the order of space probes is some way to access a machine remotely when it's not running the full OS. A KVM switch isn't going to work over long distances. The BIOS needs a way to run over the network. Same for the kernel boot messages. Whether it's through a serial console and SSH server, or through the BIOS running TCP/IP, what we have now isn't enough. A separate console server could also control a power cycle/reset switch circuit.

There also needs to be a way to load bootstrap code remotely. For instance, having a TCP/IP enabled BIOS be able to run TFTP or some other protocol to load a netboot floppy image. Then you could give it a LILO command instructing it where to find a boot image, preferably one on a server in the same hosting center.

whoops

[usillyman]

Operating System not found. Press any key to continue.
Damn! Left the floppy in!

Could an earthbout 'twin' computer help?

[AaronStJ]

What surprises me is that they don't have a 'twin' of the rover's computer system set up on earth. When commands are run on the rover, the same commands could be run on the computer system on earth. Then, if the rover's software, fails (as it did), the software on earth would (theoretically) fail in a similar way, and be MUCH easier to debug. Of course, the systems wouldn't be identical (without building an entire duplicate and expensive rover), and the data gatehred wouldn't be identical, but if the twin was carefully planned and fed dummy data that aproximately mirrored that data the rover was gathering. For example, the twin could be fed dummy pictures about as often as the rover took a real picture.

From the article "[The] transmission that uploaded the utility was a partial failure: Only one of the utility program's two parts was received successfully. The second part was not received, and so in accordance with the communications protocol it was scheduled for retransmission on sol 19." NASA could have simulated a half failed transfer on the twin copmuter on earth, and then watched carefully using traditional debugging tools to make sure the failed transmission didn't cause a software failure (which it did).

Again, from the article "The data management team's calculations had not made any provision for leftover directories from a previous load still sitting in the flash file system." However, if they had a twin computer system to watch, they would have seen that the failure occur on earth as it did in space. Debugging a system you can hook a serial debugger to is bound to much easier than debugging a system a million miles away.

Re:Could an earthbout 'twin' computer help?

[Anonymous Coward]

Uhmm... we DID build a 'twin' of the rover, hardware and all. Give us a bit more credit, will ya? :-P What you may not realize is that exposure to radiation on the surface of Mars, solar wind while in transit and other factors such as thermal expansion / contraction, etc. are slowly degrading the rovers in nondeterministic ways. It is not nearly as simple as 'running the commands in the testbed' at JPL to diagnose any problems which occur.

Re:Could an earthbout 'twin' computer help?

[Gogo Dodo]

They do have a twin system here, but having one here isn't quite the same as the two on Mars. You can't replicate everything on the two Mars rovers such as the science data files.

When Spirit was turned around on it's lander, they tested the moves on it's twin here, hence the long delay getting off the lander.

Brilliant!

[frenchs]

They could have set it up out in my backyard to take pictures of the piles of crap and rocks out there and if they wanted to simulate the solar radiation, they could have my girlfriend give it one of her famous looks... cause those are leathal enough to burn a hole in your soul.

-SF

There is a significant lesson to learn, here ..

[Anonymous Coward]

.. namely, "Do Not Use VxWorks". Use something stable instead. eCos [planetmirror.com] comes to mind. So does everyone's favorite OS these days [kernel.org], which has RTOS support. Having been a frustrated VxWorks user in the past, I'd no more entrust my mission-critical services to it than I would to Microsoft. -- TTK

Does Microsoft know about this?

[superyooser]

The operating system is Wind River Systems' Vx-Works version 5.3.1, used with its flash file system extension.

First wxWindows [slashdot.org], now Vx-works?

Great trick for ssh administration

[nsayer]

Before doing something risky, type this:

sleep 600 && reboot &

Now if your risky maneuver makes the ssh session unusable, just wait 5 minutes for the machine to reboot.

This is great for fiddling with firewalls by remote control... through the firewall. :-)

Oh... You say you're not using a POSIX-like system? That's not supported. Sorry. :-)

Verifying the software !!!

[vinit79]

What really surprises me is that NASA did not verify the software. Software verification [google.com] is essentially mathematically proving the software. It is tedious and expensive but we are talking about NASA and the Mars. Infact even beloved MS formally verifies device drivers [microsoft.com] before use ( believe it or not !!) If the original program was correct they wouldnt have to reupload it and the entire problem ...gone.

Re:Verifying the software !!!

[WayneConrad]

Software verification is essentially mathematically proving the software....

I've been hearing how great formal verification is since I started this gig. Three decades later, it's still not what Yourdon and his buddies thought it would be. When the first computer scientists were budded from mathematics departments, their mathematical discipline allowed them to do wonderful things, some of which we're still catching up with. But it also gave them some disturbing habits, the worst of which is the insistence that formal verification is the best way to write code, and anyone not doing so must be a fool.

Formal verification is a powerful tool, but as you say, it is expensive and applies to only a limited set of problems. If it were so cheap and so widely applicable, we'd be using it everywhere.

We've poured decades of funding into formal verification, but the useful tools keep coming from other avenues of research. I think it's time to stop beating the formal verification drum.

The only reason nasa got it back to work

[PipoDeClown]

is because when the batteries got drained the os went into a stable "safe mode" state. If they made a long lasting powersupply this project was doomed(.f) and they never found out what the real problem was.

What we can learn:

[sakusha]

It appears that we still haven't learned the biggest lesson of all. I still remember back around 1970, there was a big sign on the wall next to the IBM 370s at my university, written on a primitive pen plotter, it said:

Computers never make mistakes, they do exactly what humans tell them to do. All "computer errors" are human errors.

Re:What we can learn:

[ColaMan]

Unless you own an early pentium.

JPL

[EachLennyAPenny]

The JPL is a pretty viral license. It forces you to spread their space probes from your planet to all your customer's planets. This is un-solar systematic! What's next? Calling GNUpiter Jupiter instead?

Hmmmm

[ziggy_zero]

"The irony of it was that the operating system was doing exactly what we'd told it to do"

Funny, that's how it was explained to me by my computer science teacher my freshman year in high school. He said, "The problem with computers is that they do exactly what we tell them to."

Discovered a system log ?

[thrill12]

"We discovered a system log in which the problem was documented,"
Those guys are running a very expensive experiment, are logging it and they have no idea what and where they are logging??

Logging should not be limited ?

[thrill12]

Seriously, from a developer viewpoint, that is all wrong.
I have worked on projects in which there was simply too much logging going on that you couldn't tell head from toe anymore. When a problem arrived, scanning the logfiles proved very cumbersome indeed. Every developer had his own stuff logged, which sometimes proved interesting, sometimes proved utter crap (noone wants to know variable XYZ is increased by 1 for 24943 times).

You should develop a well-thought logging strategy that increases the logging verbosity on a problem-basis, not simply log everything that happens and hoping you get some useful information.

Launching with incomplete code is common

[rarose]

The enroute time for Cassini to get to Saturn was 7 years; rather than push back an already long mission they launched with feature-incomplete code. They knew they had 7 years to get the software fully functional and debugger; they've updated it remotely from millions of miles away a number of times now.

I'm sure the rovers did the same thing... Develop the launch/cruise software before you launch (and of course try to get as much of the entry/landing code done as you can!), and then uplink the final code before it's needed. Therefore it doesn't surprise me one bit that the JPL engineer knew there were shortcomings in the launch software.

Hell, I develop BIOS for servers and we do it all the time. The BIOS image we give the hardware engineers for initial bringup is usually *way* short of features that will be there when it actually gets used by the customers!

you, too, can have this capability on earth...

[sommerfeld]

It's not that hard to pull off off this sort of seemingly amazing remote recovery with pure off-the-shelf tech if you plan for it in advance and are willing to pay a modest premium.

You need remote serial console access -- ideally including firmware/bios serial console access -- and remote power cycling, controlled by a small embedded system, either in separate units (APC masterswitch, terminal servers) or as part of the system unit (common on Sun gear as "LOM"/"ALOM"/etc.; some of this is also creeping into x86 mobos). All this lets you regain control of the system remotely.

Then it becomes a matter of hardening the system to let you recover from various other insults. Never let go with both hands: Mirrored disks (protecting against hardware failure) and multiple bootable partitions (protecting against software or human error) can both be used; netbooting is also a nice capability to have when you've got a bunch of servers in the same place.

Disclaimer: I bet you can do much of the above with other people's gear, but I work for Sun and I know it works for me...

not really...

[rebelcool]

on projects such as this, the design specs would've been frozen several years ago, and then would've been conservative for the time, using proven technology.

Another factor in this is the safety of the flash ram. It is rad-hardened and built with tons of extra error correction which again, requires years of testing and special design considerations. And is extremely expensive.

Re:only 120 megs ram?

[KewlPC]

You realize that the onboard computer is basically the same one as used on the Mars Pathfinder lander, right? Same CPU, same amount of RAM, even the same OS. I wouldn't be surprised if they used the same (or similar) circuit diagrams for certain things.

The point is to use well known and well tested hardware. The whole point of Mars Pathfinder was to develop a system whose design could be re-used for other Mars landers and rovers.

Lastly, what exactly are you going to do with greater flash capacity? The point of having any flash memory on the rovers at all is not for long term storage, but rather just to hold onto data until it can be transmitted to Earth, after which it gets deleted.

Despite what some idiot posted a few posts up, they did NOT run out of room on the flash drive. Rather, the problem is more akin to running out of i-nodes. Mounting the flash filesystem, reading all its metadata and whatnot, took up more RAM than was allocated for it, due to the high number of files it had to deal with (most of which were accumulated on the way to Mars, and were going to be deleted).

Re:NASA should have simulated...

[updog]

The fact that they filled up the flash memory with too many files that were accumulated during the cruise phase of the mission between earth and mars was something that they should have known would happen. Apparently you didn't read the article. Because of a communication failure, a utility that was supposed to delete the old files didn't get completely uploaded. The utility was scheduled for retransmission, but the filesystem filled up before it got re-transmitted.

Re:NASA should have simulated...

[KewlPC]

You realize that missions to Mars can only be launched once every two years, right? If they miss their launch window, they've got to wait two years before they can launch again.

You also realize that NASA did do a test mission, right? They built a test rover and put it out in a desert somewhere. They used the mission to test the hardware, test the software, and to help train the team.

Ran out of INODES. No really.

[dorko]

If you RTFA you will realize that I'm not lying in the least when I say that, effectively, they ran out of flash-based "disk" space!

Well, I did read the article and I wouldn't say it quite like that. The article says: "Spirit attempted to allocate more files than the RAM-based directory structure could accommodate." Furthermore, the article says that the low-level file manipulation commands "worked directly on the flash memory without mounting the volume or building the directory table in RAM ."

To me, if this were a Unix-like system, it sounds like they ran out of inodes [webopedia.com]. Running out of inodes is very different than running out of disk space.

If you think runing out of disk space can be hard to trouble shoot, try running out of inodes.

Re:Ran out of INODES. No really.

[Concerned Onlooker]

If you think runing out of disk space can be hard to trouble shoot, try running out of inodes.

That's why I always keep a spare bag or two of inodes on hand, just in case. They're small so they don't take up too much space in the closet. I store them next to those f-stops I used to use for photography.

Re:Ran out of flash disk space. No, really.

[SiliconEntity]

Here's what happened according to the article. They launched the ship with an OS image in flash, and soon realized that they needed to update it. So shortly after launch they sent another complete OS image. They knew they'd have to delete the first image, but they didn't do it right away. At that point there was plenty of room in the flash memory so having two OS images was not a problem.

After a few days on Mars, they were starting to fill up the flash, so they planned to go ahead and delete the old la

Re:Ran out of flash disk space. No, really.

[dorko]

[T]hey are running out of flash space. ... The flash memory was exhausted.

No, no, NO!

It was the inability to build the RAM-based directory structure of the files in the Flash memory.

Why couldn't they build the directory structure? They had too many files, the size of the files doesn't matter here, only the number of files.

In other words, they ran out of RAM, not Flash.

Exercise left for the readers: Why can a Unix file system that is out of inodes have much less than 100% disk usage and still not be able to create a file?

Re:WindRiver's fault

[KewlPC]

Actually, they used VxWorks because it was the same OS used for the lander on the Mars Pathfinder mission. Since they were using the same CPU and same basic computer design as the Mars Pathfinder lander, they probably figured, "Why not use the same OS?"

Re:WindRiver's fault

[KewlPC]

WindRiver may give JPL large discounts, but I doubt that's the only reason VxWorks is running on the MERs.

Years ago, when JPL was designing the Mars Pathfinder mission, they asked Wind River to do an "affordable" port of VxWorks to the RAD6000 (a radiation-hardened RS6000), and they agreed. Since the computers on the two MERs are very similar to the computer on the Mars Pathfinder lander, it makes sense that they'd use the same OS that they used on the MPF lander.

I would think the fact that JPL knows VxWorks very well by now would be a major factor in deciding to use VxWorks for the MERs.

Except just one thing:

[Chemisor]

> What on earth (or on Mars) could we possibly take away from this experience?

Rule 3: Never ignore the return value from open.