alt.hn

4/7/2026 at 10:25:12 AM

We found an undocumented bug in the Apollo 11 guidance computer code

 https://www.juxt.pro/blog/a-bug-on-the-dark-side-of-the-moon/

by henrygarner

4/7/2026 at 10:50:13 PM

Mike Stewart here! I led the restoration of the AGC documented on CuriousMarc's channel and co-administrate VirtualAGC. There is a lot to unpack here.

First: this is indeed a real bug in the AGC software. However, it did not go unnoticed for the whole program. It was discovered during level 3 testing of SATANCHE, and late development branch of the Command Module software COMANCHE. It was assigned anomaly number L-1D-02, and was fixed between Apollo 14 and 15. There are two known surviving copies of the L-1D-02 anomaly report:

* https://www.ibiblio.org/apollo/Documents/contents_of_luminar...

* https://www.ibiblio.org/apollo/Documents/contents_of_luminar...

The fix described in the article is partially complete, but as noted in the anomaly report there's a little bit more to it. Rather than just adding the two instructions to zero LGYRO, they restructured the code a bit and also cause it to wake up pending jobs. You can compare the relevant sections of the Apollo 14 and Apollo 15 LM software here:

* Apollo 14: https://github.com/virtualagc/virtualagc/blob/master/Luminar...

* Apollo 15: https://github.com/virtualagc/virtualagc/blob/master/Luminar...

The bug would not manifest silently in the way described in the article. For starters, LGYRO is also zeroed in STARTSB2, which is executed via GOPROG2 on any major program change: https://github.com/virtualagc/virtualagc/blob/master/Luminar...

This means that changing from any program to any other program would immediately resolve the issue. This is almost certainly a large part of why it took them so long to notice. Hitting BADEND while actively pulse-torquing is quite rare, and avoided by normal procedure. The scenario presented in the article can't happen since the act of starting P52 will zero LGYRO.

Moreover, in the very specific scenarios in which the bug can be triggered and remain, it results in multiple jobs stacking up attempting to torque the gyros. Eventually the computer runs out of space for new jobs -- similar to what happened on 11 -- and a 31202 (the Apollo 12+ equivalent of 1202) is triggered.

Since the issue was found before the flight of Apollo 14, a further description of how it might occur and what the recovery procedure should be was added to the Apollo 14 Program Notes: https://www.ibiblio.org/apollo/Documents/LUM159_text.pdf#pag...

Some other notes:

> Ken Shirriff has analysed it down to individual gates

I've done the bulk of the gate-level analysis. :)

> the Virtual AGC project runs the software in emulation, having confirmed the recovered source byte-for-byte against the original core rope dumps.

We've only been able to do that in very specific circumstances and only for subsections of assorted programs, but never for a full program. Most AGC software either comes from a program listing, from a core rope dump, or from reconstruction using changelogs and known memory bank checksums. We've disassembled all of the rope dumps into source files that assemble back into the same binary, but the comments and labels will be different from what was in the original listing. And to be extra clear: I've never had the opportunity to dump a module containing Apollo 11 software for either vehicle. Our sole source for both programs is a pair of printouts in the MIT Museum's collection.

> Margaret Hamilton (as “rope mother” for LUMINARY) approved the final flight programs before they were woven into core rope memory.

Jim Kernan was the rope mother for Luminary at least up through Apollo 11. Margaret was the rope mother for Comanche, the CM software, and was later promoted to lead the software division. Their positions at the time of 11 can be seen on this org chart: https://www.ibiblio.org/apollo/Documents/ApolloOrg-1969-02.p...

> Their priority scheduling saved the Apollo 11 landing when the 1202 alarms fired during descent, shedding low-priority tasks under load exactly as designed.

This is a huge topic on its own, but the AGC software was not designed to shed low-priority jobs. Ironically, the lowest priority job during the landing was the landing guidance itself, with high-priority jobs being reserved for things that needed quick response like antenna movements or display updates. If the computer were to shed the lowest-priority jobs, it would shed the landing guidance. This memo contains a list of all jobs active during the landing and their priorities: https://www.ibiblio.org/apollo/Documents/CherryApollo11Exege...

> For example, the ICD for the rendezvous radar specified that two 800 Hz power supplies would be frequency-locked but said nothing about phase synchronisation. The resulting phase drift made the antenna appear to dither, generating roughly 6,400 spurious interrupts per second per angle and consuming roughly 13% of the computer’s capacity during Apollo 11’s descent. This was the underlying cause of the 1202 alarms.

The frequency-lock prevents phase drift, so the phase is essentially fixed once the power supplies are up. Ironically, however, the bigger issue is that one reference was 28V while the other was 15V. Initial testing on actual Apollo hardware suggests that at least for Apollo 11, this voltage difference was the key contributor rather than the phase difference: https://www.youtube.com/watch?v=dT33c70EIYk

by thewonderidiot

4/8/2026 at 2:55:49 PM

Mike, thank you so much for such patient and thoughtful corrections. I've updated the article in response to each point you raised and added footnotes crediting you and Ron Burkey, who shared some of the same feedback via email. It's been extremely cool to learn more about the Apollo program lore in the process of pulling this all together.

Your experimental work on the voltage difference is fascinating, I appreciate you sharing the link to the demo. There's something about seeing results come off real hardware that you just don't get from computer simulation. Watching your setup brought back some of the excitement I felt driving my Makerbot via a stylus input 15 years ago (probably the last time I seriously engaged with hardware) [1]. Thanks!

[1] https://www.youtube.com/watch?v=RNvt9PGhnds

by henrygarner

4/8/2026 at 12:03:46 AM

The front page has moved on but this is pure gold, thanks for making the time to share all these details.

by password4321

4/8/2026 at 12:26:23 PM

Waiting patiently for the blog post to be edited as it's now clear it makes wrong claims starting with the subheading: "How a specification found what fifty-seven years of scrutiny missed."

by croemer

4/8/2026 at 4:02:17 PM

Update has happened

by croemer

4/8/2026 at 1:24:09 AM

I was hoping you'd comment here. Thank you. Amazing bits of lore.

by jacquesm

4/8/2026 at 3:44:44 AM

One of the coolest replies I've ever seen on HN for sure. Thanks for taking the time to write this out!

by replwoacause

4/7/2026 at 1:06:20 PM

For anyone who liked this, I highly suggest you take a look at the CuriousMarc youtube channel, where he chronicles lots of efforts to preserve and understand several parts of the Apollo AGC, with a team of really technically competent and passionate collaborators.

One of the more interesting things they have been working on, is a potential re-interpretation of the infamous 1202 alarm. It is, as of current writing, popularly described as something related to nonsensical readings of a sensor which could (and were) safely ignored in the actual moon landing. However, if I remember correctly, some of their investigation revealed that actually there were many conditions which would cause that error to have been extremely critical and would've likely doomed the astronauts. It is super fascinating.

by ChicagoBoy11

4/7/2026 at 1:10:44 PM

And that's why it's harder (or easier?) to make the same landing again -- we taking way less chances. Today we know of way more failure modes than back then.

by deepsun

4/7/2026 at 3:43:36 PM

They sent people up in a tin can with the bare minimum computational power to manage navigation and control sequencing. It was barely safer than taking a barrel over Niagara Falls. We do have much more capable and reliable technology.

by kevin_thibedeau

4/7/2026 at 3:53:28 PM

Buzz Aldrin (?) was quoted as recalling holding a pencil inside the capsule as they were out in space and thinking "that wall isn't very thick or strong, I could probably jam a pencil through it pretty easily..."

Death being a layer of aluminum away changes your mind.

by jvm___

4/7/2026 at 2:21:16 PM

It's a miracle nobody died in flight during the program. Exploding oxygen tank, rockets shaking themselves to pieces during launch, getting hit by lightning on top of a flying skyscraper full of kerosene and liquid oxygen....

by wat10000

4/7/2026 at 3:44:13 PM

Gus Grissom, Ed White, and Roger Chaffee died on the Apollo program. I feel it's not polite to ignore that fact even if you add an 'in flight' qualifier.

by djmips

4/7/2026 at 11:58:20 PM

And it's even more interesting in the fact that our rocket program started with the former rocket scientists from Nazi Germany who were brought over at the end of WW2 to work in the American rocket/missile program.

by vondur

4/7/2026 at 2:23:43 PM

Starting from the first test pilots, a lot of people died for us to get to the point to launch that flight. So while no one died on the flight, lots of people died just getting us there. If I recall, in The Right Stuff, it's mentioned that those early test pilots had something like a 25% mortality rate.

by thinkingtoilet

4/7/2026 at 2:32:50 PM

The early jet age was pretty nuts. Check the Wikipedia page for a random fighter from the era and you'll see figures like, 1,300 built, 50 lost in combat, 1,100 lost in accidents. And that's operational aircraft. Test pilots were in even more danger.

by wat10000

4/7/2026 at 3:01:49 PM

Some were pretty bad, but none were nearly that bad. The B-58 Hustler lost 22% of its airframes, the F7U Cutlass 25%, the F-104 Starfighter in German service lost 33%. And those were outliers.

by Quinner

4/7/2026 at 4:34:58 PM

You're right, those numbers are from the F-8 but include non-total-loss accidents.

I don't think the numbers you quoted are outliers, though. The F-100 lost ~900 out of 2,300. The F-106 lost ~120/342. That's a pretty big list of planes with a 1/5-1/3 loss rate.

by wat10000

4/7/2026 at 3:55:11 PM

You should go back even a little further, the USPS air mail service lost 31 of the first 40 pilots.

by jaggederest

4/7/2026 at 4:27:50 PM

Back in the days where the plan was "So we've built literal signal fires and giant concrete arrows and well, good luck, it won't help"

by mrguyorama

4/7/2026 at 7:09:17 PM

Have you ever listened to Robert Calvert's "Captain Lockheed and the Starfighters"?

by ErroneousBosh

4/7/2026 at 7:11:11 PM

Think about the "failure mode" of the aircraft that won World War II, the Supermarine Spitfire.

There was a fuel tank mounted between the engine and cockpit so if it took enough of a hit to puncture right through (not hard, in practice) the failure mode was that the cockpit was now full of a 350mph jet of burning petrol.

Still, it did the job.

by ErroneousBosh

4/7/2026 at 3:42:39 PM

"popularly described" and how it's currently understood are two different things. Because it's hard to explain to lay people, it's popularly described in a number of simplified ways, but it's well understood.

by russdill

4/7/2026 at 10:22:56 PM

Since we are on HN, I think it could be explained there (before it's all consumed by AI slop):

For complex reasons, available CPU time during landing was lower than expected (it was stolen by radar pointing peripheral). This caused regularly scheduled job to spawn before previous instance finished. As such, this caused two effects: job instances were suspended before finishing by new instances in the middle of the routine, and that pilling up of the old instances eventually exhausted resources and caused kernel to panic and reboot. Rebooting during landing sounds scary, but that actually was fine: such critical tasks were specifically designed to automatically restart from previously saved checkpoint data in the memory.

What was more dangerous, was the suspended tasks before restarts occured. First, it meant routine wasn't executing to the end, which in actual flight caused blanked displays (as updating the display was the last thing routine was doing). Any more CPU time stolen, and it could be interrupted even earlier, eg. before it sends the engine commands.

Another issue is that in case of fluctuating load, new instances could actually begin running to the end, and then previously suspended job instance could be resumed, potentially sending the stale data to the displays and engine.

And finally, while each job instance had it own core and VAC set properly managed by the kernel (think of it as modern kernel switching between task stacks), that particular routine wasn't designed to be reentrant. So it was using various global variables ("erasables") for its own purpose, that when interrupted in unluckly place might have caused very bad behavior.

How likely all of above is to occur, depends on the exact profile of fluctuating load caused by the confused radar peripheral. I guess that's why Mike Stewart is trying to replicate these issues with real CDU.

by garaetjjte

4/7/2026 at 1:20:25 PM

Still my all time favorite snippet of code.

    TC    BANKCALL    # TEMPORARY, I HOPE HOPE HOPE
    CADR  STOPRATE    # TEMPORARY, I HOPE HOPE HOPE
    TC    DOWNFLAG    # PERMIT X-AXIS OVERRIDE
https://github.com/chrislgarry/Apollo-11/blob/master/Luminar...

by buredoranna

4/7/2026 at 3:45:57 PM

Cadr here has no relation with lisp cadr, right?

by f1shy

4/7/2026 at 5:20:26 PM

Correct.

CADR is an AGC assembly directive defining a "complete address" including a memory bank, in this case a subroutine to be called by the preceding BANKCALL (TC = transfer control, i.e., store return address and jump to subroutine), which switches to the memory bank specified in the CADR before jumping to the address specified in the CADR.

For a brief explanation of AGC subroutine calls, see [1].

CAR and CDR in Lisp come from the original implementation on the IBM 704, where pointers to the two components of a cons cell were stored as the (C)ontents of the (A)ddress and (D)ecrement fields of a (R)egister (memory word).

(CADR x) is just shorthand for (CAR (CDR x)), i.e., a function that returns the second element of a list (assuming x is a well-formed list).

[1] https://epizodsspace.airbase.ru/bibl/inostr-yazyki/American_...

by jasomill

4/7/2026 at 2:21:06 PM

Can you explain this to me?

by donkeyboy

4/7/2026 at 2:45:56 PM

I think the point was the comments more than any of the code requiring explanation. There's nothing more permanent than a temporary solution

by dylan604

4/7/2026 at 6:03:29 PM

I'm having a really bad Mandala effect right now where I remember some XKCD that wrote a poem about this. Maybe I'm thinking of another comic.

by foxyv

4/7/2026 at 8:12:51 PM

Oh, it's Mandala effect now? I could swear it was Mandela before.

by watt

4/7/2026 at 11:56:02 PM

I think it was Madnela?

by foxyv

4/8/2026 at 1:38:17 AM

It was definitely Madalaine.

by mindcrime

4/7/2026 at 11:53:18 AM

Has someone verified this was an actual bug?

One of AI’s strengths is definitely exploration, f.e. in finding bugs, but it still has a high false positive rate. Depending on context that matters or it wont.

Also one has to be aware that there are a lot of bugs that AI won’t find but humans would

I don’t have the expertise to verify this bug actually happened, but I’m curious.

by jwpapi

4/7/2026 at 12:59:44 PM

It's not even clear if AI was used to find the bug: they mention modeling the software with an "ai native" language, whatever that means. What is not clear is how they found themselves modeling the gyros software of the apollo code to begin with.

But, I do think their explanation of the lock acquisition and the failure scenario is quite clear and compelling.

by throwaway27448

4/7/2026 at 2:06:21 PM

They have some spec language and here,

https://github.com/juxt/Apollo-11/tree/master/specs

have many thousands of lines of code in it.

Anyways, it seems it would take a dedicated professional serious work to understand if this bug is real. And considering this looks like an Ad for their business, I would be skeptical.

by ks2048

4/7/2026 at 1:13:44 PM

> It's not even clear if AI was used to find the bug: they mention modeling the software with an "ai native" language, whatever that means.

Could the "AI native language" they used be Apache Drools? The "when" syntax reminded me of it...

https://kie.apache.org/docs/10.0.x/drools/drools/language-re...

(Apache Drools is an open source rule language and interpreter to declaratively formulate and execute rule-based specifications; it easily integrates with Java code.)

by jll29

4/7/2026 at 1:15:04 PM

How did you pick out AI native and miss the rest of the SAME sentence?

> We found this defect by distilling a behavioural specification of the IMU subsystem using Allium, an AI-native behavioural specification language.

by caminante

4/7/2026 at 2:24:31 PM

That does not answer my confusion, especially when static analysis could reveal the same conclusion with that language. It's not clear what role ai played at all.

by throwaway27448

4/7/2026 at 1:09:10 PM

> It's not even clear if AI was used to find the bug

The intro says “We used Claude and Allium”. Allium looks like a tool they’ve built for Claude.

So the article is about how they used their AI tooling and workflow to find the bug.

by Aurornis

4/7/2026 at 2:26:09 PM

The article does not explain anything about how they used AI—it just has some relation with the behavioral model a human seems to have written (and an AI does not seem necessary to use!)

by throwaway27448

4/7/2026 at 3:52:39 PM

Sure it does.

They used their AI tool to extract the rules for the Apollo guidance system based on the source code.

Then they used Claude to check if all paths followed those rules.

by MBCook

4/7/2026 at 1:14:34 PM

>It's not even clear if AI was used to find the bug

It's not even clear you read the article

by Qwuke

4/7/2026 at 2:22:25 PM

Where do you think my confusion came from? All it says is that ai assists in resolving the gyroscope lock path, not why they decided to model the gyroscope lock path to begin with.

Please, keep your offensive comments to yourself when a clarifying comment might have sufficed.

by throwaway27448

4/7/2026 at 1:17:21 PM

Even worse, the other child comments are speculating (and didn't RTFA either) when the answer is clear in the article.

> We found this defect by distilling a behavioural specification of the IMU subsystem using Allium, an AI-native behavioural specification language.

by caminante

4/7/2026 at 2:24:41 PM

That's the opposite of clear to me.

by wat10000

4/7/2026 at 6:00:07 PM

Has the article been updated?

2nd paragraph starts with: "We used Claude and Allium"

And later on: "With that obligation written down, Claude traced every path that runs after gyros_busy is set to true"

by Spinnaker_

4/7/2026 at 1:40:57 PM

> distilling

A.k.a. as fabricating. No wonder they chose to use "AI".

by chrisjj

4/7/2026 at 3:55:54 PM

I think it's interesting that they found what seems to be a real bug (should be independantly verified by experts). However I find their story mode, dramatization of how it could have happened to be poorly researched and fully in the realm of fiction. An elbow bumping a switch, the command module astronaut unable to handle the issue with only a faux nod to the fact that a reset would have cleared up the problem and it was part of their training. So it's really just building tension and storytelling to make the whole post more edgy. And yes, this is 100% AI written prose which makes it even more distasteful to me.

by djmips

4/7/2026 at 7:16:25 PM

> An elbow bumping a switch [..] really just building tension and storytelling to make the whole post more edgy.

A guarded switch, no less.

But personally I'm trying to be more generous about this sort of thing: it is very very difficult to explain subtle bugs like this to non-technical people. If you don't give them a story for how it can actually happen, they tend to just assume it's not real. But then when you tell a nice story, all us dry aged curmudgeons tut tut about how irreverent and over the top it is :)

Finding the middle ground between a dry technical analysis and dramatization can be really hard when your audience is the entire internet.

by jcalvinowens

4/7/2026 at 4:23:24 PM

[flagged]

by retard4

4/7/2026 at 3:44:49 PM

I've had a look at the (vibe coded) repro linked in the article to see if it holds up: https://github.com/juxt/agc-lgyro-lock-leak-bug/blob/c378438...

The repro runs on my computer, that's positive.

However, Phase 5 (deadlock demonstration) is entirely faked. The script just prints what it _thinks_ would happen. It doesn't actually use the emulator to prove that its thinking is right. Classic Claude being lazy (and the vibe coder not verifying).

I've vibe coded a fix so that the demonstration is actually done properly on the emulator. And also added verification that the 2 line patch actually fixes the bug: https://github.com/juxt/agc-lgyro-lock-leak-bug/pull/1

by croemer

4/7/2026 at 7:44:45 PM

> However, Phase 5 (deadlock demonstration) is entirely faked. The script just prints what it _thinks_ would happen.

I see this a lot in AI slop, which I mostly get exposed to in the form of shitty pull requests.

You know when you're trying to explain Test-Driven Development to people and you want to explain how you write the simplest thing that passes the test and then improve the test, right? So you say "I want a routine that adds VAT onto a price, so I write a test that says £20+VAT is £24, and the simplest thing that can pass that test is just returning 24". Now you know and I know that the routine and its test will break if you feed it any value except £20, but we've proved we can write a routine and its test, and now we can make it more general.

Or maybe we don't care and we slap a big TODO: make this actually work on there because we don't need it to work properly now, we've got other things to do first, and every price coming up as £20+VAT is a useful indicator that we still have to make other bits work. It doesn't matter.

The problem is that AI slop code "generators" will just stop at that point and go "THERE LOOK IT'S DONE AND IT'S PERFECT!" and the people who believe in the usefulness of AI will just ship it.

by ErroneousBosh

4/7/2026 at 12:32:03 PM

Software that ran on 4KB of memory and got humans to the moon still has undiscovered bugs in it. That says something about the complexity hiding in even the smallest codebases.

by riverforest

4/7/2026 at 1:00:50 PM

My guess is that in such low memory regimes, program length is very loosely correlated with bug rate.

If anything, if you try to cram a ton of complexity into a few kb of memory, the likelihood of introducing bugs becomes very high.

by whiplash451

4/7/2026 at 1:23:40 PM

Yet here we are compounding the issues by adding more and more layers to these systems... The higher the level it becomes the more security risks we take.

by pooloo

4/7/2026 at 4:32:39 PM

Well you don't have room for a lot of "defensive" code. You write the program to function on expected inputs, and hope that all the "shouldn't happen" scenarios actually don't happen.

by SoftTalker

4/8/2026 at 1:36:24 AM

Also contrast with the busy beaver problem and how much can be done with a small handful of instructions.

by pvdebbe

4/7/2026 at 4:10:33 PM

^ This is slop. Typical platitude that really means nothing.

by airstrike

4/7/2026 at 1:13:01 PM

> The specs were derived from the code itself

Oh dear. I strongly suggest this author look specification up in a dictionary.

by chrisjj

4/7/2026 at 1:27:18 PM

It's (what they're describing is) just reverse engineering. That's what reverse engineering is.

by perching_aix

4/7/2026 at 3:03:58 PM

Fortunately reverse engineering too is in the dictionary - to help anyone mistaking it for spec generation.

by chrisjj

4/7/2026 at 4:42:42 PM

Implying that I did make such mistake, which I did not, unless you're willfully taking me overly literal.

Nor did they make any mistakes when they described how they produced a specification, (and indeed, that it is a specification) despite your insinuation otherwise, for a similar reason.

Maybe instead of pointing towards dictionaries, stop pretending that you lack reading comprehension, and get off of your high horse please.

by perching_aix

4/7/2026 at 7:45:28 PM

More likely the llm misinterpreted something and hallucinated an error. Just yesterday Claude code hallucinated itself an infinite loop.

by callamdelaney

4/7/2026 at 6:53:39 PM

Another CTO "published" an AI slop to get attention to their vibe-coded company that will disappear in two years. Tell me something new...

by bsoles

4/8/2026 at 10:43:25 AM

> We used Claude […]

Ughhhh… I know this is probably legit here, but reading these words make me lose interest sooo fast these days…

by thiht

4/7/2026 at 11:56:23 AM

Someone please amend the title and add "using claude code" because that's customary nowadays.

by wg0

4/7/2026 at 1:46:13 PM

Also add "AI can make mistakes". Thank you.

by chrisjj

4/7/2026 at 2:26:51 PM

Thank you for your attention to this matter.

by sgt

4/7/2026 at 3:33:22 PM

> Rust’s ownership system makes lock leaks a compile-time error.

Rust specifically does not forbid deadlocks, including deadlocks caused by resource leaks. There are many ways in safe Rust to deliberately leak memory - either by creating reference count cycles, or the explicit .leak() methods on various memory-allocating structures in std. It's also not entirely useless to do this - if you want an &'static from heap memory, Box.leak() does exactly that.

Now, that being said, actually writing code to hold a LockGuard forever is difficult, but that's mainly because the Rust type system is incomplete in ways that primarily inconvenience programmers but don't compromise the safety or meaning of programs. The borrow checker runs separately from type checking, so there's no way to represent a type that both owns and holds a lock at the same time. Only stacks and async types, both generated by compiler magic, can own a LockGuard. You would have to spawn a thread and have it hold the lock and loop indefinitely[0].

[0] Panicking in the thread does not deadlock the lock. Rust's std locks are designed to mark themselves as poisoned if a LockGuard is unwound by a panic, and any attempt to lock them will yield an error instead of deadlocking. You can, of course, clear the poison condition in safe Rust if you are willing to recover from potentially inconsistent data half-written by a panicked thread. Most people just unwrap the lock error, though.

by kmeisthax

4/7/2026 at 9:44:11 PM

This article is garbage.

>The Apollo Guidance Computer (AGC) is one of the most scrutinised codebases in history.

What? AGC programs were developed by relatively small team and pretty much left alone since then. Architecture is rather quirky when viewed with modern sensibilities. There's not much people that are familiar with it. Compare it to widely used software like libcurl or sqlite. Or perhaps to Super Mario Bros, which was extensively analyzed for competitive speedruns reasons. Surely that dwarfs amount of knowledge about Apollo code.

>2K of erasable RAM and a 1MHz clock. The AGC’s programs were stored in 74KB of core rope

How about picking a unit and staying with it? AGC has 2K words of RAM, where each word has 15 bits of usable data (physically it's 16 bits, but one bit is used for parity). Maximum amount of ROM that could be installed is 36K words. (but they switch to KB, which is not only inconsistent with previous sentence but the number is also wrong! It's 72 KiB, 73.728 KB or 67.5 KiB, 69.12 KB depending whether you include parity or not) (maximum of 64K ROM words could be addressed by architecture design, but isn't available in any real hardware)

And yes, there is 1.024 MHz clock in the system, which is revelant for peripherals, but you probably want to know how fast it executed instructions. One memory cycle takes 11.71875 μs (85 1/3 kHz), and most instructions take 2 such cycles (one for operation, second for fetching next instruction) (each memory cycle is long enough for read from ROM, or read and write to RAM. ROM speed was the limiting factor, by standard of core memories it wasn't particularly fast. AGS backup computer used core for both RAM and ROM and had memory cycle time of 5 μs) (in case you are confused, "core memory" and "core rope memory" refers to quite different things!).

If you think I'm nitpicking, try writing an emulator and wondering why you have to sift through all that slop. You could give the correct numbers, you know?

>“My secret terror for the last six months has been leaving them on the Moon and returning to Earth alone”, Collins later wrote of the rendezvous. A dead gyro system behind the Moon, with Armstrong and Aldrin on the surface waiting for a rendezvous burn that depends on a platform he can no longer align, is exactly that scenario. A hard reset would have cleared it. But the 1202 alarms during the lunar descent had been stressful enough with Mission Control on the line and Steve Bales making a snap abort-or-continue call. Behind the Moon, alone, with a computer that was accepting commands and doing nothing, Collins would have had to make that call by himself.

You know what an orbit is? That it goes around? That you could just wait for a while and speak with Mission Control? What even is this scenario? That your guidance system failed, and you for some inexplicable reason are considiering immediately leaving back for Earth right now leaving your pals behind? (with a manual burn, I guess, since guidance is dead?) You just wait for contact with Houston and tell them what happened. They pore over the program listings and find the bug. They radio you back appropiate VERB and NOUN commands for poking right values into memory. The End. And besides, spacecraft can be tracked and orbit determined from Earth, so even if the PGNCS did fail completely LM would just get necessary orbit information from Mission Control. (also in case guidance fails in either LM or CM, either one can have active role during rendezvous. And LM have extra backup system, the previously mentioned AGS)

The whole thing of "we found a minor deadlock bug in AGC program, what a shock!" is bizzare. It's not a small program. If you have any experience with software, of course you know it has bugs! They iterated on the software, releasing new software for most missions, adding new features, and, fixing bugs they found. What a concept!

by garaetjjte

4/7/2026 at 2:54:46 PM

An application of their specification language, https://juxt.github.io/allium/

It seems the difference between this and conventional specification languages is that Allium's specs are in natural language, and enforcement is by LLM. This places it in a middle ground between unstructured plan files, and formal specification languages. I can see this as a low friction way to improve code quality.

by esafak

4/7/2026 at 2:34:07 PM

Fascinating read. Well done. Everyone involved in the Apollo program was amazing and had many unsung heroes.

by iJohnDoe

4/7/2026 at 3:37:40 PM

is this bug the reason why the toilet malfunctioned?

by totalmarkdown

4/7/2026 at 5:07:10 PM

I don't think apollo 11's toilet malfunctioned, it was just not very good. Everything smelled like poop mixed with chemicals, and that was by design.

by dmoy