How SpaceX Uses Linux, Chromium, C++ and Open Source Libraries

Long-time Slashdot reader mrflash818 ("Linux geek since 1999") shared a ZDNet article pointing out that SpaceX's Falcon 9 rocket has an onboard operating system that's "a stripped-down Linux running on three ordinary dual-core x86 processors. The flight software itself runs separately on each processor and is written in C/C++."

Interestingly, back in 2018 a Slashdot headline asked whether C++ was "a really terrible language," and Elon Musk replied on Twitter with his single-word answer. "Yes."

ZDNet points out that "ordinary" processors are often needed because of the multi-year development time for the spacecraft they power. Their article notes that the International Space Station actually runs on 1988-vintage 20 MHz Intel 80386SX CPUs: Of course, while those ancient chips work for the station's command and control multiplexer/demultiplexer, they're not much good for anything else. For ordinary day-in and day-out work, astronauts use HP ZBook 15s running Debian Linux, Scientific Linux, and Windows 10. The Linux systems act as remote terminals to the control multiplexer/demultiplexer, while the Windows systems are used for email, the web, and fun.

Usually, though, chips that go into space aren't ordinary chips. CPUs that stay in space must be radiation-hardened. Otherwise, they tend to fail due to the effects of ionizing radiation and cosmic rays. These customized processors undergo years of design work and then more years of testing before they are certified for spaceflight. For instance, NASA expects its next-generation, general-purpose processor, an ARM A53 variant you may know from the Raspberry Pi 3, to be ready to run in 2021...

The Dragon spacecraft's touchscreen interface is rendered using Chromium and JavaScript. If something were to go wrong with the interface, the astronauts have physical buttons to control the spacecraft.
Today the SpaceX software team answered questions on Reddit, revealing they use Chromium with a reactive library developed in-house, and that "All of our on-board computers either run Linux (with the PREEMPT_RT patch) or are microcontrollers that run bare-metal code...." Later they emphasized that for the Falcon 9 and Dragon software, "All of the application-level autonomous software is written in C++. We generally use object oriented programming techniques from C++, although we like to keep things as simple as possible.

"We do use open source libraries, primarily the standard C++ library, plus some others. However, we limit our use of open source libraries to only extremely high quality ones, and often will opt to develop our own libraries when it is feasible so that we can control the code quality ourselves."

Another CPU consideration...

[Pollux]

"Ordinary" processors are often needed because of the multi-year development time for the spacecraft they power. Their article notes that the International Space Station actually runs on 1988-vintage 20 MHz Intel 80386SX CPUs...NASA expects its next-generation, general-purpose processor, an ARM A53 variant you may know from the Raspberry Pi 3, to be ready to run in 2021.

Both these CPUs also have another distinct advantage: low thermal output. It's hard to cool things in space when you're in a vacuum; here on Earth, air is pretty effective at radiating heat away, but there's none of that up there in space. Granted, it's pretty easy on a space station, because there is a capsule of air available in the main cabin. Heat from the electronics are transferred to cold plates, which conducts the heat into the main cabin, where the existing air dissipates the heat. On the other hand, satellites and other non-pressurized environments need more creative solutions [quora.com] put in place [tomshardware.com]. CPUs in space are usually throttled down to their bare-minimum operating voltages and frequencies to minimize heat generation, in addition to maximizing power efficiency.

Re: Another CPU consideration...

[BAReFO0t]

Yeah, but how does the heat from the air go then? Becaue you don't want cooked astronauts. That's how you get Shodan

Re:

[TheReaperD]

You do realize that it's a little chilly outside the door of the ISS, right?

Re:

[dunkelfalke]

You do realise that there is vacuum outside the door of the ISS, right? Heat doesn't dissipate so well in vacuum.

Re:

[tlhIngan]

You do realise that there is vacuum outside the door of the ISS, right? Heat doesn't dissipate so well in vacuum.

There are three methods of heat flow from a hot object to a cooler object - convection, conduction, and radiation.

Convection transfers heat using the surroundings- hot object to air, for instance.

Conduction uses some object in between - a piece of metal.

Radiation emits the heat using blackbody radiation.

In space, convection doesn't work because the lack of medium to transfer heat. That's why vacu

Re:Another CPU consideration...

[kot-begemot-uk]

The issue is not Vacuum, the issue is that convection does not work in zero gravity. As a result any heat generated in any part of the system will stay in the immediate vicinity of that part. We take the fact that hot air moves away from whatever heated it for granted. That is indeed the case in a gravity field. Zero-G - nope. It stays.

You have to dress the whole system in a heatsink and equip that with a fan to run anything with any significant thermal output. Otherwise it will end up roasted.

Reasonable approach.

[Gravis Zero]

Linux is a mature OS that is completely customizable and there many developers with knowledge of utilizing, customizing and debugging it. C++ is also a well developed language that enables a high level approach as well as hardware level manipulation. There approach to libraries is prudent though I wish they would release the libraries they wrote.

Frankly, it seems like being a matter of there being the most people and tools. Neither is perfect but perfect only exists as machine code.

Re:

[Anonymous Coward]

If anyone thinks he has anything but a superficial exposure to C++ I've got a bridge to sell you.

It's the same vein as when he calls himself an engineer. He's not, but no one will challenge him on it because the term has been watered down so much (e.g. "software engineer").

Note that this comment isn't about typical corporate CEO bullshit because that's what they're paid to do, bullshit. And Musk is an absolute genius at that. But when they try to sound authoritative on a topic that they're clearly not, t

Re:

[ShanghaiBill]

If anyone thinks he has anything but a superficial exposure to C++ I've got a bridge to sell you.

Mission-critical systems often use a subset of C++, rather than the full language.

Custom templates, operator-overloading, naked blocks, and "new" are often banned.

This is enforced with static analysis tools that detect violations. Sometimes the compiler will be modified, so non-conforming code won't even compile.

Re:

[K. S. Kyosuke]

Not only that - they often use a subset of C, don't they?

Re:

[ShanghaiBill]

Not only that - they often use a subset of C, don't they?

Yes, many mission-critical systems use MISRA_C [wikipedia.org].

MISRA C is more appropriate for small systems.

As systems get bigger, there are advantages to using C++, such as complexity encapsulation.

There is also a MISRA C++, but I don't know much about it.

Re:

[Joce640k]

Neither is perfect but perfect only exists as machine code.

Assuming there's no bugs in the CPU is folly. The only sure way is to use rad-hardened 74LS logic chips.

Re:

[K. S. Kyosuke]

C++ is also a well developed language that enables a high level approach as well as hardware level manipulation.

You forgot to mention that C++20 now includes the spaceship operator. Surely that has to count for something in this application.

Re:

[mobby_6kl]

You forgot to mention that C++20 now includes the spaceship operator. Surely that has to count for something in this application.

But you have to overloaded it to implement the docking procedures.

Re:

[K. S. Kyosuke]

The last time NASA people tried to overload something, they got a 1202 alarm. Let's hope things have improved since then.

Not useful?

[drinkypoo]

"Their article notes that the International Space Station actually runs on 1988-vintage 20 MHz Intel 80386SX CPUs:
Of course, while those ancient chips work for the station's command and control multiplexer/demultiplexer, they're not much good for anything else."

Now to be fair, I had a 386DX25, but I ran Slackware 2.0 (installed from floppy!) very successfully in 8MB RAM and with 120MB disk. And I ran X with Netscape. It would be worthless for web browsing today, but I had the full development set installed, and it was good for lots of things.

Re:Not useful?

[K. S. Kyosuke]

And the 80386 thing is not even true. The main DMS-R control computers run custom SPARCs.

Re:

[bill_mcgonigle]

I had a PS/2 with a 386SX 16MHz and it was terrible. IIRC the bus ran at only 8MHz. I was happier with the Apple ][ performance for daily work it was so bad.

I saved yardwork money for a year and got a 486DX 25MHz from Gateway and it was so dramatically better that it took me from DOS through Windows, OS/2 Warp and finally Linux (Slackware).

Re:

[TheReaperD]

The way they were designed sucked. The SX was restricted to 16-bit (for a 32-bit CPU ugh) causing a significant slow down and it's floating-point capability was atrocious. If they're using a 386 at all, they should be using the 386SL (low power edition primarily designed for laptops) which would be far more appropriate for their environment. The fact that the upgrade will be a Raspberry Pi s a really good choice.

Re:Not useful?

[kot-begemot-uk]

"Their article notes that the International Space Station actually runs on 1988-vintage 20 MHz Intel 80386SX CPUs: Of course, while those ancient chips work for the station's command and control multiplexer/demultiplexer, they're not much good for anything else."

Now to be fair, I had a 386DX25, but I ran Slackware 2.0 (installed from floppy!) very successfully in 8MB RAM and with 120MB disk. And I ran X with Netscape. It would be worthless for web browsing today, but I had the full development set installed, and it was good for lots of things.

1. SX25 with a good motherboard did not need any heatsink. It ran stone-cold. This is very important in an environment where any cooling has to be forced (convection does not work in zero G).

2. SX25 was manufactured using a 1uM process. That is radiation-hardened by birth. The lanes and gates are so wide that it should have minimal issues with background radiation. Throw in 3 systems and set them to "vote" on decisions and voila - you can happily run that for years in space. While at it, unless they get someone to custom manufacture them ARM at 100nM+ process, I do not see how they are going to harden it to space specs.

Re:

[account_deleted]

Comment removed based on user account deletion

C++ can be good or bad for this

[joe_frisch]

There are a lot of ways to write C++. It can be used as relatively minor extensions to C, to write simple code that can be very robust. Its also possible to write horribly tangled code in C++ that no sane person would ever let near a spacecraft.

SpaceX seem to know what they are doing, so I assume they hire quality coders

Re:

[gweihir]

That is exactly the point. The same is true, for example, for Python: In the hands of people that know what they are doing, it is a very powerful tool. Otherwise things tend to get out of hand and create the most incredibly tangles mess.

Essentially, all that criticism of C, C++, etc., and on a more abstract level, for example, Linux, comes from people that do not know what they are doing. And hence, like many poor craftsmen, they blame the tools.

Re: C++ can be good or bad for this

[BAReFO0t]

Yeah, and you CAN write secure, non-leaking memory-management-code-reusing code in C.
But as reality shows, nobody always does!
That is why languages with those properties built-in were developed. So you only have to get it right once. In the compiler. And the lack of those is literally the only reason C is ever faster.

And about C++: It should never be used. For anything. Ever. ;)
*ducks* :D

Re: C++ can be good or bad for this

[Joce640k]

Yeah, and you CAN write secure, non-leaking memory-management-code-reusing code in C.

You can do it in assembly language, too, but at the end of the day you'll develop a lot faster and have far fewer bugs if you get some help from a compiler.

And about C++: It should never be used. For anything. Ever. ;)

You can do it in C, too, but at the end of the day you'll develop a lot faster and have far fewer bugs if you get some help from a C++ compiler.

Re:

[AmiMoJo]

Vast amounts of secure, non-leaking code is written in C. It requires some skill and discipline but actually isn't that hard when you know how.

For example you statically allocate everything so that the only dynamic memory use is the stack. Avoid recursion entirely. You can then do static analysis to determine the maximum amount of stack space that will ever be needed. Static analysis tools rarely understand interrupts but you can ensure they never overlap themselves.

C++ has some useful stuff for organising

Re:

[loufoque]

In my experience, the main cause of bugs is bad development practices.
Using another language might remove some of the obvious symptoms of bad code, but ultimately it will still have flaws causing other problems.

Re:

[Joce640k]

Its also possible to write horribly tangled code in C++ that no sane person would ever let near a spacecraft.

That's possible in any language.

OTOH a language with a lot of static type checking and enough expressiveness to allow you to choose a sane coding style instead of being forced to adapt to a language's constraints can go a long way towards eliminating errors.

Pretty damning

[Kisai]

"However, we limit our use of open source libraries to only extremely high quality ones, and often will opt to develop our own libraries when it is feasible so that we can control the code quality ourselves."

Hear that OSS, stop setting the compiler flags to ignore warnings and start cleaning up your libraries.

Re: Pretty damning

[BAReFO0t]

OSS is Open Sound System.
A shittier competing precursor to shitty ALSA, that got an apparently superior successor that nobody uses because its creators had a stupid business model. ;)

Re:

[gweihir]

Not at all damning at all, in fact. It says that there are extremely high quality FOSS libraries out there.

That there is a lot of crap FOSS out there is easy to see, just look at systemd, for example. It is the standard picture when everybody is allowed to play: Some (few) are exceptionally good, a few more are reasonable, and most will just endeavor confirm Sturegon's law while considering themselves better than everybody else more often than not.

Re:

[Kisai]

I like to think that the best software would have no warnings when compiled out of the box, but that's rarely the case if you read a build log for just about anything. As an example with Visual C++, nearly every build environment puts _CRT_SECURE_NO_WARNINGS in just to keep plugging away like normal. On FreeBSD and Linux you often see pages and pages of warnings when you turn on -Wall.

It's not so much that developers write sloppy libraries all the time, but that sloppy things end up in the base OS, and then

Re:

[gweihir]

Well, my last larger C project (some custom Apache modules and an attached custom in-memory database) gets no warnings. Admittedly, if this software breaks a few 1000 people will unable to work, so it was developed with some care. Oh, and this is dual-platform Linux and Solaris with the platform compiler on Solaris, not gcc.

Re:

[jimtheowl]

" you often see pages and pages of warnings"

I find that if I try to read and understand the warnings, they are mostly irrelevant; so perhaps it is more about the compiler output than the language.

Re:

[gweihir]

Yes. But somebody careful would have cleaned them up anyways, so you can see any that may be important.

Re:

[Joce640k]

Compilers evolve, things that weren't warnings before can become warnings in new compiler versions.

It's not always possible to go back and rework huge code bases to eliminate them all.

Re:

[goose-incarnated]

I like to think that the best software would have no warnings when compiled out of the box, but that's rarely the case if you read a build log for just about anything. As an example with Visual C++, nearly every build environment puts _CRT_SECURE_NO_WARNINGS in just to keep plugging away like normal

That's because Visual C++ is non-conforming and:

changes the meaning (but not the type) of parameters to the standard functions, resulting in subtle bugs at runtime on other platforms

and

Generates "warnings" that are essentially messages to stop using standard functions and use instead the locked-in proprietary and non-portable Windows replacements.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Joce640k]

I'm betting he's not referring to stdlib, more to the stuff typically found on github.

Re:

[AmiMoJo]

It depends on the flags, especially on embedded systems. You can try for -Wall but then it will complain about C11 only stuff, about GCC extensions, about some kinds of type punning and overlays...

It's not ideal that GCC extensions have become a de-facto standard now (at least LLVM supports them) but they actually improve code quality so I'm happy to use them.

Re:

[K. S. Kyosuke]

Those two languages have a non-empty intersection, though. For example Lua is written in it.

Re: No such language called "C/C++"

[BAReFO0t]

Yes, and so do Java and JavaScript (to a smaller extent). Doesn't mean they should be considered the same languages anymore... It's like comparing assembly and Cthulhu.

Re:

[Joce640k]

Yes, and so do Java and JavaScript (to a smaller extent). Doesn't mean they should be considered the same languages anymore...

They were NEVER the same language.

JavaScript was called "Mocha" until Sun came along and put "Java" in the name for marketing reasons.

"JavaScript " is a trademark. What you're using in your web browser is actually called "ECMAScript", although that doesn't roll off the tongue very well.

Re:

[K. S. Kyosuke]

I never said they're the same languages. But formal languages define a set of valid words, and it doesn't seem like a stretch to label the set of words valid in both C and C++ as "C/C++".

Re:

[_merlin]

There are relatively few things that are outright incompatible between C and C++ and you can avoid most of them pretty easily to produce C that works when compiled with a C++ compiler. You need some more explicit casts (e.g. results of malloc, arguments to standard library functions that C++ adds overloads for), you can't use non-prototype function declarations, and you can't use C99/C11 features that aren't in C++ (yet). There are a few other things, but it's not very difficult to develop in a compatible

Finally

[bobstreo]

The Year of Linux on the Spaceship.

Re:

[account_deleted]

Comment removed based on user account deletion

Re: Finally

[Bearhouse]

Well played sir.

Re:

[mobby_6kl]

Unsurprisingly, it happend before the year of Linux on the desktop.

Cheap NASA

[Random361]

At least spring for a math coprocessor. ;)

Re:

[Proudrooster]

Just do integer math, it's faster. Who needs floating point math :)

Re:

[chill]

Pi is exactly 3!

Re: Cheap NASA

[BAReFO0t]

Ooh, look at you!
In astrophysics, you're lucky if pi doesn't equal 1! ;)

Re:

[TheReaperD]

Theoretical astrophysics unless you're dealing with quantum mechanics (which is still theoretical). For those of you who have no idea what we're talking about, in quantum mathematics 2+2 can equal between 2 and 6 (really). That's because 2 is equal to between 1.00000_1 and 2.999999_9. About 1/3 of all people who start taking quantum physics have mental breakdowns and are forced to drop out because you have to rewrite how you view reality.

Re:

[K. S. Kyosuke]

Why would pi be six?

A browser-based JS touchscreen spacecraft??

[BAReFO0t]

I almost threw up in my mouth.
LudditeTechie software design?
What could possibly go wrong? ;)

Re:

[Joce640k]

I'm guessing you don't know what AJAX is?

Re:

[loufoque]

I'm a C++ programmer and I also use web tech for my GUIs. It's much more clean and flexible than most toolkits.

Ultimately you have some kind of microservice layer between the system and its GUI which is nice encapsulation too.

Fun

[codeButcher]

... while the Windows systems are used for email, the web, and fun.

I've been using Linux for years now as my primary work and home OS, so I know there are tons of web browsers, email clients, video players, music players and games that run on it. Heck, even Kerbal... I really have to wonder what spacebois do for fun that require the level of masochism that Windows entails...

Re:

[cyberpunkrocker]

The astronauts have it backwards. They should have had education like: "Windows is dull, Linux is fun!". That is, unless the astronauts are masochists. Then the quote makes sense.

C++ is a HORRIBLE language

[WindBourne]

The problem is, like unix/linux, that nearly all of the other languages are worse.