Re: dynamic memory allocation

[Stephen Leake <Stephen.Leake@gsfc.nasa.gov>]

Robert Dewar wrote:
> 
> Stephen says
> 
> <<They are proposing a message passing scheme where sending tasks allocate
> buffers for each message from a heap, and receiving tasks deallocate. I
> have suggested that the heap could become fragmented (the buffers are
> NOT all the same size). They say "we'll just test it thoroughly".>>
> 
> In this case, thorough testing would have to mean that they will test all
> conceivable inputs and sequences of inputs. If they can do that, fine, but
> note that this is often difficult :-)

That is precisely my point; I do not believe they can adequately test
this system.

> In particular, for example, Intel could not or at least did not thoroughly
> test the divide on the Pentium (if you need an example in discussing this).

Good example.

> Obviously we have to assume this is non-critical software where it does
> not matter if it sometimes fails. We deduce that from the fact that someone
> thinks that testing is an adequate indicator of correctness. Often for
> non-critical software this is the case, and indeed such software does often
> use dynamic allocation.

Unfortunately, this is the "Safe" mode of a science satellite; it is
supposed to work no matter what. It is a VERY critical system! 

> For critical software however, where reliability and correctness are
> required, it is out of the question to use dynamic allocation unless
> you can prove that storage error cannot occur.

I whole-heartedly agree, but I don't carry enough weight around here to
change minds. And unfortunately, neither do newsgroup discussions.

So I repeat my query; can anyone provide references to authoritative
texts that discuss this issue? 
-- 
- Stephe