From: Stephen Leake
Subject: Re: dynamic memory allocation
Date: 1997/06/17
Message-ID: <33A6A38D.658B@gsfc.nasa.gov>
References: <33A55F1B.63FE@gsfc.nasa.gov>
Organization: NASA Goddard Space Flight Center -- Greenbelt, Maryland USA
Reply-To: Stephen.Leake@gsfc.nasa.gov
Newsgroups: comp.lang.ada

Robert Dewar wrote:
>
> Stephen says
>
> < buffers for each message from a heap, and receiving tasks deallocate. I
> have suggested that the heap could become fragmented (the buffers are
> NOT all the same size). They say "we'll just test it thoroughly".>>
>
> In this case, thorough testing would have to mean that they will test all
> conceivable inputs and sequences of inputs. If they can do that, fine, but
> note that this is often difficult :-)

That is precisely my point; I do not believe they can adequately test this
system.

> In particular, for example, Intel could not or at least did not thoroughly
> test the divide on the Pentium (if you need an example in discussing this).

Good example.

> Obviously we have to assume this is non-critical software where it does
> not matter if it sometimes fails. We deduce that from the fact that someone
> thinks that testing is an adequate indicator of correctness. Often for
> non-critical software this is the case, and indeed such software does often
> use dynamic allocation.

Unfortunately, this is the "Safe" mode of a science satellite; it is supposed
to work no matter what. It is a VERY critical system!
> For critical software however, where reliability and correctness are
> required, it is out of the question to use dynamic allocation unless
> you can prove that storage error cannot occur.

I whole-heartedly agree, but I don't carry enough weight around here to
change minds. And unfortunately, neither do newsgroup discussions.

So I repeat my query; can anyone provide references to authoritative texts
that discuss this issue?

--
- Stephe
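Added example (editor's code, not part of the original post and not taken from the satellite software it discusses): the fragmentation scenario Stephen describes, reduced to a small C program so it can be run anywhere. The arena size, the assumed largest message size (MAX_MSG), the 96-byte and 32-byte message sizes and the allocate/free sequence are all constructed for the demonstration. A first-fit heap is filled with interleaved large and small message buffers; the receivers consume every large message, leaving most of the arena free but no hole big enough for a maximum-size message. The same traffic against a pool of fixed MAX_MSG-byte slots cannot fail that way.

```c
#include <stdio.h>
#include <string.h>

/* Editor's example, not code from the original post. ARENA_BYTES, MAX_MSG
 * and the allocate/free sequence are constructed for the demonstration. */
#define ARENA_BYTES 1024
#define MAX_MSG     128    /* assumed largest message the system can send */

/* A minimal first-fit heap over a fixed arena, standing in for the general
 * heap that the sending tasks allocate message buffers from. */
struct blk { size_t size; int used; };          /* size = payload bytes */
#define HDR sizeof(struct blk)
static union { struct blk align; unsigned char bytes[ARENA_BYTES]; } arena_u;
#define arena arena_u.bytes

static void heap_init(void) {
    struct blk *b = (struct blk *)arena;
    b->size = ARENA_BYTES - HDR; b->used = 0;
}

static void *heap_alloc(size_t n) {
    n = (n + HDR - 1) / HDR * HDR;              /* keep headers aligned */
    for (unsigned char *p = arena; p < arena + ARENA_BYTES; ) {
        struct blk *b = (struct blk *)p;
        if (!b->used && b->size >= n) {
            if (b->size >= n + 2 * HDR) {       /* split off the remainder */
                struct blk *rest = (struct blk *)(p + HDR + n);
                rest->size = b->size - n - HDR; rest->used = 0; b->size = n;
            }
            b->used = 1;
            return p + HDR;
        }
        p += HDR + b->size;
    }
    return NULL;      /* no hole large enough: Storage_Error in Ada terms */
}

/* Free, then coalesce adjacent free blocks, so the only holes left are the
 * ones pinned between buffers that are still live. */
static void heap_free(void *q) {
    ((struct blk *)((unsigned char *)q - HDR))->used = 0;
    for (unsigned char *p = arena; p < arena + ARENA_BYTES; ) {
        struct blk *b = (struct blk *)p, *nx = (struct blk *)(p + HDR + b->size);
        if (!b->used && (unsigned char *)nx < arena + ARENA_BYTES && !nx->used)
            b->size += HDR + nx->size;          /* merged; re-check b */
        else
            p = (unsigned char *)nx;
    }
}

static void heap_stats(size_t *total_free, size_t *largest_hole) {
    *total_free = *largest_hole = 0;
    for (unsigned char *p = arena; p < arena + ARENA_BYTES; p += HDR + ((struct blk *)p)->size) {
        struct blk *b = (struct blk *)p;
        if (b->used) continue;
        *total_free += b->size;
        if (b->size > *largest_hole) *largest_hole = b->size;
    }
}

struct demo_result { size_t free_bytes, largest_hole; int alloc_failed; };

/* Senders interleave 96-byte and 32-byte messages until the heap is full;
 * receivers then consume every 96-byte message while the 32-byte ones stay
 * queued. Most of the arena is free, yet no single hole can hold MAX_MSG. */
struct demo_result fragmented_heap_demo(void) {
    void *big[ARENA_BYTES / 32];
    int n = 0;
    heap_init();
    while (n < (int)(sizeof big / sizeof big[0])) {
        if (!(big[n] = heap_alloc(96))) break;
        if (!heap_alloc(32)) { heap_free(big[n]); break; }
        n++;
    }
    for (int i = 0; i < n; i++) heap_free(big[i]);
    struct demo_result r;
    heap_stats(&r.free_bytes, &r.largest_hole);
    r.alloc_failed = (heap_alloc(MAX_MSG) == NULL);
    return r;
}

/* The alternative: a pool of fixed MAX_MSG-byte slots. Any free slot fits any
 * message, so the only failure mode is "more than POOL_SLOTS messages live at
 * once", a bound that can be argued from the design rather than tested. */
#define POOL_SLOTS (ARENA_BYTES / MAX_MSG)
static unsigned char pool[POOL_SLOTS][MAX_MSG];
static int pool_used[POOL_SLOTS];

static void *pool_alloc(size_t n) {
    if (n > MAX_MSG) return NULL;               /* oversize message: design error */
    for (int i = 0; i < POOL_SLOTS; i++)
        if (!pool_used[i]) { pool_used[i] = 1; return pool[i]; }
    return NULL;                                /* too many live messages */
}

static void pool_free(void *q) {
    pool_used[((unsigned char *)q - (unsigned char *)pool) / MAX_MSG] = 0;
}

/* Same traffic pattern against the pool: the MAX_MSG allocation succeeds. */
int fixed_pool_demo(void) {
    void *big[POOL_SLOTS];
    int n = 0;
    memset(pool_used, 0, sizeof pool_used);
    while (n < POOL_SLOTS) {
        if (!(big[n] = pool_alloc(96))) break;
        if (!pool_alloc(32)) { pool_free(big[n]); break; }
        n++;
    }
    for (int i = 0; i < n; i++) pool_free(big[i]);
    return pool_alloc(MAX_MSG) != NULL;
}

int main(void) {
    struct demo_result r = fragmented_heap_demo();
    printf("heap: %zu bytes free, largest hole %zu, %d-byte alloc %s\n",
           r.free_bytes, r.largest_hole, MAX_MSG, r.alloc_failed ? "FAILED" : "ok");
    return printf("pool: %d-byte alloc %s\n", MAX_MSG, fixed_pool_demo() ? "ok" : "FAILED") < 0;
}
```

The heap run ends with several hundred bytes free but every hole at most 96 bytes, so the 128-byte request fails; in an Ada program using the standard storage pool that failure would surface as Storage_Error. The point of the fixed-slot pool is not that it never runs out, but that its only failure condition is a count of simultaneously live messages, which is the kind of bound a design review can establish; a general heap's failure condition depends on the whole history of sizes and orderings, which is exactly what "test it thoroughly" would have to cover.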