comp.lang.ada
From: wheeler@ida.org (David Wheeler)
Subject: Re: dynamic memory allocation
Date: 1997/06/18
Message-ID: <5o9436$qlo@news.ida.org>
In-Reply-To: 33A55F1B.63FE@gsfc.nasa.gov
Stephen Leake (Stephen.Leake@gsfc.nasa.gov) wrote:
: I'm trying to convince my project that dynamic memory allocation is a
: bad idea in an embedded software system (a satellite control system, in
: this case). 

: They are proposing a message passing scheme where sending tasks allocate
: buffers for each message from a heap, and receiving tasks deallocate. I
: have suggested that the heap could become fragmented (the buffers are
: NOT all the same size). They say "we'll just test it thoroughly".

"NASA Guidebook for Safety Critical Software" (NASA-GB-1740.13-96)
(see http://www.ivv.nasa.gov) says in 4.2.2.4 on page 47:

 Dynamic memory allocation: ensure adequate resources are available
 to accommodate usage of dynamic memory allocation, without conflicts.
 Identify and protect critical memory blocks. Poor memory management
 has been a leading factor in several critical failures.
Alsys' (now Aonix') "Safety-Critical Handbook" (sorry, I don't see
a year of publication), page 26, says:

 Heap Storage

 Use of heap storage presents a number of problems for certification...
 To minimize fragmentation, the runtime system typically uses algorithms
 to search for space availability ... As these searches are not
 deterministic, they are not permitted in safety critical systems.
 The use of the heap must be restricted to a predictable set of
 operations where the time and memory used can be determined by analysis,
 and verified by testing.
You might also wish to see:
"Assessing Traditional Verification's Effectiveness on Safety-Critical
Software Systems" by Gowen and Collofello, Journal of Systems Software,
1994:26:103-115.  In an experiment, testing failed to find key safety defects.
--- David A. Wheeler
    dwheeler@ida.org
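To make the fragmentation argument in the quoted post concrete, here is an added C simulation (not code from this thread, from NASA, or from the Aonix handbook): a toy first-fit heap and a fixed-size message pool replay the same constructed message trace, and only the heap refuses the final message even though it has plenty of free cells in total. The arena size, the maximum message size, and the trace itself are assumptions chosen to show the effect.

```c
#include <stdio.h>
#include <string.h>

#define ARENA   64   /* constructed toy heap: 64 cells */
#define MAX_MSG 16   /* largest message any task sends (known from analysis) */
#define SLOTS   (ARENA / MAX_MSG)

static unsigned char arena[ARENA];     /* 1 = cell in use */
static unsigned char slot_used[SLOTS]; /* 1 = pool slot in use */

/* First-fit heap: take the first run of n free cells.  Both the scan length
 * and the outcome depend on the history of earlier allocations, not on n. */
static int ff_alloc(int n) {
    int run = 0;
    for (int i = 0; i < ARENA; i++) {
        run = arena[i] ? 0 : run + 1;
        if (run == n) { memset(&arena[i - n + 1], 1, n); return i - n + 1; }
    }
    return -1;                            /* no single hole is large enough */
}
static void ff_free(int off, int n) { memset(&arena[off], 0, n); }

/* Fixed-size pool: one MAX_MSG slot per live message.  The scan is bounded by
 * SLOTS, and the only failure mode is exceeding the analysed live-message count. */
static int pool_alloc(int n) {
    for (int s = 0; n <= MAX_MSG && s < SLOTS; s++)
        if (!slot_used[s]) { slot_used[s] = 1; return s; }
    return -1;
}
static void pool_free(int s) { slot_used[s] = 0; }

/* Constructed trace, never more than SLOTS live messages: senders allocate
 * A12 B8 C12 D8; receiver frees A; E16 sent; receiver frees C; then F16 sent.
 * Each function returns 1 if the final 16-cell request was satisfied, else 0. */
int heap_trace_ok(void) {
    memset(arena, 0, sizeof arena);
    int a = ff_alloc(12); ff_alloc(8); int c = ff_alloc(12); ff_alloc(8);
    ff_free(a, 12); ff_alloc(16); ff_free(c, 12);
    return ff_alloc(16) >= 0;             /* holes of 12, 12 and 8 cells: refused */
}
int pool_trace_ok(void) {
    memset(slot_used, 0, sizeof slot_used);
    int a = pool_alloc(12); pool_alloc(8); int c = pool_alloc(12); pool_alloc(8);
    pool_free(a); pool_alloc(16); pool_free(c);
    return pool_alloc(16) >= 0;           /* a freed slot is always reusable */
}
int heap_free_cells(void) { int f = 0; for (int i = 0; i < ARENA; i++) f += !arena[i]; return f; }

int main(void) {
    int heap_ok = heap_trace_ok(), free_cells = heap_free_cells(), pool_ok = pool_trace_ok();
    printf("first-fit heap: final 16-cell message %s (%d cells free)\n", heap_ok ? "allocated" : "REFUSED", free_cells);
    printf("fixed pool:     final 16-cell message %s\n", pool_ok ? "allocated" : "REFUSED");
    return 0;
}
```

The heap ends with 32 free cells but no 16-cell hole, which is exactly the failure that "test it thoroughly" may never trigger if the test traffic happens not to free messages in this order.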