From: wheeler@ida.org (David Wheeler)
Subject: Re: dynamic memory allocation
Date: 1997/06/18
Message-ID: <5o9436$qlo@news.ida.org>
References: <33A55F1B.63FE@gsfc.nasa.gov>
Organization: IDA, Alexandria, Virginia
Reply-To: dwheeler@ida.org
Newsgroups: comp.lang.ada

Stephen Leake (Stephen.Leake@gsfc.nasa.gov) wrote:
: I'm trying to convince my project that dynamic memory allocation is a
: bad idea in an embedded software system (a satellite control system, in
: this case).
: They are proposing a message passing scheme where sending tasks allocate
: buffers for each message from a heap, and receiving tasks deallocate. I
: have suggested that the heap could become fragmented (the buffers are
: NOT all the same size). They say "we'll just test it thoroughly".

"NASA Guidebook for Safety Critical Software" (NASA-GB-1740.13-96)
(see http://www.ivv.nasa.gov) says in 4.2.2.4 on page 47:

  Dynamic memory allocation: ensure adequate resources are available to
  accommodate usage of dynamic memory allocation, without conflicts.
  Identify and protect critical memory blocks. Poor memory management has
  been a leading factor in several critical failures.

Alsys' (now Aonix') "Safety-Critical Handbook" (sorry, I don't see a year
of publication), page 26, says:

  Heap Storage
  Use of heap storage presents a number of problems for certification...
  To minimize fragmentation, the runtime system typically uses algorithms
  to search for space availability ... As these searches are not
  deterministic, they are not permitted in safety critical systems.
  The use of the heap must be restricted to a predictable set of
  operations where the time and memory used can be determined by
  analysis, and verified by testing.

You might also wish to see:
"Assessing Traditional Verification's Effectiveness on Safety-Critical
Software Systems" by Gowen and Collofello, Journal of Systems Software,
1994:26:103-115. In an experiment, testing failed to find key safety
defects.

--- David A. Wheeler
dwheeler@ida.org
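As an added illustration (not part of David Wheeler's post or the cited handbooks), the toy first-fit arena allocator below reproduces the fragmentation risk Stephen Leake describes: a sender allocates message buffers of unequal sizes, the receiver frees them in consumption order, and a later request then fails even though the total free space would cover it. The arena size, message sizes and free order are constructed values chosen to make the hole pattern visible.

```c
/* Toy first-fit arena allocator (constructed example, not a real RTS).
 * Units are abstract; a tiny arena keeps the hole pattern easy to see. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE 64                     /* constructed: 64 allocation units */
static unsigned char used[ARENA_SIZE];    /* 1 = unit in use, 0 = free */

static void arena_reset(void) { memset(used, 0, sizeof used); }

/* First-fit search: start index of the first free run of n units, or -1. */
static int arena_alloc(size_t n) {
    size_t run = 0;
    for (size_t i = 0; i < ARENA_SIZE; i++) {
        run = used[i] ? 0 : run + 1;
        if (run == n) {
            size_t start = i + 1 - n;
            memset(used + start, 1, n);
            return (int)start;
        }
    }
    return -1;
}

static void arena_free(int start, size_t n) {
    if (start >= 0) memset(used + start, 0, n);
}

/* Total free units, regardless of whether they are contiguous. */
static size_t arena_free_total(void) {
    size_t total = 0;
    for (size_t i = 0; i < ARENA_SIZE; i++) total += !used[i];
    return total;
}

/* Largest contiguous free run: what a single allocation can actually get. */
static size_t arena_largest_free(void) {
    size_t best = 0, run = 0;
    for (size_t i = 0; i < ARENA_SIZE; i++) {
        run = used[i] ? 0 : run + 1;
        if (run > best) best = run;
    }
    return best;
}

/* Message-passing pattern from the post: sender allocates buffers of
 * sizes 8, 24, 8, 24 (constructed); receiver consumes and frees the two
 * large ones first. Returns the outcome of a subsequent 32-unit request. */
static int run_scenario(void) {
    int a = arena_alloc(8), b = arena_alloc(24);
    int c = arena_alloc(8), d = arena_alloc(24);
    (void)a; (void)c;                      /* small buffers still in flight */
    arena_free(b, 24);
    arena_free(d, 24);
    return arena_alloc(32);   /* -1: 48 units free, but no run of 32 */
}

int main(void) {
    arena_reset();
    int r = run_scenario();
    printf("32-unit request %s: free=%zu, largest run=%zu\n",
           r < 0 ? "FAILED" : "ok", arena_free_total(), arena_largest_free());
    return 0;
}
```

The failure is the point the handbook makes: total free memory is an easy thing to test for, while "largest contiguous run after this particular interleaving" is not, so a test campaign can pass and the system still fail in the field.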