santosh wrote, On 27/04/08 16:37:
> I think the point that Flash is making is that malloc *can* fail. In a
> fault-intolerant environment, you want to keep chances of failures to a
> minimum.
You also need to be able to prove with a certain degree of rigour (which
varies depending on how safety critical the SW is and what else there is
to prevent injury or loss of life).
> In an important section of code, what should be done if malloc
> returns NULL due to some reason or the other, like say memory
> fragmentation?
Or simply a bug in the malloc/free implementation. So you would have to
either get the library provider to get their library tested to the
relevant standards (such testing is expensive, even more so if it was
not designed to meet those standards in the first place) or you have to
take responsibility for it and prove the library.
> The options open to desktop or general purpose programs
> (like calling exit, abort etc.) may not be acceptable in some
> contexts.
Indeed. How do you fancy being in (or under) a military jet flying at
night 30 feet above the ground when the pilot's night vision system
decides to reboot? You could be dead in under a second.
> Recursion *can* be used safely, but again it simply opens up
> the program to more chances of failure and consumes excessive resources
> in a very likely resource constrained environment.
Even if it is not tightly constrained (where I worked there was a
standard requirement of 50% free resources to allow for future
enhancements) it still makes it harder to *prove* that it is safe.
> So I would say that for certain limited types of applications Flash's
> recommendations are entirely sensible.
There are a lot of applications where it makes sense, and a lot more
where it doesn't make sense. Safety critical (and it was someone else
who mentioned "life depending on it") would be at the top of my list of
things where it makes sense.
I would be interested to hear what the MISRA standard said about
allocated memory and recursion, I suspect it might be forbidden or at
least highly constrained there too.
Oh, and when I worked in the defence industry we had these restrictions.
For the type of applications I worked on it was not a problem and even
without the restrictions there was only one application in 15 years
where I might have considered using malloc, and I can't think of any
where recursion would have been appropriate.
For "normal" applications (like those I work on now) I will happily use
malloc/realloc/free, I might consider garbage collection if it was part
of the standard, and I think nothing of mutually recursive functions (we
have very good reason for a() calls b() calls c() calls a() and even
more complex things).
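As an added illustration of the alternative the thread argues for (not code from either poster), here is a statically allocated object pool: storage is fixed at link time, exhaustion is reported as an ordinary NULL return rather than by calling exit or abort, every operation is bounded with no recursion, and a high-water mark lets a test run check the "50% free resources" rule mentioned above. All names and the capacity are hypothetical.

```c
/* Added example: fixed-capacity pool as a malloc replacement for code that
 * may not use the heap, exit() or abort(). Names and sizes are made up. */
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>

#define POOL_CAPACITY 16u     /* worst-case simultaneous objects plus headroom */

typedef struct {
    uint32_t id;
    uint8_t  payload[28];
} msg_t;

static msg_t  pool_storage[POOL_CAPACITY];   /* lives in .bss, never the heap */
static bool   pool_in_use[POOL_CAPACITY];
static size_t pool_used;
static size_t pool_high_water;               /* peak simultaneous use */

void pool_reset(void)                        /* for start-up and for tests */
{
    for (size_t i = 0; i < POOL_CAPACITY; i++) pool_in_use[i] = false;
    pool_used = pool_high_water = 0;
}

/* Returns a free slot or NULL. Worst case is POOL_CAPACITY iterations, so
 * the timing bound is known; the caller treats NULL as a normal error path. */
msg_t *pool_alloc(void)
{
    for (size_t i = 0; i < POOL_CAPACITY; i++) {
        if (!pool_in_use[i]) {
            pool_in_use[i] = true;
            if (++pool_used > pool_high_water) pool_high_water = pool_used;
            return &pool_storage[i];
        }
    }
    return NULL;
}

/* Returns false for a pointer the pool does not own or for a double free. */
bool pool_free(msg_t *m)
{
    uintptr_t p = (uintptr_t)m, base = (uintptr_t)pool_storage;
    if (p < base || p >= base + sizeof pool_storage) return false;
    if ((p - base) % sizeof(msg_t) != 0) return false;
    size_t i = (p - base) / sizeof(msg_t);
    if (!pool_in_use[i]) return false;
    pool_in_use[i] = false;
    pool_used--;
    return true;
}

/* The 50% headroom rule, checked against the peak observed in a test run. */
bool pool_has_headroom(void) { return pool_high_water * 2u <= POOL_CAPACITY; }
```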