Using dynamic allocations in a mission-critical / life-critical software [closed]
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
开发者_开发知识库Closed 4 years ago.
Improve this questionIs it safe to use dynamic allocations in a mission-critical / life-critical system, or should it be avoided?
If you are writing this sort of software you ought to have a big book for the specification you are conforming to (FAA, NATO, FDA, whatever) of what you can and cannot do, and it will tell you.
In general, however; no, since the systems you describe are very hard to prove correct. Although in life critical software normally there has to be hardware responsible to restarting the software if an error condition is signalled (ie, a watchdog timer that the software has to reset evert 100ms to prevent a hardware reset)
With critical software you want your system to have as deterministic behaviour as possible.
Dynamic memory, memory fragmentation, possible leaks, and in some corner cases (not too rare) misbehaviour of malloc will make it that much harder to gain 100% determinism.
That said, if part of your program (say an algorithm) requires dynamic allocation and you can prove that your memory allocation and de-allocation (free) will be deterministic (see valuable notes by RickNZ) then you're closer to having a deterministic system.
One approach I've used when I can't completely avoid dynamic allocation in "can't fail" type applications is to allocate the buffers and other data structures I need only once, when the app first starts -- so they never need to be freed. It's loops and frees/deletes that don't correspond with news/allocs that tend to cause problems...
When that's not enough, another trick I've used is to run with my own custom version of malloc and free, with code that takes special care to check for common error conditions, like freeing something that's already been freed, regularly verifying freelist pointer integrity, looking to see if total memory use is increasing over time, etc.
All the trading systems and other banking software I've ever worked on use dynamic allocation very heavily, and they are mission critical for the IBs that use them. I prefer to avoid working on life-critical systems, so can't speak for them.
I am new to c++; but since everything is on memory; you are going to use it somehow. so; why should a programmer avoid it?
PS:informative comments are appreciated. :)
Better avoid it. The smallest memory leak in your system will with time make your system crash. For example life critical system like car and air plane do not use dynamic allocation.
I feel you could definitely use dynamic memory allocation in mission critical apps, MC apps, need not necessarily be RT Apps, they just mean they are critical for business functioning. When dynamic memory allocation constructs are used, it always essential to have large stress tests, which can display memory leaks, when real customer environment is simulated, that way you would understand the impact of dynamic memory allocation, is it had one.
In embedded systems and life & mission critical applications, the objective is to reduce the reliance on dynamic memory allocation. Generally, dynamic memory is needed when the number of instances cannot be determined during run-time. For example, dynamic memory is used when obtaining input from the user.
When reading data from sensors and obtaining real-time data from other sources, dynamic memory is not used. Many applications use a queue and retain only the current data.
The embedded systems, when using dynamic memory allocation, will have some sort of memory reclamation algorithm, whether it be Garbage Collection (GC) or the memory is consolidated upon allocation. If there is no memory available, many multi-thread and multi-tasking systems will either force garbage collection, deletion of unnecessary variables or wait for a duration and try the allocation again.
In the event that there is absolutely no available memory (and all efforts to reclaim memory have been exhausted) it is time to refer to the requirements spec and see what it says.
I thinks it will be very hard to write any reasonably large system without dynamic memory allocation.
But the default memory management is a general memory manager with only very limited guarantees.
If you have specific requirements then you should have written a specialized memory management library that conforms to the requirements that you need.
Sure, there is no problem with this. HOWEVER: failure of an allocation should not cause your program to fail.
This principle extends to real-time programs. A real-time malloc should have an upper time bound; there might be cases in which memory is simply not available in time and it has to return NULL.
Now, one might wonder why a mission-critical system can work when a memory allocation fails. This is simple: "working" is typically not a black-and-white condition. Any interesting mission-critical system has a mix of "SHALL" and "SHOULD" requirements. Dynamic memory allocation can be used when a failure to allocate memory violates a "SHOULD" requirement. E.g. "the system SHALL support 200 widgets and SHOULD support 400" - statically allocate the first 200 widgets and dynamically allocate the next 200.
Well, you can't avoid dynamic allocation. Somehow, somewhere, your stack has to get allocated at the very least. Usually when people start to worry excessively about whether something is on the stack or the heap it's a sign they've gone a bit funny. You can have just as many or more stack related errors as heap related but you can catch the heap related ones pretty easily in testing so long as you avoid libs that use their own memory management. But then C++ is hardly the best language for this sort of app in the first place.
加载中,请稍侯......
精彩评论