dynamic-allocationsafety-criticalmemory-safety

Alternatives to dynamic allocations in safety critical projects (C)


Safety critical projects do not recommend any dynamic allocations or freeing allocated memory. Only during elaboration/initialization phase of the program execution, it is allowed.

I know most of you will argue to implement SW in terms where it should do all static allocations only or do some justification in the code that dynamic allocations will not harm the overall program,etc but still, Is there any alternative to this problem? Is there any way or any example to kind of allocate some (heap) memory during program initialization/elaboration and allocate/deallocate memory from over there? Or any solutions/alternatives to this problem if we really want dynamic allocations in the (safety critical) project?


Solution

  • This type of question is asked most often by developers who want to be able to use dynamic memory allocation within a safety-related system without "undue" restrictions - which quite often seems to mean they are not prevented from dynamically allocating memory in amounts they choose, when they choose, and (possibly) releasing that memory when they choose.

    I'll address that question (can dynamic memory allocation be used in a critical system without restrictions?) first. Then I'll come back to options involving accepting some restrictions on how (when, or if) dynamic memory allocation is used.

    Within a "safety critical project", such a thing is generally not possible. Safety related systems generally have mandatory requirements concerned with mitigating or eliminating specified hazards. Failure to adequately mitigate or eliminate specified hazards (i.e. to meet the requirements) can result in harm - for example, death or injury of people. In such systems, it is generally necessary to determine, to some level of rigour, that the hazards are appropriately and reliably mitigated or eliminated. A consequence of this is typically a set of requirements related to determinism - the ability to determine, through appropriate analysis, that the system completes actions in a specified manner - where attributes like behaviour and timing are tightly specified.

    If dynamic memory allocation is used without restriction, it is difficult to determine if parts of the system behave as required. Types of problems include;

    All of these factors, and more, mean that unrestricted dynamic memory allocation does not work well within requirements for determinism of timing or resource usage of the system. Inherently, system requirements require some restrictions to be imposed and, depending on the system, enforced.

    If restrictions on dynamic memory allocation are acceptable, there are options. Generally, these techniques require support both in terms of policy constraints and technical solutions to encourage (preferably enforce, in high criticality systems) compliance with those policies. Policy enforcement may be technical (e.g. automated and manual design and code reviews, tailored development environments, compliance testing, etc etc) or organisational (e.g. dismissing developers who willfully work around key policies).

    Examples of techniques include;

    Some of these approaches can be used to support each other.