Resources for memory management in embedded application

How should I manage memory in my mission-critical embedded application?

I found some articles with Google, but couldn't pinpoint a really useful practical guide.

DO-178B forbids dynamic memory allocation, but how will you manage the memory then? Preallocate everything in advance and send a pointer to each function that needs allocation? Allocate it on the stack? Use a global static allocator (but then it's very similar to dynamic allocation)?

Answers can be in the form of a regular answer, a reference to a resource, or a reference to a good open-source embedded system, for example.

Clarification: the issue here is not whether or not memory management is available for the embedded system, but what a good design for an embedded system is, to maximize reliability.

I don't understand why statically preallocating a buffer pool, and dynamically getting and dropping from it, is different from dynamically allocating memory.

As someone who has dealt with embedded systems, though not to such rigor so far (I have read DO-178B, though):

  • If you look at the u-boot bootloader, a lot is done with a globally placed structure. Depending on your exact application, you may be able to get away with a global structure and stack. Of course, there are re-entrancy and related issues there that don't really apply to a bootloader but might for you.
  • Preallocate, preallocate, preallocate. If you can bind the size of an array/list structure/etc. at design time, declare it as a global (or static global -- look Ma, encapsulation).
  • The stack is very useful; use it where needed -- but be careful, as it can be easy to keep allocating off of it until you have no stack space left. Some code I once found myself debugging would allocate 1k buffers for string management in multiple functions... occasionally, the usage of the buffers would hit another program's stack space, as the default stack size was 4k.
  • The buffer pool case may depend on exactly how it's implemented. If you know you need to pass around fixed-size buffers of a size known at compile time, dealing with a buffer pool is likely easier to demonstrate correctness for than a complete dynamic allocator. You just need to verify buffers cannot be lost, and validate that your handling won't fail. There seem to be some good tips here: http://www.cotsjournalonline.com/articles/view/101217

Really, though, I think your answers might be found in joining http://www.do178site.com/

I've worked in a DO-178B environment (systems for airplanes). What I have understood is that the main reason for not allowing dynamic allocation is mainly certification. Certification is done through tests (unit, coverage, integration, ...). With those tests you have to prove that the behavior of your program is 100% predictable, nearly to the point that the memory footprint of your process is the same from one execution to the next. As dynamic allocation is done on the heap (and can fail) you cannot easily prove that (I imagine it should be possible if you master all the tools from the hardware to any piece of code written, but ...). You do not have this problem with static allocation. That is also why C++ was not used at this time in such environments. (It was about 15 years ago; that might have changed ...)

Practically, you have to write a lot of struct pools and allocation functions that guarantee that you have something deterministic. You can imagine a lot of solutions. The key is that you have to prove (with TONS of tests) a high level of deterministic behavior. It's easier to prove that your hand-crafted development works deterministically than to prove that Linux + gcc is deterministic in allocating memory.

Just my 2 cents. It was a long time ago, things might have changed, but concerning certification like DO-178B, the point is to prove your app will work the same any time in any context.

Real-time, long-running, mission-critical systems should not dynamically allocate and free memory from the heap. If you need to and cannot design around it, then write your own allocated and fixed pool management scheme. Yes, allocate fixed ahead of time whenever possible. Anything else is asking for eventual trouble.

Disclaimer: I've not worked specifically with DO-178B, but I have written software for certified systems.

On the certified systems for which I have been a developer, ...

  1. Dynamic memory allocation was acceptable ONLY during the initialization phase.
  2. Dynamic memory de-allocation was NEVER acceptable.

This left us with the following options ...

  • Use statically allocated structures.
  • Create a pool of structures and then get/release them from/back to the pool.
  • For flexibility, we could dynamically allocate the size of the pools or the number of structures during the initialization phase. However, once past that init phase, we were stuck with what we had.

Our company found that pools of structures, with get/release from/back into the pool, was most useful. We were able to keep to the model, and keep things deterministic with minimal problems.

Hope that helps.
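The question asks why a statically preallocated pool with get/release is any different from dynamic allocation, and three of the answers above describe the same scheme: fixed-size struct pools, sized during an initialization phase, and never handed back to a heap afterwards. The C program below is an added example, not code from this thread, from u-boot, from FreeRTOS or from any certified project. It shows one way to build that scheme: a static arena that only hands out memory until initialization is declared complete, a fixed-block pool carved from that arena, and get/release operations that run in constant time, report exhaustion as a return value instead of failing unpredictably, and detect double-released, foreign and leaked blocks. The arena size, the pool geometry and the names arena_alloc, arena_freeze, pool_create, pool_get, pool_put and pool_selftest are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The whole memory budget is one statically allocated arena (assumed size);
   the union forces 8-byte alignment of the storage. */
#define ARENA_SIZE 4096u
static union { uint64_t align; uint8_t bytes[ARENA_SIZE]; } g_arena;
static size_t g_arena_used = 0;
static bool   g_init_done  = false;

/* Bump-allocate out of the arena. Legal only during the init phase; nothing is ever returned. */
void *arena_alloc(size_t size, size_t align)
{
    if (g_init_done) return NULL;                                 /* runtime phase: refuse */
    if (align == 0 || (align & (align - 1)) != 0) return NULL;    /* power-of-two alignment only */
    size_t start = (g_arena_used + align - 1) & ~(align - 1);
    if (start > ARENA_SIZE || size > ARENA_SIZE - start) return NULL; /* overflow-safe bound */
    g_arena_used = start + size;
    return &g_arena.bytes[start];
}

/* Called once when initialization is complete; from here on the layout is frozen. */
void arena_freeze(void) { g_init_done = true; }

#define POOL_NONE 0xFFFFu

typedef struct {
    uint8_t  *blocks;       /* count * block_size bytes, carved from the arena */
    uint16_t *next;         /* free-list link per block (an index, not a pointer) */
    uint8_t  *in_use;       /* 1 while handed out: catches double release and counts leaks */
    size_t    block_size;
    uint16_t  count;
    uint16_t  free_head;
    uint16_t  outstanding;
} pool_t;

/* Size the pool during init; after arena_freeze() this fails because arena_alloc() does. */
bool pool_create(pool_t *p, size_t block_size, uint16_t count)
{
    if (block_size == 0 || count == 0 || count == POOL_NONE) return false;
    block_size = (block_size + 7u) & ~(size_t)7u;                 /* keep blocks 8-byte aligned */
    if (block_size > ARENA_SIZE / count) return false;            /* product would overflow/exceed */
    p->blocks = arena_alloc(block_size * count, 8);
    p->next   = arena_alloc(sizeof(uint16_t) * count, sizeof(uint16_t));
    p->in_use = arena_alloc(count, 1);
    if (!p->blocks || !p->next || !p->in_use) return false;
    for (uint16_t i = 0; i < count; i++) { p->next[i] = (uint16_t)(i + 1); p->in_use[i] = 0; }
    p->next[count - 1] = POOL_NONE;
    p->block_size = block_size; p->count = count;
    p->free_head = 0; p->outstanding = 0;
    return true;
}

/* O(1), no heap, no fragmentation. NULL means "pool exhausted", a case the caller must handle. */
void *pool_get(pool_t *p)
{
    uint16_t i = p->free_head;
    if (i == POOL_NONE) return NULL;
    p->free_head = p->next[i];
    p->in_use[i] = 1;
    p->outstanding++;
    return p->blocks + (size_t)i * p->block_size;
}

/* 0 on success, -1 if ptr is not a block boundary of this pool, -2 if the block is already free. */
int pool_put(pool_t *p, void *ptr)
{
    uintptr_t lo = (uintptr_t)p->blocks, hi = lo + (uintptr_t)p->count * p->block_size;
    uintptr_t a  = (uintptr_t)ptr;
    if (a < lo || a >= hi || (a - lo) % p->block_size != 0) return -1;
    uint16_t i = (uint16_t)((a - lo) / p->block_size);
    if (!p->in_use[i]) return -2;
    p->in_use[i] = 0;
    p->next[i] = p->free_head;
    p->free_head = i;
    p->outstanding--;
    return 0;
}

uint16_t pool_outstanding(const pool_t *p) { return p->outstanding; }

/* Constructed scenario: size a 4 x 24-byte message pool at init, freeze, then exercise exhaustion,
   release, double release, foreign and interior pointers, and a leak count.
   Returns 0 if every check held, otherwise the number of the first failed check. */
static pool_t g_msg_pool;
int pool_selftest(void)
{
    static uint8_t foreign[32];                                   /* memory that is not in the pool */
    if (!pool_create(&g_msg_pool, 24, 4)) return 1;
    arena_freeze();
    if (arena_alloc(1, 1) != NULL) return 2;                      /* no allocation after init */
    void *m[4];
    for (int i = 0; i < 4; i++) if ((m[i] = pool_get(&g_msg_pool)) == NULL) return 3;
    if (pool_get(&g_msg_pool) != NULL) return 4;                  /* exhausted: NULL, not a crash */
    if (pool_put(&g_msg_pool, m[1]) != 0) return 5;
    if (pool_put(&g_msg_pool, m[1]) != -2) return 6;              /* double release detected */
    if (pool_put(&g_msg_pool, foreign) != -1) return 7;           /* pointer not from this pool */
    if (pool_put(&g_msg_pool, (uint8_t *)m[2] + 1) != -1) return 8; /* interior pointer rejected */
    if (pool_get(&g_msg_pool) != m[1]) return 9;                  /* released block is reused */
    for (int i = 0; i < 4; i++) if (pool_put(&g_msg_pool, m[i]) != 0) return 10;
    return pool_outstanding(&g_msg_pool) == 0 ? 0 : 11;           /* nothing leaked */
}

int main(void)
{
    int r = pool_selftest();
    printf("pool self-test: %s (%d)\n", r == 0 ? "ok" : "FAILED", r);
    return r;
}
```

What distinguishes this from a general-purpose malloc() is not that allocation can never fail but that the set of outcomes is small and enumerable: every block has the same size, so there is no fragmentation and no size-dependent search; pool_get() either returns a block or returns NULL in constant time; and pool_put() validates its argument instead of corrupting a free list on bad input. Those are the properties that tests can actually demonstrate, and pool_outstanding() gives the "buffers cannot be lost" check that the first answer asks for. The example is single-threaded; if blocks are taken or released from interrupt context or from several RTOS tasks, pool_get() and pool_put() need a critical section around the free-list update.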

Allocating everything from the stack is commonly done in embedded systems, or elsewhere where the possibility of an allocation failing is unacceptable. I don't know what DO-178B is, but if the problem is that malloc is not available on your platform, you can also implement it yourself (implementing your own heap), but this still may lead to an allocation failing when you run out of space, of course.

There's no way to be 100% sure.

You may look at FreeRTOS' memory allocator examples. Those use a static pool, if I'm not mistaken.

You might find this question interesting as well; dynamic allocation is often prohibited in space-hardened settings (actually, core memory is still useful there).

Typically, when malloc() is not available, I just use the stack. As Tronic said, the whole reason behind not using malloc() is that it can fail. If you are using a global static pool, it is conceivable that your internal malloc() implementation could be made fail-proof.

It really, really, really depends on the task at hand and what the board is going to be exposed to.
