MISRA and similar rules are about ensuring that code is provably correct. This is important when engineers are personally liable for the failure of life-critical or safety-critical systems. Avoiding dynamic allocations avoids non-deterministic effects and significantly reduces the complexity of formal proof of code correctness.
All of this stuff is not very relevant for Windows or any other virtual memory system, as failures can happen at any point for reasons entirely beyond your control.
Sent from Surface Pro
From: Maxim S. Shatskih
Sent: Tuesday, March 31, 2015 12:20 AM
To: Windows System Software Devs Interest List
> Just one minor correction – if char DeviceName is inside of a block
> then it is an automatic variable (stack allocated)
Oh yes, let’s overflow the stack
Stack-allocated variables are evil, at least in most OS kernels where you have very limited stack space. I doubt that the embedded world has a less strict stack size limit than the Windows kernel.
The world is exactly vice versa to what MISRA suggests
> hr = pDevEnum->CreateClassEnumerator(CLSID_VideoInputDeviceCategory, &pEnum, 0);
Don’t you understand that this line of code will do probably like 100 alloc/free calls in it?
> In my opinion there is no point in allowing video capture (or any other
> device) drivers to waste up to 64KB of memory per device attached.
Correct. That’s why dynamic allocations are here.
It is absolutely amazing (I would say it is the monthly greatest thread on this forum) to avoid dynamic allocations working with DirectShow on Windows, which are surely written to a paradigm perpendicular to what MISRA suggests?
> symbolic links for devices with 32,767 Unicode characters is some sort
> of “future proof” design?
Modern (i.e. 1990-up) OSes just avoid any such limits. The limit is “up to memory permits” or “up to datatype size permits” (as for strings).
The MAX_PATH limit in Windows is MS-DOS legacy from 1980ies, and native Windows layers are free from it.
> Also suggestion to “just use CString” is bad because BSTR returned by
> reading the property bag can contain embedded null characters
DirectShow device name (which is in turn PnP devinterface name) contains embedded NULLs?
> could theoretically truncate the string and break your code.
At least the code will not crash miserably, as what MISRA-compliant code will do
The code will just fail on device open.
–
Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com
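The embedded-NUL point above (a BSTR is length-prefixed, so treating it as a NUL-terminated C string silently drops everything after the first NUL) and the fixed-buffer point (a copy into a bounded buffer should fail cleanly instead of overflowing) can both be shown in a few lines. The code below is an added illustration, not code from this thread or from DirectShow; it models a BSTR as a small constructed struct (`bstr_model`, with the byte length stored beside the characters rather than in front of the pointer as a real `SysAllocString` result would have it) so that it runs without COM. The sample name `cam\0dev` is constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <wchar.h>

/* Toy model of a COM BSTR: a length prefix in bytes (excluding the
 * terminating NUL) plus the wide characters. Constructed for this
 * example; a real BSTR comes from SysAllocString and keeps the prefix
 * in the four bytes just before the character pointer. */
typedef struct {
    uint32_t byte_len;
    wchar_t  chars[16];
} bstr_model;

/* Constructed sample: a 7-character name with an embedded NUL after "cam". */
static const bstr_model sample_name = { 7 * sizeof(wchar_t), L"cam\0dev" };

/* Character count the BSTR actually carries, taken from the prefix. */
size_t bstr_char_len(const bstr_model *s)
{
    return s->byte_len / sizeof(wchar_t);
}

/* The "just treat it as a C string" copy: wcslen stops at the first NUL,
 * so "dev" is silently lost. Returns the number of characters copied. */
size_t naive_copy(const bstr_model *s, wchar_t *dst, size_t cap)
{
    size_t n = wcslen(s->chars);        /* 3 for the sample, not 7 */
    if (cap == 0)
        return 0;
    if (n + 1 > cap)
        n = cap - 1;                    /* truncates rather than overflows */
    wmemcpy(dst, s->chars, n);
    dst[n] = L'\0';
    return n;
}

/* Length-aware copy into a fixed buffer: uses the prefix, keeps the
 * embedded NUL, and refuses (returns -1) when the name does not fit.
 * That is the "fail on device open" outcome instead of a stack overflow
 * or a silently truncated name. Returns the character count on success. */
int bounded_copy(const bstr_model *s, wchar_t *dst, size_t cap)
{
    size_t n = bstr_char_len(s);
    if (cap == 0 || n > cap - 1)
        return -1;
    wmemcpy(dst, s->chars, n);
    dst[n] = L'\0';
    return (int)n;
}

int main(void)
{
    wchar_t buf[8];
    printf("prefix says %zu chars\n", bstr_char_len(&sample_name));
    printf("naive copy kept %zu chars\n", naive_copy(&sample_name, buf, 8));
    printf("bounded copy into 8: %d\n", bounded_copy(&sample_name, buf, 8));
    printf("bounded copy into 4: %d\n", bounded_copy(&sample_name, buf, 4));
    return 0;
}
```

The difference to notice is that both copies are memory-safe, but only the length-aware one preserves what the property bag returned; a caller that later compares the truncated name against the PnP interface name will simply never match.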