D
Don Y
Hi Ian,
And apparently have never considered someone else deploying
it in an UNCONSTRAINED manner (i.e., observing ONLY the
constraints that you have PUBLISHED for it).
Or, operated in a vanilla, "UMA-esque" environment.
And you quite obviously don't test in all the dark corners!
(since you can't *force* the function to operate in those
places without exercising control over the input conditions!)
*When* your heap ends up at 0xFFFFFFFF, *will* the code
work? Will it *know* that the address space "ends" at
that single byte? Will your pointer arithmetic just
silently wrap around and start treating "low memory"
(i.e., at 0x00000000) as the *real* part of the heap?
How will you know how your code behaves in that case?
How will you PROVE it to others?
Or, will you just wait until "fate" causes your heap
to move into some "risky place" that you hadn't
anticipated or accurately protected against in your
implementation?
Will your defense, in that situation, be "Well, you're
not supposed to put the heap *there*!"? Vaguely
reminiscent of folks complaining when users do things
they "aren't supposed to do"...?
I've watched all sorts of "portable" code fail because
of assumptions that the developers never made explicit.
Move the heap to 0x80000000 and suddenly nothing works!
("Ah, 0x80000000 looks like a 'negative' long and your
pointer math thinks of everything as unsigned...")
Pointers wrapping around the end (or *start*) of
memory, etc.
If you want to make assumptions, fine. But then you have
to put them in the contract so everyone else knows what
the rules are: "Don't try to use this allocator on a
64 bit machine because it can't handle chunks larger
than 4G (2G?)" "Don't use this allocator with heaps
that abut the end of memory because the pointer arithmetic
doesn't check for overflow/wraparound".
I prefer handling all cases -- and being able to *validate*
that compliance.
It hasn't stopped me in the past and I have quite a few (embedded)
allocators and (hosted) test suites.
And apparently have never considered someone else deploying
it in an UNCONSTRAINED manner (i.e., observing ONLY the
constraints that you have PUBLISHED for it).
Or, operated in a vanilla, "UMA-esque" environment.
No. I don't make assumptions about values.
And you quite obviously don't test in all the dark corners!
(since you can't *force* the function to operate in those
places without exercising control over the input conditions!)
*When* your heap ends up at 0xFFFFFFFF, *will* the code
work? Will it *know* that the address space "ends" at
that single byte? Will your pointer arithmetic just
silently wrap around and start treating "low memory"
(i.e., at 0x00000000) as the *real* part of the heap?
How will you know how your code behaves in that case?
How will you PROVE it to others?
Or, will you just wait until "fate" causes your heap
to move into some "risky place" that you hadn't
anticipated or accurately protected against in your
implementation?
Will your defense, in that situation, be "Well, you're
not supposed to put the heap *there*!"? Vaguely
reminiscent of folks complaining when users do things
they "aren't supposed to do"...?
I've watched all sorts of "portable" code fail because
of assumptions that the developers never made explicit.
Move the heap to 0x80000000 and suddenly nothing works!
("Ah, 0x80000000 looks like a 'negative' long and your
pointer math thinks of everything as unsigned...")
Pointers wrapping around the end (or *start*) of
memory, etc.
If you want to make assumptions, fine. But then you have
to put them in the contract so everyone else knows what
the rules are: "Don't try to use this allocator on a
64 bit machine because it can't handle chunks larger
than 4G (2G?)" "Don't use this allocator with heaps
that abut the end of memory because the pointer arithmetic
doesn't check for overflow/wraparound".
I prefer handling all cases -- and being able to *validate*
that compliance.