[cap-talk] Claim: correct generic wrapping is not possible in principle
David Wagner
daw at cs.berkeley.edu
Mon Jan 1 10:18:03 CST 2007
Thanks for your comments on embedded systems. They're helpful.
Let me follow up on one point, for my own understanding:
David Hopwood writes:
>As it happens, the embedded system I'm working on at the moment (a printer)
>uses linked structures within a statically allocated array.
How does it help to allocate those structures from a statically allocated
array, instead of from the heap? Isn't that statically allocated array
just a heap in disguise, making your code just malloc() in disguise?
Why would the resource exhaustion issues be significantly different for
linked structures within a statically allocated array (which sounds
to me like an open-coded malloc()), as compared to any other kind of
dynamic allocation (e.g., an explicit call to malloc())?
I'm sure you can specialize the behavior of your dynamic allocator for
this particular use, since you know it will only be used in this one way,
but it's still a dynamic allocator, so you still need to prove that
no dynamic allocation attempt will ever exceed the amount of storage
available in that statically allocated array. I don't see why proving
that no memory allocation attempt will ever fail is any easier to do
when the program calls Hopwood_malloc() to allocate out of a statically
allocated array, than it would be if you called malloc() for that one
purpose.
Obviously, limiting the use of dynamic allocation to the bare minimum
necessary makes it far easier to reason about dynamic allocation. But I
don't see why allocating out of a statically allocated array as opposed
to out of the heap would change anything.
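The allocator this message argues about, written out as an added example that is not part of the thread or of either poster's code: a free list threaded through a statically allocated array, which is exactly an open-coded malloc()/free() pair, and the static bound that has to hold before one can claim it never runs dry. The names (node_t, pool_*, POOL_SIZE, MAX_LIVE_NODES) are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: a fixed pool of list nodes carved out of a
 * statically allocated array. POOL_SIZE is an assumed pool capacity. */
#define POOL_SIZE 8

typedef struct node {
    struct node *next;   /* link field; also threads the free list */
    uint32_t payload;
} node_t;

/* The static array: the "heap in disguise". */
static node_t pool[POOL_SIZE];
static node_t *free_list;   /* head of the free list inside pool[] */
static size_t in_use;

/* Build the free list so every slot is available. */
void pool_init(void)
{
    memset(pool, 0, sizeof pool);
    for (size_t i = 0; i + 1 < POOL_SIZE; i++)
        pool[i].next = &pool[i + 1];
    pool[POOL_SIZE - 1].next = NULL;
    free_list = &pool[0];
    in_use = 0;
}

/* Open-coded malloc(): pop a node, or fail with NULL when the array
 * is exhausted. The failure mode is the same one malloc() has. */
node_t *pool_alloc(void)
{
    node_t *n = free_list;
    if (n == NULL)
        return NULL;
    free_list = n->next;
    n->next = NULL;
    in_use++;
    return n;
}

/* Open-coded free(): push the node back onto the free list. */
void pool_free(node_t *n)
{
    if (n == NULL)
        return;
    n->next = free_list;
    free_list = n;
    in_use--;
}

size_t pool_in_use(void) { return in_use; }

/* Try to hold `want` nodes at once; report how many the pool actually
 * gave out before it ran dry, then release them all. */
size_t pool_probe(size_t want)
{
    node_t *head = NULL;
    size_t got = 0;
    for (size_t i = 0; i < want; i++) {
        node_t *n = pool_alloc();
        if (n == NULL)
            break;          /* exhaustion: same obligation as with malloc() */
        n->next = head;
        head = n;
        got++;
    }
    while (head != NULL) {
        node_t *next = head->next;
        pool_free(head);
        head = next;
    }
    return got;
}

/* The proof obligation the thread talks about, in its simplest form:
 * the application's worst-case number of simultaneously live nodes
 * (MAX_LIVE_NODES, an assumed application constant) must fit the array.
 * Without a bound like this, the static array buys nothing over malloc(). */
#define MAX_LIVE_NODES 6
_Static_assert(MAX_LIVE_NODES <= POOL_SIZE, "pool can be exhausted: raise POOL_SIZE");

int main(void)
{
    pool_init();
    printf("asked for %d, got %zu\n", POOL_SIZE + 3, pool_probe(POOL_SIZE + 3));
    return 0;
}
```

The point the code makes is that pool_alloc() can return NULL just as malloc() can; what actually discharges the exhaustion question is the bound on live objects (here the _Static_assert), and that bound is no easier to establish because the storage is a static array rather than the heap.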