diff options
author | Faheel Ahmad <faheel@live.in> | 2018-10-30 11:28:44 +0100 |
---|---|---|
committer | Faheel Ahmad <faheel@live.in> | 2018-10-30 11:28:44 +0100 |
commit | 82143987b35315efd8406082362ad18bb8ccaf29 (patch) | |
tree | 6564c1d97ccde64fa3686982c077834dbad49508 /docs/CODING_STYLE.md | |
parent | Merge pull request #10564 from evverx/lldp-fuzzer (diff) | |
download | systemd-82143987b35315efd8406082362ad18bb8ccaf29.tar.xz systemd-82143987b35315efd8406082362ad18bb8ccaf29.zip |
docs: Convert CODING_STYLE to Markdown
Also fix minor grammatical errors
Diffstat (limited to 'docs/CODING_STYLE.md')
-rw-r--r-- | docs/CODING_STYLE.md | 495 |
1 files changed, 495 insertions, 0 deletions
diff --git a/docs/CODING_STYLE.md b/docs/CODING_STYLE.md new file mode 100644 index 0000000000..64f7a8cddf --- /dev/null +++ b/docs/CODING_STYLE.md @@ -0,0 +1,495 @@ +# Coding style + +- 8ch indent, no tabs, except for files in `man/` which are 2ch indent, + and still no tabs. + +- We prefer `/* comments */` over `// comments` in code you commit, please. This + way `// comments` are left for developers to use for local, temporary + commenting of code for debug purposes (i.e. uncommittable stuff), making such + comments easily discernable from explanatory, documenting code comments + (i.e. committable stuff). + +- Don't break code lines too eagerly. We do **not** force line breaks at 80ch, + all of today's screens should be much larger than that. But then again, don't + overdo it, ~119ch should be enough really. The `.editorconfig`, `.vimrc` and + `.dir-locals.el` files contained in the repository will set this limit up for + you automatically, if you let them (as well as a few other things). + +- Variables and functions **must** be static, unless they have a + prototype, and are supposed to be exported. + +- structs in `PascalCase` (with exceptions, such as public API structs), + variables and functions in `snake_case`. + +- The destructors always deregister the object from the next bigger + object, not the other way around. + +- To minimize strict aliasing violations, we prefer unions over casting. + +- For robustness reasons, destructors should be able to destruct + half-initialized objects, too. + +- Error codes are returned as negative `Exxx`. e.g. `return -EINVAL`. There + are some exceptions: for constructors, it is OK to return `NULL` on + OOM. For lookup functions, `NULL` is fine too for "not found". + + Be strict with this. When you write a function that can fail due to + more than one cause, it *really* should have an `int` as the return value + for the error code. + +- Do not bother with error checking whether writing to stdout/stderr + worked. + +- Do not log errors from "library" code, only do so from "main + program" code. (With one exception: it is OK to log with DEBUG level + from any code, with the exception of maybe inner loops). + +- Always check OOM. There is no excuse. In program code, you can use + `log_oom()` for then printing a short message, but not in "library" code. + +- Do not issue NSS requests (that includes user name and host name + lookups) from PID 1 as this might trigger deadlocks when those + lookups involve synchronously talking to services that we would need + to start up. + +- Do not synchronously talk to any other service from PID 1, due to + risk of deadlocks. + +- Avoid fixed-size string buffers, unless you really know the maximum + size and that maximum size is small. They are a source of errors, + since they possibly result in truncated strings. It is often nicer + to use dynamic memory, `alloca()` or VLAs. If you do allocate fixed-size + strings on the stack, then it is probably only OK if you either + use a maximum size such as `LINE_MAX`, or count in detail the maximum + size a string can have. (`DECIMAL_STR_MAX` and `DECIMAL_STR_WIDTH` + macros are your friends for this!) + + Or in other words, if you use `char buf[256]` then you are likely + doing something wrong! + +- Stay uniform. For example, always use `usec_t` for time + values. Do not mix `usec` and `msec`, and `usec` and whatnot. + +- Make use of `_cleanup_free_` and friends. It makes your code much + nicer to read (and shorter)! + +- Be exceptionally careful when formatting and parsing floating point + numbers. Their syntax is locale dependent (i.e. `5.000` in en_US is + generally understood as 5, while in de_DE as 5000.). + +- Try to use this: + + ```c + void foo() { + } + ``` + + instead of this: + + ```c + void foo() + { + } + ``` + + But it is OK if you do not. + +- Single-line `if` blocks should not be enclosed in `{}`. Use this: + + ```c + if (foobar) + waldo(); + ``` + + instead of this: + + ```c + if (foobar) { + waldo(); + } + ``` + +- Do not write `foo ()`, write `foo()`. + +- Please use `streq()` and `strneq()` instead of `strcmp()`, `strncmp()` where + applicable (i.e. wherever you just care about equality/inequality, not about + the sorting order). + +- Preferably allocate stack variables on the top of the block: + + ```c + { + int a, b; + + a = 5; + b = a; + } + ``` + +- Unless you allocate an array, `double` is always the better choice + than `float`. Processors speak `double` natively anyway, so this is + no speed benefit, and on calls like `printf()` `float`s get promoted + to `double`s anyway, so there is no point. + +- Do not mix function invocations with variable definitions in one + line. Wrong: + + ```c + { + int a = foobar(); + uint64_t x = 7; + } + ``` + + Right: + + ```c + { + int a; + uint64_t x = 7; + + a = foobar(); + } + ``` + +- Use `goto` for cleaning up, and only use it for that. i.e. you may + only jump to the end of a function, and little else. Never jump + backwards! + +- Think about the types you use. If a value cannot sensibly be + negative, do not use `int`, but use `unsigned`. + +- Use `char` only for actual characters. Use `uint8_t` or `int8_t` + when you actually mean a byte-sized signed or unsigned + integers. When referring to a generic byte, we generally prefer the + unsigned variant `uint8_t`. Do not use types based on `short`. They + *never* make sense. Use `int`, `long`, `long long`, all in + unsigned and signed fashion, and the fixed-size types + `uint8_t`, `uint16_t`, `uint32_t`, `uint64_t`, `int8_t`, `int16_t`, `int32_t` and so on, + as well as `size_t`, but nothing else. Do not use kernel types like + `u32` and so on, leave that to the kernel. + +- Public API calls (i.e. functions exported by our shared libraries) + must be marked `_public_` and need to be prefixed with `sd_`. No + other functions should be prefixed like that. + +- In public API calls, you **must** validate all your input arguments for + programming error with `assert_return()` and return a sensible return + code. In all other calls, it is recommended to check for programming + errors with a more brutal `assert()`. We are more forgiving to public + users than for ourselves! Note that `assert()` and `assert_return()` + really only should be used for detecting programming errors, not for + runtime errors. `assert()` and `assert_return()` by usage of `_likely_()` + inform the compiler that he should not expect these checks to fail, + and they inform fellow programmers about the expected validity and + range of parameters. + +- Never use `strtol()`, `atoi()` and similar calls. Use `safe_atoli()`, + `safe_atou32()` and suchlike instead. They are much nicer to use in + most cases and correctly check for parsing errors. + +- For every function you add, think about whether it is a "logging" + function or a "non-logging" function. "Logging" functions do logging + on their own, "non-logging" function never log on their own and + expect their callers to log. All functions in "library" code, + i.e. in `src/shared/` and suchlike must be "non-logging". Every time a + "logging" function calls a "non-logging" function, it should log + about the resulting errors. If a "logging" function calls another + "logging" function, then it should not generate log messages, so + that log messages are not generated twice for the same errors. + +- Avoid static variables, except for caches and very few other + cases. Think about thread-safety! While most of our code is never + used in threaded environments, at least the library code should make + sure it works correctly in them. Instead of doing a lot of locking + for that, we tend to prefer using TLS to do per-thread caching (which + only works for small, fixed-size cache objects), or we disable + caching for any thread that is not the main thread. Use + `is_main_thread()` to detect whether the calling thread is the main + thread. + +- Command line option parsing: + - Do not print full `help()` on error, be specific about the error. + - Do not print messages to stdout on error. + - Do not POSIX_ME_HARDER unless necessary, i.e. avoid `+` in option string. + +- Do not write functions that clobber call-by-reference variables on + failure. Use temporary variables for these cases and change the + passed in variables only on success. + +- When you allocate a file descriptor, it should be made `O_CLOEXEC` + right from the beginning, as none of our files should leak to forked + binaries by default. Hence, whenever you open a file, `O_CLOEXEC` must + be specified, right from the beginning. This also applies to + sockets. Effectively, this means that all invocations to: + + - `open()` must get `O_CLOEXEC` passed, + - `socket()` and `socketpair()` must get `SOCK_CLOEXEC` passed, + - `recvmsg()` must get `MSG_CMSG_CLOEXEC` set, + - `F_DUPFD_CLOEXEC` should be used instead of `F_DUPFD`, and so on, + - invocations of `fopen()` should take `e`. + +- We never use the POSIX version of `basename()` (which glibc defines it in + `libgen.h`), only the GNU version (which glibc defines in `string.h`). + The only reason to include `libgen.h` is because `dirname()` + is needed. Every time you need that please immediately undefine + `basename()`, and add a comment about it, so that no code ever ends up + using the POSIX version! + +- Use the bool type for booleans, not integers. One exception: in public + headers (i.e those in `src/systemd/sd-*.h`) use integers after all, as `bool` + is C99 and in our public APIs we try to stick to C89 (with a few extension). + +- When you invoke certain calls like `unlink()`, or `mkdir_p()` and you + know it is safe to ignore the error it might return (because a later + call would detect the failure anyway, or because the error is in an + error path and you thus couldn't do anything about it anyway), then + make this clear by casting the invocation explicitly to `(void)`. Code + checks like Coverity understand that, and will not complain about + ignored error codes. Hence, please use this: + + ```c + (void) unlink("/foo/bar/baz"); + ``` + + instead of just this: + + ```c + unlink("/foo/bar/baz"); + ``` + + Don't cast function calls to `(void)` that return no error + conditions. Specifically, the various `xyz_unref()` calls that return a `NULL` + object shouldn't be cast to `(void)`, since not using the return value does not + hide any errors. + +- Don't invoke `exit()`, ever. It is not replacement for proper error + handling. Please escalate errors up your call chain, and use normal + `return` to exit from the main function of a process. If you + `fork()`ed off a child process, please use `_exit()` instead of `exit()`, + so that the exit handlers are not run. + +- Please never use `dup()`. Use `fcntl(fd, F_DUPFD_CLOEXEC, 3)` + instead. For two reason: first, you want `O_CLOEXEC` set on the new `fd` + (see above). Second, `dup()` will happily duplicate your `fd` as 0, 1, + 2, i.e. stdin, stdout, stderr, should those `fd`s be closed. Given the + special semantics of those `fd`s, it's probably a good idea to avoid + them. `F_DUPFD_CLOEXEC` with `3` as parameter avoids them. + +- When you define a destructor or `unref()` call for an object, please + accept a `NULL` object and simply treat this as NOP. This is similar + to how libc `free()` works, which accepts `NULL` pointers and becomes a + NOP for them. By following this scheme a lot of `if` checks can be + removed before invoking your destructor, which makes the code + substantially more readable and robust. + +- Related to this: when you define a destructor or `unref()` call for an + object, please make it return the same type it takes and always + return `NULL` from it. This allows writing code like this: + + ```c + p = foobar_unref(p); + ``` + + which will always work regardless if `p` is initialized or not, and + guarantees that `p` is `NULL` afterwards, all in just one line. + +- Use `alloca()`, but never forget that it is not OK to invoke `alloca()` + within a loop or within function call parameters. `alloca()` memory is + released at the end of a function, and not at the end of a `{}` + block. Thus, if you invoke it in a loop, you keep increasing the + stack pointer without ever releasing memory again. (VLAs have better + behavior in this case, so consider using them as an alternative.) + Regarding not using `alloca()` within function parameters, see the + BUGS section of the `alloca(3)` man page. + +- Use `memzero()` or even better `zero()` instead of `memset(..., 0, ...)` + +- Instead of using `memzero()`/`memset()` to initialize structs allocated + on the stack, please try to use c99 structure initializers. It's + short, prettier and actually even faster at execution. Hence: + + ```c + struct foobar t = { + .foo = 7, + .bar = "bazz", + }; + ``` + + instead of: + + ```c + struct foobar t; + zero(t); + t.foo = 7; + t.bar = "bazz"; + ``` + +- When returning a return code from `main()`, please preferably use + `EXIT_FAILURE` and `EXIT_SUCCESS` as defined by libc. + +- The order in which header files are included doesn't matter too + much. systemd-internal headers must not rely on an include order, so + it is safe to include them in any order possible. + However, to not clutter global includes, and to make sure internal + definitions will not affect global headers, please always include the + headers of external components first (these are all headers enclosed + in <>), followed by our own exported headers (usually everything + that's prefixed by `sd-`), and then followed by internal headers. + Furthermore, in all three groups, order all includes alphabetically + so duplicate includes can easily be detected. + +- To implement an endless loop, use `for (;;)` rather than `while (1)`. + The latter is a bit ugly anyway, since you probably really + meant `while (true)`. To avoid the discussion what the right + always-true expression for an infinite while loop is, our + recommendation is to simply write it without any such expression by + using `for (;;)`. + +- Never use the `off_t` type, and particularly avoid it in public + APIs. It's really weirdly defined, as it usually is 64-bit and we + don't support it any other way, but it could in theory also be + 32-bit. Which one it is depends on a compiler switch chosen by the + compiled program, which hence corrupts APIs using it unless they can + also follow the program's choice. Moreover, in systemd we should + parse values the same way on all architectures and cannot expose + `off_t` values over D-Bus. To avoid any confusion regarding conversion + and ABIs, always use simply `uint64_t` directly. + +- Commit message subject lines should be prefixed with an appropriate + component name of some kind. For example "journal: ", "nspawn: " and + so on. + +- Do not use "Signed-Off-By:" in your commit messages. That's a kernel + thing we don't do in the systemd project. + +- Avoid leaving long-running child processes around, i.e. `fork()`s that + are not followed quickly by an `execv()` in the child. Resource + management is unclear in this case, and memory CoW will result in + unexpected penalties in the parent much, much later on. + +- Don't block execution for arbitrary amounts of time using `usleep()` + or a similar call, unless you really know what you do. Just "giving + something some time", or so is a lazy excuse. Always wait for the + proper event, instead of doing time-based poll loops. + +- To determine the length of a constant string `"foo"`, don't bother + with `sizeof("foo")-1`, please use `STRLEN()` instead. + +- If you want to concatenate two or more strings, consider using + `strjoin()` rather than `asprintf()`, as the latter is a lot + slower. This matters particularly in inner loops. + +- Please avoid using global variables as much as you can. And if you + do use them make sure they are static at least, instead of + exported. Especially in library-like code it is important to avoid + global variables. Why are global variables bad? They usually hinder + generic reusability of code (since they break in threaded programs, + and usually would require locking there), and as the code using them + has side-effects make programs non-transparent. That said, there are + many cases where they explicitly make a lot of sense, and are OK to + use. For example, the log level and target in `log.c` is stored in a + global variable, and that's OK and probably expected by most. Also + in many cases we cache data in global variables. If you add more + caches like this, please be careful however, and think about + threading. Only use static variables if you are sure that + thread-safety doesn't matter in your case. Alternatively, consider + using TLS, which is pretty easy to use with gcc's `thread_local` + concept. It's also OK to store data that is inherently global in + global variables, for example data parsed from command lines, see + below. + +- If you parse a command line, and want to store the parsed parameters + in global variables, please consider prefixing their names with + `arg_`. We have been following this naming rule in most of our + tools, and we should continue to do so, as it makes it easy to + identify command line parameter variables, and makes it clear why it + is OK that they are global variables. + +- When exposing public C APIs, be careful what function parameters you make + `const`. For example, a parameter taking a context object should probably not + be `const`, even if you are writing an otherwise read-only accessor function + for it. The reason is that making it `const` fixates the contract that your + call won't alter the object ever, as part of the API. However, that's often + quite a promise, given that this even prohibits object-internal caching or + lazy initialization of object variables. Moreover, it's usually not too useful + for client applications. Hence, please be careful and avoid `const` on object + parameters, unless you are very sure `const` is appropriate. + +- Make sure to enforce limits on every user controllable resource. If the user + can allocate resources in your code, your code must enforce some form of + limits after which it will refuse operation. It's fine if it is hard-coded (at + least initially), but it needs to be there. This is particularly important + for objects that unprivileged users may allocate, but also matters for + everything else any user may allocated. + +- `htonl()`/`ntohl()` and `htons()`/`ntohs()` are weird. Please use `htobe32()` and + `htobe16()` instead, it's much more descriptive, and actually says what really + is happening, after all `htonl()` and `htons()` don't operate on `long`s and + `short`s as their name would suggest, but on `uint32_t` and `uint16_t`. Also, + "network byte order" is just a weird name for "big endian", hence we might + want to call it "big endian" right-away. + +- You might wonder what kind of common code belongs in `src/shared/` and what + belongs in `src/basic/`. The split is like this: anything that uses public APIs + we expose (i.e. any of the sd-bus, sd-login, sd-id128, ... APIs) must be + located in `src/shared/`. All stuff that only uses external libraries from + other projects (such as glibc's APIs), or APIs from `src/basic/` itself should + be placed in `src/basic/`. Conversely, `src/libsystemd/` may only use symbols + from `src/basic`, but not from `src/shared/`. + + To summarize: + + `src/basic/` + - may be used by all code in the tree + - may not use any code outside of `src/basic/` + + `src/libsystemd/` + - may be used by all code in the tree, except for code in `src/basic/` + - may not use any code outside of `src/basic/`, `src/libsystemd/` + + `src/shared/` + - may be used by all code in the tree, except for code in `src/basic/`, `src/libsystemd/` + - may not use any code outside of `src/basic/`, `src/libsystemd/`, `src/shared/` + +- Our focus is on the GNU libc (glibc), not any other libcs. If other libcs are + incompatible with glibc it's on them. However, if there are equivalent POSIX + and Linux/GNU-specific APIs, we generally prefer the POSIX APIs. If there + aren't, we are happy to use GNU or Linux APIs, and expect non-GNU + implementations of libc to catch up with glibc. + +- Whenever installing a signal handler, make sure to set `SA_RESTART` for it, so + that interrupted system calls are automatically restarted, and we minimize + hassles with handling `EINTR` (in particular as `EINTR` handling is pretty broken + on Linux). + +- When applying C-style unescaping as well as specifier expansion on the same + string, always apply the C-style unescaping fist, followed by the specifier + expansion. When doing the reverse, make sure to escape `%` in specifier-style + first (i.e. `%` → `%%`), and then do C-style escaping where necessary. + +- It's a good idea to use `O_NONBLOCK` when opening 'foreign' regular files, i.e. + file system objects that are supposed to be regular files whose paths where + specified by the user and hence might actually refer to other types of file + system objects. This is a good idea so that we don't end up blocking on + 'strange' file nodes, for example if the user pointed us to a FIFO or device + node which may block when opening. Moreover even for actual regular files + `O_NONBLOCK` has a benefit: it bypasses any mandatory lock that might be in + effect on the regular file. If in doubt consider turning off `O_NONBLOCK` again + after opening. + +- When referring to a configuration file option in the documentation and such, + please always suffix it with `=`, to indicate that it is a configuration file + setting. + +- When referring to a command line option in the documentation and such, please + always prefix with `--` or `-` (as appropriate), to indicate that it is a + command line option. + +- When referring to a file system path that is a directory, please always + suffix it with `/`, to indicate that it is a directory, not a regular file + (or other file system object). + +- Don't use `fgets()`, it's too hard to properly handle errors such as overly + long lines. Use `read_line()` instead, which is our own function that handles + this much nicer. |