- 8ch indent, no tabs, except for files in man/ which are 2ch indent,
  and still no tabs

- We prefer /* comments */ over // comments in code you commit, please. This
  way // comments are left for developers to use for local, temporary
  commenting of code for debug purposes (i.e. uncommittable stuff), making such
  comments easily discernible from explanatory, documenting code comments
  (i.e. committable stuff).

- Don't break code lines too eagerly. We do *not* force line breaks at
  80ch, all of today's screens should be much larger than that. But
  then again, don't overdo it, ~119ch should be enough really.

- Variables and functions *must* be static, unless they have a
  prototype, and are supposed to be exported.

- structs in MixedCase (with exceptions, such as public API structs),
  variables + functions in lower_case.

- The destructors always unregister the object from the next bigger
  object, not the other way around.

- To minimize strict aliasing violations, we prefer unions over casting.

- For robustness reasons, destructors should be able to destruct
  half-initialized objects, too.

- Error codes are returned as negative Exxx, e.g. return -EINVAL. There
  are some exceptions: for constructors, it is OK to return NULL on
  OOM. For lookup functions, NULL is fine too for "not found".

  Be strict with this. When you write a function that can fail due to
  more than one cause, it *really* should have "int" as return value
  for the error code.

- Do not bother with error checking whether writing to stdout/stderr
  worked.

- Do not log errors from "library" code, only do so from "main
  program" code. (With one exception: it is OK to log with DEBUG level
  from any code, with the exception of maybe inner loops.)

- Always check OOM. There is no excuse. In program code, you can use
  "log_oom()" for then printing a short message, but not in "library" code.

- Do not issue NSS requests (that includes user name and host name
  lookups) from PID 1 as this might trigger deadlocks when those
  lookups involve synchronously talking to services that we would need
  to start up.

- Do not synchronously talk to any other service from PID 1, due to
  the risk of deadlocks.

- Avoid fixed-size string buffers, unless you really know the maximum
  size and that maximum size is small. They are a source of errors,
  since they possibly result in truncated strings. It is often nicer
  to use dynamic memory, alloca() or VLAs. If you do allocate fixed-size
  strings on the stack, then it is probably only OK if you either
  use a maximum size such as LINE_MAX, or count in detail the maximum
  size a string can have. (DECIMAL_STR_MAX and DECIMAL_STR_WIDTH
  macros are your friends for this!)

  Or in other words, if you use "char buf[256]" then you are likely
  doing something wrong!

- Stay uniform. For example, always use "usec_t" for time
  values. Do not mix usec and msec, and usec and whatnot.

- Make use of _cleanup_free_ and friends. It makes your code much
  nicer to read!

- Be exceptionally careful when formatting and parsing floating point
  numbers. Their syntax is locale dependent (i.e. "5.000" in en_US is
  generally understood as 5, while on de_DE as 5000.).

- Try to use this:

          void foo() {
          }

  instead of this:

          void foo()
          {
          }

  But it is OK if you do not.

- Single-line "if" blocks should not be enclosed in {}. Use this:

          if (foobar)
                  waldo();

  instead of this:

          if (foobar) {
                  waldo();
          }

- Do not write "foo ()", write "foo()".

- Please use streq() and strneq() instead of strcmp(), strncmp() where applicable.

- Please do not allocate variables on the stack in the middle of code,
  even if C99 allows it. Wrong:

          {
                  a = 5;
                  int b;
                  b = a;
          }

  Right:

          {
                  int b;
                  a = 5;
                  b = a;
          }

- Unless you allocate an array, "double" is always the better choice
  than "float". Processors speak "double" natively anyway, so this is
  no speed benefit, and on calls like printf() "float"s get promoted
  to "double"s anyway, so there is no point.

- Do not mix function invocations with variable definitions in one
  line. Wrong:

          {
                  int a = foobar();
                  uint64_t x = 7;
          }

  Right:

          {
                  int a;
                  uint64_t x = 7;

                  a = foobar();
          }

- Use "goto" for cleaning up, and only use it for that. That is, you may
  only jump to the end of a function, and little else. Never jump
  backwards!

- Think about the types you use. If a value cannot sensibly be
  negative, do not use "int", but use "unsigned".

- Use "char" only for actual characters. Use "uint8_t" or "int8_t"
  when you actually mean a byte-sized signed or unsigned
  integer. When referring to a generic byte, we generally prefer the
  unsigned variant "uint8_t". Do not use types based on "short". They
  *never* make sense. Use ints, longs, long longs, all in
  unsigned+signed fashion, and the fixed size types
  uint8_t/uint16_t/uint32_t/uint64_t/int8_t/int16_t/int32_t and so on,
  as well as size_t, but nothing else. Do not use kernel types like
  u32 and so on, leave that to the kernel.

- Public API calls (i.e. functions exported by our shared libraries)
  must be marked "_public_" and need to be prefixed with "sd_". No
  other functions should be prefixed like that.

- In public API calls, you *must* validate all your input arguments for
  programming errors with assert_return() and return a sensible return
  code. In all other calls, it is recommended to check for programming
  errors with a more brutal assert(). We are more forgiving to public
  users than to ourselves! Note that assert() and assert_return()
  really only should be used for detecting programming errors, not for
  runtime errors. assert() and assert_return(), by usage of _likely_(),
  inform the compiler that it should not expect these checks to fail,
  and they inform fellow programmers about the expected validity and
  range of parameters.

- Never use strtol(), atoi() and similar calls. Use safe_atoli(),
  safe_atou32() and suchlike instead. They are much nicer to use in
  most cases and correctly check for parsing errors.

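  As an added illustration of three rules above (negative errno return
  codes, no logging from "library" code, and no unchecked strtol()/atoi()),
  the following is a hypothetical, simplified stand-in for safe_atou32() and
  is not systemd's own code; parse_u32() and main_parse_limit() are invented
  names.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for systemd's safe_atou32(), not the real thing.
 * "Non-logging" library-style code: returns 0 on success and a negative
 * errno on failure, and writes *ret only on success so a caller's variable
 * is never clobbered by a failed call. */
static int parse_u32(const char *s, uint32_t *ret) {
        char *end = NULL;
        unsigned long l;

        if (!s || !ret)
                return -EINVAL;

        /* strtoul() silently skips leading whitespace and accepts a '-'
         * sign (wrapping the value), so reject both up front. */
        if (isspace((unsigned char) s[0]) || s[0] == '-')
                return -EINVAL;

        errno = 0;
        l = strtoul(s, &end, 10);
        if (errno > 0)
                return -errno;          /* ERANGE from libc */
        if (end == s || *end != '\0')
                return -EINVAL;         /* empty string or trailing garbage */
        if (l > UINT32_MAX)
                return -ERANGE;         /* fits unsigned long, not uint32_t */

        *ret = (uint32_t) l;
        return 0;
}

/* "Main program" side, the only place that logs. Returns the status to hand
 * back via a normal "return" from main(), never via exit(). */
static int main_parse_limit(const char *arg) {
        uint32_t limit = 0;
        int r;

        r = parse_u32(arg, &limit);
        if (r < 0) {
                fprintf(stderr, "Failed to parse limit '%s': %s\n", arg, strerror(-r));
                return EXIT_FAILURE;
        }

        printf("limit=%u\n", (unsigned) limit);
        return EXIT_SUCCESS;
}
```
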
- For every function you add, think about whether it is a "logging"
  function or a "non-logging" function. "Logging" functions do logging
  on their own, "non-logging" functions never log on their own and
  expect their callers to log. All functions in "library" code,
  i.e. in src/shared/ and suchlike must be "non-logging". Every time a
  "logging" function calls a "non-logging" function, it should log
  about the resulting errors. If a "logging" function calls another
  "logging" function, then it should not generate log messages, so
  that log messages are not generated twice for the same errors.

- Avoid static variables, except for caches and very few other
  cases. Think about thread-safety! While most of our code is never
  used in threaded environments, at least the library code should make
  sure it works correctly in them. Instead of doing a lot of locking
  for that, we tend to prefer using TLS to do per-thread caching (which
  only works for small, fixed-size cache objects), or we disable
  caching for any thread that is not the main thread. Use
  is_main_thread() to detect whether the calling thread is the main
  thread.

- Command line option parsing:
  - Do not print full help() on error, be specific about the error.
  - Do not print messages to stdout on error.
  - Do not POSIX_ME_HARDER unless necessary, i.e. avoid "+" in option string.

- Do not write functions that clobber call-by-reference variables on
  failure. Use temporary variables for these cases and change the
  passed in variables only on success.

- When you allocate a file descriptor, it should be made O_CLOEXEC
  right from the beginning, as none of our files should leak to forked
  binaries by default. Hence, whenever you open a file, O_CLOEXEC must
  be specified, right from the beginning. This also applies to
  sockets. Effectively this means that all invocations to:

  a) open() must get O_CLOEXEC passed
  b) socket() and socketpair() must get SOCK_CLOEXEC passed
  c) recvmsg() must get MSG_CMSG_CLOEXEC set
  d) F_DUPFD_CLOEXEC should be used instead of F_DUPFD, and so on
  e) invocations of fopen() should take "e"

- We never use the POSIX version of basename() (which glibc defines in
  libgen.h), only the GNU version (which glibc defines in string.h).
  The only reason to include libgen.h is because dirname()
  is needed. Every time you need that please immediately undefine
  basename(), and add a comment about it, so that no code ever ends up
  using the POSIX version!

- Use the bool type for booleans, not integers. One exception: in public
  headers (i.e. those in src/systemd/sd-*.h) use integers after all, as "bool"
  is C99 and in our public APIs we try to stick to C89 (with a few extensions).

- When you invoke certain calls like unlink(), or mkdir_p() and you
  know it is safe to ignore the error it might return (because a later
  call would detect the failure anyway, or because the error is in an
  error path and you thus couldn't do anything about it anyway), then
  make this clear by casting the invocation explicitly to (void). Code
  checks like Coverity understand that, and will not complain about
  ignored error codes. Hence, please use this:

          (void) unlink("/foo/bar/baz");

  instead of just this:

          unlink("/foo/bar/baz");

  Don't cast function calls to (void) that return no error
  conditions. Specifically, the various xyz_unref() calls that return a NULL
  object shouldn't be cast to (void), since not using the return value does not
  hide any errors.

- Don't invoke exit(), ever. It is no replacement for proper error
  handling. Please escalate errors up your call chain, and use normal
  "return" to exit from the main function of a process. If you
  fork()ed off a child process, please use _exit() instead of exit(),
  so that the exit handlers are not run.

- Please never use dup(). Use fcntl(fd, F_DUPFD_CLOEXEC, 3)
  instead. For two reasons: first, you want O_CLOEXEC set on the new fd
  (see above). Second, dup() will happily duplicate your fd as 0, 1,
  2, i.e. stdin, stdout, stderr, should those fds be closed. Given the
  special semantics of those fds, it's probably a good idea to avoid
  them. F_DUPFD_CLOEXEC with "3" as parameter avoids them.

- When you define a destructor or unref() call for an object, please
  accept a NULL object and simply treat this as NOP. This is similar
  to how libc free() works, which accepts NULL pointers and becomes a
  NOP for them. By following this scheme a lot of if checks can be
  removed before invoking your destructor, which makes the code
  substantially more readable and robust.

- Related to this: when you define a destructor or unref() call for an
  object, please make it return the same type it takes and always
  return NULL from it. This allows writing code like this:

          p = foobar_unref(p);

  which will always work regardless of whether p is initialized or not, and
  guarantees that p is NULL afterwards, all in just one line.

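  Added example (not from the systemd tree) of a destructor following the two
  rules above, together with the gcc cleanup attribute that the _cleanup_
  macros mentioned earlier are built on; Foobar, foobar_new(), foobar_unref()
  and _cleanup_foobar_unref_ are invented names.

```c
#include <stdlib.h>
#include <string.h>

typedef struct Foobar {
        char *name;
        unsigned n_ref;
} Foobar;

/* Destructor following both rules: NULL is a NOP (like free()), and the
 * return value is always NULL so "p = foobar_unref(p);" leaves p in a known
 * state. It also copes with a half-initialized object (name still NULL). */
static Foobar *foobar_unref(Foobar *f) {
        if (!f)
                return NULL;

        if (--f->n_ref > 0)
                return NULL;    /* still referenced elsewhere */

        free(f->name);          /* free() is itself a NOP on NULL */
        free(f);
        return NULL;
}

/* Constructor: NULL on OOM is the accepted exception to negative errno. */
static Foobar *foobar_new(const char *name) {
        Foobar *f;
        size_t l;

        f = calloc(1, sizeof(Foobar));
        if (!f)
                return NULL;
        f->n_ref = 1;

        l = strlen(name) + 1;
        f->name = malloc(l);
        if (!f->name)
                return foobar_unref(f);  /* destruct the half-initialized object */
        memcpy(f->name, name, l);

        return f;
}

/* What _cleanup_free_ and friends are built on: gcc's cleanup attribute runs
 * a function on the variable's address when it goes out of scope. */
static void foobar_unrefp(Foobar **p) {
        foobar_unref(*p);
}
#define _cleanup_foobar_unref_ __attribute__((cleanup(foobar_unrefp)))

/* Length of the stored name, or -1 on OOM. No explicit unref is needed on
 * any path; on the early return the handler sees NULL and does nothing. */
static int name_length(const char *name) {
        _cleanup_foobar_unref_ Foobar *f = NULL;

        f = foobar_new(name);
        if (!f)
                return -1;

        return (int) strlen(f->name);
}
```
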
- Use alloca(), but never forget that it is not OK to invoke alloca()
  within a loop or within function call parameters. alloca() memory is
  released at the end of a function, and not at the end of a {}
  block. Thus, if you invoke it in a loop, you keep increasing the
  stack pointer without ever releasing memory again. (VLAs have better
  behaviour in this case, so consider using them as an alternative.)
  Regarding not using alloca() within function parameters, see the
  BUGS section of the alloca(3) man page.

- Use memzero() or even better zero() instead of memset(..., 0, ...).

- Instead of using memzero()/memset() to initialize structs allocated
  on the stack, please try to use C99 structure initializers. It's
  shorter, prettier and actually even faster at execution. Hence:

          struct foobar t = {
                  .foo = 7,
                  .bar = "bazz",
          };

  instead of:

          struct foobar t;
          zero(t);
          t.foo = 7;
          t.bar = "bazz";

- When returning a return code from main(), please preferably use
  EXIT_FAILURE and EXIT_SUCCESS as defined by libc.

- The order in which header files are included doesn't matter too
  much. systemd-internal headers must not rely on an include order, so
  it is safe to include them in any order possible.
  However, to not clutter global includes, and to make sure internal
  definitions will not affect global headers, please always include the
  headers of external components first (these are all headers enclosed
  in <>), followed by our own exported headers (usually everything
  that's prefixed by "sd-"), and then followed by internal headers.
  Furthermore, in all three groups, order all includes alphabetically
  so duplicate includes can easily be detected.

- To implement an endless loop, use "for (;;)" rather than "while
  (1)". The latter is a bit ugly anyway, since you probably really
  meant "while (true)"... To avoid the discussion what the right
  always-true expression for an infinite while() loop is, our
  recommendation is to simply write it without any such expression by
  using "for (;;)".

- Never use the "off_t" type, and particularly avoid it in public
  APIs. It's really weirdly defined, as it usually is 64bit and we
  don't support it any other way, but it could in theory also be
  32bit. Which one it is depends on a compiler switch chosen by the
  compiled program, which hence corrupts APIs using it unless they can
  also follow the program's choice. Moreover, in systemd we should
  parse values the same way on all architectures and cannot expose
  off_t values over D-Bus. To avoid any confusion regarding conversion
  and ABIs, always use simply uint64_t directly.

- Commit message subject lines should be prefixed with an appropriate
  component name of some kind. For example "journal: ", "nspawn: " and
  so on.

- Do not use "Signed-Off-By:" in your commit messages. That's a kernel
  thing we don't do in the systemd project.

- Avoid leaving long-running child processes around, i.e. fork()s that
  are not followed quickly by an execv() in the child. Resource
  management is unclear in this case, and memory CoW will result in
  unexpected penalties in the parent much much later on.

- Don't block execution for arbitrary amounts of time using usleep()
  or a similar call, unless you really know what you do. Just "giving
  something some time", or so is a lazy excuse. Always wait for the
  proper event, instead of doing time-based poll loops.

- To determine the length of a constant string "foo", don't bother
  with sizeof("foo")-1, please use STRLEN() instead.

- If you want to concatenate two or more strings, consider using
  strjoin() rather than asprintf(), as the latter is a lot
  slower. This matters particularly in inner loops.

- Please avoid using global variables as much as you can. And if you
  do use them make sure they are static at least, instead of
  exported. Especially in library-like code it is important to avoid
  global variables. Why are global variables bad? They usually hinder
  generic reusability of code (since they break in threaded programs,
  and usually would require locking there), and as the code using them
  has side-effects they make programs non-transparent. That said, there are
  many cases where they explicitly make a lot of sense, and are OK to
  use. For example, the log level and target in log.c is stored in a
  global variable, and that's OK and probably expected by most. Also
  in many cases we cache data in global variables. If you add more
  caches like this, please be careful however, and think about
  threading. Only use static variables if you are sure that
  thread-safety doesn't matter in your case. Alternatively consider
  using TLS, which is pretty easy to use with gcc's "thread_local"
  concept. It's also OK to store data that is inherently global in
  global variables, for example data parsed from command lines, see
  below.

- If you parse a command line, and want to store the parsed parameters
  in global variables, please consider prefixing their names with
  "arg_". We have been following this naming rule in most of our
  tools, and we should continue to do so, as it makes it easy to
  identify command line parameter variables, and makes it clear why it
  is OK that they are global variables.

- When exposing public C APIs, be careful what function parameters you make
  "const". For example, a parameter taking a context object should probably not
  be "const", even if you are writing an otherwise read-only accessor function
  for it. The reason is that making it "const" fixates the contract that your
  call won't alter the object ever, as part of the API. However, that's often
  quite a promise, given that this even prohibits object-internal caching or
  lazy initialization of object variables. Moreover it's usually not too useful
  for client applications. Hence: please be careful and avoid "const" on object
  parameters, unless you are very sure "const" is appropriate.

- Make sure to enforce limits on every user controllable resource. If the user
  can allocate resources in your code, your code must enforce some form of
  limits after which it will refuse operation. It's fine if it is hard-coded (at
  least initially), but it needs to be there. This is particularly important
  for objects that unprivileged users may allocate, but also matters for
  everything else any user may allocate.

- htonl()/ntohl() and htons()/ntohs() are weird. Please use htobe32() and
  htobe16() instead, it's much more descriptive, and actually says what really
  is happening, after all htonl() and htons() don't operate on longs and
  shorts as their name would suggest, but on uint32_t and uint16_t. Also,
  "network byte order" is just a weird name for "big endian", hence we might
  want to call it "big endian" right-away.

- You might wonder what kind of common code belongs in src/shared/ and what
  belongs in src/basic/. The split is like this: anything that uses public APIs
  we expose (i.e. any of the sd-bus, sd-login, sd-id128, ... APIs) must be
  located in src/shared/. All stuff that only uses external libraries from
  other projects (such as glibc's APIs), or APIs from src/basic/ itself should
  be placed in src/basic/. Conversely, src/libsystemd/ may only use symbols
  from src/basic, but not from src/shared/. To summarize:

  src/basic/      → may be used by all code in the tree
                  → may not use any code outside of src/basic/

  src/libsystemd/ → may be used by all code in the tree, except for code in src/basic/
                  → may not use any code outside of src/basic/, src/libsystemd/

  src/shared/     → may be used by all code in the tree, except for code in src/basic/, src/libsystemd/
                  → may not use any code outside of src/basic/, src/libsystemd/, src/shared/

- Our focus is on the GNU libc (glibc), not any other libcs. If other libcs are
  incompatible with glibc it's on them. However, if there are equivalent POSIX
  and Linux/GNU-specific APIs, we generally prefer the POSIX APIs. If there
  aren't, we are happy to use GNU or Linux APIs, and expect non-GNU
  implementations of libc to catch up with glibc.

- Whenever installing a signal handler, make sure to set SA_RESTART for it, so
  that interrupted system calls are automatically restarted, and we minimize
  hassles with handling EINTR (in particular as EINTR handling is pretty broken
  on Linux).

- When applying C-style unescaping as well as specifier expansion on the same
  string, always apply the C-style unescaping first, followed by the specifier
  expansion. When doing the reverse, make sure to escape '%' in specifier-style
  first (i.e. '%' → '%%'), and then do C-style escaping where necessary.
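
  Added example, not systemd's own escaping code: a toy C-style (un)escaper
  and a one-specifier expander ("%i", with a constructed instance name that
  contains a backslash), showing the parse order above and what the reverse
  order does to the expanded value; all function names are invented.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Constructed specifier value for "%i" (an instance name). It deliberately
 * contains a backslash to show why the order of the two passes matters. */
#define DEMO_INSTANCE "inst\\one"

/* Writing a value out: specifier-escape first ('%' -> "%%"), then C-escape
 * '\\', '\n' and '\t'. Because the first pass emits no backslashes, both
 * passes fold into one loop. Result is malloc()ed. */
static char *escape_for_config(const char *s) {
        char *r = malloc(strlen(s) * 2 + 1), *t = r;
        if (!r) return NULL;
        for (; *s; s++)
                switch (*s) {
                case '%':  *t++ = '%';  *t++ = '%';  break;
                case '\\': *t++ = '\\'; *t++ = '\\'; break;
                case '\n': *t++ = '\\'; *t++ = 'n';  break;
                case '\t': *t++ = '\\'; *t++ = 't';  break;
                default:   *t++ = *s;
                }
        *t = '\0';
        return r;
}

/* C-style unescaping; an unknown escape "\x" yields "x". */
static char *cunescape(const char *s) {
        char *r = malloc(strlen(s) + 1), *t = r;
        if (!r) return NULL;
        for (; *s; s++)
                if (*s == '\\' && s[1] != '\0') {
                        s++;
                        *t++ = *s == 'n' ? '\n' : *s == 't' ? '\t' : *s;
                } else
                        *t++ = *s;
        *t = '\0';
        return r;
}

/* Specifier expansion: "%%" -> "%", "%i" -> DEMO_INSTANCE, rest verbatim. */
static char *specifier_expand(const char *s) {
        char *r = malloc(strlen(s) * sizeof(DEMO_INSTANCE) + 1), *t = r;
        if (!r) return NULL;
        for (; *s; s++)
                if (*s == '%' && s[1] == '%') {
                        *t++ = '%';
                        s++;
                } else if (*s == '%' && s[1] == 'i') {
                        memcpy(t, DEMO_INSTANCE, sizeof(DEMO_INSTANCE) - 1);
                        t += sizeof(DEMO_INSTANCE) - 1;
                        s++;
                } else
                        *t++ = *s;
        *t = '\0';
        return r;
}

/* Reading a value in. The right order is C-unescape first, then expand;
 * unescape_first=false shows the wrong order re-interpreting the backslash
 * inside the expanded specifier value. Result is malloc()ed. */
static char *parse_from_config(const char *s, bool unescape_first) {
        char *a = unescape_first ? cunescape(s) : specifier_expand(s);
        char *b = !a ? NULL : unescape_first ? specifier_expand(a) : cunescape(a);
        free(a);
        return b;
}
```
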