1 - 8ch indent, no tabs, except for files in man/ which are 2ch indent,
4 - We prefer /* comments */ over // comments, please. This is not C++, after
5 all. (Yes we know that C99 supports both kinds of comments, but still,
8 - Don't break code lines too eagerly. We do *not* force line breaks at
9 80ch, all of today's screens should be much larger than that. But
10 then again, don't overdo it, ~140ch should be enough really.
12 - Variables and functions *must* be static, unless they have a
13 prototype, and are supposed to be exported.
15 - structs in MixedCase (with exceptions, such as public API structs),
16 variables + functions in lower_case.
18 - The destructors always unregister the object from the next bigger
19 object, not the other way around
21 - To minimize strict aliasing violations, we prefer unions over casting
23 - For robustness reasons, destructors should be able to destruct
24 half-initialized objects, too
26 - Error codes are returned as negative Exxx. e.g. return -EINVAL. There
27 are some exceptions: for constructors, it is OK to return NULL on
28 OOM. For lookup functions, NULL is fine too for "not found".
30 Be strict with this. When you write a function that can fail due to
31 more than one cause, it *really* should have "int" as return value
34 - Do not bother with error checking whether writing to stdout/stderr
37 - Do not log errors from "library" code, only do so from "main
38 program" code. (With one exception: it is OK to log with DEBUG level
39 from any code, with the exception of maybe inner loops).
41 - Always check OOM. There is no excuse. In program code, you can use
42 "log_oom()" for then printing a short message, but not in "library" code.
44 - Do not issue NSS requests (that includes user name and host name
45 lookups) from PID 1 as this might trigger deadlocks when those
46 lookups involve synchronously talking to services that we would need
49 - Do not synchronously talk to any other service from PID 1, due to
52 - Avoid fixed-size string buffers, unless you really know the maximum
53 size and that maximum size is small. They are a source of errors,
54 since they possibly result in truncated strings. It is often nicer
55 to use dynamic memory, alloca() or VLAs. If you do allocate fixed-size
56 strings on the stack, then it is probably only OK if you either
57 use a maximum size such as LINE_MAX, or count in detail the maximum
58 size a string can have. (DECIMAL_STR_MAX and DECIMAL_STR_WIDTH
59 macros are your friends for this!)
61 Or in other words, if you use "char buf[256]" then you are likely
62 doing something wrong!
64 - Stay uniform. For example, always use "usec_t" for time
65 values. Do not mix usec and msec, and usec and whatnot.
67 - Make use of _cleanup_free_ and friends. It makes your code much
70 - Be exceptionally careful when formatting and parsing floating point
71 numbers. Their syntax is locale dependent (i.e. "5.000" in en_US is
72 generally understood as 5, while on de_DE as 5000.).
85 But it is OK if you do not.
87 - Single-line "if" blocks should not be enclosed in {}. Use this:
98 - Do not write "foo ()", write "foo()".
100 - Please use streq() and strneq() instead of strcmp(), strncmp() where applicable.
102 - Please do not allocate variables on the stack in the middle of code,
103 even if C99 allows it. Wrong:
119 - Unless you allocate an array, "double" is always the better choice
120 than "float". Processors speak "double" natively anyway, so this is
121 no speed benefit, and on calls like printf() "float"s get promoted
122 to "double"s anyway, so there is no point.
124 - Do not mix function invocations with variable definitions in one
141 - Use "goto" for cleaning up, and only use it for that. i.e. you may
142 only jump to the end of a function, and little else. Never jump
145 - Think about the types you use. If a value cannot sensibly be
146 negative, do not use "int", but use "unsigned".
148 - Use "char" only for actual characters. Use "uint8_t" or "int8_t"
149 when you actually mean a byte-sized signed or unsigned
150 integers. When referring to a generic byte, we generally prefer the
151 unsigned variant "uint8_t". Do not use types based on "short". They
152 *never* make sense. Use ints, longs, long longs, all in
153 unsigned+signed fashion, and the fixed size types
154 uint8_t/uint16_t/uint32_t/uint64_t/int8_t/int16_t/int32_t and so on,
155 as well as size_t, but nothing else. Do not use kernel types like
156 u32 and so on, leave that to the kernel.
158 - Public API calls (i.e. functions exported by our shared libraries)
159 must be marked "_public_" and need to be prefixed with "sd_". No
160 other functions should be prefixed like that.
162 - In public API calls, you *must* validate all your input arguments for
163 programming error with assert_return() and return a sensible return
164 code. In all other calls, it is recommended to check for programming
165 errors with a more brutal assert(). We are more forgiving to public
166 users then for ourselves! Note that assert() and assert_return()
167 really only should be used for detecting programming errors, not for
168 runtime errors. assert() and assert_return() by usage of _likely_()
169 inform the compiler that he should not expect these checks to fail,
170 and they inform fellow programmers about the expected validity and
173 - Never use strtol(), atoi() and similar calls. Use safe_atoli(),
174 safe_atou32() and suchlike instead. They are much nicer to use in
175 most cases and correctly check for parsing errors.
177 - For every function you add, think about whether it is a "logging"
178 function or a "non-logging" function. "Logging" functions do logging
179 on their own, "non-logging" function never log on their own and
180 expect their callers to log. All functions in "library" code,
181 i.e. in src/shared/ and suchlike must be "non-logging". Every time a
182 "logging" function calls a "non-logging" function, it should log
183 about the resulting errors. If a "logging" function calls another
184 "logging" function, then it should not generate log messages, so
185 that log messages are not generated twice for the same errors.
187 - Avoid static variables, except for caches and very few other
188 cases. Think about thread-safety! While most of our code is never
189 used in threaded environments, at least the library code should make
190 sure it works correctly in them. Instead of doing a lot of locking
191 for that, we tend to prefer using TLS to do per-thread caching (which
192 only works for small, fixed-size cache objects), or we disable
193 caching for any thread that is not the main thread. Use
194 is_main_thread() to detect whether the calling thread is the main
197 - Command line option parsing:
198 - Do not print full help() on error, be specific about the error.
199 - Do not print messages to stdout on error.
200 - Do not POSIX_ME_HARDER unless necessary, i.e. avoid "+" in option string.
202 - Do not write functions that clobber call-by-reference variables on
203 failure. Use temporary variables for these cases and change the
204 passed in variables only on success.
206 - When you allocate a file descriptor, it should be made O_CLOEXEC
207 right from the beginning, as none of our files should leak to forked
208 binaries by default. Hence, whenever you open a file, O_CLOEXEC must
209 be specified, right from the beginning. This also applies to
210 sockets. Effectively this means that all invocations to:
212 a) open() must get O_CLOEXEC passed
213 b) socket() and socketpair() must get SOCK_CLOEXEC passed
214 c) recvmsg() must get MSG_CMSG_CLOEXEC set
215 d) F_DUPFD_CLOEXEC should be used instead of F_DUPFD, and so on
217 - We never use the POSIX version of basename() (which glibc defines it in
218 libgen.h), only the GNU version (which glibc defines in string.h).
219 The only reason to include libgen.h is because dirname()
220 is needed. Everytime you need that please immediately undefine
221 basename(), and add a comment about it, so that no code ever ends up
222 using the POSIX version!
224 - Use the bool type for booleans, not integers. One exception: in public
225 headers (i.e those in src/systemd/sd-*.h) use integers after all, as "bool"
226 is C99 and in our public APIs we try to stick to C89 (with a few extension).
228 - When you invoke certain calls like unlink(), or mkdir_p() and you
229 know it is safe to ignore the error it might return (because a later
230 call would detect the failure anyway, or because the error is in an
231 error path and you thus couldn't do anything about it anyway), then
232 make this clear by casting the invocation explicitly to (void). Code
233 checks like Coverity understand that, and will not complain about
234 ignored error codes. Hence, please use this:
236 (void) unlink("/foo/bar/baz");
238 instead of just this:
240 unlink("/foo/bar/baz");
242 - Don't invoke exit(), ever. It is not replacement for proper error
243 handling. Please escalate errors up your call chain, and use normal
244 "return" to exit from the main function of a process. If you
245 fork()ed off a child process, please use _exit() instead of exit(),
246 so that the exit handlers are not run.
248 - Please never use dup(). Use fcntl(fd, F_DUPFD_CLOEXEC, 3)
249 instead. For two reason: first, you want O_CLOEXEC set on the new fd
250 (see above). Second, dup() will happily duplicate your fd as 0, 1,
251 2, i.e. stdin, stdout, stderr, should those fds be closed. Given the
252 special semantics of those fds, it's probably a good idea to avoid
253 them. F_DUPFD_CLOEXEC with "3" as parameter avoids them.
255 - When you define a destructor or unref() call for an object, please
256 accept a NULL object and simply treat this as NOP. This is similar
257 to how libc free() works, which accepts NULL pointers and becomes a
258 NOP for them. By following this scheme a lot of if checks can be
259 removed before invoking your destructor, which makes the code
260 substantially more readable and robust.
262 - Related to this: when you define a destructor or unref() call for an
263 object, please make it return the same type it takes and always
264 return NULL from it. This allows writing code like this:
268 which will always work regardless if p is initialized or not, and
269 guarantees that p is NULL afterwards, all in just one line.
271 - Use alloca(), but never forget that it is not OK to invoke alloca()
272 within a loop or within function call parameters. alloca() memory is
273 released at the end of a function, and not at the end of a {}
274 block. Thus, if you invoke it in a loop, you keep increasing the
275 stack pointer without ever releasing memory again. (VLAs have better
276 behaviour in this case, so consider using them as an alternative.)
277 Regarding not using alloca() within function parameters, see the
278 BUGS section of the alloca(3) man page.
280 - Use memzero() or even better zero() instead of memset(..., 0, ...)
282 - Instead of using memzero()/memset() to initialize structs allocated
283 on the stack, please try to use c99 structure initializers. It's
284 short, prettier and actually even faster at execution. Hence:
298 - When returning a return code from main(), please preferably use
299 EXIT_FAILURE and EXIT_SUCCESS as defined by libc.
301 - The order in which header files are included doesn't matter too
302 much. systemd-internal headers must not rely on an include order, so
303 it is safe to include them in any order possible.
304 However, to not clutter global includes, and to make sure internal
305 definitions will not affect global headers, please always include the
306 headers of external components first (these are all headers enclosed
307 in <>), followed by our own exported headers (usually everything
308 that's prefixed by "sd-"), and then followed by internal headers.
309 Furthermore, in all three groups, order all includes alphabetically
310 so duplicate includes can easily be detected.
312 - To implement an endless loop, use "for (;;)" rather than "while
313 (1)". The latter is a bit ugly anyway, since you probably really
314 meant "while (true)"... To avoid the discussion what the right
315 always-true expression for an infinite while() loop is our
316 recommendation is to simply write it without any such expression by
319 - Never use the "off_t" type, and particularly avoid it in public
320 APIs. It's really weirdly defined, as it usually is 64bit and we
321 don't support it any other way, but it could in theory also be
322 32bit. Which one it is depends on a compiler switch chosen by the
323 compiled program, which hence corrupts APIs using it unless they can
324 also follow the program's choice. Moreover, in systemd we should
325 parse values the same way on all architectures and cannot expose
326 off_t values over D-Bus. To avoid any confusion regarding conversion
327 and ABIs, always use simply uint64_t directly.
329 - Commit message subject lines should be prefixed with an appropriate
330 component name of some kind. For example "journal: ", "nspawn: " and
333 - Do not use "Signed-Off-By:" in your commit messages. That's a kernel
334 thing we don't do in the systemd project.
336 - Avoid leaving long-running child processes around, i.e. fork()s that
337 are not followed quickly by an execv() in the child. Resource
338 management is unclear in this case, and memory CoW will result in
339 unexpected penalties in the parent much much later on.
341 - Don't block execution for arbitrary amounts of time using usleep()
342 or a similar call, unless you really know what you do. Just "giving
343 something some time", or so is a lazy excuse. Always wait for the
344 proper event, instead of doing time-based poll loops.
346 - To determine the length of a constant string "foo", don't bother
347 with sizeof("foo")-1, please use strlen("foo") directly. gcc knows
348 strlen() anyway and turns it into a constant expression if possible.
350 - If you want to concatenate two or more strings, consider using
351 strjoin() rather than asprintf(), as the latter is a lot
352 slower. This matters particularly in inner loops.
354 - Please avoid using global variables as much as you can. And if you
355 do use them make sure they are static at least, instead of
356 exported. Especially in library-like code it is important to avoid
357 global variables. Why are global variables bad? They usually hinder
358 generic reusability of code (since they break in threaded programs,
359 and usually would require locking there), and as the code using them
360 has side-effects make programs intransparent. That said, there are
361 many cases where they explicitly make a lot of sense, and are OK to
362 use. For example, the log level and target in log.c is stored in a
363 global variable, and that's OK and probably expected by most. Also
364 in many cases we cache data in global variables. If you add more
365 caches like this, please be careful however, and think about
366 threading. Only use static variables if you are sure that
367 thread-safety doesn't matter in your case. Alternatively consider
368 using TLS, which is pretty easy to use with gcc's "thread_local"
369 concept. It's also OK to store data that is inherently global in
370 global variables, for example data parsed from command lines, see
373 - If you parse a command line, and want to store the parsed parameters
374 in global variables, please consider prefixing their names with
375 "arg_". We have been following this naming rule in most of our
376 tools, and we should continue to do so, as it makes it easy to
377 identify command line parameter variables, and makes it clear why it
378 is OK that they are global variables.