3 - 8ch indent, no tabs, except for files in `man/` which are 2ch indent,
6 - We prefer `/* comments */` over `// comments` in code you commit, please. This
7 way `// comments` are left for developers to use for local, temporary
8 commenting of code for debug purposes (i.e. uncommittable stuff), making such
9 comments easily discernible from explanatory, documenting code comments
10 (i.e. committable stuff).
12 - Don't break code lines too eagerly. We do **not** force line breaks at 80ch,
13 all of today's screens should be much larger than that. But then again, don't
14 overdo it, ~119ch should be enough really. The `.editorconfig`, `.vimrc` and
15 `.dir-locals.el` files contained in the repository will set this limit up for
16 you automatically, if you let them (as well as a few other things).
18 - Variables and functions **must** be static, unless they have a
19 prototype, and are supposed to be exported.
21 - structs in `PascalCase` (with exceptions, such as public API structs),
22 variables and functions in `snake_case`.
24 - The destructors always deregister the object from the next bigger
25 object, not the other way around.
27 - To minimize strict aliasing violations, we prefer unions over casting.
29 - For robustness reasons, destructors should be able to destruct
30 half-initialized objects, too.
32 - Error codes are returned as negative `Exxx`. e.g. `return -EINVAL`. There
33 are some exceptions: for constructors, it is OK to return `NULL` on
34 OOM. For lookup functions, `NULL` is fine too for "not found".
36 Be strict with this. When you write a function that can fail due to
37 more than one cause, it *really* should have an `int` as the return value
40 - Do not bother with error checking whether writing to stdout/stderr
43 - Do not log errors from "library" code, only do so from "main
44 program" code. (With one exception: it is OK to log with DEBUG level
45 from any code, with the exception of maybe inner loops).
47 - Always check OOM. There is no excuse. In program code, you can use
48 `log_oom()` for then printing a short message, but not in "library" code.
50 - Do not issue NSS requests (that includes user name and host name
51 lookups) from PID 1 as this might trigger deadlocks when those
52 lookups involve synchronously talking to services that we would need
55 - Do not synchronously talk to any other service from PID 1, due to
58 - Avoid fixed-size string buffers, unless you really know the maximum
59 size and that maximum size is small. They are a source of errors,
60 since they possibly result in truncated strings. It is often nicer
61 to use dynamic memory, `alloca()` or VLAs. If you do allocate fixed-size
62 strings on the stack, then it is probably only OK if you either
63 use a maximum size such as `LINE_MAX`, or count in detail the maximum
64 size a string can have. (`DECIMAL_STR_MAX` and `DECIMAL_STR_WIDTH`
65 macros are your friends for this!)
67 Or in other words, if you use `char buf[256]` then you are likely
68 doing something wrong!
70 - Stay uniform. For example, always use `usec_t` for time
71 values. Do not mix `usec` and `msec`, and `usec` and whatnot.
73 - Make use of `_cleanup_free_` and friends. It makes your code much
74 nicer to read (and shorter)!
76 - Be exceptionally careful when formatting and parsing floating point
77 numbers. Their syntax is locale dependent (i.e. `5.000` in en_US is
78 generally understood as 5, while in de_DE as 5000.).
95 But it is OK if you do not.
97 - Single-line `if` blocks should not be enclosed in `{}`. Use this:
112 - Do not write `foo ()`, write `foo()`.
114 - Please use `streq()` and `strneq()` instead of `strcmp()`, `strncmp()` where
115 applicable (i.e. wherever you just care about equality/inequality, not about
118 - Preferably allocate stack variables on the top of the block:
129 - Unless you allocate an array, `double` is always the better choice
130 than `float`. Processors speak `double` natively anyway, so this is
131 no speed benefit, and on calls like `printf()` `float`s get promoted
132 to `double`s anyway, so there is no point.
134 - Do not mix function invocations with variable definitions in one
155 - Use `goto` for cleaning up, and only use it for that. i.e. you may
156 only jump to the end of a function, and little else. Never jump
159 - Think about the types you use. If a value cannot sensibly be
160 negative, do not use `int`, but use `unsigned`.
162 - Use `char` only for actual characters. Use `uint8_t` or `int8_t`
163 when you actually mean a byte-sized signed or unsigned
164 integers. When referring to a generic byte, we generally prefer the
165 unsigned variant `uint8_t`. Do not use types based on `short`. They
166 *never* make sense. Use `int`, `long`, `long long`, all in
167 unsigned and signed fashion, and the fixed-size types
168 `uint8_t`, `uint16_t`, `uint32_t`, `uint64_t`, `int8_t`, `int16_t`, `int32_t` and so on,
169 as well as `size_t`, but nothing else. Do not use kernel types like
170 `u32` and so on, leave that to the kernel.
172 - Public API calls (i.e. functions exported by our shared libraries)
173 must be marked `_public_` and need to be prefixed with `sd_`. No
174 other functions should be prefixed like that.
176 - In public API calls, you **must** validate all your input arguments for
177 programming error with `assert_return()` and return a sensible return
178 code. In all other calls, it is recommended to check for programming
179 errors with a more brutal `assert()`. We are more forgiving to public
180 users than for ourselves! Note that `assert()` and `assert_return()`
181 really only should be used for detecting programming errors, not for
182 runtime errors. `assert()` and `assert_return()` by usage of `_likely_()`
183 inform the compiler that he should not expect these checks to fail,
184 and they inform fellow programmers about the expected validity and
187 - Never use `strtol()`, `atoi()` and similar calls. Use `safe_atoli()`,
188 `safe_atou32()` and suchlike instead. They are much nicer to use in
189 most cases and correctly check for parsing errors.
191 - For every function you add, think about whether it is a "logging"
192 function or a "non-logging" function. "Logging" functions do logging
193 on their own, "non-logging" function never log on their own and
194 expect their callers to log. All functions in "library" code,
195 i.e. in `src/shared/` and suchlike must be "non-logging". Every time a
196 "logging" function calls a "non-logging" function, it should log
197 about the resulting errors. If a "logging" function calls another
198 "logging" function, then it should not generate log messages, so
199 that log messages are not generated twice for the same errors.
201 - If possible, do a combined log & return operation:
206 return log_(error|warning|notice|...)_errno(r, "Failed to ...: %m");
209 If the error value is "synthetic", i.e. it was not received from
210 the called function, use `SYNTHETIC_ERRNO` wrapper to tell the logging
211 system to not log the errno value, but still return it:
214 n = read(..., s, sizeof s);
216 return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to read ...");
219 - Avoid static variables, except for caches and very few other
220 cases. Think about thread-safety! While most of our code is never
221 used in threaded environments, at least the library code should make
222 sure it works correctly in them. Instead of doing a lot of locking
223 for that, we tend to prefer using TLS to do per-thread caching (which
224 only works for small, fixed-size cache objects), or we disable
225 caching for any thread that is not the main thread. Use
226 `is_main_thread()` to detect whether the calling thread is the main
229 - Command line option parsing:
230 - Do not print full `help()` on error, be specific about the error.
231 - Do not print messages to stdout on error.
232 - Do not POSIX_ME_HARDER unless necessary, i.e. avoid `+` in option string.
234 - Do not write functions that clobber call-by-reference variables on
235 failure. Use temporary variables for these cases and change the
236 passed in variables only on success.
238 - When you allocate a file descriptor, it should be made `O_CLOEXEC`
239 right from the beginning, as none of our files should leak to forked
240 binaries by default. Hence, whenever you open a file, `O_CLOEXEC` must
241 be specified, right from the beginning. This also applies to
242 sockets. Effectively, this means that all invocations to:
244 - `open()` must get `O_CLOEXEC` passed,
245 - `socket()` and `socketpair()` must get `SOCK_CLOEXEC` passed,
246 - `recvmsg()` must get `MSG_CMSG_CLOEXEC` set,
247 - `F_DUPFD_CLOEXEC` should be used instead of `F_DUPFD`, and so on,
248 - invocations of `fopen()` should take `e`.
250 - We never use the POSIX version of `basename()` (which glibc defines it in
251 `libgen.h`), only the GNU version (which glibc defines in `string.h`).
252 The only reason to include `libgen.h` is because `dirname()`
253 is needed. Every time you need that please immediately undefine
254 `basename()`, and add a comment about it, so that no code ever ends up
255 using the POSIX version!
257 - Use the bool type for booleans, not integers. One exception: in public
258 headers (i.e those in `src/systemd/sd-*.h`) use integers after all, as `bool`
259 is C99 and in our public APIs we try to stick to C89 (with a few extension).
261 - When you invoke certain calls like `unlink()`, or `mkdir_p()` and you
262 know it is safe to ignore the error it might return (because a later
263 call would detect the failure anyway, or because the error is in an
264 error path and you thus couldn't do anything about it anyway), then
265 make this clear by casting the invocation explicitly to `(void)`. Code
266 checks like Coverity understand that, and will not complain about
267 ignored error codes. Hence, please use this:
270 (void) unlink("/foo/bar/baz");
273 instead of just this:
276 unlink("/foo/bar/baz");
279 Don't cast function calls to `(void)` that return no error
280 conditions. Specifically, the various `xyz_unref()` calls that return a `NULL`
281 object shouldn't be cast to `(void)`, since not using the return value does not
284 - Don't invoke `exit()`, ever. It is not replacement for proper error
285 handling. Please escalate errors up your call chain, and use normal
286 `return` to exit from the main function of a process. If you
287 `fork()`ed off a child process, please use `_exit()` instead of `exit()`,
288 so that the exit handlers are not run.
290 - Please never use `dup()`. Use `fcntl(fd, F_DUPFD_CLOEXEC, 3)`
291 instead. For two reason: first, you want `O_CLOEXEC` set on the new `fd`
292 (see above). Second, `dup()` will happily duplicate your `fd` as 0, 1,
293 2, i.e. stdin, stdout, stderr, should those `fd`s be closed. Given the
294 special semantics of those `fd`s, it's probably a good idea to avoid
295 them. `F_DUPFD_CLOEXEC` with `3` as parameter avoids them.
297 - When you define a destructor or `unref()` call for an object, please
298 accept a `NULL` object and simply treat this as NOP. This is similar
299 to how libc `free()` works, which accepts `NULL` pointers and becomes a
300 NOP for them. By following this scheme a lot of `if` checks can be
301 removed before invoking your destructor, which makes the code
302 substantially more readable and robust.
304 - Related to this: when you define a destructor or `unref()` call for an
305 object, please make it return the same type it takes and always
306 return `NULL` from it. This allows writing code like this:
312 which will always work regardless if `p` is initialized or not, and
313 guarantees that `p` is `NULL` afterwards, all in just one line.
315 - Use `alloca()`, but never forget that it is not OK to invoke `alloca()`
316 within a loop or within function call parameters. `alloca()` memory is
317 released at the end of a function, and not at the end of a `{}`
318 block. Thus, if you invoke it in a loop, you keep increasing the
319 stack pointer without ever releasing memory again. (VLAs have better
320 behavior in this case, so consider using them as an alternative.)
321 Regarding not using `alloca()` within function parameters, see the
322 BUGS section of the `alloca(3)` man page.
324 - Use `memzero()` or even better `zero()` instead of `memset(..., 0, ...)`
326 - Instead of using `memzero()`/`memset()` to initialize structs allocated
327 on the stack, please try to use c99 structure initializers. It's
328 short, prettier and actually even faster at execution. Hence:
346 - When returning a return code from `main()`, please preferably use
347 `EXIT_FAILURE` and `EXIT_SUCCESS` as defined by libc.
349 - The order in which header files are included doesn't matter too
350 much. systemd-internal headers must not rely on an include order, so
351 it is safe to include them in any order possible.
352 However, to not clutter global includes, and to make sure internal
353 definitions will not affect global headers, please always include the
354 headers of external components first (these are all headers enclosed
355 in <>), followed by our own exported headers (usually everything
356 that's prefixed by `sd-`), and then followed by internal headers.
357 Furthermore, in all three groups, order all includes alphabetically
358 so duplicate includes can easily be detected.
360 - To implement an endless loop, use `for (;;)` rather than `while (1)`.
361 The latter is a bit ugly anyway, since you probably really
362 meant `while (true)`. To avoid the discussion what the right
363 always-true expression for an infinite while loop is, our
364 recommendation is to simply write it without any such expression by
367 - Never use the `off_t` type, and particularly avoid it in public
368 APIs. It's really weirdly defined, as it usually is 64-bit and we
369 don't support it any other way, but it could in theory also be
370 32-bit. Which one it is depends on a compiler switch chosen by the
371 compiled program, which hence corrupts APIs using it unless they can
372 also follow the program's choice. Moreover, in systemd we should
373 parse values the same way on all architectures and cannot expose
374 `off_t` values over D-Bus. To avoid any confusion regarding conversion
375 and ABIs, always use simply `uint64_t` directly.
377 - Commit message subject lines should be prefixed with an appropriate
378 component name of some kind. For example "journal: ", "nspawn: " and
381 - Do not use "Signed-Off-By:" in your commit messages. That's a kernel
382 thing we don't do in the systemd project.
384 - Avoid leaving long-running child processes around, i.e. `fork()`s that
385 are not followed quickly by an `execv()` in the child. Resource
386 management is unclear in this case, and memory CoW will result in
387 unexpected penalties in the parent much, much later on.
389 - Don't block execution for arbitrary amounts of time using `usleep()`
390 or a similar call, unless you really know what you do. Just "giving
391 something some time", or so is a lazy excuse. Always wait for the
392 proper event, instead of doing time-based poll loops.
394 - To determine the length of a constant string `"foo"`, don't bother with
395 `sizeof("foo")-1`, please use `strlen()` instead (both gcc and clang optimize
396 the call away for fixed strings). The only exception is when declaring an
397 array. In that case use STRLEN, which evaluates to a static constant and
398 doesn't force the compiler to create a VLA.
400 - If you want to concatenate two or more strings, consider using `strjoina()`
401 or `strjoin()` rather than `asprintf()`, as the latter is a lot slower. This
402 matters particularly in inner loops (but note that `strjoina()` cannot be
405 - Please avoid using global variables as much as you can. And if you
406 do use them make sure they are static at least, instead of
407 exported. Especially in library-like code it is important to avoid
408 global variables. Why are global variables bad? They usually hinder
409 generic reusability of code (since they break in threaded programs,
410 and usually would require locking there), and as the code using them
411 has side-effects make programs non-transparent. That said, there are
412 many cases where they explicitly make a lot of sense, and are OK to
413 use. For example, the log level and target in `log.c` is stored in a
414 global variable, and that's OK and probably expected by most. Also
415 in many cases we cache data in global variables. If you add more
416 caches like this, please be careful however, and think about
417 threading. Only use static variables if you are sure that
418 thread-safety doesn't matter in your case. Alternatively, consider
419 using TLS, which is pretty easy to use with gcc's `thread_local`
420 concept. It's also OK to store data that is inherently global in
421 global variables, for example data parsed from command lines, see
424 - If you parse a command line, and want to store the parsed parameters
425 in global variables, please consider prefixing their names with
426 `arg_`. We have been following this naming rule in most of our
427 tools, and we should continue to do so, as it makes it easy to
428 identify command line parameter variables, and makes it clear why it
429 is OK that they are global variables.
431 - When exposing public C APIs, be careful what function parameters you make
432 `const`. For example, a parameter taking a context object should probably not
433 be `const`, even if you are writing an otherwise read-only accessor function
434 for it. The reason is that making it `const` fixates the contract that your
435 call won't alter the object ever, as part of the API. However, that's often
436 quite a promise, given that this even prohibits object-internal caching or
437 lazy initialization of object variables. Moreover, it's usually not too useful
438 for client applications. Hence, please be careful and avoid `const` on object
439 parameters, unless you are very sure `const` is appropriate.
441 - Make sure to enforce limits on every user controllable resource. If the user
442 can allocate resources in your code, your code must enforce some form of
443 limits after which it will refuse operation. It's fine if it is hard-coded (at
444 least initially), but it needs to be there. This is particularly important
445 for objects that unprivileged users may allocate, but also matters for
446 everything else any user may allocated.
448 - `htonl()`/`ntohl()` and `htons()`/`ntohs()` are weird. Please use `htobe32()` and
449 `htobe16()` instead, it's much more descriptive, and actually says what really
450 is happening, after all `htonl()` and `htons()` don't operate on `long`s and
451 `short`s as their name would suggest, but on `uint32_t` and `uint16_t`. Also,
452 "network byte order" is just a weird name for "big endian", hence we might
453 want to call it "big endian" right-away.
455 - You might wonder what kind of common code belongs in `src/shared/` and what
456 belongs in `src/basic/`. The split is like this: anything that is used to
457 implement the public shared object we provide (sd-bus, sd-login, sd-id128,
458 nss-systemd, nss-mymachines, nss-resolve, nss-myhostname, pam_systemd), must
459 be located in `src/basic` (those objects are not allowed to link to
460 libsystemd-shared.so). Conversely, anything which is shared between multiple
461 components and does not need to be in `src/basic/`, should be in
467 - may be used by all code in the tree
468 - may not use any code outside of `src/basic/`
471 - may be used by all code in the tree, except for code in `src/basic/`
472 - may not use any code outside of `src/basic/`, `src/libsystemd/`
475 - may be used by all code in the tree, except for code in `src/basic/`,
476 `src/libsystemd/`, `src/nss-*`, `src/login/pam_systemd.*`, and files under
477 `src/journal/` that end up in `libjournal-client.a` convenience library.
478 - may not use any code outside of `src/basic/`, `src/libsystemd/`, `src/shared/`
480 - Our focus is on the GNU libc (glibc), not any other libcs. If other libcs are
481 incompatible with glibc it's on them. However, if there are equivalent POSIX
482 and Linux/GNU-specific APIs, we generally prefer the POSIX APIs. If there
483 aren't, we are happy to use GNU or Linux APIs, and expect non-GNU
484 implementations of libc to catch up with glibc.
486 - Whenever installing a signal handler, make sure to set `SA_RESTART` for it, so
487 that interrupted system calls are automatically restarted, and we minimize
488 hassles with handling `EINTR` (in particular as `EINTR` handling is pretty broken
491 - When applying C-style unescaping as well as specifier expansion on the same
492 string, always apply the C-style unescaping fist, followed by the specifier
493 expansion. When doing the reverse, make sure to escape `%` in specifier-style
494 first (i.e. `%` → `%%`), and then do C-style escaping where necessary.
496 - It's a good idea to use `O_NONBLOCK` when opening 'foreign' regular files, i.e.
497 file system objects that are supposed to be regular files whose paths where
498 specified by the user and hence might actually refer to other types of file
499 system objects. This is a good idea so that we don't end up blocking on
500 'strange' file nodes, for example if the user pointed us to a FIFO or device
501 node which may block when opening. Moreover even for actual regular files
502 `O_NONBLOCK` has a benefit: it bypasses any mandatory lock that might be in
503 effect on the regular file. If in doubt consider turning off `O_NONBLOCK` again
506 - When referring to a configuration file option in the documentation and such,
507 please always suffix it with `=`, to indicate that it is a configuration file
510 - When referring to a command line option in the documentation and such, please
511 always prefix with `--` or `-` (as appropriate), to indicate that it is a
514 - When referring to a file system path that is a directory, please always
515 suffix it with `/`, to indicate that it is a directory, not a regular file
516 (or other file system object).
518 - Don't use `fgets()`, it's too hard to properly handle errors such as overly
519 long lines. Use `read_line()` instead, which is our own function that handles