9 - 8ch indent, no tabs, except for files in `man/` which are 2ch indent, and
10 still no tabs, and shell scripts, which are 4ch indent, and no tabs either.
12 - We prefer `/* comments */` over `// comments` in code you commit,
13 please. This way `// comments` are left for developers to use for local,
14 temporary commenting of code for debug purposes (i.e. uncommittable stuff),
15 making such comments easily discernible from explanatory, documenting code
16 comments (i.e. committable stuff).
18 - Don't break code lines too eagerly. We do **not** force line breaks at 80ch,
19 all of today's screens should be much larger than that. But then again, don't
20 overdo it, ~109ch should be enough really. The `.editorconfig`, `.vimrc` and
21 `.dir-locals.el` files contained in the repository will set this limit up for
22 you automatically, if you let them (as well as a few other things). Please
23 note that emacs loads `.dir-locals.el` automatically, but vim needs to be
24 configured to load `.vimrc`, see that file for instructions.
41 - Single-line `if` blocks should not be enclosed in `{}`. Write this:
56 - Do not write `foo ()`, write `foo()`.
58 ## Code Organization and Semantics
60 - Please name structures in `PascalCase` (with exceptions, such as public API
61 structs), variables and functions in `snake_case`.
63 - Avoid static variables, except for caches and very few other cases. Think
64 about thread-safety! While most of our code is never used in threaded
65 environments, at least the library code should make sure it works correctly
66 in them. Instead of doing a lot of locking for that, we tend to prefer using
67 TLS to do per-thread caching (which only works for small, fixed-size cache
68 objects), or we disable caching for any thread that is not the main
69 thread. Use `is_main_thread()` to detect whether the calling thread is the
72 - Do not write functions that clobber call-by-reference variables on
73 failure. Use temporary variables for these cases and change the passed in
74 variables only on success.
76 - The order in which header files are included doesn't matter too
77 much. systemd-internal headers must not rely on an include order, so it is
78 safe to include them in any order possible. However, to not clutter global
79 includes, and to make sure internal definitions will not affect global
80 headers, please always include the headers of external components first
81 (these are all headers enclosed in <>), followed by our own exported headers
82 (usually everything that's prefixed by `sd-`), and then followed by internal
83 headers. Furthermore, in all three groups, order all includes alphabetically
84 so duplicate includes can easily be detected.
86 - Please avoid using global variables as much as you can. And if you do use
87 them make sure they are static at least, instead of exported. Especially in
88 library-like code it is important to avoid global variables. Why are global
89 variables bad? They usually hinder generic reusability of code (since they
90 break in threaded programs, and usually would require locking there), and as
91 the code using them has side-effects make programs non-transparent. That
92 said, there are many cases where they explicitly make a lot of sense, and are
93 OK to use. For example, the log level and target in `log.c` is stored in a
94 global variable, and that's OK and probably expected by most. Also in many
95 cases we cache data in global variables. If you add more caches like this,
96 please be careful however, and think about threading. Only use static
97 variables if you are sure that thread-safety doesn't matter in your
98 case. Alternatively, consider using TLS, which is pretty easy to use with
99 gcc's `thread_local` concept. It's also OK to store data that is inherently
100 global in global variables, for example data parsed from command lines, see
103 - You might wonder what kind of common code belongs in `src/shared/` and what
104 belongs in `src/basic/`. The split is like this: anything that is used to
105 implement the public shared object we provide (sd-bus, sd-login, sd-id128,
106 nss-systemd, nss-mymachines, nss-resolve, nss-myhostname, pam_systemd), must
107 be located in `src/basic` (those objects are not allowed to link to
108 libsystemd-shared.so). Conversely, anything which is shared between multiple
109 components and does not need to be in `src/basic/`, should be in
115 - may be used by all code in the tree
116 - may not use any code outside of `src/basic/`
119 - may be used by all code in the tree, except for code in `src/basic/`
120 - may not use any code outside of `src/basic/`, `src/libsystemd/`
123 - may be used by all code in the tree, except for code in `src/basic/`,
124 `src/libsystemd/`, `src/nss-*`, `src/login/pam_systemd.*`, and files under
125 `src/journal/` that end up in `libjournal-client.a` convenience library.
126 - may not use any code outside of `src/basic/`, `src/libsystemd/`, `src/shared/`
128 - Our focus is on the GNU libc (glibc), not any other libcs. If other libcs are
129 incompatible with glibc it's on them. However, if there are equivalent POSIX
130 and Linux/GNU-specific APIs, we generally prefer the POSIX APIs. If there
131 aren't, we are happy to use GNU or Linux APIs, and expect non-GNU
132 implementations of libc to catch up with glibc.
134 ## Using C Constructs
136 - Preferably allocate local variables on the top of the block:
147 - Do not mix function invocations with variable definitions in one line. Wrong:
167 - Use `goto` for cleaning up, and only use it for that. i.e. you may only jump
168 to the end of a function, and little else. Never jump backwards!
170 - To minimize strict aliasing violations, we prefer unions over casting.
172 - Instead of using `memzero()`/`memset()` to initialize structs allocated on
173 the stack, please try to use c99 structure initializers. It's short, prettier
174 and actually even faster at execution. Hence:
192 - To implement an endless loop, use `for (;;)` rather than `while (1)`. The
193 latter is a bit ugly anyway, since you probably really meant `while
194 (true)`. To avoid the discussion what the right always-true expression for an
195 infinite while loop is, our recommendation is to simply write it without any
196 such expression by using `for (;;)`.
198 - To determine the length of a constant string `"foo"`, don't bother with
199 `sizeof("foo")-1`, please use `strlen()` instead (both gcc and clang optimize
200 the call away for fixed strings). The only exception is when declaring an
201 array. In that case use STRLEN, which evaluates to a static constant and
202 doesn't force the compiler to create a VLA.
204 - Please use C's downgrade-to-bool feature only for expressions that are
205 actually booleans (or "boolean-like"), and not for variables that are really
206 numeric. Specifically, if you have an `int b` and it's only used in a boolean
207 sense, by all means check its state with `if (b) …` — but if `b` can actually
208 have more than two semantic values, and you want to compare for non-zero,
209 then please write that explicitly with `if (b != 0) …`. This helps readability
210 as the value range and semantical behaviour is directly clear from the
211 condition check. As a special addition: when dealing with pointers which you
212 want to check for non-NULL-ness, you may also use downgrade-to-bool feature.
214 - Please do not use yoda comparisons, i.e. please prefer the more readable `if
215 (a == 7)` over the less readable `if (7 == a)`.
219 - The destructors always deregister the object from the next bigger object, not
220 the other way around.
222 - For robustness reasons, destructors should be able to destruct
223 half-initialized objects, too.
225 - When you define a destructor or `unref()` call for an object, please accept a
226 `NULL` object and simply treat this as NOP. This is similar to how libc
227 `free()` works, which accepts `NULL` pointers and becomes a NOP for them. By
228 following this scheme a lot of `if` checks can be removed before invoking
229 your destructor, which makes the code substantially more readable and robust.
231 - Related to this: when you define a destructor or `unref()` call for an
232 object, please make it return the same type it takes and always return `NULL`
233 from it. This allows writing code like this:
239 which will always work regardless if `p` is initialized or not, and
240 guarantees that `p` is `NULL` afterwards, all in just one line.
244 - Error codes are returned as negative `Exxx`. e.g. `return -EINVAL`. There are
245 some exceptions: for constructors, it is OK to return `NULL` on OOM. For
246 lookup functions, `NULL` is fine too for "not found".
248 Be strict with this. When you write a function that can fail due to more than
249 one cause, it *really* should have an `int` as the return value for the error
252 - Do not bother with error checking whether writing to stdout/stderr worked.
254 - Do not log errors from "library" code, only do so from "main program"
255 code. (With one exception: it is OK to log with DEBUG level from any code,
256 with the exception of maybe inner loops).
258 - In public API calls, you **must** validate all your input arguments for
259 programming error with `assert_return()` and return a sensible return
260 code. In all other calls, it is recommended to check for programming errors
261 with a more brutal `assert()`. We are more forgiving to public users than for
262 ourselves! Note that `assert()` and `assert_return()` really only should be
263 used for detecting programming errors, not for runtime errors. `assert()` and
264 `assert_return()` by usage of `_likely_()` inform the compiler that he should
265 not expect these checks to fail, and they inform fellow programmers about the
266 expected validity and range of parameters.
268 - When you invoke certain calls like `unlink()`, or `mkdir_p()` and you know it
269 is safe to ignore the error it might return (because a later call would
270 detect the failure anyway, or because the error is in an error path and you
271 thus couldn't do anything about it anyway), then make this clear by casting
272 the invocation explicitly to `(void)`. Code checks like Coverity understand
273 that, and will not complain about ignored error codes. Hence, please use
277 (void) unlink("/foo/bar/baz");
280 instead of just this:
283 unlink("/foo/bar/baz");
286 Don't cast function calls to `(void)` that return no error
287 conditions. Specifically, the various `xyz_unref()` calls that return a
288 `NULL` object shouldn't be cast to `(void)`, since not using the return value
289 does not hide any errors.
291 - When returning a return code from `main()`, please preferably use
292 `EXIT_FAILURE` and `EXIT_SUCCESS` as defined by libc.
296 - For every function you add, think about whether it is a "logging" function or
297 a "non-logging" function. "Logging" functions do logging on their own,
298 "non-logging" function never log on their own and expect their callers to
299 log. All functions in "library" code, i.e. in `src/shared/` and suchlike must
300 be "non-logging". Every time a "logging" function calls a "non-logging"
301 function, it should log about the resulting errors. If a "logging" function
302 calls another "logging" function, then it should not generate log messages,
303 so that log messages are not generated twice for the same errors.
305 - If possible, do a combined log & return operation:
310 return log_(error|warning|notice|...)_errno(r, "Failed to ...: %m");
313 If the error value is "synthetic", i.e. it was not received from
314 the called function, use `SYNTHETIC_ERRNO` wrapper to tell the logging
315 system to not log the errno value, but still return it:
318 n = read(..., s, sizeof s);
320 return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to read ...");
325 - Always check OOM. There is no excuse. In program code, you can use
326 `log_oom()` for then printing a short message, but not in "library" code.
328 - Avoid fixed-size string buffers, unless you really know the maximum size and
329 that maximum size is small. They are a source of errors, since they possibly
330 result in truncated strings. It is often nicer to use dynamic memory,
331 `alloca()` or VLAs. If you do allocate fixed-size strings on the stack, then
332 it is probably only OK if you either use a maximum size such as `LINE_MAX`,
333 or count in detail the maximum size a string can have. (`DECIMAL_STR_MAX` and
334 `DECIMAL_STR_WIDTH` macros are your friends for this!)
336 Or in other words, if you use `char buf[256]` then you are likely doing
339 - Make use of `_cleanup_free_` and friends. It makes your code much nicer to
342 - Use `alloca()`, but never forget that it is not OK to invoke `alloca()`
343 within a loop or within function call parameters. `alloca()` memory is
344 released at the end of a function, and not at the end of a `{}` block. Thus,
345 if you invoke it in a loop, you keep increasing the stack pointer without
346 ever releasing memory again. (VLAs have better behavior in this case, so
347 consider using them as an alternative.) Regarding not using `alloca()`
348 within function parameters, see the BUGS section of the `alloca(3)` man page.
350 - If you want to concatenate two or more strings, consider using `strjoina()`
351 or `strjoin()` rather than `asprintf()`, as the latter is a lot slower. This
352 matters particularly in inner loops (but note that `strjoina()` cannot be
357 - Avoid leaving long-running child processes around, i.e. `fork()`s that are
358 not followed quickly by an `execv()` in the child. Resource management is
359 unclear in this case, and memory CoW will result in unexpected penalties in
360 the parent much, much later on.
362 - Don't block execution for arbitrary amounts of time using `usleep()` or a
363 similar call, unless you really know what you do. Just "giving something some
364 time", or so is a lazy excuse. Always wait for the proper event, instead of
365 doing time-based poll loops.
367 - Whenever installing a signal handler, make sure to set `SA_RESTART` for it,
368 so that interrupted system calls are automatically restarted, and we minimize
369 hassles with handling `EINTR` (in particular as `EINTR` handling is pretty
372 - When applying C-style unescaping as well as specifier expansion on the same
373 string, always apply the C-style unescaping fist, followed by the specifier
374 expansion. When doing the reverse, make sure to escape `%` in specifier-style
375 first (i.e. `%` → `%%`), and then do C-style escaping where necessary.
377 - Be exceptionally careful when formatting and parsing floating point
378 numbers. Their syntax is locale dependent (i.e. `5.000` in en_US is generally
379 understood as 5, while in de_DE as 5000.).
381 - Make sure to enforce limits on every user controllable resource. If the user
382 can allocate resources in your code, your code must enforce some form of
383 limits after which it will refuse operation. It's fine if it is hard-coded
384 (at least initially), but it needs to be there. This is particularly
385 important for objects that unprivileged users may allocate, but also matters
386 for everything else any user may allocated.
390 - Think about the types you use. If a value cannot sensibly be negative, do not
391 use `int`, but use `unsigned`.
393 - Use `char` only for actual characters. Use `uint8_t` or `int8_t` when you
394 actually mean a byte-sized signed or unsigned integers. When referring to a
395 generic byte, we generally prefer the unsigned variant `uint8_t`. Do not use
396 types based on `short`. They *never* make sense. Use `int`, `long`, `long
397 long`, all in unsigned and signed fashion, and the fixed-size types
398 `uint8_t`, `uint16_t`, `uint32_t`, `uint64_t`, `int8_t`, `int16_t`, `int32_t`
399 and so on, as well as `size_t`, but nothing else. Do not use kernel types
400 like `u32` and so on, leave that to the kernel.
402 - Stay uniform. For example, always use `usec_t` for time values. Do not mix
403 `usec` and `msec`, and `usec` and whatnot.
405 - Never use the `off_t` type, and particularly avoid it in public APIs. It's
406 really weirdly defined, as it usually is 64-bit and we don't support it any
407 other way, but it could in theory also be 32-bit. Which one it is depends on
408 a compiler switch chosen by the compiled program, which hence corrupts APIs
409 using it unless they can also follow the program's choice. Moreover, in
410 systemd we should parse values the same way on all architectures and cannot
411 expose `off_t` values over D-Bus. To avoid any confusion regarding conversion
412 and ABIs, always use simply `uint64_t` directly.
414 - Unless you allocate an array, `double` is always a better choice than
415 `float`. Processors speak `double` natively anyway, so there is no speed
416 benefit, and on calls like `printf()` `float`s get promoted to `double`s
417 anyway, so there is no point.
419 - Use the bool type for booleans, not integers. One exception: in public
420 headers (i.e those in `src/systemd/sd-*.h`) use integers after all, as `bool`
421 is C99 and in our public APIs we try to stick to C89 (with a few extension).
425 - Do not issue NSS requests (that includes user name and host name lookups)
426 from PID 1 as this might trigger deadlocks when those lookups involve
427 synchronously talking to services that we would need to start up.
429 - Do not synchronously talk to any other service from PID 1, due to risk of
434 - When you allocate a file descriptor, it should be made `O_CLOEXEC` right from
435 the beginning, as none of our files should leak to forked binaries by
436 default. Hence, whenever you open a file, `O_CLOEXEC` must be specified,
437 right from the beginning. This also applies to sockets. Effectively, this
438 means that all invocations to:
440 - `open()` must get `O_CLOEXEC` passed,
441 - `socket()` and `socketpair()` must get `SOCK_CLOEXEC` passed,
442 - `recvmsg()` must get `MSG_CMSG_CLOEXEC` set,
443 - `F_DUPFD_CLOEXEC` should be used instead of `F_DUPFD`, and so on,
444 - invocations of `fopen()` should take `e`.
446 - It's a good idea to use `O_NONBLOCK` when opening 'foreign' regular files,
447 i.e. file system objects that are supposed to be regular files whose paths
448 where specified by the user and hence might actually refer to other types of
449 file system objects. This is a good idea so that we don't end up blocking on
450 'strange' file nodes, for example if the user pointed us to a FIFO or device
451 node which may block when opening. Moreover even for actual regular files
452 `O_NONBLOCK` has a benefit: it bypasses any mandatory lock that might be in
453 effect on the regular file. If in doubt consider turning off `O_NONBLOCK`
458 - If you parse a command line, and want to store the parsed parameters in
459 global variables, please consider prefixing their names with `arg_`. We have
460 been following this naming rule in most of our tools, and we should continue
461 to do so, as it makes it easy to identify command line parameter variables,
462 and makes it clear why it is OK that they are global variables.
464 - Command line option parsing:
465 - Do not print full `help()` on error, be specific about the error.
466 - Do not print messages to stdout on error.
467 - Do not POSIX_ME_HARDER unless necessary, i.e. avoid `+` in option string.
471 - Variables and functions **must** be static, unless they have a prototype, and
472 are supposed to be exported.
474 - Public API calls (i.e. functions exported by our shared libraries)
475 must be marked `_public_` and need to be prefixed with `sd_`. No
476 other functions should be prefixed like that.
478 - When exposing public C APIs, be careful what function parameters you make
479 `const`. For example, a parameter taking a context object should probably not
480 be `const`, even if you are writing an otherwise read-only accessor function
481 for it. The reason is that making it `const` fixates the contract that your
482 call won't alter the object ever, as part of the API. However, that's often
483 quite a promise, given that this even prohibits object-internal caching or
484 lazy initialization of object variables. Moreover, it's usually not too
485 useful for client applications. Hence, please be careful and avoid `const` on
486 object parameters, unless you are very sure `const` is appropriate.
488 ## Referencing Concepts
490 - When referring to a configuration file option in the documentation and such,
491 please always suffix it with `=`, to indicate that it is a configuration file
494 - When referring to a command line option in the documentation and such, please
495 always prefix with `--` or `-` (as appropriate), to indicate that it is a
498 - When referring to a file system path that is a directory, please always
499 suffix it with `/`, to indicate that it is a directory, not a regular file
500 (or other file system object).
502 ## Functions to Avoid
504 - Use `memzero()` or even better `zero()` instead of `memset(..., 0, ...)`
506 - Please use `streq()` and `strneq()` instead of `strcmp()`, `strncmp()` where
507 applicable (i.e. wherever you just care about equality/inequality, not about
510 - Never use `strtol()`, `atoi()` and similar calls. Use `safe_atoli()`,
511 `safe_atou32()` and suchlike instead. They are much nicer to use in most
512 cases and correctly check for parsing errors.
514 - `htonl()`/`ntohl()` and `htons()`/`ntohs()` are weird. Please use `htobe32()`
515 and `htobe16()` instead, it's much more descriptive, and actually says what
516 really is happening, after all `htonl()` and `htons()` don't operate on
517 `long`s and `short`s as their name would suggest, but on `uint32_t` and
518 `uint16_t`. Also, "network byte order" is just a weird name for "big endian",
519 hence we might want to call it "big endian" right-away.
521 - Please never use `dup()`. Use `fcntl(fd, F_DUPFD_CLOEXEC, 3)` instead. For
522 two reason: first, you want `O_CLOEXEC` set on the new `fd` (see
523 above). Second, `dup()` will happily duplicate your `fd` as 0, 1, 2,
524 i.e. stdin, stdout, stderr, should those `fd`s be closed. Given the special
525 semantics of those `fd`s, it's probably a good idea to avoid
526 them. `F_DUPFD_CLOEXEC` with `3` as parameter avoids them.
528 - Don't use `fgets()`, it's too hard to properly handle errors such as overly
529 long lines. Use `read_line()` instead, which is our own function that handles
532 - Don't invoke `exit()`, ever. It is not replacement for proper error
533 handling. Please escalate errors up your call chain, and use normal `return`
534 to exit from the main function of a process. If you `fork()`ed off a child
535 process, please use `_exit()` instead of `exit()`, so that the exit handlers
538 - We never use the POSIX version of `basename()` (which glibc defines it in
539 `libgen.h`), only the GNU version (which glibc defines in `string.h`). The
540 only reason to include `libgen.h` is because `dirname()` is needed. Every
541 time you need that please immediately undefine `basename()`, and add a
542 comment about it, so that no code ever ends up using the POSIX version!
546 - Commit message subject lines should be prefixed with an appropriate component
547 name of some kind. For example "journal: ", "nspawn: " and so on.
549 - Do not use "Signed-Off-By:" in your commit messages. That's a kernel thing we
550 don't do in the systemd project.