9 - 8ch indent, no tabs, except for files in `man/` which are 2ch indent, and
10 still no tabs, and shell scripts, which are 4ch indent, and no tabs either.
12 - We prefer `/* comments */` over `// comments` in code you commit,
13 please. This way `// comments` are left for developers to use for local,
14 temporary commenting of code for debug purposes (i.e. uncommittable stuff),
15 making such comments easily discernible from explanatory, documenting code
16 comments (i.e. committable stuff).
18 - Don't break code lines too eagerly. We do **not** force line breaks at 80ch,
19 all of today's screens should be much larger than that. But then again, don't
20 overdo it, ~109ch should be enough really. The `.editorconfig`, `.vimrc` and
21 `.dir-locals.el` files contained in the repository will set this limit up for
22 you automatically, if you let them (as well as a few other things). Please
23 note that emacs loads `.dir-locals.el` automatically, but vim needs to be
24 configured to load `.vimrc`, see that file for instructions.
41 - Single-line `if` blocks should not be enclosed in `{}`. Write this:
56 - Do not write `foo ()`, write `foo()`.
58 - Preferably allocate local variables on the top of the block:
71 - Variables and functions **must** be static, unless they have a
72 prototype, and are supposed to be exported.
74 - structs in `PascalCase` (with exceptions, such as public API structs),
75 variables and functions in `snake_case`.
77 - The destructors always deregister the object from the next bigger
78 object, not the other way around.
80 - To minimize strict aliasing violations, we prefer unions over casting.
82 - For robustness reasons, destructors should be able to destruct
83 half-initialized objects, too.
85 - Do not issue NSS requests (that includes user name and host name
86 lookups) from PID 1 as this might trigger deadlocks when those
87 lookups involve synchronously talking to services that we would need
90 - Do not synchronously talk to any other service from PID 1, due to
93 - Be exceptionally careful when formatting and parsing floating point
94 numbers. Their syntax is locale dependent (i.e. `5.000` in en_US is
95 generally understood as 5, while in de_DE as 5000.).
97 - Do not mix function invocations with variable definitions in one
118 - Use `goto` for cleaning up, and only use it for that. i.e. you may
119 only jump to the end of a function, and little else. Never jump
122 - Public API calls (i.e. functions exported by our shared libraries)
123 must be marked `_public_` and need to be prefixed with `sd_`. No
124 other functions should be prefixed like that.
126 - For every function you add, think about whether it is a "logging"
127 function or a "non-logging" function. "Logging" functions do logging
128 on their own, "non-logging" function never log on their own and
129 expect their callers to log. All functions in "library" code,
130 i.e. in `src/shared/` and suchlike must be "non-logging". Every time a
131 "logging" function calls a "non-logging" function, it should log
132 about the resulting errors. If a "logging" function calls another
133 "logging" function, then it should not generate log messages, so
134 that log messages are not generated twice for the same errors.
136 - If possible, do a combined log & return operation:
141 return log_(error|warning|notice|...)_errno(r, "Failed to ...: %m");
144 If the error value is "synthetic", i.e. it was not received from
145 the called function, use `SYNTHETIC_ERRNO` wrapper to tell the logging
146 system to not log the errno value, but still return it:
149 n = read(..., s, sizeof s);
151 return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to read ...");
154 - Avoid static variables, except for caches and very few other
155 cases. Think about thread-safety! While most of our code is never
156 used in threaded environments, at least the library code should make
157 sure it works correctly in them. Instead of doing a lot of locking
158 for that, we tend to prefer using TLS to do per-thread caching (which
159 only works for small, fixed-size cache objects), or we disable
160 caching for any thread that is not the main thread. Use
161 `is_main_thread()` to detect whether the calling thread is the main
164 - Command line option parsing:
165 - Do not print full `help()` on error, be specific about the error.
166 - Do not print messages to stdout on error.
167 - Do not POSIX_ME_HARDER unless necessary, i.e. avoid `+` in option string.
169 - Do not write functions that clobber call-by-reference variables on
170 failure. Use temporary variables for these cases and change the
171 passed in variables only on success.
173 - When you define a destructor or `unref()` call for an object, please
174 accept a `NULL` object and simply treat this as NOP. This is similar
175 to how libc `free()` works, which accepts `NULL` pointers and becomes a
176 NOP for them. By following this scheme a lot of `if` checks can be
177 removed before invoking your destructor, which makes the code
178 substantially more readable and robust.
180 - Related to this: when you define a destructor or `unref()` call for an
181 object, please make it return the same type it takes and always
182 return `NULL` from it. This allows writing code like this:
188 which will always work regardless if `p` is initialized or not, and
189 guarantees that `p` is `NULL` afterwards, all in just one line.
191 - Instead of using `memzero()`/`memset()` to initialize structs allocated
192 on the stack, please try to use c99 structure initializers. It's
193 short, prettier and actually even faster at execution. Hence:
211 - The order in which header files are included doesn't matter too
212 much. systemd-internal headers must not rely on an include order, so
213 it is safe to include them in any order possible.
214 However, to not clutter global includes, and to make sure internal
215 definitions will not affect global headers, please always include the
216 headers of external components first (these are all headers enclosed
217 in <>), followed by our own exported headers (usually everything
218 that's prefixed by `sd-`), and then followed by internal headers.
219 Furthermore, in all three groups, order all includes alphabetically
220 so duplicate includes can easily be detected.
222 - To implement an endless loop, use `for (;;)` rather than `while (1)`.
223 The latter is a bit ugly anyway, since you probably really
224 meant `while (true)`. To avoid the discussion what the right
225 always-true expression for an infinite while loop is, our
226 recommendation is to simply write it without any such expression by
229 - Avoid leaving long-running child processes around, i.e. `fork()`s that
230 are not followed quickly by an `execv()` in the child. Resource
231 management is unclear in this case, and memory CoW will result in
232 unexpected penalties in the parent much, much later on.
234 - Don't block execution for arbitrary amounts of time using `usleep()`
235 or a similar call, unless you really know what you do. Just "giving
236 something some time", or so is a lazy excuse. Always wait for the
237 proper event, instead of doing time-based poll loops.
239 - To determine the length of a constant string `"foo"`, don't bother with
240 `sizeof("foo")-1`, please use `strlen()` instead (both gcc and clang optimize
241 the call away for fixed strings). The only exception is when declaring an
242 array. In that case use STRLEN, which evaluates to a static constant and
243 doesn't force the compiler to create a VLA.
245 - Please avoid using global variables as much as you can. And if you
246 do use them make sure they are static at least, instead of
247 exported. Especially in library-like code it is important to avoid
248 global variables. Why are global variables bad? They usually hinder
249 generic reusability of code (since they break in threaded programs,
250 and usually would require locking there), and as the code using them
251 has side-effects make programs non-transparent. That said, there are
252 many cases where they explicitly make a lot of sense, and are OK to
253 use. For example, the log level and target in `log.c` is stored in a
254 global variable, and that's OK and probably expected by most. Also
255 in many cases we cache data in global variables. If you add more
256 caches like this, please be careful however, and think about
257 threading. Only use static variables if you are sure that
258 thread-safety doesn't matter in your case. Alternatively, consider
259 using TLS, which is pretty easy to use with gcc's `thread_local`
260 concept. It's also OK to store data that is inherently global in
261 global variables, for example data parsed from command lines, see
264 - If you parse a command line, and want to store the parsed parameters
265 in global variables, please consider prefixing their names with
266 `arg_`. We have been following this naming rule in most of our
267 tools, and we should continue to do so, as it makes it easy to
268 identify command line parameter variables, and makes it clear why it
269 is OK that they are global variables.
271 - When exposing public C APIs, be careful what function parameters you make
272 `const`. For example, a parameter taking a context object should probably not
273 be `const`, even if you are writing an otherwise read-only accessor function
274 for it. The reason is that making it `const` fixates the contract that your
275 call won't alter the object ever, as part of the API. However, that's often
276 quite a promise, given that this even prohibits object-internal caching or
277 lazy initialization of object variables. Moreover, it's usually not too useful
278 for client applications. Hence, please be careful and avoid `const` on object
279 parameters, unless you are very sure `const` is appropriate.
281 - Make sure to enforce limits on every user controllable resource. If the user
282 can allocate resources in your code, your code must enforce some form of
283 limits after which it will refuse operation. It's fine if it is hard-coded (at
284 least initially), but it needs to be there. This is particularly important
285 for objects that unprivileged users may allocate, but also matters for
286 everything else any user may allocated.
288 - You might wonder what kind of common code belongs in `src/shared/` and what
289 belongs in `src/basic/`. The split is like this: anything that is used to
290 implement the public shared object we provide (sd-bus, sd-login, sd-id128,
291 nss-systemd, nss-mymachines, nss-resolve, nss-myhostname, pam_systemd), must
292 be located in `src/basic` (those objects are not allowed to link to
293 libsystemd-shared.so). Conversely, anything which is shared between multiple
294 components and does not need to be in `src/basic/`, should be in
300 - may be used by all code in the tree
301 - may not use any code outside of `src/basic/`
304 - may be used by all code in the tree, except for code in `src/basic/`
305 - may not use any code outside of `src/basic/`, `src/libsystemd/`
308 - may be used by all code in the tree, except for code in `src/basic/`,
309 `src/libsystemd/`, `src/nss-*`, `src/login/pam_systemd.*`, and files under
310 `src/journal/` that end up in `libjournal-client.a` convenience library.
311 - may not use any code outside of `src/basic/`, `src/libsystemd/`, `src/shared/`
313 - Our focus is on the GNU libc (glibc), not any other libcs. If other libcs are
314 incompatible with glibc it's on them. However, if there are equivalent POSIX
315 and Linux/GNU-specific APIs, we generally prefer the POSIX APIs. If there
316 aren't, we are happy to use GNU or Linux APIs, and expect non-GNU
317 implementations of libc to catch up with glibc.
319 - Whenever installing a signal handler, make sure to set `SA_RESTART` for it, so
320 that interrupted system calls are automatically restarted, and we minimize
321 hassles with handling `EINTR` (in particular as `EINTR` handling is pretty broken
324 - When applying C-style unescaping as well as specifier expansion on the same
325 string, always apply the C-style unescaping fist, followed by the specifier
326 expansion. When doing the reverse, make sure to escape `%` in specifier-style
327 first (i.e. `%` → `%%`), and then do C-style escaping where necessary.
331 - Error codes are returned as negative `Exxx`. e.g. `return -EINVAL`. There are
332 some exceptions: for constructors, it is OK to return `NULL` on OOM. For
333 lookup functions, `NULL` is fine too for "not found".
335 Be strict with this. When you write a function that can fail due to more than
336 one cause, it *really* should have an `int` as the return value for the error
339 - Do not bother with error checking whether writing to stdout/stderr worked.
341 - Do not log errors from "library" code, only do so from "main program"
342 code. (With one exception: it is OK to log with DEBUG level from any code,
343 with the exception of maybe inner loops).
345 - In public API calls, you **must** validate all your input arguments for
346 programming error with `assert_return()` and return a sensible return
347 code. In all other calls, it is recommended to check for programming errors
348 with a more brutal `assert()`. We are more forgiving to public users than for
349 ourselves! Note that `assert()` and `assert_return()` really only should be
350 used for detecting programming errors, not for runtime errors. `assert()` and
351 `assert_return()` by usage of `_likely_()` inform the compiler that he should
352 not expect these checks to fail, and they inform fellow programmers about the
353 expected validity and range of parameters.
355 - When you invoke certain calls like `unlink()`, or `mkdir_p()` and you know it
356 is safe to ignore the error it might return (because a later call would
357 detect the failure anyway, or because the error is in an error path and you
358 thus couldn't do anything about it anyway), then make this clear by casting
359 the invocation explicitly to `(void)`. Code checks like Coverity understand
360 that, and will not complain about ignored error codes. Hence, please use
364 (void) unlink("/foo/bar/baz");
367 instead of just this:
370 unlink("/foo/bar/baz");
373 Don't cast function calls to `(void)` that return no error
374 conditions. Specifically, the various `xyz_unref()` calls that return a
375 `NULL` object shouldn't be cast to `(void)`, since not using the return value
376 does not hide any errors.
378 - When returning a return code from `main()`, please preferably use
379 `EXIT_FAILURE` and `EXIT_SUCCESS` as defined by libc.
383 - Always check OOM. There is no excuse. In program code, you can use
384 `log_oom()` for then printing a short message, but not in "library" code.
386 - Avoid fixed-size string buffers, unless you really know the maximum size and
387 that maximum size is small. They are a source of errors, since they possibly
388 result in truncated strings. It is often nicer to use dynamic memory,
389 `alloca()` or VLAs. If you do allocate fixed-size strings on the stack, then
390 it is probably only OK if you either use a maximum size such as `LINE_MAX`,
391 or count in detail the maximum size a string can have. (`DECIMAL_STR_MAX` and
392 `DECIMAL_STR_WIDTH` macros are your friends for this!)
394 Or in other words, if you use `char buf[256]` then you are likely doing
397 - Make use of `_cleanup_free_` and friends. It makes your code much nicer to
400 - Use `alloca()`, but never forget that it is not OK to invoke `alloca()`
401 within a loop or within function call parameters. `alloca()` memory is
402 released at the end of a function, and not at the end of a `{}` block. Thus,
403 if you invoke it in a loop, you keep increasing the stack pointer without
404 ever releasing memory again. (VLAs have better behavior in this case, so
405 consider using them as an alternative.) Regarding not using `alloca()`
406 within function parameters, see the BUGS section of the `alloca(3)` man page.
408 - If you want to concatenate two or more strings, consider using `strjoina()`
409 or `strjoin()` rather than `asprintf()`, as the latter is a lot slower. This
410 matters particularly in inner loops (but note that `strjoina()` cannot be
415 - Think about the types you use. If a value cannot sensibly be negative, do not
416 use `int`, but use `unsigned`.
418 - Use `char` only for actual characters. Use `uint8_t` or `int8_t` when you
419 actually mean a byte-sized signed or unsigned integers. When referring to a
420 generic byte, we generally prefer the unsigned variant `uint8_t`. Do not use
421 types based on `short`. They *never* make sense. Use `int`, `long`, `long
422 long`, all in unsigned and signed fashion, and the fixed-size types
423 `uint8_t`, `uint16_t`, `uint32_t`, `uint64_t`, `int8_t`, `int16_t`, `int32_t`
424 and so on, as well as `size_t`, but nothing else. Do not use kernel types
425 like `u32` and so on, leave that to the kernel.
427 - Stay uniform. For example, always use `usec_t` for time values. Do not mix
428 `usec` and `msec`, and `usec` and whatnot.
430 - Never use the `off_t` type, and particularly avoid it in public APIs. It's
431 really weirdly defined, as it usually is 64-bit and we don't support it any
432 other way, but it could in theory also be 32-bit. Which one it is depends on
433 a compiler switch chosen by the compiled program, which hence corrupts APIs
434 using it unless they can also follow the program's choice. Moreover, in
435 systemd we should parse values the same way on all architectures and cannot
436 expose `off_t` values over D-Bus. To avoid any confusion regarding conversion
437 and ABIs, always use simply `uint64_t` directly.
439 - Unless you allocate an array, `double` is always a better choice than
440 `float`. Processors speak `double` natively anyway, so there is no speed
441 benefit, and on calls like `printf()` `float`s get promoted to `double`s
442 anyway, so there is no point.
444 - Use the bool type for booleans, not integers. One exception: in public
445 headers (i.e those in `src/systemd/sd-*.h`) use integers after all, as `bool`
446 is C99 and in our public APIs we try to stick to C89 (with a few extension).
450 - When you allocate a file descriptor, it should be made `O_CLOEXEC` right from
451 the beginning, as none of our files should leak to forked binaries by
452 default. Hence, whenever you open a file, `O_CLOEXEC` must be specified,
453 right from the beginning. This also applies to sockets. Effectively, this
454 means that all invocations to:
456 - `open()` must get `O_CLOEXEC` passed,
457 - `socket()` and `socketpair()` must get `SOCK_CLOEXEC` passed,
458 - `recvmsg()` must get `MSG_CMSG_CLOEXEC` set,
459 - `F_DUPFD_CLOEXEC` should be used instead of `F_DUPFD`, and so on,
460 - invocations of `fopen()` should take `e`.
462 - It's a good idea to use `O_NONBLOCK` when opening 'foreign' regular files,
463 i.e. file system objects that are supposed to be regular files whose paths
464 where specified by the user and hence might actually refer to other types of
465 file system objects. This is a good idea so that we don't end up blocking on
466 'strange' file nodes, for example if the user pointed us to a FIFO or device
467 node which may block when opening. Moreover even for actual regular files
468 `O_NONBLOCK` has a benefit: it bypasses any mandatory lock that might be in
469 effect on the regular file. If in doubt consider turning off `O_NONBLOCK`
472 ## Referencing Concepts
474 - When referring to a configuration file option in the documentation and such,
475 please always suffix it with `=`, to indicate that it is a configuration file
478 - When referring to a command line option in the documentation and such, please
479 always prefix with `--` or `-` (as appropriate), to indicate that it is a
482 - When referring to a file system path that is a directory, please always
483 suffix it with `/`, to indicate that it is a directory, not a regular file
484 (or other file system object).
486 ## Functions to Avoid
488 - Use `memzero()` or even better `zero()` instead of `memset(..., 0, ...)`
490 - Please use `streq()` and `strneq()` instead of `strcmp()`, `strncmp()` where
491 applicable (i.e. wherever you just care about equality/inequality, not about
494 - Never use `strtol()`, `atoi()` and similar calls. Use `safe_atoli()`,
495 `safe_atou32()` and suchlike instead. They are much nicer to use in most
496 cases and correctly check for parsing errors.
498 - `htonl()`/`ntohl()` and `htons()`/`ntohs()` are weird. Please use `htobe32()`
499 and `htobe16()` instead, it's much more descriptive, and actually says what
500 really is happening, after all `htonl()` and `htons()` don't operate on
501 `long`s and `short`s as their name would suggest, but on `uint32_t` and
502 `uint16_t`. Also, "network byte order" is just a weird name for "big endian",
503 hence we might want to call it "big endian" right-away.
505 - Please never use `dup()`. Use `fcntl(fd, F_DUPFD_CLOEXEC, 3)` instead. For
506 two reason: first, you want `O_CLOEXEC` set on the new `fd` (see
507 above). Second, `dup()` will happily duplicate your `fd` as 0, 1, 2,
508 i.e. stdin, stdout, stderr, should those `fd`s be closed. Given the special
509 semantics of those `fd`s, it's probably a good idea to avoid
510 them. `F_DUPFD_CLOEXEC` with `3` as parameter avoids them.
512 - Don't use `fgets()`, it's too hard to properly handle errors such as overly
513 long lines. Use `read_line()` instead, which is our own function that handles
516 - Don't invoke `exit()`, ever. It is not replacement for proper error
517 handling. Please escalate errors up your call chain, and use normal `return`
518 to exit from the main function of a process. If you `fork()`ed off a child
519 process, please use `_exit()` instead of `exit()`, so that the exit handlers
522 - We never use the POSIX version of `basename()` (which glibc defines it in
523 `libgen.h`), only the GNU version (which glibc defines in `string.h`). The
524 only reason to include `libgen.h` is because `dirname()` is needed. Every
525 time you need that please immediately undefine `basename()`, and add a
526 comment about it, so that no code ever ends up using the POSIX version!
530 - Commit message subject lines should be prefixed with an appropriate component
531 name of some kind. For example "journal: ", "nspawn: " and so on.
533 - Do not use "Signed-Off-By:" in your commit messages. That's a kernel thing we
534 don't do in the systemd project.