From 82143987b35315efd8406082362ad18bb8ccaf29 Mon Sep 17 00:00:00 2001 From: Faheel Ahmad Date: Tue, 30 Oct 2018 15:58:44 +0530 Subject: [PATCH] docs: Convert CODING_STYLE to Markdown Also fix minor grammatical errors --- docs/CODING_STYLE | 464 ---------------------------------------- docs/CODING_STYLE.md | 495 +++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 495 insertions(+), 464 deletions(-) delete mode 100644 docs/CODING_STYLE create mode 100644 docs/CODING_STYLE.md diff --git a/docs/CODING_STYLE b/docs/CODING_STYLE deleted file mode 100644 index ca6e1cb693..0000000000 --- a/docs/CODING_STYLE +++ /dev/null @@ -1,464 +0,0 @@ -- 8ch indent, no tabs, except for files in man/ which are 2ch indent, - and still no tabs - -- We prefer /* comments */ over // comments in code you commit, please. This - way // comments are left for developers to use for local, temporary - commenting of code for debug purposes (i.e. uncommittable stuff), making such - comments easily discernable from explanatory, documenting code comments - (i.e. committable stuff). - -- Don't break code lines too eagerly. We do *not* force line breaks at 80ch, - all of today's screens should be much larger than that. But then again, don't - overdo it, ~119ch should be enough really. The .editorconfig, .vimrc and - .dir-locals.el files contained in the repository will set this limit up for - you automatically, if you let them (as well as a few other things). - -- Variables and functions *must* be static, unless they have a - prototype, and are supposed to be exported. - -- structs in MixedCase (with exceptions, such as public API structs), - variables + functions in lower_case. - -- The destructors always unregister the object from the next bigger - object, not the other way around - -- To minimize strict aliasing violations, we prefer unions over casting - -- For robustness reasons, destructors should be able to destruct - half-initialized objects, too - -- Error codes are returned as negative Exxx. e.g. return -EINVAL. There - are some exceptions: for constructors, it is OK to return NULL on - OOM. For lookup functions, NULL is fine too for "not found". - - Be strict with this. When you write a function that can fail due to - more than one cause, it *really* should have "int" as return value - for the error code. - -- Do not bother with error checking whether writing to stdout/stderr - worked. - -- Do not log errors from "library" code, only do so from "main - program" code. (With one exception: it is OK to log with DEBUG level - from any code, with the exception of maybe inner loops). - -- Always check OOM. There is no excuse. In program code, you can use - "log_oom()" for then printing a short message, but not in "library" code. - -- Do not issue NSS requests (that includes user name and host name - lookups) from PID 1 as this might trigger deadlocks when those - lookups involve synchronously talking to services that we would need - to start up - -- Do not synchronously talk to any other service from PID 1, due to - risk of deadlocks - -- Avoid fixed-size string buffers, unless you really know the maximum - size and that maximum size is small. They are a source of errors, - since they possibly result in truncated strings. It is often nicer - to use dynamic memory, alloca() or VLAs. If you do allocate fixed-size - strings on the stack, then it is probably only OK if you either - use a maximum size such as LINE_MAX, or count in detail the maximum - size a string can have. (DECIMAL_STR_MAX and DECIMAL_STR_WIDTH - macros are your friends for this!) - - Or in other words, if you use "char buf[256]" then you are likely - doing something wrong! - -- Stay uniform. For example, always use "usec_t" for time - values. Do not mix usec and msec, and usec and whatnot. - -- Make use of _cleanup_free_ and friends. It makes your code much - nicer to read (and shorter)! - -- Be exceptionally careful when formatting and parsing floating point - numbers. Their syntax is locale dependent (i.e. "5.000" in en_US is - generally understood as 5, while on de_DE as 5000.). - -- Try to use this: - - void foo() { - } - - instead of this: - - void foo() - { - } - - But it is OK if you do not. - -- Single-line "if" blocks should not be enclosed in {}. Use this: - - if (foobar) - waldo(); - - instead of this: - - if (foobar) { - waldo(); - } - -- Do not write "foo ()", write "foo()". - -- Please use streq() and strneq() instead of strcmp(), strncmp() where - applicable (i.e. wherever you just care about equality/inequality, not about - the sorting order). - -- Preferably allocate stack variables on the top of the block: - - { - int a, b; - - a = 5; - b = a; - } - -- Unless you allocate an array, "double" is always the better choice - than "float". Processors speak "double" natively anyway, so this is - no speed benefit, and on calls like printf() "float"s get promoted - to "double"s anyway, so there is no point. - -- Do not mix function invocations with variable definitions in one - line. Wrong: - - { - int a = foobar(); - uint64_t x = 7; - } - - Right: - - { - int a; - uint64_t x = 7; - - a = foobar(); - } - -- Use "goto" for cleaning up, and only use it for that. i.e. you may - only jump to the end of a function, and little else. Never jump - backwards! - -- Think about the types you use. If a value cannot sensibly be - negative, do not use "int", but use "unsigned". - -- Use "char" only for actual characters. Use "uint8_t" or "int8_t" - when you actually mean a byte-sized signed or unsigned - integers. When referring to a generic byte, we generally prefer the - unsigned variant "uint8_t". Do not use types based on "short". They - *never* make sense. Use ints, longs, long longs, all in - unsigned+signed fashion, and the fixed size types - uint8_t/uint16_t/uint32_t/uint64_t/int8_t/int16_t/int32_t and so on, - as well as size_t, but nothing else. Do not use kernel types like - u32 and so on, leave that to the kernel. - -- Public API calls (i.e. functions exported by our shared libraries) - must be marked "_public_" and need to be prefixed with "sd_". No - other functions should be prefixed like that. - -- In public API calls, you *must* validate all your input arguments for - programming error with assert_return() and return a sensible return - code. In all other calls, it is recommended to check for programming - errors with a more brutal assert(). We are more forgiving to public - users than for ourselves! Note that assert() and assert_return() - really only should be used for detecting programming errors, not for - runtime errors. assert() and assert_return() by usage of _likely_() - inform the compiler that he should not expect these checks to fail, - and they inform fellow programmers about the expected validity and - range of parameters. - -- Never use strtol(), atoi() and similar calls. Use safe_atoli(), - safe_atou32() and suchlike instead. They are much nicer to use in - most cases and correctly check for parsing errors. - -- For every function you add, think about whether it is a "logging" - function or a "non-logging" function. "Logging" functions do logging - on their own, "non-logging" function never log on their own and - expect their callers to log. All functions in "library" code, - i.e. in src/shared/ and suchlike must be "non-logging". Every time a - "logging" function calls a "non-logging" function, it should log - about the resulting errors. If a "logging" function calls another - "logging" function, then it should not generate log messages, so - that log messages are not generated twice for the same errors. - -- Avoid static variables, except for caches and very few other - cases. Think about thread-safety! While most of our code is never - used in threaded environments, at least the library code should make - sure it works correctly in them. Instead of doing a lot of locking - for that, we tend to prefer using TLS to do per-thread caching (which - only works for small, fixed-size cache objects), or we disable - caching for any thread that is not the main thread. Use - is_main_thread() to detect whether the calling thread is the main - thread. - -- Command line option parsing: - - Do not print full help() on error, be specific about the error. - - Do not print messages to stdout on error. - - Do not POSIX_ME_HARDER unless necessary, i.e. avoid "+" in option string. - -- Do not write functions that clobber call-by-reference variables on - failure. Use temporary variables for these cases and change the - passed in variables only on success. - -- When you allocate a file descriptor, it should be made O_CLOEXEC - right from the beginning, as none of our files should leak to forked - binaries by default. Hence, whenever you open a file, O_CLOEXEC must - be specified, right from the beginning. This also applies to - sockets. Effectively this means that all invocations to: - - a) open() must get O_CLOEXEC passed - b) socket() and socketpair() must get SOCK_CLOEXEC passed - c) recvmsg() must get MSG_CMSG_CLOEXEC set - d) F_DUPFD_CLOEXEC should be used instead of F_DUPFD, and so on - f) invocations of fopen() should take "e" - -- We never use the POSIX version of basename() (which glibc defines it in - libgen.h), only the GNU version (which glibc defines in string.h). - The only reason to include libgen.h is because dirname() - is needed. Every time you need that please immediately undefine - basename(), and add a comment about it, so that no code ever ends up - using the POSIX version! - -- Use the bool type for booleans, not integers. One exception: in public - headers (i.e those in src/systemd/sd-*.h) use integers after all, as "bool" - is C99 and in our public APIs we try to stick to C89 (with a few extension). - -- When you invoke certain calls like unlink(), or mkdir_p() and you - know it is safe to ignore the error it might return (because a later - call would detect the failure anyway, or because the error is in an - error path and you thus couldn't do anything about it anyway), then - make this clear by casting the invocation explicitly to (void). Code - checks like Coverity understand that, and will not complain about - ignored error codes. Hence, please use this: - - (void) unlink("/foo/bar/baz"); - - instead of just this: - - unlink("/foo/bar/baz"); - - Don't cast function calls to (void) that return no error - conditions. Specifically, the various xyz_unref() calls that return a NULL - object shouldn't be cast to (void), since not using the return value does not - hide any errors. - -- Don't invoke exit(), ever. It is not replacement for proper error - handling. Please escalate errors up your call chain, and use normal - "return" to exit from the main function of a process. If you - fork()ed off a child process, please use _exit() instead of exit(), - so that the exit handlers are not run. - -- Please never use dup(). Use fcntl(fd, F_DUPFD_CLOEXEC, 3) - instead. For two reason: first, you want O_CLOEXEC set on the new fd - (see above). Second, dup() will happily duplicate your fd as 0, 1, - 2, i.e. stdin, stdout, stderr, should those fds be closed. Given the - special semantics of those fds, it's probably a good idea to avoid - them. F_DUPFD_CLOEXEC with "3" as parameter avoids them. - -- When you define a destructor or unref() call for an object, please - accept a NULL object and simply treat this as NOP. This is similar - to how libc free() works, which accepts NULL pointers and becomes a - NOP for them. By following this scheme a lot of if checks can be - removed before invoking your destructor, which makes the code - substantially more readable and robust. - -- Related to this: when you define a destructor or unref() call for an - object, please make it return the same type it takes and always - return NULL from it. This allows writing code like this: - - p = foobar_unref(p); - - which will always work regardless if p is initialized or not, and - guarantees that p is NULL afterwards, all in just one line. - -- Use alloca(), but never forget that it is not OK to invoke alloca() - within a loop or within function call parameters. alloca() memory is - released at the end of a function, and not at the end of a {} - block. Thus, if you invoke it in a loop, you keep increasing the - stack pointer without ever releasing memory again. (VLAs have better - behaviour in this case, so consider using them as an alternative.) - Regarding not using alloca() within function parameters, see the - BUGS section of the alloca(3) man page. - -- Use memzero() or even better zero() instead of memset(..., 0, ...) - -- Instead of using memzero()/memset() to initialize structs allocated - on the stack, please try to use c99 structure initializers. It's - short, prettier and actually even faster at execution. Hence: - - struct foobar t = { - .foo = 7, - .bar = "bazz", - }; - - instead of: - - struct foobar t; - zero(t); - t.foo = 7; - t.bar = "bazz"; - -- When returning a return code from main(), please preferably use - EXIT_FAILURE and EXIT_SUCCESS as defined by libc. - -- The order in which header files are included doesn't matter too - much. systemd-internal headers must not rely on an include order, so - it is safe to include them in any order possible. - However, to not clutter global includes, and to make sure internal - definitions will not affect global headers, please always include the - headers of external components first (these are all headers enclosed - in <>), followed by our own exported headers (usually everything - that's prefixed by "sd-"), and then followed by internal headers. - Furthermore, in all three groups, order all includes alphabetically - so duplicate includes can easily be detected. - -- To implement an endless loop, use "for (;;)" rather than "while - (1)". The latter is a bit ugly anyway, since you probably really - meant "while (true)"... To avoid the discussion what the right - always-true expression for an infinite while() loop is our - recommendation is to simply write it without any such expression by - using "for (;;)". - -- Never use the "off_t" type, and particularly avoid it in public - APIs. It's really weirdly defined, as it usually is 64bit and we - don't support it any other way, but it could in theory also be - 32bit. Which one it is depends on a compiler switch chosen by the - compiled program, which hence corrupts APIs using it unless they can - also follow the program's choice. Moreover, in systemd we should - parse values the same way on all architectures and cannot expose - off_t values over D-Bus. To avoid any confusion regarding conversion - and ABIs, always use simply uint64_t directly. - -- Commit message subject lines should be prefixed with an appropriate - component name of some kind. For example "journal: ", "nspawn: " and - so on. - -- Do not use "Signed-Off-By:" in your commit messages. That's a kernel - thing we don't do in the systemd project. - -- Avoid leaving long-running child processes around, i.e. fork()s that - are not followed quickly by an execv() in the child. Resource - management is unclear in this case, and memory CoW will result in - unexpected penalties in the parent much, much later on. - -- Don't block execution for arbitrary amounts of time using usleep() - or a similar call, unless you really know what you do. Just "giving - something some time", or so is a lazy excuse. Always wait for the - proper event, instead of doing time-based poll loops. - -- To determine the length of a constant string "foo", don't bother - with sizeof("foo")-1, please use STRLEN() instead. - -- If you want to concatenate two or more strings, consider using - strjoin() rather than asprintf(), as the latter is a lot - slower. This matters particularly in inner loops. - -- Please avoid using global variables as much as you can. And if you - do use them make sure they are static at least, instead of - exported. Especially in library-like code it is important to avoid - global variables. Why are global variables bad? They usually hinder - generic reusability of code (since they break in threaded programs, - and usually would require locking there), and as the code using them - has side-effects make programs non-transparent. That said, there are - many cases where they explicitly make a lot of sense, and are OK to - use. For example, the log level and target in log.c is stored in a - global variable, and that's OK and probably expected by most. Also - in many cases we cache data in global variables. If you add more - caches like this, please be careful however, and think about - threading. Only use static variables if you are sure that - thread-safety doesn't matter in your case. Alternatively consider - using TLS, which is pretty easy to use with gcc's "thread_local" - concept. It's also OK to store data that is inherently global in - global variables, for example data parsed from command lines, see - below. - -- If you parse a command line, and want to store the parsed parameters - in global variables, please consider prefixing their names with - "arg_". We have been following this naming rule in most of our - tools, and we should continue to do so, as it makes it easy to - identify command line parameter variables, and makes it clear why it - is OK that they are global variables. - -- When exposing public C APIs, be careful what function parameters you make - "const". For example, a parameter taking a context object should probably not - be "const", even if you are writing an otherwise read-only accessor function - for it. The reason is that making it "const" fixates the contract that your - call won't alter the object ever, as part of the API. However, that's often - quite a promise, given that this even prohibits object-internal caching or - lazy initialization of object variables. Moreover it's usually not too useful - for client applications. Hence: please be careful and avoid "const" on object - parameters, unless you are very sure "const" is appropriate. - -- Make sure to enforce limits on every user controllable resource. If the user - can allocate resources in your code, your code must enforce some form of - limits after which it will refuse operation. It's fine if it is hard-coded (at - least initially), but it needs to be there. This is particularly important - for objects that unprivileged users may allocate, but also matters for - everything else any user may allocated. - -- htonl()/ntohl() and htons()/ntohs() are weird. Please use htobe32() and - htobe16() instead, it's much more descriptive, and actually says what really - is happening, after all htonl() and htons() don't operate on longs and - shorts as their name would suggest, but on uint32_t and uint16_t. Also, - "network byte order" is just a weird name for "big endian", hence we might - want to call it "big endian" right-away. - -- You might wonder what kind of common code belongs in src/shared/ and what - belongs in src/basic/. The split is like this: anything that uses public APIs - we expose (i.e. any of the sd-bus, sd-login, sd-id128, ... APIs) must be - located in src/shared/. All stuff that only uses external libraries from - other projects (such as glibc's APIs), or APIs from src/basic/ itself should - be placed in src/basic/. Conversely, src/libsystemd/ may only use symbols - from src/basic, but not from src/shared/. To summarize: - - src/basic/ → may be used by all code in the tree - → may not use any code outside of src/basic/ - - src/libsystemd/ → may be used by all code in the tree, except for code in src/basic/ - → may not use any code outside of src/basic/, src/libsystemd/ - - src/shared/ → may be used by all code in the tree, except for code in src/basic/, src/libsystemd/ - → may not use any code outside of src/basic/, src/libsystemd/, src/shared/ - -- Our focus is on the GNU libc (glibc), not any other libcs. If other libcs are - incompatible with glibc it's on them. However, if there are equivalent POSIX - and Linux/GNU-specific APIs, we generally prefer the POSIX APIs. If there - aren't, we are happy to use GNU or Linux APIs, and expect non-GNU - implementations of libc to catch up with glibc. - -- Whenever installing a signal handler, make sure to set SA_RESTART for it, so - that interrupted system calls are automatically restarted, and we minimize - hassles with handling EINTR (in particular as EINTR handling is pretty broken - on Linux). - -- When applying C-style unescaping as well as specifier expansion on the same - string, always apply the C-style unescaping fist, followed by the specifier - expansion. When doing the reverse, make sure to escape '%' in specifier-style - first (i.e. '%' → '%%'), and then do C-style escaping where necessary. - -- It's a good idea to use O_NONBLOCK when opening 'foreign' regular files, i.e - file system objects that are supposed to be regular files whose paths where - specified by the user and hence might actually refer to other types of file - system objects. This is a good idea so that we don't end up blocking on - 'strange' file nodes, for example if the user pointed us to a FIFO or device - node which may block when opening. Moreover even for actual regular files - O_NONBLOCK has a benefit: it bypasses any mandatory lock that might be in - effect on the regular file. If in doubt consider turning off O_NONBLOCK again - after opening. - -- When referring to a configuration file option in the documentation and such, - please always suffix it with "=", to indicate that it is a configuration file - setting. - -- When referring to a command line option in the documentation and such, please - always prefix with "--" or "-" (as appropriate), to indicate that it is a - command line option. - -- When referring to a file system path that is a directory, please always - suffix it with "/", to indicate that it is a directory, not a regular file - (or other file system object). - -- Don't use fgets(), it's too hard to properly handle errors such as overly - long lines. Use read_line() instead, which is our own function that handles - this much nicer. diff --git a/docs/CODING_STYLE.md b/docs/CODING_STYLE.md new file mode 100644 index 0000000000..64f7a8cddf --- /dev/null +++ b/docs/CODING_STYLE.md @@ -0,0 +1,495 @@ +# Coding style + +- 8ch indent, no tabs, except for files in `man/` which are 2ch indent, + and still no tabs. + +- We prefer `/* comments */` over `// comments` in code you commit, please. This + way `// comments` are left for developers to use for local, temporary + commenting of code for debug purposes (i.e. uncommittable stuff), making such + comments easily discernable from explanatory, documenting code comments + (i.e. committable stuff). + +- Don't break code lines too eagerly. We do **not** force line breaks at 80ch, + all of today's screens should be much larger than that. But then again, don't + overdo it, ~119ch should be enough really. The `.editorconfig`, `.vimrc` and + `.dir-locals.el` files contained in the repository will set this limit up for + you automatically, if you let them (as well as a few other things). + +- Variables and functions **must** be static, unless they have a + prototype, and are supposed to be exported. + +- structs in `PascalCase` (with exceptions, such as public API structs), + variables and functions in `snake_case`. + +- The destructors always deregister the object from the next bigger + object, not the other way around. + +- To minimize strict aliasing violations, we prefer unions over casting. + +- For robustness reasons, destructors should be able to destruct + half-initialized objects, too. + +- Error codes are returned as negative `Exxx`. e.g. `return -EINVAL`. There + are some exceptions: for constructors, it is OK to return `NULL` on + OOM. For lookup functions, `NULL` is fine too for "not found". + + Be strict with this. When you write a function that can fail due to + more than one cause, it *really* should have an `int` as the return value + for the error code. + +- Do not bother with error checking whether writing to stdout/stderr + worked. + +- Do not log errors from "library" code, only do so from "main + program" code. (With one exception: it is OK to log with DEBUG level + from any code, with the exception of maybe inner loops). + +- Always check OOM. There is no excuse. In program code, you can use + `log_oom()` for then printing a short message, but not in "library" code. + +- Do not issue NSS requests (that includes user name and host name + lookups) from PID 1 as this might trigger deadlocks when those + lookups involve synchronously talking to services that we would need + to start up. + +- Do not synchronously talk to any other service from PID 1, due to + risk of deadlocks. + +- Avoid fixed-size string buffers, unless you really know the maximum + size and that maximum size is small. They are a source of errors, + since they possibly result in truncated strings. It is often nicer + to use dynamic memory, `alloca()` or VLAs. If you do allocate fixed-size + strings on the stack, then it is probably only OK if you either + use a maximum size such as `LINE_MAX`, or count in detail the maximum + size a string can have. (`DECIMAL_STR_MAX` and `DECIMAL_STR_WIDTH` + macros are your friends for this!) + + Or in other words, if you use `char buf[256]` then you are likely + doing something wrong! + +- Stay uniform. For example, always use `usec_t` for time + values. Do not mix `usec` and `msec`, and `usec` and whatnot. + +- Make use of `_cleanup_free_` and friends. It makes your code much + nicer to read (and shorter)! + +- Be exceptionally careful when formatting and parsing floating point + numbers. Their syntax is locale dependent (i.e. `5.000` in en_US is + generally understood as 5, while in de_DE as 5000.). + +- Try to use this: + + ```c + void foo() { + } + ``` + + instead of this: + + ```c + void foo() + { + } + ``` + + But it is OK if you do not. + +- Single-line `if` blocks should not be enclosed in `{}`. Use this: + + ```c + if (foobar) + waldo(); + ``` + + instead of this: + + ```c + if (foobar) { + waldo(); + } + ``` + +- Do not write `foo ()`, write `foo()`. + +- Please use `streq()` and `strneq()` instead of `strcmp()`, `strncmp()` where + applicable (i.e. wherever you just care about equality/inequality, not about + the sorting order). + +- Preferably allocate stack variables on the top of the block: + + ```c + { + int a, b; + + a = 5; + b = a; + } + ``` + +- Unless you allocate an array, `double` is always the better choice + than `float`. Processors speak `double` natively anyway, so this is + no speed benefit, and on calls like `printf()` `float`s get promoted + to `double`s anyway, so there is no point. + +- Do not mix function invocations with variable definitions in one + line. Wrong: + + ```c + { + int a = foobar(); + uint64_t x = 7; + } + ``` + + Right: + + ```c + { + int a; + uint64_t x = 7; + + a = foobar(); + } + ``` + +- Use `goto` for cleaning up, and only use it for that. i.e. you may + only jump to the end of a function, and little else. Never jump + backwards! + +- Think about the types you use. If a value cannot sensibly be + negative, do not use `int`, but use `unsigned`. + +- Use `char` only for actual characters. Use `uint8_t` or `int8_t` + when you actually mean a byte-sized signed or unsigned + integers. When referring to a generic byte, we generally prefer the + unsigned variant `uint8_t`. Do not use types based on `short`. They + *never* make sense. Use `int`, `long`, `long long`, all in + unsigned and signed fashion, and the fixed-size types + `uint8_t`, `uint16_t`, `uint32_t`, `uint64_t`, `int8_t`, `int16_t`, `int32_t` and so on, + as well as `size_t`, but nothing else. Do not use kernel types like + `u32` and so on, leave that to the kernel. + +- Public API calls (i.e. functions exported by our shared libraries) + must be marked `_public_` and need to be prefixed with `sd_`. No + other functions should be prefixed like that. + +- In public API calls, you **must** validate all your input arguments for + programming error with `assert_return()` and return a sensible return + code. In all other calls, it is recommended to check for programming + errors with a more brutal `assert()`. We are more forgiving to public + users than for ourselves! Note that `assert()` and `assert_return()` + really only should be used for detecting programming errors, not for + runtime errors. `assert()` and `assert_return()` by usage of `_likely_()` + inform the compiler that he should not expect these checks to fail, + and they inform fellow programmers about the expected validity and + range of parameters. + +- Never use `strtol()`, `atoi()` and similar calls. Use `safe_atoli()`, + `safe_atou32()` and suchlike instead. They are much nicer to use in + most cases and correctly check for parsing errors. + +- For every function you add, think about whether it is a "logging" + function or a "non-logging" function. "Logging" functions do logging + on their own, "non-logging" function never log on their own and + expect their callers to log. All functions in "library" code, + i.e. in `src/shared/` and suchlike must be "non-logging". Every time a + "logging" function calls a "non-logging" function, it should log + about the resulting errors. If a "logging" function calls another + "logging" function, then it should not generate log messages, so + that log messages are not generated twice for the same errors. + +- Avoid static variables, except for caches and very few other + cases. Think about thread-safety! While most of our code is never + used in threaded environments, at least the library code should make + sure it works correctly in them. Instead of doing a lot of locking + for that, we tend to prefer using TLS to do per-thread caching (which + only works for small, fixed-size cache objects), or we disable + caching for any thread that is not the main thread. Use + `is_main_thread()` to detect whether the calling thread is the main + thread. + +- Command line option parsing: + - Do not print full `help()` on error, be specific about the error. + - Do not print messages to stdout on error. + - Do not POSIX_ME_HARDER unless necessary, i.e. avoid `+` in option string. + +- Do not write functions that clobber call-by-reference variables on + failure. Use temporary variables for these cases and change the + passed in variables only on success. + +- When you allocate a file descriptor, it should be made `O_CLOEXEC` + right from the beginning, as none of our files should leak to forked + binaries by default. Hence, whenever you open a file, `O_CLOEXEC` must + be specified, right from the beginning. This also applies to + sockets. Effectively, this means that all invocations to: + + - `open()` must get `O_CLOEXEC` passed, + - `socket()` and `socketpair()` must get `SOCK_CLOEXEC` passed, + - `recvmsg()` must get `MSG_CMSG_CLOEXEC` set, + - `F_DUPFD_CLOEXEC` should be used instead of `F_DUPFD`, and so on, + - invocations of `fopen()` should take `e`. + +- We never use the POSIX version of `basename()` (which glibc defines it in + `libgen.h`), only the GNU version (which glibc defines in `string.h`). + The only reason to include `libgen.h` is because `dirname()` + is needed. Every time you need that please immediately undefine + `basename()`, and add a comment about it, so that no code ever ends up + using the POSIX version! + +- Use the bool type for booleans, not integers. One exception: in public + headers (i.e those in `src/systemd/sd-*.h`) use integers after all, as `bool` + is C99 and in our public APIs we try to stick to C89 (with a few extension). + +- When you invoke certain calls like `unlink()`, or `mkdir_p()` and you + know it is safe to ignore the error it might return (because a later + call would detect the failure anyway, or because the error is in an + error path and you thus couldn't do anything about it anyway), then + make this clear by casting the invocation explicitly to `(void)`. Code + checks like Coverity understand that, and will not complain about + ignored error codes. Hence, please use this: + + ```c + (void) unlink("/foo/bar/baz"); + ``` + + instead of just this: + + ```c + unlink("/foo/bar/baz"); + ``` + + Don't cast function calls to `(void)` that return no error + conditions. Specifically, the various `xyz_unref()` calls that return a `NULL` + object shouldn't be cast to `(void)`, since not using the return value does not + hide any errors. + +- Don't invoke `exit()`, ever. It is not replacement for proper error + handling. Please escalate errors up your call chain, and use normal + `return` to exit from the main function of a process. If you + `fork()`ed off a child process, please use `_exit()` instead of `exit()`, + so that the exit handlers are not run. + +- Please never use `dup()`. Use `fcntl(fd, F_DUPFD_CLOEXEC, 3)` + instead. For two reason: first, you want `O_CLOEXEC` set on the new `fd` + (see above). Second, `dup()` will happily duplicate your `fd` as 0, 1, + 2, i.e. stdin, stdout, stderr, should those `fd`s be closed. Given the + special semantics of those `fd`s, it's probably a good idea to avoid + them. `F_DUPFD_CLOEXEC` with `3` as parameter avoids them. + +- When you define a destructor or `unref()` call for an object, please + accept a `NULL` object and simply treat this as NOP. This is similar + to how libc `free()` works, which accepts `NULL` pointers and becomes a + NOP for them. By following this scheme a lot of `if` checks can be + removed before invoking your destructor, which makes the code + substantially more readable and robust. + +- Related to this: when you define a destructor or `unref()` call for an + object, please make it return the same type it takes and always + return `NULL` from it. This allows writing code like this: + + ```c + p = foobar_unref(p); + ``` + + which will always work regardless if `p` is initialized or not, and + guarantees that `p` is `NULL` afterwards, all in just one line. + +- Use `alloca()`, but never forget that it is not OK to invoke `alloca()` + within a loop or within function call parameters. `alloca()` memory is + released at the end of a function, and not at the end of a `{}` + block. Thus, if you invoke it in a loop, you keep increasing the + stack pointer without ever releasing memory again. (VLAs have better + behavior in this case, so consider using them as an alternative.) + Regarding not using `alloca()` within function parameters, see the + BUGS section of the `alloca(3)` man page. + +- Use `memzero()` or even better `zero()` instead of `memset(..., 0, ...)` + +- Instead of using `memzero()`/`memset()` to initialize structs allocated + on the stack, please try to use c99 structure initializers. It's + short, prettier and actually even faster at execution. Hence: + + ```c + struct foobar t = { + .foo = 7, + .bar = "bazz", + }; + ``` + + instead of: + + ```c + struct foobar t; + zero(t); + t.foo = 7; + t.bar = "bazz"; + ``` + +- When returning a return code from `main()`, please preferably use + `EXIT_FAILURE` and `EXIT_SUCCESS` as defined by libc. + +- The order in which header files are included doesn't matter too + much. systemd-internal headers must not rely on an include order, so + it is safe to include them in any order possible. + However, to not clutter global includes, and to make sure internal + definitions will not affect global headers, please always include the + headers of external components first (these are all headers enclosed + in <>), followed by our own exported headers (usually everything + that's prefixed by `sd-`), and then followed by internal headers. + Furthermore, in all three groups, order all includes alphabetically + so duplicate includes can easily be detected. + +- To implement an endless loop, use `for (;;)` rather than `while (1)`. + The latter is a bit ugly anyway, since you probably really + meant `while (true)`. To avoid the discussion what the right + always-true expression for an infinite while loop is, our + recommendation is to simply write it without any such expression by + using `for (;;)`. + +- Never use the `off_t` type, and particularly avoid it in public + APIs. It's really weirdly defined, as it usually is 64-bit and we + don't support it any other way, but it could in theory also be + 32-bit. Which one it is depends on a compiler switch chosen by the + compiled program, which hence corrupts APIs using it unless they can + also follow the program's choice. Moreover, in systemd we should + parse values the same way on all architectures and cannot expose + `off_t` values over D-Bus. To avoid any confusion regarding conversion + and ABIs, always use simply `uint64_t` directly. + +- Commit message subject lines should be prefixed with an appropriate + component name of some kind. For example "journal: ", "nspawn: " and + so on. + +- Do not use "Signed-Off-By:" in your commit messages. That's a kernel + thing we don't do in the systemd project. + +- Avoid leaving long-running child processes around, i.e. `fork()`s that + are not followed quickly by an `execv()` in the child. Resource + management is unclear in this case, and memory CoW will result in + unexpected penalties in the parent much, much later on. + +- Don't block execution for arbitrary amounts of time using `usleep()` + or a similar call, unless you really know what you do. Just "giving + something some time", or so is a lazy excuse. Always wait for the + proper event, instead of doing time-based poll loops. + +- To determine the length of a constant string `"foo"`, don't bother + with `sizeof("foo")-1`, please use `STRLEN()` instead. + +- If you want to concatenate two or more strings, consider using + `strjoin()` rather than `asprintf()`, as the latter is a lot + slower. This matters particularly in inner loops. + +- Please avoid using global variables as much as you can. And if you + do use them make sure they are static at least, instead of + exported. Especially in library-like code it is important to avoid + global variables. Why are global variables bad? They usually hinder + generic reusability of code (since they break in threaded programs, + and usually would require locking there), and as the code using them + has side-effects make programs non-transparent. That said, there are + many cases where they explicitly make a lot of sense, and are OK to + use. For example, the log level and target in `log.c` is stored in a + global variable, and that's OK and probably expected by most. Also + in many cases we cache data in global variables. If you add more + caches like this, please be careful however, and think about + threading. Only use static variables if you are sure that + thread-safety doesn't matter in your case. Alternatively, consider + using TLS, which is pretty easy to use with gcc's `thread_local` + concept. It's also OK to store data that is inherently global in + global variables, for example data parsed from command lines, see + below. + +- If you parse a command line, and want to store the parsed parameters + in global variables, please consider prefixing their names with + `arg_`. We have been following this naming rule in most of our + tools, and we should continue to do so, as it makes it easy to + identify command line parameter variables, and makes it clear why it + is OK that they are global variables. + +- When exposing public C APIs, be careful what function parameters you make + `const`. For example, a parameter taking a context object should probably not + be `const`, even if you are writing an otherwise read-only accessor function + for it. The reason is that making it `const` fixates the contract that your + call won't alter the object ever, as part of the API. However, that's often + quite a promise, given that this even prohibits object-internal caching or + lazy initialization of object variables. Moreover, it's usually not too useful + for client applications. Hence, please be careful and avoid `const` on object + parameters, unless you are very sure `const` is appropriate. + +- Make sure to enforce limits on every user controllable resource. If the user + can allocate resources in your code, your code must enforce some form of + limits after which it will refuse operation. It's fine if it is hard-coded (at + least initially), but it needs to be there. This is particularly important + for objects that unprivileged users may allocate, but also matters for + everything else any user may allocated. + +- `htonl()`/`ntohl()` and `htons()`/`ntohs()` are weird. Please use `htobe32()` and + `htobe16()` instead, it's much more descriptive, and actually says what really + is happening, after all `htonl()` and `htons()` don't operate on `long`s and + `short`s as their name would suggest, but on `uint32_t` and `uint16_t`. Also, + "network byte order" is just a weird name for "big endian", hence we might + want to call it "big endian" right-away. + +- You might wonder what kind of common code belongs in `src/shared/` and what + belongs in `src/basic/`. The split is like this: anything that uses public APIs + we expose (i.e. any of the sd-bus, sd-login, sd-id128, ... APIs) must be + located in `src/shared/`. All stuff that only uses external libraries from + other projects (such as glibc's APIs), or APIs from `src/basic/` itself should + be placed in `src/basic/`. Conversely, `src/libsystemd/` may only use symbols + from `src/basic`, but not from `src/shared/`. + + To summarize: + + `src/basic/` + - may be used by all code in the tree + - may not use any code outside of `src/basic/` + + `src/libsystemd/` + - may be used by all code in the tree, except for code in `src/basic/` + - may not use any code outside of `src/basic/`, `src/libsystemd/` + + `src/shared/` + - may be used by all code in the tree, except for code in `src/basic/`, `src/libsystemd/` + - may not use any code outside of `src/basic/`, `src/libsystemd/`, `src/shared/` + +- Our focus is on the GNU libc (glibc), not any other libcs. If other libcs are + incompatible with glibc it's on them. However, if there are equivalent POSIX + and Linux/GNU-specific APIs, we generally prefer the POSIX APIs. If there + aren't, we are happy to use GNU or Linux APIs, and expect non-GNU + implementations of libc to catch up with glibc. + +- Whenever installing a signal handler, make sure to set `SA_RESTART` for it, so + that interrupted system calls are automatically restarted, and we minimize + hassles with handling `EINTR` (in particular as `EINTR` handling is pretty broken + on Linux). + +- When applying C-style unescaping as well as specifier expansion on the same + string, always apply the C-style unescaping fist, followed by the specifier + expansion. When doing the reverse, make sure to escape `%` in specifier-style + first (i.e. `%` → `%%`), and then do C-style escaping where necessary. + +- It's a good idea to use `O_NONBLOCK` when opening 'foreign' regular files, i.e. + file system objects that are supposed to be regular files whose paths where + specified by the user and hence might actually refer to other types of file + system objects. This is a good idea so that we don't end up blocking on + 'strange' file nodes, for example if the user pointed us to a FIFO or device + node which may block when opening. Moreover even for actual regular files + `O_NONBLOCK` has a benefit: it bypasses any mandatory lock that might be in + effect on the regular file. If in doubt consider turning off `O_NONBLOCK` again + after opening. + +- When referring to a configuration file option in the documentation and such, + please always suffix it with `=`, to indicate that it is a configuration file + setting. + +- When referring to a command line option in the documentation and such, please + always prefix with `--` or `-` (as appropriate), to indicate that it is a + command line option. + +- When referring to a file system path that is a directory, please always + suffix it with `/`, to indicate that it is a directory, not a regular file + (or other file system object). + +- Don't use `fgets()`, it's too hard to properly handle errors such as overly + long lines. Use `read_line()` instead, which is our own function that handles + this much nicer.