[qemu.git] / HACKING

1. Preprocessor

For variadic macros, stick with this C99-like syntax:

#define DPRINTF(fmt, ...)                                       \
    do { printf("IRQ: " fmt, ## __VA_ARGS__); } while (0)

2. C types

It should be common sense to use the right type, but we have collected
a few useful guidelines here.

2.1. Scalars

If you're using "int" or "long", odds are good that there's a better type.
If a variable is counting something, it should be declared with an
unsigned type.

If it's host memory-size related, size_t should be a good choice (use
ssize_t only if required). Guest RAM memory offsets must use ram_addr_t,
but only for RAM, it may not cover whole guest address space.

If it's file-size related, use off_t.
If it's file-offset related (i.e., signed), use off_t.
If it's just counting small numbers use "unsigned int";
(on all but oddball embedded systems, you can assume that that
type is at least four bytes wide).

In the event that you require a specific width, use a standard type
like int32_t, uint32_t, uint64_t, etc.  The specific types are
mandatory for VMState fields.

Don't use Linux kernel internal types like u32, __u32 or __le32.

Use target_phys_addr_t for guest physical addresses except pcibus_t
for PCI addresses.  In addition, ram_addr_t is a QEMU internal address
space that maps guest RAM physical addresses into an intermediate
address space that can map to host virtual address spaces.  Generally
speaking, the size of guest memory can always fit into ram_addr_t but
it would not be correct to store an actual guest physical address in a
ram_addr_t.

Use target_ulong (or abi_ulong) for CPU virtual addresses, however
devices should not need to use target_ulong.

Of course, take all of the above with a grain of salt.  If you're about
to use some system interface that requires a type like size_t, pid_t or
off_t, use matching types for any corresponding variables.

Also, if you try to use e.g., "unsigned int" as a type, and that
conflicts with the signedness of a related variable, sometimes
it's best just to use the *wrong* type, if "pulling the thread"
and fixing all related variables would be too invasive.

Finally, while using descriptive types is important, be careful not to
go overboard.  If whatever you're doing causes warnings, or requires
casts, then reconsider or ask for help.

2.2. Pointers

Ensure that all of your pointers are "const-correct".
Unless a pointer is used to modify the pointed-to storage,
give it the "const" attribute.  That way, the reader knows
up-front that this is a read-only pointer.  Perhaps more
importantly, if we're diligent about this, when you see a non-const
pointer, you're guaranteed that it is used to modify the storage
it points to, or it is aliased to another pointer that is.

2.3. Typedefs
Typedefs are used to eliminate the redundant 'struct' keyword.

2.4. Reserved namespaces in C and POSIX
Underscore capital, double underscore, and underscore 't' suffixes should be
avoided.

3. Low level memory management

Use of the malloc/free/realloc/calloc/valloc/memalign/posix_memalign
APIs is not allowed in the QEMU codebase. Instead of these routines,
use the GLib memory allocation routines g_malloc/g_malloc0/g_new/
g_new0/g_realloc/g_free or QEMU's qemu_vmalloc/qemu_memalign/qemu_vfree
APIs.

Please note that g_malloc will exit on allocation failure, so there
is no need to test for failure (as you would have to with malloc).
Calling g_malloc with a zero size is valid and will return NULL.

Memory allocated by qemu_vmalloc or qemu_memalign must be freed with
qemu_vfree, since breaking this will cause problems on Win32 and user
emulators.

4. String manipulation

Do not use the strncpy function.  According to the man page, it does
*not* guarantee a NULL-terminated buffer, which makes it extremely dangerous
to use.  Instead, use functionally equivalent function:
void pstrcpy(char *buf, int buf_size, const char *str)

Don't use strcat because it can't check for buffer overflows, but:
char *pstrcat(char *buf, int buf_size, const char *s)

The same limitation exists with sprintf and vsprintf, so use snprintf and
vsnprintf.

QEMU provides other useful string functions:
int strstart(const char *str, const char *val, const char **ptr)
int stristart(const char *str, const char *val, const char **ptr)
int qemu_strnlen(const char *s, int max_len)

There are also replacement character processing macros for isxyz and toxyz,
so instead of e.g. isalnum you should use qemu_isalnum.

Because of the memory management rules, you must use g_strdup/g_strndup
instead of plain strdup/strndup.

5. Printf-style functions

Whenever you add a new printf-style function, i.e., one with a format
string argument and following "..." in its prototype, be sure to use
gcc's printf attribute directive in the prototype.

This makes it so gcc's -Wformat and -Wformat-security options can do
their jobs and cross-check format strings with the number and types
of arguments.
Commit	Line	Data
45fad878 BS	1	1. Preprocessor
	2
	3	For variadic macros, stick with this C99-like syntax:
	4
	5	#define DPRINTF(fmt, ...) \
	6	do { printf("IRQ: " fmt, ## __VA_ARGS__); } while (0)
84174436 BS	7
	8	2. C types
	9
	10	It should be common sense to use the right type, but we have collected
	11	a few useful guidelines here.
	12
	13	2.1. Scalars
	14
	15	If you're using "int" or "long", odds are good that there's a better type.
	16	If a variable is counting something, it should be declared with an
	17	unsigned type.
	18
	19	If it's host memory-size related, size_t should be a good choice (use
	20	ssize_t only if required). Guest RAM memory offsets must use ram_addr_t,
	21	but only for RAM, it may not cover whole guest address space.
	22
	23	If it's file-size related, use off_t.
	24	If it's file-offset related (i.e., signed), use off_t.
	25	If it's just counting small numbers use "unsigned int";
	26	(on all but oddball embedded systems, you can assume that that
	27	type is at least four bytes wide).
	28
	29	In the event that you require a specific width, use a standard type
	30	like int32_t, uint32_t, uint64_t, etc. The specific types are
	31	mandatory for VMState fields.
	32
	33	Don't use Linux kernel internal types like u32, __u32 or __le32.
	34
	35	Use target_phys_addr_t for guest physical addresses except pcibus_t
	36	for PCI addresses. In addition, ram_addr_t is a QEMU internal address
	37	space that maps guest RAM physical addresses into an intermediate
	38	address space that can map to host virtual address spaces. Generally
	39	speaking, the size of guest memory can always fit into ram_addr_t but
	40	it would not be correct to store an actual guest physical address in a
	41	ram_addr_t.
	42
	43	Use target_ulong (or abi_ulong) for CPU virtual addresses, however
	44	devices should not need to use target_ulong.
	45
	46	Of course, take all of the above with a grain of salt. If you're about
	47	to use some system interface that requires a type like size_t, pid_t or
	48	off_t, use matching types for any corresponding variables.
	49
	50	Also, if you try to use e.g., "unsigned int" as a type, and that
	51	conflicts with the signedness of a related variable, sometimes
	52	it's best just to use the wrong type, if "pulling the thread"
	53	and fixing all related variables would be too invasive.
	54
	55	Finally, while using descriptive types is important, be careful not to
	56	go overboard. If whatever you're doing causes warnings, or requires
	57	casts, then reconsider or ask for help.
	58
	59	2.2. Pointers
	60
	61	Ensure that all of your pointers are "const-correct".
	62	Unless a pointer is used to modify the pointed-to storage,
	63	give it the "const" attribute. That way, the reader knows
	64	up-front that this is a read-only pointer. Perhaps more
	65	importantly, if we're diligent about this, when you see a non-const
	66	pointer, you're guaranteed that it is used to modify the storage
	67	it points to, or it is aliased to another pointer that is.
	68
	69	2.3. Typedefs
	70	Typedefs are used to eliminate the redundant 'struct' keyword.
71
72	2.4. Reserved namespaces in C and POSIX
73	Underscore capital, double underscore, and underscore 't' suffixes should be
74	avoided.
54b2cc50 BS	75
	76	3. Low level memory management
	77
	78	Use of the malloc/free/realloc/calloc/valloc/memalign/posix_memalign
	79	APIs is not allowed in the QEMU codebase. Instead of these routines,
f603a687 PM	80	use the GLib memory allocation routines g_malloc/g_malloc0/g_new/
	81	g_new0/g_realloc/g_free or QEMU's qemu_vmalloc/qemu_memalign/qemu_vfree
	82	APIs.
54b2cc50	83
f603a687 PM	84	Please note that g_malloc will exit on allocation failure, so there
	85	is no need to test for failure (as you would have to with malloc).
	86	Calling g_malloc with a zero size is valid and will return NULL.
54b2cc50 BS	87
	88	Memory allocated by qemu_vmalloc or qemu_memalign must be freed with
	89	qemu_vfree, since breaking this will cause problems on Win32 and user
	90	emulators.
d241f143 BS	91
	92	4. String manipulation
	93
	94	Do not use the strncpy function. According to the man page, it does
	95	not guarantee a NULL-terminated buffer, which makes it extremely dangerous
	96	to use. Instead, use functionally equivalent function:
	97	void pstrcpy(char buf, int buf_size, const char str)
	98
	99	Don't use strcat because it can't check for buffer overflows, but:
	100	char pstrcat(char buf, int buf_size, const char *s)
	101
	102	The same limitation exists with sprintf and vsprintf, so use snprintf and
	103	vsnprintf.
	104
	105	QEMU provides other useful string functions:
	106	int strstart(const char str, const char val, const char **ptr)
	107	int stristart(const char str, const char val, const char **ptr)
	108	int qemu_strnlen(const char *s, int max_len)
	109
	110	There are also replacement character processing macros for isxyz and toxyz,
	111	so instead of e.g. isalnum you should use qemu_isalnum.
	112
145e21db	113	Because of the memory management rules, you must use g_strdup/g_strndup
d241f143	114	instead of plain strdup/strndup.
876f256b BS	115
	116	5. Printf-style functions
	117
	118	Whenever you add a new printf-style function, i.e., one with a format
	119	string argument and following "..." in its prototype, be sure to use
	120	gcc's printf attribute directive in the prototype.
	121
	122	This makes it so gcc's -Wformat and -Wformat-security options can do
	123	their jobs and cross-check format strings with the number and types
	124	of arguments.