coding_style.md
1 # Coding Style 2 3 This document describes the preferred C coding style for the 4 coreboot project. It is in many ways exactly the same as the Linux 5 kernel coding style. In fact, most of this document has been copied from 6 the [Linux kernel coding style](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/plain/Documentation/process/4.Coding.rst) 7 8 The guidelines in this file should be seen as a strong suggestion, and 9 should overrule personal preference. They may be ignored in individual 10 instances when there are good practical reasons to do so, and reviewers 11 are in agreement. 12 13 Any style questions that are not mentioned in here should be decided 14 between the author and reviewers on a case-by-case basis. When modifying 15 existing files, authors should try to match the prevalent style in that 16 file -- otherwise, they should generally match similar existing files in 17 coreboot. 18 19 Bulk style changes to existing code ("cleanup patches") should avoid 20 changing existing style choices unless they actually violate this style 21 guide, or there is broad consensus that the new version is an 22 improvement. By default the style choices of the original author should 23 be honored. (Note that `checkpatch.pl` is not part of this style guide, 24 and neither is `clang-format`. These tools can be useful to find 25 potential issues or simplify formatting in new submissions, but they 26 were not designed to directly match this guide and may have false 27 positives. They should not be bulk-applied to change existing code 28 except in cases where they directly match the style guide.) 29 30 ## Indentation 31 32 Tabs are 8 characters, and thus indentations are also 8 characters. 33 There are heretic movements that try to make indentations 4 (or even 2!) 34 characters deep, and that is akin to trying to define the value of PI to 35 be 3. 36 37 Rationale: The whole idea behind indentation is to clearly define where 38 a block of control starts and ends. Especially when you've been looking 39 at your screen for 20 straight hours, you'll find it a lot easier to 40 see how the indentation works if you have large indentations. 41 42 Now, some people will claim that having 8-character indentations makes 43 the code move too far to the right, and makes it hard to read on a 44 80-character terminal screen. The answer to that is that if you need 45 more than 3 levels of indentation, you're screwed anyway, and should 46 fix your program. Note that coreboot has expanded the 80 character 47 limit to 96 characters to allow for modern wider screens. 48 49 In short, 8-char indents make things easier to read, and have the added 50 benefit of warning you when you're nesting your functions too deep. 51 Heed that warning. 52 53 The preferred way to ease multiple indentation levels in a switch 54 statement is to align the "switch" and its subordinate "case" labels 55 in the same column instead of "double-indenting" the "case" labels. 56 E.g.: 57 58 ```c 59 switch (suffix) { 60 case 'G': 61 case 'g': 62 mem <<= 30; 63 break; 64 case 'M': 65 case 'm': 66 mem <<= 20; 67 break; 68 case 'K': 69 case 'k': 70 mem <<= 10; 71 __fallthrough; 72 default: 73 break; 74 } 75 ``` 76 77 Don't put multiple statements on a single line unless you have 78 something to hide: 79 80 ```c 81 if (condition) do_this; 82 do_something_everytime; 83 ``` 84 85 Don't put multiple assignments on a single line either. Kernel coding 86 style is super simple. Avoid tricky expressions. 87 88 Outside of comments, documentation and except in Kconfig, spaces are 89 never used for indentation, and the above example is deliberately 90 broken. 91 92 Get a decent editor and don't leave whitespace at the end of lines. This 93 will actually keep the patch from being tested in the CI, so patches 94 with ending whitespace cannot be merged. 95 96 ## Breaking long lines and strings 97 98 Coding style is all about readability and maintainability using commonly 99 available tools. 100 101 The limit on the length of lines is 96 columns and this is a strongly 102 preferred limit. 103 104 Statements longer than 96 columns will be broken into sensible chunks, 105 unless exceeding 96 columns significantly increases readability and does 106 not hide information. Descendants are always substantially shorter than 107 the parent and are placed substantially to the right. The same applies 108 to function headers with a long argument list. However, never break 109 user-visible strings such as printk messages, because that breaks the 110 ability to grep for them. 111 112 ## Placing Braces and Spaces 113 114 The other issue that always comes up in C styling is the placement of 115 braces. Unlike the indent size, there are few technical reasons to 116 choose one placement strategy over the other, but the preferred way, as 117 shown to us by the prophets Kernighan and Ritchie, is to put the opening 118 brace last on the line, and put the closing brace first, thusly: 119 120 ```c 121 if (x is true) { 122 we do y 123 } 124 ``` 125 126 This applies to all non-function statement blocks (if, switch, for, 127 while, do). E.g.: 128 129 ```c 130 switch (action) { 131 case KOBJ_ADD: 132 return "add"; 133 case KOBJ_REMOVE: 134 return "remove"; 135 case KOBJ_CHANGE: 136 return "change"; 137 default: 138 return NULL; 139 } 140 ``` 141 142 However, there is one special case, namely functions: they have the 143 opening brace at the beginning of the next line, thus: 144 145 ```c 146 int function(int x) 147 { 148 body of function 149 } 150 ``` 151 152 Heretic people all over the world have claimed that this inconsistency 153 is ... well ... inconsistent, but all right-thinking people know that 154 (a) K&R are _right_ and (b) K&R are right. Besides, functions are 155 special anyway (you can't nest them in C). 156 157 Note that the closing brace is empty on a line of its own, _except_ in 158 the cases where it is followed by a continuation of the same statement, 159 ie a "while" in a do-statement or an "else" in an if-statement, like 160 this: 161 162 ```c 163 do { 164 body of do-loop 165 } while (condition); 166 ``` 167 168 and 169 170 ```c 171 if (x == y) { 172 .. 173 } else if (x > y) { 174 ... 175 } else { 176 .... 177 } 178 ``` 179 180 Rationale: K&R. 181 182 Also, note that this brace-placement also minimizes the number of empty 183 (or almost empty) lines, without any loss of readability. Thus, as the 184 supply of new-lines on your screen is not a renewable resource (think 185 25-line terminal screens here), you have more empty lines to put 186 comments on. 187 188 Do not unnecessarily use braces where a single statement will do. 189 190 ```c 191 if (condition) 192 action(); 193 ``` 194 195 and 196 197 ```c 198 if (condition) 199 do_this(); 200 else 201 do_that(); 202 ``` 203 204 This does not apply if only one branch of a conditional statement is a 205 single statement; in the latter case use braces in both branches: 206 207 ```c 208 if (condition) { 209 do_this(); 210 do_that(); 211 } else { 212 otherwise(); 213 } 214 ``` 215 216 ### Spaces 217 218 Linux kernel style for use of spaces depends (mostly) on 219 function-versus-keyword usage. Use a space after (most) keywords. The 220 notable exceptions are sizeof, typeof, alignof, and __attribute__, 221 which look somewhat like functions (and are usually used with 222 parentheses in Linux, although they are not required in the language, as 223 in: "sizeof info" after "struct fileinfo info;" is declared). 224 225 So use a space after these keywords: 226 227 ``` 228 if, switch, case, for, do, while 229 ``` 230 231 but not with sizeof, typeof, alignof, or __attribute__. E.g., 232 233 ```c 234 s = sizeof(struct file); 235 ``` 236 237 Do not add spaces around (inside) parenthesized expressions. This 238 example is 239 240 - bad*: 241 242 ```c 243 s = sizeof( struct file ); 244 ``` 245 246 When declaring pointer data or a function that returns a pointer type, 247 the preferred use of '*' is adjacent to the data name or function 248 name and not adjacent to the type name. Examples: 249 250 ```c 251 char *linux_banner; 252 unsigned long long memparse(char *ptr, char **retptr); 253 char *match_strdup(substring_t *s); 254 ``` 255 256 Use one space around (on each side of) most binary and ternary 257 operators, such as any of these: 258 259 ``` 260 = + - < > * / % | & ^ <= >= == != ? : 261 ``` 262 263 but no space after unary operators: 264 265 ``` 266 & * + - ~ ! sizeof typeof alignof __attribute__ defined 267 ``` 268 269 no space before the postfix increment & decrement unary operators: 270 271 ``` 272 ++ -- 273 ``` 274 275 no space after the prefix increment & decrement unary operators: 276 277 ``` 278 ++ -- 279 ``` 280 281 and no space around the '.' and "->" structure member operators. 282 283 Do not leave trailing whitespace at the ends of lines. Some editors with 284 "smart" indentation will insert whitespace at the beginning of new 285 lines as appropriate, so you can start typing the next line of code 286 right away. However, some such editors do not remove the whitespace if 287 you end up not putting a line of code there, such as if you leave a 288 blank line. As a result, you end up with lines containing trailing 289 whitespace. 290 291 Git will warn you about patches that introduce trailing whitespace, and 292 can optionally strip the trailing whitespace for you; however, if 293 applying a series of patches, this may make later patches in the series 294 fail by changing their context lines. 295 296 ### Naming 297 298 C is a Spartan language, and so should your naming be. Unlike Modula-2 299 and Pascal programmers, C programmers do not use cute names like 300 ThisVariableIsATemporaryCounter. A C programmer would call that variable 301 "tmp", which is much easier to write, and not the least more difficult 302 to understand. 303 304 HOWEVER, while mixed-case names are frowned upon, descriptive names for 305 global variables are a must. To call a global function "foo" is a 306 shooting offense. 307 308 GLOBAL variables (to be used only if you _really_ need them) need to 309 have descriptive names, as do global functions. If you have a function 310 that counts the number of active users, you should call that 311 "count_active_users()" or similar, you should _not_ call it 312 "cntusr()". 313 314 Encoding the type of a function into the name (so-called Hungarian 315 notation) is brain damaged - the compiler knows the types anyway and can 316 check those, and it only confuses the programmer. No wonder MicroSoft 317 makes buggy programs. 318 319 LOCAL variable names should be short, and to the point. If you have some 320 random integer loop counter, it should probably be called "i". Calling 321 it "loop_counter" is non-productive, if there is no chance of it 322 being mis-understood. Similarly, "tmp" can be just about any type of 323 variable that is used to hold a temporary value. 324 325 If you are afraid to mix up your local variable names, you have another 326 problem, which is called the function-growth-hormone-imbalance syndrome. 327 See chapter 6 (Functions). 328 329 ## Typedefs 330 331 Please don't use things like "vps_t". 332 333 It's a _mistake_ to use typedef for structures and pointers. When you 334 see a 335 336 ```c 337 vps_t a; 338 ``` 339 340 in the source, what does it mean? 341 342 In contrast, if it says 343 344 ```c 345 struct virtual_container *a; 346 ``` 347 348 you can actually tell what "a" is. 349 350 Lots of people think that typedefs "help readability". Not so. They 351 are useful only for: 352 353 (a) totally opaque objects (where the typedef is actively used to 354 _hide_ what the object is). 355 356 Example: "pte_t" etc. opaque objects that you can only access using 357 the proper accessor functions. 358 359 NOTE! Opaqueness and "accessor functions" are not good in themselves. 360 The reason we have them for things like pte_t etc. is that there really 361 is absolutely _zero_ portably accessible information there. 362 363 (b) Clear integer types, where the abstraction _helps_ avoid confusion 364 whether it is "int" or "long". 365 366 u8/u16/u32 are perfectly fine typedefs, although they fit into category 367 (d) better than here. 368 369 NOTE! Again - there needs to be a _reason_ for this. If something is 370 "unsigned long", then there's no reason to do 371 372 ```c 373 typedef unsigned long myflags_t; 374 ``` 375 376 but if there is a clear reason for why it under certain circumstances 377 might be an "unsigned int" and under other configurations might be 378 "unsigned long", then by all means go ahead and use a typedef. 379 380 (c) when you use sparse to literally create a _new_ type for 381 type-checking. 382 383 (d) New types which are identical to standard C99 types, in certain 384 exceptional circumstances. 385 386 Although it would only take a short amount of time for the eyes and 387 brain to become accustomed to the standard types like 'uint32_t', 388 some people object to their use anyway. 389 390 Therefore, the Linux-specific 'u8/u16/u32/u64' types and their signed 391 equivalents which are identical to standard types are permitted -- 392 although they are not mandatory in new code of your own. 393 394 When editing existing code which already uses one or the other set of 395 types, you should conform to the existing choices in that code. 396 397 (e) Types safe for use in userspace. 398 399 In certain structures which are visible to userspace, we cannot require 400 C99 types and cannot use the 'u32' form above. Thus, we use __u32 401 and similar types in all structures which are shared with userspace. 402 403 Maybe there are other cases too, but the rule should basically be to 404 NEVER EVER use a typedef unless you can clearly match one of those 405 rules. 406 407 In general, a pointer, or a struct that has elements that can reasonably 408 be directly accessed should _never_ be a typedef. 409 410 ## Functions 411 412 Functions should be short and sweet, and do just one thing. They should 413 fit on one or two screenfuls of text (the ISO/ANSI screen size is 80x24, 414 as we all know), and do one thing and do that well. 415 416 The maximum length of a function is inversely proportional to the 417 complexity and indentation level of that function. So, if you have a 418 conceptually simple function that is just one long (but simple) 419 case-statement, where you have to do lots of small things for a lot of 420 different cases, it's OK to have a longer function. 421 422 However, if you have a complex function, and you suspect that a 423 less-than-gifted first-year high-school student might not even 424 understand what the function is all about, you should adhere to the 425 maximum limits all the more closely. Use helper functions with 426 descriptive names (you can ask the compiler to in-line them if you think 427 it's performance-critical, and it will probably do a better job of it 428 than you would have done). 429 430 Another measure of the function is the number of local variables. They 431 shouldn't exceed 5-10, or you're doing something wrong. Re-think the 432 function, and split it into smaller pieces. A human brain can generally 433 easily keep track of about 7 different things, anything more and it gets 434 confused. You know you're brilliant, but maybe you'd like to 435 understand what you did 2 weeks from now. 436 437 In source files, separate functions with one blank line. If the function 438 is exported, the EXPORT* macro for it should follow immediately after 439 the closing function brace line. E.g.: 440 441 ```c 442 int system_is_up(void) 443 { 444 return system_state == SYSTEM_RUNNING; 445 } 446 EXPORT_SYMBOL(system_is_up); 447 ``` 448 449 In function prototypes, include parameter names with their data types. 450 Although this is not required by the C language, it is preferred in 451 Linux because it is a simple way to add valuable information for the 452 reader. 453 454 ## Centralized exiting of functions 455 456 Albeit deprecated by some people, the equivalent of the goto statement 457 is used frequently by compilers in form of the unconditional jump 458 instruction. 459 460 The goto statement comes in handy when a function exits from multiple 461 locations and some common work such as cleanup has to be done. If there 462 is no cleanup needed then just return directly. 463 464 The rationale is: 465 466 - unconditional statements are easier to understand and follow 467 - nesting is reduced 468 - errors by not updating individual exit points when making 469 modifications are prevented 470 - saves the compiler work to optimize redundant code away ;) 471 472 ```c 473 int fun(int a) 474 { 475 int result = 0; 476 char *buffer = kmalloc(SIZE); 477 478 if (buffer == NULL) 479 return -ENOMEM; 480 481 if (condition1) { 482 while (loop1) { 483 ... 484 } 485 result = 1; 486 goto out; 487 } 488 ... 489 out: 490 kfree(buffer); 491 return result; 492 } 493 ``` 494 495 ## Commenting 496 497 Comments are good, but there is also a danger of over-commenting. NEVER 498 try to explain HOW your code works in a comment: it's much better to 499 write the code so that the _working_ is obvious, and it's a waste of 500 time to explain badly written code. 501 502 Generally, you want your comments to tell WHAT your code does, not HOW. 503 Also, try to avoid putting comments inside a function body: if the 504 function is so complex that you need to separately comment parts of it, 505 you should probably go back to chapter 6 for a while. You can make small 506 comments to note or warn about something particularly clever (or ugly), 507 but try to avoid excess. Instead, put the comments at the head of the 508 function, telling people what it does, and possibly WHY it does it. 509 510 coreboot style for comments is the C89 "/* ... */" style. You may also 511 use C99-style "// ..." comments for single-line comments. 512 513 The preferred style for *short* (multi-line) comments is: 514 515 ```c 516 /* This is the preferred style for short multi-line 517 comments in the coreboot source code. 518 Please use it consistently. */ 519 ``` 520 521 The preferred style for *long* (multi-line) comments is: 522 523 ```c 524 /* 525 * This is the preferred style for multi-line 526 * comments in the coreboot source code. 527 * Please use it consistently. 528 * 529 * Description: A column of asterisks on the left side, 530 * with beginning and ending almost-blank lines. 531 */ 532 ``` 533 534 It's also important to comment data, whether they are basic types or 535 derived types. To this end, use just one data declaration per line (no 536 commas for multiple data declarations). This leaves you room for a small 537 comment on each item, explaining its use. 538 539 ## You've made a mess of it 540 That's OK, we all do. You've probably been told by your long-time Unix user 541 helper that "GNU emacs" automatically formats the C sources for you, and 542 you've noticed that yes, it does do that, but the defaults it uses are less 543 than desirable (in fact, they are worse than random typing - an infinite 544 number of monkeys typing into GNU emacs would never make a good program). 545 546 So, you can either get rid of GNU emacs, or change it to use saner values. 547 To do the latter, you can stick the following in your .emacs file: 548 549 ```lisp 550 (defun c-lineup-arglist-tabs-only (ignored) 551 "Line up argument lists by tabs, not spaces" 552 (let* ((anchor (c-langelem-pos c-syntactic-element)) 553 (column (c-langelem-2nd-pos c-syntactic-element)) 554 (offset (- (1+ column) anchor)) 555 (steps (floor offset c-basic-offset))) 556 (* (max steps 1) 557 c-basic-offset))) 558 559 (add-hook 'c-mode-common-hook 560 (lambda () 561 ;; Add kernel style 562 (c-add-style 563 "linux-tabs-only" 564 '("linux" (c-offsets-alist 565 (arglist-cont-nonempty 566 c-lineup-gcc-asm-reg 567 c-lineup-arglist-tabs-only)))))) 568 569 (add-hook 'c-mode-hook 570 (lambda () 571 (let ((filename (buffer-file-name))) 572 ;; Enable kernel mode for the appropriate files 573 (when (and filename 574 (string-match (expand-file-name "~/src/linux-trees") 575 filename)) 576 (setq indent-tabs-mode t) 577 (c-set-style "linux-tabs-only"))))) 578 ``` 579 580 This will make emacs go better with the kernel coding style for C files 581 below ~/src/linux-trees. Obviously, this should be updated to match 582 your own paths for coreboot. 583 584 But even if you fail in getting emacs to do sane formatting, not 585 everything is lost: use "indent". 586 587 Now, again, GNU indent has the same brain-dead settings that GNU emacs 588 has, which is why you need to give it a few command line options. 589 However, that's not too bad, because even the makers of GNU indent 590 recognize the authority of K&R (the GNU people aren't evil, they are 591 just severely misguided in this matter), so you just give indent the 592 options "-kr -i8" (stands for "K&R, 8 character indents"), or use 593 "scripts/Lindent", which indents in the latest style. 594 595 "indent" has a lot of options, and especially when it comes to comment 596 re-formatting you may want to take a look at the man page. But remember: 597 "indent" is not a fix for bad programming. 598 599 ## Kconfig configuration files 600 601 For all of the Kconfig* configuration files throughout the source tree, 602 the indentation is somewhat different. Lines under a "config" 603 definition are indented with one tab, while help text is indented an 604 additional two spaces. Example: 605 606 ```kconfig 607 config AUDIT 608 bool "Auditing support" 609 depends on NET 610 help 611 Enable auditing infrastructure that can be used with another 612 kernel subsystem, such as SELinux (which requires this for 613 logging of avc messages output). Does not do system-call 614 auditing without CONFIG_AUDITSYSCALL. 615 ``` 616 617 Seriously dangerous features (such as write support for certain 618 filesystems) should advertise this prominently in their prompt string: 619 620 ```kconfig 621 config ADFS_FS_RW 622 bool "ADFS write support (DANGEROUS)" 623 depends on ADFS_FS 624 ... 625 ``` 626 627 For full documentation on the configuration files, see the file 628 Documentation/kbuild/kconfig-language.txt. 629 630 Macros, Enums and RTL 631 --------------------- 632 633 Names of macros defining constants and labels in enums are capitalized. 634 635 ```c 636 #define CONSTANT 0x12345 637 ``` 638 639 Enums are preferred when defining several related constants. 640 641 CAPITALIZED macro names are appreciated but macros resembling functions 642 may be named in lower case. 643 644 Generally, inline functions are preferable to macros resembling 645 functions. 646 647 Macros with multiple statements should be enclosed in a do - while 648 block: 649 650 ```c 651 #define macrofun(a, b, c) \ 652 do { \ 653 if (a == 5) \ 654 do_this(b, c); \ 655 } while (0) 656 ``` 657 658 Things to avoid when using macros: 659 660 1) macros that affect control flow: 661 662 ```c 663 #define FOO(x) \ 664 do { \ 665 if (blah(x) < 0) \ 666 return -EBUGGERED; \ 667 } while(0) 668 ``` 669 670 is a *very* bad idea. It looks like a function call but exits the 671 "calling" function; don't break the internal parsers of those who 672 will read the code. 673 674 2) macros that depend on having a local variable with a magic name: 675 676 ```c 677 #define FOO(val) bar(index, val) 678 ``` 679 680 might look like a good thing, but it's confusing as hell when one reads 681 the code and it's prone to breakage from seemingly innocent changes. 682 683 3) macros with arguments that are used as l-values: FOO(x) = y; will 684 bite you if somebody e.g. turns FOO into an inline function. 685 686 4) forgetting about precedence: macros defining constants using 687 expressions must enclose the expression in parentheses. Beware of 688 similar issues with macros using parameters. 689 690 ```c 691 #define CONSTANT 0x4000 692 #define CONSTEXP (CONSTANT | 3) 693 ``` 694 695 The cpp manual deals with macros exhaustively. The gcc internals manual 696 also covers RTL which is used frequently with assembly language in the 697 kernel. 698 699 Printing coreboot messages 700 ------------------------ 701 702 coreboot developers like to be seen as literate. Do mind the spelling of 703 coreboot messages to make a good impression. Do not use crippled words 704 like "dont"; use "do not" or "don't" instead. Make the messages 705 concise, clear, and unambiguous. 706 707 coreboot messages do not have to be terminated with a period. 708 709 Printing numbers in parentheses (%d) adds no value and should be 710 avoided. 711 712 Allocating memory 713 ----------------- 714 715 coreboot provides a single general purpose memory allocator: malloc() 716 717 The preferred form for passing a size of a struct is the following: 718 719 ```c 720 p = malloc(sizeof(*p)); 721 ``` 722 723 The alternative form where struct name is spelled out hurts readability 724 and introduces an opportunity for a bug when the pointer variable type 725 is changed but the corresponding sizeof that is passed to a memory 726 allocator is not. 727 728 Casting the return value which is a void pointer is redundant. The 729 conversion from void pointer to any other pointer type is guaranteed by 730 the C programming language. 731 732 You should contain your memory usage to stack variables whenever 733 possible. Only use malloc() as a last resort. In ramstage, you may also 734 be able to get away with using static variables. Never use malloc() 735 outside of ramstage. 736 737 Since coreboot only runs for a very short time, there is no memory 738 deallocator, although a corresponding free() is offered. It is a no-op. 739 Use of free() is not required though it is accepted. It is useful when 740 sharing code with other codebases that make use of free(). 741 742 The inline disease 743 ------------------ 744 745 There appears to be a common misperception that gcc has a magic "make 746 me faster" speedup option called "inline". While the use of inlines 747 can be appropriate (for example as a means of replacing macros, see 748 Chapter 12), it very often is not. 749 750 A reasonable rule of thumb is to not put inline at functions that have 751 more than 3 lines of code in them. An exception to this rule are the 752 cases where a parameter is known to be a compile time constant, and as a 753 result of this constantness you *know* the compiler will be able to 754 optimize most of your function away at compile time. For a good example 755 of this later case, see the kmalloc() inline function. 756 757 Often people argue that adding inline to functions that are static and 758 used only once is always a win since there is no space tradeoff. While 759 this is technically correct, gcc is capable of inlining these 760 automatically without help, and the maintenance issue of removing the 761 inline when a second user appears outweighs the potential value of the 762 hint that tells gcc to do something it would have done anyway. 763 764 Function return values and names 765 -------------------------------- 766 767 Functions can return values of many different kinds, and one of the most 768 common is a value indicating whether the function succeeded or failed. 769 Such a value can be represented as an error-code integer (`CB_ERR_xxx` 770 (negative number) = failure, `CB_SUCCESS` (0) = success) or a "succeeded" 771 boolean (0 = failure, non-zero = success). 772 773 Mixing up these two sorts of representations is a fertile source of 774 difficult-to-find bugs. If the C language included a strong distinction 775 between integers and booleans then the compiler would find these 776 mistakes for us... but it doesn't. To help prevent such bugs, always 777 follow this convention: 778 779 If the name of a function is an action or an imperative command, 780 the function should return an error-code integer. If the name 781 is a predicate, the function should return a "succeeded" boolean. 782 783 For example, "add work" is a command, and the `add_work()` function 784 returns 0 for success or `CB_ERR` for failure. In the same way, "PCI 785 device present" is a predicate, and the `pci_dev_present()` function 786 returns 1 if it succeeds in finding a matching device or 0 if it 787 doesn't. 788 789 Functions whose return value is the actual result of a computation, 790 rather than an indication of whether the computation succeeded, are not 791 subject to this rule. Generally they indicate failure by returning some 792 out-of-range result. Typical examples would be functions that return 793 pointers; they use NULL to report failure. 794 795 Error handling, assertions and die() 796 ----------------------------- 797 798 As firmware, coreboot has no means to let the user interactively fix things when 799 something goes wrong. We either succeed to boot or the device becomes a brick 800 that must be recovered through complicated external means (e.g. a flash 801 programmer). Therefore, coreboot code should strive to continue booting 802 wherever possible. 803 804 In most cases, errors should be handled by logging a message of at least 805 `BIOS_ERR` level, returning out of the function stack for the failed feature, 806 and then continuing execution. For example, if a function reading the EDID of an 807 eDP display panel encounters an I2C error, it should print a "cannot read EDID" 808 message and return an error code. The calling display initialization function 809 knows that without the EDID there is no way to initialize the display correctly, 810 so it will also immediately return with an error code without running its 811 remaining code that would initialize the SoC's display controller. Execution 812 returns further up the function stack to the mainboard initialization code 813 which continues booting despite the failed display initialization, since 814 display functionality is non-essential to the system. (Code is encouraged but 815 not required to use `enum cb_err` error codes to return these errors.) 816 817 coreboot also has the `die()` function that completely halts execution. `die()` 818 should only be used as a last resort, since it results in the worst user 819 experience (bricked system). It is generally preferrable to continue executing 820 even after a problem was encountered that might be fatal (e.g. SPI clock 821 couldn't be configured correctly), because a slight chance of successfully 822 booting is still better than not booting at all. The only cases where `die()` 823 should be used are: 824 825 1. There is no (simple) way to continue executing. For example, when loading the 826 next stage from SPI flash fails, we don't have any more code to execute. When 827 memory initialization fails, we have no space to load the ramstage into. 828 829 2. Continuing execution would pose a security risk. All security features in 830 coreboot are optional, but when they are configured in the user must be able 831 to rely on them. For example, if CBFS verification is enabled and the file 832 hash when loading the romstage doesn't match what it should be, it is better 833 to stop execution than to jump to potentially malicious code. 834 835 In addition to normal error logging with `printk()`, coreboot also offers the 836 `assert()` macro. `assert()` should be used judiciously to confirm that 837 conditions are true which the programmer _knows_ to be true, in order to catch 838 programming errors and incorrect assumptions. It is therefore different from a 839 normal `if ()`-check that is used to actually test for things which may turn 840 out to be true or false based on external conditions. For example, anything 841 that involves communicating with hardware, such as whether an attempt to read 842 from SPI flash succeeded, should _not_ use `assert()` and should instead just 843 be checked with a normal `if ()` and subsequent manual error handling. Hardware 844 can always fail for various reasons and the programmer can never 100% assume in 845 advance that it will work as expected. On the other hand, if a function takes a 846 pointer parameter `ctx` and the contract for that function (as documented in a 847 comment above its declaration) specifies that this parameter should point to a 848 valid context structure, then adding an `assert(ctx)` line to that function may 849 be a good idea. The programmer knows that this function should never be called 850 with a NULL pointer (because that's how it is specified), and if it was actually 851 called with a NULL pointer that would indicate a programming error on account of 852 the caller. 853 854 `assert()` can be configured to either just print an error message and continue 855 execution (default), or call `die()` (when `CONFIG_FATAL_ASSERTS` is set). 856 Developers are encouraged to always test their code with this option enabled to 857 make assertion errors (and therefore bugs) more easy to notice. Since assertions 858 thus do not always stop execution, they should never be relied upon to be the 859 sole guard against conditions that really _need_ to stop execution (e.g. 860 security guarantees should never be enforced only by `assert()`). 861 862 Headers and includes 863 --------------- 864 865 Headers should always be included at the top of the file. Includes should 866 always use the `#include <file.h>` notation, except for rare cases where a file 867 in the same directory that is not part of a normal include path gets included 868 (e.g. local headers in mainboard directories), which should use `#include 869 "file.h"`. Local "file.h" includes should always come separately after all 870 <file.h> includes. Headers that can be included from both assembly files and 871 .c files should keep all C code wrapped in `#ifndef __ASSEMBLER__` blocks, 872 including includes to other headers that don't follow that provision. Where a 873 specific include order is required for technical reasons, it should be clearly 874 documented with comments. This should not be the norm. 875 876 Files should generally include every header they need a definition from 877 directly (and not include any unnecessary extra headers). Excepted from 878 this are certain headers that intentionally chain-include other headers 879 which logically belong to them and are just factored out into a separate 880 location for implementation or organizatory reasons. This could be 881 because part of the definitions is generic and part SoC-specific (e.g. 882 `<gpio.h>` chain-including `<soc/gpio.h>`), architecture-specific (e.g. 883 `<device/mmio.h>` chain-including `<arch/mmio.h>`), separated out into 884 commonlib[/bsd] for sharing/license reasons (e.g. `<cbfs.h>` 885 chain-including `<commonlib/bsd/cbfs_serialized.h>`) or just split out 886 to make organizing subunits of a larger header easier. This can also 887 happen when certain definitions need to be in a specific header for 888 legacy POSIX reasons but we would like to logically group them together 889 (e.g. `uintptr_t` is in `<stdint.h>` and `size_t` in `<stddef.h>`, but 890 it's nicer to be able to just include `<types.h>` and get all the common 891 type and helper function stuff we need everywhere). 892 893 The headers `<kconfig.h>`, `<rules.h>` and `<commonlib/bsd/compiler.h>` 894 are always automatically included in all compilation units by the build 895 system and should not be included manually. 896 897 Don't re-invent common macros 898 ----------------------------- 899 900 The header file `src/commonlib/bsd/include/commonlib/bsd/helpers.h` 901 contains a number of macros that you should use, rather than explicitly 902 coding some variant of them yourself. For example, if you need to 903 calculate the length of an array, take advantage of the macro 904 905 ```c 906 #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0])) 907 ``` 908 909 Editor modelines and other cruft 910 -------------------------------- 911 912 Some editors can interpret configuration information embedded in source 913 files, indicated with special markers. For example, emacs interprets 914 lines marked like this: 915 916 ``` 917 -*- mode: c -*- 918 ``` 919 920 Or like this: 921 922 ``` 923 /* 924 Local Variables: 925 compile-command: "gcc -DMAGIC_DEBUG_FLAG foo.c" 926 End: 927 */ 928 ``` 929 930 Vim interprets markers that look like this: 931 932 ``` 933 /* vim:set sw=8 noet */ 934 ``` 935 936 Do not include any of these in source files. People have their own 937 personal editor configurations, and your source files should not 938 override them. This includes markers for indentation and mode 939 configuration. People may use their own custom mode, or may have some 940 other magic method for making indentation work correctly. 941 942 Inline assembly 943 --------------- 944 945 In architecture-specific code, you may need to use inline assembly to 946 interface with CPU or platform functionality. Don't hesitate to do so 947 when necessary. However, don't use inline assembly gratuitously when C 948 can do the job. You can and should poke hardware from C when possible. 949 950 Consider writing simple helper functions that wrap common bits of inline 951 assembly, rather than repeatedly writing them with slight variations. 952 Remember that inline assembly can use C parameters. 953 954 Large, non-trivial assembly functions should go in .S files, with 955 corresponding C prototypes defined in C header files. The C prototypes 956 for assembly functions should use "asmlinkage". 957 958 You may need to mark your asm statement as volatile, to prevent GCC from 959 removing it if GCC doesn't notice any side effects. You don't always 960 need to do so, though, and doing so unnecessarily can limit 961 optimization. 962 963 When writing a single inline assembly statement containing multiple 964 instructions, put each instruction on a separate line in a separate 965 quoted string, and end each string except the last with nt to 966 properly indent the next instruction in the assembly output: 967 968 ```c 969 asm ("magic %reg1, #42nt" 970 "more_magic %reg2, %reg3" 971 : /* outputs */ : /* inputs */ : /* clobbers */); 972 ``` 973 974 GCC extensions 975 -------------- 976 977 GCC is the only officially-supported compiler for coreboot, and a 978 variety of its C language extensions are heavily used throughout the 979 code base. There have been occasional attempts to add clang as a second 980 compiler option, which is generally compatible to the same language 981 extensions that have been long-established by GCC. 982 983 Some GCC extensions (e.g. inline assembly) are basically required for 984 proper firmware development. Others enable more safe or flexible 985 coding patterns than can be expressed with standard C (e.g. statement 986 expressions and `typeof()` to avoid double evaluation in macros like 987 `MAX()`). Yet others just add some simple convenience and reduce 988 boilerplate (e.g. `void *` arithmetic). 989 990 Since some GCC extensions are necessary either way, there is no gain 991 from avoiding other GCC extensions elsewhere. The use of all official 992 GCC extensions is expressly allowed within coreboot. In cases where an 993 extension can be replaced by a 100% equivalent C standard feature with 994 no extra boilerplate or loss of readability, the C standard feature 995 should be preferred (this usually only happens when GCC retains an 996 older pre-standardization extension for backwards compatibility, e.g. 997 the old pre-C99 syntax for designated initializers). But if there is 998 any advantage offered by the GCC extension (e.g. using GCC zero-length 999 arrays instead of C99 variable-length arrays because they don't inhibit 1000 `sizeof()`), there is no reason to deprive ourselves of that, and "this 1001 is not C standard compliant" should not be a reason to argue against 1002 its use in reviews. 1003 1004 This rule only applies to explicit GCC extensions listed in the 1005 "Extensions to the C Language Family" section of the GCC manual. Code 1006 should never rely on incidental GCC translation behavior that is not 1007 explicitly documented as a feature and could change at any moment. 1008 1009 Refactoring 1010 ----------- 1011 Because refactoring existing code can add bugs to tested code, any 1012 refactors should be done only with serious consideration. Refactoring 1013 for style differences should only be done if the existing style 1014 conflicts with a documented coreboot guideline. If you believe that the 1015 style should be modified, the pros and cons can be discussed on the 1016 mailing list and in the coreboot leadership meeting. 1017 1018 Similarly, the original author should be respected. Changing working 1019 code simply because of a stylistic disagreement is *prohibited*. This is 1020 not saying that refactors that are objectively better (simpler, faster, 1021 easier to understand) are not allowed, but there has to be a definite 1022 improvement, not simply stylistic changes. 1023 1024 Basically, when refactoring code, there should be a clear benefit to 1025 the project and codebase. The reviewers and submitters get to make the 1026 call on how to interpret this. 1027 1028 When refactoring, adding unit tests to verify that the post-change 1029 functionality matches or improves upon pre-change functionality is 1030 encouraged. 1031 1032 References 1033 ---------- 1034 1035 The C Programming Language, Second Edition by Brian W. Kernighan and 1036 Dennis M. Ritchie. Prentice Hall, Inc., 1988. ISBN 0-13-110362-8 1037 (paperback), 0-13-110370-9 (hardback). URL: 1038 <https://duckduckgo.com/?q=isbn+0-13-110362-8> or 1039 <https://www.google.com/search?q=isbn+0-13-110362-8> 1040 1041 1042 The Practice of Programming by Brian W. Kernighan and Rob Pike. 1043 Addison-Wesley, Inc., 1999. ISBN 0-201-61586-X. URL: 1044 <https://duckduckgo.com/?q=ISBN+0-201-61586-X> or 1045 <https://www.google.com/search?q=ISBN+0-201-61586-X> 1046 1047 GNU manuals - where in compliance with K&R and this text - for cpp, gcc, 1048 gcc internals and indent, all available from 1049 <http://www.gnu.org/manual/> 1050 1051 WG14 is the international standardization working group for the 1052 programming language C, URL: <http://www.open-std.org/JTC1/SC22/WG14/> 1053 1054 Kernel CodingStyle, by greg@kroah.com at OLS 2002: 1055 <http://www.kroah.com/linux/talks/ols_2002_kernel_codingstyle_talk/html/>