![[BACK]](/cvsweb/icons/back.gif){kind=icon}
Return to HACKING CVS log ![[TXT]](/cvsweb/icons/text.gif){kind=icon}
![[DIR]](/cvsweb/icons/dir.gif){kind=icon}
Up to [Qemu by Fabrice Bellard] / qemu|
Return to HACKING CVS log | Up to [Qemu by Fabrice Bellard] / qemu |
1.1 root 1: 1. Preprocessor
2:
3: For variadic macros, stick with this C99-like syntax:
4:
5: #define DPRINTF(fmt, ...) \
6: do { printf("IRQ: " fmt, ## __VA_ARGS__); } while (0)
7:
8: 2. C types
9:
10: It should be common sense to use the right type, but we have collected
11: a few useful guidelines here.
12:
13: 2.1. Scalars
14:
15: If you're using "int" or "long", odds are good that there's a better type.
16: If a variable is counting something, it should be declared with an
17: unsigned type.
18:
19: If it's host memory-size related, size_t should be a good choice (use
20: ssize_t only if required). Guest RAM memory offsets must use ram_addr_t,
21: but only for RAM, it may not cover whole guest address space.
22:
23: If it's file-size related, use off_t.
24: If it's file-offset related (i.e., signed), use off_t.
25: If it's just counting small numbers use "unsigned int";
26: (on all but oddball embedded systems, you can assume that that
27: type is at least four bytes wide).
28:
29: In the event that you require a specific width, use a standard type
30: like int32_t, uint32_t, uint64_t, etc. The specific types are
31: mandatory for VMState fields.
32:
33: Don't use Linux kernel internal types like u32, __u32 or __le32.
34:
35: Use target_phys_addr_t for guest physical addresses except pcibus_t
36: for PCI addresses. In addition, ram_addr_t is a QEMU internal address
37: space that maps guest RAM physical addresses into an intermediate
38: address space that can map to host virtual address spaces. Generally
39: speaking, the size of guest memory can always fit into ram_addr_t but
40: it would not be correct to store an actual guest physical address in a
41: ram_addr_t.
42:
43: Use target_ulong (or abi_ulong) for CPU virtual addresses, however
44: devices should not need to use target_ulong.
45:
46: Of course, take all of the above with a grain of salt. If you're about
47: to use some system interface that requires a type like size_t, pid_t or
48: off_t, use matching types for any corresponding variables.
49:
50: Also, if you try to use e.g., "unsigned int" as a type, and that
51: conflicts with the signedness of a related variable, sometimes
52: it's best just to use the *wrong* type, if "pulling the thread"
53: and fixing all related variables would be too invasive.
54:
55: Finally, while using descriptive types is important, be careful not to
56: go overboard. If whatever you're doing causes warnings, or requires
57: casts, then reconsider or ask for help.
58:
59: 2.2. Pointers
60:
61: Ensure that all of your pointers are "const-correct".
62: Unless a pointer is used to modify the pointed-to storage,
63: give it the "const" attribute. That way, the reader knows
64: up-front that this is a read-only pointer. Perhaps more
65: importantly, if we're diligent about this, when you see a non-const
66: pointer, you're guaranteed that it is used to modify the storage
67: it points to, or it is aliased to another pointer that is.
68:
69: 2.3. Typedefs
70: Typedefs are used to eliminate the redundant 'struct' keyword.
71:
72: 2.4. Reserved namespaces in C and POSIX
73: Underscore capital, double underscore, and underscore 't' suffixes should be
74: avoided.
75:
76: 3. Low level memory management
77:
78: Use of the malloc/free/realloc/calloc/valloc/memalign/posix_memalign
79: APIs is not allowed in the QEMU codebase. Instead of these routines,
1.1.1.4 ! root 80: use the GLib memory allocation routines g_malloc/g_malloc0/g_new/
! 81: g_new0/g_realloc/g_free or QEMU's qemu_vmalloc/qemu_memalign/qemu_vfree
! 82: APIs.
! 83:
! 84: Please note that g_malloc will exit on allocation failure, so there
! 85: is no need to test for failure (as you would have to with malloc).
! 86: Calling g_malloc with a zero size is valid and will return NULL.
1.1 root 87:
88: Memory allocated by qemu_vmalloc or qemu_memalign must be freed with
89: qemu_vfree, since breaking this will cause problems on Win32 and user
90: emulators.
91:
92: 4. String manipulation
93:
94: Do not use the strncpy function. According to the man page, it does
95: *not* guarantee a NULL-terminated buffer, which makes it extremely dangerous
96: to use. Instead, use functionally equivalent function:
97: void pstrcpy(char *buf, int buf_size, const char *str)
98:
99: Don't use strcat because it can't check for buffer overflows, but:
100: char *pstrcat(char *buf, int buf_size, const char *s)
101:
102: The same limitation exists with sprintf and vsprintf, so use snprintf and
103: vsnprintf.
104:
105: QEMU provides other useful string functions:
106: int strstart(const char *str, const char *val, const char **ptr)
107: int stristart(const char *str, const char *val, const char **ptr)
108: int qemu_strnlen(const char *s, int max_len)
109:
110: There are also replacement character processing macros for isxyz and toxyz,
111: so instead of e.g. isalnum you should use qemu_isalnum.
112:
1.1.1.3 root 113: Because of the memory management rules, you must use g_strdup/g_strndup
1.1 root 114: instead of plain strdup/strndup.
115:
116: 5. Printf-style functions
117:
118: Whenever you add a new printf-style function, i.e., one with a format
119: string argument and following "..." in its prototype, be sure to use
120: gcc's printf attribute directive in the prototype.
121:
122: This makes it so gcc's -Wformat and -Wformat-security options can do
123: their jobs and cross-check format strings with the number and types
124: of arguments.
This archive runs on limited infrastructure. Preserving old code on modern bandwidth. Automated agents are requested to crawl responsibly.