From: Yoni Bettan
To: qemu-devel@nongnu.org
Cc: Yoni Bettan, ehabkost@redhat.com
Date: Sun, 2 Sep 2018 15:36:07 +0300
Message-Id: <20180902123608.124586-4-ybettan@redhat.com>
In-Reply-To: <20180902123608.124586-1-ybettan@redhat.com>
References: <20180902123608.124586-1-ybettan@redhat.com>
Subject: [Qemu-devel] [PATCH 3/4] HACKING.md : Reformatted to fit the Markdown (.md) format.

Signed-off-by: Yoni Bettan --- HACKING =3D> HACKING.md | 186 ++++++++++++++++++++++-------------------- 1 file changed, 97 insertions(+), 89 deletions(-) rename HACKING =3D> HACKING.md (53%) diff --git a/HACKING b/HACKING.md similarity index 53% rename from HACKING rename to HACKING.md index 0fc3e0fc04..f9d7631e64 100644 --- a/HACKING +++ b/HACKING.md 
@@ -1,86 +1,90 @@ -1. Preprocessor +## Preprocessor =20 -1.1. Variadic macros +### Variadic macros =20 For variadic macros, stick with this C99-like syntax: =20 +``` #define DPRINTF(fmt, ...) \ do { printf("IRQ: " fmt, ## __VA_ARGS__); } while (0) +``` =20 -1.2. Include directives +### Include directives =20 Order include directives as follows: =20 +``` #include "qemu/osdep.h" /* Always first... */ #include <...> /* then system headers... */ #include "..." /* and finally QEMU headers. */ +``` =20 -The "qemu/osdep.h" header contains preprocessor macros that affect the beh= avior -of core system headers like . It must be the first include so t= hat +The `qemu/osdep.h` header contains preprocessor macros that affect the beh= avior +of core system headers like ``. It must be the first include so= that core system headers included by external libraries get the preprocessor ma= cros that QEMU depends on. =20 -Do not include "qemu/osdep.h" from header files since the .c file will have +Do not include `qemu/osdep.h` from header files since the .c file will have already included it. =20 -2. C types +## C types =20 It should be common sense to use the right type, but we have collected a few useful guidelines here. =20 -2.1. Scalars +### Scalars =20 -If you're using "int" or "long", odds are good that there's a better type. -If a variable is counting something, it should be declared with an -unsigned type. +If you're using `int` or `long`, odds are good that there's a better type. +If a variable is counting something, it should be declared with +`unsigned `. =20 -If it's host memory-size related, size_t should be a good choice (use -ssize_t only if required). Guest RAM memory offsets must use ram_addr_t, +If it's host memory-size related, `size_t` should be a good choice (use +`ssize_t` only if required). Guest RAM memory offsets must use `ram_addr_t= `, but only for RAM, it may not cover whole guest address space. =20 -If it's file-size related, use off_t. 
-If it's file-offset related (i.e., signed), use off_t. -If it's just counting small numbers use "unsigned int"; +If it's file-size related, use `off_t`. +If it's file-offset related (i.e., signed), `use off_t`. +If it's just counting small numbers use `unsigned int`; (on all but oddball embedded systems, you can assume that that type is at least four bytes wide). =20 In the event that you require a specific width, use a standard type -like int32_t, uint32_t, uint64_t, etc. The specific types are +like `int32_t`, `uint32_t`, `uint64_t`, etc. The specific types are mandatory for VMState fields. =20 -Don't use Linux kernel internal types like u32, __u32 or __le32. +Don't use Linux kernel internal types like `u32`, `__u32` or `__le32`. =20 -Use hwaddr for guest physical addresses except pcibus_t -for PCI addresses. In addition, ram_addr_t is a QEMU internal address +Use `hwaddr` for guest physical addresses except `pcibus_t` +for PCI addresses. In addition, `ram_addr_t` is a QEMU internal address space that maps guest RAM physical addresses into an intermediate address space that can map to host virtual address spaces. Generally -speaking, the size of guest memory can always fit into ram_addr_t but +speaking, the size of guest memory can always fit into `ram_addr_t` but it would not be correct to store an actual guest physical address in a -ram_addr_t. +`ram_addr_t`. =20 For CPU virtual addresses there are several possible types. -vaddr is the best type to use to hold a CPU virtual address in +`vaddr` is the best type to use to hold a CPU virtual address in target-independent code. It is guaranteed to be large enough to hold a virtual address for any target, and it does not change size from target to target. It is always unsigned. -target_ulong is a type the size of a virtual address on the CPU; this means +`target_ulong` is a type the size of a virtual address on the CPU; this me= ans it may be 32 or 64 bits depending on which target is being built. 
It should therefore be used only in target-specific code, and in some performance-critical built-per-target core code such as the TLB code. -There is also a signed version, target_long. -abi_ulong is for the *-user targets, and represents a type the size of -'void *' in that target's ABI. (This may not be the same as the size of a +There is also a signed version, `target_long`. +`abi_ulong` is for the `*-user` targets, and represents a type the size of +`void *` in that target's ABI. (This may not be the same as the size of a full CPU virtual address in the case of target ABIs which use 32 bit point= ers -on 64 bit CPUs, like sparc32plus.) Definitions of structures that must mat= ch +on 64 bit CPUs, like `sparc32plus`.) Definitions of structures that must m= atch the target's ABI must use this type for anything that on the target is def= ined -to be an 'unsigned long' or a pointer type. -There is also a signed version, abi_long. +to be an `unsigned long` or a pointer type. +There is also a signed version, `abi_long`. =20 Of course, take all of the above with a grain of salt. If you're about -to use some system interface that requires a type like size_t, pid_t or -off_t, use matching types for any corresponding variables. +to use some system interface that requires a type like `size_t`, `pid_t` or +`off_t`, use matching types for any corresponding variables. =20 -Also, if you try to use e.g., "unsigned int" as a type, and that +Also, if you try to use e.g., `unsigned int` as a type, and that conflicts with the signedness of a related variable, sometimes it's best just to use the *wrong* type, if "pulling the thread" and fixing all related variables would be too invasive. 
@@ -89,83 +93,86 @@ Finally, while using descriptive types is important, be= careful not to go overboard. If whatever you're doing causes warnings, or requires casts, then reconsider or ask for help. =20 -2.2. Pointers +### Pointers =20 Ensure that all of your pointers are "const-correct". Unless a pointer is used to modify the pointed-to storage, -give it the "const" attribute. That way, the reader knows +give it the `const` attribute. That way, the reader knows up-front that this is a read-only pointer. Perhaps more importantly, if we're diligent about this, when you see a non-const pointer, you're guaranteed that it is used to modify the storage it points to, or it is aliased to another pointer that is. =20 -2.3. Typedefs -Typedefs are used to eliminate the redundant 'struct' keyword. +### Typedefs +Typedefs are used to eliminate the redundant `struct` keyword. =20 -2.4. Reserved namespaces in C and POSIX -Underscore capital, double underscore, and underscore 't' suffixes should = be +### Reserved namespaces in C and POSIX +`_`, `__`, and underscore `*_t` suffixes should be avoided. =20 -3. Low level memory management +## Low level memory management =20 -Use of the malloc/free/realloc/calloc/valloc/memalign/posix_memalign +Use of the `malloc/free/realloc/calloc/valloc/memalign/posix_memalign` APIs is not allowed in the QEMU codebase. Instead of these routines, -use the GLib memory allocation routines g_malloc/g_malloc0/g_new/ -g_new0/g_realloc/g_free or QEMU's qemu_memalign/qemu_blockalign/qemu_vfree +use the GLib memory allocation routines `g_malloc/g_malloc0/g_new/ +g_new0/g_realloc/g_free or QEMU's qemu_memalign/qemu_blockalign/qemu_vfree` APIs. =20 -Please note that g_malloc will exit on allocation failure, so there +Please note that `g_malloc` will exit on allocation failure, so there is no need to test for failure (as you would have to with malloc). -Calling g_malloc with a zero size is valid and will return NULL. 
+Calling `g_malloc` with a zero size is valid and will return `NULL`. =20 -Prefer g_new(T, n) instead of g_malloc(sizeof(T) * n) for the following +Prefer `g_new(T, n)` instead of `g_malloc(sizeof(T) * n)` for the following reasons: =20 - a. It catches multiplication overflowing size_t; - b. It returns T * instead of void *, letting compiler catch more type + a. It catches multiplication overflowing `size_t`; + b. It returns `T *` instead of `void *`, letting compiler catch more type errors. =20 -Declarations like T *v =3D g_malloc(sizeof(*v)) are acceptable, though. +Declarations like `T *v =3D g_malloc(sizeof(*v))` are acceptable, though. =20 -Memory allocated by qemu_memalign or qemu_blockalign must be freed with -qemu_vfree, since breaking this will cause problems on Win32. +Memory allocated by `qemu_memalign` or `qemu_blockalign` must be freed with +`qemu_vfree`, since breaking this will cause problems on Win32. =20 -4. String manipulation +## String manipulation =20 -Do not use the strncpy function. As mentioned in the man page, it does *n= ot* +Do not use the `strncpy` function. As mentioned in the man page, it does = *not* guarantee a NULL-terminated buffer, which makes it extremely dangerous to = use. It also zeros trailing destination bytes out to the specified length. Ins= tead, use this similar function when possible, but note its different signature: -void pstrcpy(char *dest, int dest_buf_size, const char *src) +`void pstrcpy(char *dest, int dest_buf_size, const char *src)` =20 -Don't use strcat because it can't check for buffer overflows, but: -char *pstrcat(char *buf, int buf_size, const char *s) +Don't use `strcat` because it can't check for buffer overflows, but: +`char *pstrcat(char *buf, int buf_size, const char *s)` =20 -The same limitation exists with sprintf and vsprintf, so use snprintf and -vsnprintf. +The same limitation exists with `sprintf` and `vsprintf`, so use `snprintf= ` and +`vsnprintf`. 
=20 QEMU provides other useful string functions: + +``` int strstart(const char *str, const char *val, const char **ptr) int stristart(const char *str, const char *val, const char **ptr) int qemu_strnlen(const char *s, int max_len) +``` =20 -There are also replacement character processing macros for isxyz and toxyz, -so instead of e.g. isalnum you should use qemu_isalnum. +There are also replacement character processing macros for `isxyz` and `to= xyz`, +so instead of e.g. `isalnum` you should use `qemu_isalnum`. =20 -Because of the memory management rules, you must use g_strdup/g_strndup -instead of plain strdup/strndup. +Because of the memory management rules, you must use `g_strdup/g_strndup` +instead of plain `strdup/strndup`. =20 -5. Printf-style functions +## Printf-style functions =20 Whenever you add a new printf-style function, i.e., one with a format -string argument and following "..." in its prototype, be sure to use +string argument and following `...` in its prototype, be sure to use gcc's printf attribute directive in the prototype. =20 -This makes it so gcc's -Wformat and -Wformat-security options can do +This makes it so gcc's `-Wformat` and `-Wformat-security` options can do their jobs and cross-check format strings with the number and types of arguments. =20 -6. C standard, implementation defined and undefined behaviors +## C standard, implementation defined and undefined behaviors =20 C code in QEMU should be written to the C99 language specification. A copy of the final version of the C99 standard with corrigenda TC1, TC2, and TC3 
@@ -181,37 +188,38 @@ argument...) However there are a few areas where we a= llow ourselves to assume certain behaviors because in practice all the platforms we care abo= ut behave in the same way and writing strictly conformant code would be painful. These are: - * you may assume that integers are 2s complement representation - * you may assume that right shift of a signed integer duplicates - the sign bit (ie it is an arithmetic shift, not a logical shift) + +* you may assume that integers are 2s complement representation +* you may assume that right shift of a signed integer duplicates + the sign bit (ie it is an arithmetic shift, not a logical shift) =20 In addition, QEMU assumes that the compiler does not use the latitude -given in C99 and C11 to treat aspects of signed '<<' as undefined, as +given in C99 and C11 to treat aspects of signed `<<` as undefined, as documented in the GNU Compiler Collection manual starting at version 4.0. =20 -7. Error handling and reporting +## Error handling and reporting =20 -7.1 Reporting errors to the human user +### Reporting errors to the human user =20 -Do not use printf(), fprintf() or monitor_printf(). Instead, use -error_report() or error_vreport() from error-report.h. This ensures the +Do not use `printf()`, `fprintf()` or `monitor_printf()`. Instead, use +`error_report()` or `error_vreport()` from `error-report.h`. This ensures= the error is reported in the right place (current monitor or stderr), and in a uniform format. =20 -Use error_printf() & friends to print additional information. +Use `error_printf()` & friends to print additional information. =20 -error_report() prints the current location. In certain common cases +`error_report()` prints the current location. In certain common cases like command line parsing, the current location is tracked -automatically. To manipulate it manually, use the loc_*() from -error-report.h. +automatically. To manipulate it manually, use the `loc_*()` from +`error-report.h`. 
=20 -7.2 Propagating errors +### Propagating errors =20 An error can't always be reported to the user right where it's detected, but often needs to be propagated up the call chain to a place that can handle it. This can be done in various ways. =20 -The most flexible one is Error objects. See error.h for usage +The most flexible one is Error objects. See `error.h` for usage information. =20 Use the simplest suitable method to communicate success / failure to 
@@ -220,26 +228,26 @@ error, non-negative / -errno, non-null / null, or Err= or objects. =20 Example: when a function returns a non-null pointer on success, and it can fail only in one way (as far as the caller is concerned), returning -null on failure is just fine, and certainly simpler and a lot easier on -the eyes than propagating an Error object through an Error ** parameter. +`NULL` on failure is just fine, and certainly simpler and a lot easier on +the eyes than propagating an Error object through an `Error ** parameter`. =20 Example: when a function's callers need to report details on failure -only the function really knows, use Error **, and set suitable errors. +only the function really knows, use `Error **`, and set suitable errors. =20 Do not report an error to the user when you're also returning an error for somebody else to handle. Leave the reporting to the place that consumes the error returned. =20 -7.3 Handling errors +### Handling errors =20 -Calling exit() is fine when handling configuration errors during +Calling `exit()` is fine when handling configuration errors during startup. It's problematic during normal operation. In particular, -monitor commands should never exit(). +monitor commands should never `exit()`. =20 -Do not call exit() or abort() to handle an error that can be triggered +Do not call `exit()` or `abort()` to handle an error that can be triggered by the guest (e.g., some unimplemented corner case in guest code translation or device emulation). Guests should not be able to terminate QEMU. =20 -Note that &error_fatal is just another way to exit(1), and &error_abort -is just another way to abort(). +Note that `&error_fatal` is just another way to `exit(1)`, and `&error_abo= rt` +is just another way to `abort()`. --=20 2.17.1
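Review bot: In the Scalars part of the first hunk (@@ -1,86 +1,90 @@), two of the new code spans change the wording rather than only marking it up. "declared with an unsigned type" has become "declared with `unsigned `", which drops "an ... type" and leaves a trailing space inside the span, and "`use off_t`" pulls the verb inside the backticks. Suggest keeping "an unsigned type" as plain prose and writing "use `off_t`", so that the patch stays a pure reformat of the coding rules.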
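Review bot: In the "Low level memory management" paragraph of the second hunk (@@ -89,83 +93,86 @@), the code span that opens before "g_malloc/g_malloc0/g_new/" is only closed after "qemu_vfree" on the following line, so the prose "or QEMU's" is rendered as code and the span runs across a line break. Suggest two separate spans, one around the GLib list ending at "g_free" and one around "qemu_memalign/qemu_blockalign/qemu_vfree", with "or QEMU's" left outside both. This is the paragraph that tells contributors which allocators are allowed, so it is worth keeping the two lists visually distinct.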
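Review bot: In the first example paragraph of the last hunk (@@ -220,26 +228,26 @@), the span "`Error ** parameter`" includes the word "parameter" in the code formatting; it should read "`Error **` parameter", matching the "`Error **`" span used two lines further down. The same paragraph also changes "null on failure" to "`NULL` on failure" while the unchanged context still says "non-null / null" and "non-null pointer"; either leave the word as it was or make the change in a separate patch, since the subject describes this one as a reformat only.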