root / HACKING @ a0595d9e
History | View | Annotate | Download (4.9 kB)
1 |
1. Preprocessor |
---|---|
2 |
|
3 |
For variadic macros, stick with this C99-like syntax: |
4 |
|
5 |
#define DPRINTF(fmt, ...) \ |
6 |
do { printf("IRQ: " fmt, ## __VA_ARGS__); } while (0) |
7 |
|
8 |
2. C types |
9 |
|
10 |
It should be common sense to use the right type, but we have collected |
11 |
a few useful guidelines here. |
12 |
|
13 |
2.1. Scalars |
14 |
|
15 |
If you're using "int" or "long", odds are good that there's a better type. |
16 |
If a variable is counting something, it should be declared with an |
17 |
unsigned type. |
18 |
|
19 |
If it's host memory-size related, size_t should be a good choice (use |
20 |
ssize_t only if required). Guest RAM memory offsets must use ram_addr_t, |
21 |
but only for RAM, it may not cover whole guest address space. |
22 |
|
23 |
If it's file-size related, use off_t. |
24 |
If it's file-offset related (i.e., signed), use off_t. |
25 |
If it's just counting small numbers use "unsigned int"; |
26 |
(on all but oddball embedded systems, you can assume that that |
27 |
type is at least four bytes wide). |
28 |
|
29 |
In the event that you require a specific width, use a standard type |
30 |
like int32_t, uint32_t, uint64_t, etc. The specific types are |
31 |
mandatory for VMState fields. |
32 |
|
33 |
Don't use Linux kernel internal types like u32, __u32 or __le32. |
34 |
|
35 |
Use target_phys_addr_t for guest physical addresses except pcibus_t |
36 |
for PCI addresses. In addition, ram_addr_t is a QEMU internal address |
37 |
space that maps guest RAM physical addresses into an intermediate |
38 |
address space that can map to host virtual address spaces. Generally |
39 |
speaking, the size of guest memory can always fit into ram_addr_t but |
40 |
it would not be correct to store an actual guest physical address in a |
41 |
ram_addr_t. |
42 |
|
43 |
Use target_ulong (or abi_ulong) for CPU virtual addresses, however |
44 |
devices should not need to use target_ulong. |
45 |
|
46 |
Of course, take all of the above with a grain of salt. If you're about |
47 |
to use some system interface that requires a type like size_t, pid_t or |
48 |
off_t, use matching types for any corresponding variables. |
49 |
|
50 |
Also, if you try to use e.g., "unsigned int" as a type, and that |
51 |
conflicts with the signedness of a related variable, sometimes |
52 |
it's best just to use the *wrong* type, if "pulling the thread" |
53 |
and fixing all related variables would be too invasive. |
54 |
|
55 |
Finally, while using descriptive types is important, be careful not to |
56 |
go overboard. If whatever you're doing causes warnings, or requires |
57 |
casts, then reconsider or ask for help. |
58 |
|
59 |
2.2. Pointers |
60 |
|
61 |
Ensure that all of your pointers are "const-correct". |
62 |
Unless a pointer is used to modify the pointed-to storage, |
63 |
give it the "const" attribute. That way, the reader knows |
64 |
up-front that this is a read-only pointer. Perhaps more |
65 |
importantly, if we're diligent about this, when you see a non-const |
66 |
pointer, you're guaranteed that it is used to modify the storage |
67 |
it points to, or it is aliased to another pointer that is. |
68 |
|
69 |
2.3. Typedefs |
70 |
Typedefs are used to eliminate the redundant 'struct' keyword. |
71 |
|
72 |
2.4. Reserved namespaces in C and POSIX |
73 |
Underscore capital, double underscore, and underscore 't' suffixes should be |
74 |
avoided. |
75 |
|
76 |
3. Low level memory management |
77 |
|
78 |
Use of the malloc/free/realloc/calloc/valloc/memalign/posix_memalign |
79 |
APIs is not allowed in the QEMU codebase. Instead of these routines, |
80 |
use the GLib memory allocation routines g_malloc/g_malloc0/g_new/ |
81 |
g_new0/g_realloc/g_free or QEMU's qemu_vmalloc/qemu_memalign/qemu_vfree |
82 |
APIs. |
83 |
|
84 |
Please note that g_malloc will exit on allocation failure, so there |
85 |
is no need to test for failure (as you would have to with malloc). |
86 |
Calling g_malloc with a zero size is valid and will return NULL. |
87 |
|
88 |
Memory allocated by qemu_vmalloc or qemu_memalign must be freed with |
89 |
qemu_vfree, since breaking this will cause problems on Win32 and user |
90 |
emulators. |
91 |
|
92 |
4. String manipulation |
93 |
|
94 |
Do not use the strncpy function. According to the man page, it does |
95 |
*not* guarantee a NULL-terminated buffer, which makes it extremely dangerous |
96 |
to use. Instead, use functionally equivalent function: |
97 |
void pstrcpy(char *buf, int buf_size, const char *str) |
98 |
|
99 |
Don't use strcat because it can't check for buffer overflows, but: |
100 |
char *pstrcat(char *buf, int buf_size, const char *s) |
101 |
|
102 |
The same limitation exists with sprintf and vsprintf, so use snprintf and |
103 |
vsnprintf. |
104 |
|
105 |
QEMU provides other useful string functions: |
106 |
int strstart(const char *str, const char *val, const char **ptr) |
107 |
int stristart(const char *str, const char *val, const char **ptr) |
108 |
int qemu_strnlen(const char *s, int max_len) |
109 |
|
110 |
There are also replacement character processing macros for isxyz and toxyz, |
111 |
so instead of e.g. isalnum you should use qemu_isalnum. |
112 |
|
113 |
Because of the memory management rules, you must use g_strdup/g_strndup |
114 |
instead of plain strdup/strndup. |
115 |
|
116 |
5. Printf-style functions |
117 |
|
118 |
Whenever you add a new printf-style function, i.e., one with a format |
119 |
string argument and following "..." in its prototype, be sure to use |
120 |
gcc's printf attribute directive in the prototype. |
121 |
|
122 |
This makes it so gcc's -Wformat and -Wformat-security options can do |
123 |
their jobs and cross-check format strings with the number and types |
124 |
of arguments. |