C Language

An ANSI standard C compiler and library are assumed. Feel free to use any ANSI C feature.

Warnings

Given a reasonable set of things to warn about (e.g. -W -Wall for gcc), the goal is to compile with no warnings.

C Source Code

Copyright

All source files should have a copyright. The copyright year(s) should be kept current. The files and the copyright year(s) should be listed in util/copyrights.

Line Formatting

Indentation

Use tabs. Spaces are only allowed when needed to line up a continued expression. In the following example, spaces used for indentation are indicated with "_": 

	printf("this is going to be %s very long %s statement\n",
	_______"a", "printf");

Line Length

Lines should not be longer than 80 characters, even if it requires violating the indentation rules to do so.

Comments

Comments should be used anytime they improve the readability of the code.

Comments may be single-line or multiline. A single-line comment should be at the end of the line of there is other text on the line, and should start in the same column as other nearby end-of-line comments. The comment should be at the same indentation level as the text it is referring to. Multiline comments should start with "/*" on a line by itself. Subsequent lines should have " *" lined-up with the "*" above. The end of the comment should be " */" on a line by itself, again with the "*" lined-up with the one above. Comments should start with a capital letter and end with a period.

Good:


	/*
	 * Private variables.
	 */

	static int		a		/* Description of 'a'. */
	static int		b		/* Description of 'b'. */
	static char *		c		/* Description of 'c'. */
The following lint and lint-like comments should be used where appropriate: 

	/* ARGSUSED */
	/* FALLTHROUGH */
	/* NOTREACHED */
	/* VARARGS */

.h files

.h files should not rely on other files having been included. .h files should prevent multiple inclusion. The OS is assumed to prevent multiple inclusion of its .h files.

.h files that define modules should have a structure like the following:


/*
 * Copyright (C) 1998  Internet Software Consortium.
 * 
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 * 
 * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
 * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
 * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
 * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
 * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
 * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
 * SOFTWARE.
 */

#ifndef ISC_WHATEVER_H
#define ISC_WHATEVER_H 1

/*****
 ***** Module Info
 *****/

/*
 * 
 *
 * 
 *
 * 
 *
 * MP:
 *	
 *
 * Reliability:
 *	
 *
 * Resources:
 *	
 *
 * Security:
 *	
 *
 * Standards:
 *	
 */

/***
 *** Imports
 ***/

/* <#includes here> */

/***
 *** Types
 ***/

/*  */

/***
 *** Functions
 ***/

#endif /* ISC_WHATEVER_H */

C Source

Including Interfaces (.h files)

The first file to be included must be config.h. Try to include only necessary files, not everything under the sun.

Operating-system-specific files should not be included by most modules.

Include UNIX "sys" .h files before ordinary C includes.

Statements

There should be at most one statement per line.

Bad:


	if (i > 0) {
		printf("yes\n"); i = 0; j = 0;
	}

Functions

The use of ANSI C function prototypes is required.

The return type of the function should be listed on a line by itself when specifying the implementation of the function. The opening curly brace should occur on the same line as the argument list, unless the argument list is more than one line long.

Good:

static inline void f(int i) { /* whatever */ } int g(int i, /* other args here */ int last_argument) { return (i * i); }

Curly Braces

Curly Braces do not get their own indentation. An opening brace does not start a new line. The statements enclosed by the braces should not be on the same line as the opening or closing brace. A closing brace should be the only thing on the line, unless it's part of an else clause.

Good:


static void
f(int i) {
	if (i > 0) {
		printf("yes\n");
		i = 0;
	} else
		printf("no\n");
}
Bad:


void f(int i)
  {
    if(i<0){i=0;printf("was negative\n");}
    if (i > 0)
      {
        printf("yes\n");
        i = 0;
      }}

Spaces

Return Values

If a function returns a value, it should be cast to (void) if you don't care what the value is. (Exception for printf()?)

All error conditions must be handled.

Mixing of error status and valid results within a single type should be avoided.

Good: 


	os_descriptor_t		s;
	os_result_t		result;

	result = os_socket_create(AF_INET, SOCK_STREAM, 0, &s);
	if (result != OS_R_SUCCESS) {
		/* Do something about the error. */
		return;
	}
Not so good: 

	int s;

	/*
	 * Obviously using interfaces like socket() (below) is allowed
	 * since otherwise you couldn't call operating system routines; the
	 * point is not to write more interfaces like them.
	 */
	s = socket(AF_INET, SOCK_STREAM, 0);
	if (s < 0) {
		/* Do something about the error using errno. */
		return;
	}

Integral Types

Careful thought should be given to whether an integral type should be signed or unsigned, and to whether a specific size is required. "int" should be used for generic variables (e.g. iteration counters, array subscripts). Other than for generic variables, if a negative value isn't meaningful, the variable should be unsigned. Assignments and comparisons between signed and unsigned integers should be avoided; suppressing the warnings with casts is not desireable.

Casting

Casting should be avoided when possible.

Clear Success or Failure

A function should report success or failure, and do so accurately. It should never fail silently. Use of Design by Contract can help here.

Testing Bits

Bit testing should be as follows:

Good: 


	/* Test if flag set. */
	if ((flags & FOO) != 0) {

	}
	/* Test if flag clear. */
	if ((flags & BAR) == 0) {

	}
	/* Test if both flags set. */
	if ((flags & (FOO|BAR)) == (FOO|BAR)) {

	}
Bad: 

	/* Test if flag set. */
	if (flags & FOO) {

	}
	/* Test if flag clear. */
	if (! (flags & BAR)) {

	}

Pointers

Null Pointer
The null pointer value should be referred to with "NULL", not with "0". Testing to see whether a pointer is NULL should be explicit.

Good: 


	char *c = NULL;

	/* ... */

	if (c == NULL) {
		/* Do something. */
	}
Invalidating Pointers
When the data a pointer points to has been freed, or is otherwise no longer valid, the pointer should be set to NULL unless the pointer is part of a structure which is itself going to be freed immediately.

Good: 


	char *text;

	/* text is initalized here. */

	free(text);
	text = NULL;

Testing for Zero or Non-zero

Explicit testing against zero is required for numeric, non-boolean variables.

Good: 


	int i = 10;

	/* ... */

	if (i != 0) {
		/* Do something. */
	}
Bad: 

	int i = 10;

	/* ... */

	if (i) {
		/* Do something. */
	}

Initialization

When an object is allocated from the heap, all fields in the object must be initialized.

Dead Code Pruning

Source which becomes obsolete should be removed, not just disabled with #if 0 ... #endif.