1.. _c_coding_guidelines: 2 3C Programming Language Coding Guidelines 4######################################## 5 6.. contents:: 7 :local: 8 9 10Preprocessor 11************ 12 13C-PP-01: ## or # operators shall be used with restrictions 14========================================================== 15 16``##`` or ``#`` operators shall only be used alone. The following cases shall 17not be allowed: 18 19a) The result from the ``##`` or ``#`` operation shall not be used as the 20 operands of another ``##`` or ``#`` operation. 21b) Mixed use of ``##`` or ``#`` operators shall not be allowed. 22 23Compliant example:: 24 25 #define CONCAT(x, y) x ## y 26 27 uint32_t ab = 32U; 28 printf("%d \n", CONCAT(a, b)); 29 30.. rst-class:: non-compliant-code 31 32 Non-compliant example:: 33 34 #define CONCAT(x, y, z) x ## y ## z 35 36 uint32_t abc = 32U; 37 printf("%d \n", CONCAT(a, b, c)); 38 39 40C-PP-02: Function-like MACRO shall be used with restrictions 41============================================================ 42 43Function-like MACRO shall be replaced with inline function if it is possible. 44 45Compliant example:: 46 47 static inline uint32_t func_showcase(uint32_t a, uint32_t b) 48 { 49 return a + b; 50 } 51 52.. rst-class:: non-compliant-code 53 54 Non-compliant example:: 55 56 #define SHOWCASE(a, b) ((a) + (b)) 57 58 59C-PP-03: Header file shall not be included multiple times 60========================================================= 61 62The content inside shall be protected with ``#ifndef``, ``#if 63!defined``, or ``#ifdef``. 64 65Compliant example:: 66 67 /* In `showcase.h`: */ 68 #ifndef SHOWCASE_H 69 #define SHOWCASE_H 70 71 /* header contents */ 72 uint32_t func_showcase(uint32_t param); 73 74 #endif /* SHOWCASE_H */ 75 76.. rst-class:: non-compliant-code 77 78 Non-compliant example:: 79 80 /* In `showcase.h`: */ 81 82 /* header contents without any protection */ 83 uint32_t func_showcase(uint32_t param); 84 85 86C-PP-04: Parentheses shall be used when referencing a MACRO parameter 87===================================================================== 88 89Compliant example:: 90 91 #define NEGATING(x) -(x) 92 93.. rst-class:: non-compliant-code 94 95 Non-compliant example:: 96 97 #define NEGATING(x) -x 98 99 100 101Compilation Units 102***************** 103 104C-CU-01: Only one assignment shall be on a single line 105====================================================== 106 107Multiple assignments on a single line are not allowed. 108 109Compliant example:: 110 111 a = d; 112 b = d; 113 c = d; 114 115.. rst-class:: non-compliant-code 116 117 Non-compliant example:: 118 119 int a = b = c = d; 120 121 122C-CU-02: Only one return statement shall be in a function 123========================================================= 124 125Multiple return statements in a function are not allowed. 126 127Compliant example:: 128 129 int32_t foo(char *ptr) 130 { 131 int32_t ret; 132 133 if (ptr == NULL) { 134 ret = -1; 135 } else { 136 ... 137 ret = 0; 138 } 139 140 return ret; 141 } 142 143.. rst-class:: non-compliant-code 144 145 Non-compliant example:: 146 147 int32_t foo(char *ptr) { 148 if (ptr == NULL) { 149 return -1; 150 } 151 ... 152 return 0; 153 } 154 155 156C-CU-03: All code shall be reachable 157==================================== 158 159Compliant example:: 160 161 uint32_t func_showcase(void) 162 { 163 uint32_t showcase = 32U; 164 165 printf("showcase: %d \n", showcase); 166 return showcase; 167 } 168 169.. rst-class:: non-compliant-code 170 171 Non-compliant example:: 172 173 uint32_t func_showcase(void) 174 { 175 uint32_t showcase = 32U; 176 177 return showcase; 178 printf("showcase: %d \n", showcase); 179 } 180 181 182C-CU-04: Cyclomatic complexity shall be less than 20 183==================================================== 184 185A function with cyclomatic complexity greater than 20 shall be split 186into multiple sub-functions to simplify the function logic. 187 188Compliant example:: 189 190 bool is_even_number(uint32_t param) 191 { 192 bool even = false; 193 194 if ((param & 0x1U) == 0U) { 195 even = true; 196 } 197 198 return even; 199 } 200 201 uint32_t func_showcase(uint32_t param) 202 { 203 uint32_t ret; 204 205 if (param >= 20U) { 206 ret = 20U; 207 } else if (is_even_number(param)) { 208 ret = 10U; 209 } else { 210 ret = 0U; 211 } 212 213 return ret; 214 } 215 216.. rst-class:: non-compliant-code 217 218 Non-compliant example:: 219 220 uint32_t func_showcase(uint32_t param) 221 { 222 uint32_t ret; 223 224 if (param >= 20U) { 225 ret = 20U; 226 } 227 228 if ((param == 0U) || (param == 2U) || (param == 4U) || (param == 6U) || 229 (param == 8U) || (param == 10U) || (param == 12U) || (param == 14U) || 230 (param == 16U) || (param == 18U)) { 231 ret = 10U; 232 } 233 234 if ((param == 1U) || (param == 3U) || (param == 5U) || (param == 7U) || 235 (param == 9U) || (param == 11U) || (param == 13U) || (param == 15U) || 236 (param == 17U) || (param == 19U)) { 237 ret = 0U; 238 } 239 240 return ret; 241 } 242 243 244 245Declarations and Initialization 246******************************* 247 248C-DI-01: Variable shall be used after its initialization 249======================================================== 250 251Compliant example:: 252 253 uint32_t a, b; 254 255 a = 0U; 256 b = a; 257 258.. rst-class:: non-compliant-code 259 260 Non-compliant example:: 261 262 uint32_t a, b; 263 264 b = a; 265 266 267C-DI-02: Function shall be called after its declaration 268======================================================= 269 270Compliant example:: 271 272 static void showcase_2(void) 273 { 274 /* main body */ 275 } 276 277 static void showcase_1(void) 278 { 279 showcase_2(void); 280 } 281 282.. rst-class:: non-compliant-code 283 284 Non-compliant example:: 285 286 static void showcase_1(void) 287 { 288 showcase_2(void); 289 } 290 291 static void showcase_2(void) 292 { 293 /* main body */ 294 } 295 296 297C-DI-03: The initialization statement shall not be skipped 298========================================================== 299 300Compliant example:: 301 302 uint32_t showcase; 303 304 showcase = 0U; 305 goto increment_ten; 306 showcase += 20U; 307 308 increment_ten: 309 showcase += 10U; 310 311.. rst-class:: non-compliant-code 312 313 Non-compliant example:: 314 315 uint32_t showcase; 316 317 goto increment_ten; 318 showcase = 0U; 319 showcase += 20U; 320 321 increment_ten: 322 showcase += 10U; 323 324 325C-DI-04: The initialization of a struct shall be enclosed with brackets 326======================================================================= 327 328Compliant example:: 329 330 struct struct_showcase_sub 331 { 332 uint32_t temp_1; 333 uint32_t temp_2; 334 }; 335 336 struct struct_showcase 337 { 338 uint32_t temp_3; 339 struct struct_showcase_sub temp_struct; 340 }; 341 342 struct struct_showcase showcase = {32U, {32U, 32U}}; 343 344.. rst-class:: non-compliant-code 345 346 Non-compliant example:: 347 348 struct struct_showcase_sub 349 { 350 uint32_t temp_1; 351 uint32_t temp_2; 352 }; 353 354 struct struct_showcase 355 { 356 uint32_t temp_3; 357 struct struct_showcase_sub temp_struct; 358 }; 359 360 struct struct_showcase showcase = {32U, 32U, 32U}; 361 362 363C-DI-05: The array size shall be specified explicitly 364===================================================== 365 366Compliant example:: 367 368 uint32_t showcase[2] = {0U, 1U}; 369 370.. rst-class:: non-compliant-code 371 372 Non-compliant example:: 373 374 uint32_t showcase[] = {0U, 1U}; 375 376 377C-DI-06: Global variables shall be declared only once 378===================================================== 379 380Global variables shall be declared only once with the following exception: 381A global variable may be declared twice if one declaration is in a header file 382with the ``extern`` specifier and the other one is in a source file *without* 383the ``extern`` specifier. 384 385Compliant example:: 386 387 /* In `showcase.h` */ 388 extern uint32_t showcase; 389 390 /* In `showcase.c`: */ 391 /* global variable */ 392 uint32_t showcase = 32U; 393 394 void func_showcase(void) 395 { 396 showcase++; 397 } 398 399.. rst-class:: non-compliant-code 400 401 Non-compliant example:: 402 403 /* In `showcase.c`: */ 404 /* global variable */ 405 uint32_t showcase; 406 uint32_t showcase = 32U; 407 408 void func_showcase(void) 409 { 410 showcase++; 411 } 412 413 414C-DI-07: An array shall be fully initialized 415============================================ 416 417Compliant example:: 418 419 uint32_t showcase_array[5] = {0, 1, 2, 3, 4}; 420 421.. rst-class:: non-compliant-code 422 423 Non-compliant example:: 424 425 uint32_t showcase_array[5] = {0, 1}; 426 427 428C-DI-08: An array declaration shall use a constant for the size 429=============================================================== 430 431Compliant example:: 432 433 uint32_t array_showcase[10]; 434 435.. rst-class:: non-compliant-code 436 437 Non-compliant example:: 438 439 uint32_t array_size = 10U; 440 uint32_t array_showcase[array_size]; 441 442 443 444Functions 445********* 446 447C-FN-01: A non-void function shall have a return statement 448========================================================== 449 450Compliant example:: 451 452 uint32_t showcase(uint32_t param) 453 { 454 printf("param: %d\n", param); 455 return param; 456 } 457 458.. rst-class:: non-compliant-code 459 460 Non-compliant example:: 461 462 uint32_t showcase(uint32_t param) 463 { 464 printf("param: %d\n", param); 465 } 466 467 468C-FN-02: A non-void function shall have a return value rather than empty return 469=============================================================================== 470 471Compliant example:: 472 473 uint32_t showcase(uint32_t param) 474 { 475 printf("param: %d\n", param); 476 return param; 477 } 478 479.. rst-class:: non-compliant-code 480 481 Non-compliant example:: 482 483 uint32_t showcase(uint32_t param) 484 { 485 printf("param: %d\n", param); 486 return; 487 } 488 489 490C-FN-03: A non-void function shall return a value on all paths 491============================================================== 492 493Compliant example:: 494 495 uint32_t showcase(uint32_t param) 496 { 497 if (param < 10U) { 498 return 10U; 499 } else { 500 return param; 501 } 502 } 503 504.. rst-class:: non-compliant-code 505 506 Non-compliant example:: 507 508 uint32_t showcase(uint32_t param) 509 { 510 if (param < 10U) { 511 return 10U; 512 } else { 513 return; 514 } 515 } 516 517 518C-FN-04: The return value of a void-returning function shall not be used 519======================================================================== 520 521Compliant example:: 522 523 void showcase_1(uint32_t param) 524 { 525 printf("param: %d\n", param); 526 } 527 528 void showcase_2(void) 529 { 530 uint32_t a; 531 532 showcase_1(0U); 533 a = 0U; 534 } 535 536.. rst-class:: non-compliant-code 537 538 Non-compliant example:: 539 540 void showcase_1(uint32_t param) 541 { 542 printf("param: %d\n", param); 543 } 544 545 void showcase_2(void) 546 { 547 uint32_t a; 548 549 a = showcase_1(0U); 550 } 551 552 553C-FN-05: A parameter passed by pointer to a function shall not be reassigned 554============================================================================ 555 556Compliant example:: 557 558 void func_showcase(uint32_t *param_ptr) 559 { 560 uint32_t *local_ptr = param_ptr; 561 562 local_ptr++; 563 printf("%d \n", *local_ptr); 564 } 565 566.. rst-class:: non-compliant-code 567 568 Non-compliant example:: 569 570 void func_showcase(uint32_t *param_ptr) 571 { 572 param_ptr++; 573 printf("%d \n", *param_ptr); 574 } 575 576 577C-FN-06: A parameter passed by value to a function shall not be modified directly 578================================================================================= 579 580Compliant example:: 581 582 void func_showcase(uint32_t param) 583 { 584 uint32_t local = param; 585 586 local++; 587 printf("%d \n", local); 588 } 589 590.. rst-class:: non-compliant-code 591 592 Non-compliant example:: 593 594 void func_showcase(uint32_t param) 595 { 596 param++; 597 printf("%d \n", param); 598 } 599 600 601C-FN-07: A non-static function shall be declared in a header file 602================================================================= 603 604Compliant example:: 605 606 /* In `showcase.h`: */ 607 uint32_t func_showcase(uint32_t param); 608 609 /* In `showcase.c`: */ 610 #include "showcase.h" 611 612 uint32_t func_showcase(uint32_t param) 613 { 614 return param; 615 } 616 617.. rst-class:: non-compliant-code 618 619 Non-compliant example:: 620 621 /* There is no `showcase.h`. */ 622 623 /* In `showcase.c`: */ 624 uint32_t func_showcase(uint32_t param) 625 { 626 return param; 627 } 628 629 630C-FN-08: All static functions shall be used within the file in which they are declared 631====================================================================================== 632 633Unlike global functions in C, access to a static function is restricted to the 634file where it is declared. Therefore, a static function shall be used in the 635file where it is declared, either called explicitly or indirectly via its 636address. Otherwise, the static function shall be removed. 637 638Compliant example:: 639 640 static void func_showcase(uint32_t param) 641 { 642 printf("param %d \n", param); 643 } 644 645 void main(void) 646 { 647 func_showcase(10U); 648 } 649 650.. rst-class:: non-compliant-code 651 652 Non-compliant example:: 653 654 /* func_showcase is not called explicitly or accessed via the address */ 655 static void func_showcase(uint32_t param) 656 { 657 printf("param %d \n", param); 658 } 659 660 661C-FN-09: The formal parameter name of a function shall be consistent 662==================================================================== 663 664The formal parameter name of a function shall be the same between its 665declaration and its definition. 666 667Compliant example:: 668 669 /* In `showcase.h`: */ 670 uint32_t func_showcase(uint32_t param); 671 672 /* In `showcase.c`: */ 673 #include "showcase.h" 674 675 uint32_t func_showcase(uint32_t param) 676 { 677 return param; 678 } 679 680.. rst-class:: non-compliant-code 681 682 Non-compliant example:: 683 684 /* In `showcase.h`: */ 685 uint32_t func_showcase(uint32_t param); 686 687 /* In `showcase.c`: */ 688 #include "showcase.h" 689 690 uint32_t func_showcase(uint32_t param_1) 691 { 692 return param_1; 693 } 694 695 696C-FN-10: The formal parameter type of a function shall be consistent 697==================================================================== 698 699The formal parameter type of a function shall be the same between its 700declaration and its definition. 701 702Compliant example:: 703 704 /* In `showcase.h`: */ 705 uint32_t func_showcase(uint32_t param); 706 707 /* In `showcase.c`: */ 708 #include "showcase.h" 709 710 uint32_t func_showcase(uint32_t param) 711 { 712 return param; 713 } 714 715.. rst-class:: non-compliant-code 716 717 Non-compliant example:: 718 719 /* In `showcase.h`: */ 720 uint32_t func_showcase(uint64_t param); 721 722 /* In `showcase.c`: */ 723 #include "showcase.h" 724 725 uint32_t func_showcase(uint32_t param) 726 { 727 return param; 728 } 729 730 731C-FN-11: The return type of a function shall be consistent 732========================================================== 733 734The return type of a function shall be the same between its declaration and its 735definition. 736 737Compliant example:: 738 739 /* In `showcase.h`: */ 740 uint32_t func_showcase(uint32_t param); 741 742 /* In `showcase.c`: */ 743 #include "showcase.h" 744 745 uint32_t func_showcase(uint32_t param) 746 { 747 return param; 748 } 749 750.. rst-class:: non-compliant-code 751 752 Non-compliant example:: 753 754 /* In `showcase.h`: */ 755 uint64_t func_showcase(uint64_t param); 756 757 /* In `showcase.c`: */ 758 #include "showcase.h" 759 760 uint32_t func_showcase(uint32_t param) 761 { 762 return param; 763 } 764 765 766C-FN-12: Banned functions shall not be used 767=========================================== 768 769The following cases shall be covered: 770 771a) These dynamic memory allocation functions shall not be used: ``calloc``, 772 ``malloc``, ``realloc``, and ``free``. Dynamic memory allocation shall be 773 replaced with static memory allocation. 774b) The functions ``va_arg``, ``va_start``, and ``va_end`` shall be used only 775 within variadic functions (functions taking a variable number of 776 parameters) such as ``printf``. 777 778Compliant example:: 779 780 uint32_t showcase_array[32]; 781 782.. rst-class:: non-compliant-code 783 784 Non-compliant example:: 785 786 uint32_t *showcase_ptr = (uint32_t *)malloc(32U * sizeof(uint32_t)); 787 788 789C-FN-13: All declared functions shall have a corresponding definition 790===================================================================== 791 792Compliant example:: 793 794 /* In `showcase.h`: */ 795 /* declaration */ 796 uint32_t func_showcase(uint32_t param); 797 798 /* In `showcase.c`: */ 799 #include "showcase.h" 800 801 /* definition */ 802 uint32_t func_showcase(uint32_t param) 803 { 804 return param; 805 } 806 807.. rst-class:: non-compliant-code 808 809 Non-compliant example:: 810 811 /* In `showcase.h`: */ 812 /* declaration */ 813 uint32_t func_showcase(uint32_t param); 814 815 /* There is no definition of `func_showcase` anywhere in the source files */ 816 817 818C-FN-14: All defined functions shall be used 819============================================ 820 821All defined functions shall be used, either called explicitly or indirectly 822via the address. Otherwise, the function shall be removed. The following case 823is an exception: Some extra functions may be kept in order to provide a more 824complete library of APIs. These functions may be implemented but not used. 825These functions will come in handy in the future. In this case, 826these functions may remain. 827 828Compliant example:: 829 830 /* In `showcase.h`: */ 831 uint32_t func_showcase(uint32_t param); 832 833 /* In `showcase.c`: */ 834 #include "showcase.h" 835 836 uint32_t func_showcase(uint32_t param) 837 { 838 return param; 839 } 840 841 /* In `main.c`: */ 842 #include "showcase.h" 843 844 void main(void) 845 { 846 uint32_t showcase; 847 848 showcase = func_showcase(32U); 849 } 850 851.. rst-class:: non-compliant-code 852 853 Non-compliant example:: 854 855 /* In `showcase.h`: */ 856 uint32_t func_showcase(uint32_t param); 857 858 /* In `showcase.c`: */ 859 #include "showcase.h" 860 861 /* There is no usage of `func_showcase` anywhere in all source files */ 862 uint32_t func_showcase(uint32_t param) 863 { 864 return param; 865 } 866 867 868C-FN-15: A function shall not return a pointer to a local object 869================================================================ 870 871A function shall not return a pointer to a local object, either directly or 872within a returned structure or array. 873 874Compliant example:: 875 876 struct struct_showcase 877 { 878 uint32_t temp_32; 879 uint64_t temp_64; 880 }; 881 882 struct struct_showcase func_showcase(void) 883 { 884 struct struct_showcase showcase; 885 uint32_t showcase_u32 = 32U; 886 uint64_t showcase_u64 = 64UL; 887 888 showcase.temp_32 = showcase_u32; 889 showcase.temp_64 = showcase_u64; 890 891 return showcase; 892 } 893 894.. rst-class:: non-compliant-code 895 896 Non-compliant example:: 897 898 struct struct_showcase 899 { 900 uint32_t *temp_32; 901 uint64_t *temp_64; 902 }; 903 904 struct struct_showcase func_showcase(void) 905 { 906 struct struct_showcase showcase; 907 uint32_t showcase_u32 = 32U; 908 uint64_t showcase_u64 = 64UL; 909 910 showcase.temp_32 = &showcase_u32; 911 showcase.temp_64 = &showcase_u64; 912 913 return showcase; 914 } 915 916 917 918C-FN-16: Mixed-use of C code and assembly code in a single function shall not be allowed 919======================================================================================== 920 921A function with mixed-use of C code and assembly code shall be split into 922multiple sub-functions to separate the usage of C code and assembly code. 923 924Compliant example:: 925 926 void asm_hlt(void) 927 { 928 asm volatile ("hlt"); 929 } 930 931 void func_showcase(void) 932 { 933 bool showcase_flag = true; 934 935 if (showcase_flag) { 936 asm_hlt(); 937 } 938 } 939 940.. rst-class:: non-compliant-code 941 942 Non-compliant example:: 943 944 void func_showcase(void) 945 { 946 bool showcase_flag = true; 947 948 if (showcase_flag) { 949 asm volatile ("hlt"); 950 } 951 } 952 953 954C-FN-17: The return value of a non-void function shall be either used or discarded 955================================================================================== 956 957The return value of a non-void function shall be either used or discarded 958explicitly via ``(void)``. If the return value contains the error code, this 959return value shall be checked in all possible paths. 960 961Compliant example:: 962 963 /** Indicates that argument is not valid. */ 964 #define EINVAL 22 965 966 int32_t func_showcase(uint32_t param) 967 { 968 int32_t error; 969 970 if (param < 32U) { 971 error = 0; 972 } else { 973 error = -EINVAL; 974 } 975 976 return error; 977 } 978 979 void main(uint32_t index) 980 { 981 int32_t error; 982 uint32_t test; 983 uint32_t array_showcase[32]; 984 985 error = func_showcase(index); 986 987 if (error == 0) { 988 test = array_showcase[index]; 989 } 990 } 991 992.. rst-class:: non-compliant-code 993 994 Non-compliant example:: 995 996 /** Indicates that argument is not valid. */ 997 #define EINVAL 22 998 999 int32_t func_showcase(uint32_t param) 1000 { 1001 int32_t error; 1002 1003 if (param < 32U) { 1004 error = 0; 1005 } else { 1006 error = -EINVAL; 1007 } 1008 1009 return error; 1010 } 1011 1012 void main(uint32_t index) 1013 { 1014 int32_t error; 1015 uint32_t test; 1016 uint32_t array_showcase[32]; 1017 1018 error = func_showcase(index); 1019 1020 test = array_showcase[index]; 1021 } 1022 1023 1024C-FN-18: The array size shall be valid if the array is a function input parameter 1025================================================================================= 1026 1027This is to guarantee that the destination array has sufficient space for the 1028operation, such as copy, move, compare, and concatenate. 1029 1030Compliant example:: 1031 1032 void showcase(uint32_t array_source[16]) 1033 { 1034 uint32_t array_destination[16]; 1035 1036 (void)memcpy(array_destination, array_source, 16U); 1037 } 1038 1039.. rst-class:: non-compliant-code 1040 1041 Non-compliant example:: 1042 1043 void showcase(uint32_t array_source[32]) 1044 { 1045 uint32_t array_destination[16]; 1046 1047 (void)memcpy(array_destination, array_source, 32U); 1048 } 1049 1050 1051C-FN-19: Recursion shall not be used in function calls 1052====================================================== 1053 1054Compliant example:: 1055 1056 uint32_t func_showcase(uint32_t param) { 1057 uint32_t mult = 1; 1058 uint32_t i; 1059 1060 for (i = param; i > 0U; i--) { 1061 mult = mult * i; 1062 } 1063 1064 return mult; 1065 } 1066 1067.. rst-class:: non-compliant-code 1068 1069 Non-compliant example:: 1070 1071 uint32_t func_showcase(uint32_t param) { 1072 uint32_t mult = 1; 1073 1074 if (param > 0U) { 1075 mult = param * func_showcase(param - 1); 1076 } 1077 1078 return mult; 1079 } 1080 1081 1082C-FN-20: Each function shall have at most 6 parameters 1083====================================================== 1084 1085Compliant example:: 1086 1087 void func_showcase(uint32_t param_1, uint32_t param_2, uint32_t param_3, 1088 uint32_t param_4, uint32_t param_5, uint32_t param_6) { 1089 ... 1090 } 1091 1092.. rst-class:: non-compliant-code 1093 1094 Non-compliant example:: 1095 1096 void func_showcase(uint32_t param_1, uint32_t param_2, uint32_t param_3, 1097 uint32_t param_4, uint32_t param_5, uint32_t param_6, 1098 uint32_t param_7) { 1099 ... 1100 } 1101 1102 1103Statements 1104********** 1105 1106C-ST-01: The condition of a selection or iteration statement shall not be constant 1107================================================================================== 1108 1109The condition of a selection or iteration statement shall not be constant with 1110the following exception: ``do { ... } while (0)`` shall be allowed if it is 1111used in a MACRO. 1112 1113Compliant example:: 1114 1115 void func_showcase(uint32_t param) 1116 { 1117 if (param != 0U) { 1118 printf("param %d \n", param); 1119 } 1120 } 1121 1122.. rst-class:: non-compliant-code 1123 1124 Non-compliant example:: 1125 1126 void func_showcase(uint32_t param) 1127 { 1128 if (false) { 1129 printf("param %d \n", param); 1130 } 1131 } 1132 1133 1134C-ST-02: The loop body shall be enclosed with brackets 1135====================================================== 1136 1137Compliant example:: 1138 1139 uint32_t i; 1140 1141 for (i = 0U; i < 5U; i++) { 1142 printf("count: %d \n", i); 1143 } 1144 1145.. rst-class:: non-compliant-code 1146 1147 Non-compliant example:: 1148 1149 uint32_t i; 1150 1151 for (i = 0U; i < 5U; i++) 1152 printf("count: %d \n", i); 1153 1154 1155C-ST-03: Infinite loop shall not exist 1156====================================== 1157 1158Every path in the iteration loop shall have the chance to exit. 1159 1160Compliant example:: 1161 1162 uint32_t count = 10U; 1163 bool showcase_flag = false; 1164 1165 while (count > 5U) 1166 { 1167 if (showcase_flag) { 1168 count--; 1169 } else { 1170 count = count - 2U; 1171 } 1172 } 1173 1174.. rst-class:: non-compliant-code 1175 1176 Non-compliant example:: 1177 1178 uint32_t count = 10U; 1179 bool showcase_flag = false; 1180 1181 while (count > 5U) 1182 { 1183 if (showcase_flag) { 1184 count--; 1185 } 1186 } 1187 1188 1189C-ST-04: The else statement shall not be empty if it is following an else if 1190============================================================================ 1191 1192Either a non-null statement or a comment shall be included in the ``else`` 1193statement. This is to guarantee that the developers have considered all of the 1194possible cases. 1195 1196Compliant example:: 1197 1198 uint32_t param, showcase; 1199 1200 if (param < 10U) { 1201 showcase = 10U; 1202 } else if (param < 20U) { 1203 showcase = 20U; 1204 } else { 1205 showcase = 30U; 1206 } 1207 1208.. rst-class:: non-compliant-code 1209 1210 Non-compliant example:: 1211 1212 uint32_t param, showcase; 1213 1214 if (param < 10U) { 1215 showcase = 10U; 1216 } else if (param < 20U) { 1217 showcase = 20U; 1218 } else { 1219 } 1220 1221 1222C-ST-05: A switch statement shall have the default statement 1223============================================================ 1224 1225This is to guarantee that the developers have considered all of the possible 1226cases. 1227 1228Compliant example:: 1229 1230 char showcase; 1231 1232 switch (showcase) { 1233 case 'a': 1234 /* do something */ 1235 break; 1236 case 'A': 1237 /* do something */ 1238 break; 1239 default: 1240 /* do something */ 1241 break; 1242 } 1243 1244.. rst-class:: non-compliant-code 1245 1246 Non-compliant example:: 1247 1248 char showcase; 1249 1250 switch (showcase) { 1251 case 'a': 1252 /* do something */ 1253 break; 1254 case 'A': 1255 /* do something */ 1256 break; 1257 } 1258 1259 1260C-ST-06: Every switch clause shall be terminated with a break statement 1261======================================================================= 1262 1263Falling through a case shall not be allowed. 1264 1265Compliant example:: 1266 1267 char showcase; 1268 1269 switch (showcase) { 1270 case 'a': 1271 /* do something */ 1272 break; 1273 case 'A': 1274 /* do something */ 1275 break; 1276 default: 1277 /* do something */ 1278 break; 1279 } 1280 1281.. rst-class:: non-compliant-code 1282 1283 Non-compliant example:: 1284 1285 char showcase; 1286 1287 switch (showcase) { 1288 case 'a': 1289 /* do something */ 1290 case 'A': 1291 /* do something */ 1292 default: 1293 /* do something */ 1294 break; 1295 } 1296 1297 1298C-ST-07: The for loop counter shall not be changed inside the loop body 1299======================================================================= 1300 1301Compliant example:: 1302 1303 uint32_t i; 1304 1305 for (i = 0U; i < 5U; i++) { 1306 printf("count: %d \n", i); 1307 } 1308 1309.. rst-class:: non-compliant-code 1310 1311 Non-compliant example:: 1312 1313 uint32_t i; 1314 1315 for (i = 0U; i < 5U; i++) { 1316 printf("count: %d \n", i); 1317 i++; 1318 } 1319 1320 1321C-ST-08: ``goto`` statement shall not be used 1322============================================== 1323 1324Compliant example:: 1325 1326 uint32_t showcase(uint32_t param) 1327 { 1328 uint32_t ret; 1329 1330 if (param < 10U) { 1331 ret = 10U; 1332 } else { 1333 ret = param; 1334 /* do something */ 1335 } 1336 1337 return ret; 1338 } 1339 1340.. rst-class:: non-compliant-code 1341 1342 Non-compliant example:: 1343 1344 uint32_t showcase(uint32_t param) 1345 { 1346 uint32_t ret; 1347 1348 if (param < 10U) { 1349 ret = 10U; 1350 goto done; 1351 } else { 1352 ret = param; 1353 } 1354 1355 /* do something */ 1356 1357 done: 1358 return ret; 1359 } 1360 1361 1362 1363Expressions 1364*********** 1365 1366C-EP-01: The initialization expression of a for loop shall be simple 1367==================================================================== 1368 1369The initialization expression of a for loop shall be used only to initialize 1370the loop counter. All other operations shall not be allowed. 1371 1372Compliant example:: 1373 1374 uint32_t i; 1375 1376 for (i = 0U; i < 5U; i++) { 1377 printf("count: %d \n", i); 1378 } 1379 1380.. rst-class:: non-compliant-code 1381 1382 Non-compliant example:: 1383 1384 uint32_t i; 1385 uint32_t showcase = 0U; 1386 1387 for (i = 0U, showcase = 10U; i < 5U; i++) { 1388 printf("count: %d \n", i); 1389 } 1390 1391 1392C-EP-02: The controlling expression of a for loop shall not be empty 1393==================================================================== 1394 1395Compliant example:: 1396 1397 uint32_t i; 1398 1399 for (i = 0U; i < 5U; i++) { 1400 printf("count: %d \n", i); 1401 } 1402 1403.. rst-class:: non-compliant-code 1404 1405 Non-compliant example:: 1406 1407 uint32_t i; 1408 1409 for (i = 0U; ; i++) { 1410 printf("count: %d \n", i); 1411 if (i > 4U) { 1412 break; 1413 } 1414 } 1415 1416 1417C-EP-03: The third expression of a for loop shall be simple 1418=========================================================== 1419 1420The third expression of a for loop shall be used only to increase or decrease 1421the loop counter with the following operators: ++, --, +=, or -=. All other 1422operations shall not be allowed. 1423 1424Compliant example:: 1425 1426 uint32_t i; 1427 1428 for (i = 0U; i < 5U; i++) { 1429 printf("count: %d \n", i); 1430 } 1431 1432.. rst-class:: non-compliant-code 1433 1434 Non-compliant example:: 1435 1436 uint32_t i; 1437 uint32_t showcase = 0U; 1438 1439 for (i = 0U; i < 5U; i++, showcase++) { 1440 printf("count: %d \n", i); 1441 } 1442 1443 1444C-EP-04: The evaluation order of an expression shall not influence the result 1445============================================================================= 1446 1447Compliant example:: 1448 1449 uint32_t showcase = 0U; 1450 uint32_t showcase_test = 10U; 1451 1452 showcase++; 1453 showcase_test = showcase_test + showcase; 1454 1455.. rst-class:: non-compliant-code 1456 1457 Non-compliant example:: 1458 1459 uint32_t showcase = 0U; 1460 uint32_t showcase_test = 10U; 1461 1462 showcase_test = showcase_test + ++showcase; 1463 1464 1465C-EP-05: Parentheses shall be used to set the operator precedence explicitly 1466============================================================================ 1467 1468Compliant example:: 1469 1470 uint32_t showcase_u32_1 = 0U; 1471 uint32_t showcase_u32_2 = 0xFFU; 1472 uint32_t showcase_u32_3; 1473 1474 showcase_u32_3 = showcase_u32_1 * (showcase_u32_2 >> 4U); 1475 1476.. rst-class:: non-compliant-code 1477 1478 Non-compliant example:: 1479 1480 uint32_t showcase_u32_1 = 0U; 1481 uint32_t showcase_u32_2 = 0xFU; 1482 uint32_t showcase_u32_3; 1483 1484 showcase_u32_3 = showcase_u32_1 * showcase_u32_2 >> 4U; 1485 1486 1487C-EP-06: Overflow shall not be allowed 1488====================================== 1489 1490Compliant example:: 1491 1492 uint8_t showcase = 255U; 1493 1494.. rst-class:: non-compliant-code 1495 1496 Non-compliant example:: 1497 1498 uint8_t showcase = 255U + 1U; 1499 1500 1501C-EP-07: Negation shall not be performed on an unsigned expression 1502================================================================== 1503 1504Compliant example:: 1505 1506 int32_t showcase = -10; 1507 1508.. rst-class:: non-compliant-code 1509 1510 Non-compliant example:: 1511 1512 int32_t showcase = -10U; 1513 1514 1515C-EP-08: The address of an object shall not be assigned to a different object with a longer lifetime 1516==================================================================================================== 1517 1518Compliant example:: 1519 1520 void func_showcase(void) 1521 { 1522 uint32_t showcase_local = 32U; 1523 uint32_t *showcase_ptr_local; 1524 1525 showcase_ptr_local = &showcase_local; 1526 printf("*showcase_ptr_local %d \n", *showcase_ptr_local); 1527 } 1528 1529.. rst-class:: non-compliant-code 1530 1531 Non-compliant example:: 1532 1533 uint32_t *showcase_ptr_global; 1534 1535 void func_showcase(void) 1536 { 1537 uint32_t showcase_local = 32U; 1538 uint32_t *showcase_ptr_local; 1539 1540 showcase_ptr_local = &showcase_local; 1541 showcase_ptr_global = showcase_ptr_local; 1542 } 1543 1544 void main(void) 1545 { 1546 func_showcase(); 1547 printf("*showcase_ptr_global %d \n", *showcase_ptr_global); 1548 } 1549 1550 1551C-EP-09: The sizeof operator shall not be used on an array function parameter 1552============================================================================= 1553 1554When an array is used as a function parameter, the array address is passed. 1555Thus, the return value of the sizeof operation is the pointer size rather than 1556the array size. 1557 1558Compliant example:: 1559 1560 #define SHOWCASE_SIZE 32U 1561 1562 void showcase(uint32_t array_source[SHOWCASE_SIZE]) 1563 { 1564 uint32_t num_bytes = SHOWCASE_SIZE * sizeof(uint32_t); 1565 1566 printf("num_bytes %d \n", num_bytes); 1567 } 1568 1569.. rst-class:: non-compliant-code 1570 1571 Non-compliant example:: 1572 1573 #define SHOWCASE_SIZE 32U 1574 1575 void showcase(uint32_t array_source[SHOWCASE_SIZE]) 1576 { 1577 uint32_t num_bytes = sizeof(array_source); 1578 1579 printf("num_bytes %d \n", num_bytes); 1580 } 1581 1582 1583C-EP-10: Argument of strlen shall end with a null character 1584=========================================================== 1585 1586Compliant example:: 1587 1588 uint32_t size; 1589 char showcase[3] = {'0', '1', '\0'}; 1590 1591 size = strlen(showcase); 1592 1593.. rst-class:: non-compliant-code 1594 1595 Non-compliant example:: 1596 1597 uint32_t size; 1598 char showcase[2] = {'0', '1'}; 1599 1600 size = strlen(showcase); 1601 1602 1603C-EP-11: Two strings shall not be copied to each other if they have memory overlap 1604================================================================================== 1605 1606Compliant example:: 1607 1608 char *str_source = "showcase"; 1609 char str_destination[32]; 1610 1611 (void)strncpy(str_destination, str_source, 8U); 1612 1613.. rst-class:: non-compliant-code 1614 1615 Non-compliant example:: 1616 1617 char *str_source = "showcase"; 1618 char *str_destination = &str_source[1]; 1619 1620 (void)strncpy(str_destination, str_source, 8U); 1621 1622 1623C-EP-12: memcpy shall not be performed on objects with overlapping memory 1624========================================================================= 1625 1626Compliant example:: 1627 1628 char *str_source = "showcase"; 1629 char str_destination[32]; 1630 1631 (void)memcpy(str_destination, str_source, 8U); 1632 1633.. rst-class:: non-compliant-code 1634 1635 Non-compliant example:: 1636 1637 char str_source[32]; 1638 char *str_destination = &str_source[1]; 1639 1640 (void)memcpy(str_destination, str_source, 8U); 1641 1642 1643C-EP-13: Assignment shall not be performed between variables with overlapping storage 1644===================================================================================== 1645 1646Compliant example:: 1647 1648 union union_showcase 1649 { 1650 uint8_t data_8[4]; 1651 uint16_t data_16[2]; 1652 }; 1653 1654 union union_showcase showcase; 1655 1656 showcase.data_16[0] = 0U; 1657 showcase.data_8[3] = (uint8_t)showcase.data_16[0]; 1658 1659.. rst-class:: non-compliant-code 1660 1661 Non-compliant example:: 1662 1663 union union_showcase 1664 { 1665 uint8_t data_8[4]; 1666 uint16_t data_16[2]; 1667 }; 1668 1669 union union_showcase showcase; 1670 1671 showcase.data_16[0] = 0U; 1672 showcase.data_8[0] = (uint8_t)showcase.data_16[0]; 1673 1674 1675C-EP-14: The destination object shall have sufficient space for operation 1676========================================================================= 1677 1678The destination object shall have sufficient space for operation, such as 1679copy, move, compare, and concatenate. Otherwise, data corruption may occur. 1680 1681Compliant example:: 1682 1683 uint32_t array_source[32]; 1684 uint32_t array_destination[32]; 1685 1686 (void)memcpy(array_destination, array_source, 32U); 1687 1688.. rst-class:: non-compliant-code 1689 1690 Non-compliant example:: 1691 1692 uint32_t array_source[32]; 1693 uint32_t array_destination[16]; 1694 1695 (void)memcpy(array_destination, array_source, 32U); 1696 1697 1698C-EP-15: The size param to memcpy/memset shall be valid 1699======================================================= 1700 1701The size param shall not be larger than either the source size or destination 1702size. Otherwise, data corruption may occur. 1703 1704Compliant example:: 1705 1706 #define SHOWCASE_BYTES (32U * sizeof(uint32_t)) 1707 1708 uint32_t array_source[32]; 1709 1710 (void)memset(array_source, 0U, SHOWCASE_BYTES); 1711 1712.. rst-class:: non-compliant-code 1713 1714 Non-compliant example:: 1715 1716 #define SHOWCASE_BYTES (32U * sizeof(uint32_t)) 1717 1718 uint32_t array_source[32]; 1719 1720 (void)memset(array_source, 0U, 2U * SHOWCASE_BYTES); 1721 1722 1723C-EP-16: The denominator of a divide shall not be zero 1724====================================================== 1725 1726The denominator of a divide shall be checked before use. 1727 1728Compliant example:: 1729 1730 uint32_t numerator = 32U; 1731 uint32_t denominator = 0U; 1732 1733 if (denominator != 0U) { 1734 uint32_t quotient = numerator / denominator; 1735 } 1736 1737.. rst-class:: non-compliant-code 1738 1739 Non-compliant example:: 1740 1741 uint32_t numerator = 32U; 1742 uint32_t denominator = 0U; 1743 1744 uint32_t quotient = numerator / denominator; 1745 1746 1747C-EP-17: A NULL pointer shall not be dereferenced 1748================================================= 1749 1750A pointer shall be checked before use. 1751 1752Compliant example:: 1753 1754 uint32_t *showcase_ptr = NULL; 1755 1756 if (showcase_ptr != NULL) { 1757 uint32_t showcase = *showcase_ptr; 1758 } 1759 1760.. rst-class:: non-compliant-code 1761 1762 Non-compliant example:: 1763 1764 uint32_t *showcase_ptr = NULL; 1765 1766 uint32_t showcase = *showcase_ptr; 1767 1768 1769C-EP-18: A string literal shall not be modified 1770=============================================== 1771 1772Compliant example:: 1773 1774 const char *showcase = "showcase"; 1775 1776 printf("%s \n", showcase); 1777 1778.. rst-class:: non-compliant-code 1779 1780 Non-compliant example:: 1781 1782 char *showcase = "showcase"; 1783 1784 showcase[0] = 'S'; 1785 printf("%s \n", showcase); 1786 1787 1788C-EP-19: ++ or -- operation shall be used with restrictions 1789============================================================ 1790 1791Only the following cases shall be allowed: 1792 1793a) ++ or -- operation shall be allowed if it is used alone in the expression. 1794b) ++ or -- operation shall be allowed if it is used as the third expression 1795 of a for loop. 1796 1797Compliant example:: 1798 1799 uint32_t showcase = 0U; 1800 1801 showcase++; 1802 1803.. rst-class:: non-compliant-code 1804 1805 Non-compliant example:: 1806 1807 uint32_t showcase = 0U; 1808 uint32_t showcase_test; 1809 1810 showcase_test = showcase++; 1811 1812 1813C-EP-20: Array indexing shall be in-bounds 1814========================================== 1815 1816An array index value shall be between zero (for the first element) and the 1817array size minus one (for the last element). Out-of-bounds array references 1818are an undefined behavior and shall be avoided. 1819 1820Compliant example:: 1821 1822 char showcase_array[4] = {'s', 'h', 'o', 'w'}; 1823 1824 char showcase = showcase_array[0]; 1825 1826.. rst-class:: non-compliant-code 1827 1828 Non-compliant example:: 1829 1830 char showcase_array[4] = {'s', 'h', 'o', 'w'}; 1831 1832 char showcase = showcase_array[10]; 1833 1834 1835C-EP-21: The comma operator shall not be used 1836============================================= 1837 1838Compliant example:: 1839 1840 uint32_t showcase_a = 10U; 1841 uint32_t showcase_b = 20U; 1842 1843 showcase_a++; 1844 showcase_b++; 1845 1846.. rst-class:: non-compliant-code 1847 1848 Non-compliant example:: 1849 1850 uint32_t showcase_a = 10U; 1851 uint32_t showcase_b = 20U; 1852 1853 showcase_a++, showcase_b++; 1854 1855 1856C-EP-22: Magic numbers shall be used with restrictions 1857====================================================== 1858 1859Only the following cases shall be allowed: 1860 1861a) The magic number is defined as a MACRO with a name clearly indicating its 1862 meaning. 1863b) The meaning of the magic number is clearly documented in the comments 1864 before its usage. 1865c) The meaning of the magic number is straightforward in the specific context. 1866 1867Compliant example:: 1868 1869 #define APIC_ID_MASK 0xff000000U 1870 1871 uint32_t showcase = APIC_ID_MASK; 1872 1873.. rst-class:: non-compliant-code 1874 1875 Non-compliant example:: 1876 1877 uint32_t showcase = 0xff000000U; 1878 1879 1880C-EP-23: Pointer arithmetic shall be used with restrictions 1881=========================================================== 1882 1883Pointer arithmetic shall be performed on an array if it is possible. If not, 1884the data type and the value range of this pointer shall be checked before 1885access to ensure that the pointer reference is within the correct 1886address space. 1887 1888Compliant example:: 1889 1890 #define SHOWCASE_SIZE 32U 1891 1892 uint32_t showcase_arr[SHOWCASE_SIZE]; 1893 uint32_t i; 1894 1895 for (i = 0U; i < SHOWCASE_SIZE; i++) { 1896 showcase_arr[i] = i; 1897 } 1898 1899.. rst-class:: non-compliant-code 1900 1901 Non-compliant example:: 1902 1903 #define SHOWCASE_SIZE 32U 1904 1905 uint32_t *showcase_ptr; 1906 uint32_t i; 1907 1908 for (i = 0U; i < SHOWCASE_SIZE; i++) { 1909 *showcase_ptr = i; 1910 showcase_ptr = showcase_ptr + 1U; 1911 } 1912 1913 1914 1915Types 1916***** 1917 1918C-TY-01: The function return value shall be consistent with the declared return type 1919==================================================================================== 1920 1921Compliant example:: 1922 1923 uint32_t func_showcase(uint32_t param) 1924 { 1925 if (param < 10U) { 1926 return 10U; 1927 } else { 1928 return 20U; 1929 } 1930 } 1931 1932.. rst-class:: non-compliant-code 1933 1934 Non-compliant example:: 1935 1936 uint32_t func_showcase(uint32_t param) 1937 { 1938 if (param < 10U) { 1939 return 10U; 1940 } else { 1941 return -1; 1942 } 1943 } 1944 1945 1946C-TY-02: The operands of bit operations shall be unsigned 1947========================================================= 1948 1949Compliant example:: 1950 1951 uint32_t showcase = 32U; 1952 uint32_t mask = 0xFU; 1953 1954 showcase = showcase & mask; 1955 1956.. rst-class:: non-compliant-code 1957 1958 Non-compliant example:: 1959 1960 uint32_t showcase = 32U; 1961 int32_t mask = -1; 1962 1963 showcase = showcase & mask; 1964 1965 1966C-TY-03: Mixed-use of Boolean values and integers shall not be allowed 1967====================================================================== 1968 1969Some detailed rules are listed below: 1970 1971a) The operands of the arithmetic operation shall be integers. 1972b) The operands of the logical operation shall be Boolean values. 1973c) The controlling expression of a selection or iteration statement shall be 1974 Boolean. 1975d) A Boolean type expression shall be used where Boolean is expected. 1976 1977Compliant example:: 1978 1979 bool showcase_flag = true; 1980 uint32_t exp = 32U; 1981 uint32_t cond_exp = 64U; 1982 1983 uint32_t showcase = showcase_flag ? exp : cond_exp; 1984 1985.. rst-class:: non-compliant-code 1986 1987 Non-compliant example:: 1988 1989 uint32_t showcase_flag = 1U; 1990 uint32_t exp = 32U; 1991 uint32_t cond_exp = 64U; 1992 1993 uint32_t showcase = showcase_flag ? exp : cond_exp; 1994 1995 1996C-TY-04: The enum shall not be used for arithmetic operations 1997============================================================= 1998 1999Only the following operations on enum shall be allowed: 2000 2001a) enum assignment shall be allowed if the operands of = operation have the 2002 same enum type. 2003b) enum comparison shall be allowed, including the operators ==, !=, >, <, >=, 2004 and <=. 2005 2006Compliant example:: 2007 2008 enum enum_showcase { 2009 ENUM_SHOWCASE_0, 2010 ENUM_SHOWCASE_1 2011 }; 2012 2013 enum enum_showcase showcase_0 = ENUM_SHOWCASE_0; 2014 enum enum_showcase showcase_1 = showcase_0; 2015 2016.. rst-class:: non-compliant-code 2017 2018 Non-compliant example:: 2019 2020 enum enum_showcase { 2021 ENUM_SHOWCASE_0, 2022 ENUM_SHOWCASE_1 2023 }; 2024 2025 enum enum_showcase showcase_0 = ENUM_SHOWCASE_0; 2026 enum enum_showcase showcase_1 = showcase_0 + 1U; 2027 2028 2029C-TY-05: static keyword shall not be used in an array index declaration 2030======================================================================= 2031 2032Compliant example:: 2033 2034 char showcase[2] = {'0', '1'}; 2035 char chr; 2036 2037 chr = showcase[1]; 2038 2039.. rst-class:: non-compliant-code 2040 2041 Non-compliant example:: 2042 2043 char showcase[2] = {'0', '1'}; 2044 char chr; 2045 2046 chr = showcase[static 1]; 2047 2048 2049C-TY-06: A pointer shall point to a const object if the object is not modified 2050============================================================================== 2051 2052Compliant example:: 2053 2054 void func_showcase(const uint32_t *ptr) 2055 { 2056 printf("value: %d \n", *ptr); 2057 } 2058 2059.. rst-class:: non-compliant-code 2060 2061 Non-compliant example:: 2062 2063 void func_showcase(uint32_t *ptr) 2064 { 2065 printf("value: %d \n", *ptr); 2066 } 2067 2068 2069C-TY-07: The expressions type in a ternary operation shall be consistent 2070======================================================================== 2071 2072Compliant example:: 2073 2074 bool showcase_flag = true; 2075 uint32_t exp = 32U; 2076 uint32_t cond_exp = 64U; 2077 2078 uint32_t showcase = showcase_flag ? exp : cond_exp; 2079 2080.. rst-class:: non-compliant-code 2081 2082 Non-compliant example:: 2083 2084 bool showcase_flag = true; 2085 int32_t exp = -1; 2086 uint32_t cond_exp = 64U; 2087 2088 uint32_t showcase = showcase_flag ? exp : cond_exp; 2089 2090 2091C-TY-08: The struct field type shall be consistent 2092================================================== 2093 2094The struct field type shall be consistent between its definition and 2095initialization. 2096 2097Compliant example:: 2098 2099 struct struct_showcase 2100 { 2101 uint32_t temp_32; 2102 uint64_t temp_64; 2103 }; 2104 2105 struct struct_showcase showcase = {32U, 64UL}; 2106 2107.. rst-class:: non-compliant-code 2108 2109 Non-compliant example:: 2110 2111 struct struct_showcase 2112 { 2113 uint32_t temp_32; 2114 uint64_t temp_64; 2115 }; 2116 2117 struct struct_showcase showcase = {32U, -1}; 2118 2119 2120C-TY-09: The type used in a switch statement shall be consistent 2121================================================================ 2122 2123The type shall be consistent between the case expression and the controlling 2124expression of switch statement. 2125 2126Compliant example:: 2127 2128 enum enum_showcase { 2129 ENUM_SHOWCASE_0, 2130 ENUM_SHOWCASE_1, 2131 ENUM_SHOWCASE_2 2132 }; 2133 2134 enum enum_showcase showcase; 2135 2136 switch (showcase) { 2137 case ENUM_SHOWCASE_0: 2138 /* showcase */ 2139 break; 2140 case ENUM_SHOWCASE_1: 2141 /* showcase */ 2142 break; 2143 default: 2144 /* showcase */ 2145 break; 2146 } 2147 2148.. rst-class:: non-compliant-code 2149 2150 Non-compliant example:: 2151 2152 enum enum_showcase { 2153 ENUM_SHOWCASE_0, 2154 ENUM_SHOWCASE_1, 2155 ENUM_SHOWCASE_2 2156 }; 2157 2158 enum enum_showcase showcase; 2159 2160 switch (showcase) { 2161 case ENUM_SHOWCASE_0: 2162 /* showcase */ 2163 break; 2164 case 1U: 2165 /* showcase */ 2166 break; 2167 default: 2168 /* showcase */ 2169 break; 2170 } 2171 2172 2173C-TY-10: const qualifier shall not be discarded in a cast operation 2174=================================================================== 2175 2176Compliant example:: 2177 2178 const uint32_t *showcase_const; 2179 const uint32_t *showcase = showcase_const; 2180 2181.. rst-class:: non-compliant-code 2182 2183 Non-compliant example:: 2184 2185 const uint32_t *showcase_const; 2186 uint32_t *showcase = (uint32_t *)showcase_const; 2187 2188 2189C-TY-11: A variable shall be declared as static if it is used only in the file where it is declared 2190=================================================================================================== 2191 2192Compliant example:: 2193 2194 /* In `showcase.c`: */ 2195 /* `showcase` is only in `showcase.c` */ 2196 static uint32_t showcase; 2197 2198.. rst-class:: non-compliant-code 2199 2200 Non-compliant example:: 2201 2202 /* In `showcase.c`: */ 2203 /* `showcase` is only in `showcase.c` */ 2204 uint32_t showcase; 2205 2206 2207C-TY-12: All type conversions shall be explicit 2208=============================================== 2209 2210Implicit type conversions shall not be allowed. 2211 2212Compliant example:: 2213 2214 uint32_t showcase_u32; 2215 uint64_t showcase_u64 = 64UL; 2216 2217 showcase_u32 = (uint32_t)showcase_u64; 2218 2219.. rst-class:: non-compliant-code 2220 2221 Non-compliant example:: 2222 2223 uint32_t showcase_u32; 2224 uint64_t showcase_u64 = 64UL; 2225 2226 showcase_u32 = showcase_u64; 2227 2228 2229C-TY-13: Cast shall be performed on operands rather than arithmetic expressions 2230=============================================================================== 2231 2232Compliant example:: 2233 2234 uint32_t showcase_u32_1 = 10U; 2235 uint32_t showcase_u32_2 = 10U; 2236 uint64_t showcase_u64; 2237 2238 showcase_u64 = (uint64_t)showcase_u32_1 + (uint64_t)showcase_u32_2; 2239 2240.. rst-class:: non-compliant-code 2241 2242 Non-compliant example:: 2243 2244 uint32_t showcase_u32_1 = 10U; 2245 uint32_t showcase_u32_2 = 10U; 2246 uint64_t showcase_u64; 2247 2248 showcase_u64 = (uint64_t)(showcase_u32_1 + showcase_u32_2); 2249 2250 2251C-TY-14: A complex integer expression shall not be cast to types other than integer 2252=================================================================================== 2253 2254Compliant example:: 2255 2256 /* 0x61 is 'a' in ASCII Table */ 2257 uint32_t showcase_u32; 2258 char showcase_char; 2259 2260 showcase_u32 = 0x61U + 1U; 2261 showcase_char = (char)showcase_u32; 2262 2263.. rst-class:: non-compliant-code 2264 2265 Non-compliant example:: 2266 2267 /* 0x61 is 'a' in ASCII Table */ 2268 uint32_t showcase_u32; 2269 char showcase_char; 2270 2271 showcase_u32 = 0x61U; 2272 showcase_char = (char)(showcase_u32 + 1U); 2273 2274 2275C-TY-15: Integer shall not be used when a character is expected 2276=============================================================== 2277 2278Compliant example:: 2279 2280 char showcase; 2281 2282 switch (showcase) { 2283 case 'a': 2284 /* do something */ 2285 break; 2286 case 'A': 2287 /* do something */ 2288 break; 2289 default: 2290 break; 2291 } 2292 2293.. rst-class:: non-compliant-code 2294 2295 Non-compliant example:: 2296 2297 char showcase; 2298 2299 switch (showcase) { 2300 /* 0x61 is 'a' in ASCII Table */ 2301 case 0x61: 2302 /* do something */ 2303 break; 2304 case 'A': 2305 /* do something */ 2306 break; 2307 default: 2308 break; 2309 } 2310 2311 2312C-TY-16: A pointer shall not be cast to any other types 2313======================================================= 2314 2315Compliant example:: 2316 2317 uint64_t *showcase_ptr; 2318 2319 uint64_t showcase = *showcase_ptr; 2320 2321.. rst-class:: non-compliant-code 2322 2323 Non-compliant example:: 2324 2325 uint64_t *showcase_ptr; 2326 2327 uint64_t showcase = (uint64_t)showcase_ptr; 2328 2329 2330C-TY-17: A pointer shall not be cast from any other types 2331========================================================= 2332 2333Only the following pointer assignment shall be allowed: 2334 2335a) Assignment shall be allowed via the address operator ``&``. 2336b) Assignment shall be allowed if the objects pointed to by the two pointers 2337 are of the same type. 2338 2339Compliant example:: 2340 2341 uint64_t showcase = 10UL; 2342 2343 uint64_t *showcase_ptr = &showcase; 2344 2345.. rst-class:: non-compliant-code 2346 2347 Non-compliant example:: 2348 2349 uint64_t showcase = 10UL; 2350 2351 uint64_t *showcase_ptr = (uint64_t *)showcase; 2352 2353 2354C-TY-18: All types declared by typedef shall be used 2355==================================================== 2356 2357Typedefs that are not used shall be deleted. 2358 2359Compliant example:: 2360 2361 typedef unsigned int uint32_t; 2362 2363 uint32_t showcase; 2364 2365.. rst-class:: non-compliant-code 2366 2367 Non-compliant example:: 2368 2369 typedef unsigned int uint32_t; 2370 /* uint32_t_backup is not being used anywhere */ 2371 typedef unsigned int uint32_t_backup; 2372 2373 uint32_t showcase; 2374 2375 2376C-TY-19: Array indexing shall be performed only on array type 2377============================================================= 2378 2379Compliant example:: 2380 2381 char showcase[4] = {'s', 'h', 'o', 'w'}; 2382 2383 char chr = showcase[1]; 2384 2385.. rst-class:: non-compliant-code 2386 2387 Non-compliant example:: 2388 2389 char *showcase = "show"; 2390 2391 char chr = showcase[1]; 2392 2393 2394C-TY-20: The actual parameter type shall be the same as the formal parameter type 2395================================================================================= 2396 2397Compliant example:: 2398 2399 void func_showcase(uint32_t formal_param) 2400 { 2401 printf("formal_param: %d \n", formal_param); 2402 } 2403 2404 void main(void) 2405 { 2406 uint32_t actual_param = 32U; 2407 2408 func_showcase(actual_param); 2409 } 2410 2411.. rst-class:: non-compliant-code 2412 2413 Non-compliant example:: 2414 2415 void func_showcase(uint32_t formal_param) 2416 { 2417 printf("formal_param: %d \n", formal_param); 2418 } 2419 2420 void main(void) 2421 { 2422 uint64_t actual_param = 32UL; 2423 2424 func_showcase(actual_param); 2425 } 2426 2427 2428C-TY-21: A bit-field shall be a signed integer, unsigned integer, or bool 2429========================================================================= 2430 2431All the other types shall not be allowed. 2432 2433Compliant example:: 2434 2435 struct struct_showcase 2436 { 2437 uint8_t function : 3; 2438 uint8_t device : 5; 2439 uint8_t bus; 2440 }; 2441 2442.. rst-class:: non-compliant-code 2443 2444 Non-compliant example:: 2445 2446 struct struct_showcase 2447 { 2448 int function : 3; 2449 int device : 5; 2450 int bus; 2451 }; 2452 2453 2454C-TY-22: Cast shall not be performed on pointers with different object types 2455============================================================================ 2456 2457Compliant example:: 2458 2459 struct struct_showcase 2460 { 2461 uint32_t *temp_32; 2462 uint64_t *temp_64; 2463 }; 2464 2465 uint32_t *showcase_ptr_u32; 2466 struct struct_showcase *showcase_ptr_struct; 2467 2468 showcase_ptr_u32 = showcase_ptr_struct->temp_32; 2469 2470.. rst-class:: non-compliant-code 2471 2472 Non-compliant example:: 2473 2474 struct struct_showcase 2475 { 2476 uint32_t *temp_32; 2477 uint64_t *temp_64; 2478 }; 2479 2480 uint32_t *showcase_ptr_u32; 2481 struct struct_showcase *showcase_ptr_struct; 2482 2483 showcase_ptr_u32 = (uint32_t *)showcase_ptr_struct; 2484 2485 2486C-TY-23: Assignment on function pointers shall be performed with the same type 2487============================================================================== 2488 2489Compliant example:: 2490 2491 typedef void (*func_ptr_t)(void); 2492 2493 func_ptr_t func_ptr_a; 2494 func_ptr_t func_ptr_b; 2495 2496 func_ptr_a = func_ptr_b; 2497 2498.. rst-class:: non-compliant-code 2499 2500 Non-compliant example:: 2501 2502 typedef void (*func_ptr_a_t)(void); 2503 typedef uint32_t (*func_ptr_b_t)(uint32_t param); 2504 2505 func_ptr_a_t func_ptr_a; 2506 func_ptr_b_t func_ptr_b; 2507 2508 func_ptr_a = func_ptr_b; 2509 2510 2511C-TY-24: Cast shall not be performed on a function pointer 2512========================================================== 2513 2514Compliant example:: 2515 2516 typedef uint32_t (*func_ptr_t)(uint32_t param); 2517 2518 uint32_t func_showcase(uint32_t param) 2519 { 2520 return param; 2521 } 2522 2523 func_ptr_t func_ptr_showcase; 2524 func_ptr_showcase = func_showcase; 2525 2526.. rst-class:: non-compliant-code 2527 2528 Non-compliant example:: 2529 2530 typedef uint32_t (*func_ptr_t)(uint32_t param); 2531 2532 void func_showcase(uint32_t param) 2533 { 2534 printf("param: %d \n", param); 2535 } 2536 2537 func_ptr_t func_ptr_showcase; 2538 func_ptr_showcase = (func_ptr_t)func_showcase; 2539 2540 2541C-TY-25: A string literal shall be used only as a const object 2542============================================================== 2543 2544The following operations shall be covered: 2545 2546a) If a string literal is assigned to a variable, this variable shall be 2547 declared with const qualifier. 2548b) If a string literal is passed as a function parameter, this function 2549 parameter shall be declared with the ``const`` qualifier. 2550c) If a string literal is used as the return value of a function, this 2551 function return type shall be declared with the ``const`` qualifier. 2552 2553Compliant example:: 2554 2555 const char *showcase = "showcase"; 2556 2557.. rst-class:: non-compliant-code 2558 2559 Non-compliant example:: 2560 2561 char *showcase = "showcase"; 2562 2563 2564C-TY-26: The basic numerical types shall not be used other than in typedefs 2565=========================================================================== 2566 2567The typedef name shall be used to replace the usage of basic numerical types. 2568This is to guarantee the code portability between different compilers and 2569platforms. 2570 2571Compliant example:: 2572 2573 typedef unsigned int uint32_t; 2574 2575 uint32_t showcase = 32U; 2576 2577.. rst-class:: non-compliant-code 2578 2579 Non-compliant example:: 2580 2581 unsigned int showcase = 32U; 2582 2583 2584C-TY-27: The operands of an assignment operator shall be the same type 2585====================================================================== 2586 2587Compliant example:: 2588 2589 uint32_t showcase = 32U; 2590 2591.. rst-class:: non-compliant-code 2592 2593 Non-compliant example:: 2594 2595 uint32_t showcase = 32UL; 2596 2597 2598C-TY-28: The operands of arithmetic operations shall be the same type 2599===================================================================== 2600 2601Compliant example:: 2602 2603 uint16_t showcase_u16 = 16U; 2604 uint32_t showcase_u32 = 32U; 2605 uint64_t showcase_u64 = 64UL; 2606 2607 uint32_t test = (uint32_t)showcase_u16 + showcase_u32 + (uint32_t)showcase_u64; 2608 2609.. rst-class:: non-compliant-code 2610 2611 Non-compliant example:: 2612 2613 uint16_t showcase_u16 = 16U; 2614 uint32_t showcase_u32 = 32U; 2615 uint64_t showcase_u64 = 64UL; 2616 2617 uint32_t test = showcase_u16 + showcase_u32 + showcase_u64; 2618 2619 2620C-TY-29: The "U" suffix shall be used for unsigned integer constants 2621==================================================================== 2622 2623For 8-bit, 16-bit, and 32-bit unsigned integer constants, the "U" suffix shall 2624be used. For 64-bit unsigned integer constants, the "UL" suffix shall be used. 2625 2626Compliant example:: 2627 2628 uint8_t showcase_u8 = 8U; 2629 uint16_t showcase_u16 = 16U; 2630 uint32_t showcase_u32 = 32U; 2631 2632 uint64_t showcase_u64 = 64UL; 2633 2634.. rst-class:: non-compliant-code 2635 2636 Non-compliant example:: 2637 2638 uint8_t showcase_u8 = 8; 2639 uint16_t showcase_u16 = 16; 2640 uint32_t showcase_u32 = 32; 2641 2642 uint64_t showcase_u64 = 64; 2643 2644 2645 2646Identifiers 2647*********** 2648 2649C-ID-01: A parameter name shall not be the same as the name of struct, union, enum, variable, or function 2650========================================================================================================= 2651 2652Compliant example:: 2653 2654 struct struct_showcase 2655 { 2656 char *str_source; 2657 char *str_destination; 2658 }; 2659 2660 void func_showcase(uint32_t showcase) 2661 { 2662 /* main body */ 2663 } 2664 2665.. rst-class:: non-compliant-code 2666 2667 Non-compliant example:: 2668 2669 struct showcase 2670 { 2671 char *str_source; 2672 char *str_destination; 2673 }; 2674 2675 void func_showcase(uint32_t showcase) 2676 { 2677 /* main body */ 2678 } 2679 2680 2681C-ID-02: A member name shall not be the same as the name of struct, union, or enum 2682================================================================================== 2683 2684Compliant example:: 2685 2686 struct struct_showcase_1 2687 { 2688 char *str_source; 2689 char *str_destination; 2690 }; 2691 2692 struct struct_showcase_2 2693 { 2694 uint32_t showcase_1; 2695 uint32_t showcase_2; 2696 }; 2697 2698.. rst-class:: non-compliant-code 2699 2700 Non-compliant example:: 2701 2702 struct showcase_1 2703 { 2704 char *str_source; 2705 char *str_destination; 2706 }; 2707 2708 struct showcase_2 2709 { 2710 uint32_t showcase_1; 2711 uint32_t showcase_2; 2712 }; 2713 2714 2715C-ID-03: A global variable name shall be unique 2716=============================================== 2717 2718A global variable name shall not be the same as the name of struct, union, 2719enum, typedef, function, function parameter, macro, member, enum constant, 2720local variable, or other global variables. 2721 2722Compliant example:: 2723 2724 struct struct_showcase 2725 { 2726 char *str_source; 2727 char *str_destination; 2728 }; 2729 2730 /* global variable */ 2731 uint32_t showcase; 2732 2733 void func_showcase(void) 2734 { 2735 showcase++; 2736 } 2737 2738.. rst-class:: non-compliant-code 2739 2740 Non-compliant example:: 2741 2742 struct showcase 2743 { 2744 char *str_source; 2745 char *str_destination; 2746 }; 2747 2748 /* global variable */ 2749 uint32_t showcase; 2750 2751 void func_showcase(void) 2752 { 2753 showcase++; 2754 } 2755 2756 2757C-ID-04: A local variable name shall not be the same as a global variable name 2758============================================================================== 2759 2760Compliant example:: 2761 2762 /* global variable */ 2763 uint32_t showcase; 2764 2765 void func_showcase(void) 2766 { 2767 uint32_t showcase_local; 2768 2769 showcase_local = 32U; 2770 } 2771 2772.. rst-class:: non-compliant-code 2773 2774 Non-compliant example:: 2775 2776 /* global variable */ 2777 uint32_t showcase; 2778 2779 void func_showcase(void) 2780 { 2781 uint32_t showcase; 2782 2783 showcase = 32U; 2784 } 2785 2786 2787C-ID-05: The function name shall be unique 2788========================================== 2789 2790The function name shall not be the same as the name of struct, union, enum, 2791typedef, macro, member, enum constant, variable, function parameter, or other 2792functions. 2793 2794Compliant example:: 2795 2796 /* global variable */ 2797 uint32_t showcase; 2798 2799 void func_showcase(void) 2800 { 2801 /* main body */ 2802 } 2803 2804.. rst-class:: non-compliant-code 2805 2806 Non-compliant example:: 2807 2808 /* global variable */ 2809 uint32_t showcase; 2810 2811 void showcase(void) 2812 { 2813 /* main body */ 2814 } 2815 2816 2817C-ID-06: The typedef name shall be unique 2818========================================= 2819 2820The typedef name shall be unique and not be used for any other purpose. 2821 2822Compliant example:: 2823 2824 typedef unsigned int uint32_t; 2825 2826 uint32_t showcase; 2827 2828.. rst-class:: non-compliant-code 2829 2830 Non-compliant example:: 2831 2832 typedef unsigned int uint32_t; 2833 2834 uint32_t uint32_t; 2835 2836 2837C-ID-07: Names defined by developers shall not start with underscore 2838==================================================================== 2839 2840All names starting with one or two underscores are reserved for use by the 2841compiler and standard libraries to eliminate potential conflicts with 2842user-defined names. 2843 2844Compliant example:: 2845 2846 uint32_t showcase; 2847 2848.. rst-class:: non-compliant-code 2849 2850 Non-compliant example:: 2851 2852 uint32_t __showcase; 2853 2854 2855C-ID-08: A variable name shall not be the same as a struct, union, or enum 2856========================================================================== 2857 2858Compliant example:: 2859 2860 struct struct_showcase 2861 { 2862 char *str_source; 2863 char *str_destination; 2864 }; 2865 2866 uint32_t showcase; 2867 2868.. rst-class:: non-compliant-code 2869 2870 Non-compliant example:: 2871 2872 struct showcase 2873 { 2874 char *str_source; 2875 char *str_destination; 2876 }; 2877 2878 uint32_t showcase; 2879 2880 2881C-ID-09: The typedef name of a numerical type shall indicate the number of bits 2882=============================================================================== 2883 2884Compliant example:: 2885 2886 typedef unsigned short uint16_t; 2887 2888.. rst-class:: non-compliant-code 2889 2890 Non-compliant example:: 2891 2892 typedef unsigned short ushort_t; 2893 2894 2895C-ID-10: A C keyword shall not be re-defined by a MACRO 2896======================================================= 2897 2898Compliant example:: 2899 2900 typedef _Bool bool; 2901 2902.. rst-class:: non-compliant-code 2903 2904 Non-compliant example:: 2905 2906 #define _Bool bool 2907 2908 2909Coding Style 2910************ 2911 2912 2913C-CS-01: Each line shall contain at most 120 characters 2914======================================================= 2915 2916No more than 120 characters shall be on a line, with tab stops every 8 2917characters. Statements longer than this limit shall be broken into multiple 2918lines with proper alignment. 2919 2920Compliant example:: 2921 2922 cpuid(CPUID_EXTEND_FEATURE, &unused, 2923 &boot_cpu_data.cpuid_leaves[FEAT_7_0_EBX], 2924 &boot_cpu_data.cpuid_leaves[FEAT_7_0_ECX], 2925 &boot_cpu_data.cpuid_leaves[FEAT_7_0_EDX]); 2926 2927.. rst-class:: non-compliant-code 2928 2929 Non-compliant example:: 2930 2931 cpuid(CPUID_EXTEND_FEATURE, &unused, &boot_cpu_data.cpuid_leaves[FEAT_7_0_EBX], &boot_cpu_data.cpuid_leaves[FEAT_7_0_ECX], &boot_cpu_data.cpuid_leaves[FEAT_7_0_EDX]); 2932 2933 2934C-CS-02: Each line shall contain only one statement 2935=================================================== 2936 2937Compliant example:: 2938 2939 if (condition) { 2940 do_a(); 2941 } else { 2942 do_b(); 2943 } 2944 2945.. rst-class:: non-compliant-code 2946 2947 Non-compliant example:: 2948 2949 if (condition) { do_a();} else {do_b();} 2950 2951 2952C-CS-03: Tabs shall be used for code indentation 2953================================================ 2954 2955Spaces are allowed only for indenting comments or aligning statements that 2956span multiple lines. 2957 2958Compliant example:: 2959 2960 if (condition) { 2961 do_a(); 2962 } else { 2963 do_b(); 2964 } 2965 2966.. rst-class:: non-compliant-code 2967 2968 Non-compliant example:: 2969 2970 if (condition) { 2971 do_a(); 2972 } else { 2973 do_b(); 2974 } 2975 2976 2977C-CS-04: Tabs shall be 8 characters wide 2978======================================== 2979 2980A tab character shall be considered 8-character wide when limiting the line 2981width. 2982 2983 2984C-CS-05: Trailing whitespace shall not be allowed at the end of lines 2985===================================================================== 2986 2987This rule applies to both spaces and tabs at the end of a line. 2988 2989Compliant example:: 2990 2991 uint32_t a; 2992 uint32_t b; 2993 uint32_t c; 2994 2995.. rst-class:: non-compliant-code 2996 2997 Non-compliant example:: 2998 2999 /* 3000 * The example here uses the char ~ to stand for the space at the end of the line 3001 * in order to highlight the non-compliant part. 3002 */ 3003 uint32_t a;~~~~ 3004 uint32_t b;~~~~ 3005 uint32_t c;~~~~ 3006 3007 3008C-CS-06: A single space shall exist between non-function-like keywords and opening brackets 3009=========================================================================================== 3010 3011A single space shall exist between a non-function-like keyword and the opening 3012bracket (either a brace or a parenthesis) that follows. This rule applies to 3013the keywords ``if``, ``else``, ``for``, ``do``, ``while``, ``switch``, and 3014``return``. 3015 3016Compliant example:: 3017 3018 uint32_t showcase; 3019 3020 if (showcase == 0U) { 3021 showcase = 32U; 3022 } 3023 3024.. rst-class:: non-compliant-code 3025 3026 Non-compliant example:: 3027 3028 uint32_t showcase; 3029 3030 if(showcase == 0U){ 3031 showcase = 32U; 3032 } 3033 3034 3035C-CS-07: A space shall not exist between the function identifier and the following open-parenthesis 3036=================================================================================================== 3037 3038Compliant example:: 3039 3040 size_t entry_size = sizeof(struct vcpuid_entry); 3041 3042.. rst-class:: non-compliant-code 3043 3044 Non-compliant example:: 3045 3046 size_t entry_size = sizeof (struct vcpuid_entry); 3047 3048 3049C-CS-08: A space shall not exist right after opening brackets and right before closing ones 3050=========================================================================================== 3051 3052Brackets in this rule refer to parenthesis, braces, and square brackets. 3053 3054Compliant example:: 3055 3056 size_t entry_size = sizeof(struct vcpuid_entry); 3057 3058.. rst-class:: non-compliant-code 3059 3060 Non-compliant example:: 3061 3062 size_t entry_size = sizeof( struct vcpuid_entry ); 3063 3064 3065C-CS-09: The ``*`` characters used for pointers shall be right before the function or variable identifiers 3066========================================================================================================== 3067 3068The following cases shall be covered: 3069 3070a) For declaration of variables of a pointer type, the ``*`` character shall 3071 be right before the variable identifier with no space in between. 3072b) For functions whose return value is of a pointer type, the ``*`` character 3073 shall be right before the function identifier with no spaces in between in 3074 the function prototype. 3075 3076Compliant example:: 3077 3078 uint32_t *showcase_ptr; 3079 uint32_t *showcase_func(void); 3080 3081.. rst-class:: non-compliant-code 3082 3083 Non-compliant example:: 3084 3085 uint32_t* showcase_ptr; 3086 uint32_t* showcase_func(void); 3087 3088 3089C-CS-10: A single space shall exist around binary and ternary operators 3090======================================================================= 3091 3092This rule applies to all binary arithmetic, bit-wise, logical, relational, 3093equality, and assignment operators, as well as the ternary conditional 3094operator. 3095 3096Compliant example:: 3097 3098 uint32_t showcase = 32U; 3099 3100 showcase = showcase * 2U; 3101 3102.. rst-class:: non-compliant-code 3103 3104 Non-compliant example:: 3105 3106 uint32_t showcase=32U; 3107 3108 showcase=showcase*2U; 3109 3110 3111C-CS-11: Space shall not exist after unary operator 3112=================================================== 3113 3114There shall be no space between a unary operator and its operand. This rule 3115applies to member accesses, prefix or postfix increments and decrements, 3116address and indirection operators. 3117 3118Compliant example:: 3119 3120 int *x; 3121 int y = y + *x; 3122 int a = b->member; 3123 3124.. rst-class:: non-compliant-code 3125 3126 Non-compliant example:: 3127 3128 int * x; 3129 int y = y + * x; 3130 int a = b ->member; 3131 3132 3133C-CS-12: A single space shall exist right after semicolons in for-loop headers 3134============================================================================== 3135 3136A single space shall exist right after semicolons that separate the different 3137expressions in for-loop headers. 3138 3139Compliant example:: 3140 3141 uint32_t i; 3142 3143 for (i = 0U; i < 5U; i++) { 3144 printf("count: %d \n", i); 3145 } 3146 3147.. rst-class:: non-compliant-code 3148 3149 Non-compliant example:: 3150 3151 uint32_t i; 3152 3153 for (i = 0U;i < 5U;i++) { 3154 printf("count: %d \n", i); 3155 } 3156 3157 3158C-CS-13: Braces after if/switch/for/do/while shall be on the same line 3159====================================================================== 3160 3161The statement after if/switch/for/do/while shall always be a compound 3162statement with its opening brace on the same line as the keyword. 3163 3164Compliant example:: 3165 3166 uint32_t numerator = 32U; 3167 uint32_t denominator = 0U; 3168 uint32_t quotient; 3169 3170 if (denominator != 0U) { 3171 quotient = numerator / denominator; 3172 } 3173 3174.. rst-class:: non-compliant-code 3175 3176 Non-compliant example:: 3177 3178 uint32_t numerator = 32U; 3179 uint32_t denominator = 0U; 3180 uint32_t quotient; 3181 3182 if (denominator != 0U) 3183 { 3184 quotient = numerator / denominator; 3185 } 3186 3187 3188C-CS-14: A function body shall start with a line containing a single opening brace 3189================================================================================== 3190 3191Compliant example:: 3192 3193 uint32_t func_showcase(uint32_t param) 3194 { 3195 return param; 3196 } 3197 3198.. rst-class:: non-compliant-code 3199 3200 Non-compliant example:: 3201 3202 uint32_t func_showcase(uint32_t param) { 3203 return param; 3204 } 3205 3206 3207C-CS-15: A ``switch`` statement and its subordinate ``case`` shall be aligned 3208============================================================================= 3209 3210Compliant example:: 3211 3212 switch(suffix) { 3213 case 'u': 3214 do_something(); 3215 break; 3216 default: 3217 do_something_else(); 3218 break; 3219 } 3220 3221.. rst-class:: non-compliant-code 3222 3223 Non-compliant example:: 3224 3225 switch(suffix) { 3226 case 'u': 3227 do_something(); 3228 break; 3229 default: 3230 do_something_else(); 3231 break; 3232 } 3233 3234 3235C-CS-16: Function parameters shall be aligned 3236============================================= 3237 3238When function call parameters are not in single line, the parameters shall be 3239aligned only with tabs. Mixed-use of spaces and tabs shall not be allowed. The 3240number of tabs could be decided by the developers based on each case and it 3241shall be the same for one case. 3242 3243Compliant example:: 3244 3245 uint32_t showcase; 3246 3247 showcase = func(param_1, 3248 param_2, 3249 param_3); 3250 3251.. rst-class:: non-compliant-code 3252 3253 Non-compliant example:: 3254 3255 uint32_t showcase; 3256 3257 showcase = func(param_1, 3258 param_2, 3259 param_3); 3260 3261 3262C-CS-17: ``//`` shall not be used for single-line comments 3263=========================================================== 3264 3265``/* */`` shall be used to replace ``//`` for single-line comments. 3266 3267Compliant example:: 3268 3269 /* This is a comment */ 3270 3271.. rst-class:: non-compliant-code 3272 3273 Non-compliant example:: 3274 3275 // This is a comment 3276 3277 3278C-CS-18: Function information shall be documented with doxygen-style comments 3279============================================================================= 3280 3281Some detailed rules are listed below to illustrate the comments format for 3282each function: 3283 32841) The comments block shall start with ``/**`` (slash-asterisk-asterisk) in a 3285 single line. 32862) The comments block shall end with :literal:`\ */` (space-asterisk-slash) in 3287 a single line. 32883) Other than the first line and the last line, every line inside the comments 3289 block shall start with :literal:`\ *` (space-asterisk). It also applies to 3290 the line which is used to separate different paragraphs. We'll call it a 3291 blank line for simplicity. 32924) For each function, following information shall be documented: 3293 brief description, detailed description, parameters description, 3294 pre-conditions, post-conditions, return value description, and comments 3295 explaining the actual return values. We'll call each block of information 3296 a paragraph for simplicity. A paragraph may be removed from the list if it 3297 is not applicable for that function. 32985) Each line shall only contain the description for one parameter, or one 3299 pre-condition, or one post-condition, or one actual return value. We'll 3300 call each of these an element for simplicity. 33016) A blank line shall separate different paragraphs. Inside each paragraph, a 3302 blank line is not required to separate each element. 33037) The brief description of the function shall be documented with the format 3304 ``@brief <brief description>``. 33058) No specific format is required for the detailed description of the 3306 function. 33079) The description of the function parameter shall be documented with the 3308 format ``@param <parameter name> <parameter description>``. 330910) The pre-condition of the function shall be documented with the format 3310 ``@pre <pre-condition description>``. 331111) The post-condition of the function shall be documented with the format 3312 ``@post <post-condition description>``. 331312) The brief description of the function return value shall be documented 3314 with the format ``@return <brief description of return value>``. 331513) A void-returning function shall not be documented with ``@return``. 331614) The comments explaining the actual return values shall be documented with 3317 the format ``@retval <return value> <return value explanation>``. 331815) If the description of one element needs to span multiple lines, each line 3319 shall be aligned to the start of the description in the first line for 3320 that element. 332116) The comments block shall appear immediately before the function 3322 definition/declaration in the C source file or header file. 3323 3324Compliant example:: 3325 3326 /** 3327 * @brief Brief description of the function. 3328 * 3329 * Detailed description of the function. Detailed description of the function. Detailed description of the 3330 * function. Detailed description of the function. 3331 * Application Constraints: Detailed description of application constraint. 3332 * 3333 * @param param_1 Parameter description for param_1. 3334 * @param param_2 Parameter description for param_2. 3335 * @param param_3 Parameter description for param_3. Parameter description for param_3. Parameter description 3336 * for param_3. Parameter description for param_3. Parameter description for param_3. Parameter 3337 * description for param_3. 3338 * 3339 * @pre param_1 != NULL 3340 * @pre param_2 <= 255U 3341 * 3342 * @post retval <= 0 3343 * 3344 * @return Brief description of the return value. 3345 * 3346 * @retval 0 Success to handle specific case. 3347 * @retval -EINVAL Fail to handle specific case because the argument is invalid. 3348 * @retval -EBUSY Fail to handle specific case because the target is busy. 3349 * 3350 */ 3351 int32_t func_showcase(uint32_t *param_1, uint32_t param_2, uint32_t param_3); 3352 3353.. rst-class:: non-compliant-code 3354 3355 Non-compliant example:: 3356 3357 /* Brief description of the function. 3358 Detailed description of the function. Detailed description of the function. Detailed description of the 3359 function. Detailed description of the function. 3360 3361 @param param_1 Parameter description for param_1. @param param_2 Parameter description for param_2. 3362 @param param_3 Parameter description for param_3. Parameter description for param_3. Parameter description 3363 for param_3. Parameter description for param_3. Parameter description for param_3. Parameter 3364 description for param_3. 3365 3366 pre-conditions: param_1 != NULL, param_2 <= 255U 3367 post-conditions: retval <= 0 3368 3369 Brief description of the return value. */ 3370 int32_t func_showcase(uint32_t *param_1, uint32_t param_2, uint32_t param_3); 3371 3372 3373C-CS-19: Legal entity shall be documented in every file 3374======================================================= 3375 3376Legal entity shall be documented in a separate comments block at the start of 3377every file. The following information shall be included: 3378 3379a) Copyright 3380b) License (using an `SPDX-License-Identifier <https://spdx.org/licenses/>`_) 3381 3382Compliant example:: 3383 3384 /* Legal entity shall be placed at the start of the file. */ 3385 -------------File Contents Start After This Line------------ 3386 3387 /* 3388 * Copyright (C) 2019-2022 Intel Corporation. 3389 * 3390 * SPDX-License-Identifier: BSD-3-Clause 3391 */ 3392 3393 /* Coding or implementation related comments start after the legal entity. */ 3394 #include <types.h> 3395 3396.. rst-class:: non-compliant-code 3397 3398 Non-compliant example:: 3399 3400 /* Neither copyright nor license information is included in the file. */ 3401 -------------------File Contents Start After This Line------------------ 3402 3403 /* Coding or implementation related comments start directly. */ 3404 #include <types.h> 3405 3406 3407Naming Convention 3408***************** 3409 3410 3411C-NC-01: Object-like MACRO shall be named with full upper case 3412============================================================== 3413 3414Compliant example:: 3415 3416 #define MAX_CONFIG_NAME_SIZE 32U 3417 3418.. rst-class:: non-compliant-code 3419 3420 Non-compliant example:: 3421 3422 #define max_config_name_size 32U 3423 3424 3425C-NC-02: Mixed-use of lower case and upper case in function-like MACRO shall not be allowed 3426=========================================================================================== 3427 3428Function-like MACRO shall be named with either full lower case or full upper 3429case. Mixed-use of lower case and upper case shall not be allowed. 3430 3431Compliant example:: 3432 3433 #define max(x, y) ((x) < (y)) ? (y) : (x) 3434 3435.. rst-class:: non-compliant-code 3436 3437 Non-compliant example:: 3438 3439 #define Max(x, y) ((x) < (y)) ? (y) : (x) 3440 3441 3442C-NC-03: Data structures exposed to external components shall be named with prefix ``acrn_`` 3443============================================================================================ 3444 3445The data structure types include struct, union, and enum. This rule applies to 3446the data structure with all the following properties: 3447 3448a) The data structure is used by multiple modules. 3449b) The corresponding resource is exposed to external components, such as the 3450 Service VM or a User VM. 3451c) The name meaning is simplistic or common, such as vcpu or vm. 3452 3453Compliant example:: 3454 3455 struct acrn_vcpu { 3456 ... 3457 }; 3458 3459.. rst-class:: non-compliant-code 3460 3461 Non-compliant example:: 3462 3463 struct vcpu { 3464 ... 3465 }; 3466 3467 3468C-NC-04: Data structures only used by hypervisor shall be named with prefix ``hv_`` 3469=================================================================================== 3470 3471The data structure types include struct, union, and enum. This rule applies to 3472the data structure with all the following properties: 3473 3474a) The data structure is used by multiple modules. 3475b) The corresponding resource is only used by hypervisor. 3476c) The name meaning is simplistic or common, such as timer. 3477 3478Compliant example:: 3479 3480 struct hv_timer { 3481 ... 3482 }; 3483 3484.. rst-class:: non-compliant-code 3485 3486 Non-compliant example:: 3487 3488 struct timer { 3489 ... 3490 }; 3491 3492 3493C-NC-05: Data structures only used by one module shall be named with the module name as prefix 3494============================================================================================== 3495 3496The data structure types include struct, union, and enum. This rule applies to 3497the data structure with all the following properties: 3498 3499a) The data structure is only used by one module. 3500b) The name meaning is simplistic or common, such as context. 3501 3502Compliant example:: 3503 3504 struct instr_emul_ctxt { 3505 ... 3506 }; 3507 3508.. rst-class:: non-compliant-code 3509 3510 Non-compliant example:: 3511 3512 struct ctxt { 3513 ... 3514 }; 3515 3516 3517C-NC-06: Data structures related to hardware resource shall be named with the resource name as suffix 3518===================================================================================================== 3519 3520The data structure types include struct, union, and enum. For example: 3521 3522a) The data structure related to register shall be named with suffix ``reg``. 3523b) The data structure related to segment selector shall be named with suffix 3524 ``sel``. 3525 3526Compliant example:: 3527 3528 struct lapic_reg { 3529 ... 3530 }; 3531 3532.. rst-class:: non-compliant-code 3533 3534 Non-compliant example:: 3535 3536 struct lapic { 3537 ... 3538 }; 3539 3540 3541C-NC-07: Function pointer shall be named with suffix ``fn`` 3542=========================================================== 3543 3544Compliant example:: 3545 3546 struct firmware_operations { 3547 void (*init_fn)(void); 3548 void *(*get_rsdp_fn)(void); 3549 }; 3550 3551.. rst-class:: non-compliant-code 3552 3553 Non-compliant example:: 3554 3555 struct firmware_operations { 3556 void (*init)(void); 3557 void *(*get_rsdp)(void); 3558 }; 3559 3560 3561C-NC-08: Function name shall be descriptive 3562=========================================== 3563 3564Function name shall be descriptive and clearly indicate the purpose of the 3565function. Some detailed rules are listed below: 3566 35671) If the function is performing actions, it shall be named with one of the 3568 following formats: 3569 3570 a) ``<verb>_<nouns>``, such as ``init_vmcs``. 3571 b) ``<verb>_<adjective>_<nouns>``, such as ``init_primary_pcpu``. 35722) If the function is doing checks, it shall be named with one of the 3573 following formats: 3574 3575 a) ``is_<nouns>``, such as ``is_space``. 3576 b) ``is_<nouns>_<adjective>``, such as ``is_pcpu_active``. 35773) If the function is doing conversions, it shall be named with one of the 3578 following formats: 3579 3580 a) ``<nouns>_to_<nouns>``, such as ``irq_to_vector``. 3581 b) ``<nouns>2<nouns>``, such as ``gva2gpa``. 35824) If the function is specific for one module and the name is not descriptive 3583 enough with prior rules, it shall be named with the module name as prefix, 3584 such as ``vie_read_mmio``. 35855) If the function is a wrapper of inline Assembly codes, it shall be named 3586 with one of the following formats: 3587 3588 a) ``asm_<Assembly instruction mnemonic>``, such as ``asm_pause``. 3589 b) If the Assembly instruction mnemonic does not clearly indicate the 3590 purpose of the function or the function includes multiple Assembly 3591 instruction statements, the function shall be named with ``asm_`` as 3592 prefix and apply the other non-assembly function naming rules. 35936) ``<nouns>`` mentioned in prior rules may either be one noun or multiple 3594 nouns, as long as it could clearly illustrate the object. 3595 3596Compliant example:: 3597 3598 uint32_t init_vmcs(uint32_t param); 3599 3600 uint32_t init_primary_pcpu(uint32_t param); 3601 3602 bool is_space(uint32_t param); 3603 3604 bool is_pcpu_active(uint32_t param); 3605 3606 uint32_t vie_read_mmio(uint32_t param); 3607 3608 uint32_t irq_to_vector(uint32_t param); 3609 3610 uint32_t gva2gpa(uint32_t param); 3611 3612 uint32_t asm_pause(uint32_t param); 3613 3614.. rst-class:: non-compliant-code 3615 3616 Non-compliant example:: 3617 3618 uint32_t vmcs_init(uint32_t param); 3619 3620 uint32_t primary_pcpu_init(uint32_t param); 3621 3622 bool space(uint32_t param); 3623 3624 bool pcpu_active(uint32_t param); 3625 3626 uint32_t vie_mmio_read(uint32_t param); 3627 3628 uint32_t from_irq_to_vector(uint32_t param); 3629 3630 uint32_t get_gpa_based_on_gva(uint32_t param); 3631 3632 uint32_t pause(uint32_t param); 3633 3634 3635Implementation-Specific Behaviors 3636********************************* 3637 3638 3639C-IB-01: All characters in an identifier are significant initial characters 3640=========================================================================== 3641 3642The number of significant initial characters in an identifier is 3643implementation-defined, according to J.3.3 item 2 in C99. For ACRN hypervisor, 3644all characters in an identifier are significant initial characters. 3645 3646C-IB-02: The number of bits in a byte is 8 3647========================================== 3648 3649The number of bits in a byte is implementation-defined, according to J.3.4 3650item 1 in C99. For ACRN hypervisor, the number of bits in a byte is 8. 3651 3652C-IB-03: The values of the members of the execution character set depends on ASCII Table 3653======================================================================================== 3654 3655The values of the members of the execution character set is 3656implementation-defined, according to J.3.4 item 2 in C99. For ACRN hypervisor, 3657characters are encoded in ASCII. This rule applies to the source code that is 3658being compiled. Non-ASCII characters are allowed in comments, such as the 3659author name. 3660 3661C-IB-04: ``plain char`` is equivalent to ``signed char`` 3662======================================================== 3663 3664The underlying type of ``plain char`` is implementation-defined, according to 3665J.3.4 item 5 in C99. For ACRN hypervisor, ``plain char`` is equivalent to 3666``signed char``. 3667 3668C-IB-05: Signed integers are represented in two's complement 3669============================================================ 3670 3671Whether signed integer types are represented using sign and magnitude, two's 3672complement, or ones' complement is implementation-defined, according to J.3.5 3673item 2 in C99. For ACRN hypervisor, signed integers are represented in two's 3674complement. 3675 3676C-IB-06: The integer type compatible with each enumerated type is case by case 3677============================================================================== 3678 3679The integer type compatible with each enumerated type is 3680implementation-defined, according to J.3.9 item 6 in C99. For ACRN hypervisor, 3681if the enum has no negative underlying values, unsigned int is used; 3682otherwise, int is used. 3683 3684C-IB-07: The number of bytes in an object is specified 3685====================================================== 3686 3687The number of bytes in an object is implementation-defined, according to 3688J.3.13 item 2 in C99. For ACRN hypervisor, char is 1 byte, short is 2 bytes, 3689int is 4 bytes, long is 8 bytes, and long long is not used. 3690 3691Language Extensions 3692******************* 3693 3694Refer to the `GCC 8.3 Manual, Section 6 Extensions to the C Language Family <https://gcc.gnu.org/onlinedocs/gcc-8.3.0/gcc/C-Extensions.html#C-Extensions/>`_. 3695 3696 3697C-LE-01: Use of inline Assembly language in C code is allowed 3698============================================================= 3699 3700This feature refers to section 6.45 in GCC 8.3 Manual. 3701 3702C-LE-02: Use of builtin-type ``__builtin_va_list`` is allowed 3703============================================================= 3704 3705This feature refers to section 6.20 in GCC 8.3 Manual. 3706 3707C-LE-03: Use of extended type attributes is allowed 3708=================================================== 3709 3710This rule applies to the following type attributes: 3711 3712a) ``aligned``, refers to section 6.33.1 in GCC 8.3 Manual. 3713b) ``packed``, refers to section 6.33.1 in GCC 8.3 Manual. 3714c) ``unused``, refers to section 6.33.1 in GCC 8.3 Manual. 3715d) ``section``, refers to section 6.32.1 in GCC 8.3 Manual. 3716 3717C-LE-04: Use of extended builtin-function is allowed 3718==================================================== 3719 3720This rule applies to the following builtin-functions: 3721 3722a) ``__builtin_va_arg``, refers to section 6.20 in GCC 8.3 Manual. 3723b) ``__builtin_va_start``, refers to section 6.20 in GCC 8.3 Manual. 3724c) ``__builtin_va_end``, refers to section 6.20 in GCC 8.3 Manual. 3725d) ``__builtin_offsetof``, refers to section 6.51 in GCC 8.3 Manual. 3726 3727C-LE-05: Use of extended designated initializers is allowed 3728=========================================================== 3729 3730This rule applies to the following designated initializer: writing 3731``[first ... last] = value`` to initialize a range of elements 3732to the same value, refers to section 6.27 in GCC 8.3 Manual. 3733