Based on kernel version 4.9. Page generated on 2016-12-21 14:28 EST.
1 .. _development_coding: 2 3 Getting the code right 4 ====================== 5 6 While there is much to be said for a solid and community-oriented design 7 process, the proof of any kernel development project is in the resulting 8 code. It is the code which will be examined by other developers and merged 9 (or not) into the mainline tree. So it is the quality of this code which 10 will determine the ultimate success of the project. 11 12 This section will examine the coding process. We'll start with a look at a 13 number of ways in which kernel developers can go wrong. Then the focus 14 will shift toward doing things right and the tools which can help in that 15 quest. 16 17 18 Pitfalls 19 --------- 20 21 Coding style 22 ************ 23 24 The kernel has long had a standard coding style, described in 25 Documentation/CodingStyle. For much of that time, the policies described 26 in that file were taken as being, at most, advisory. As a result, there is 27 a substantial amount of code in the kernel which does not meet the coding 28 style guidelines. The presence of that code leads to two independent 29 hazards for kernel developers. 30 31 The first of these is to believe that the kernel coding standards do not 32 matter and are not enforced. The truth of the matter is that adding new 33 code to the kernel is very difficult if that code is not coded according to 34 the standard; many developers will request that the code be reformatted 35 before they will even review it. A code base as large as the kernel 36 requires some uniformity of code to make it possible for developers to 37 quickly understand any part of it. So there is no longer room for 38 strangely-formatted code. 39 40 Occasionally, the kernel's coding style will run into conflict with an 41 employer's mandated style. In such cases, the kernel's style will have to 42 win before the code can be merged. Putting code into the kernel means 43 giving up a degree of control in a number of ways - including control over 44 how the code is formatted. 45 46 The other trap is to assume that code which is already in the kernel is 47 urgently in need of coding style fixes. Developers may start to generate 48 reformatting patches as a way of gaining familiarity with the process, or 49 as a way of getting their name into the kernel changelogs - or both. But 50 pure coding style fixes are seen as noise by the development community; 51 they tend to get a chilly reception. So this type of patch is best 52 avoided. It is natural to fix the style of a piece of code while working 53 on it for other reasons, but coding style changes should not be made for 54 their own sake. 55 56 The coding style document also should not be read as an absolute law which 57 can never be transgressed. If there is a good reason to go against the 58 style (a line which becomes far less readable if split to fit within the 59 80-column limit, for example), just do it. 60 61 62 Abstraction layers 63 ****************** 64 65 Computer Science professors teach students to make extensive use of 66 abstraction layers in the name of flexibility and information hiding. 67 Certainly the kernel makes extensive use of abstraction; no project 68 involving several million lines of code could do otherwise and survive. 69 But experience has shown that excessive or premature abstraction can be 70 just as harmful as premature optimization. Abstraction should be used to 71 the level required and no further. 72 73 At a simple level, consider a function which has an argument which is 74 always passed as zero by all callers. One could retain that argument just 75 in case somebody eventually needs to use the extra flexibility that it 76 provides. By that time, though, chances are good that the code which 77 implements this extra argument has been broken in some subtle way which was 78 never noticed - because it has never been used. Or, when the need for 79 extra flexibility arises, it does not do so in a way which matches the 80 programmer's early expectation. Kernel developers will routinely submit 81 patches to remove unused arguments; they should, in general, not be added 82 in the first place. 83 84 Abstraction layers which hide access to hardware - often to allow the bulk 85 of a driver to be used with multiple operating systems - are especially 86 frowned upon. Such layers obscure the code and may impose a performance 87 penalty; they do not belong in the Linux kernel. 88 89 On the other hand, if you find yourself copying significant amounts of code 90 from another kernel subsystem, it is time to ask whether it would, in fact, 91 make sense to pull out some of that code into a separate library or to 92 implement that functionality at a higher level. There is no value in 93 replicating the same code throughout the kernel. 94 95 96 #ifdef and preprocessor use in general 97 ************************************** 98 99 The C preprocessor seems to present a powerful temptation to some C 100 programmers, who see it as a way to efficiently encode a great deal of 101 flexibility into a source file. But the preprocessor is not C, and heavy 102 use of it results in code which is much harder for others to read and 103 harder for the compiler to check for correctness. Heavy preprocessor use 104 is almost always a sign of code which needs some cleanup work. 105 106 Conditional compilation with #ifdef is, indeed, a powerful feature, and it 107 is used within the kernel. But there is little desire to see code which is 108 sprinkled liberally with #ifdef blocks. As a general rule, #ifdef use 109 should be confined to header files whenever possible. 110 Conditionally-compiled code can be confined to functions which, if the code 111 is not to be present, simply become empty. The compiler will then quietly 112 optimize out the call to the empty function. The result is far cleaner 113 code which is easier to follow. 114 115 C preprocessor macros present a number of hazards, including possible 116 multiple evaluation of expressions with side effects and no type safety. 117 If you are tempted to define a macro, consider creating an inline function 118 instead. The code which results will be the same, but inline functions are 119 easier to read, do not evaluate their arguments multiple times, and allow 120 the compiler to perform type checking on the arguments and return value. 121 122 123 Inline functions 124 **************** 125 126 Inline functions present a hazard of their own, though. Programmers can 127 become enamored of the perceived efficiency inherent in avoiding a function 128 call and fill a source file with inline functions. Those functions, 129 however, can actually reduce performance. Since their code is replicated 130 at each call site, they end up bloating the size of the compiled kernel. 131 That, in turn, creates pressure on the processor's memory caches, which can 132 slow execution dramatically. Inline functions, as a rule, should be quite 133 small and relatively rare. The cost of a function call, after all, is not 134 that high; the creation of large numbers of inline functions is a classic 135 example of premature optimization. 136 137 In general, kernel programmers ignore cache effects at their peril. The 138 classic time/space tradeoff taught in beginning data structures classes 139 often does not apply to contemporary hardware. Space *is* time, in that a 140 larger program will run slower than one which is more compact. 141 142 More recent compilers take an increasingly active role in deciding whether 143 a given function should actually be inlined or not. So the liberal 144 placement of "inline" keywords may not just be excessive; it could also be 145 irrelevant. 146 147 148 Locking 149 ******* 150 151 In May, 2006, the "Devicescape" networking stack was, with great 152 fanfare, released under the GPL and made available for inclusion in the 153 mainline kernel. This donation was welcome news; support for wireless 154 networking in Linux was considered substandard at best, and the Devicescape 155 stack offered the promise of fixing that situation. Yet, this code did not 156 actually make it into the mainline until June, 2007 (2.6.22). What 157 happened? 158 159 This code showed a number of signs of having been developed behind 160 corporate doors. But one large problem in particular was that it was not 161 designed to work on multiprocessor systems. Before this networking stack 162 (now called mac80211) could be merged, a locking scheme needed to be 163 retrofitted onto it. 164 165 Once upon a time, Linux kernel code could be developed without thinking 166 about the concurrency issues presented by multiprocessor systems. Now, 167 however, this document is being written on a dual-core laptop. Even on 168 single-processor systems, work being done to improve responsiveness will 169 raise the level of concurrency within the kernel. The days when kernel 170 code could be written without thinking about locking are long past. 171 172 Any resource (data structures, hardware registers, etc.) which could be 173 accessed concurrently by more than one thread must be protected by a lock. 174 New code should be written with this requirement in mind; retrofitting 175 locking after the fact is a rather more difficult task. Kernel developers 176 should take the time to understand the available locking primitives well 177 enough to pick the right tool for the job. Code which shows a lack of 178 attention to concurrency will have a difficult path into the mainline. 179 180 181 Regressions 182 *********** 183 184 One final hazard worth mentioning is this: it can be tempting to make a 185 change (which may bring big improvements) which causes something to break 186 for existing users. This kind of change is called a "regression," and 187 regressions have become most unwelcome in the mainline kernel. With few 188 exceptions, changes which cause regressions will be backed out if the 189 regression cannot be fixed in a timely manner. Far better to avoid the 190 regression in the first place. 191 192 It is often argued that a regression can be justified if it causes things 193 to work for more people than it creates problems for. Why not make a 194 change if it brings new functionality to ten systems for each one it 195 breaks? The best answer to this question was expressed by Linus in July, 196 2007: 197 198 :: 199 200 So we don't fix bugs by introducing new problems. That way lies 201 madness, and nobody ever knows if you actually make any real 202 progress at all. Is it two steps forwards, one step back, or one 203 step forward and two steps back? 204 205 (http://lwn.net/Articles/243460/). 206 207 An especially unwelcome type of regression is any sort of change to the 208 user-space ABI. Once an interface has been exported to user space, it must 209 be supported indefinitely. This fact makes the creation of user-space 210 interfaces particularly challenging: since they cannot be changed in 211 incompatible ways, they must be done right the first time. For this 212 reason, a great deal of thought, clear documentation, and wide review for 213 user-space interfaces is always required. 214 215 216 Code checking tools 217 ------------------- 218 219 For now, at least, the writing of error-free code remains an ideal that few 220 of us can reach. What we can hope to do, though, is to catch and fix as 221 many of those errors as possible before our code goes into the mainline 222 kernel. To that end, the kernel developers have put together an impressive 223 array of tools which can catch a wide variety of obscure problems in an 224 automated way. Any problem caught by the computer is a problem which will 225 not afflict a user later on, so it stands to reason that the automated 226 tools should be used whenever possible. 227 228 The first step is simply to heed the warnings produced by the compiler. 229 Contemporary versions of gcc can detect (and warn about) a large number of 230 potential errors. Quite often, these warnings point to real problems. 231 Code submitted for review should, as a rule, not produce any compiler 232 warnings. When silencing warnings, take care to understand the real cause 233 and try to avoid "fixes" which make the warning go away without addressing 234 its cause. 235 236 Note that not all compiler warnings are enabled by default. Build the 237 kernel with "make EXTRA_CFLAGS=-W" to get the full set. 238 239 The kernel provides several configuration options which turn on debugging 240 features; most of these are found in the "kernel hacking" submenu. Several 241 of these options should be turned on for any kernel used for development or 242 testing purposes. In particular, you should turn on: 243 244 - ENABLE_WARN_DEPRECATED, ENABLE_MUST_CHECK, and FRAME_WARN to get an 245 extra set of warnings for problems like the use of deprecated interfaces 246 or ignoring an important return value from a function. The output 247 generated by these warnings can be verbose, but one need not worry about 248 warnings from other parts of the kernel. 249 250 - DEBUG_OBJECTS will add code to track the lifetime of various objects 251 created by the kernel and warn when things are done out of order. If 252 you are adding a subsystem which creates (and exports) complex objects 253 of its own, consider adding support for the object debugging 254 infrastructure. 255 256 - DEBUG_SLAB can find a variety of memory allocation and use errors; it 257 should be used on most development kernels. 258 259 - DEBUG_SPINLOCK, DEBUG_ATOMIC_SLEEP, and DEBUG_MUTEXES will find a 260 number of common locking errors. 261 262 There are quite a few other debugging options, some of which will be 263 discussed below. Some of them have a significant performance impact and 264 should not be used all of the time. But some time spent learning the 265 available options will likely be paid back many times over in short order. 266 267 One of the heavier debugging tools is the locking checker, or "lockdep." 268 This tool will track the acquisition and release of every lock (spinlock or 269 mutex) in the system, the order in which locks are acquired relative to 270 each other, the current interrupt environment, and more. It can then 271 ensure that locks are always acquired in the same order, that the same 272 interrupt assumptions apply in all situations, and so on. In other words, 273 lockdep can find a number of scenarios in which the system could, on rare 274 occasion, deadlock. This kind of problem can be painful (for both 275 developers and users) in a deployed system; lockdep allows them to be found 276 in an automated manner ahead of time. Code with any sort of non-trivial 277 locking should be run with lockdep enabled before being submitted for 278 inclusion. 279 280 As a diligent kernel programmer, you will, beyond doubt, check the return 281 status of any operation (such as a memory allocation) which can fail. The 282 fact of the matter, though, is that the resulting failure recovery paths 283 are, probably, completely untested. Untested code tends to be broken code; 284 you could be much more confident of your code if all those error-handling 285 paths had been exercised a few times. 286 287 The kernel provides a fault injection framework which can do exactly that, 288 especially where memory allocations are involved. With fault injection 289 enabled, a configurable percentage of memory allocations will be made to 290 fail; these failures can be restricted to a specific range of code. 291 Running with fault injection enabled allows the programmer to see how the 292 code responds when things go badly. See 293 Documentation/fault-injection/fault-injection.txt for more information on 294 how to use this facility. 295 296 Other kinds of errors can be found with the "sparse" static analysis tool. 297 With sparse, the programmer can be warned about confusion between 298 user-space and kernel-space addresses, mixture of big-endian and 299 small-endian quantities, the passing of integer values where a set of bit 300 flags is expected, and so on. Sparse must be installed separately (it can 301 be found at https://sparse.wiki.kernel.org/index.php/Main_Page if your 302 distributor does not package it); it can then be run on the code by adding 303 "C=1" to your make command. 304 305 The "Coccinelle" tool (http://coccinelle.lip6.fr/) is able to find a wide 306 variety of potential coding problems; it can also propose fixes for those 307 problems. Quite a few "semantic patches" for the kernel have been packaged 308 under the scripts/coccinelle directory; running "make coccicheck" will run 309 through those semantic patches and report on any problems found. See 310 Documentation/coccinelle.txt for more information. 311 312 Other kinds of portability errors are best found by compiling your code for 313 other architectures. If you do not happen to have an S/390 system or a 314 Blackfin development board handy, you can still perform the compilation 315 step. A large set of cross compilers for x86 systems can be found at 316 317 http://www.kernel.org/pub/tools/crosstool/ 318 319 Some time spent installing and using these compilers will help avoid 320 embarrassment later. 321 322 323 Documentation 324 ------------- 325 326 Documentation has often been more the exception than the rule with kernel 327 development. Even so, adequate documentation will help to ease the merging 328 of new code into the kernel, make life easier for other developers, and 329 will be helpful for your users. In many cases, the addition of 330 documentation has become essentially mandatory. 331 332 The first piece of documentation for any patch is its associated 333 changelog. Log entries should describe the problem being solved, the form 334 of the solution, the people who worked on the patch, any relevant 335 effects on performance, and anything else that might be needed to 336 understand the patch. Be sure that the changelog says *why* the patch is 337 worth applying; a surprising number of developers fail to provide that 338 information. 339 340 Any code which adds a new user-space interface - including new sysfs or 341 /proc files - should include documentation of that interface which enables 342 user-space developers to know what they are working with. See 343 Documentation/ABI/README for a description of how this documentation should 344 be formatted and what information needs to be provided. 345 346 The file Documentation/kernel-parameters.txt describes all of the kernel's 347 boot-time parameters. Any patch which adds new parameters should add the 348 appropriate entries to this file. 349 350 Any new configuration options must be accompanied by help text which 351 clearly explains the options and when the user might want to select them. 352 353 Internal API information for many subsystems is documented by way of 354 specially-formatted comments; these comments can be extracted and formatted 355 in a number of ways by the "kernel-doc" script. If you are working within 356 a subsystem which has kerneldoc comments, you should maintain them and add 357 them, as appropriate, for externally-available functions. Even in areas 358 which have not been so documented, there is no harm in adding kerneldoc 359 comments for the future; indeed, this can be a useful activity for 360 beginning kernel developers. The format of these comments, along with some 361 information on how to create kerneldoc templates can be found in the file 362 Documentation/kernel-documentation.rst. 363 364 Anybody who reads through a significant amount of existing kernel code will 365 note that, often, comments are most notable by their absence. Once again, 366 the expectations for new code are higher than they were in the past; 367 merging uncommented code will be harder. That said, there is little desire 368 for verbosely-commented code. The code should, itself, be readable, with 369 comments explaining the more subtle aspects. 370 371 Certain things should always be commented. Uses of memory barriers should 372 be accompanied by a line explaining why the barrier is necessary. The 373 locking rules for data structures generally need to be explained somewhere. 374 Major data structures need comprehensive documentation in general. 375 Non-obvious dependencies between separate bits of code should be pointed 376 out. Anything which might tempt a code janitor to make an incorrect 377 "cleanup" needs a comment saying why it is done the way it is. And so on. 378 379 380 Internal API changes 381 -------------------- 382 383 The binary interface provided by the kernel to user space cannot be broken 384 except under the most severe circumstances. The kernel's internal 385 programming interfaces, instead, are highly fluid and can be changed when 386 the need arises. If you find yourself having to work around a kernel API, 387 or simply not using a specific functionality because it does not meet your 388 needs, that may be a sign that the API needs to change. As a kernel 389 developer, you are empowered to make such changes. 390 391 There are, of course, some catches. API changes can be made, but they need 392 to be well justified. So any patch making an internal API change should be 393 accompanied by a description of what the change is and why it is 394 necessary. This kind of change should also be broken out into a separate 395 patch, rather than buried within a larger patch. 396 397 The other catch is that a developer who changes an internal API is 398 generally charged with the task of fixing any code within the kernel tree 399 which is broken by the change. For a widely-used function, this duty can 400 lead to literally hundreds or thousands of changes - many of which are 401 likely to conflict with work being done by other developers. Needless to 402 say, this can be a large job, so it is best to be sure that the 403 justification is solid. Note that the Coccinelle tool can help with 404 wide-ranging API changes. 405 406 When making an incompatible API change, one should, whenever possible, 407 ensure that code which has not been updated is caught by the compiler. 408 This will help you to be sure that you have found all in-tree uses of that 409 interface. It will also alert developers of out-of-tree code that there is 410 a change that they need to respond to. Supporting out-of-tree code is not 411 something that kernel developers need to be worried about, but we also do 412 not have to make life harder for out-of-tree developers than it needs to 413 be.