www.fifi.org
    Documentation
        Manpages
        GNU Info
        Debian document tree
        Whole document tree
    Trigance web page
    Public services
    User info
    Mailing lists
    Secure server
    Multilingual usage
 

Copyright (C) 2000-2012
Philippe Troin
<webmaster@fifi.org>.

Validate HTML
Validate CSS

    

GNU Info

Info Node: (standards.info)Semantics

(standards.info)Semantics

Next: Libraries Up: Program Behavior
Enter node , (file) or (file)node 

Writing Robust Programs
=======================

   Avoid arbitrary limits on the length or number of _any_ data
structure, including file names, lines, files, and symbols, by
allocating all data structures dynamically.  In most Unix utilities,
"long lines are silently truncated".  This is not acceptable in a GNU
utility.

   Utilities reading files should not drop NUL characters, or any other
nonprinting characters _including those with codes above 0177_.  The
only sensible exceptions would be utilities specifically intended for
interface to certain types of terminals or printers that can't handle
those characters.  Whenever possible, try to make programs work
properly with sequences of bytes that represent multibyte characters,
using encodings such as UTF-8 and others.

   Check every system call for an error return, unless you know you
wish to ignore errors.  Include the system error text (from `perror' or
equivalent) in _every_ error message resulting from a failing system
call, as well as the name of the file if any and the name of the
utility.  Just "cannot open foo.c" or "stat failed" is not sufficient.

   Check every call to `malloc' or `realloc' to see if it returned
zero.  Check `realloc' even if you are making the block smaller; in a
system that rounds block sizes to a power of 2, `realloc' may get a
different block if you ask for less space.

   In Unix, `realloc' can destroy the storage block if it returns zero.
GNU `realloc' does not have this bug: if it fails, the original block
is unchanged.  Feel free to assume the bug is fixed.  If you wish to
run your program on Unix, and wish to avoid lossage in this case, you
can use the GNU `malloc'.

   You must expect `free' to alter the contents of the block that was
freed.  Anything you want to fetch from the block, you must fetch before
calling `free'.

   If `malloc' fails in a noninteractive program, make that a fatal
error.  In an interactive program (one that reads commands from the
user), it is better to abort the command and return to the command
reader loop.  This allows the user to kill other processes to free up
virtual memory, and then try the command again.

   Use `getopt_long' to decode arguments, unless the argument syntax
makes this unreasonable.

   When static storage is to be written in during program execution, use
explicit C code to initialize it.  Reserve C initialized declarations
for data that will not be changed.

   Try to avoid low-level interfaces to obscure Unix data structures
(such as file directories, utmp, or the layout of kernel memory), since
these are less likely to work compatibly.  If you need to find all the
files in a directory, use `readdir' or some other high-level interface.
These are supported compatibly by GNU.

   The preferred signal handling facilities are the BSD variant of
`signal', and the POSIX `sigaction' function; the alternative USG
`signal' interface is an inferior design.

   Nowadays, using the POSIX signal functions may be the easiest way to
make a program portable.  If you use `signal', then on GNU/Linux
systems running GNU libc version 1, you should include `bsd/signal.h'
instead of `signal.h', so as to get BSD behavior.  It is up to you
whether to support systems where `signal' has only the USG behavior, or
give up on them.

   In error checks that detect "impossible" conditions, just abort.
There is usually no point in printing any message.  These checks
indicate the existence of bugs.  Whoever wants to fix the bugs will have
to read the source code and run a debugger.  So explain the problem with
comments in the source.  The relevant data will be in variables, which
are easy to examine with the debugger, so there is no point moving them
elsewhere.

   Do not use a count of errors as the exit status for a program.
_That does not work_, because exit status values are limited to 8 bits
(0 through 255).  A single run of the program might have 256 errors; if
you try to return 256 as the exit status, the parent process will see 0
as the status, and it will appear that the program succeeded.

   If you make temporary files, check the `TMPDIR' environment
variable; if that variable is defined, use the specified directory
instead of `/tmp'.

   In addition, be aware that there is a possible security problem when
creating temporary files in world-writable directories.  In C, you can
avoid this problem by creating temporary files in this manner:

     fd = open(filename, O_WRONLY | O_CREAT | O_EXCL, 0600);

or by using the `mkstemps' function from libiberty.

   In bash, use `set -C' to avoid this problem.
automatically generated by info2www version 1.2.2.9