[ < ] [ > ]   [ << ] [ Up ] [ >> ]         [Top] [Contents] [Index] [ ? ]

4. Program Behavior for All Programs

This node describes conventions for writing robust software. It also describes general standards for error messages, the command line interface, and how libraries should behave.

4.1 Writing Robust Programs  Writing robust programs
4.2 Library Behavior  Library behavior
4.3 Formatting Error Messages  Formatting error messages
4.4 Standards for Interfaces Generally  Standards about interfaces generally
4.5 Standards for Graphical Interfaces  Standards for graphical interfaces
4.6 Standards for Command Line Interfaces  Standards for command line interfaces
4.7 Table of Long Options  Table of long options
4.8 Memory Usage  When and how to care about memory needs
4.9 File Usage  Which files to use, and where

[ < ] [ > ]   [ << ] [ Up ] [ >> ]         [Top] [Contents] [Index] [ ? ]

4.1 Writing Robust Programs

Avoid arbitrary limits on the length or number of any data structure, including file names, lines, files, and symbols, by allocating all data structures dynamically. In most Unix utilities, "long lines are silently truncated". This is not acceptable in a GNU utility.

Utilities reading files should not drop NUL characters, or any other nonprinting characters including those with codes above 0177. The only sensible exceptions would be utilities specifically intended for interface to certain types of terminals or printers that can't handle those characters. Whenever possible, try to make programs work properly with sequences of bytes that represent multibyte characters, using encodings such as UTF-8 and others.

Check every system call for an error return, unless you know you wish to ignore errors. Include the system error text (from perror or equivalent) in every error message resulting from a failing system call, as well as the name of the file if any and the name of the utility. Just "cannot open foo.c" or "stat failed" is not sufficient.

Check every call to malloc or realloc to see if it returned zero. Check realloc even if you are making the block smaller; in a system that rounds block sizes to a power of 2, realloc may get a different block if you ask for less space.

In Unix, realloc can destroy the storage block if it returns zero. GNU realloc does not have this bug: if it fails, the original block is unchanged. Feel free to assume the bug is fixed. If you wish to run your program on Unix, and wish to avoid lossage in this case, you can use the GNU malloc.

You must expect free to alter the contents of the block that was freed. Anything you want to fetch from the block, you must fetch before calling free.

If malloc fails in a noninteractive program, make that a fatal error. In an interactive program (one that reads commands from the user), it is better to abort the command and return to the command reader loop. This allows the user to kill other processes to free up virtual memory, and then try the command again.

Use getopt_long to decode arguments, unless the argument syntax makes this unreasonable.

When static storage is to be written in during program execution, use explicit C code to initialize it. Reserve C initialized declarations for data that will not be changed.

Try to avoid low-level interfaces to obscure Unix data structures (such as file directories, utmp, or the layout of kernel memory), since these are less likely to work compatibly. If you need to find all the files in a directory, use readdir or some other high-level interface. These are supported compatibly by GNU.

The preferred signal handling facilities are the BSD variant of signal, and the POSIX sigaction function; the alternative USG signal interface is an inferior design.

Nowadays, using the POSIX signal functions may be the easiest way to make a program portable. If you use signal, then on GNU/Linux systems running GNU libc version 1, you should include `bsd/signal.h' instead of `signal.h', so as to get BSD behavior. It is up to you whether to support systems where signal has only the USG behavior, or give up on them.

In error checks that detect "impossible" conditions, just abort. There is usually no point in printing any message. These checks indicate the existence of bugs. Whoever wants to fix the bugs will have to read the source code and run a debugger. So explain the problem with comments in the source. The relevant data will be in variables, which are easy to examine with the debugger, so there is no point moving them elsewhere.

Do not use a count of errors as the exit status for a program. That does not work, because exit status values are limited to 8 bits (0 through 255). A single run of the program might have 256 errors; if you try to return 256 as the exit status, the parent process will see 0 as the status, and it will appear that the program succeeded.

If you make temporary files, check the TMPDIR environment variable; if that variable is defined, use the specified directory instead of `/tmp'.

In addition, be aware that there is a possible security problem when creating temporary files in world-writable directories. In C, you can avoid this problem by creating temporary files in this manner:

fd = open(filename, O_WRONLY | O_CREAT | O_EXCL, 0600);

or by using the mkstemps function from libiberty.

In bash, use set -C to avoid this problem.

[ < ] [ > ]   [ << ] [ Up ] [ >> ]         [Top] [Contents] [Index] [ ? ]

4.2 Library Behavior

Try to make library functions reentrant. If they need to do dynamic storage allocation, at least try to avoid any nonreentrancy aside from that of malloc itself.

Here are certain name conventions for libraries, to avoid name conflicts.

Choose a name prefix for the library, more than two characters long. All external function and variable names should start with this prefix. In addition, there should only be one of these in any given library member. This usually means putting each one in a separate source file.

An exception can be made when two external symbols are always used together, so that no reasonable program could use one without the other; then they can both go in the same file.

External symbols that are not documented entry points for the user should have names beginning with `_'. The `_' should be followed by the chosen name prefix for the library, to prevent collisions with other libraries. These can go in the same files with user entry points if you like.

Static functions and variables can be used as you like and need not fit any naming convention.

[ < ] [ > ]   [ << ] [ Up ] [ >> ]         [Top] [Contents] [Index] [ ? ]

4.3 Formatting Error Messages

Error messages from compilers should look like this:

source-file-name:lineno: message

If you want to mention the column number, use this format:

source-file-name:lineno:column: message

Line numbers should start from 1 at the beginning of the file, and column numbers should start from 1 at the beginning of the line. (Both of these conventions are chosen for compatibility.) Calculate column numbers assuming that space and all ASCII printing characters have equal width, and assuming tab stops every 8 columns.

Error messages from other noninteractive programs should look like this:

program:source-file-name:lineno: message

when there is an appropriate source file, or like this:

program: message

when there is no relevant source file.

If you want to mention the column number, use this format:

program:source-file-name:lineno:column: message

In an interactive program (one that is reading commands from a terminal), it is better not to include the program name in an error message. The place to indicate which program is running is in the prompt or with the screen layout. (When the same program runs with input from a source other than a terminal, it is not interactive and would do best to print error messages using the noninteractive style.)

The string message should not begin with a capital letter when it follows a program name and/or file name. Also, it should not end with a period.

Error messages from interactive programs, and other messages such as usage messages, should start with a capital letter. But they should not end with a period.

[ < ] [ > ]   [ << ] [ Up ] [ >> ]         [Top] [Contents] [Index] [ ? ]

4.4 Standards for Interfaces Generally

Please don't make the behavior of a utility depend on the name used to invoke it. It is useful sometimes to make a link to a utility with a different name, and that should not change what it does.

Instead, use a run time option or a compilation switch or both to select among the alternate behaviors.

Likewise, please don't make the behavior of the program depend on the type of output device it is used with. Device independence is an important principle of the system's design; do not compromise it merely to save someone from typing an option now and then. (Variation in error message syntax when using a terminal is ok, because that is a side issue that people do not depend on.)

If you think one behavior is most useful when the output is to a terminal, and another is most useful when the output is a file or a pipe, then it is usually best to make the default behavior the one that is useful with output to a terminal, and have an option for the other behavior.

Compatibility requires certain programs to depend on the type of output device. It would be disastrous if ls or sh did not do so in the way all users expect. In some of these cases, we supplement the program with a preferred alternate version that does not depend on the output device type. For example, we provide a dir program much like ls except that its default output format is always multi-column format.

[ < ] [ > ]   [ << ] [ Up ] [ >> ]         [Top] [Contents] [Index] [ ? ]

4.5 Standards for Graphical Interfaces

When you write a program that provides a graphical user interface, please make it work with X Windows and the GTK toolkit unless the functionality specifically requires some alternative (for example, "displaying jpeg images while in console mode").

In addition, please provide a command-line interface to control the functionality. (In many cases, the graphical user interface can be a separate program which invokes the command-line program.) This is so that the same jobs can be done from scripts.

Please also consider providing a CORBA interface (for use from GNOME), a library interface (for use from C), and perhaps a keyboard-driven console interface (for use by users from console mode). Once you are doing the work to provide the functionality and the graphical interface, these won't be much extra work.

[ < ] [ > ]   [ << ] [ Up ] [ >> ]         [Top] [Contents] [Index] [ ? ]

4.6 Standards for Command Line Interfaces

It is a good idea to follow the POSIX guidelines for the command-line options of a program. The easiest way to do this is to use getopt to parse them. Note that the GNU version of getopt will normally permit options anywhere among the arguments unless the special argument `--' is used. This is not what POSIX specifies; it is a GNU extension.

Please define long-named options that are equivalent to the single-letter Unix-style options. We hope to make GNU more user friendly this way. This is easy to do with the GNU function getopt_long.

One of the advantages of long-named options is that they can be consistent from program to program. For example, users should be able to expect the "verbose" option of any GNU program which has one, to be spelled precisely `--verbose'. To achieve this uniformity, look at the table of common long-option names when you choose the option names for your program (see section 4.7 Table of Long Options).

It is usually a good idea for file names given as ordinary arguments to be input files only; any output files would be specified using options (preferably `-o' or `--output'). Even if you allow an output file name as an ordinary argument for compatibility, try to provide an option as another way to specify it. This will lead to more consistency among GNU utilities, and fewer idiosyncracies for users to remember.

All programs should support two standard options: `--version' and `--help'.

This option should direct the program to print information about its name, version, origin and legal status, all on standard output, and then exit successfully. Other options and arguments should be ignored once this is seen, and the program should not perform its normal function.

The first line is meant to be easy for a program to parse; the version number proper starts after the last space. In addition, it contains the canonical name for this program, in this format:

GNU Emacs 19.30

The program's name should be a constant string; don't compute it from argv[0]. The idea is to state the standard or canonical name for the program, not its file name. There are other ways to find out the precise file name where a command is found in PATH.

If the program is a subsidiary part of a larger package, mention the package name in parentheses, like this:

emacsserver (GNU Emacs) 19.30

If the package has a version number which is different from this program's version number, you can mention the package version number just before the close-parenthesis.

If you need to mention the version numbers of libraries which are distributed separately from the package which contains this program, you can do so by printing an additional line of version info for each library you want to mention. Use the same format for these lines as for the first line.

Please do not mention all of the libraries that the program uses "just for completeness"---that would produce a lot of unhelpful clutter. Please mention library version numbers only if you find in practice that they are very important to you in debugging.

The following line, after the version number line or lines, should be a copyright notice. If more than one copyright notice is called for, put each on a separate line.

Next should follow a brief statement that the program is free software, and that users are free to copy and change it on certain conditions. If the program is covered by the GNU GPL, say so here. Also mention that there is no warranty, to the extent permitted by law.

It is ok to finish the output with a list of the major authors of the program, as a way of giving credit.

Here's an example of output that follows these rules:

GNU Emacs 19.34.5
Copyright (C) 1996 Free Software Foundation, Inc.
GNU Emacs comes with NO WARRANTY,
to the extent permitted by law.
You may redistribute copies of GNU Emacs
under the terms of the GNU General Public License.
For more information about these matters,
see the files named COPYING.

You should adapt this to your program, of course, filling in the proper year, copyright holder, name of program, and the references to distribution terms, and changing the rest of the wording as necessary.

This copyright notice only needs to mention the most recent year in which changes were made--there's no need to list the years for previous versions' changes. You don't have to mention the name of the program in these notices, if that is inconvenient, since it appeared in the first line.

This option should output brief documentation for how to invoke the program, on standard output, then exit successfully. Other options and arguments should be ignored once this is seen, and the program should not perform its normal function.

Near the end of the `--help' option's output there should be a line that says where to mail bug reports. It should have this format:

Report bugs to mailing-address.

[ < ] [ > ]   [ << ] [ Up ] [ >> ]         [Top] [Contents] [Index] [ ? ]

4.7 Table of Long Options

Here is a table of long options used by GNU programs. It is surely incomplete, but we aim to list all the options that a new program might want to be compatible with. If you use names not already in the table, please send bug-standards@gnu.org a list of them, with their meanings, so we can update the table.

`-N' in tar.

`-a' in du, ls, nm, stty, uname, and unexpand.

`-a' in diff.

`-A' in ls.

`-a' in etags, tee, time; `-r' in tar.

`-a' in cp.

`-n' in shar.

`-l' in m4.

`-a' in diff.

`-v' in gawk.

`-W' in Make.

`-o' in Make.

`-a' in recode.

`-a' in wdiff.

`-A' in ptx.

`-n' in wdiff.

For server programs, run in the background.

`-B' in ctags.

`-f' in shar.

Used in GDB.

Used in GDB.

`-b' in tac.

`-b' in cpio and diff.

`-b' in shar.

Used in cpio and tar.

`-b' in head and tail.

`-b' in ptx.

Used in various programs to make output shorter.

`-c' in head, split, and tail.

`-C' in etags.

`-A' in tar.

Used in various programs to specify the directory to use.

`-c' in chgrp and chown.

`-F' in ls.

`-c' in recode.

`-c' in su; `-x' in GDB.

`-d' in tar.

Used in gawk.

`-Z' in tar and shar.

`-A' in tar.

`-w' in tar.

Used in diff.

`-W copyleft' in gawk.

`-C' in ptx, recode, and wdiff; `-W copyright' in gawk.

Used in GDB.

`-q' in who.

`-l' in du.

Used in tar and cpio.

`-c' in shar.

`-x' in ctags.

`-d' in touch.

`-d' in Make and m4; `-t' in Bison.

`-D' in m4.

`-d' in Bison and ctags.

`-D' in tar.

`-L' in chgrp, chown, cpio, du, ls, and tar.

`-D' in du.

Specify an I/O device (special file name).

`-d' in recode.

`-d' in look.

`-d' in tar.

`-n' in csplit.

Specify the directory to use, in various programs. In ls, it means to show directories themselves rather than their contents. In rm and ln, it means to not treat links to directories specially.

`-x' in strip.

`-X' in strip.

`-n' in Make.

`-e' in diff.

`-z' in csplit.

`-x' in wdiff.

`-z' in wdiff.

`-N' in diff.

`-e' in Make.

`-e' in xargs.

Used in GDB.

Used in makeinfo.

`-o' in m4.

`-b' in ls.

`-X' in tar.

Used in GDB.

`-x' in xargs.

`-e' in unshar.

`-t' in diff.

`-e' in sed.

`-g' in nm.

`-i' in cpio; `-x' in tar.

`-f' in finger.

`-f' in su.

`-E' in m4.

`-f' in info, gawk, Make, mt, and tar; `-n' in sed; `-r' in touch.

`-F' in gawk.

`-b' in Bison.

`-F' in ls.

`-T' in tar.

Used in makeinfo.

`-F' in ptx.

`-y' in Bison.

`-f' in tail.

Used in makeinfo.

`-f' in cp, ln, mv, and rm.

`-F' in shar.

For server programs, run in the foreground; in other words, don't do anything special to run the server in the background.

Used in ls, time, and ptx.

`-F' in m4.

Used in GDB.

`-g' in ptx.

`-x' in tar.

`-i' in ul.

`-g' in recode.

`-g' in install.

`-z' in tar and shar.

`-H' in m4.

`-h' in objdump and recode

`-H' in who.

Used to ask for brief usage information.

`-d' in shar.

`-q' in ls.

In makeinfo, output HTML.

`-u' in who.

`-D' in diff.

`-I' in ls; `-x' in recode.

`-w' in diff.

`-B' in ls.

`-B' in diff.

`-f' in look and ptx; `-i' in diff and wdiff.

`-i' in Make.

`-i' in ptx.

`-I' in etags.

`-f' in Oleo.

`-i' in tee.

`-I' in diff.

`-b' in diff.

`-i' in tar.

`-i' in etags; `-I' in m4.

`-I' in Make.

`-G' in tar.

`-i', `-l', and `-m' in Finger.

In some programs, specify the name of the file to read as the user's init file.

`-i' in expand.

`-T' in diff.

`-i' in ls.

`-i' in cp, ln, mv, rm; `-e' in m4; `-p' in xargs; `-w' in tar.

`-p' in shar.

Used in date

`-j' in Make.

`-n' in Make.

`-k' in Make.

`-k' in csplit.

`-k' in du and ls.

`-l' in etags.

`-l' in wdiff.

`-g' in shar.

`-C' in split.

Used in split, head, and tail.

`-l' in cpio.

Used in gawk.

`-t' in cpio; `-l' in recode.

`-t' in tar.

`-N' in ls.

`-l' in Make.

Used in su.

No listing of which programs already use this; someone should check to see if any actually do, and tell gnu@gnu.org.

`-M' in ptx.

`-m' in hello and uname.

`-d' in cpio.

`-f' in Make.

Used in GDB.

`-n' in xargs.

`-n' in xargs.

`-l' in xargs.

`-l' in Make.

`-P' in xargs.

`-T' in who.

`-T' in who.

`-d' in diff.

`-M' in shar.

`-m' in install, mkdir, and mkfifo.

`-m' in tar.

`-M' in tar.

`-a' in Bison.

`-L' in m4.

`-a' in shar.

`-W' in Make.

`-r' in Make.

`-w' in shar.

`-x' in shar.

`-3' in wdiff.

`-c' in touch.

`-D' in etags.

`-1' in wdiff.

`-d' in cp.

`-2' in wdiff.

`-S' in Make.

`-l' in Bison.

`-P' in shar.

`-e' in gprof.

`-R' in etags.

`-p' in nm.

Used in makeinfo.

`-a' in gprof.

`-E' in gprof.

`-m' in shar.

Used in makeinfo.

Used in emacsclient.

Used in various programs to inhibit warnings.

`-n' in info.

`-n' in uname.

`-f' in cpio.

`-n' in objdump.

`-0' in xargs.

`-n' in cat.

`-b' in cat.

`-n' in nm.

`-n' in cpio and ls.

Used in GDB.

`-o' in tar.

`-o' in Make.

`-l' in tar, cp, and du.

`-o' in ptx.

`-f' in gprof.

`-F' in gprof.

`-o' in getopt, fdlist, fdmount, fdmountd, and fdumount.

In various programs, specify the output file name.

`-o' in shar.

`-o' in rm.

`-c' in unshar.

`-o' in install.

`-l' in diff.

Used in makeinfo.

`-p' in mkdir and rmdir.

`-p' in ul.

`-p' in cpio.

`-P' in finger.

`-c' in cpio and tar.

Used in gawk.

`-P' in m4.

`-f' in csplit.

Used in tar and cp.

`-p' in su.

`-m' in cpio.

`-s' in tar.

`-p' in tar.

`-l' in diff.

`-L' in cmp.

`-p' in Make.

`-w' in Make.

`-o' in nm.

`-s' in nm.

`-p' in wdiff.

`-p' in ed.

Specify an HTTP proxy.

`-X' in shar.

`-q' in Make.

Used in many programs to inhibit the usual output. Every program accepting `--quiet' should accept `--silent' as a synonym.

`-Q' in shar

`-Q' in ls.

`-n' in diff.

Used in gawk.

`-B' in tar.

Used in GDB.

`-n' in Make.

`-R' in tar.

Used in chgrp, chown, cp, ls, diff, and rm.

Used in makeinfo.

`-r' in ptx.

`-r' in tac and etags.

`-r' in uname.

`-R' in m4.

`-r' in objdump.

`-r' in cpio.

`-i' in xargs.

`-s' in diff.

`-a' in cpio.

`-r' in ls and nm.

`-f' in diff.

`-R' in ptx.

`-s' in tar.

`-p' in tar.

`-g' in stty.

Used in GDB.

`-S' in ptx.

`-S' in du.

`-s' in tac.

Used by recode to chose files or pipes for sequencing passes.

`-s' in su.

`-A' in cat.

`-p' in diff.

`-E' in cat.

`-F' in diff.

`-T' in cat.

Used in many programs to inhibit the usual output. Every program accepting `--silent' should accept `--quiet' as a synonym.

`-s' in ls.

Specify a file descriptor for a network server to use for its socket, instead of opening and binding a new socket. This provides a way to run, in a nonpriveledged process, a server that normally needs a reserved port number.

Used in ls.

`-W source' in gawk.

`-S' in tar.

`-H' in diff.

`-E' in unshar.

`-L' in shar.

`-s' in cat.

`-w' in wdiff.

`-y' in wdiff.

Used in tar and diff to specify which file within a directory to start processing with.

`-s' in wdiff.

`-S' in shar.

`-S' in Make.

`-s' in recode.

`-s' in install.

`-s' in strip.

`-S' in strip.

`-s' in shar.

`-S' in cp, ln, mv.

`-b' in csplit.

`-s' in gprof.

`-s' in du.

`-s' in ln.

Used in GDB and objdump.

`-s' in m4.

`-s' in uname.

`-t' in expand and unexpand.

`-T' in ls.

`-T' in tput and ul. `-t' in wdiff.

`-a' in diff.

`-T' in shar.

Used in ls and touch.

Specify how long to wait before giving up on some operation.

`-O' in tar.

`-c' in du.

`-t' in Make, ranlib, and recode.

`-t' in m4.

`-t' in hello; `-W traditional' in gawk; `-G' in ed, m4, and ptx.

Used in GDB.

`-t' in ctags.

`-T' in ctags.

`-t' in ptx.

`-z' in tar.

`-u' in cpio.

`-U' in m4.

`-u' in nm.

`-u' in cp, ctags, mv, tar.

Used in gawk; same as `--help'.

`-B' in shar.

`-V' in shar.

Print more information about progress. Many programs support this.

`-W' in tar.

Print the version number.

`-V' in cp, ln, mv.

`-v' in ctags.

`-V' in tar.

`-W' in Make.

`-l' in shar.

`-w' in ls and ptx.

`-W' in ptx.

`-T' in who.

`-z' in gprof.

[ < ] [ > ]   [ << ] [ Up ] [ >> ]         [Top] [Contents] [Index] [ ? ]

4.8 Memory Usage

If a program typically uses just a few meg of memory, don't bother making any effort to reduce memory usage. For example, if it is impractical for other reasons to operate on files more than a few meg long, it is reasonable to read entire input files into core to operate on them.

However, for programs such as cat or tail, that can usefully operate on very large files, it is important to avoid using a technique that would artificially limit the size of files it can handle. If a program works by lines and could be applied to arbitrary user-supplied input files, it should keep only a line in memory, because this is not very hard and users will want to be able to operate on input files that are bigger than will fit in core all at once.

If your program creates complicated data structures, just make them in core and give a fatal error if malloc returns zero.

[ < ] [ > ]   [ << ] [ Up ] [ >> ]         [Top] [Contents] [Index] [ ? ]

4.9 File Usage

Programs should be prepared to operate when `/usr' and `/etc' are read-only file systems. Thus, if the program manages log files, lock files, backup files, score files, or any other files which are modified for internal purposes, these files should not be stored in `/usr' or `/etc'.

There are two exceptions. `/etc' is used to store system configuration information; it is reasonable for a program to modify files in `/etc' when its job is to update the system configuration. Also, if the user explicitly asks to modify one file in a directory, it is reasonable for the program to store other files in the same directory.

[ << ] [ >> ]           [Top] [Contents] [Index] [ ? ]

This document was generated by XEmacs Webmaster on August, 3 2012 using texi2html