Program Behavior for All Programs

Avoid arbitrary limits on the length or number of any data structure, including filenames, lines, files, and symbols, by allocating all data structures dynamically. In most Unix utilities, "long lines are silently truncated". This is not acceptable in a GNU utility.

Utilities reading files should not drop NUL characters, or any other nonprinting characters including those with codes above 0177. The only sensible exceptions would be utilities specifically intended for interface to certain types of printers that can't handle those characters.

Check every system call for an error return, unless you know you wish to ignore errors. Include the system error text (from perror or equivalent) in every error message resulting from a failing system call, as well as the name of the file if any and the name of the utility. Just "cannot open foo.c" or "stat failed" is not sufficient.

Check every call to malloc or realloc to see if it returned zero. Check realloc even if you are making the block smaller; in a system that rounds block sizes to a power of 2, realloc may get a different block if you ask for less space.

In Unix, realloc can destroy the storage block if it returns zero. GNU realloc does not have this bug: if it fails, the original block is unchanged. Feel free to assume the bug is fixed. If you wish to run your program on Unix, and wish to avoid lossage in this case, you can use the GNU malloc.

You must expect free to alter the contents of the block that was freed. Anything you want to fetch from the block, you must fetch before calling free.
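The following C sketch is an added example, not code from the GNU standards: it reads a line of any length without truncating it, keeps NUL and high-bit bytes, and checks malloc and realloc without losing the original block on failure. The name read_line and the 64-byte starting size are assumptions chosen for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: read one line of any length from fp. Returns a
   malloc'd buffer (caller frees) and stores its byte count in *len.
   Returns NULL at end of file or on failure; ferror(fp) tells them apart. */
char *read_line(FILE *fp, size_t *len)
{
    size_t cap = 64, n = 0;
    char *buf = malloc(cap), *tmp;
    int c;

    if (buf == NULL)
        return NULL;
    while ((c = getc(fp)) != EOF) {
        if (n + 1 == cap) {             /* full: grow, never truncate */
            /* Refuse a doubling that would overflow size_t, and keep the
               old pointer in buf until realloc is known to have succeeded. */
            if (cap > SIZE_MAX / 2 || (tmp = realloc(buf, cap * 2)) == NULL) {
                free(buf);              /* old block is still ours to free */
                errno = ENOMEM;
                return NULL;
            }
            buf = tmp;
            cap *= 2;
        }
        buf[n++] = (char)c;             /* NUL and bytes above 0177 are kept */
        if (c == '\n')
            break;
    }
    if (ferror(fp) || n == 0) {         /* read error, or nothing left */
        free(buf);
        return NULL;
    }
    buf[n] = '\0';                      /* convenience; *len is the real length */
    *len = n;
    return buf;
}
```

Callers must use the returned length rather than strlen, since a line may contain NUL bytes.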

Use getopt_long to decode arguments, unless the argument syntax makes this unreasonable.

When static storage is to be written in during program execution, use explicit C code to initialize it. Reserve C initialized declarations for data that will not be changed.

Try to avoid low-level interfaces to obscure Unix data structures (such as file directories, utmp, or the layout of kernel memory), since these are less likely to work compatibly. If you need to find all the files in a directory, use readdir or some other high-level interface. These will be supported compatibly by GNU.

By default, the GNU system will provide the signal handling functions of BSD and of POSIX. So GNU software should be written to use these.

In error checks that detect "impossible" conditions, just abort. There is usually no point in printing any message. These checks indicate the existence of bugs. Whoever wants to fix the bugs will have to read the source code and run a debugger. So explain the problem with comments in the source. The relevant data will be in variables, which are easy to examine with the debugger, so there is no point moving them elsewhere.
