
OMS

Standard
C programming rules

OMS report number 2001-02



Version number: 1.2, November 20, 2002


Administrator: OMS Help Desk
Copyright: WL | Delft Hydraulics
Ministry of Transport, Public Works and Water Management
Programming Standard C

4 of 58 1.2, November 20, 2002


Preface

In the Netherlands two advanced integrated modelling systems are operational for the prediction of
flow and transport phenomena of water related problems. At the Dutch Rijkswaterstaat (RWS) the
SIMONA system has been developed, whereas Delft3D is the integrated flow and transport modelling
system of WL | Delft Hydraulics for the aquatic environment. Modules for hydrodynamics, water
quality, ecology, waves and morphology are available to examine phenomena in coastal, river and
estuarine areas. For example, these systems are currently being used in a system for determining the
consequences of a calamitous discharge of pollutants, in a system that calculates the result of changes
in the forelands of a river and in a system that operates the large storm surge barriers in the
Netherlands.

The functionality of both modelling systems is constantly improved and extended as a result of many
consultancy and research projects and of the feedback from their users. Both SIMONA and Delft3D have
now existed for more than ten years. Both systems have become large and, more importantly, rather complex.
This is due to the large variety of functionality within the modules and to the many cross-links
between the modules in the two systems. It has been observed that both systems lack the flexibility
needed to improve them further. Consequently, the costs of further development and maintenance of
these modelling systems are rapidly increasing, and will soon grow beyond the capabilities of one
organisation. This is the reason why Dutch Rijkswaterstaat and WL | Delft Hydraulics decided to
co-operate in a public private partnership to develop a new modelling system, which is called the Open
Modelling System (OMS).

In August 2000 an agreement between the Dutch Rijkswaterstaat and WL | Delft Hydraulics was
signed in order to migrate from their current modelling systems, being SIMONA and Delft3D,
respectively, to one Dutch Open Modelling System (OMS). Top priorities in the migration phase are
integrity and stability of intermediate releases and transparency of the migration to users of both
systems. The aim of this integration is to be able to meet future demands of users with respect to
functionality, flexibility, accessibility, modularity and performance.

The new Open Modelling System should be open to new functionality and developments, which is not
the case in the present systems SIMONA and Delft3D-FLOW. Moreover, the OMS system should
allow connectivity to standard software packages, such as GIS, database software and software for pre-
and post-processing and visualisation. The use of industrial standards for communication and data
storage should guarantee a better access to commercially available software. Summarising, the OMS
system will lead to a more flexible environment, both from developers' and from users' points of view.

In February 2001 two projects were started to realise the OMS system, namely for:

1. the first phase of the development of the OMS system

2. defining the OMS maintenance and support organisation

As part of the second project C programming rules are defined to guarantee the reliability and stability
of the OMS modelling suite. The aim of these C programming rules is to meet future demands of users
with respect to functionality, flexibility, accessibility, modularity and performance.



Contents

1 DECLARATIONS   11
1.1 Variables   11
1.2 Global (external) variables   11
1.3 Constants   12
1.4 Type variables   12
1.5 Macros   13
1.6 Prototypes   13
1.7 Pointer prefix   14

2 CONTROL STATEMENTS   15
2.1 General   15
2.2 Loop constructs   15
2.2.1 For-loops   16
2.2.2 While-loops   16
2.2.3 Do-while loops   17
2.2.4 Notes on the above   17
2.2.5 Examples   17
2.3 Selections via switch/case   18
2.4 Conditional statements   18
2.5 Subroutines and functions   19
2.6 Error handling   20
2.7 Using the C preprocessor   21

3 USING I/O   23
3.1 Opening and closing files   23
3.2 Standard input and output   23
3.3 Reading and writing   23

4 EXPRESSIONS AND ASSIGNMENTS   27
4.1 Varargs   27
4.2 True and false   27
4.3 Parentheses   27
4.4 Implicit assignments   27
4.5 Conditional expressions   28
4.6 Loop conditions   28
4.7 Token pasting   29
4.8 Debug statements   29
4.9 General   29
4.10 Errors and functions   29
4.11 Pointers and functions   29
4.12 Type casting   30
4.13 NULL pointers   30

5 FILE ORGANISATION   31
5.1 Source files   31
5.2 Include files   32

6 LAYOUT, INTERNAL DOCUMENTATION   35
6.1 Naming conventions   35
6.2 Language   35
6.3 Order of program text parts   35
6.4 Comment   36
6.5 Alignment of declarations   37
6.6 Statements   37
6.7 Assignments and expressions   37
6.8 Letters   37
6.9 Line length   38
6.10 File length   38
6.11 Function length   38
6.12 Spaces   38
6.13 Braces   38
6.14 Indentation   39
6.15 Empty lines   39
6.16 Fileheader   39
6.17 Function header   39
6.18 Functions and parameters   40
6.19 Variable/constant   40
6.20 Version information   41

7 RECOMMENDATIONS   42
7.1 Source and include files   42
7.2 Names of routines and functions   43

8 PROHIBITED STATEMENTS AND CONSTRUCTIONS   45
8.1 Forbidden data types   45
8.2 Null statement   45
8.3 Forbidden standard functions   45
8.4 Illegal use of pre-processor constructs   45
8.5 Illegal use of functions   46

9 REFERENCES   49

APPENDIX A LOG SHEET   51
APPENDIX B SET/GET FUNCTIONS   53
APPENDIX C EXAMPLES   55
C.1 Example C module (.c)   55
C.2 Example C header file (.h)   58



1 Declarations

1.1 Variables
Each variable must be declared on a separate line.

Each variable must be explained by means of a comment string. This comment string will be placed
directly after the declaration or definition and may be continued on one new line at the most.

Local variables must be declared at the beginning of a function and also at the beginning of a block.
All basic variables (int, float, char, long, short and double) are initialised at declaration. Don’t assume
the compiler will initialise variables to zero or blanks for you. Exceptions to this rule are static and
external variables; according to ANSI C these are always initialised to zero. Mind the usage of
already defined functions.

Examples:

Compliant:

long lower = 0; /* Lower bound */
long upper = 300; /* Upper bound */
long step = 20; /* Step size */
float eps = 1.0e-5; /* Smallest difference */
char c = '\\'; /* Escape char */

Not compliant:

int lower, upper, step;
float eps;
char c;

1.2 Global (external) variables


Global variables are inevitable from time to time:

• It may be necessary to keep the state of the program in a globally available structure, because in
most user-interfaces the callback functions that are typically used to handle window events do not
allow an arbitrary argument list.

• It may be necessary to pass information on to higher-level routines, for instance error conditions
and there is no way (because of third-party libraries) to handle this information flow via an
argument that is passed by reference.

• When using such tools as Yacc and Lex, information is mainly transferred via global variables, as
there is no other way.

Therefore we need an etiquette for the use of global variables. This etiquette is given below:

The use of global variables is forbidden (with or without the static attribute), unless they are contained
in a structure. The definition of this structure is contained in an include file as a separate user-defined
type (typedef).

Any routine seeking to use this globally available structure should obtain a pointer to it either via its
argument list or via a function call:


In the include file:

/* Definition of the program state */
typedef struct _ProgramState {
…
} ProgramState, *ProgramStatePtr;

/* Auxiliary function - obtain the program state */
ProgramStatePtr GetProgramState(void);

In some routine:

long routine( …, ProgramStatePtr statep, … )
{
…
/* Update the program state */
…
}

Or alternatively:

long routine( … )
{
ProgramStatePtr statep; /* Program state */

statep = GetProgramState();
…
/* Update the program state */
…
}

The global variables within this structure can best be updated via get/set routines, rather than direct
assignments to the individual fields, as this makes the application less susceptible to changes in the
structure.

One advantage of using structures and pointers to these structures is that, should it become necessary
to distinguish several such items, one can simply allocate a new structure of this type and fill it.
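As an added example (not the standard's own code), the etiquette of this section carried through in C: the typedef names and GetProgramState() come from the text above, while the fields, the MAX_NAME_LEN bound and the set/get routines are assumptions for this illustration.

```c
/* Added example: global state behind a structure, an accessor and set/get routines.
 * Field names, MAX_NAME_LEN and the set/get routines are assumptions. */
#include <stddef.h>
#include <string.h>

#define MAX_NAME_LEN 32 /* Assumed bound on the run name, including the '\0' */

/* Definition of the program state (normally in an include file) */
typedef struct _ProgramState {
    long verbosity;              /* 0 = quiet ... 3 = debug */
    long error_count;            /* Number of errors seen so far */
    char run_name[MAX_NAME_LEN]; /* Name of the current run */
} ProgramState, *ProgramStatePtr;

/* The one and only state object: file-static, reachable only via the accessor */
static ProgramState g_state = { 1, 0, "unnamed" };

/* Auxiliary function - obtain the program state */
ProgramStatePtr GetProgramState(void)
{
    return &g_state;
}

/* Set routine: validates the range; returns 0 (OK) or -1 (error) */
long SetVerbosity( ProgramStatePtr statep, long level )
{
    if ( statep == NULL || level < 0 || level > 3 )
    {
        return -1;               /* Rejected: the state is left untouched */
    }
    statep->verbosity = level;
    return 0;
}

/* Note: "const ProgramStatePtr" would make the pointer const, not the structure,
 * so the read-only parameter is spelled out as "const ProgramState *" */
long GetVerbosity( const ProgramState *statep )
{
    return statep->verbosity;
}

/* Set routine: refuses names that would not fit, so the field is never overrun */
long SetRunName( ProgramStatePtr statep, const char *name )
{
    size_t len = 0;              /* Length of the incoming name */

    if ( statep == NULL || name == NULL )
    {
        return -1;
    }
    len = strlen( name );
    if ( len >= MAX_NAME_LEN )
    {
        return -1;               /* Too long: caller is told, state unchanged */
    }
    memcpy( statep->run_name, name, len + 1 );
    return 0;
}

const char *GetRunName( const ProgramState *statep )
{
    return statep->run_name;
}

/* A routine that reaches the state via the accessor (the second form above).
 * Returns the new error count, or -1 if no state is available. */
long CountError(void)
{
    ProgramStatePtr statep = NULL; /* Program state */

    statep = GetProgramState();
    if ( statep == NULL )
    {
        return -1;
    }
    statep->error_count++;
    return statep->error_count;
}
```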

1.3 Constants
The best way to define constants is to declare them with the const qualifier. This way you specify
that the value will not be changed. Using the const qualifier for an array states that its elements will
not be altered; when used for an array argument it indicates that the function does not change that
array. An advantage is that the compiler checks the variables that have been declared with the const
qualifier.

Examples:

const long number = 42; /* Crucial number */
const double e = 2.71828182845905; /* Math's exp(1) */
const char msg [ ] = "warning : "; /* Prefix for messages */

long KeyValue( const char [ ] );

1.4 Type variables


Types play an important role in C programming. C provides a facility called typedef for creating
new data type names, to be used as more explanatory synonyms. Especially use typedef for multi-
dimensional arrays, pointers to functions or pointers to user-defined structures.

Caution:

The range of some basic C types is platform dependent or even compiler dependent. For that reason
porting an information system from one platform to another may require adjustments to that information
system. This is hardly avoidable in those cases where software layers are very close to the ANSI
library. Therefore the usage of typedefs is deprecated for the ‘lower’ software layers.

Some example type definitions:

typedef int Length; /* type declaration */
Length len; /* length of a word */
Length maxlen; /* maximum length */

typedef char * pString; /* type declaration */
pString p; /* local string */
pString lineptr[MAXLINES]; /* string pointer array */

1.5 Macros
Use macros (#define) to define constants and only leave trivial constants (such as 0 and 1)
unchanged in the code. Preferably use a module prefix for a macro from a dedicated module.

Always use capitals when naming the macro and take care not to redefine a predefined macro like
BUFSIZ (defined in stdio.h) or M_PI (often defined in math.h).

Always use parentheses in the expressions of a macro. This avoids an incorrect evaluation of the
expression.

Using a set of macro definitions where an enumerated type definition can be used is not allowed:

Compliant:

enum months {
JAN = 1,
FEB,
…
DEC };

Not compliant:

#define JAN 1
#define FEB 2
…
#define DEC 12

Note: Beware of side effects when using a macro, for instance when increments might be used in the
parameters to the macro.

The description of a #define constant or macro has to be placed before the definition, for example
(otherwise the comment might become part of the macro’s value):

/* Code for closing an experiment-object */


#define CLS_EXP_OBJ 100
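As an added example (not from the standard), the two pitfalls behind the parentheses rule and the side-effect note above, made concrete in C; the macros SQUARE_UNSAFE, SQUARE and MAX and the functions around them are invented for this illustration.

```c
/* Added example: why macros need parentheses and why side effects in their
 * arguments are dangerous. All names below are invented for the illustration. */

#define SQUARE_UNSAFE(x) x * x              /* Not compliant: no parentheses */
#define SQUARE(x) ((x) * (x))               /* Compliant */
#define MAX(a, b) (((a) > (b)) ? (a) : (b)) /* Compliant, but evaluates a twice */

/* SQUARE_UNSAFE( n + 1 ) expands to n + 1 * n + 1, i.e. 2*n + 1, not (n+1)^2 */
long SquareUnsafeOfPlusOne( long n )
{
    return SQUARE_UNSAFE( n + 1 );
}

/* SQUARE( n + 1 ) expands to ((n + 1) * (n + 1)), as intended */
long SquareOfPlusOne( long n )
{
    return SQUARE( n + 1 );
}

/* MAX( n++, limit ) expands to (((n++) > (limit)) ? (n++) : (limit)):
 * the increment runs twice whenever n wins the comparison.
 * Returns the value of the counter after the statement. */
long CounterAfterUnsafeMax( long i, long limit )
{
    long n = i;      /* Local copy, so the by-value argument is not changed */
    long result = 0; /* Result of the macro, not needed further here */

    result = MAX( n++, limit ); /* Not compliant: side effect in a macro argument */
    (void) result;
    return n;
}

/* Compliant: the increment is a separate statement, so it happens exactly once */
long CounterAfterMax( long i, long limit )
{
    long n = i;      /* Local copy */
    long result = 0; /* Result of the macro, not needed further here */

    result = MAX( n, limit );
    n++;
    (void) result;
    return n;
}
```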

1.6 Prototypes
When using an (external) function the existence of a declaration of the so-called function prototype is
required. It is an error if the definition of a function or any use of it does not agree with its prototype.
An important reason for function prototyping is improved software maintenance and the type
checking performed by a standard-compliant compiler.

Function prototypes have to be declared in a header (*.h) file. The header file containing the required
prototypes may only be brought in with an #include statement. To be sure the function
prototypes and function definitions are the same, the header file with the function prototypes must also be
included in the .c file with the function definitions.


Use the const keyword for function parameters that will not change and the keyword void for a
function that returns no value. This will explain something about the parameter as well as the function
and, moreover, the compiler can check for certain errors that violate these constraints.

If a function has no parameters, the keyword void (instead of empty parentheses) has to be used.
Leaving out void means the list of parameters can be anything – checking by the compiler is then
impossible.

Note: The rules mentioned above concern all functions.

Example:
void GiveMessage (
long state,
long message_type,
char * text );

1.7 Pointer prefix


For the naming of variables that will be used as pointers a type prefix ‘p’ is required. The prefix is the
first character of the name, placed directly before the variable name.

Examples:
double * pWlevel; /* waterlevel */
long * pMmax; /* size M-direction */
char ** pstrings; /* Array of strings */


2 Control statements

2.1 General
Each language has its so-called idiom (cf. Kernighan and Pike, 1999). For C (and C-like languages,
such as C++ and Java) this includes:
• The way for-loops are normally set up
• The use of certain functions, especially the functions from the standard library
• The use of return values, such as 0 and 1

Knowing the idiom and using it is crucial: if you do not follow that style of programming, the readers
of your programs can very easily get confused and make mistakes that could have been avoided.

For instance, a function that is able to do its job will normally return zero to indicate this. So, using a
function that returns 1 instead to indicate everything was fine, goes against the grain. Similarly, it is
customary in C to use counters and indices that start at zero, rather than at 1. Use this and similar
conventions at all times. This chapter helps identifying the most common idiom and specifies several
additional constructions and keywords. All are meant to help creating robust and maintainable
programs.

A corollary to the above statements is: Use the standard functions whenever possible. This applies in
particular to string manipulation functions (such as strcmp()) and character type functions (such as
isalpha()). Besides the ones defined in the ISO C standard, we also define the following as part of the
OMS portability library:
• mkfilename() to construct the full path (directory and name) for a file from its parts
• strdup() to duplicate a string

Several general restrictions apply:


• Logical expressions must be kept simple
If the expression requires the evaluation of more than two sub-expressions (so at least two logical
operators), it must be split into parts (for instance, by assigning partial results to variables with a
meaningful name).
• None of the expressions may have side effects
The use of side effects, especially in compound logical expressions, can lead to difficult subtleties,
because C programs will evaluate such expressions in a lazy manner. Put simply: never use side
effects (increment operator etc.), unless explicitly allowed in special constructs by this standard.
• Keep the nesting depth within bounds
If you find that you need more than, say, four levels of nesting, you are probably better off putting
the inner constructions in a separate function or subroutine.

2.2 Loop constructs


C has three different loop constructs:
• for-loops to loop over a predefined set of values or items
• while-loops to loop until a certain condition is no longer valid
• do-while loops to loop at least once


2.2.1 For-loops
The for-loops have two common forms:

• Looping over a set of integers:


for ( i = 0; i < n; i ++ )
{

}

Crucial aspects are:


• The index starts at zero
• The index is incremented by 1 in the third part of the for-statement, using an increment operator
• The condition is that the index must be lower than a constant value
• Neither the index nor the upper bound are changed within the body of the loop
• You may get a variation to this type of loop by iterating backwards:
for ( i = n-1; i >= 0; i -- )
{

}

In all cases: observe the standard expressions

• Looping over a set of items (a linked list for instance):


for ( elem = get_first( list );
elem != NULL;
elem = get_next( list, elem ) )
{

}

Crucial aspects are:


• The initialisation part picks up the first element and the iteration part picks up the next one.
• The loop is continued as long as there are elements in the set that have not been visited yet.
• The set is not changed during the iteration, because this could lead to very awkward behaviour
(e.g. if you append a copy of the current element, the iteration would never end!)

2.2.2 While-loops
The while-loop has three acceptable forms, whereas the do-while loop has only one:
while ( some_condition )
{

}

with two special cases:

• Reading a file:


while ( fgets( string, sizeof(string), infile ) != NULL )
{

}

The reason to allow this construction is that it is accepted idiom (cf. Kernighan and Pike) and that
alternatives would require more logic or a slightly awkward sequencing (reading the line at the end of
the loop for instance).

• The equivalent to the infinite for-loop:


while ( 1 )
{

}


2.2.3 Do-while loops


Do-while loops are not allowed. Their effect can be achieved with ordinary while loops.

2.2.4 Notes on the above


• The condition should be used to terminate the loop whenever possible, instead of a break
statement.
• The choice for an infinite for-loop or an infinite while-loop is not a matter of taste within OMS.
Within OMS we have chosen for the infinite while-loop, as this is syntactically the clearest one.
• The idiom of the for-loop excludes the use of multiple assignments in the initialisation and
iteration.
• The index variable must be an integer. Reals, characters or pointers to characters are not
allowed. Otherwise, the iteration is not well defined.

2.2.5 Examples
Here are some examples of loops that are not allowed and their corrected alternatives:

• Multiple assignments in the various parts of the controlling part of the for-loop

Compliant:

j = 0;
for ( i = 0; i < n; i++ )
{
…
j ++;
}

Not compliant:

for ( i = 0, j = 0;
i < n; i++, j++ )
{
…
}

(Easy mistake, edited version of the above)

for ( i = 0, j = 0;
i < n; j++ )
{
…
}

The reason for this is that it is very easy to make mistakes that are hard to spot (see the second
example above).

• Side effects are used to eliminate the while-loop’s body:

Compliant:

pstr = string;
while ( *pstr != '\0' )
{
*pstr = toupper( *pstr );
pstr ++;
}

Not compliant:

pstr = string;
while ( (*pstr++ = toupper(*pstr)) != '\0' );


2.3 Selections via switch/case


Switch statements should be used instead of if-else-if constructions if the condition involves the
values of a single integer or character. They are more efficient and, above all, much more readable
than long if-blocks.

We make the following notes:


• Each case must be terminated by a break statement or by a comment that a “fall-through” is
required, so that the lack of the break statement is clear.
• Do not try to be clever: a fall-through works best if the first case has only a few statements or,
preferably, none at all that are specific to the first case. The second case should have no code that
is exclusive to that case.
• All switch statements must have a default case. If this is not supposed to appear in practice, it
must contain a body with proper error handling to indicate that fact.
• Note the indentation: the switch, case, and default keywords should be vertically aligned.
• Use symbolic names as provided by the enum construct, rather than hardwired numbers.

Example:

Compliant:

enum {
CASE0,
CASE1,
CASE2,
CASE3
};

switch ( var )
{
case CASE0: /* Fall through */
case CASE1:
printf( "Typical cases\n" );
break;

case CASE2:
pstr = "Case 2";
printf( "%s\n", pstr );
break;

case CASE3:
pstr = "Case 3";
printf( "%s\n", pstr );
break;

default :
fprintf( stderr,
"Impossible case!" );
break;
}

Not compliant:

switch ( var )
{
case 0:
case 1:
printf( "Typical cases\n" );
break;
case 2:
pstr = "Case 2";
case 3:
if ( var == 3 )
pstr = "Case 3";
printf( "%s\n", pstr );
break;
}

2.4 Conditional statements


General conditions can be applied in if-statements. There are a small number of restrictions, though:
• Do not make the if-blocks too long
Long if-blocks with several else-if statements will quickly become unmanageable. Limit them to at
most 30 lines (so half a page on paper).
• If-blocks with at least one else-if should always have an explicit else branch
Because the if-block is compound, one must catch the possibility that none of the conditions
holds. If there is no reason to assume this ever to be the case, then treat it just as the impossible
default case in a switch-statement.


For example:
if ( strcmp( string1, string2 ) == 0 )
{
… /* First case */
}
else if ( strcmp( string1, string3 ) >= 0 )
{
… /* Second case */
}
else
{
… /* Default processing required! */
}

2.5 Subroutines and functions


All rules concerning the use of subroutines and functions could be summarised as:

Be as explicit as possible in defining the interface

More specifically:
• Use the keyword “const” to indicate that arguments will not change. This enables the compiler to
check illegal or unexpected changes.
• Do not locally change arguments that have been passed by value, even though the changes will
have no effect in the calling routine. It is bad programming.
• Consider the difference between *arg and arg[]. The first can be used as a synonym for passing
by reference or for passing an array. The second explicitly states that an array is expected.
• All subroutines and functions must have a proper prototype.
• Use the ISO style for defining the arguments, not the older K&R style:

Compliant:

long
sample(
long * a, /* Parameter a */
long b, /* Parameter b */
long c ) /* Parameter c */
{
…
}

Not compliant:

int sample( a, b, c )
int *a;
int b, c;
{
…
}

• Use an explicit return statement if the function is supposed to return a value. Do not use an
explicit return if it does not:


Compliant:

long
sample(
long a[], /* Array a */
const long b, /* Param. B */
const long c ) /* Param. C */
{
long retval = 0; /* Return value: 0: OK; <0: error */
long b2; /* Twice b */

b2 = 2*b;
a[0] = b2 ;
a[1] = c ;
a[2] = 0 ;

return retval;
}

Not compliant:

int sample(
int *a,
int b,
int c )
{
b = 2*b; /* b changed! */
a[0] = b; /* a is array */
a[1] = c;
a[2] = 0;
} /* returns no value! */

2.6 Error handling


The following rules apply:

• Check preconditions
Use the standard macro assert() to indicate crucial preconditions, both as a means of
documentation and to terminate the program, should there be no other solution (whether these
checks are compiled in is controlled by the standard pre-processor macro NDEBUG: defining it
removes them).

• Use return codes and error parameters consistently


The protocol for the use of return codes and error parameters is summarised in the table below.

Type of return value     Value in case of error   Remarks
---------------------    ----------------------   ------------------------------------------
Integer (status)         -1                       The standard library uses the value zero
                                                  to indicate everything was okay and
                                                  values unequal to zero to indicate an
                                                  error.
Pointer                  NULL                     Routines that return a pointer to memory
                                                  can only return a NULL to indicate
                                                  something was wrong.
Other (also integers     --                       Always use an explicit error parameter to
that are not a status)                            communicate an error condition. If you
                                                  have a choice, choose a negative integer
                                                  value to indicate something went wrong.

• Do not use the external variable errno


The protocol concerning the variable errno is rather complicated. Proper use of this protocol
assumes that every function uses it correctly and that all programmers understand it. This is an
illusion. Therefore use the protocol outlined above.

• Document what happens in case of an error


It is important to document what happens to the output arguments (if any) in case of an error. If a
programmer expects values to be set to a reasonable value and the arguments are simply not
touched, then problems will occur. Therefore the error handling must be made explicit.


• Use the special macros __FILE__ and __LINE__ to communicate where "impossible" conditions
occurred
Via these macros it is possible to automatically include the position in the source code
where an impossible condition occurred. This does not carry the same information as a full stack
trace, but it saves searching for the right place (note that __LINE__ expands to an integer, so it
needs the %d conversion, not %s):
   default : /* Should never occur */
      fprintf( stderr, "Line %d in %s: Impossible case!\n", __LINE__, __FILE__ );

Even better (the special macros are caught in a standard macro):

   #define INVALID_STATE \
      fprintf( stderr, "Line %d in %s: Impossible case!\n", __LINE__, __FILE__ )

   default : /* Should never occur */
      INVALID_STATE;
      break;
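The protocol of this section applied in one place, as an added example that is not code from the OMS standard: a value-returning function with an explicit error parameter and an assert() precondition, a status function that returns -1, and the INVALID_STATE macro in the default branch of a switch. The unit names, the error codes and the conversion itself are hypothetical and only serve the demonstration.

```c
#include <assert.h>
#include <stdio.h>

/* INVALID_STATE as in section 2.6, with __LINE__ printed via %d (it is an
   integer) and without a trailing semicolon, so "INVALID_STATE;" is a normal
   statement. */
#define INVALID_STATE \
   fprintf( stderr, "Line %d in %s: Impossible case!\n", __LINE__, __FILE__ )

/* Error parameter values (hypothetical): 0 means OK, negative means error */
enum
{
   ERR_NONE           =  0,
   ERR_NEGATIVE_VALUE = -1,
   ERR_UNKNOWN_UNIT   = -2
};

/* Length units (hypothetical) */
enum
{
   UNIT_METRE,
   UNIT_KILOMETRE,
   UNIT_FOOT
};

/* Converts a length to metres. The result is not a status, so the error is
   reported via the explicit parameter *error (row "Other" of the table).
   Precondition: error != NULL. On error the function returns 0.0. */
double
to_metres( double value, int unit, int * error )
{
   assert( error != NULL );   /* crucial precondition, checked unless NDEBUG */

   *error = ERR_NONE;
   if ( value < 0.0 )
   {
      *error = ERR_NEGATIVE_VALUE;
      return 0.0;
   }
   switch ( unit )
   {
      case UNIT_METRE :
         return value;
      case UNIT_KILOMETRE :
         return value * 1000.0;
      case UNIT_FOOT :
         return value * 0.3048;
      default :   /* Should never occur: callers pass one of the UNIT_ values */
         INVALID_STATE;
         *error = ERR_UNKNOWN_UNIT;
         return 0.0;
   }
}

/* Status function (row "Integer (status)" of the table): returns 0 when all
   conversions succeeded and -1 otherwise. Documented error behaviour: out[k]
   is written for every element before the failing one; the failing element and
   all later ones are left untouched. */
int
convert_all( const double * values, const int * units, double * out, int n )
{
   int    k;
   int    error;
   double metres;

   for ( k = 0; k < n; k++ )
   {
      metres = to_metres( values[k], units[k], &error );
      if ( error != ERR_NONE )
      {
         return -1;
      }
      out[k] = metres;
   }
   return 0;
}

int
main( void )
{
   double values[2] = { 1.5, 2.0 };              /* constructed input */
   int    units[2]  = { UNIT_KILOMETRE, UNIT_FOOT };
   double out[2];

   if ( convert_all( values, units, out, 2 ) == 0 )
   {
      printf( "%g m, %g m\n", out[0], out[1] );
   }
   return 0;
}
```

The comment on convert_all() is the "document what happens in case of an error" rule in practice: a caller can rely on out[] up to the failing element and knows the rest is unspecified.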

2.7 Using the C preprocessor


The C preprocessor allows, in principle, many constructs that add power to the C programming
language. However, caution is required, as the conditional statements #if, #ifdef etc. essentially create
multiple versions of the source code in one single file. This means that the use of pre-processor
constructs should be restricted:

• Macros to define constant values are allowed


Statements like:
#define BUFFER_LENGTH 255

are allowed, but consider the following alternatives:


• Using the enum construction to define numerical constants by name (strictly speaking: enumerated
values are not integers)
• Using const variables

The advantage of these alternatives is that the compiler can produce better diagnostics if they are
used wrongly.

• Macros to define functions are not allowed


Macro functions like:
#define veclength(a,b) sqrt((a)*(a)+(b)*(b))

are not allowed, because they have virtually no advantage over ordinary functions, and the
compiler can not always check that the construction is correct. Debugging them is also much
more difficult.

• Creative use of the preprocessor, for example to avoid repetitive code, is allowed, provided this
type of use is well documented.
Practical examples of such use are:
• Interface definitions that have to take care of platform dependencies (the interfacing between Fortran
and C for instance)
• Set and get functions for the individual fields of large structures (see Appendix A):
   #define set( "name", value ) …

rather than a large number of functions like:[1]

   void name_set( value ) { … }

[1] This is to some extent a matter of taste. In OO environments the emphasis is very much on such small
individual set/get routines, rather than a single pair that selects a field.


• Conditional preprocessor statements should not be used, unless to capture platform dependencies
Such statements may certainly not be used to:
• Hide currently unused (old?) code fragments
   /* Old code - should be removed one of these days */
   #if 0
   x = y*y;
   #endif
• Select or deselect debugging statements
   /* Debugging code - needs some reworking though */
   #if DEBUGON
   fprintf( stderr, "x = %f\n", x );
   #endif

The reason is that such code would not get compiled and would not evolve with the rest. Hence
after a cycle or two of maintenance the code is outdated and it probably will not compile correctly.
A better solution in the context of OMS is to use an if-statement with a more or less trivial
condition:[2]
   if ( debug_on )
   {
      … /* Debugging */
   }

[2] An alternative that does use a macro is presented in Chapter 7.
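An added example, not taken from the OMS standard, of why function-like macros are disallowed by this section: the macro below is a squared-length variant of the veclength example (so it needs no libm), and because its arguments are substituted textually, an argument that is a call with a side effect is evaluated twice, whereas the ordinary function evaluates it once and checks its type. next_value(), the counter and START_VALUE are constructed for the demonstration.

```c
#include <stdio.h>

/* Function-like macro in the style of the veclength example: each argument
   appears, and is therefore evaluated, twice. */
#define VECLENGTH_SQ_MACRO(a,b) ((a)*(a)+(b)*(b))

/* The ordinary function that replaces it: every argument is evaluated exactly
   once and the compiler checks its type. */
static long
veclength_sq( long a, long b )
{
   return a*a + b*b;
}

/* A constant by name via enum, as section 2.7 recommends instead of #define */
enum
{
   START_VALUE = 0
};

static long counter = START_VALUE;   /* how often next_value() has run */

/* An argument with a side effect: returns 1, 2, 3, ... on successive calls */
static long
next_value( void )
{
   counter++;
   return counter;
}

/* Returns how many times next_value() was evaluated by the macro (2) */
long
evaluations_with_macro( void )
{
   long length;

   counter = START_VALUE;
   length  = VECLENGTH_SQ_MACRO( next_value(), 0 );   /* expands to two calls */
   printf( "macro:    squared length %ld after %ld evaluations\n", length, counter );
   return counter;
}

/* Returns how many times next_value() was evaluated by the function (1) */
long
evaluations_with_function( void )
{
   long length;

   counter = START_VALUE;
   length  = veclength_sq( next_value(), 0 );
   printf( "function: squared length %ld after %ld evaluations\n", length, counter );
   return counter;
}

int
main( void )
{
   evaluations_with_macro();
   evaluations_with_function();
   return 0;
}
```

The macro also returns a different squared length (1*2 = 2 instead of 1*1 = 1), which is exactly the kind of error the compiler cannot flag and a debugger shows only as a puzzling value.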


3 Using I/O
The use of external files in C has problems very similar to those in Fortran or Java: the files may or may
not exist, reading may or may not cause run-time errors and so on. Yet the details of these problems differ
from those in the other programming languages, and this chapter means to help avoid them by imposing a
number of rules.

3.1 Opening and closing files


The following rules apply:
• Check that fopen() does not return NULL
If it does, the file could not be opened. Take proper action.
• Close the file in the same routine
Files opened in one routine should also be closed in that routine. If not, the file pointer must be
handed to the calling routine. Otherwise the file pointer will be lost and the file can never be
closed properly.
• Never use fixed file names
Put the names of the files in variables (not macros). These can be changed easily as they will be
found in one standard section of the source files.
• Compose directories and file names via a special routine
Rely on the OMS standard routine mkfilename() to take care of the platform-dependent issues
regarding the separator character and such.
• Use string variables of length PATH_MAX to store the filenames
The macro PATH_MAX is commonly defined to the maximum allowable size of a file name
including the directory etc. Using this length guarantees that the name will always fit.

3.2 Standard input and output


The following rules apply:
• Reopen stdout, stderr if necessary
Under MS Windows, graphical user-interfaces have no access to a useful console. Hence, use the
freopen() function to redirect output to some file.
• Use stdin only in non-GUI programs
If you need user interaction, consider using a graphical user-interface. Never combine stdin and a
graphical user-interface - this is very problematic under MS Windows.
• Use fgets() instead of gets()
If you read from stdin, always use fgets(), because with this function you have control over the
length of the string to be read.

3.3 Reading and writing


The following rules apply:
• Read a file line by line using fgets()
If you use fscanf(), you face an almost insoluble problem with line ends: the file position will stay
on the previous line (if that is long enough), without the program being able to detect this. With
fgets(), you have the benefit of being able to check whether the end-of-line has been reached or not.
Then use sscanf() to split the line into the desired pieces.
• Check end-of-file with the feof() macro
Never use the EOF return value, because that is not reliable.


• Make sure the buffers used in sprintf() are large enough


As C does not provide any run-time checks on strings, you are yourself responsible for keeping
within the bounds of a buffer. This can be facilitated by avoiding “open-ended” formats like %f
and %s (see below).
• Use input format like %d and %f
To give the user the freedom he or she wants, use as unspecific a format as possible. The sscanf()
routine will make sure that it gets parsed correctly.
• Never use an output format like %f. Instead, %#13.6g and %#22.15g (or %12.6g, %21.15g if you
do not care for exact length) are preferred for float and double reals.
The problem with formats like %f is that large numbers are written with a lot of digits (see the
example). The alternative format uses the hash sign (#) to make sure that the decimal point is
always present and that trailing zeroes are maintained.
• Keep formats simple
The printf() family of routines defines a huge set of formats but not every programmer is familiar
with the possibilities. Hence stick to the mainstream, because otherwise others get confused (this
is especially true with formats like %*s). If you need to use the more sophisticated formats,
document their use via appropriate comments.
• Consider using automated tools like Yacc and Lex for reading files
Tools like Yacc and Lex can produce robust reading routines. Their use is especially
recommended if the input consists of more than simple numbers.

The example below shows what happens if you go against some of these rules:

The input file is:


A line of text
1.0 # One real value
1 # One integer value

The naïve implementation is:


   #include <stdio.h>
   #include <stdlib.h>

   int main( int argc, char * argv[] )
   {
      FILE * infile ;
      long ivalue ;
      float rvalue ;
      char string[100];

      infile = fopen( "example.inp", "r" );

      if ( infile != NULL )
      {
         fscanf( infile, "%s", string );    /* %s reads a single word */
         fscanf( infile, "%f", &rvalue );   /* %f reads the next word! */
         fscanf( infile, "%d", &ivalue );   /* %d reads the third word */

         printf( "String: %s\n", string );
         printf( "Real: %f\n", rvalue );
         printf( "Integer: %d\n", ivalue );

         rvalue = 1.0e20;
         printf( "Big real: %f\n", rvalue ); /* %f uses as many positions as necessary */
         fclose(infile);
      }

      return 0;
   }

which, on a SUN solaris machine results in the following output:


String: A
Real: 0.000000
Integer: -268440104
Big real: 100000002004087734272.000000


The explanation for this is simple:


• The format "%s" reads a string until a white space character is encountered, hence only "A" is
read. The file position is not moved to the next line but is left at the word "line", which is then read
as a real value; this fails. The value for the integer variable may be the result of an implicit
conversion from characters to integers, as these two data types are closely related in C (for
historical reasons mostly; never rely on this fact implicitly!)
• The large real is written in decimal form, giving a very long string. This can not be controlled via
%12.3f or comparable formats.

The correct implementation, with the above rules, is:


   #include <stdio.h>
   #include <stdlib.h>

   int main( int argc, char *argv[] )
   {
      FILE * infile ;
      long ivalue ;
      float rvalue ;
      char buffer[100];
      char string[100];

      infile = fopen( "example.inp", "r" );

      if ( infile != NULL )
      {
         fgets( buffer, sizeof(buffer), infile );   /* one complete line at a time */
         sscanf( buffer, "%s", string );

         fgets( buffer, sizeof(buffer), infile );
         sscanf( buffer, "%f", &rvalue );

         fgets( buffer, sizeof(buffer), infile );
         sscanf( buffer, "%ld", &ivalue );          /* ivalue is a long: %ld, not %d */

         printf( "String: %s\n", string );
         printf( "Real: %12.6g\n", rvalue );
         printf( "Integer: %ld\n", ivalue );
         rvalue = 1.e20;
         printf( "Big real: %12.6g\n", rvalue );
         fclose(infile);
      }
      return 0;
   }

which, again on a SUN workstation, results in the more expected output:


String: A
Real: 1
Integer: 1
Big real: 1e+20
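The rules of sections 3.1 and 3.3 combined into a reader for the same three-line input, as an added example that is not part of the standard: fgets() line by line with detection of lines that do not fit the buffer, sscanf() with an explicit width on each line, a status return code following section 2.6 with the output arguments untouched on error, and the file closed in the routine that opened it. The return-code names, the small LINE_LEN and the use of tmpfile() to hold the constructed file contents are assumptions of the example.

```c
#include <stdio.h>
#include <string.h>

#define LINE_LEN 32        /* deliberately small, to exercise over-long lines */
#define WORD_FMT "%31s"    /* LINE_LEN - 1: never let %s run past the buffer */

/* Return codes following section 2.6: 0 is OK, negative values are errors.
   Output arguments are written on success only; on error they are untouched. */
enum
{
   READ_OK            =  0,
   READ_ERR_OPEN      = -1,   /* file could not be opened */
   READ_ERR_IO        = -2,   /* read error or premature end of file */
   READ_ERR_LONG_LINE = -3,   /* a line did not fit in the buffer */
   READ_ERR_FORMAT    = -4    /* sscanf() could not parse the line */
};

/* Read one line with fgets(). If the line does not fit, the rest of it is
   consumed so that the next call starts on a fresh line. */
static int
read_line( FILE * infile, char * buffer, size_t size )
{
   int ch;

   if ( fgets( buffer, (int) size, infile ) == NULL )
   {
      return READ_ERR_IO;      /* feof(infile) tells end-of-file from an error */
   }
   if ( strchr( buffer, '\n' ) != NULL )
   {
      return READ_OK;
   }
   ch = fgetc( infile );       /* last line without newline, or an exact fit? */
   if ( ch == EOF || ch == '\n' )
   {
      return READ_OK;
   }
   while ( ch != EOF && ch != '\n' )
   {
      ch = fgetc( infile );
   }
   return READ_ERR_LONG_LINE;
}

/* Read the next line and parse exactly one item from it with the given format */
static int
read_item( FILE * infile, const char * format, void * item )
{
   char buffer[LINE_LEN];
   int  status;

   status = read_line( infile, buffer, sizeof buffer );
   if ( status == READ_OK && sscanf( buffer, format, item ) != 1 )
   {
      status = READ_ERR_FORMAT;
   }
   return status;
}

/* Parse the three-line format of the example above: a line of text (first
   word kept), a real and an integer, each optionally followed by a comment.
   text must hold LINE_LEN bytes, the same size as the word buffer. */
int
read_example( FILE * infile, char * text, double * rvalue, long * ivalue )
{
   char   word[LINE_LEN];
   double r = 0.0;
   long   i = 0;
   int    status;

   status = read_item( infile, WORD_FMT, word );
   if ( status == READ_OK )
   {
      status = read_item( infile, "%lf", &r );
   }
   if ( status == READ_OK )
   {
      status = read_item( infile, "%ld", &i );
   }
   if ( status == READ_OK )
   {
      strcpy( text, word );    /* both buffers are LINE_LEN bytes */
      *rvalue = r;
      *ivalue = i;
   }
   return status;
}

/* Write constructed contents to a temporary file, parse it and close the file
   in the same routine that opened it (section 3.1). */
int
parse_contents( const char * contents, char * text, double * rvalue, long * ivalue )
{
   FILE * infile;
   int    status;

   infile = tmpfile();
   if ( infile == NULL )
   {
      return READ_ERR_OPEN;
   }
   fputs( contents, infile );
   rewind( infile );
   status = read_example( infile, text, rvalue, ivalue );
   fclose( infile );
   return status;
}
```

Calling parse_contents() with the file contents shown above ("A line of text", "1.0 # One real value", "1 # One integer value") yields status 0, text "A", 1.0 and 1; a line longer than LINE_LEN yields READ_ERR_LONG_LINE rather than silently reading the tail of that line as the next item, which is the failure mode the fscanf() version cannot detect.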


4 Expressions and assignments


In this chapter some requirements concerning C programming can be found in relation to expressions
and assignments. By eliminating complex constructions and constructions which are error prone the
chances to make errors will be reduced. Also some constructions in which the behaviour of C
programs are undefined are excluded. Uniform C code is more understandable and easier to maintain.
As a consequence porting the programs to other platforms becomes easier as well.

4.1 Varargs
Modules with a varying number of parameters must be avoided as much as possible. Only if there is
no other solution are they allowed, and then the use of varargs is required.

4.2 True and false


Normally the macros FALSE and TRUE are defined in some sort of standard header file. If they are
not yet defined in some header file, define them like this (no other similar definitions may be used):
   #if ! defined(FALSE)
   #define FALSE (0)
   #endif
   #if ! defined(TRUE)
   #define TRUE (1)
   #endif

The constants TRUE and FALSE may only be used in assignments or as return values. Their use as a
relational operand is not allowed.

Compliant:
   return FALSE;

   if ( !islower(c) )
   {
      …
   }

Not compliant:
   return 0;   /* 0 means logical FALSE */

   if ( islower(c) == FALSE )
   {
      …
   }

Note: if possible, avoid negations, especially in compound logical expressions.

4.3 Parentheses
For readability reasons the use of parentheses in expressions is strongly recommended. On the other
hand, using too many brackets can undo the readability gain, so they must be applied with due care.

4.4 Implicit assignments


Logical expressions with ‘and’ and ‘or’ may not contain implicit assignments. Due to short-circuiting
the evaluation, it may not be clear that the assignment will indeed take place.


Compliant:
   if ( c[i] == ' ' &&
        c[i+1] != ' ' )
   {
      i ++;
      …
   }

Not compliant:
   if ( c[i] == ' ' &&
        c[i++] != ' ' )
   {
      …
   }

In this example the index i may not be increased if c[i] turns out not to be a space, as the second part
of the logical expression will not be evaluated!
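To see for which input the two forms actually diverge, here is an added example (not from the standard) that runs both conditions on constructed strings and returns the value of i afterwards; the strings and function names are the example's own.

```c
#include <stdio.h>

/* Compliant: the increment is a separate statement inside the body, so i
   changes exactly when the whole condition holds */
int
index_after_compliant( const char * c )
{
   int i = 0;

   if ( c[i] == ' ' && c[i+1] != ' ' )
   {
      i++;
   }
   return i;
}

/* Not compliant: the increment hides in the second operand of &&, which is
   evaluated only when c[i] == ' ' holds; whether i changes therefore depends
   on the first operand alone, not on whether the body runs */
int
index_after_noncompliant( const char * c )
{
   int i = 0;

   if ( c[i] == ' ' && c[i++] != ' ' )
   {
      /* Body intentionally empty: only the side effect in the condition matters */
   }
   return i;
}

int
main( void )
{
   const char * samples[3] = { "  ", " x", "ab" };   /* constructed inputs */
   int k;

   for ( k = 0; k < 3; k++ )
   {
      printf( "\"%s\": compliant i = %d, not compliant i = %d\n", samples[k],
              index_after_compliant( samples[k] ),
              index_after_noncompliant( samples[k] ) );
   }
   return 0;
}
```

For "ab" neither form increments; for " x" both do; for two spaces the compliant form leaves i at 0 (the body does not run) while the hidden increment still fires, which is the discrepancy the text warns about.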

4.5 Conditional expressions


Using conditional expressions is strongly deprecated. It is far better to use normal if-then-else
constructions.

Compliant:
   if ( a > b )
   {
      z = a;
   }
   else
   {
      z = b;
   }

Not compliant:
   z = ( a > b ) ? a : b;

The conditional expression may seem very compact, but as soon as the expressions become more
complicated, it is very difficult to see what is going on.

The following are examples of valid uses:


   #define MAX(a,b) ( ((a) > (b)) ? (a) : (b) )
   fprintf( stderr, "Value is %s\n", ((debug_on != 0)? "true" : "false") );

The reason that these examples are allowed is that they make it possible to abbreviate constructs
without obscuring the actual intent. In the first example the use of a macro allows one to hide the
complicated structure of the conditional expression. In the second example there is no need for an
extra if-statement and a variable to hold the strings "true" and "false".[3]

4.6 Loop conditions


Do not misuse the expressions in a loop condition to make redundant the body of the loop. This can
very easily result in unreadable code.

Compliant:
   for ( p = string;
         *p != '\0';
         p++ )
   {
      *p = toupper( *p );
   }

Not compliant:
   for ( p = string;
         (*p) != '\0';
         (*p++) = toupper(*p) );

[3] Actually, even in these cases other solutions may be preferable. See Chapter 7.


4.7 Token pasting


Applying the so-called 'token pasting' technique ('##') when using macros is not allowed.

Compliant:
   (none)

Not compliant:
   #define cat(x,y) x ## y

4.8 Debug statements


Pieces of code that only become active when debugging are not allowed in production programs. An
example is code that gives extra debugging information when it is activated by setting specific macros
during the compilation. If it is necessary to be able to provide more detailed information about the
operation of the program, then use standardised tools (output logging and levels of reporting). This
type of output is more useful for the user, whereas debug output is solely useful for the programmer.

4.9 General
To avoid common errors and uncertainties, some general requirements about statements and
expressions are formulated:
• Do not use the increment (++) and decrement (--) operators in one single expression;
• Usage of the comma-operator is forbidden;
• On one line only one single assignment is allowed. Both operators '++' and '--' also are
assignments;
• An actual argument may not contain an assignment. Actual arguments are arguments of the
statements if, while, switch, return, do and for. Only one exception is allowed:
the while expression may contain one single assignment.

For example:
   while ( (c = fgetc(infile)) != '\n' )

• Using identical names for different variables in different blocks in the same function is not
allowed.

4.10 Errors and functions


Possible errors occurring in a function must be returned by means of a function parameter or a return
value. The possible values of this function parameter or return value indicate the error that occurred.

4.11 Pointers and functions


Functions are never allowed to return a pointer to a local non-static variable; this is a severe
programming error.


Compliant:
   char * IO_GetNewName (
      char * nameBuffer,
      long sizeBuffer )
   {
      …
      return nameBuffer;
   }

Or, alternatively:
   char * IO_GetNewName ( void )
   {
      static char nameBuffer[80];

      return nameBuffer;
   }

Not compliant:
   char * IO_GetNewName ( void )
   {
      char nameBuffer[80];
      ...
      return nameBuffer;
   }

Pointers to local non-static variables are valid only as long as the routine in which the variables are
defined is active. Upon return the memory is reclaimed and such pointers become invalid.

4.12 Type casting


When data types do not correspond, explicit type casting is required. This creates clarity and therefore
increases the maintainability of programs.

Compliant:
   long level;
   double dbl ;

   dbl = (double) (level * 4);
   dbl = (double) level * 4.0;

Not compliant:
   int level;
   double dbl ;

   dbl = level * 4;
   dbl = level * 4.0;

Note that real constants in C get the type double, unless they are suffixed with “f”. Integer constants
have the type int, unless they are suffixed with “L”:

Constant Type
4 int
4L long
4.0 double
4.0f float

4.13 NULL pointers


Use the special symbol NULL to check if pointers are null pointers. Do not use 0, because NULL
immediately indicates that a pointer is meant. Also do not use pointers as if they were logical
variables. Comparison to NULL must be explicit.

Pointers are often compared with NULL to determine the end of a data structure or test for validity. In
this case the comparison has to be explicit!

Compliant:
   while ( ptr != (PntrType) NULL )
   {
      ...
   }

Not compliant:
   while ( ptr )
   {
      ...
   }


5 File organisation
Source files and include files must be organised in a standard manner, to increase readability and
maintainability of the source and include (header) files.

5.1 Source files


The organisation for source files that has been chosen for OMS has proven its usefulness over the
years and is quite common:
• The first lines contain a block of comments that describe the contents of the file and the context of
its routines. For instance: “these routines manipulate the dictionary of keywords as found in the
OMS input files”.
Then come the include files:
• Standard include files, such as "stdio.h", get angle brackets.[4] They are listed first.
• Program-specific include files get quotation marks.
• Macros are defined next, as these are often needed in the specification of data types and function
prototypes. This is restricted to the macros that are private to the source file. More general
macros and data types must be put in an appropriate header file. Do not put a comment after the
macro definition, as it might be regarded as part of the macro's value.
• The next section is the definition of specific data types. This is of course restricted to the types that
are private to the source file.
• Then come the global (both static and non-static) variables (sorted in alphabetic-lexicographical
order).
• Then come the prototypes for static functions and routines in this file. Prototypes are always
required for such functions and routines, even if due to their position in the file it is not strictly
necessary.
• The last section contains the functions and routines themselves. Routines and functions that are
not intended for use outside the source file, must be declared static. All others must have visible
prototypes in appropriate header files.

Example (illustrating the division in sections):


/* dictionary.c - Dictionary routines

(description of the content)

*/

#include <stdio.h>
#include <stdlib.h>

#include ”dictionary.h”

/* Macros:
   INITIAL_SIZE - initial size for a dictionary
   INCREMENT    - amount by which to increment the array
*/
#define INITIAL_SIZE 20
#define INCREMENT    10

/* Data types:
   Cursor, CursorPtr - used to keep track of search
*/
typedef struct _Cursor
{
   ...
} Cursor, * CursorPtr;

[4] There is a subtle difference between these two types of include statements. The angle brackets are
reserved for files in the standard include directories.

/* Global variables:
   cursor - Cursor into the given dictionary
*/
static Cursor cursor;

/* Static functions
*/
static long
_DictIndex(
   DictionaryPtr dict,
   char * keyword );

/* Start of actual routines and functions */

static long
_DictIndex(
   DictionaryPtr dict,
   char * keyword )
{
   ... /* Body of routine */
}

char *
DictGetValue(
   DictionaryPtr dict,
   char * keyword )
{
   ... /* Body of routine */
}

5.2 Include files


For include files the set-up is almost the same:
• The first lines contain a block of comments that describe the contents of the file and the context of
its routines. For instance: “these routines manipulate the dictionary of keywords as found in the
OMS input files”.
• Then come the include files.
• Macros are defined next.
• The definitions of specific data types follow.
• Then come the global (both static and non-static) variables.
• Finally the prototypes for public functions are given.
• The last section contains the routines themselves.

To prevent problems with multiple inclusions the whole content is enclosed by an #ifndef
construction:
#ifndef FILENAME_H_INCLUDED
#define FILENAME_H_INCLUDED

/* Body of include file */

#endif /* FILENAME_H_INCLUDED */

Note:

The macro used to indicate this inclusion always has the above form (replace FILENAME by the
actual name in capitals).

Here is an example:
/* dictionary.h - Header file for dictionary routines

(description of the content)

*/
#ifndef DICTIONARY_H_INCLUDED
#define DICTIONARY_H_INCLUDED


#include <stdio.h>
#include <stdlib.h>

/* Macros:
   NOT_FOUND - return value to indicate the keyword was not found
*/
#define NOT_FOUND (char *)NULL

/* Data types:
   Dictionary, DictionaryPtr - the structure to hold a dictionary
*/
typedef struct _Dictionary
{
   ...
} Dictionary, * DictionaryPtr;

/* Global variables:
None
*/

/* Public functions
*/
char *
DictGetValue(
DictionaryPtr dict,
char * keyword );

#endif /* DICTIONARY_H_INCLUDED */

The following additional rules must be adhered to:


• All routines and functions must have an explicit type. Thus the following declaration is forbidden:
   /* Type "int" is implicit */
   static _DictIndex( DictionaryPtr dict, char *keyword );
• The include files must be arranged such that all routines and functions have an explicit prototype
before they are first used or defined.
• If a routine or function is supposed to be available outside the source file, then its prototype must
appear in an include file.
• If a routine or function is not supposed to be available outside the source file, then it must be
declared static and its prototype must appear in the source file.
• All prototypes for routines and functions in a particular source file must appear in the same
include file.
• There can be more than one routine or function in a source file, but one should keep the total
number of lines within limits and the routines and functions must be related, for instance, all
routines and function that manipulate a particular data type.

See the recommendations for further remarks about names for routines and functions and the names of
source and include files.
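An added example, not the standard's own dictionary.c, that fills in the skeleton of sections 5.1 and 5.2 with a working linear-search dictionary in the prescribed section order, with the header part (including its include guard) placed in the same file so that it compiles as one unit. The fixed capacity MAX_ENTRIES, the const qualifiers on the arguments (section 2.5), the DictInit()/DictAdd() routines and the names dict_index and Dictionary_s (chosen to avoid identifiers with a leading underscore, which C reserves) are choices of this example.

```c
/* dictionary_demo.c - Dictionary routines laid out as prescribed in chapter 5
   (added example: a dictionary is a fixed table of keyword/value pairs)
*/

#include <string.h>

/* ---- Part that would live in dictionary.h ---- */
#ifndef DICTIONARY_H_INCLUDED
#define DICTIONARY_H_INCLUDED

/* Macros:
   NOT_FOUND   - return value to indicate the keyword was not found
   MAX_ENTRIES - capacity of a dictionary (hypothetical limit)
*/
#define NOT_FOUND   (const char *)NULL
#define MAX_ENTRIES 16

/* Data types:
   Dictionary, DictionaryPtr - the structure to hold a dictionary
*/
typedef struct Dictionary_s
{
   long         count;
   const char * keyword[MAX_ENTRIES];
   const char * value[MAX_ENTRIES];
} Dictionary, * DictionaryPtr;

/* Global variables:
   None
*/

/* Public functions
*/
void         DictInit( DictionaryPtr dict );
int          DictAdd( DictionaryPtr dict, const char * keyword, const char * value );
const char * DictGetValue( DictionaryPtr dict, const char * keyword );

#endif /* DICTIONARY_H_INCLUDED */

/* ---- Part that would live in dictionary.c ---- */

/* Static functions (prototype required even though the definition follows)
*/
static long dict_index( DictionaryPtr dict, const char * keyword );

/* Start of actual routines and functions */

/* Returns the index of keyword in dict, or -1 if it is not present */
static long
dict_index( DictionaryPtr dict, const char * keyword )
{
   long i;

   for ( i = 0; i < dict->count; i++ )
   {
      if ( strcmp( dict->keyword[i], keyword ) == 0 )
      {
         return i;
      }
   }
   return -1;
}

void
DictInit( DictionaryPtr dict )
{
   dict->count = 0;
}

/* Returns 0 on success, -1 if the dictionary is full (dict is then untouched) */
int
DictAdd( DictionaryPtr dict, const char * keyword, const char * value )
{
   if ( dict->count >= MAX_ENTRIES )
   {
      return -1;
   }
   dict->keyword[dict->count] = keyword;
   dict->value[dict->count]   = value;
   dict->count++;
   return 0;
}

/* Returns the value for keyword, or NOT_FOUND */
const char *
DictGetValue( DictionaryPtr dict, const char * keyword )
{
   long index;

   index = dict_index( dict, keyword );
   if ( index < 0 )
   {
      return NOT_FOUND;
   }
   return dict->value[index];
}
```

dict_index() is static because nothing outside the file needs it, and its prototype precedes the definition as section 5.1 requires; DictAdd() follows the section 2.6 protocol (status 0 or -1) and the capacity check keeps the arrays in bounds.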


6 Layout, internal documentation


In this standard documentation means the complete information to be obtained from the user
documentation, source files and the system documentation. The user documentation contains all
information important to the user. The source files and the system documentation contain all
additional information important to the maintenance programmer. The emphasis is put on the
documentation (comments) in the source files - the system documentation will provide additional
information only. Good documentation of the source code is important for program maintenance. A
quick and correct understanding of the program text leads to quick and correct improvements and
additions.

This chapter is limited to the layout of and the documentation within the program text.

6.1 Naming conventions


A good understanding of a program text is important. Therefore clear naming conventions for the
identifiers are required:
• constants
• variables
• types
• macros
• functions

The following general conventions apply:

• The names have to be consistent, in other words: for the same meaning the same name has to be
used. (For the use of acronyms see chapter 7 “Recommendations”.)

• The names of identifiers can be up to 31 significant characters. So use descriptive names!

6.2 Language
All comments and other documentation have to be written in English without any exceptions.

6.3 Order of program text parts


For some parts of the program text the use of ordering rules is obligatory. Conforming strictly to this
ordering prevents many possible errors and makes it easier to find definitions.

The strict order of program text parts of a header file (.h) is:
• file header comment block with:
• file name
• programmer name
• version number, date and description
• copyright
• file description
• includes
• standard files
• project files


• defines
• constants
• macros
• enums and typedefs
• enums
• typedefs
• external variable declarations
• external function prototypes

The required order of program text parts of a program file (.c) is:
• file comment header block with
• file name
• programmer name
• version number, date and description.
• copyright
• file description
• keywords
• includes
• standard files
• project files
• defines
• constants
• macros
• enums and typedefs
• enums
• typedefs
• external variable definitions
(are declared in header files)
• internal variable definitions
( static variables)
• static function prototypes
(external function prototypes are placed in header files)
• function definitions (global and local)
• for every function:
• function comment header block with:
• function name
• function description
• summary
• function heading (type, name, parameterlist)
• function body

6.4 Comment
To explain the functioning of a program, the program text has to be clear enough. This can be
achieved by adding comment text to the program text. The language of the comments is always
English.

Comment headers (the first line of a comment block) start with a slash ('/') at the first position
followed by between 40 and 80 asterisks ('*'). Every continuing line (except the last line) starts with
an asterisk on the first position. The last line starts with between 40 and 80 asterisks, followed by a
slash.

Comments consisting of only one single line must be indented according to the surrounding program
text. Comments of more than one line may start at the left margin in order to make use of the full line.

Global comment preferably is placed before the function itself and detailed comment within the
function. Detailed comment blocks of more than 10 lines are preferably placed before the function or
else directly at the beginning of the function. The reason for this is to prevent large pieces of comment
statements that decrease the readability of the actual program text.

Short comment (comment behind program statements) may only be used where it does not decrease
readability.

6.5 Alignment of declarations


Consecutive declarations in the program text have to be aligned with each other. In case of pointer
declarations the type-specifier is separated from the pointer (one or more '*') by one or more spaces,
whereas the pointer and identifier may be separated by one or more spaces.

Example:
   long    cntr;
   char *  string;
   char    opt;
   char ** pString;

6.6 Statements
Only one statement per line is allowed. Statements should be consistently indented according to the
extended style:
   if ( a > b )
   {
      z = a;
      y = b;
   }

6.7 Assignments and expressions


Around an assignment-sign ('=') spaces have to be placed. In expressions spaces must be used as well;
however, it is recommended not to use spaces within sub-expressions.

In order to clarify the sequence of evaluation of sub-expressions brackets must be used consistently.

Examples:
   q2r = d / 2.0;
   area = M_PI * (r * r);          /* M_PI is used from math.h */
   c = sqrt( a*a + b*b );
   V0 = j0(M_E/t1) * (t1 - t0);    /* M_E is used from math.h */

6.8 Letters
Small letters as well as capitals may be used in program text and comment lines.


6.9 Line length


Not more than 80 characters per line may be used. There are no exceptions. The reason is that printers
normally allow only 80 characters. Longer lines would either be wrapped or truncated.

6.10 File length


The length of a C source file may not exceed 3000 lines (all kind of lines). This is an absolute
maximum. Strongly recommended is a maximum of 1500 lines. Exceeding the limit of 1500 lines is
only permitted after consulting and getting permission from the maintenance team.

6.11 Function length


The length of a function may not exceed 300 lines (all kinds of lines). This is an absolute maximum.
Strongly recommended is a maximum of 150 lines. Exceeding the limit of 150 lines is only permitted
after consulting and getting permission of the maintenance team.

Note:
Besides the above mentioned limits, the requirements of readability, easy reference, structure,
modularity and cohesion of functions remain in effect.

6.12 Spaces
Spaces should be used to increase readability.

Compliant:
   ind = 0;
   for (i = 0; i < 4; i++ )
   {
      sum += c1[i+ind] + 4*i;
      ind += 40;
   }

   recalc_xyz( t, v, &x, &y, &z );

   recalc_xyx ( t, min(v,w),
                &x, &y, &z );

Not compliant:
   ind=0;
   for (i=0;i<4;i++)
   {
      sum+=c1[i+ind]+4*i;
      ind+=40;
   }

   recalc_xyz(t,v,&x,&y,&z);

   recalc_xyx ( t , min( v , w ) ,
                &x , &y , &z );

Notes:

• Using spaces in function calls is also clarifying.

• Don't exaggerate the use of spaces. In the last example, the spaces around 'v' and 'w' are left out
for readability reasons.

6.13 Braces
Braces have to be used in combination with the if, for, while and do statement, even if only
one command is involved.

Both braces have to be placed straight above each other and directly beneath the related statement.


Example:
   if (a > b)
   {
      a = b;
   }

6.14 Indentation
From a readability point of view it is important to have a clear structure of the program text. This
structure must be achieved by indentations in case of nesting. Nesting one single level must be
accompanied by an indentation of 3 spaces. Indentations may not be achieved by using tab characters.

Also use indentation in case of a function call which consists of more than one line.

6.15 Empty lines


To introduce logical separations in the program code extra empty lines can be used. For example two
new lines before a function definition or one new line in block structures.

6.16 Fileheader
All C program files (.c, .h files) need to have a so-called file header block. For some simple examples
also see the paragraph “Examples”.

Every C-file must contain at least the following descriptions:


• The version information of the file. If possible this version information can be filled in by some
version control mechanism. See also paragraph “Version information” in this chapter;
• The copyright information. This must be placed in the COPYRIGHT comment block;
• A description of the connection of the functions in the file.
This means:
• which common functionality do these functions have;
• how these functions communicate with each other (allocate/free memory, open, read, close);
• which data structure is common for these functions;
• which part or layer of a system these functions are part of.

This description must be made in the FILE DESCRIPTION comment block.

These descriptions need to be at the top of the C-file in the same order.

6.17 Function header


All functions must have a so-called function header block. For some simple examples also see the
paragraph “Examples”.

All functions must contain the following items:


• The function target.
This means:
• what is the use of the function;
• in which cases the function can be used.
• This part has to be put in the FUNCTION DESCRIPTION comment block. The function description in
this block consists of a maximum of two lines, preceded and followed by one empty line.


• How to use the function.
This means:
• which part of the software is responsible for the proper input of the function (pre condition). See
also the paragraph “Parameter” in this chapter;
• which software part is responsible for allocated memory;
• which function has to be called before this function or which function has to be called after this
function;
• what the return value of this function is.
• This description must be placed in the FUNCTION DESCRIPTION comment block.
• Which files will be accessed in this function. Only the files given in full names are meant. This
description has to be put in the FILE I/O comment block. This comment block is optional.

These descriptions need to be at the top of the h-file in the same order.

6.18 Functions and parameters


In this paragraph some documentation aspects of functions and parameters are described.

Functions

When defining the function, a description of the return value has to be given after the function heading
(type and name).

Example
   long
   ifac ( /* return value: factorial of integer number */
      long inum) /* I integer number */
   {
      ...
   }

Parameters

Of each function parameter the following aspects must be described:


• Whether it is an input and/or output parameter.
For output parameters it must be described, where applicable, whether memory will be allocated and whether
the calling function is responsible for freeing this memory.
• The meaning of the parameter.
This part can be skipped in case acronyms are used. For a description of the use of acronyms, see
chapter 7 “Recommendations”.
• The possible range of the parameter.
For example, this can be a list of possible values, a minimum or a maximum value.

All above-mentioned descriptions must be on the same line at the right of the definition.

6.19 Variable/constant
Like parameters, after each definition of variable or constant the meaning has to be described.

The description must be on the same line at right of the definition.


6.20 Version information


The version information lines, also mentioned in the paragraph “Fileheader” of this chapter, consist of
the following parts:
• version number - a number which increases with every change;
• date - the date the change was performed in format dd-mmm-yyyy;
• programmer - the initials of the person who performed the last update.

Because of the fixed format of these version lines an automatic check can be done. The check consists
among other things of correct increase of the version number or a check whether a (proper) problem or
project identification is given.


7 Recommendations
Portability library:
• Define a function to compose directory and file name (mkfilename())
• Define a function strdup() if necessary
• Define wrappers for common routines like fopen() that are bound to require checking.
• Define a PATH_MAX macro, if not defined in the standard include file “limits.h”
• Define TRUE and FALSE as respectively 1 and 0. Check that these values are used if already
defined
• Define UNDEFINED_NAME as “--Undefined--”
• Define a set of routines for logging error messages
• Define a macro INVALID_STATE that prints a message to stderr about the program being in an
impossible or invalid state.
• Define a macro ON_DEBUG like this:
   #define ON_DEBUG( level, code ) \
      if ( _DebugLevel( level ) ) { code }

(This macro uses a function _DebugLevel to decide if debug output is required (given the level),
and if it is, then executes the given code. It is a flexible alternative to the code fragment presented
at the end of section 2.7.)
• Define macros MAX() and MIN() (functions are not possible because we would need to
distinguish between types)
• Define a function BooleanString() that returns “true” or “false” given the value of its (boolean)
argument. This makes the ?: construct in section 4.5 superfluous.

Data types:
• Restrict the use of unsigned integers
• Always use long integer (at least: do not try to be smart about short/int/long to save a few bytes)
• If you have to use << and >>, always on unsigned variables (only allowed when constructing
bitmasks?)
• Restrict the use of unions, hardly ever necessary.
• Bitmasks should only be used “symbolically”
• Know when to use size_t and sizeof()

Logical expressions:
• Use 0 == x instead of x == 0 (if == is typed as =, the first gives a compiler error!)

7.1 Source and include files


There are no generally valid rules for the arrangement of source and include files. In this section we
present two possible solutions:
• Have pairs of source and include files
• Have a limited number of include files that serve for several source files at once.

The first solution would involve:


• Prototypes and such for a source file a.c are put in an include file a.h
• Any source file depending on routines and functions in file a.c will include the file a.h.
• There are no include files that include other include files (so no global include file).

The advantages of this approach are that changes in an include file only affect the source files that
really use the routines and functions it declares. The disadvantage is that the list of include files in the


top part of each source file can become very long and unmanageable. Also the number of files to
maintain is twice the number of source files. This is especially annoying if the routines are rearranged
in other source files. What is more, the programmer will have to know which file defines which
routine.

The second solution would involve:


• Prototypes and such for several source files, a.c, b.c, c.c, d.c are put in an include file abcd.h
• Any source file depending on routines and functions in files a.c, b.c, c.c or d.c will include the file
abcd.h.
• There can be an include file that includes other include files.

The advantages are that the list of include files will be short. The total number of files will be only
slightly larger than the number of source files. The disadvantage is that changes in prototypes for
routines found in a.c for instance, also affect files that include abcd.h but do not use these routines.

Our recommendation is the latter (see also chapter 10), as this seems more manageable and allows
header files for libraries rather than for individual source files. That is, define one header file per
library.

7.2 Names of routines and functions


Our recommendation is to use a common prefix for the names of functions and routines that have a
common task, e.g. the routines and functions in a particular library or the routines and functions that
manipulate a certain data structure.

The names of routines and functions must start with a capital if they are publicly usable, otherwise
they should have a name starting with a single underscore followed by the same prefix. (Further
refinements are possible but not desirable.)

For example:
The routines and functions that manipulate a general hash table structure are found in two source files,
hash1.c and hash2.c, because of the total size of the routines. Then the following prefixes are
available:
• Hash - any publicly useful routine or function
• _Hash - private (both static and non-static) routines in hash1.c or hash2.c.
These routines may also be used in the other source file but are not meant for use beyond the hash
module. Via the underscore it is indicated that the non-static routines are not meant for use outside this
collection.

In all cases:
The names of routines and functions must indicate their proper use. Therefore:
• Use verbs that indicate the action
• Use forms like “Is” or “Has” to indicate that something is available or of the mentioned type.

These are examples of bad names:


   /* Bad: returns a string, suggests a boolean */
   char *DictIsAvailable( dict, keyword );

   /* Bad: what does activate mean? */
   void DictActivateKeyword( dict, keyword, value );

Better names and declarations:


   /* Good: returns a boolean, as suggested by the name */
   typedef long bool;
   bool DictIsAvailable( dict, keyword );

   /* Good: store the key-value pair */
   void DictStoreKeyValue( dict, keyword, value );


8 Prohibited statements and constructions

8.1 Forbidden data types


Forbidden data types are:

Bit fields and register variables

8.2 Null statement


The null statement (‘;’), mostly found with for and while loops may not be used.

8.3 Forbidden standard functions


The standard C library contains a number of functions whose proper use is problematic or that cause
confusion. The table below lists these functions.

Function                 Reason for forbidding their use

I/O functions
fgetc()                  Unnecessary, the more useful alternative is fgets()
fputc()                  Unnecessary, the more useful alternative is fputs()
fscanf()                 It is near to impossible to get the end-of-line problem solved, use a
                         combination of fgets() and sscanf()
scanf()                  Ditto (use fgets() and sscanf() instead)
gets()                   It is impossible to control the length of the string to be read, very long
                         input lines will cause a memory overflow. Use fgets() instead.

Miscellaneous
signal()                 The semantics of signals is very difficult. Their use is in the majority of
                         cases not necessary anyway.
setjmp()/longjmp()       These routines cause a non-local jump and therefore lead to
                         unmanageable program control flows.
abort()                  When aborting the program, files are not properly closed
atexit()                 Registering call-backs is an unnecessary complication in most programs
atabort()                Ditto
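As an added example (not part of the standard), this is the fgets()/sscanf() combination the table recommends in place of gets() and scanf(), handling the two cases that make those functions problematic: an input line longer than the buffer and a number followed by trailing garbage. The LINE_*/PARSE_* codes, the function names and the sample input are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

#define LINE_OK        0   /* a complete line was read */
#define LINE_EOF       1   /* nothing left to read */
#define LINE_TOO_LONG  2   /* line did not fit, remainder discarded */
#define PARSE_OK       0   /* whole line was one long integer */
#define PARSE_ERROR    3   /* not a number, or trailing garbage */

/* Read one line into buf (size buflen) and strip the newline. If the line does not
 * fit, the rest is read and discarded with fgets() so the next call starts fresh. */
static int ReadLine ( FILE *fp, char *buf, size_t buflen )
{
   char   scratch[64];   /* scratch space for discarding an overlong line */
   size_t len;           /* length of the text read into buf */
   int    discarded = 0; /* whether any overflow text was thrown away */

   if ( fgets( buf, (int) buflen, fp ) == NULL )
   {
      return LINE_EOF;
   }
   len = strlen( buf );
   if ( len > 0 && buf[len - 1] == '\n' )
   {
      buf[len - 1] = '\0';
      return LINE_OK;
   }
   /* No newline: either the last line of the file or an overlong line.
    * Keep reading until the newline that ends it has been consumed. */
   scratch[0] = '\0';
   while ( strchr( scratch, '\n' ) == NULL
           && fgets( scratch, sizeof scratch, fp ) != NULL )
   {
      discarded = 1;
   }
   return discarded ? LINE_TOO_LONG : LINE_OK;
}

/* Parse a complete line as one long integer. The "%ld %c" format rejects
 * trailing garbage such as "42abc", which "%ld" alone would accept as 42. */
static int ParseLong ( const char *line, long *pValue )
{
   char extra; /* receives any non-blank character after the number */
   if ( sscanf( line, "%ld %c", pValue, &extra ) != 1 )
   {
      return PARSE_ERROR;
   }
   return PARSE_OK;
}

/* Self-check on constructed input in a temporary file; returns 5 when every line is handled as expected */
static int DemoReadValues ( void )
{
   char  buf[16];   /* deliberately small, so the long line does not fit */
   long  value;
   int   ok = 0;
   FILE *fp = tmpfile();

   if ( fp == NULL )
   {
      return 0;
   }
   fputs( "42\n", fp );                              /* valid value */
   fputs( "42abc\n", fp );                           /* trailing garbage */
   fputs( "777777777777777777777777777777\n", fp );  /* 30 digits: too long for buf */
   fputs( "-5\n", fp );                              /* valid again: reading has resynchronised */
   rewind( fp );
   if ( ReadLine( fp, buf, sizeof buf ) == LINE_OK
        && ParseLong( buf, &value ) == PARSE_OK && value == 42 ) ok++;
   if ( ReadLine( fp, buf, sizeof buf ) == LINE_OK
        && ParseLong( buf, &value ) == PARSE_ERROR ) ok++;
   if ( ReadLine( fp, buf, sizeof buf ) == LINE_TOO_LONG ) ok++;
   if ( ReadLine( fp, buf, sizeof buf ) == LINE_OK
        && ParseLong( buf, &value ) == PARSE_OK && value == -5 ) ok++;
   if ( ReadLine( fp, buf, sizeof buf ) == LINE_EOF ) ok++;
   fclose( fp );
   return ok;
}
```

The overlong line is reported rather than silently truncated, and the line after it is still read correctly, which is exactly what gets() cannot guarantee.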

8.4 Illegal use of pre-processor constructs


Sometimes programmers use the pre-processor to hide C syntax or to hide fragments of code that are
only needed during testing or debugging. This is utterly forbidden. Other programmers are not familiar
with such replacements and get confused. This happens especially if you use macros to hide the
looping over certain variables (this is an actual example of how source code becomes almost
unmanageable!)

This horror has been illustrated below (note that the hidden variable “listp” becomes visible whenever
you want to do something with the elements of the list):


   /* Define list variable here (used in macro below) */
   ListPtr listp;

   /* Define shorthand for iteration over list */
   #define ScanList( list ) \
      for ( listp = list; listp != NULL; \
            listp = listp->next )

   int main( int argc, char *argv[] )
   {
      /* Scan the list of titles, searching for the right value */
      ScanList( titles )
      {
         if ( strcmp( listp->value, which_title ) == 0 )
         {
            printf( "Found it!\n" );
         }
      }
      return 0;
   }

A trivial example that attempts to introduce extra keywords (Pascal, Fortran, …) into C is this:
/* DO NOT USE THE PREPROCESSOR IN THIS WAY */
#define BEGIN {
#define END }

if ( x > 0 ) BEGIN
/* Do something */
END

There is no recommended alternative: always use the proper C syntax.

A similarly forbidden construct is this “function” that may be used to define debugging statements:
/* DO NOT USE THE PREPROCESSOR IN THIS WAY */
#define ON_DEBUG( a ) if ( _debug_ ) { a }

Instead simply use the if-construct directly:


   if ( _debug_ )
   {
      /* Debug code */
   }

Yet another example:


   /* DO NOT USE THE PREPROCESSOR IN THIS WAY */
   #if defined( DEBUG )
   printf( "Debug output: x = %d\n", x );
   #endif

The alternative here is the same as above: use a proper if-construct. The code will always be
compiled, yet there is little or no impact on the performance if it is not used, because the controlling
parameter is false.

Note:
The only exception to the rule of not hiding code constructions in macros is the standard assert()
macro. Using this macro is actually encouraged, to document the preconditions and post-conditions of
a function.

8.5 Illegal use of functions


Certain standard functions are frequently used in manners that cause confusion to the reader. This
section clarifies at least a number of such illegal uses.
• Functions that return integers or pointers are used in a logical context
One example of this is strcmp() in the following fragment:


Compliant:

   if ( 0 != strcmp( string1, string2 ) )
   {
      fprintf( stderr, "String does not match\n" );
   }

Not compliant:

   if ( strcmp( string1, string2 ) )
   {
      fprintf( stderr, "String does not match\n" );
   }

The problem is that strcmp() returns 0, -1 or 1, so not a logical value at all, and that the check is
supposed to be “is string1 equal to string2? If not, return an error”. Because strcmp() returns a zero
(ordinarily a false value) when the two strings are equal, the non-compliant fragment reads as if the
strings have to be equal for the error message to be printed. This is confusing.

Another example:

Compliant:

   infile = fopen( "input.dat", "r" );
   if ( infile != NULL )
   {
      fgets( ... );
   }
   else
   {
      fprintf( stderr, "Could not open file!\n" );
   }

Not compliant:

   infile = fopen( "input.dat", "r" );
   if ( !infile )
   {
      fgets( ... );
   }
   else
   {
      fprintf( stderr, "Could not open file!\n" );
   }


Appendix A Log sheet

Version   Document date        Changes with respect to the previous version
0.8       April 17, 2002       Document name changed
0.9       September 25, 2002   Changed due to review of Stef Hummel (some items)
1.1       November 20, 2002    Changes w.r.t. ‘long’ and ‘int’


Appendix B Set/get functions


This appendix illustrates the use of specialised pre-processor macros to elegantly solve a maintenance
problem. The problem was that a set of Fortran routines needed access to data stored in a C structure,
both to set the fields and to get the current value.

By defining a large number of individual get and set routines, this can be solved in a straightforward
manner. However:

• There were at least 30 fields involved, so this solution would require 60 individual set/get functions.

• If the underlying structure changed, one would need to create new get and set functions or update the
existing ones.

Therefore a solution was sought and found in the following way (details have been left out to clarify the
solution):

• A generic set of macros was defined, one for each type of data item.

• The fields to be accessed formed an argument to these macros.

• The macros were embedded in a routine that could be called from Fortran where one of the arguments
is the name of the field (so a string!).

From the Fortran side, one can set a field “noparams” as:
   call setpar( 'noparams', noparams )

On the C side the code that is executed looks like this (*value because Fortran passes everything by
reference):
   void setpar( char *field_name, long *value )
   {
      if ( strcmp( field_name, "noparams" ) == 0 )
      {
         data->noparams = *value;
      }
   }

The if-construction is repeated for all relevant fields, but actually this is done via the following macro:
   #define INT_VALUE( field ) \
      if ( strcmp( field_name, #field ) == 0 ) \
      { \
         data->field = *value; \
      }

So, the C routine “setpar” can actually look like this:
   void setpar( char *field_name, long *value )
   {
      INT_VALUE( noparams )
      INT_VALUE( intopt )
      INT_VALUE( nosubst )
   }
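A runnable version of this technique, added here as an example and not taken from the standard or from the original Fortran/C code: the structure with its three fields, the PAR_* status codes and the wrapper functions are constructed, a GET_INT_VALUE counterpart is added for reading fields, and setpar() returns a status so that a misspelt field name is reported instead of silently ignored (which a void setpar() cannot do). The field name is assumed to arrive as a NUL-terminated C string.

```c
#include <string.h>

#define PAR_OK       0   /* field found and handled */
#define PAR_UNKNOWN  1   /* no field of that name */

/* Constructed example structure; the real one had some 30 fields */
typedef struct
{
   long noparams;   /* number of parameters */
   long intopt;     /* integration option */
   long nosubst;    /* number of substances */
} ModelData;

static ModelData  model;          /* the one instance (constructed) */
static ModelData *data = &model;  /* the pointer the macros refer to */

/* #field turns the macro argument into the string compared with field_name,
 * while data->field uses the same argument as a structure member. Each macro
 * returns on a match, so falling out of the list means the name is unknown. */
#define INT_VALUE( field ) \
   if ( strcmp( field_name, #field ) == 0 ) \
   { \
      data->field = *value; \
      return PAR_OK; \
   }

#define GET_INT_VALUE( field ) \
   if ( strcmp( field_name, #field ) == 0 ) \
   { \
      *value = data->field; \
      return PAR_OK; \
   }

/* Set a field by name (value passed by reference, as Fortran does) */
long setpar ( const char *field_name, const long *value )
{
   INT_VALUE( noparams )
   INT_VALUE( intopt )
   INT_VALUE( nosubst )
   return PAR_UNKNOWN;
}

/* Get the current value of a field by name */
long getpar ( const char *field_name, long *value )
{
   GET_INT_VALUE( noparams )
   GET_INT_VALUE( intopt )
   GET_INT_VALUE( nosubst )
   return PAR_UNKNOWN;
}

/* By-value wrappers, convenient for checking the behaviour from C */
long SetParValue ( const char *field_name, long newvalue )
{
   return setpar( field_name, &newvalue );
}

long GetParValue ( const char *field_name, long missing )
{
   long result = missing;  /* left unchanged when the field is unknown */

   (void) getpar( field_name, &result );
   return result;
}
```

Note that a wrong field name is only detected at run time, by the PAR_UNKNOWN status; the macro list must be kept in step with the structure by hand.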


Appendix C Examples

C.1 Example C module (.c)

/********************************************************************
*
* Filename owndef.c
* Programmer H.Hanzon
* Version 1.00 27-11-1994 First Edition
*
* COPYRIGHT
*
* Copyright (c) 1994 "Rijkswaterstaat"
* Permission to copy or distribute this software or documentation
* in hard copy or soft copy granted only by written license
* obtained from "Rijkswaterstaat".
* All rights reserved. No part of this publication may be
* reproduced, stored in a retrieval system (e.g., in memory, disk,
* or core) or be transmitted by any means, electronic, mechanical,
* photocopy, recording, or otherwise, without written permission
* from the publisher.
*
*********************************************************************
*
* FILE DESCRIPTION
*
* This file (module) contains functions to manage the traffic at a
* crossing.
*
* Warning!
* This example is for clarification purposes only.
* Each definition and declaration stands for itself.
* Together, they do not form a coherent program structure.
*
********************************************************************/

/* ----- includes ----- */

#include <stdio.h>
#include <math.h>

#include "owndef.h"

/* ----- definitions ----- */

/* traffic lights */
#define RED 1 /* red light */
#define ORANGE 2 /* orange light */
#define GREEN 3 /* green light */
#define BLINKING_ORANGE 10 /* warning light */

#define MACRO(bWhat,iThis,iThat) ((bWhat)?(iThis):(iThat)) /* conditional expression */

/* ----- enums and typedefs ----- */

enum hallo
{
   Here,
   There
}; /* enumeration (example) */

typedef struct complex
{
   float fRe; /* real part of complex number */
   float fIm; /* imaginary part of complex number */
} COMPLEX;

typedef char *WHY;

/* ----- external variable definitions ----- */ /* discouraged */

WHY sMe="?"; /* global variable question mark */

/* ----- internal variable definitions -----*/


static float fHome; /* internal variable (automatically initialised) */

/* ----- static function prototypes ----- */

static long ChangeState ( /* return value: error code */
   long * plState); /* o state of the light */

/* ----- function definitions ----- */

/********************************************************************
*
* FUNCTION NAME GiveMessage
*
* FUNCTION DESCRIPTION
*
* This function produces a message, depending on the state of the traffic
* light.
*
* Warning: the description of the function may be long, but it should always
* start with (at most) two lines with a summary of the full description.
* These two lines are preceded and followed by at least one blank line.
*
*********************************************************************
*
* PSEUDO CODE
*
* if the light is red then
* print "stop"
* elseif the light is orange then
* print "go or halt"
* elseif the light is green
* print "go"
* else
* print "watch out"
*
********************************************************************/

void GiveMessage ( /* no return value */
   long lState, /* i state: state of the light */
   long iClone, /* i clone of object */
   float fTarget) /* i thing to hit */
{
   long * piPointer = &iClone; /* pointer to object */
   float * pfToTarget = NULL; /* pointer to target */
   char * sMessage = sMe; /* pointer to message */

   switch (lState)
   {
      case RED: /* the light is red */
         printf ("stop\n");
         break;

      case ORANGE: /* the light is orange */
         printf ("can you make it? then go, else stop\n");
         break;

      case GREEN: /* the light is green */
         printf ("go on\n");
         break;

      default: /* something's wrong */
         printf ("watch out\n");
         break;
   }
}

/********************************************************************
*
* FUNCTION NAME ChangeState
*
* FUNCTION DESCRIPTION
*
* This function changes the state of the light, depending on the incoming
* (current) state.
*
*********************************************************************
*
* PSEUDO CODE
*
* if the light is red then
*    change light to green
* elseif the light is orange then
*    change light to red
* else if light is green
*    change light to orange
* else
*    make the light blinking orange
*
******************************************************************/

static long ChangeState ( /* return value: error code */
   long * plState) /* o state of the light */
{
   long iReturnValue = 1; /* return value */

   switch (*plState)
   {
      case RED: /* make it green */
         *plState = GREEN;
         break;

      case ORANGE: /* make it red */
         *plState = RED;
         break;

      case GREEN: /* make it orange */
         *plState = ORANGE;
         break;

      default: /* make it blinking */
         *plState = BLINKING_ORANGE;
         break;
   }

   if (*plState == BLINKING_ORANGE)
   {
      iReturnValue = 1; /* error */
   }
   else
   {
      iReturnValue = 0; /* ok */
   }
   return iReturnValue;
}


C.2 Example C header file (.h)

/********************************************************************
*
* Filename h_exampl.h
* Programmer A.L. Weg
* Version 1.00 27-11-1994 New file
*
* COPYRIGHT
*
* Copyright (c) 1994 "Rijkswaterstaat"
* Permission to copy or distribute this software or documentation
* in hard copy or soft copy granted only by written license
* obtained from "Rijkswaterstaat".
* All rights reserved. No part of this publication may be
* reproduced, stored in a retrieval system (e.g., in memory, disk,
* or core) or be transmitted by any means, electronic, mechanical,
* photocopy, recording, or otherwise, without written permission
* from the publisher.
*
*********************************************************************
*
* FILE DESCRIPTION
*
* This is my own header file
*
********************************************************************/

/* ----- includes ----- */

#include <stdio.h>
#include "special.h"

/* ----- defines ----- */

#define STOP 0x100 /* constant for stop */
#define GO 0x200 /* constant for go */

/* ----- enums and typedefs ----- */

enum peer
{
   to,
   peer
}; /* enumeration example */

typedef union jack
{
   char cRed; /* example of union variable */
   char cWhite; /* example of union variable */
   char cBlue; /* example of union variable */
} JACK;

typedef long SLINGER;

/* ----- external variable declarations ----- */ /* discouraged */

extern long iOutside; /* example of external variable */
extern JACK Flash; /* example of external variable */
extern SLINGER iApi; /* example of external variable */

/* ----- function prototypes ----- */

double Trouble ( /* return value: amount of trouble */
   long iOut); /* i control variable */

float * Boat ( /* return value: float value */
   long lShot); /* i control variable */

void GiveMessage ( /* no return value */
   long lState, /* i state: state of the light */
   long iClone, /* i clone of object */
   float fTarget); /* i thing to hit */
