COMPMID-1730: Document best practices

Change-Id: I720a3beeb0c6503938f637b42fc45741e4aa1ab5
Signed-off-by: Michele Di Giorgio <michele.digiorgio@arm.com>
Reviewed-on: https://review.mlplatform.org/c/2263
Reviewed-by: Manuel Bottini <manuel.bottini@arm.com>
Comments-Addressed: Arm Jenkins <bsgcomp@arm.com>
Reviewed-by: Michalis Spyrou <michalis.spyrou@arm.com>
Tested-by: Arm Jenkins <bsgcomp@arm.com>

4 files changed, 416 insertions, 7 deletions

diff --git a/arm_compute/runtime/NEON/functions/NEActivationLayer.h b/arm_compute/runtime/NEON/functions/NEActivationLayer.h
index d383da4f32..a0517ba646 100644
--- a/arm_compute/runtime/NEON/functions/NEActivationLayer.h
+++ b/arm_compute/runtime/NEON/functions/NEActivationLayer.h
@@ -53,6 +53,7 @@ public:
     NEActivationLayer &operator=(const NEActivationLayer &) = delete;
     /** Default move assignment operator */
     NEActivationLayer &operator=(NEActivationLayer &&) = default;
+    /** [NEActivationLayer snippet] **/
     /** Set the input and output tensor.
      *
      * @note If the output tensor is a nullptr or is equal to the input, the activation function will be performed in-place
@@ -63,6 +64,7 @@ public:
      * @param[in]      activation_info Activation layer parameters.
      */
     void configure(ITensor *input, ITensor *output, ActivationLayerInfo activation_info);
+    /** [NEActivationLayer snippet] **/
     /** Static function to check if given info will lead to a valid configuration of @ref NEActivationLayer
      *
      * @param[in] input    Source tensor info. In case of @p output tensor info = nullptr, this tensor will store the result
diff --git a/docs/05_contribution_guidelines.dox b/docs/05_contribution_guidelines.dox
new file mode 100644
index 0000000000..7c919eb4fb
--- /dev/null
+++ b/docs/05_contribution_guidelines.dox
@@ -0,0 +1,406 @@
+///
+/// Copyright (c) 2019 ARM Limited.
+///
+/// SPDX-License-Identifier: MIT
+///
+/// Permission is hereby granted, free of charge, to any person obtaining a copy
+/// of this software and associated documentation files (the "Software"), to
+/// deal in the Software without restriction, including without limitation the
+/// rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+/// sell copies of the Software, and to permit persons to whom the Software is
+/// furnished to do so, subject to the following conditions:
+///
+/// The above copyright notice and this permission notice shall be included in all
+/// copies or substantial portions of the Software.
+///
+/// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+/// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+/// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+/// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+/// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+/// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+/// SOFTWARE.
+///
+namespace arm_compute
+{
+/**
+@page contribution_guidelines Contribution guidelines
+
+@tableofcontents
+
+If you want to contribute to Arm Compute Library, be sure to review the following guidelines.
+
+The development is structured in the following way:
+- Release repository: https://github.com/arm-software/ComputeLibrary
+- Development repository: https://review.mlplatform.org/#/admin/projects/ml/ComputeLibrary
+- Please report issues here: https://github.com/ARM-software/ComputeLibrary/issues
+
+@section S5_1_coding_standards Coding standards and guidelines
+
+Best practices (as suggested by clang-tidy):
+
+- No uninitialised values
+
+Helps to prevent undefined behaviour and allows to declare variables const if they are not changed after initialisation. See http://clang.llvm.org/extra/clang-tidy/checks/cppcoreguidelines-pro-type-member-init.html
+
+@code{.cpp}
+const float32x4_t foo = vdupq_n_f32(0.f);
+const float32x4_t bar = foo;
+
+const int32x4x2_t i_foo = {{
+	vconvq_s32_f32(foo),
+    vconvq_s32_f32(foo)
+}};
+const int32x4x2_t i_bar = i_foo;
+@endcode
+
+- No C-style casts (in C++ source code)
+
+Only use static_cast, dynamic_cast, and (if required) reinterpret_cast and const_cast. See http://en.cppreference.com/w/cpp/language/explicit_cast for more information when to use which type of cast. C-style casts do not differentiate between the different cast types and thus make it easy to violate type safety. Also, due to the prefix notation it is less clear which part of an expression is going to be casted. See http://clang.llvm.org/extra/clang-tidy/checks/cppcoreguidelines-pro-type-cstyle-cast.html
+
+- No implicit casts to bool
+
+Helps to increase readability and might help to catch bugs during refactoring. See http://clang.llvm.org/extra/clang-tidy/checks/readability-implicit-bool-cast.html
+
+@code{.cpp}
+extern int *ptr;
+if(ptr){} // Bad
+if(ptr != nullptr) {} // Good
+
+extern int foo;
+if(foo) {} // Bad
+if(foo != 0) {} // Good
+@endcode
+
+- Use nullptr instead of NULL or 0
+
+The nullptr literal is type-checked and is therefore safer to use. See http://clang.llvm.org/extra/clang-tidy/checks/modernize-use-nullptr.html
+
+- No need to explicitly initialise std::string with an empty string
+
+The default constructor of std::string creates an empty string. In general it is therefore not necessary to specify it explicitly. See http://clang.llvm.org/extra/clang-tidy/checks/readability-redundant-string-init.html
+
+@code{.cpp}
+// Instead of
+std::string foo("");
+std::string bar = "";
+
+// The following has the same effect
+std::string foo;
+std::string bar;
+@endcode
+
+- Braces for all control blocks and loops (which have a body)
+
+To increase readability and protect against refactoring errors the body of control block and loops must be wrapped in braces. See http://clang.llvm.org/extra/clang-tidy/checks/readability-braces-around-statements.html
+
+For now loops for which the body is empty do not have to add empty braces. This exception might be revoked in the future. Anyway, situations in which this exception applies should be rare.
+
+@code{.cpp}
+Iterator it;
+while(it.next()); // No need for braces here
+
+// Make more use of it
+@endcode
+
+- Only one declaration per line
+
+Increase readability and thus prevent errors.
+
+@code{.cpp}
+int a, b; // BAD
+int c, *d; // EVEN WORSE
+
+int e = 0; // GOOD
+int *p = nullptr; // GOOD
+@endcode
+
+- Pass primitive types (and those that are cheap to copy or move) by value
+
+For primitive types it is more efficient to pass them by value instead of by const reference because:
+
+ - the data type might be smaller than the "reference type"
+ - pass by value avoids aliasing and thus allows for better optimisations
+ - pass by value is likely to avoid one level of indirection (references are often implemented as auto dereferenced pointers)
+
+This advice also applies to non-primitive types that have cheap copy or move operations and the function needs a local copy of the argument anyway.
+
+More information:
+
+ - http://stackoverflow.com/a/14013189
+ - http://stackoverflow.com/a/270435
+ - http://web.archive.org/web/20140113221447/http://cpp-next.com/archive/2009/08/want-speed-pass-by-value/
+
+@code{.cpp}
+void foo(int i, long l, float32x4_t f); // Pass-by-value for builtin types
+void bar(const float32x4x4_t &f); // As this is a struct pass-by-const-reference is probably better
+void foobar(const MyLargeCustomTypeClass &m); // Definitely better as const-reference except if a copy has to be made anyway.
+@endcode
+
+- Don't use unions
+
+Unions cannot be used to convert values between different types because (in C++) it is undefined behaviour to read from a member other than the last one that has been assigned to. This limits the use of unions to a few corner cases and therefor the general advice is not to use unions. See http://releases.llvm.org/3.8.0/tools/clang/tools/extra/docs/clang-tidy/checks/cppcoreguidelines-pro-type-union-access.html
+
+- Use pre-increment/pre-decrement whenever possible
+
+In contrast to the pre-incerement the post-increment has to make a copy of the incremented object. This might not be a problem for primitive types like int but for class like objects that overload the operators, like iterators, it can have a huge impact on the performance. See http://stackoverflow.com/a/9205011
+
+To be consistent across the different cases the general advice is to use the pre-increment operator unless post-increment is explicitly required. The same rules apply for the decrement operator.
+
+@code{.cpp}
+for(size_t i = 0; i < 9; i++); // BAD
+for(size_t i = 0; i < 9; ++i); // GOOD
+@endcode
+
+- Don't use uint in C/C++
+
+The C and C++ standards don't define a uint type. Though some compilers seem to support it by default it would require to include the header sys/types.h. Instead we use the slightly more verbose unsigned int type.
+
+- Don't use unsigned int in function's signature
+
+Unsigned integers are good for representing bitfields and modular arithmetic. The fact that unsigned arithmetic doesn't model the behavior of a simple integer, but is instead defined by the standard to model modular arithmetic (wrapping around on overflow/underflow), means that a significant class of bugs cannot be diagnosed by the compiler. Mixing signedness of integer types is responsible for an equally large class of problems.
+
+- No "Yoda-style" comparisons
+
+As compilers are now able to warn about accidental assignments if it is likely that the intention has been to compare values it is no longer required to place literals on the left-hand side of the comparison operator. Sticking to the natural order increases the readability and thus prevents logical errors (which cannot be spotted by the compiler). In the rare case that the desired result is to assign a value and check it the expression has to be surrounded by parentheses.
+
+@code{.cpp}
+if(nullptr == ptr || false == cond) // BAD
+{
+	//...
+}
+
+if(ptr == nullptr || cond == false) // GOOD
+{
+	//...
+}
+
+if(ptr = nullptr || cond = false) // Most likely a mistake. Will cause a compiler warning
+{
+	//...
+}
+
+if((ptr = nullptr) || (cond = false)) // Trust me, I know what I'm doing. No warning.
+{
+	//...
+}
+@endcode
+
+@subsection S5_1_1_rules Rules
+
+ - Use spaces for indentation and alignment. No tabs! Indentation should be done with 4 spaces.
+ - Unix line returns in all the files.
+ - Pointers and reference symbols attached to the variable name, not the type (i.e. char \&foo;, and not char& foo).
+ - No trailing spaces or tabs at the end of lines.
+ - No spaces or tabs on empty lines.
+ - Put { and } on a new line and increase the indentation level for code inside the scope (except for namespaces).
+ - Single space before and after comparison operators ==, <, >, !=.
+ - No space around parenthesis.
+ - No space before, one space after ; (unless it is at the end of a line).
+
+@code{.cpp}
+for(int i = 0; i < width * height; ++i)
+{
+	void *d = foo(ptr, i, &addr);
+	static_cast<uint8_t *>(data)[i] = static_cast<uint8_t *>(d)[0];
+}
+@endcode
+
+ - Put a comment after \#else, \#endif, and namespace closing brace indicating the related name
+
+@code{.cpp}
+namespace mali
+{
+#ifdef MALI_DEBUG
+	...
+#else // MALI_DEBUG
+	...
+#endif // MALI_DEBUG
+} // namespace mali
+@endcode
+
+- CamelCase for class names only and lower case words separated with _ (snake_case) for all the functions / methods / variables / arguments / attributes.
+
+@code{.cpp}
+class ClassName
+{
+    public:
+        void my_function();
+        int my_attribute() const; // Accessor = attribute name minus '_', const if it's a simple type
+    private:
+        int _my_attribute; // '_' in front of name
+};
+@endcode
+
+- Use quotes instead of angular brackets to include local headers. Use angular brackets for system headers.
+- Also include the module header first, then local headers, and lastly system headers. All groups should be separated by a blank line and sorted lexicographically within each group.
+- Where applicable the C++ version of system headers has to be included, e.g. cstddef instead of stddef.h.
+- See http://llvm.org/docs/CodingStandards.html#include-style
+
+@code{.cpp}
+#include "MyClass.h"
+
+#include "arm_cv/core/Helpers.h"
+#include "arm_cv/core/Types.h"
+
+#include <cstddef>
+#include <numeric>
+@endcode
+
+- Only use "auto" when the type can be explicitly deduced from the assignment.
+
+@code{.cpp}
+auto a = static_cast<float*>(bar); // OK: there is an explicit cast
+auto b = std::make_unique<Image>(foo); // OK: we can see it's going to be an std::unique_ptr<Image>
+auto c = img.ptr(); // NO: Can't tell what the type is without knowing the API.
+auto d = vdup_n_u8(0); // NO: It's not obvious what type this function returns.
+@endcode
+
+- OpenCL:
+    - Use __ in front of the memory types qualifiers and kernel: __kernel, __constant, __private, __global, __local.
+    - Indicate how the global workgroup size / offset / local workgroup size are being calculated.
+
+    - Doxygen:
+
+        - No '*' in front of argument names
+        - [in], [out] or [in,out] *in front* of arguments
+        - Skip a line between the description and params and between params and @return (If there is a return)
+        - Align params names and params descriptions (Using spaces), and with a single space between the widest column and the next one.
+        - Use an upper case at the beginning of the description
+
+@snippet arm_compute/runtime/NEON/functions/NEActivationLayer.h NEActivationLayer snippet
+
+@subsection S5_1_2_how_to_check_the_rules How to check the rules
+
+astyle (http://astyle.sourceforge.net/) and clang-format (https://clang.llvm.org/docs/ClangFormat.html) can check and help you apply some of these rules.
+
+@subsection S5_1_3_library_size_guidelines Library size: best practices and guidelines
+
+@subsubsection S5_1_3_1_template_suggestions Template suggestions
+
+When writing a new patch we should also have in mind the effect it will have in the final library size. We can try some of the following things:
+
+ - Place non-dependent template code in a different non-templated class/method
+
+@code{.cpp}
+template<typename T>
+class Foo
+{
+public:
+    enum { v1, v2 };
+    // ...
+};
+@endcode
+
+    can be converted to:
+
+@code{.cpp}
+struct Foo_base
+{
+    enum { v1, v2 };
+    // ...
+};
+
+template<typename T>
+class Foo : public Foo_base
+{
+public:
+    // ...
+};
+@endcode
+
+ - In some cases it's preferable to use runtime switches instead of template parameters
+
+ - Sometimes we can rewrite the code without templates and without any (significant) performance loss. Let's say that we've written a function where the only use of the templated argument is used for casting:
+
+@code{.cpp}
+template <typename T>
+void NETemplatedKernel::run(const Window &window)
+{
+...
+ *(reinterpret_cast<T *>(out.ptr())) = *(reinterpret_cast<const T *>(in.ptr()));
+...
+}
+@endcode
+
+The above snippet can be transformed to:
+
+@code{.cpp}
+void NENonTemplatedKernel::run(const Window &window)
+{
+...
+std::memcpy(out.ptr(), in.ptr(), element_size);
+...
+}
+@endcode
+
+@subsection S5_1_4_secure_coding_practices Secure coding practices
+
+@subsubsection S5_1_4_1_general_coding_practices General Coding Practices
+
+- **Use tested and approved managed code** rather than creating new unmanaged code for common tasks.
+- **Utilize locking to prevent multiple simultaneous requests** or use a synchronization mechanism to prevent race conditions.
+- **Protect shared variables and resources** from inappropriate concurrent access.
+- **Explicitly initialize all your variables and other data stores**, either during declaration or just before the first usage.
+- **In cases where the application must run with elevated privileges, raise privileges as late as possible, and drop them as soon as possible**.
+- **Avoid calculation errors** by understanding your programming language's underlying representation and how it interacts with numeric calculation. Pay close attention to byte size discrepancies, precision, signed/unsigned distinctions, truncation, conversion and casting between types, "not-a-number" calculations, and how your language handles numbers that are too large or too small for its underlying representation.
+- **Restrict users from generating new code** or altering existing code.
+
+
+@subsubsection S5_1_4_2_secure_coding_best_practices Secure Coding Best Practices
+
+- **Validate input**. Validate input from all untrusted data sources. Proper input validation can eliminate the vast majority of software vulnerabilities. Be suspicious of most external data sources, including command line arguments, network interfaces, environmental variables, and user controlled files.
+- **Heed compiler warnings**. Compile code using the default compiler flags that exist in the SConstruct file.
+- Use **static analysis tools** to detect and eliminate additional security flaws.
+- **Keep it simple**. Keep the design as simple and small as possible. Complex designs increase the likelihood that errors will be made in their implementation, configuration, and use. Additionally, the effort required to achieve an appropriate level of assurance increases dramatically as security mechanisms become more complex.
+- **Default deny**. Base access decisions on permission rather than exclusion. This means that, by default, access is denied and the protection scheme identifies conditions under which access is permitted
+- **Adhere to the principle of least privilege**. Every process should execute with the least set of privileges necessary to complete the job. Any elevated permission should only be accessed for the least amount of time required to complete the privileged task. This approach reduces the opportunities an attacker has to execute arbitrary code with elevated privileges.
+- **Sanitize data sent to other systems**. Sanitize all data passed to complex subsystems such as command shells, relational databases, and commercial off-the-shelf (COTS) components. Attackers may be able to invoke unused functionality in these components through the use of various injection attacks. This is not necessarily an input validation problem because the complex subsystem being invoked does not understand the context in which the call is made. Because the calling process understands the context, it is responsible for sanitizing the data before invoking the subsystem.
+- **Practice defense in depth**. Manage risk with multiple defensive strategies, so that if one layer of defense turns out to be inadequate, another layer of defense can prevent a security flaw from becoming an exploitable vulnerability and/or limit the consequences of a successful exploit. For example, combining secure programming techniques with secure runtime environments should reduce the likelihood that vulnerabilities remaining in the code at deployment time can be exploited in the operational environment.
+
+@section S5_2_how_to_submit_a_patch How to submit a patch
+
+To be able to submit a patch to our development repository you need to have a GitHub account. With that, you will be able to sign in to Gerrit where your patch will be reviewed.
+
+Next step is to clone the Compute Library repository:
+
+	git clone "ssh://<your-github-id>@review.mlplatform.org:29418/ml/ComputeLibrary"
+
+If you have cloned from GitHub or through HTTP, make sure you add a new git remote using SSH:
+
+	git remote add acl-gerrit "ssh://<your-github-id>@review.mlplatform.org:29418/ml/ComputeLibrary"
+
+After that, you will need to upload an SSH key to https://review.mlplatform.org/#/settings/ssh-keys
+
+Then, make sure to install the commit-msg Git hook in order to add a change-ID to the commit message of your patch:
+
+	cd "ComputeLibrary" && mkdir -p .git/hooks && curl -Lo `git rev-parse --git-dir`/hooks/commit-msg https://review.mlplatform.org/tools/hooks/commit-msg; chmod +x `git rev-parse --git-dir`/hooks/commit-msg)
+
+When your patch is ready, remember to sign off your contribution by adding a line with your name and e-mail address to every git commit message:
+
+	Signed-off-by: John Doe <john.doe@example.org>
+
+You must use your real name, no pseudonyms or anonymous contributions are accepted.
+
+You can add this to your patch with:
+
+	git commit -s --amend
+
+You are now ready to submit your patch for review:
+
+	git push acl-gerrit HEAD:refs/for/master
+
+@section S5_3_code_review Patch acceptance and code review
+
+Once a patch is uploaded for review, there is a pre-commit test that runs on a Jenkins server for continuos integration tests. In order to be merged a patch needs to:
+
+- get a "+1 Verified" from the pre-commit job
+- get a "+1 Comments-Addressed", in case of comments from reviewers the committer has to address them all. A comment is considered addressed when the first line of the reply contains the word "Done"
+- get a "+2" from a reviewer, that means the patch has the final approval
+
+At the moment, the Jenkins server is not publicly accessible and for security reasons patches submitted by non-whitelisted committers do not trigger the pre-commit tests. For this reason, one of the maintainers has to manually trigger the job.
+
+If the pre-commit test fails, the Jenkins job will post a comment on Gerrit with the details about the failure so that the committer will be able to reproduce the error and fix the issue, if any (sometimes there can be infrastructure issues, a test platform disconnecting for example, where the job needs to be retriggered).
+
+*/
+} // namespace arm_compute
diff --git a/docs/05_functions_list.dox b/docs/06_functions_list.dox
index 5c3634fa81..48016ed375 100644
--- a/docs/05_functions_list.dox
+++ b/docs/06_functions_list.dox
@@ -29,7 +29,7 @@ namespace arm_compute
 
 @tableofcontents
 
-@section S5_1 NEON functions
+@section S6_1 NEON functions
 
 - @ref IFunction
     - @ref INESimpleFunction
@@ -175,7 +175,7 @@ namespace arm_compute
     - @ref NEUpsampleLayer
     - @ref NEWinogradConvolutionLayer
 
-@section S5_2 OpenCL functions
+@section S6_2 OpenCL functions
 
 - @ref IFunction
     - @ref CLBatchNormalizationLayer
@@ -323,7 +323,7 @@ namespace arm_compute
         - @ref CLWinogradInputTransform
         - @ref CLYOLOLayer
 
-@section S5_3 GLES Compute functions
+@section S6_3 GLES Compute functions
 
 - @ref IFunction
     - @ref GCBatchNormalizationLayer
@@ -352,7 +352,7 @@ namespace arm_compute
         - @ref GCTensorShift
         - @ref GCTranspose
 
-@section S5_4 CPP functions
+@section S6_4 CPP functions
 
  - @ref IFunction
     - @ref CPPDetectionOutputLayer
diff --git a/docs/Doxyfile b/docs/Doxyfile
index 94a167bc90..36ef2bca58 100644
--- a/docs/Doxyfile
+++ b/docs/Doxyfile
@@ -769,11 +769,12 @@ WARN_LOGFILE           =
 # Note: If this tag is empty the current directory is searched.
 
 INPUT                  = ./docs/00_introduction.dox \
-                         ./docs/05_functions_list.dox \
                          ./docs/01_library.dox \
-                         ./docs/04_adding_operator.dox \
                          ./docs/02_tests.dox \
                          ./docs/03_scripts.dox \
+                         ./docs/04_adding_operator.dox \
+                         ./docs/05_contribution_guidelines.dox \
+                         ./docs/06_functions_list.dox \
                          ./arm_compute/ \
                          ./src/ \
                          ./examples/ \
@@ -996,7 +997,7 @@ INLINE_SOURCES         = YES
 # Fortran comments will always remain visible.
 # The default value is: YES.
 
-STRIP_CODE_COMMENTS    = YES
+STRIP_CODE_COMMENTS    = NO
 
 # If the REFERENCED_BY_RELATION tag is set to YES then for each documented
 # function all documented functions referencing it will be listed.