Making Wrong Code Be Wrong

I was recently perusing when I came across a link to a Joel Spolsky blog post. In it, he describes how a form of Hungarian notation can be used to make wrong code look wrong. In the process, he describes the interesting history of how Hungarian notation came to be, and how the common use of it today was not the way it was originally intended.

He describes how Hungarian notation was created to convey application-level information about a variable. It could be used to distinguish between two different types of dimensions that might both be typed as ints. He termed this Apps Hungarian. While the compiler could not tell them apart, the human eye would be able to with a cursory glance. Later, the notation was instead conflated with the type that the compiler saw. An int iWidth carried redundant information that could actually get in the way if the type ever needed to change. He termed this Systems Hungarian.

He gives several examples in the post. Notably, he describes how Apps Hungarian can be used to distinguish between unsafe strings from user input, and safe strings that have been sanitized or strings that are in the code. So String usName = Request("usName") would represent an unsafe string provided by a user through a form. And String sName = Encode(usName) would represent a string that has been sanitized. These names are Hungarian because they use one- or two-letter prefixes to provide additional information, but we could change them slightly. The names unsafeName and safeName use full, descriptive words in place of the prefixes. We could say they just have longer prefixes, but more generally I think we'd agree that these variables are just named well.

The problem with Apps Hungarian is that it still requires a human eye. Whatever their names, safeName and unsafeName are still just strings to the compiler. We can still make subtle mistakes, even with the conventions in mind. Can we do better than relying on human vigilance? The issue with Systems Hungarian is that it duplicates type information. Perhaps Apps Hungarian is doing the same in a way. What if it is still encoding type information, but for types we haven't created yet?

Using the HTTP request example (and modifying it to make it more correct Java), we would have the following with Apps Hungarian:


// I am making up a web framework, so this isn't exactly any particular API.
public void doPost(HTTPRequest request, HTTPResponse response) {
    String usName = request.getData("usName");

    // Do some stuff...

    names.save(usName);

    // Do some more stuff...

    String sName = HTML.encode(usName);

    // Do even more stuff...

    response.write(usName);
}

Now the quick eye will note that I made a mistake in the last line. I am printing out the unsafe string rather than the safe one. Once this gets to code review, someone should spot this pretty quickly. Getting to code review is a comparatively long way away from the moment when this code was written, though. Can we get the code to be wrong sooner? Why don't we start by creating a small type for unsafe strings:


public class UnsafeString {
    private final String unsafeString;

    public UnsafeString(final String unsafeString) {
        this.unsafeString = unsafeString;
    }

    public String toString() {
        return unsafeString;
    }

    public String toSafeString() {
        return HTML.encode(unsafeString);
    }
}

Now the above code looks like:


public void doPost(HTTPRequest request, HTTPResponse response) {
    UnsafeString usName = new UnsafeString(request.getData("usName"));

    // Do some stuff...

    names.save(usName.toString());

    // Do some more stuff...

    String sName = usName.toSafeString();

    // Do even more stuff...

    response.write(usName); // Compiler error!!
    response.write(sName); // But this is fine
}

Instead of having to wait until code review to see that I used the wrong variable, the compiler immediately complains because the type of the parameter is incorrect. The response.write method is expecting a String, but is getting an UnsafeString. We are using the power of the compiler and the type system to find our bugs for us automatically. Now, though, we could forget to wrap every user input in an UnsafeString, leading us back down the wrong path. What if we have the request.getData method always return us an UnsafeString?


public class SafeHTTPRequest {
    private final HTTPRequest request;

    public SafeHTTPRequest(final HTTPRequest request) {
        this.request = request;
    }

    public UnsafeString getData(final String name) {
        return new UnsafeData(request.getData(name));
    }

    // Other delegate methods to emulate an HTTPRequest
}

And our code changes to:


public void doPost(SafeHTTPRequest request, HTTPResponse response) {
    UnsafeString usName = request.getData("usName");

    // Do some stuff...

    names.save(usName.toString());

    // Do some more stuff...

    String sName = usName.toSafeString();

    // Do even more stuff...

    response.write(usName); // Compiler error!!
    response.write(sName); // But this is fine
}

Now the code makes it much more difficult for us to do the wrong thing. We must handle the unsafeness of the string. We are still making some assumptions, though. We are correctly assuming that an UnsafeString is unsafe, but we are implicitly assuming that a plain String is always safe. This may be a good assumption, or it may not be. Rather than assume the best, let's make things explicit. We will add a counterpart SafeString type:


public class SafeString {
    private final String safeString;

    public SafeString(final String safeString) {
        this.safeString = safeString;
    }

    public String toString() {
        return safeString;
    }
}

We change UnsafeString to convert to a SafeString instead of a String:


public class UnsafeString {
    private final String unsafeString;

    public UnsafeString(final String unsafeString) {
        this.unsafeString = unsafeString;
    }

    public String toString() {
        return unsafeString;
    }

    public SafeString toSafeString() {
        return new SafeString(HTML.encode(unsafeString));
    }
}

And our top-level code looks like:


public void doPost(SafeHTTPRequest request, HTTPResponse response) {
    UnsafeString usName = request.getData("usName");

    // Do some stuff...

    names.save(usName.toString());

    // Do some more stuff...

    SafeString sName = usName.toSafeString();

    // Do even more stuff...

    response.write(usName); // Compiler error!!
    response.write(sName); // Also a compiler error!!
}

Now we have a problem that we can no longer write anything out without converting it using toString, and doing that would defeat the compiler checks we purposely put in place. Since we've already customized the request to give us UnsafeStrings, we can customize the response to take only SafeStrings:


public class SafeHTTPResponse {
    private final HTTPResponse response;

    public SafeHTTPResonse(final HTTPResponse response) {
        this.response = response;
    }

    public void write(final SafeString value) {
        response.write(value.toString());
    }

    // Other delegate methods to emulate an HTTPResponse
}

Our top-level code now takes a SafeHTTPResponse:


public void doPost(SafeHTTPRequest request, SafeHTTPResponse response) {
    UnsafeString usName = request.getData("usName");

    // Do some stuff...

    names.save(usName.toString());

    // Do some more stuff...

    SafeString sName = usName.toSafeString();

    // Do even more stuff...

    response.write(usName); // Compiler error!!
    response.write(sName); // This is now assuredly fine
}

We now have the compiler doing all of the error-finding for us. This is the ideal position to be in. It will detect our errors, and the wrong code will be wrong, immediately. These small objects save the day for us by making explicit what once was implicit in a variable name. Now, the prefixes have become redundant with the type, transforming from Apps Hungarian to Systems Hungarian. We can continue to use the type system to clean this up more. We could add an overload write(UnsafeString) to SafeHTTPResponse that would convert the parameter to a SafeString before writing it. Then we'd only ever need the single value and we could pass it without any error everywhere, while still having strong assurances that it is doing the right thing.

Comments

Post a Comment

Popular posts from this blog

The Timeline of Errors

Image
As software developers, we see errors every day. They manifest as exceptions or segfaults or error codes, telling us that our code has gotten into a state we didn't expect. Their appearance often portends bugs. Though we groan at an unexpected stack trace, we should see an error as a form of automated feedback . Feedback can be fast or slow. We can put the discovery of errors onto a timeline. Errors appear at many points over the lifetime of the code, starting at the moment it is compiled. The further to the right that an error appears, the longer it takes for the feedback to appear. Compile time Compile time is the earliest we can receive feedback about an error. The compiler automatically does a number of checks to make sure the code makes some semblance of sense. The most powerful tool for compile-time feedback is the type-checker. The type-checker makes sure that only values of the expected type are passed around to the places that expect them. This guards
Read more

Magic Numbers, Semantics, and Compiler Errors

Image
Magic numbers are considered such a scourge upon code bases that there tools out there to automatically find them and root them out. After all, who knows what setValue(6); really means? There are also many approaches to giving better names to magic numbers. Not all of them are good, though. For example, we have a callback that sets a completion percentage on a status: void callback(Status status) { status.updateProgress(0, "Starting"); // Do some stuff... status.updateProgress(25, "Some stuff done"); // Do some more stuff status.updateProgress(50, "More stuff done"); // Reticulating splines status.updateProgress(75, "Splines reticulated"); // Validate everything status.updateProgress(100, "Complete"); } Those percentages would get flagged as magic numbers by the automatic tools. The developer would need to extract those out to constants to make that tool happy. A thoughtful developer would create
Read more

Assuming Debugging

Bugs are bad assumptions . Debugging is the process of testing our assumptions until we discover the invalid one(s). Once found, we can then correct those bad assumptions. The following code generates blog post author statistics for a popular blog site. The statistics show which days of the week authors are making posts. Most of the authors post every day, and extra on Fridays and Saturdays to capture the weekend audience. It has at least one bug. @GET @Path("/authors/{email}/weekly-stats") public UserWeeklyStats calculateWeeklyStats(@PathParam("email") final String email) { final User user = this.userService.byEmail(email); final Map<LocalDate, List<Post>> postsByDate = this.postService.thisWeekGroupedByDateFor(user.id()); if (postsByDate.isEmpty()) { return null; } final Map<DayOfWeek, List<Post>> postsByDayOfWeek = new HashMap<>(); postsByDate.forEach((date, post) -> post
Read more