Object Role Stereotypes

In this article published in MSDN August, Jeremy Miller talked about Responsibility-Driven Design(RDD) and used some examples to demonstrate how we may apply RDD in designing objects.

RDD is closely related to CRC(Class/Responsiblity/Collaborator) card, a modeling tool for designing software. The RDD design principle starts with defining class's role in a program, list its responsibilities to fulfill the role and the interactions with other classes to accomplish it's responsibilities.

RDD categorizes 6 stereotypes in a program.

1. Information Holder: Knows things and provides information. May make calculations from the data that it holds.
2. Structurer: Knows the relationships between other objects.
3. Controller: Controls and directs the actions of other objects. Decides what other objects should do.
4. Coordinator: Reacts to events and relays the events to other objects.
5. Service Provider: Does a service for other objects upon request.
6. Interfacer: Objects that provide a means to communicate with other parts of the system, external systems or infrastructure, or end users.

Though I don't know RDD before, but it seems to me that these stereotypes have covered most of the objects in my programs. That is, I have been applying RDD tacitly in my programs already. For example, a data access object in my code is an Information Holder or a Structure. The facade pattern in my code is an interfacer. In my program, Controllers delegate requests from clients to Service Providers. An Event Handler in C# is equivalent to a Coordinator in RDD.

Good naming can be of great help when designing and maintaining software. RDD provides guidelines for me to group my objects. If a team has RDD in mind, it's easy to communicate software design among team members. If coders and maintainers share the same mindset, source code is pretty much self-documented. It's good to have such a tool in a programmer's toolbox.

WinUnit: A Unit Testing Tool for Native C++ Applications

In this MSDN article, the author introduced WinUnit, a unit testing tool for Native C++ applications on Windows platform.

To use this tool, users need to call a set of macros the author provided to write test programs, compile test programs into Dlls and run test programs against WinUnit, a DOS program. Because there is no reflection capability built in C++ language, the author took advantage of DLL exports to invoke test functions in WinUnit program.

Several references were mentioned in the article.

• Articles
  
• The Humble Dialog Box
• Registration-Free Activation of COM Components
• Creating and Using a Dynamic Link Library (C++)
• An In-Depth Look into the Win32 Portable Executable File Format, Part2
  
  
• Books
• Working Effectively with Legacy Code
• Pragmatic Unit Testing with C# in NUnit
• Debugging Applications for Microsoft .NET and Microsoft Windows

Links for 2008-01-24

• Beautiful Code
• Chapter 26 - Labor-Saving Architecture: An Object-Oriented Framework for Networked Software :
  
• The authors demonstrated how a logging framework can be built in an object-oriented way by following commonality/variability analysis methodology.
  
• The commonality was achieved by adopting Template Method pattern. That is, common steps in a logging server were defined in the Logging_server base class's run() method, deferring specialization of individual steps of its operation to hook methods in derived classes.
• The variability was achieved by adopting Wrapper Facade pattern. That is, the variability of semantic and syntactic differences, such as synchronization and IPC mechanisms, was hidden into base classes, such as Acceptor and Mutex . Then using C++ template feature, Logging_server could choose the appropriate Acceptor and Mutex subclasses in a parameterized way.
  
  

Review Code for Security Defects

In a limited time constraint, what should we look for when reviewing code for security bugs? In this MSDN article, the author suggested to check for the following bugs in code review.

Buffer Overruns in C/C++

void function(char *p) {
char buff[16];
...
strcpy(buff,p);
...
}

When see code like this, trace the variable p back to its source. If it came from an untrusted input, or is not checked for validity close to the point at which it's copied, then it's a security bug.

while (*s != '\\')
*d++ = *s++;

The loop will stop when pointer s hits '\', but pointer d is not checked. The buffer to which pointer d points may be overrun.

Integer Overflows in C/C++

void function(char *b1, size_t c1, char *b2, size_t c2) {
const size_t MAX = 48;
if (c1+c2 > MAX) return;
char *pBuff = new char[MAX];
memcpy(pBuff, b1, c1);
memcpy(pBuff+c1, b2, c2);
}

We may have an integer overflow bug, when the sum of c1 and c2 could exceed the maximum of an integer, i.e., 2^32-1. A rule of thumb is suggested: if you perform a mathematical operation in an expression that is used in a comparison, then you have a potential to overflow and underflow data.

Data Access Code
Don't hard code passwords in connection strings or connect to database using administrative accounts. Also, A database query using string concatenation is a potential security defect and should be fixed by using parameterized queries.

Web Page Code

Hello, <% Response.Write(Request.QueryString("Name")) %>

For code like this, be aware of cross-site scripting issues.

Secrets and Cryptography
Don't store secret data in code, such as passwords and cryptographic keys. Don't create one's own magic cryptographic algorithms, like using an embedded key to XOR a data stream.

Links for 2007-11-24

Web site:

1. A Windows Forms FAQ site - A good place to start with for Windows Forms questions.
2. Open Flash Chart(via Larkware News) - An open source google-style charting tool for web pages.

Blog:
10 Absolute "Nos!" for Freelancers - Informative for anyone who wants to be a freelancer but I agreed with some of the responses in the post, that you don't have to reject these requests directly. Instead, charge a price so high that it's meaningless for clients to ask.

Articles:

1. Algorithms are a human’s best friend - An article published in 2005. Five algorithmic trading strategies were mentioned. And strategies could be hybridized by combining other constraints or varying parameters.
   
• Volumn-Weighted Average Price(VWAP)
  
• Time-Weighted Average Price(TWAP)
• Market-on-Close(MOC)
• Implementation Shortfall(IS)
• Participation
2. Volume Weighted Average Price (VWAP) - An implementation of Volume Weighted Moving Average, but not a trading strategy as mentioned above.
   

Links for 2007-11-17

Blogs:

1. 7 of the Hardest Things I Learned About Writing Software:
• Make choices - Don't make program too complicated. Make it work first.
  
• Delete code
• NIH (not invented here) - Reminds me things, such as Reinventing the wheel, Standing on the shoulders of giants, etc.
• UI is more important than code
  
• Solve Problems - Users don't care how you write your code. (That doesn't mean nobody care. Think about maintainability. But solving problems always come first.)
  
• You Are Different - Reminds me of this book.
  
• Documentation - If your program is so complex as that users have to read your manual to figure out, something is wrong with your program.
2. 1000 Lines Of Code - A rule of thumb following "Make choices" in the above post.

Sample chapter:

1. The Berkeley DB Book
   
• Chapter 1 - Introduction to Berkeley DB