Todd Schiller - Hungarian Notationhttps://toddschiller.com/2014-12-08T00:00:00-05:00Human ✘ Artificial IntelligenceMaking Wrong Code... Wrong2014-12-08T00:00:00-05:002014-12-08T00:00:00-05:00Todd Schillertag:toddschiller.com,2014-12-08:/blog/java-hungarian-notation-checker.html<p>Joel Spolsky has a popular post from 2005 on
"<a href="http://www.joelonsoftware.com/articles/Wrong.html">Making Wrong Code Look Wrong</a>".
In this post, I'll address his suggestion to use
<a href="https://en.wikipedia.org/wiki/Hungarian_notation">Hungarian Notation</a>.
It turns out we can now do better: we can make wrong code... <em>wrong!</em></p>
<p>Hungarian Notation is a naming scheme that conveys information about
methods …</p><p>Joel Spolsky has a popular post from 2005 on
"<a href="http://www.joelonsoftware.com/articles/Wrong.html">Making Wrong Code Look Wrong</a>".
In this post, I'll address his suggestion to use
<a href="https://en.wikipedia.org/wiki/Hungarian_notation">Hungarian Notation</a>.
It turns out we can now do better: we can make wrong code... <em>wrong!</em></p>
<p>Hungarian Notation is a naming scheme that conveys information about
methods and variables. For example, we might use the prefix "us" to
denote variables that hold unsafe values, e.g., user input. This
notation makes it easy to notice the
<a href="https://en.wikipedia.org/wiki/SQL_injection">SQL injection</a>
vulnerability in the following code:</p>
<div class="highlight"><pre><span></span><code><span class="n">String</span><span class="w"> </span><span class="n">usUser</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">getUserInput</span><span class="p">();</span>
<span class="n">executeSqlQuery</span><span class="p">(</span><span class="s">"SELECT * FROM users WHERE user='"</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">usUser</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="s">"'"</span><span class="p">);</span>
</code></pre></div>
<p>The problem with Hungarian Notation is that you still have to manually
inspect the code. For real projects, manual inspection is insufficient
because of overloading, overridding, threading, version control
merges, etc. Testing is also insufficient because it can
<a href="ttps://www.cs.utexas.edu/users/EWD/transcriptions/EWD02xx/EWD268.html">"show the presence of bugs, but never show their absence."</a></p>
<h2>Type Qualifiers</h2>
<p>Hungarian Notation typically doesn't convey arbitrary information
about a variable/parameter. Rather, the notation describes the set of
values an expression may or may not have. In the example above, the
"us" prefix tells us that <code>usUser</code> is not just a <code>String</code>, but a
<em>potentially unsafe</em> <code>String</code>. The prefix is "qualifying" the
variable's type.</p>
<p>Java 8 brought language support for user-defined Type
Qualifiers. Instead of using naming schemes, we can now define custom
Type Qualifiers that we can use in method signatures:</p>
<div class="highlight"><pre><span></span><code><span class="kd">public</span><span class="w"> </span><span class="kt">void</span><span class="w"> </span><span class="nf">executeSqlQuery</span><span class="p">(</span><span class="nd">@Safe</span><span class="w"> </span><span class="n">String</span><span class="w"> </span><span class="n">query</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="p">...</span><span class="w"> </span><span class="p">}</span>
<span class="kd">public</span><span class="w"> </span><span class="nd">@Unsafe</span><span class="w"> </span><span class="n">String</span><span class="w"> </span><span class="nf">getUserInput</span><span class="p">()</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="p">...</span><span class="w"> </span><span class="p">}</span>
</code></pre></div>
<p>and method bodies:</p>
<div class="highlight"><pre><span></span><code><span class="nd">@Unsafe</span><span class="w"> </span><span class="n">String</span><span class="w"> </span><span class="n">usUser</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">getUserInput</span><span class="p">();</span>
<span class="n">executeSqlQuery</span><span class="p">(</span><span class="s">"SELECT * FROM users WHERE user='"</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">usUser</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="s">"'"</span><span class="p">);</span>
</code></pre></div>
<h2>Enforcing Type Qualifiers</h2>
<p>Type Qualifiers are easier to read than Hungarian Notation because you
don't have to parse (possibly multiple) prefixes and suffixes. In some
cases, however, Type Qualifiers are harder to reason about. Using
Type Qualifiers, the qualifier is typically only written on
declarations. Using Hungarian Notation, the qualifier appears at every
occurence of the variable.</p>
<p>Luckily, there are tools that can reason about Type Qualifiers for us,
just like the Java compiler reasons about types. One such tool is the
<a href="http://checkerframework.org">Checker Framework</a>. Using the Checker
Framework, we can define a checker that issues a warning wherever an
<code>@Unsafe</code> expression is used where a <code>@Safe</code> expression is
required. It's as simple as telling the Checker Framework that <code>@Safe</code>
is a subtype of <code>@Unsafe</code> — a safe value can be used wherever an
<code>@Unsafe</code> value is expected, but not vice versa:</p>
<div class="highlight"><pre><span></span><code><span class="nd">@TypeQualifier</span>
<span class="nd">@SubtypeOf</span><span class="p">({})</span>
<span class="nd">@DefaultQualifierInHierarchy</span><span class="w"> </span><span class="c1">// By default, expressions are potentially unsafe</span>
<span class="nd">@Target</span><span class="p">({</span><span class="w"> </span><span class="n">ElementType</span><span class="p">.</span><span class="na">TYPE_USE</span><span class="p">,</span><span class="w"> </span><span class="n">ElementType</span><span class="p">.</span><span class="na">TYPE_PARAMETER</span><span class="w"> </span><span class="p">})</span>
<span class="kd">public</span><span class="w"> </span><span class="nd">@interface</span><span class="w"> </span><span class="n">Unsafe</span><span class="w"> </span><span class="p">{}</span>
</code></pre></div>
<div class="highlight"><pre><span></span><code><span class="nd">@TypeQualifier</span>
<span class="nd">@SubtypeOf</span><span class="p">({</span><span class="w"> </span><span class="n">Unsafe</span><span class="p">.</span><span class="na">class</span><span class="w"> </span><span class="p">})</span><span class="w"> </span><span class="c1">// @Safe is a subtype of @Unsafe</span>
<span class="nd">@Target</span><span class="p">({</span><span class="w"> </span><span class="n">ElementType</span><span class="p">.</span><span class="na">TYPE_USE</span><span class="p">,</span><span class="w"> </span><span class="n">ElementType</span><span class="p">.</span><span class="na">TYPE_PARAMETER</span><span class="w"> </span><span class="p">})</span>
<span class="kd">public</span><span class="w"> </span><span class="nd">@interface</span><span class="w"> </span><span class="n">Safe</span><span class="w"> </span><span class="p">{}</span>
</code></pre></div>
<p>What makes the Checker Framework particularly effective is its
flow-sensitivity. Checkers can reason about the type of a variable
throughout the method:</p>
<div class="highlight"><pre><span></span><code><span class="n">String</span><span class="w"> </span><span class="n">user</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">getUserInput</span><span class="p">();</span>
<span class="c1">// WARNING: user is known to be @Unsafe</span>
<span class="n">executeSqlQuery</span><span class="p">(</span><span class="s">"SELECT * FROM users WHERE user='"</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">user</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="s">"'"</span><span class="p">);</span>
<span class="c1">// encode has return type @Safe String</span>
<span class="n">user</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">encode</span><span class="p">(</span><span class="n">user</span><span class="p">);</span>
<span class="c1">// SAFE: user is known to be @Safe</span>
<span class="n">executeSqlQuery</span><span class="p">(</span><span class="s">"SELECT * FROM users WHERE user='"</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">user</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="s">"'"</span><span class="p">);</span>
</code></pre></div>
<p>In practice, flow-sensitivity means that you rarely have to annotate
local variables.</p>
<p>For a more thorough introduction to Type Qualifiers in Java 8, check out
<a href="http://www.infoq.com/articles/Type-Annotations-in-Java-8">my article on InfoQ</a>
. Complete
instructions for creating your own checker can be found in the
<a href="http://types.cs.washington.edu/checker-framework/current/checker-framework-manual.html#writing-a-checker">Checker Framework documentation</a>.</p>
<h2>Enforcing Hungarian Notation</h2>
<p>As we've seen, Hungarian Notation and Type Qualifiers are both
techniques for qualifying types. Therefore, it should come as no
surprise that we can leverage Type Qualifiers and the Checker Framework
to automatically enforce Hungarian Notation.</p>
<p>To do so, we just need to have the Checker Framework read names as if
we were reasoning about the code ourselves. For our running example,
we have the following "type introduction" rule:</p>
<blockquote>
<p>If the name of a variable or parameter has the prefix "s", add a
<code>@Safe</code> annotation to its type.</p>
</blockquote>
<p>We implement the rule by adding logic to the <code>AnnotatedTypeFactory</code>
for our checker. The following method adds the <code>@Safe</code> qualifier to
local variables:</p>
<div class="highlight"><pre><span></span><code><span class="kd">private</span><span class="w"> </span><span class="n">Pattern</span><span class="w"> </span><span class="n">safeRegex</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">Pattern</span><span class="p">.</span><span class="na">compile</span><span class="p">(</span><span class="s">"s[A-Z_].*"</span><span class="p">);</span>
<span class="kd">private</span><span class="w"> </span><span class="n">AnnotationMirror</span><span class="w"> </span><span class="n">SAFE</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">AnnotationUtils</span><span class="p">.</span><span class="na">fromClass</span><span class="p">(</span><span class="n">elements</span><span class="p">,</span><span class="w"> </span><span class="n">Safe</span><span class="p">.</span><span class="na">class</span><span class="p">);</span>
<span class="nd">@Override</span>
<span class="kd">public</span><span class="w"> </span><span class="n">Void</span><span class="w"> </span><span class="nf">visitVariable</span><span class="p">(</span><span class="n">VariableTree</span><span class="w"> </span><span class="n">node</span><span class="p">,</span><span class="w"> </span><span class="n">AnnotatedTypeMirror</span><span class="w"> </span><span class="n">type</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">safeRegex</span><span class="p">.</span><span class="na">matcher</span><span class="p">(</span><span class="n">node</span><span class="p">.</span><span class="na">getName</span><span class="p">()).</span><span class="na">matches</span><span class="p">())</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">type</span><span class="p">.</span><span class="na">replaceAnnotation</span><span class="p">(</span><span class="n">SAFE</span><span class="p">);</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="kd">super</span><span class="p">.</span><span class="na">visitVariable</span><span class="p">(</span><span class="n">node</span><span class="p">,</span><span class="w"> </span><span class="n">type</span><span class="p">);</span>
<span class="p">}</span>
</code></pre></div>
<p>The logic is the same for parameters and fields. You can find a full
implementation of the checker <a href="https://github.com/twschiller/hungarian-checker">on GitHub</a>.</p>
<p>The result is a system that combines the conciceness of Hungarian
Notation with the safety of compile-time checking:</p>
<div class="highlight"><pre><span></span><code><span class="c1">// Parameter sQuery is given the @Safe annotation</span>
<span class="kd">public</span><span class="w"> </span><span class="kt">void</span><span class="w"> </span><span class="nf">executeSqlQuery</span><span class="p">(</span><span class="n">String</span><span class="w"> </span><span class="n">sQuery</span><span class="p">){</span><span class="w"> </span><span class="p">...</span><span class="w"> </span><span class="p">}</span>
<span class="c1">// WARNING: sUser is given the @Safe annotation</span>
<span class="n">String</span><span class="w"> </span><span class="n">sUser</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">getUserInput</span><span class="p">();</span>
</code></pre></div>
<h2>Summary</h2>
<p>This post demonstrated how Type Qualifiers and the Checker Framework
can enforce Hungarian Notation at compile-time. Compile-time checking
makes wrong code not just <em>look</em> wrong, but actually wrong!</p>
<p>The source code for the checker is available on GitHub
at: <a href="https://github.com/twschiller/hungarian-checker">https://github.com/twschiller/hungarian-checker</a>.</p>
<p><em>This post was inspired by a talk that
<a href="https://en.wikipedia.org/wiki/Charles_Simonyi">Charles Simonyi</a> gave
on May 10, 2012 at the University of Washington about the importance
of notation.</em></p>