Correct generic exception handling (catch(Exception){ … })

A very nice comment tail is growing at the post “Why catch(Exception)/empty is bad” on the CLR team blog. I tend to agree but there are perfectly valid reason’s to do a generic catch but with a correct handler, an empty handler is *always* bad. For example to cleanup some resources that you have allocated or logging some state that could be helpful in reproducing this specific error condition. What my number one rule is regarding generic catches is that they always need to re-throw the catched exception.

void MyMethod(int myCoolNumber){
      // Doing cool stuff with my cool number!
   catch(Exception ex){
      // We could log about this condition and add the argument value.

If I see code that has a generic catch but doesn’t re-throw it or that wraps it then the code will be immediately corrected or be marked for refactoring.

Possible corrections:

  • specifying a specific Exception type(s) or
  • adding the throw keyword or
  • removing the wrapped exception after the throw or
  • removing the creation of a new exception without an inner exception

Why is the ErrorCode property of type int?

Once in a while you need to handle an framework exception that has an ErrorCode property. The HttpException and COMException classes for example have such a property. The problem here is that the Message property contains the ErrorCode in hex but the ErrorCode property is of type int which is signed. It is probably int to be CLS complaint or something but it always gives me a headache!

Everytime I do something like:

const int DISP_E_BADINDEX = 0x8002000B;  // Cannot assign uint to int

But that fails because 0x8002000B is an unsigned value but that value is just copied from the Message property text. So now you first need to convert it to a signed int like the following:

const int DISP_E_BADINDEX = (int)0x8002000B;  // Cannot cast uint to int use unchecked keyword.

*Sigh* doesn’t this give you a headache? So the final code is:

    const int DISP_E_BADINDEX = (int)0x8002000B;

But that is also not very neath as the constant int value can now only be used in one method while in most scenarios this value is declared as a constant data member. So now I just start Snippet compiler and dump the signed integer result of the cast and copy paste that in my code like the following line:

const int DISP_E_BADINDEX = -2147352565; // HRESULT 0x8002000B

No bloated code but this.. It would have been nice if it was possible to directly assign such a hex value to a int.

OT: Yamaha KX8 – My new DAW addition

In my free time I often play some notes on my E-MU X-Board 61. It has 16 controllers, direct patch select and 4 zones that can be layered. But yesterday I bought a new board. The Yamaha KX8 with has 88 weighted keys, just 4 controllers but they are digital and can be set with midi in which cannot be done with the X-Board.

The feel is really excellent especially for its price. I was comparing it with the Fatar/Studiologic SL990 XP/PRO, the CME UF80 and the M-Audio keystation 88 pro. If you are searching for a nice weighted board with loads of controllers then the keystation is the winner but it makes quite some noise and the feel doesn’t even come close to a real piano. The CME UF8 is also a very nice board but makes even more noise but has a much better piano feel.

The Yamaha KX8 won because:

  • Has a very good piano feel for its price
  • Its an Yamaha and they create quality digital piano’s so they know how a keybed should feel.
  • Has a black finish instead of the silver/aluminum
  • It is silent

I nice picture of the board in my computer room:

Yamaha KX8 past net

As you see there isn’t a lot of room left.

Long delay at service startup caused by WebRequest.DefaultWebProxy

Today I was resolving an issue where some of our services had a very long startup time which only occurs during booting and not at a service start/restart from the service snap-in. In other words, when I restart the service when the system is finished booting than we experience no delay.

After debugging through logging I found out that the System.Net.WebRequest.DefaultWebProxy was causing our delay of almost two minutes! The problem is that this is a property! Property access should be fast so this should have been System.Net.WebRequest.GetDefaultWebProxy().

After searching (aka. googling) it seems to be something related to WPAD which does automatic proxy server detection. I tried overriding the proxy configuration by adding the following to the app.config but without any success.

   <defaultProxy useDefaultCredentials=”True”>
      <proxy useSystemDefault=”False” autoDetect=”False”/>

Without retrieving the default configured .net proxy server the service starts very fast.

I guess I’m dependant on one or more services but didn’t find any except “Tcpip” and “Dnscache” and making our service dependant on these services didn’t help at all.

The conclusion is not to use “WebRequest.DefaultWebProxy” in a service as it will delay your service startup time. WebRequest.DefaultWebProxy is probably meant to be used in desktop applications.

I now created our own version of an IWebProxy locator that can be configured to use the WebRequest.DefaultWebProxy or any other implementation. For example, we have a couple or services where the settings should be saved between uninstalls, upgrades, etc. In our custom implementation we use a we use isolated storage for platform wide settings.

Abusing IsInRole(..) is not done

Rockford Lhotka has writen about permission-based authorization versus role-based authorization. He describes how he is abusing the principal IsInRole(..) method. This is definitely wrong and should never be implemented that way! Besides that it could result in serious performance issues! Image a system with a million objects then storing all permissions allowed to those objects as a role would become disastrous.

A user identity and its role(s) is a pretty lightweight set of a user in a certain domain. This is called authentication. The identity can even be an identity from an external source trusted within this domain.

The other set of data is which users or roles/groups are allowed to do what and is called authorization. An application can support one or more types of authentication for a single user to now who he or she is or what role it has. Often identify management is now managed within an application like for example usage of Windows users, OpenID, Microsoft Passport, etc. and which roles such an identity has depends on the provider. For example Windows roles are the Windows groups.

The .net ‘role’ should be seen as ‘group’ when the ‘role’ is an external managed entity or be seen as ‘role’ if its definition is defined within the application. With this in mind you get the following relation chain:

Identity <-> Group(s) <-> Roles <-> Tasks/Permissions

When the ‘group’ is managed within the application you often see that group and role are merged in one thus resulting in the .net role definition.

Most frameworks allow relations to be defined between all four entities.

  • Identity can be linked to a groups, roles and/or tasks
  • Groups can be linked to identities, roles and/or permissions
  • Roles can be linked to identities, groups and/or tasks
  • Tasks can be linked to identities, groups and/or roles

But this would be a very bad security design. Normally an application has a lot of defined tasks. On top of that roles can be defined

lets take entity manager that has four CRUD operations:

  • Administrator is allowed to do create, read, update and delete
  • Moderator is allowed to do read and update
  • Normal user is only allowed to do read.

Here we have four tasks that resulted in three application roles. These application roles can then be assigned to a user and/or a group.

So what to do in situations where you need a more fine graded solution like a file system having loads of entries and defining permissions that can differ between all those entries? Implement it like is also done in the file-system! Store that authorization information as part of your data.

Key to success here is to think about what features you need like:

  • permission inheritance
  • deny permissions
  • loops in your hierarchy.

Try not to add this meta data in the same data structure as the data that you store as this will make your security model not flexible for possible future requirements (and trust me, these WILL come!) but if performance is crucial then this is probably the only solution. But still always try to use something like the following pseudo code!

class BlogPost

enum BlogPostPermissions
    Create = 1,
    Delete = 2,
    Update = 4,
    Read = 8

interface BlogPostSecurityManager
          IIdentity identity,
          BlogPostDTO post,


Now we have clearly seperation of responsibilies. The blog post doesn’t contain any security related data.

COM Exceptions and the ErrorCode property

Today I fixed a nasty bug in one of our applications. The first version had something like the following code construction:


   Type t = Type.GetTypeFromProgID(“My.ComComponent”, serverName);
   var component = (ComThingie)Activator.CreateInstance(t);
   SubItem item = component.Indexer[itemName]

The application was throwing an COMException here that was catched in a general COMException like:

   SubItem item;
   try{ item = component.Indexer[itemName]; } catch(COMException cex) { item = null; }

But this would catch *all* COM exceptions so I altered it to the following code:

   SubItem item = null;
      item = component.Indexer[itemName];
   }catch(COMException cex) {
      if(cex.ErrorCode != 0x8002000B) throw; //DISP_E_BADINDEX

Code compiles fine but at runtime this fails and the question was why on earth is this failing? Turns out that the ErrorCode property is of type int and not uint that I expected. What happens now is that the negative value of ErrorCode is now compared with the positive value 0x8002000B. I needed to convert the value 0x8002000B to the int value -2147352565.

   const int DISP_E_BADINDEX = -2147352565;
   SubItem item = null;
      item = component.Indexer[itemName];
   }catch(COMException cex) {
      if(cex.ErrorCode != DISP_E_BADINDEX ) throw; //DISP_E_BADINDEX

Now the exception handling is working as expected.

Hope this helps a couple of souls 😉

Paging is not so easy as most developers think it is

A lot of websites use somekind of paging mechanish to limit the results shown. Either to save bandwidth where results are served in pages or because search criteria should be made more specific by not having paging but just limit the maximum records returned.

DataGrid paging

The datagrid supports paging but this paging mechanish first fetches all records from the database and then storing the datatable in the viewstate and only showing a subset of that data to the user.

Depending on the type of data either a table or index scan will be performed by the database. If you have a filter/where clause then hopefully you will have a matching index that is also ordered as expected.


  • Easy


  • Slow
  • A lot of network traphic between webserver and database
  • Large webpages because of the viewstate

A workaround to limit the viewstate is by reloading the dataset at each page hit and disabling viewstate on the datagrid.


Database paging

Instead of letting the database return all records we ask it to return only a subset of records. Most applications work with a current page and a page size. So when your page size is 10 and the current page is 2 then rows 20-29 should returned. Some databases have native support for paging like MySql with its LIMIT keyword but paging really is hell with older Microsoft SQL Server versions and with SQL 2005 you can easily hack paging in a query by using the ROW_NUMBER() function and AFAIK SQL 2008 does not add functionality to make paging just as easy as MySql’s LIMIT statement.

So what you actually want is to not be bothered with such code and the easiest way to do that is by either making use of linq to sql, the entity framework, nhibernate or any other database abstraction layer.


NHibernate for example has the SetMaxResults and the SetFirstResult methods. These are so easy to use to fetch a certain ‘page’.

   27             criteria

   28                 .SetFirstResult(currentPage*pageSize)

   29                 .SetMaxResults(pageSize)

   30                 .List();


Linq to sql

Linq to sql has the similar methods Skip and Take and work in the same way as NHibernates methods.

   27 IQueryable<T> source;

   28             …

   29             source

   30                 .Skip(currentPage*pageSize)

   31                 .Take(pageSize)

   32                 .ToList();



  • Quite fast if good indexed are available in the database.
  • Only the needed data is tranfered from the database to the webserver


  • Paging properties must be passed from front-end to back-end
  • Cannot use most ASP.NET controls that support paging

Paging issues

Index scan

But even this can have performance issues. Imagine a table that a contains billions of records. A query that performs an index scan will be slow too! So you have to be sure that your query will use one or more indexes but that it will not be performing an index scan. For example when you have a LIKE ‘%x%’ statement. Depending on the database you use this can even result in a table scan.

Out-of-date data

When for example you are viewing a log that results in paging a log table then it is highly imaginable that log rows are being added while you are browsing the log. So when you are watching page 0 and waiting for a couple of seconds and then viewing page two could result in even newer data being shown than on page 0 because data has been added. This is due to the results not being cached and the results ordered descending on creation data (or identity).

What you would like is that when you view page 0 that page 1 will contain older data (in this log example). Here paging like described previously will not work.

The first (0) page query would be something like:

    top 20 id, title, status
    id DESC

Then the query for the second page (1) would be needing the id value of the LAST row of the previous query result

    top 20 id, title, status
    id DESC

The solution here is not making use of a “page” but only a “next” set. This is exactly what you need in most situations and if you are not sure about this then I can refer to an excellent application that (I think) is making use of this mechanism, Google Reader. You scroll down and then data is fetched at the same time and all previous downloaded items are not removed.


  • Easy to implement
  • Fast
  • Page result is what you would expect


  • Sorting will always result in viewing the result at the first ‘page’
  • Requires unique indexes / combined columns


Supporting non unique indexes / order by clause

So what if your table does not have a unique index for the where ORDER clause that you specified? Imagine a result where the filter column is a “name”, the page size is 10 but you have 16 people sharing the same name. This would result in a page only showing the first 10 people and the next page showing people with another name. The viewer will miss 6 people! It is this reason that we want to see all ties in the result.

It could be that you do not want to extend the ORDER BY because that could result in a table scan because the ORDER BY needs data not available in the index.

This can be solved by making use of the sql keyword WITH TIES. This makes sure that the result will always contain all rows matching the where in combination with the order clause.

    top 10 WITH TIES name, dob, county, city, accountnr

This query will result in a page containing at least 16 people in the situation I described above. The page will be larger then 10 but this will not be a problem in an application that fetches data like google reader.


  • Very fast and most efficient usage of indexes.


  • There it not a standard SQL syntax. Most vendors support similar behaviour (see
  • Not supported natively by frameworks like NHibernate, Linq to sql, EF

What’s your worst day as a coder?

Jeremy has a nice post called what’s your worst day as a coder and I needed to post my own list:

  1. When I need to fix a bug in a module and opening a 7500+ LOC (non generated) class file (that really happened somewhere in the past).
  2. When I interview a candidate to find out he cannot reverse an array.
  3. When I’m using a designer for more then 10% of my time.
  4. Would forced to use sourcesafe.
  5. When I broke the build.
  6. Would not code a single line.

Just a brainflush. Will probably update the post in the near future 🙂

Profile / ProfileBase SetPropertyValue

Just fixed a very nasty bug in one of the applications I’m developing. In the database world there is a name for this bug which at the moment does not come up in my mind, I think it is called a ‘lost write’ but I’m not sure.

Somewhere in a class I did the following based on a passed username:

var profile = ProfileBase.Create(username);
profile.SetPropertyValue(“test”, value);

This code (by accident) was fired by the same user that requested the page. ASP.NET’s default behavior for profiles is that it loads the current user profile at page start and saves it at the end. And here lies my problem!

The code above first writes the updated “test” value but then the page overwrites it with the old version which looks like nothing had happened.

So the lesson learned today is to first check if the current user is the same user I want to modify the profile for and if so use the profile instance from HttpContext.Profile. Another lesson learned is that ASP.NET profiles don’t use optimistic concurrency control to prevent such write patterns.

WCF and http (gzip/deflate) compression and Silverlight

The last couple of days I’ve tried to see if it was possible to make use of standard http compression on WCF services as I had very good experiences with WSE and even asmx webservices that used http compression to save bandwidth – but more important – and have better response times for large xml messages.

  • Recent Posts
  • Recent Comments
  • Archives
  • Categories
  • Meta