4
Type Design Guidelines
From the CLR perspective, there are only two categories of types— reference types and value types—but for the purpose of discussing framework design, we divide types into more logical groups, each with its own specific design rules. Figure 4-1 shows these logical groups.
Figure 4-1: The logical grouping of types
Classes are the general case of reference types. They make up the bulk of types in the majority of frameworks. Classes owe their popularity to the rich set of object-oriented features they support and to their general applicability. Base classes and abstract classes are special logical groups related to extensibility. Extensibility and base classes are covered in Chapter 6.
Interfaces are types that can be implemented by both reference types and value types. As a consequence, they serve as roots of polymorphic hierarchies of reference types and value types. In addition, interfaces can be used to simulate multiple inheritance, which is not natively supported by the CLR.
Structs are the general case of value types and should be reserved for small, simple types, similar to language primitives.
Enums are a special case of value types used to define short sets of values, such as days of the week, console colors, and so on.
Static classes are types intended to be containers for static members. They are commonly used to provide shortcuts to other operations.
Delegates, exceptions, attributes, arrays, and collections are all special cases of reference types intended for specific uses. Guidelines for their design and usage are discussed elsewhere in this book.
DO ensure that each type is a well-defined set of related members, not just a random collection of unrelated functionality.
It is important that a type can be described in one simple sentence. A good definition should also rule out functionality that is only tangentially related.
Brad Abrams
If you have ever managed a team of people, you know that they don’t do well without a crisp set of responsibilities. Well, types work the same way. I have noticed that types without a firm and focused scope tend to be magnets for more random functionality, which over time makes a small problem a lot worse. It becomes more difficult to justify why the next member with even more random functionality does not belong in the type. As the focus of the members in a type blurs, the developer’s ability to predict where to find a given functionality is impaired, and therefore so is productivity.
Rico Mariani
Good types are like good diagrams: What has been omitted is as important to clarity and usability as what has been included. Every additional member you add to a type starts at a net negative value; only by proven usefulness does it go from there to positive. If you add too much in an attempt to make the type more useful to some users, you are just as likely to make the type useless to everyone.
Jeffrey Richter
When I was learning OOP back in the early 1980s, I was taught a mantra that I still honor today: If things get too complicated, make more types. Sometimes I find that I am thinking really hard trying to define a good set of methods for a type. When I start to feel that I’m spending too much time on this or when things just don’t seem to fit together well, I remember my mantra and I define more, smaller types, where each type has well-defined functionality. This has worked extremely well for me over the years.
On the flip side, sometimes types do end up being dumping grounds for various loosely related functions. .NET offers several types like this, such as Marshal, GC, Console, Math, and Application. You will note that all members of these types are static, so it is not possible to create any instances of these types. Programmers seem to be OK with this. Fortunately, these types’ methods are separated a bit into separate types. It would be awful if all these methods were defined in just one type!
4.1 Types and Namespaces
You should decide how to factor your functionality into a set of functional areas represented by namespaces when you design a large framework. This kind of top-down architectural design is important because it ensures a coherent set of namespaces containing types that work well together. The namespace design process is iterative, of course, and it should be expected that the design will have to be tweaked as types are added to the namespaces over the course of several releases. This philosophy leads to the following guidelines.
DO use namespaces to organize types into a hierarchy of related feature areas.
The hierarchy should be optimized for developers browsing the framework for desired APIs.
Krzysztof Cwalina
This is an important guideline. Contrary to popular belief, the main purpose of namespaces is not to help in resolving naming conflicts between types with the same name. As the guideline states, the main purpose of namespaces is to organize types in a hierarchy that is coherent, easy to navigate, and easy to understand.
I consider type-name conflicts in a single framework to indicate sloppy design. Types with identical names should either be merged to allow for better integration between parts of the library or be renamed to improve code readability and searchability.
AVOID very deep namespace hierarchies. Such hierarchies are difficult to browse because the user has to backtrack often.
AVOID having too many namespaces.
Users of a framework should not have to import many namespaces in the most common scenarios. Types that are used together in common scenarios should reside in a single namespace if at all possible. This guideline does not mean “have only one namespace,” but instead urges you to seek balance. The types used by developers and the types used by code generators or IDE designers to help the developers are two different concepts and should be in different, but related, namespaces.
Jeffrey Richter
As an example of a problem, the runtime serializer types are defined under the System.Runtime.Serialization namespace and its subnamespaces. However, the Serializable and NonSerialized attributes are incorrectly defined in the System namespace. Because these types are not in the same namespace, developers don’t realize that they are closely related. In fact, I have run into many developers who apply the Serializable attribute to a class that they are serializing with the System.Xml. Serialization’s XmlSerializer type. However, the XmlSerializer completely ignores the Serializable attribute; applying the attribute gives no value and just bloats your assembly’s metadata.
AVOID having types designed for advanced scenarios in the same namespace as types intended for common programming tasks.
This makes it easier to understand the basics of the framework and to use the framework in the common scenarios.
Brad Abrams
One of the best features of Visual Studio is Intelli-Sense, which provides a drop-down list for your likely next type or member usage. The benefit of this feature is inversely proportional to the number of options. That is, if there are too many items in the list, it takes longer to find the one you are looking for. Following this guideline to split out advanced functionality into a separate namespace enables developers to see the smallest number of types possible in the common case.
Brian Pepin
One thing we’ve learned is that most programmers live or die by IntelliSense. If something isn’t listed in the drop-down list, most programmers won’t believe it exists. But, as Brad says, too much of a good thing can be bad, and having too much stuff in the drop-down list dilutes its value. If you have functionality that should be in the same namespace but you don’t think it needs to be shown all the time to users, you can use the EditorBrowsable attribute.
Rico Mariani
Don’t go crazy adding members for every exotic thing someone might want to do with your type. You’ll make fatter, uglier assemblies that are hard to grasp. Provide good primitives with understandable limitations. A great example of this is the urge people get to duplicate functionality that is already easy to use via Interop to native. Interop is there for a reason—it’s not an unwanted stepchild. When wrapping anything, be sure you are adding plenty of value. Otherwise, the value added by not implementing the type and therefore being smaller would make your assembly more helpful to more people.
Jeffrey Richter
I agree with this guideline, but I’d like to further add that the more advanced classes should be in a namespace that is under the namespace that contains the simple types. For example, the simple types might be in System.Mail, and the more advanced types should be in System.Mail.Advanced.
DO NOT define types without specifying their namespaces.
This practice organizes related types in a hierarchy and can help resolve potential type name collisions. Of course, the fact that namespaces can help resolve name collisions does not mean that such collisions should be introduced. See section 3.4.1 for details.
Brad Abrams
It is important to realize that namespaces cannot actually prevent naming collisions; however, they can significantly reduce them. I could define a class called MyNamespace.MyType in an assembly called MyAssembly and define a class with precisely the same name in another assembly. I could then build an application that uses both of these assemblies and types. The CLR would not get confused because the type identity in the CLR is based on the strong name (which includes the fully qualified assembly name) rather than just the namespace and type name. This fact can be seen by looking at the C# and ILASM of code creating an instance of MyType.
C#: new MyType(); IL: IL_ʘʘʘʘ: newobj instance void [MyAssembly]MyNamespace.MyType::.ctor()
Notice that the C# compiler adds a reference to the assembly that defines the type, of the form [MyAssembly], so the runtime always has a disambiguated, fully qualified name to work with.
Rico Mariani
Namespaces are a language thing. The CLR doesn’t know anything about them, really. As far as the CLR is concerned, the name of the class really is something like MyNameSpace.MyOtherNameSpace.MyAmazingType. The compilers give you syntax (e.g., “using”) so that you don’t have to type those long class names all the time. So the CLR is never confused about class names because everything is always fully qualified.
4.2 Choosing Between Class and Struct
One of the basic design decisions every framework designer faces is whether to design a type as a class (a reference type) or as a struct (a value type). Good understanding of the differences in the behavior of reference types and value types is crucial in making this choice.
The first difference between reference types and value types we will consider is that reference types are allocated on the heap and garbage-collected, whereas value types are allocated either on the stack or inline in containing types and deallocated when the stack unwinds or when their containing type gets deallocated. Therefore, allocations and deallocations of value types are generally cheaper than allocations and deallocations of reference types.
Next, arrays of reference types are allocated out-of-line, meaning the array elements are just references to instances of the reference type residing on the heap. Value type arrays are allocated inline, meaning that the array elements are the actual instances of the value type. Therefore, allocations and deallocations of value type arrays are much cheaper than allocations and deallocations of reference type arrays. In addition, in a majority of cases value type arrays exhibit much better locality of reference.
Rico Mariani
The preceding is often true, but it’s a very broad generalization that I would be very careful about. Whether or not you get better locality of reference when value types get boxed when cast to an array of value types will depend on how much of the value type you use, how much searching you have to do, how much data reuse there could have been with equivalent array members (sharing a pointer), the typical array access patterns, and probably other factors I can’t think of at the moment. Your mileage might vary, but value type arrays are a great tool for your toolbox.
Chris Sells
I find the restrictions of value types to be painful and therefore prefer reference types. Custom value types are often used for performance improvements, so I would recommend profiling large-scale anticipated usage of your library and changing reference types to value types based on actual data instead of on some anticipated problem that may never manifest itself in real-world conditions.
The next difference is related to memory usage. Value types get boxed when they are cast to a reference type or one of the interfaces they implement. They get unboxed when they are cast back to the value type. Because boxes are objects that are allocated on the heap and are garbage-collected, too much boxing and unboxing can have a negative impact on the heap, the garbage collector, and ultimately the performance of the application. In contrast, no such boxing occurs when reference types are cast.
Next, reference type assignments copy the reference, whereas value type assignments copy the entire value. Therefore, assignments of large reference types are cheaper than assignments of large value types.
Finally, reference types are passed by reference, whereas value types default to being passed by value. Changes to an instance of a reference type affect all references pointing to that instance. Value type instances are copied when they are passed by value. When an instance of a value type is changed, it does not affect any of its copies. Because the copies are not created explicitly by the user but rather are created implicitly when arguments are passed or return values are returned, value types that can be changed can be confusing to many users. Therefore, value types should be immutable.1
1. Immutable types are types that don’t have any public members that can modify this instance. For example, System.String is immutable. Its members, such as ToUpper, do not modify the string on which they are called, but rather return a new modified string instead and leave the original string unchanged.
Rico Mariani
If you make your value type mutable, you will find that you end up having to pass it by reference a lot to get the semantics you want (using, for example, “out” syntax in C#). This might be important in cases in which the value type is expected to be embedded in a variety of other objects that are themselves reference types or embedded in arrays. The biggest trouble from having mutable value types arises when they look like independent entities such as complex numbers. Value types that have a mission in life of being an accumulator of sorts or a piece of a reference type have fewer pitfalls for mutability.
The downside to this technique is that you don’t get garbage collection on elements in your array. Thus, this technique should be used only when that is not an issue (e.g., when you have a large read-only array of small structures).
As a rule of thumb, the majority of types in a framework should be classes. There are, however, some situations in which the characteristics of a value type make it more appropriate to use structs.
CONSIDER defining a struct instead of a class if instances of the type are small and commonly short-lived or are commonly embedded in other objects, especially arrays.
AVOID defining a struct unless the type has all of the following characteristics:
It logically represents a single value, similar to primitive types (
int,double, etc.).It has an instance size less than 24 bytes.
It is immutable.
It will not have to be boxed frequently.
In all other cases, you should define your types as classes.
Jeffrey Richter
In my opinion, a value type should be defined for types with a size of approximately 16 bytes or less. Value types can be more than 16 bytes if you don’t intend to pass them to other methods or copy them to and from a collection class (like an array). I would also define a value type if you expect instances of the type to be used for short periods of time (usually they are created in a method and no longer needed after a method returns). I used to discourage defining value types if you thought that instances of them would be placed in a collection due to all the boxing that would have to be done. But, fortunately, newer versions of the CLR, C#, and other languages support generics so that boxing is no longer necessary when putting value type instances in a collection.
Joe Duffy
I frequently struggle with the reference versus value type decision. Although these rules are very black-and-white, there is a fairly large cliff you jump off when you decide to implement a reference type. This decision means you will pay the cost of heap allocation for each instance—which can impact scalability on multiprocessor machines due to the shared heap and cost of collections—in addition to at least a pointer of overhead (due to the object header) and a level of indirection to each access (due to the need to go through an object reference). That said, my experience has shown that whenever I attempt to be clever and break any of these rules, it usually comes back to bite me.
Jeremy Barton
Whether a struct or a class is better for performance depends on usage characteristics, which themselves depend on the split between your library code and the calling code from your user. When a struct is passed into a method by value, the details of memory layout and expense differ by runtime OS and CPU architecture—so a struct with three Int64 fields isn’t always the same as a struct with six Int32 fields. Since the usage characteristics cannot be readily known, the size guideline is a general approximation.
Private types have the flexibility of using performance analysis data to change from a struct to a class, or vice versa, from build to build. But for public types, you have to make a decision and stick with it.
4.3 Choosing Between Class and Interface
In general, classes are the preferred construct for exposing abstractions.
The main drawback of interfaces is that they are much less flexible than classes when it comes to allowing for evolution of APIs. After you ship an interface, the set of its members is largely fixed forever. Any additions to the interface would break existing types that implement the interface.
Jeremy Barton
C# 8.0 added a feature, Default Interface Methods, which allows creating new methods on an interface without necessarily resulting in compile failures in downstream assemblies. While this feature can be useful for adding a simplified overload for an existing method, it usually can’t introduce a new concept without a compile-time failure or a runtime exception. Because new concepts can’t be introduced to an interface and Just Work, we still consider the interface to be effectively fixed once it ships.
There isn’t any guidance for Default Interface Methods in the third edition because we haven’t yet learned where things really go wrong. The best proto-guideline we have is “DO NOT use Default Interface Methods to provide an implementation for a member from a base interface,” so as to avoid the “diamond problem.”
A class offers much more flexibility. You can add members to classes that have already shipped. As long as the method is not abstract (i.e., as long as you provide a default implementation of the method), any existing derived classes continue to function unchanged.
Let’s illustrate the concept with a real example from .NET. The System.IO.Stream abstract class shipped in .NET Framework 1.0 without any support for timing out pending I/O operations. In version 2.0, several members were added to Stream to allow subclasses to support timeout-related operations, even when accessed through their base class APIs.
public abstract class Stream {
public virtual bool CanTimeout {
get { return false; }
}
public virtual int ReadTimeout{
get {
throw new InvalidOperationException(...);
}
set {
throw new InvalidOperationException(...);
}
}
}
public class FileStream : Stream {
public override bool CanTimeout {
get { return true; }
}
public override int ReadTimeout{
get {
...
}
set {
...
}
}
}
The only general way to evolve interface-based APIs without runtime or compile-time errors is to add a new interface with the additional members. This might seem like a good option, but it suffers from several problems. Let’s illustrate this with a hypothetical IStream interface. Let’s assume we had shipped the following APIs in .NET Framework 1.0.
public interface IStream {
...
}
public class FileStream : IStream {
...
}
If we wanted to add support for timeouts to streams in version 2.0, we would have to do something like the following:
public interface ITimeoutEnabledStream : IStream {
int ReadTimeout{ get; set; }
}
public class FileStream : ITimeoutEnabledStream {
public int ReadTimeout{
get{
...
{
set {
...
}
}
}
But now we would have a problem with all the existing APIs that consume and return IStream. For example, StreamReader has several constructor overloads and a property typed as Stream.
public class StreamReader {
public StreamReader(IStream stream){ ... }
public IStream BaseStream { get { ... } }
}
How would we add support for ITimeoutEnabledStream to StreamReader? We would have several options, each with substantial development cost and usability issues:
Leave the
StreamReaderas is, and ask users who want to access the timeout-related APIs on the instance returned fromBaseStreamproperty to use a dynamic cast and query for theITimeoutEnabled Streaminterface.StreamReader reader = GetSomeReader(); var stream = reader.BaseStream as ITimeoutEnabledStream; if(stream != null){ stream.ReadTimeout = 1ʘʘ; }Unfortunately, this option does not perform well in usability studies. The fact that some streams can now support the new operations is not immediately apparent to the users of
StreamReaderAPIs. Also, some developers have difficulty understanding and using dynamic casts.Add a new property to
StreamReaderthat would returnITimeoutEnabledStreamif one is passed to the constructor ornullifIStreamis passed.StreamReader reader = GetSomeReader(); var stream = reader.TimeoutEnabledBaseStream; if(stream != null){ stream.ReadTimeout = 1ʘʘ; }Such APIs are only marginally better in terms of usability. It’s really not obvious to the user that the
TimeoutEnabledBaseStreamproperty getter might returnnull, which results in confusing and often unexpectedNullReferenceExceptions. Jeremy BartonThe C# 8.0 Nullable Reference Types feature allows library authors to indicate that an API can (or won’t) return a null value, which would seem to negate the surprising
NullReferenceExceptionscenario. But, if a developer has never seenTimeoutEnabledBaseStreamreturnnullthe developer might decide the metadata is incorrect, only to have their code fail when interacting with a newIStreamtype.We’ve learned that developers frequently exhibit the human characteristic of trusting their personal experience more than documentation.
Add a new type called
TimeoutEnabledStreamReaderthat would takeITimeoutEnabledStreamparameters to the constructor overloads and returnITimeoutEnabledStreamfrom theBaseStreamproperty.The problem with this approach is that every additional type in the framework adds complexity for the users. What’s worse, the solution usually creates more problems like the one it is trying to solve.
StreamReaderitself is used in other APIs. These other APIs will now need new versions that can operate on the newTimeoutEnabledStreamReader.The .NET streaming APIs are based on an abstract class. This allowed for an addition of timeout functionality in version 2.0 of the Framework. The addition is straightforward, is discoverable, and had little impact on other parts of the framework.
StreamReader reader = GetSomeReader(); if(reader.BaseStream.CanTimeout){ reader.BaseStream.ReadTimeout = 1ʘʘ; }
One of the most common arguments in favor of interfaces is that they allow for separating the contract from the implementation. However, this argument incorrectly assumes that you cannot separate contracts from implementation using classes. Abstract classes residing in a separate assembly from their concrete implementations are a great way to achieve such separation. For example, the contract of IList<T> says that when an item is added to a collection, the Count property is incremented by one. Such a simple contract can be expressed—and, more importantly, locked— for all subtypes, using the following abstract class:
public abstract class CollectionContract<T> : IList<T> {
public void Add(T item){
AddCore(item);
_count++;
}
public int Count {
get { return _count; }
}
protected abstract void AddCore(T item);
private int _count;
}
Krzysztof Cwalina
I often hear people saying that interfaces specify contracts. I believe this is a dangerous myth. Interfaces, by themselves, do not specify much beyond the syntax required to use an object. The interface-as-contract myth causes people to do the wrong thing when trying to separate contracts from implementation, which is indeed a great engineering practice. Interfaces separate syntax from implementation, which is not that useful, and the myth provides a false sense of doing the right engineering. In reality, the contract is both syntax and semantics, and these can be better expressed with abstract classes.
COM exposed APIs exclusively through interfaces, but you should not assume that COM did this because interfaces were superior. COM did it because COM is an interface standard that was intended to be supported on many execution environments. CLR is an execution standard, and it provides a great benefit for libraries that rely on portable implementation.
DO favor defining classes over interfaces.
Class-based APIs can be evolved with much greater ease than interface-based APIs because it is possible to add members to a class without breaking existing code.
Krzysztof Cwalina
I have talked about this guideline with quite a few developers on our team. Many of them, including those who initially disagreed with the guideline, have said that they regret having shipped some API as an interface. I have not heard of even one case in which somebody regretted that they shipped a class.
Jeffrey Richter
I agree with Krzysztof in general. However, you do need to think about some other things. There are some special base classes, such as MarshalByRefObject. If your library type provides an abstract base class that isn’t itself derived from MarshalByRefObject, then types that derive from your abstract base class cannot live in a different AppDomain.
DO use abstract classes instead of interfaces to decouple the contract from implementations.
Abstract classes, if designed correctly, allow for the same degree of decoupling between contract and implementation.
Chris Anderson
Here is one instance in which the design guideline, if followed too strictly, can paint you into a corner. Abstract types do version much better, and allow for future extensibility, but they also burn your one and only one base type. Interfaces are appropriate when you are really defining a contract between two objects that is invariant over time. Abstract base types are better for defining a common base for a family of types. When we did .NET, there was somewhat of a backlash against the complexity and strictness of COM—interfaces, GUIDs, variants, and IDL were all seen as bad things. I believe today that we have a more balanced view of this. All of these COM-isms have their place, and in fact you can see interfaces coming back as a core concept in WCF.
Brian Pepin
One thing I’ve started doing is to actually bake as much contract into my abstract class as possible. For example, I might want to have four overloads to a method, where each overload offers an increasingly complex set of parameters. The best way to do this is to provide a nonvirtual implementation of these methods on the abstract class and have the implementations all route to a protected abstract method that provides the actual implementation. By doing this, you can write all the boring argument-checking logic once. Developers who want to implement your class will thank you.
Jeremy Barton
What Brian is describing here is the Template Method Pattern, discussed more in section 9.9.
DO define an interface if you need to provide a polymorphic hierarchy of value types.
Value types cannot inherit from other types, but they can implement interfaces. For example, IComparable, IFormattable, and IConvertible are all interfaces, so value types such as Int32, Int64, and other primitives can all be comparable, formattable, and convertible.
public struct Int32 : IComparable, IFormattable, IConvertible {
...
}
public struct Int64 : IComparable, IFormattable, IConvertible {
...
}
Rico Mariani
Good interface candidates often have this “mix in” feel to them. All sorts of objects can be IFormattable—it isn’t restricted to a certain subtype. It’s more like a type attribute. Other times we have interfaces that look more like they should be classes—IFormatProvider springs to mind. The fact that the interface’s name ended in “er” speaks volumes.
Brian Pepin
Another sign that you’ve got a well-defined interface is that the interface does exactly one thing. If you have an interface that has a grab bag of functionality, that’s a warning sign. You’ll end up regretting it because in the next version of your product you’ll want to add new functionality to this rich interface, but you can’t.
CONSIDER defining interfaces to achieve a similar effect to that of multiple inheritance.
For example, System.IDisposable and System.ICloneable are both interfaces, so types, like System.Drawing.Image, can be both disposable and cloneable yet still inherit from the System.MarshalByRefObject class.
public class Image : MarshalByRefObject, IDisposable, ICloneable {
...
}
Jeffrey Richter
When a class is derived from a base class, I say that the derived class has an “is a” relationship with the base. For example, a FileStream “is a” Stream. However, when a class implements an interface, I say that the implementing class has a “can-do” relationship with the interface. For example, a FileStream “can-do” disposing because it implements the IDisposable.
Jeremy Barton
One hint that Jeffrey’s “can-do” paradigm is being followed is when the interface ends in the suffix “able.” For example, IDisposable can be loosely rewritten “a thing that can do Dispose.”
If we compare this to ICryptoTransform, that interface isn’t describing a capability; it’s instead defining a set of related actions. When we added System.Span<T> in .NET Core 2.0, we found that we couldn’t add Span support to symmetric cryptography because we used an interface instead of an abstract base class. It may have taken 15 years to realize that it was a mistake to have that type as an interface, but it was nonetheless a mistake.
4.4 Abstract Class Design
DO NOT define public or protected internal constructors in abstract types.
Constructors should be public only if users will need to create instances of the type. Because you cannot create instances of an abstract type, an abstract type with a public constructor is incorrectly designed and misleading to the users.2
2. This also applies to protected internal constructors.
// bad design
public abstract class Claim {
public Claim() {
}
}
// good design
public abstract class Claim {
protected Claim() {
}
}
DO define a protected or an internal constructor in abstract classes.
A protected constructor is more common and simply allows the base class to do its own initialization when subtypes are created.
public abstract class Claim {
protected Claim() {
...
}
}
An internal constructor can be used to limit concrete implementations of the abstract class to the assembly defining the class.
public abstract class Claim {
internal Claim() {
...
}
}
Brad Abrams
Many languages (such as C#) will insert a protected constructor if you do not. It is a good practice to define the constructor explicitly in the source so that it can be more easily documented and maintained over time.
DO provide at least one concrete type that inherits from each abstract class that you ship.
Doing this helps to validate the design of the abstract class. For example, System.IO.FileStream is an implementation of the System.IO.Stream abstract class.
Brad Abrams
I have seen countless examples of a “well-designed” base class or interface where the designers spent hundreds of hours debating and tweaking the design, only to have it be blown out of the water when the first real-world client came to use the design. Far too often these real-world clients come too late in the product cycle to allow time for the correct fix. Forcing yourself to provide at least one concrete implementation reduces the chances of finding a new problem late in the product cycle.
Chris Sells
My rule of thumb for testing a type or set of types is to have three people write three apps against it based on scenarios you hope to support. If the client code is pretty in all three cases, you’ve done a good job. Otherwise, you should consider refactoring until pretty happens.
4.5 Static Class Design
A static class is defined as a class that contains only static members (of course, besides the instance members inherited from System.Object and possibly a private constructor). Some languages provide built-in support for static classes. In C# 2.0 and later, when a class is declared to be static, it is sealed, abstract, and no instance members can be overridden or declared.
public static class File {
...
}
If your language does not have built-in support for static classes, you can declare such classes manually, as shown in the following C++ example:
public class File abstract sealed {
...
}
Static classes are a compromise between pure object-oriented design and simplicity. They are commonly used to provide shortcuts to other operations (such as System.IO.File), holders of extension methods, or functionality for which a full object-oriented wrapper is unwarranted (such as System.Environment).
DO use static classes sparingly.
Static classes should be used only as supporting classes for the object-oriented core of the framework.
DO NOT treat static classes as a miscellaneous bucket.
There should be a clear charter for each class. When your description of the class involves “and” or a new sentence, you need another class.
DO NOT declare or override instance members in static classes.
This is enforced by the C# compiler.
DO declare static classes as sealed, abstract, and add a private instance constructor if your programming language does not have built-in support for static classes.
Brian Grunkemeyer
In .NET Framework 1.0, I wrote the code for the System.Environment class, which is an excellent example of a static class. I messed up and accidentally added a property to this class that wasn’t static (HasShutdownStarted). Because it was an instance method on a class that could never be instantiated, no one could call it. We didn’t discover the problem early enough in the product cycle to fix it before releasing version 1.0.
If I were inventing a new language, I would explicitly add the concept of a static class into the language to help people avoid falling into this trap. And in fact, C# 2.0 did add support for static classes!
Jeffrey Richter
Make sure that you do not attempt to define a static structure, because structures (value types) can always be instantiated, no matter what. Only classes can be static.
4.6 Interface Design
Although most APIs are best modeled using classes and structs, there are some cases in which interfaces are more appropriate or are the only option.
The CLR does not support multiple inheritance (i.e., CLR classes cannot inherit from more than one base class), but it does allow types to implement one or more interfaces in addition to inheriting from a base class. Therefore, interfaces are often used to achieve the effect of multiple inheritance. For example, IDisposable is an interface that allows types to support disposability independent of any other inheritance hierarchy in which they want to participate.
public class Component : MarshalByRefObject, IDisposable, IComponent {
...
}
The other situation in which defining an interface is appropriate is in creating a common interface that can be supported by several types, including some value types. Value types cannot inherit from types other than System.ValueType, but they can implement interfaces, so using an interface is the only option to provide a common base type.
public struct Boolean : IComparable {
...
}
public class String: IComparable {
...
}
DO define an interface if you need some common API to be supported by a set of types that includes value types.
CONSIDER defining an interface if you need to support its functionality on types that already inherit from some other type.
AVOID using marker interfaces (interfaces with no members).
If you need to mark a class as having a specific characteristic (marker), in general, use a custom attribute rather than an interface.
// Avoid
public interface IImmutable {} // empty interface
public class Key: IImmutable {
...
}
// Consider
[Immutable]
public class Key {
...
}
Methods can be implemented to reject parameters that are not marked with a specific attribute, as follows:
public void Add(Key key, object value){
if(!key.GetType().IsDefined(typeof(ImmutableAttribute), false)){
throw new ArgumentException("The argument must be declared
[Immutable]","key");
}
...
}
Rico Mariani
Of course, any kind of marking like this has a cost. Attribute testing is a lot more costly than type checking. You might find that it’s necessary to use the marker interface approach for performance reasons—measure and see. My own experience is that true markers (with no members) don’t come up very often. Most of the time, you need a no-kidding-around interface with actual functionality to do the job, in which case there is no choice to make.
The problem with this approach is that the check for the custom attribute can occur only at runtime. Sometimes it is very important that the check for the marker be done at compile-time. For example, a method that can serialize objects of any type might be more concerned with verifying the presence of the marker than with type verification at compile-time. Using marker interfaces might be acceptable in such situations. The following example illustrates this design approach:
public interface ITextSerializable {} // empty interface
public void Serialize(ITextSerializable item){
// use reflection to serialize all public properties
...
}
DO provide at least one type that is an implementation of an interface.
Doing this helps to validate the design of the interface. For example, System.Collections.Generic.List<T> is an implementation of the System.Collections.Generic.IList<T> interface.
DO provide at least one API that consumes each interface you define (a method taking the interface as a parameter or a property typed as the interface).
Doing this helps to validate the interface design. For example, List<T>.Sort consumes the IComparer<T> interface.
DO NOT add members to an interface that has previously shipped.
Doing so would break implementations of the interface. You should create a new interface to avoid versioning problems.
Except for the situations described in these guidelines, you should, in general, choose classes rather than interfaces in designing managed code reusable libraries.
4.7 Struct Design
The general-purpose value type is most often referred to as a struct, its C# keyword. This section provides guidelines for general struct design. Section 4.8 presents guidelines for the design of a special case of value type, the enum.
DO NOT provide a default constructor for a struct.
Many CLR languages do not allow developers to define default constructors on value types. Users of these languages are often surprised to learn that default(SomeStruct) and new SomeStruct() don’t necessarily produce the same value. Even if your language does allow defining a default constructor on a value type, it probably isn’t worth the confusion it would cause if you did it.
DO NOT define mutable value types.
Mutable value types have several problems. For example, when a property getter returns a value type, the caller receives a copy. Because the copy is created implicitly, developers might not be aware that they are mutating the copy, not the original value. Also, some languages (dynamic languages, in particular) have problems using mutable value types because even local variables, when dereferenced, cause a copy to be made.
// bad design
public struct ZipCode {
public int FiveDigitCode { get; set; } // get/set properties
public int PlusFourExtension { get; set; }
}
// good design
public struct ZipCode {
public ZipCode(int fiveDigitCode, int plusFourExtension){...}
public ZipCode(int fiveDigitCode):this(fiveDigitCode,ʘ){}
public int FiveDigitCode { get; } // get-only properties
public int PlusFourExtension { get; }
}
DO declare immutable value types with the readonly modifier.
Newer compiler understand the readonly modifier on a value type and avoid making extra value copies on operations such as invoking a method on a field declared with the readonly modifier.
public readonly struct ZipCode {
public ZipCode(int fiveDigitCode, int plusFourExtension){...}
public ZipCode(int fiveDigitCode):this(fiveDigitCode,ʘ){}
public int FiveDigitCode { get; } // get-only properties
public int PlusFourExtension { get; }
public override string ToString() {
...
}
}
public partial class Other {
private readonly ZipCode _zipCode;
...
private void Work() {
// Because ZipCode is declared as "readonly struct" the
// ToString() method call does not involve a defensive copy
string zip = _zipCode.ToString();
...
}
}
Jan Kotas
Be careful when marking an existing struct as readonly. Existing structs that appear to be immutable may be mutable in very subtle ways. We learned this lesson hard way when Nullable<T> was marked as readonly in .NET Core. We quickly found that it broke existing code that depended on the GetHashCode and Equals methods mutating the T for caching, and the change was rolled back.
DO declare nonmutating methods on mutable value types with the readonly modifier.
For better or worse, there are public mutable value types in .NET. As mentioned in the guidance against having mutable value types, when a mutable value type is stored in a field declared with the readonly modifier, any method or property invocation is performed on a copy of the value. Like the readonly modifier at the type level, the readonly modifier on a method allows the compiler to skip copying the value before invoking the method.
When the type is declared with the readonly modifier, there is no additional benefit from specifying the modifier on each method.
The C# compiler automatically applies the readonly modifier to the get method of a property declared using the auto-implemented property syntax.
// Using the "bad design" mutable version of ZipCode
public struct ZipCode {
private int _plusFour;
// This get method is implicitly readonly
public int FiveDigitCode { get; set; }
// This one needs it explicitly
public int PlusFourExtension {
readonly get => _plusFour;
set {
if (value > 9999) {
value = -1;
}
_plusFour = value;
}
}
// Any methods also need the readonly modifier
// (if they don't mutate)
public override readonly string ToString() { ... }
}
DO ensure that a state where all instance data is set to zero, false, or null (as appropriate) is valid.
This prevents accidental creation of invalid instances when an array of the structs is created. For example, the following struct is incorrectly designed. The parameterized constructor is meant to ensure a valid state, but the constructor is not executed when an array of the struct is created. Thus, the instance field value gets initialized to 0, which is not a valid value for this type.
// bad design
public struct PositiveInteger {
private int value;
public PositiveInteger(int value) {
if (value <= ʘ) throw new ArgumentException(...);
_value = value;
}
public override string ToString() {
return _value.ToString();
}
}
The problem can be fixed by ensuring that the default state (in this case, the value field equal to 0) is a valid logical state for the type.
// good design
public struct PositiveInteger {
private int _value; // the logical value is value+1
public PositiveInteger(int value) {
if (value <= ʘ) throw new ArgumentException(...);
_value = value-1;
}
public override string ToString() {
return (_value+1).ToString();
}
}
DO NOT define ref-like value types (ref struct types), other than for specialized low-level purposes where performance is critical.
A ref struct type is an advanced concept that comes with several restrictions. Values from a ref struct type are allowed to exist only on the stack, and can never be boxed into the heap. Consequently, a ref struct type cannot be used as the type for a field in another type, except for other ref struct types, and cannot be used in asynchronous methods generated with the async keyword.
These usability limitations are a source of confusion and frustration for less advanced developers, and should generally be avoided.
Jeremy Barton
I’ve found myself saying, “Yeah, but ref structs break all the rules,” when discussing certain inconsistencies in the guidelines in this book compared to some features from .NET Core 2.0 (when ref structs were first introduced) and beyond. This doesn’t mean that the ref-like value types have a free license to ignore the guidance, but that the restrictions placed on them can sometimes force a compromise between strict compliance and the target scenario.
The usability concerns and occasional inconsistency with the rest of the platform are why ref structs have a “DO NOT” guidance, and almost every one of them involves long discussion in API review.
DO implement IEquatable<T> on value types.
The Object.Equals method on value types causes boxing, and its default implementation is not very efficient, because it uses reflection. IEquatable<T>.Equals can have much better performance and can be implemented so that it will not cause boxing. See section 8.6 for guidelines on implementing IEquatable<T>.
DO NOT explicitly extend System.ValueType. In fact, most languages prevent this.
In general, structs can be very useful, but they should be used only for small, single, immutable values that will not be boxed frequently.
4.8 Enum Design
Enums are a special kind of value type. There are two kinds of enums: simple enums and flag enums.
Simple enums represent small closed sets of choices. A common example of the simple enum is a set of colors such as the following:
public enum Color {
Red,
Green,
Blue,
...
}
Flag enums are designed to support bitwise operations on the enum values. A common example of the flags enum is a list of options like the following:
[Flags]
public enum AttributeTargets {
Assembly = ʘxʘʘʘ1,
Module = ʘxʘʘʘ2,
Cass = ʘxʘʘʘ4,
Struct = ʘxʘʘʘ8,
...
}
Brad Abrams
We had some debates about what to call enums that are designed to be bitwise OR-ed together. We considered bitfields, bitflags, and even bitmasks—but ultimately decided to use flag enums because the term is clear, simple, and approachable.
Steven Clarke
I’m sure that less experienced developers will be able to understand bitwise operations on flags. The real question, though, is whether they would expect to have to do this. Most of the APIs that I have run through the labs don’t require them to perform such operations, so I have a feeling that they would have the same experience that we observed during a recent study—it’s just not something that they are used to doing, so they might not even think about it.
Where it could get worse, I think, is that if less advanced developers don’t realize they are working with a set of flags that can be combined with one another, they might just look at the list available and think that is all the functionality they can access. As we’ve seen in other studies, if an API makes it look to them as though a specific scenario or requirement isn’t immediately possible, it’s likely that they will change the requirement and do what does appear to be possible, rather than being motivated to spend time investigating what they need to do to achieve the original goal.
Historically, many APIs (e.g., Win32 APIs) represented sets of values using integer constants. Enums make such sets more strongly typed, thereby improving compile-time error checking, usability, and readability. For example, use of enums allows development tools to know the possible choices for a property or a parameter.
DO use an enum to strongly type parameters, properties, and return values that represent sets of values.
DO favor using an enum instead of static constants.
IntelliSense provides support for specifying arguments to members with enum parameters. It does not have similar support for static constants.
// Avoid the following
public static class Color {
public static int Red = ʘ;
public static int Green = 1;
public static int Blue = 2;
...
}
// Favor the following
public enum Color {
Red,
Green,
Blue,
...
}
Jeffrey Richter
An enum is a structure with a set of static constants. The reason to follow this guideline is because you will get some additional compiler and reflection support if you define an enum versus manually defining a structure with static constants.
DO NOT use an enum for open sets (such as the operating system version, names of your friends, etc.).
DO NOT provide reserved enum values that are intended for future use.
You can always simply add values to the existing enum at a later stage. Section 4.8.2 provides more details on adding values to enums. Reserved values just pollute the set of real values and tend to lead to user errors.
public enum DeskType {
Circular,
Oblong,
Rectangular,
// the following two values should not be here
ReservedForFutureUse1,
ReservedForFutureUse2,
}
AVOID publicly exposing enums with only one value.
A common practice for ensuring future extensibility of C APIs is to add reserved parameters to method signatures. Such reserved parameters can be expressed as enums with a single default value. This practice should not be followed in managed APIs. Method overloading allows adding parameters in future releases.
// bad design
public enum SomeOption {
DefaultOption
// we will add more options in the future
}
...
// The option parameter is not needed.
// It can always be added in the future
// to an overload of SomeMethod().
public void SomeMethod(SomeOption option) {
...
}
Vance Morrison
While I agree that this example is not a good practice, I think it is OK to define enums with no values (or just one “sentinel” value). The key question is whether the type safety (not being allowed to “accidentally” use an int) is valuable. If you pass out int values as “handles” to your structure, passing them out as an enum rather than an int is a REALLY good thing because it prevents mistakes and makes the intent of the API clear (What can I do with this “handle” you returned to me?). When you do this, you may be defining enums with no values or maybe just one (a “null” value).
Jeremy Barton
I agree with Vance that using a strong type instead of int or string provides value for the case “I gave this to you, and need you to give this back to me,” but I would advise using a custom struct rather than an enum. A custom struct can evolve better (such as gaining extra fields, or being IDisposable).
Joe Duffy
Although having enums with one value is a bad idea, enums with just two values are far more common. If you have a Boolean parameter and suspect that the choice may have a third possible value sometime in the future, it’s usually a good idea to proactively add the parameter to a two-valued enum. This can help to avoid versioning problems down the road.
Brad Abrams
Like Joe, I believe an enum with just two values is a fine and common practice. I much prefer this to a Boolean argument. The main reason is for code readability. For example, consider:
FileStream f = File.Open ("foo.txt", true, false);
This call gives you no context whatsoever for understanding the meaning behind true and false. Now consider if the call were:
FileStream f = File.Open ("foo.txt", CasingOptions.CaseSensitive,
FileMode.Open)
DO NOT include sentinel values in enums.
Although they are sometimes helpful to framework developers, sentinel values are confusing to users of the framework. They are used to track the state of the enum rather than being one of the values from the set represented by the enum. The following example shows an enum with an additional sentinel value used to identify the last value of the enum, which is intended for use in range checks. This is bad practice in framework design.
public enum DeskType {
Circular = 1,
Oblong = 2,
Rectangular = 3,
LastValue = 3 // this sentinel value should not be here
}
public void OrderDesk(DeskType desk){
if((desk > DeskType.LastValue){
throw new ArgumentOutOfRangeException(...);
}
...
}
Rather than relying on sentinel values, framework developers should perform the check using one of the real enum values.
public void OrderDesk(DeskType desk){
if(desk > DeskType.Rectangular || desk < DeskType.Circular){
throw new ArgumentOutOfRangeException(...);
}
...
}
Rico Mariani
You can get yourself into a lot of trouble by trying to be too clever with enums. Sentinel values are a great example of this: People write code like the example shown, but they use the sentinel value LastValue instead of Rectangular, as recommended. When a new value comes along and LastValue is updated, their program “automatically” does the right thing and accepts the new input value without giving an ArgumentOutOfRangeException. That sounds grand except for all that we didn’t show—the part that’s doing the actual work and that might not yet expect or even handle the new value. By avoiding sentinel values you will be forced to revisit all the right places to ensure that the new value really is going to work. The few minutes you spend visiting those call sites will be more than repaid in time you save avoiding bugs.
DO provide a value of zero on simple enums.
Consider calling the value something like “None.” If such a value is not appropriate for this particular enum, the most common default value for the enum should be assigned the underlying value of zero.
public enum Compression {
None = ʘ,
GZip,
Deflate,
}
public enum EventType {
Error = ʘ,
Warning,
Information,
...
}
Jeremy Barton
Remember that class and struct fields are initialized to their zero-value by default. When it would be hard to describe a “default” state, or when it’s important that the caller express an intentional value, consider naming the zero value “Undefined” and treating it as an invalid value.
CONSIDER using Int32 (the default in most programming languages) as the underlying type of an enum unless any of the following is true:
The enum is a flags enum and you have more than 32 flags, or expect to have more in the future.
The underlying type needs to be different than
Int32for easier interoperability with unmanaged code expecting different-size enums. Rico MarianiDid you know that the CLR supports enums with an underlying type of
floatordoubleeven though most languages don’t choose to expose it? This is very handy for strongly typed constants that happen to be floating point (e.g., a set of canonical conversion factors for different measuring systems). It’s in the ECMA standard.A smaller underlying type would result in substantial savings in space. If you expect the enum to be used mainly as an argument for flow of control, the size makes little difference. The size savings might be significant if:
You expect the enum to be used as a field in a very frequently instantiated structure or class.
You expect users to create large arrays or collections of the enum instances.
You expect a large number of instances of the enum to be serialized.
For in-memory usage, be aware that managed objects are always DWORD-aligned. So, you effectively need multiple enums or other small structures in an instance to pack a smaller enum with in order to make a difference, because the total instance size will always be rounded up to a DWORD.
Brad Abrams
Keep in mind that it is a binary breaking change to change the size of the enum type once you have shipped, so choose wisely— with an eye toward the future. Our experience has been that Int32 is usually the right choice; thus we made it the default.
DO name flag enums with plural nouns or noun phrases and simple enums with singular nouns or noun phrases.
See section 3.5.3 for details.
DO NOT extend System.Enum directly.
System.Enum is a special type used by the CLR to create user-defined enumerations. Most programming languages provide a programming element that gives you access to this functionality. For example, in C# the enum keyword is used to define an enumeration.
Simple enums works well for a closed set of alternatives. When multiple values need to be expressed concurrently, consider a flag enum (section 4.8.1). When the set of alternatives should be open to allow for derived types to add new capabilities, consider the strongly typed string approach discussed in section 4.11.
4.8.1 Designing Flag Enums
Jeffrey Richter
I use flag enums quite frequently in my own programming. They are stored very efficiently in memory, and manipulation is very fast. In addition, they can be used with interlocked operations, making them ideal for solving thread synchronization problems. I’d love to see the System.Enum type offer a bunch of additional methods that could be easily inlined by the JIT compiler and that would make source code easier to read and maintain. Here are some of the methods I’d like to see added to System.Enum: IsExactlyOneBitSet, CountOnBits, AreAllBitsOn, AreAnyBitsOn, and TurnBitsOnOff.
DO apply the System.FlagsAttribute to flag enums. Do not apply this attribute to simple enums.
[Flags]
public enum AttributeTargets {
...
}
DO use powers of 2 for the flag enum values so they can be freely combined using the bitwise OR operation.
[Flags]
public enum WatcherChangeTypes {
None = ʘ,
Created = ʘxʘʘʘ2,
Deleted = ʘxʘʘʘ4,
Changed = ʘxʘʘʘ8,
Renamed = ʘxʘʘ1ʘ,
}
Jeremy Barton
I often find it clearer, when writing, to use the left-shift operator when defining flag enum values to show I’ve set only one bit and I’m going in bit order.
[Flags]
public enum WatcherChangeTypes {
None = ʘ,
// No value is defined for 1 (ʘx1, 1 << ʘ)
Created = 1 << 1,
Deleted = 1 << 2,
Changed = 1 << 3,
Renamed = 1 << 4,
}
Since I find hexadecimal nicer when matching the values against file contents or memory views, I’ll usually have my IDE do a value replacement before committing the code.
CONSIDER providing special enum values for commonly used combinations of flags.
Bitwise operations are an advanced concept and should not be required for simple tasks. FileAccess.ReadWrite is an example of such a special value.
[Flags]
public enum FileAccess {
Read = 1,
Write = 2,
ReadWrite = Read | Write
}
AVOID creating flag enums where certain combinations of values are invalid.
The System.Reflection.BindingFlags enum is an example of an incorrect design of this kind. The enum tries to represent many different concepts, such as visibility, staticness, member kind, and so on.
[Flags]
public enum BindingFlags {
Default = ʘ,
Instance = ʘx4,
Static = ʘx8,
Public = ʘx1ʘ,
NonPublic = ʘx2ʘ,
CreateInstance = ʘx2ʘʘ,
GetField = ʘx4ʘʘ,
SetField = ʘx8ʘʘ,
GetProperty = ʘx1ʘʘʘ,
SetProperty = ʘx2ʘʘʘ,
InvokeMethod = ʘx1ʘʘ,
...
}
Certain combinations of the values are not valid. For example, the Type.GetMembers method accepts this enum as a parameter, but the documentation for the method warns users, “You must specify either BindingFlags.Instance or BindingFlags.Static in order to get a return.” Similar warnings apply to several other values of the enum.
If you have an enum with this problem, you should separate the values of the enum into two or more enums or other types. For example, the Reflection APIs could have been designed as follows:
[Flags]
public enum Visibilities {
None = ʘ,
Public = ʘx1ʘ,
NonPublic = ʘx2ʘ,
}
[Flags]
public enum MemberScopes {
None = ʘ,
Instance = ʘx4,
Static = ʘx8,
}
[Flags]
public enum MemberKinds {
None = ʘ,
Constructor = 1 << ʘ,
Field = 1 << 1,
PropertyGetter = 1 << 2,
PropertySetter = 1 << 3,
Method = 1 << 4,
}
public class Type {
public MemberInfo[] GetMembers(MemberKinds members,
Visibilities visibility,
MemberScopes scope);
}
AVOID using flag enum values of zero unless the value represents “all flags are cleared” and is named appropriately, as prescribed by the next guideline.
The following example shows a common implementation of a check that programmers use to determine if a flag is set (see the if-statement in the example). The check works as expected for all flag enum values except the value of zero, where the Boolean expression always evaluates to true.
[Flags]
public enum SomeFlag {
ValueA = ʘ, // this might be confusing to users
ValueB = 1,
ValueC = 2,
ValueBAndC = ValueB | ValueC,
}
SomeFlag flags = GetValue();
if ((flags & SomeFlag.ValueA) == SomeFlag.ValueA) {
...
}
Anders Hejlsberg
Note that in C# the literal constant 0 implicitly converts to any enum type, so you could just write:
if (Foo.SomeFlag == ʘ)...
We support this special conversion in order to provide programmers with a consistent way of writing the default value of an enum type, which by CLR decree is “all bits zero” for any value type.
DO name the zero value of flag enums None. For a flag enum, the value must always mean “all flags are cleared.”
[Flags]
public enum BorderStyle {
Fixed3D = ʘx1,
FixedSingle = ʘx2,
None = ʘxʘ
}
if (foo.BorderStyle == BorderStyle.None)....
Vance Morrison
Note that the zero value is special in that it is the default value that will be assigned if no other assignment is made. Thus, it has the potential to be the most common value. Your design should accommodate this situation. In particular, the zero value should be either of the following:
A very good default value (when there is such a default)
An error value that is checked by your APIs (when there is no good default value and you want to ensure that users set something)
4.8.2 Adding Values to Enums
It is very common to discover that you need to add values to an enum after you have already shipped it. A potential application compatibility problem arises when the newly added value is returned from an existing API, because poorly written applications might not handle the new value correctly. Documentation, samples, and code analysis tools encourage application developers to write robust code that can help applications deal with unexpected values. Therefore, it is generally acceptable to add values to enums, but—as with most guidelines—there might be exceptions to the rule based on the specifics of the framework.
CONSIDER adding values to enums, despite a small compatibility risk.
If you have real data about application incompatibilities caused by additions to an enum, consider adding a new API that returns the new and old values, and deprecate the old API, which should continue returning just the old values. This will ensure that your existing applications remain compatible.
Clemens Szyperski
Adding a value to an enum presents a very real possibility of breaking a client. Before the addition of the new enum value, a client that was throwing unconditionally in the default case presumably never actually threw the exception, and the corresponding catch path is likely untested. Now that the new enum value can pop up, the client will throw an exception and likely fold.
The biggest concern with adding values to enums is that you don’t know whether clients perform an exhaustive switch over an enum or a progressive case analysis across wider-spread code. Even with these FxCop rules in place, and even when it is assumed that client apps pass FxCop without warnings, we still would not know about code that performs things like if (myEnum == someValue) ... in various places.
Clients might instead perform pointwise case analyses across their code, resulting in fragility under enum versioning. It is important to provide specific guidelines to developers of enum client code, detailing what they need to do to survive the addition of new elements to enums they use. Developing with the suspected future versioning of an enum in mind is the required attitude.
Anthony Moore
Enum values that have a usage pattern of method or property return values should usually not be changed (even by addition) after being shipped because of usage in switch or enum statements. DateTimeKind is an example of this.
It is generally safe to add members to enums that are primarily used as input arguments, because code that has followed the argument validation guidelines will at worst throw an ArgumentException if it encounters the new value. FileAccess on FileStream is an example of this.
In general, it is safe to add members to flag enums. Compared to regular enums, it is much harder to write code against them that would be broken by the presence of new values.
4.9 Nested Types
A nested type is a type defined within the scope of another type, which is called the enclosing type. A nested type has access to all members of its enclosing type. For example, it has access to private fields defined in the enclosing type and to protected fields defined in all ascendants of the enclosing type.
// enclosing type
public class OuterType {
private string _name;
// nested type
public class InnerType {
public InnerType(OuterType outer){
// the _name field is private, but it works just fine
Console.WriteLine(outer._name);
}
}
}
In general, nested types should be used sparingly, for several reasons. Some developers are not fully familiar with the concept. These developers might, for example, have problems with the syntax of declaring variables of nested types. Nested types are also very tightly coupled with their enclosing types, and as such are not suited to be general-purpose types.
Nested types are best suited for modeling implementation details of their enclosing types. The end user should rarely have to declare variables of a nested type, and should almost never have to explicitly instantiate nested types. For example, the enumerator of a collection can be a nested type of that collection. Enumerators are usually instantiated by their enclosing type, and because many languages support the foreach statement, enumerator variables rarely have to be declared by the end user.
DO use nested types when the relationship between the nested type and its outer type is such that member-accessibility semantics are desirable.
For example, the nested type needs to have access to private members of the outer type.
public OrderCollection : IEnumerable<Order> {
private Order[] _data = ...;
public IEnumerator<Order> GetEnumerator(){
return new OrderEnumerator(this);
}
// This nested type will have access to the data array
// of its outer type.
private class OrderEnumerator : IEnumerator<Order> {
}
}
DO NOT use public nested types as a logical grouping construct; use namespaces for this purpose.
AVOID publicly exposed nested types. The only exception to this guideline is if variables of the nested type need to be declared only in rare scenarios such as subclassing or other advanced customization scenarios.
Krzysztof Cwalina
The main motivation for this guideline is that many beginner developers don’t understand why some type names have dots in them and some don’t. As long as they don’t have to type in the type name, they don’t care. But the moment you ask them to declare a variable of a nested type, they get lost. Therefore, in general, we avoid nested types and use them only in places where developers almost never have to declare variables of that type (e.g., collection enumerators).
Jeremy Barton
The main scenario where we expose nested types in the Base Class Libraries is for struct-based enumerators (which also violate the guideline of not making mutable structs). We feel that these are generally OK because (a) they help with performance by avoiding heap-based allocation and interface dispatch and (b) they’re almost always used in a foreach statement and most callers aren’t aware that a struct enumerator was involved.
DO NOT use nested types if the type is likely to be referenced outside of the containing type.
For example, an enum passed to a method defined on a class should not be defined as a nested type in the class.
DO NOT use nested types if they need to be instantiated by client code.
If a type has a public constructor, it probably should not be nested.
If a type can be instantiated, that seems to indicate the type has a place in the framework on its own (you can create it, work with it, and destroy it without ever using the outer type), and thus should not be nested. Inner types should not be widely reused outside of the outer type without any relationship whatsoever to the outer type.
DO NOT define a nested type as a member of an interface. Many languages do not support such a construct.
In general, use nested types sparingly, and avoid their exposure as public types.
4.10 Types and Assembly Metadata
Types reside in assemblies, which in most cases are packaged in the form of DLLs or executables (EXEs). Several important attributes should be applied to assemblies that contain public types. This section describes guidelines related to these attributes.
DO apply the CLSCompliant(true) attribute to assemblies with public types.
[assembly:CLSCompliant(true)]
The attribute is a declaration that the types contained in the assembly are CLS3 compliant and so can be used by all .NET languages.4 Some languages, such as C#, verify compliance5 with the standard if the attribute is applied.
3. The CLS standard is an interoperability agreement between framework developers and language developers as to what subset of the CLR type system can be used in framework APIs so that these APIs can be used by all CLS-compliant languages.
4. All that support the CLS standard—and almost all of the CLR languages do.
5. C# verifies compliance with most of the CLS rules. Some rules are not automatically verifiable. For example, the standard does not say that an assembly cannot have non-compliant APIs. Instead, it says only that noncompliant APIs must be marked with CLSCompliant(false) and that a compliant alternative must exist. But, of course, the existence of an alternative to a noncompliant API cannot be verified automatically.
For example, unsigned integers are not in the CLS subset. Therefore, if you add an API that uses UInt32 (for example), C# will generate a compilation warning. To comply with the CLS standard, the assembly must provide a compliant alternative and explicitly declare the noncompliant API as CLSCompliant(false).
public static class Console {
[CLSCompliant(false)]
public void Write(uint value); // not CLS compliant
public void Write(long value); // CLS-compliant alternative
}
DO apply AssemblyVersionAttribute to assemblies with public types.
[assembly:AssemblyVersion(...)]
DO apply the following informational attributes to assemblies. These attributes are used by tools, such as Visual Studio, to inform the user of the assembly about its contents.
[assembly:AssemblyTitle("System.Core.dll")]
[assembly:AssemblyCompany("Microsoft Corporation")]
[assembly:AssemblyProduct("Microsoft .NET Framework")]
[assembly:AssemblyDescription(...)]
CONSIDER applying ComVisible(false) to your assembly. COM-callable APIs need to be designed explicitly. As a rule of thumb, .NET assemblies should not be visible to COM. If you do design the APIs to be COM-callable, you can apply ComVisible(true) either to the individual APIs or to the whole assembly.
CONSIDER applying AssemblyFileVersionAttribute and Assembly-CopyrightAttribute to provide additional information about the assembly.
CONSIDER using the format <V>.<S>.<B>.<R> for the assembly file version, where V is the major version number, S is the servicing number, B is the build number, and R is the build revision number.
For example, this is how the version attribute is applied in System.Core.dll, which shipped as part of .NET Framework 3.5:
[assembly:AssemblyFileVersion("3.5.21022.8")]
4.11 Strongly Typed Strings
Enums generally provide compile-time assurance that an input option is valid.6 The IntelliSense-enhanced feature discovery that enums enable comes at a cost of extensibility: Derived types have no way of supporting additional options using the API provided by the base class.
6. A caller can sometimes specify a disallowed option, or end up in a situation where a library was not aware of a new enum value. But usually if an enum compiles, it’s a valid value.
The most extensible input types are Object and String, but both types suffer from a difficulty in callers’ understanding of legal input values.
public partial class RSACryptoServiceProvider {
// What are the legal input values for "halg"?
//
// It turns out, it's some string values, some Type values,
// and some HashAlgorithm values ... but most string values,
// most Type values, and about half of the built-in
// HashAlgorithm types' values are invalid.
public byte[] SignData(byte[] buffer, object halg) { ... }
}
Between the flexible (but hard for callers to reason about) string input type, and the inflexible (but easy for callers to reason about) enum-based input type is the “strongly typed string.” A strongly typed string is a string, wrapped in a value type, with static properties providing the most common values.
namespace System.Security.Cryptography {
public readonly struct HashAlgorithmName :
IEquatable<HashAlgorithmName> {
public static HashAlgorithmName MD5 { get; } =
new HashAlgorithmName("MD5");
public static HashAlgorithmName SHA1 { get; } = ...;
public static HashAlgorithmName SHA256 { get; } = ...;
public static HashAlgorithmName SHA384 { get; } = ...;
public static HashAlgorithmName SHA512 { get; } = ...;
public HashAlgorithmName(string name) {
// Note: No validation because we have to deal with
// default(HashAlgorithmName) regardless.
Name = name;
}
public string Name { get; }
public override string ToString() {
return Name ?? String.Empty;
}
public override bool Equals(object obj) {
return obj is HashAlgorithmName &&
Equals((HashAlgorithmName)obj);
}
public bool Equals(HashAlgorithmName other) {
// NOTE: Intentionally case-sensitive ordinal, matches OS.
return Name == other.Name;
}
public override int GetHashCode() {
return Name == null ? ʘ : Name.GetHashCode();
}
public static bool operator ==(
HashAlgorithmName left,
HashAlgorithmName right) {
return left.Equals(right);
}
public static bool operator !=(
HashAlgorithmName left,
HashAlgorithmName right) {
return !(left == right);
}
}
}
CONSIDER defining a strongly typed string value type when a base class supports a fixed set of inputs but a derived type could support more.
When a strongly typed string is used only by a sealed type hierarchy, there is little to no value in supporting values other than the predefined ones, and an enum is a more consistent type choice.
A strongly typed string provides the most benefit when most code treats it as if it were an enum, such as HTTP header names or cryptographic digest algorithms. When the number of possible values is too large, such as all possible filenames, the value in a strongly typed string is reduced to just parameter consistency via type checking.
A variation of strongly typed strings is used in .NET for the JsonEncodedText type, where the type indicates that the value has already been processed by a string escaping/normalization process. This is a valuable approach, but does not represent a strongly typed string.
DO declare a strongly typed string as an immutable value type (struct) with a string constructor.
The strongly typed string type should follow other guidance for immutable value types, such as using the readonly modifier on the type and implementing IEquatable<T>.
DO override ToString() on a strongly typed string to return the underlying string value.
CONSIDER exposing the underlying string value from a strongly typed string in a get-only property.
ToString() should be overridden because the underlying string value provides an obvious “interesting human-readable string” to return, per the guidelines on overriding ToString().
Since ToString() is used for debugging and display purposes, rather than runtime decisions, exposing the underlying string value from the property presents a better general pattern to callers when the value is required—such as interoperating with libraries that use the same string values without using the wrapping type.
If callers will only rarely, or never, need the underlying string value, then not having the property allows the type to look more like an enum to IntelliSense.
There is not a prescriptive guideline for the name of the property. If no obvious name presents itself, remember that “Value” is preferred to “String” (section 3.2.3).
For more information on overloading ToString(), see section 8.9.3.
DO override equality operators for strongly typed string types.
Overriding the equality operators allows for a strongly typed string type to syntactically look like either a string or an enum in common code patterns.
Strongly typed strings should use ordinal string equality by default. However, when a specific domain represents case-insensitive content, the IEquatable<T> behavior can be based on other string comparisons.
DO allow null inputs to the constructor of a strongly typed string.
Because value types can always be zero-initialized, the constructor of a strongly typed string should not disallow null inputs. This ensures that code logically equivalent to a copy constructor will function.
// This should always succeed. HashAlgorithmName newName = new HashAlgorithmName(cur.Name);
DO declare known values for a strongly typed string via static get-only properties on the type.
The enum-like IntelliSense experience is a very strong motivator for strongly typed string types.
AVOID creating overloads across System.String and a strongly typed string, unless the System.String overload was released in a previous version.
The existence of an overload that accepts a System.String instance instead of a strongly typed string can save a few characters at the call site for callers that have only the underlying string value available, but it forces developers new to your API to understand the difference between the two methods.
If you have recently defined a strongly typed string type to help clarify valid inputs to a method, adding an overload that accepts the strongly typed string provides value. In that case, consider marking the original System.String-based overload as [EditorBrowsable(EditorBrowsableState.Advanced)], [EditorBrowsable(EditorBrowsableState. Never)], or [Obsolete].
Summary
This chapter presented guidelines that describe when and how to design classes, structs, and interfaces. The next chapter goes to the next level in type design—the design of members.