C# code review checklist

 
My current client uses PSP extensively, so I've been putting together a checklist for reviewing C# code for use on our new project.  Your comments or additions appreciated:
  1. Are exceptions used to indicate error rather than returning status or error codes?
  2. Are all classes and public methods commented with .NET style comments?  Note that <summary> comments should discuss the "what" of public methods.  Discussion of "how" should be in <remarks> blocks or in-line with the code in question.
  3. Are method arguments validated and rejected with an exception if they are invalid?
  4. Are Debug.Asserts used to verify assumptions about the functioning of the code?  Comments like, "j will be positive" should be rewritten as Asserts. 
  5. Do classes that should not be instantiated have a private constructor?
  6. Are classes declared as value types only infrequently used as method parameters, returned from methods or stored in Collections?
  7. Are classes, methods and events that are specific to an assembly marked as internal?
  8. Are singletons that may be accessed by multiple threads instantiated correctly?  See the Enterprise Solution Patterns book, p. 263.
  9. Are methods that must be overriden by derived classes marked as abstract?
  10. Are classes that should not be overriden marked as sealed?
  11. Is "as" used for possibly incorrect downcasts? 
  12. Do classes override ToString instead of defining a Dump method for outputting the object's state?
  13. Are log messages sent to the logging component instead of Console?
  14. Are finally blocks used for code that must execute following a try? 
  15. Is foreach used in preference to the for(int i...) construct?
  16. Are properties used instead of implementing getter and setter methods?
  17. Are readonly variables used in preference to properties without setters?
  18. Is the override keyword used on all methods that are overriden by derived classes?
  19. Are interface classes used in preference to abstract classes?
  20. Is code written against an interface rather than an implementing class?
  21. Do all objects that represent "real-world" or expensive resources implement the IDisposable pattern?
  22. Are all objects that implement IDisposable instantiated in a using block?
  23. Is the lock keyword used in preference to the Monitor.Enter construct?
  24. Are threads awakened from wait states by events or the Pulse construct, rather than "active" waiting such as Sleep()?
  25. If equals is overridden, is it done correctly?  The rules for overriding equals are complex, see Richter p153-160 for details.
  26. If == and != are overridden, so they redirect to Equals?
  27. Do all objects that override Equals also provide an overloaded version of GetHashCode that provides the same semantics as Equals?  Note that overrides to GetHashCode should take advantage of the object's member variables, and must return an unchanging hash code.
  28. Do all exception classes have a constructor that takes a string and and another constructor that takes a string and an exception?
  29. Do all exception classes derive from the base Matrix exceptions and fit correctly into the exception hierarchy?
  30. Are all classes that will be marshaled or remoted marked with the Serializable attribute?
  31. Do all classes marked with the Serializable attribute have a default constructor?  This includes Exception and EventArgs classes.
  32. Do all classes that explicitly implement ISerializable provide both the required GetObjectData and the implied constructor that takes a SerializationInfo and a StreamingContext?
  33. When doing floating point calculations, are all constants doubles rather than integers?
  34. Do all delegates have a void return type and avoid using output or ref parameters?
  35. Do all delegates send the sender (publisher) as the first argument?  This allows the subscriber to tell which publisher fired the event. 
  36. Are all members of derived EventArg classes read-only?  This prevents one subscriber from modifying the EventArgs, which would affect the other subscribers.
  37. Are delegates published as events?  This prevents the subscribers from firing the event, see Lowy, p. 102 for details.
  38. Is common setup and teardown nUnit code isolated in Setup and Teardown methods that are marked with the appropriate attribute?
  39. Do negative nUnit tests use the ExpectedException attribute to indicate that an exception must be thrown?
References:
Juval Lowy, "Programming .NET Components"
Jeffrey Richter, "Applied Microsoft .NET Framework Programming"
"Enterprise Solution Patterns using Microsoft .NET" - available in published form or as a free pdf
Published 19 December 2003 03:56 PM by Ted_Graham
Filed under: ,

Comments

# Suresh said on 19 December, 2003 06:19 PM
Thanks for this list ..hope u add more in near future...

Suresh
# Adam Weigert said on 19 December, 2003 07:12 PM
Change for #23 ... if you check the most recent guidelines for class library designers they suggest you use the System.Threading.Interlocked class. Its actually quite interesting and they say it is MUCH better for performance and locking ...
# Josh said on 19 December, 2003 09:24 PM
I personally do not like coding standards in the form of a question. It is not always clear whether you want the answer to be positive or negative. Usually they are written so that the desired response is postive which helps alleviate the issue, but I've seen them intermixed.

The best C# coding standards document I've found (and adopted at work) is at:

http://www.tiobe.com/standards/gemrcsharpcs.pdf

It's mostly based on the MSDN guidelines, but I like their format. It leans more towards a "standards", whereas your seems to include more "best practices" (which is fine).
# Darrell said on 19 December, 2003 10:18 PM
Josh, this is not a coding standard. Ted is doing this for the Personal Software Process (PSP). This would be used *in addition to* a coding standard.

The checklist is supposed to be a list of the most common mistakes that a programmer often makes. During a code review, all these items are checked, supposedly capturing the vast majority of mistakes.
# Scott said on 20 December, 2003 12:45 AM
"Is foreach used in preference to the for(int i...) construct?"

This is an interesting one.

Referencing this article http://www.c-sharpcorner.com/Code/2003/April/IterationsInNet.asp
it would seem to be that the for(int i...) is faster than a foreach. I've always found anecdotatl evidence that a foreach is slower than a for(int i...) loop. What is your experience using the two and why do you prefer foreach?
# SrinathV said on 20 December, 2003 11:57 AM
Our last project had detail security checklist broken down by App. life-cycle and technologies....

Arch & Design security review:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/THCMCh05.asp

Security code Review: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/THCMCh21.asp

Index of Checklists (related to security):
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/CL_Index_Of.asp
# TrackBack said on 20 December, 2003 05:24 PM
# TrackBack said on 26 August, 2004 02:35 PM
# JG Vimalan said on 22 August, 2007 10:34 AM

Thanks Ted. Informative.

# Chris Tolleson said on 06 September, 2007 12:11 PM

Thanks for the checklist - covers some items I hadn't put on my PSP C# checklist.

# Roiy Zysman said on 09 January, 2008 03:28 PM

Code reviews are generally underrated. From my perspective and experience , if they are being conducted

# nemo said on 23 July, 2008 11:10 AM

This one is not too bad either: (it seems like a comprehensive security checklist)

iase.disa.mil/.../dot-net-checklist-v1r2-1.pdf

Nima

//---------------------------------------------------------

Information Security Software Tools

cryptoexperts.blogspot.com

//---------------------------------------------------------

# Vijay said on 22 October, 2008 06:24 AM

Thanks. I would like to add Refactoring also in this checklist.

# fabiola-mr said on 28 November, 2008 06:34 AM

<a href= http://fasster.angelfire.com >baltimore and convention center and headquarters</a> <a href= http://gertui.angelfire.com >nasdaq 100 tennis tournament</a>

# fabiola-bx said on 28 November, 2008 01:38 PM

<a href= http://fairra.angelfire.com >landls end</a> <a href= http://vonucshka.angelfire.com >chancellor internal med</a>

# fabiola-vj said on 28 November, 2008 06:43 PM

<a href= http://chkola.angelfire.com >avlastkey</a> <a href= http://bustersw.angelfire.com >how to start a strawberry patch in alabama</a>

# fabiola-px said on 28 November, 2008 11:47 PM

<a href= http://kustur.angelfire.com >dad vail regatta</a> <a href= http://trututa.angelfire.com >ratings apartments eagle ridge alabama</a>

# Albina-yv said on 26 December, 2008 06:25 AM

<a href= membres.lycos.fr/maffals >genetic disorters</a>

# Talent Certificartion said on 12 January, 2009 12:46 PM

"Is foreach used in preference to the for(int i...) construct?"

This is an interesting one.

Referencing this article www.c-sharpcorner.com/.../IterationsInNet.asp

it would seem to be that the for(int i...) is faster than a foreach. I've always found anecdotatl evidence that a foreach is slower than a for(int i...) loop. What is your experience using the two and why do you prefer foreach?

# No More Hacks said on 12 February, 2009 06:10 AM

I like the points, but I think as a checklist there are too many items here. I might know all these things as an expert developer, but as an aide-memoir a check list need to be short enough so that every item can be covered and, if need be, signed off with consuming hours for ever code review.

My own checklist is much shorter: nomorehacks.wordpress.com/.../code-review-checklist

# Albina-po said on 28 February, 2009 11:17 PM

<a href= adultpersonalsfinder.com >singles</a>

# Sanjay said on 09 June, 2009 09:43 AM

Hi Thanks a lot!

I am not OIK with point # 17 : Are readonly variables used in preference to properties without setters?

Don't you think this violets encapsulation?

# Andrey Sanches - MVP ASP/ASP.NET said on 28 June, 2009 08:11 PM

Que bacana !!!! Procurando por um checklist para fazer um Code Review de um projeto que estou atuando

# saurabh said on 03 February, 2010 02:24 AM

Thanks for the checklist

Leave a Comment

(required) 
(required) 
(optional)
(required)