Bugless in Boston

Serena Software, current owners of the TeamTrack system we use for defect and enhancement request management, has priced itself out of a customer. Serena bought out the original developers, TeamShare, a couple of years ago, figuring that the workflow management system they had could bring a higher price if targeted at larger enterprises. Evidently they’ve been successful, since they’ve raised our maintenance to the point that our bill for this year would have totaled nearly 50% of the original, reasonable purchase price. I’m as sympathetic a customer as Serena will ever find, but we’re just not getting that much value out of the software.
So I find myself looking for greener bug-tracking pastures. We don’t need fancy workflow or even a lot of custom data tracking, and “cheap” and “easy to use” are pretty high on the list. Other things it should do. So far I’ve identified FogBugz and BugZero as candidates…anybody got any other suggestions? Though Bugzilla certainly meets the “cheap” criterion (at least in terms of purchase price), in my experience it doesn’t score so well on the ease of use scale.

WinINet fun facts

WinINet is the name of the Windows API for making URL-based network connections.
Maximum number of simultaneous HTTP 1.0 connections that Wininet allows to a single server: 4
Maximum number of HTTP 1.1 connections: 2
Times this limitation is mentioned in the Wininet documentation: 0
ID of the Microsoft Knowledge Base Article describing this limitation: 183110
Hours we’ve spent over the last few months debugging intermittent performance problems caused by this limitation: I don’t want to think about it.
Time it took to find the KB article after Googling for just “wininet”: about 15 seconds
If I weren’t so happy to have solved the problem, I’d be really upset right now.

Recommended download: IE Dev Toolbar

If you’re developing for IE as a browser client, I highly recommend the beta IE Dev Toolbar. It’s like the Firefox DOM explorer, but more featureful. The element outlining and window resizing are especially handy when you’re trying to get your element positioning just right.
Now, if they’d just give me a standalone Javascript debugger, I’d be all set.

Smarten up your StringBuffer usage

Folks, I’m ticked. I’ve recently lost several hours to correcting some third-party Java code that did a terrible job of managing object allocation, and therefore used a lot of memory in a very short period of time. Apparently there are some programmers out there who aren’t aware that memory allocation remains a concern even in a garbage-collecting runtime like the JVM. While Java may not require you to think about every byte allocated and deallocated, sparing a couple of moments to think about memory can yield tremendous performance benefits.

Continue reading
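The rest of the post is not on this page, so here is an added illustration of the point (example code, not the third-party code the post complains about): the same report built by naive `+=` concatenation, by one pre-sized StringBuffer, and by a reused buffer. The row data is constructed inline.

```java
import java.util.ArrayList;
import java.util.List;

/**
 * Added example: three ways to build one large string from many pieces.
 * The sample rows are constructed below; the timings are only illustrative.
 */
public class StringBufferDemo {

    // Wasteful: every "+=" allocates a new String (plus a hidden StringBuffer
    // in the bytecode) holding everything so far, so n rows copy O(n^2) chars,
    // and all but the last result is immediate garbage.
    static String wasteful(List rows) {
        String out = "";
        for (int i = 0; i < rows.size(); i++) {
            out += rows.get(i) + "\n";
        }
        return out;
    }

    // Smarter: one buffer, sized from an estimate so it rarely has to grow
    // (each growth copies the whole backing array), one String at the end.
    static String smart(List rows) {
        int estimate = 0;
        for (int i = 0; i < rows.size(); i++) {
            estimate += ((String) rows.get(i)).length() + 1;
        }
        StringBuffer buf = new StringBuffer(estimate);
        for (int i = 0; i < rows.size(); i++) {
            buf.append((String) rows.get(i)).append('\n');
        }
        return buf.toString();
    }

    // When the same code runs over and over, reuse one buffer instead of
    // allocating a fresh one per call. setLength(0) keeps the backing array
    // at its high-water mark. The trade-off: the array is never freed, and
    // the method must be synchronized because the buffer is shared.
    private static final StringBuffer shared = new StringBuffer(64 * 1024);

    static synchronized String smartReused(List rows) {
        shared.setLength(0);
        for (int i = 0; i < rows.size(); i++) {
            shared.append((String) rows.get(i)).append('\n');
        }
        return shared.toString();
    }

    public static void main(String[] args) {
        // Constructed sample input: 5,000 report lines.
        List rows = new ArrayList();
        for (int i = 0; i < 5000; i++) {
            rows.add("row " + i + ",status=OK,bytes=" + (i * 37 % 1000));
        }
        long t0 = System.currentTimeMillis();
        String a = wasteful(rows);
        long t1 = System.currentTimeMillis();
        String b = smart(rows);
        long t2 = System.currentTimeMillis();
        String c = smartReused(rows);
        long t3 = System.currentTimeMillis();
        System.out.println("wasteful:    " + (t1 - t0) + " ms");
        System.out.println("smart:       " + (t2 - t1) + " ms");
        System.out.println("smartReused: " + (t3 - t2) + " ms");
        System.out.println("same output: " + (a.equals(b) && b.equals(c)));
    }
}
```

Run it with `-verbose:gc` to see the difference in allocation as well as in wall-clock time: the first variant triggers collections throughout, the other two barely register.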

Kill your telephone

Tonight I tried Skype for the first time, and I’m impressed. It has excellent voice quality, using full-spectrum sound as opposed to the ~2.5KHz band of a normal telephone. We had a few drops but not any worse than my cell phone. If you can get used to talking to your computer instead of a phone handset, this can replace the phone for a lot of situations. Oh, and it’s free. As far as I can tell, though, Skype does not encrypt the voice channels so I wouldn’t use it for sensitive communications.

Java declarative security and server-side forwards

Another lesson learned the hard way today: the J2EE declarative security model doesn’t apply when the application forwards the user request to another URL using a RequestDispatcher or an include. This means that your web application can (intentionally or not) bypass an HTTP authorization security constraint by forwarding the user request from a non-protected URL. The servlet spec does not dwell on the point, but section SRV.12.2 does say as much.
At best, this is inflexible. Having a property on the RequestDispatcher that specifies whether or not to perform auth checks would at least allow the programmer to state his intentions. At worst, it’s a security problem. If your application has an unprotected URL whose handler forwards to a protected one (not a particularly smart thing to do, but it happens, and it is worst when the forward target is taken from request data), a malicious user can reach protected parts of your application without ever being challenged for credentials. So far I haven’t been able to use this technique between two webapps on the same server. When I try to forward a request to a protected URL in another webapp, I get a 404 error – not quite what I expected, but better than no protection whatsoever.
HTTP auth is not commonly used as an authentication strategy application-wide but sometimes we use it to protect administrative features, such as application management consoles. Having this misfeature in place and not well-explained in the documentation sets programmers up for security problems. Sun, you can do better than that.
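The bypass and one way to close it, as an added example (not code from the post or from any particular application). The web.xml fragment, servlet names, page names and the `admin` role are all assumptions made for the example.

```java
import java.io.IOException;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Assumed deployment descriptor (web.xml), constructed for this example.
 * The container enforces this constraint only on the URL the client asked for:
 *
 *   <security-constraint>
 *     <web-resource-collection>
 *       <web-resource-name>Admin console</web-resource-name>
 *       <url-pattern>/admin/*</url-pattern>
 *     </web-resource-collection>
 *     <auth-constraint><role-name>admin</role-name></auth-constraint>
 *   </security-constraint>
 *   <login-config><auth-method>BASIC</auth-method></login-config>
 *
 *   <servlet-mapping>
 *     <servlet-name>view</servlet-name>
 *     <url-pattern>/view</url-pattern>       not under /admin, so unprotected
 *   </servlet-mapping>
 */

/** Vulnerable: an unprotected entry point that forwards to a caller-chosen path. */
public class ViewServlet extends HttpServlet {
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The constraint was evaluated against /view, which has none.
        // GET /view?page=admin/console.jsp reaches the console with no
        // credentials at all, because SRV.12.2 exempts dispatcher forwards.
        String page = req.getParameter("page");
        RequestDispatcher rd = req.getRequestDispatcher("/" + page);
        rd.forward(req, resp);
    }
}

/** Hardened: forward only to a fixed menu, and re-check the role in code. */
class SafeViewServlet extends HttpServlet {
    private static final java.util.Map PAGES = new java.util.HashMap();
    static {
        PAGES.put("home",   "/home.jsp");
        PAGES.put("status", "/status.jsp");
        PAGES.put("admin",  "/admin/console.jsp");   // protected, see below
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String target = (String) PAGES.get(req.getParameter("page"));
        if (target == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // The container will not apply the /admin/* constraint to this forward,
        // so enforce the same rule here. A caller who arrived via an unprotected
        // URL may not have authenticated at all; isUserInRole is then false.
        if (target.startsWith("/admin/") && !req.isUserInRole("admin")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        req.getRequestDispatcher(target).forward(req, resp);
    }
}
```

An alternative to the programmatic role check is to stop forwarding into protected space altogether: `resp.sendRedirect(req.getContextPath() + target)` makes the browser request `/admin/console.jsp` itself, and the container then applies the constraint as intended. Either way, the fixed menu matters as much as the check: a forward target assembled from request data gives an attacker the choice of where the forward lands.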

Java gripes: compiler optimization

Recently I tripped over another stupid mistake – just among us, I’m still waiting for the day when I stop making stupid mistakes and start making the smart ones – in a Java project. This time I spent about 20 minutes in the debugger, watching a particular method call. One of the arguments in the call was a direct reference to a static final String defined in a class from another package. I had just changed the value and recompiled the class in which it was defined. However, the old value was still being passed in this method call. I stepped through it in the debugger; inspecting the value before the method call showed that the new value was indeed assigned to the variable. However, as soon as I stepped into the method, the old value popped up.
After a while I had a colleague look at the decompiled source, and then it hit us: the -O flag in the java compiler will inline references to static final variables. I not only needed to recompile the class where the variable was defined, I needed to recompile any class that referred to it. You C/C++ types out there are probably screaming about makedepend right now, and you’re right…sorta. Java does not have a popular makedepend-like tool. Thinking briefly about why this is so, I attribute it to the greater complexities of dependencies in Java than #include in C and the relative cheapness of compiling Java classes to bytecode. Couple those with considerations like JVM startup overhead at compile time, and you wind up with the conclusion that it’s cheaper to recompile all the classes all the time than to try to maintain a dependency tree.
Yet another twist on Hoare’s Dictum: “Premature optimization is the root of all evil.” During development, it’s probably best to leave optimization off.
Anyway, that’s not the gripe, just the moral. It’s a good thing we remembered the optimization flag, because I went looking for docs and found…nothing. The javac optimization flag is not in the Sun tool documentation, or any other place I could think to look. That’s the gripe. What else don’t I know about javac?
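An added example (not from the post) of which declarations get copied into referencing classes and of a runtime check that catches the stale copy. One caveat for the moral above: the Java Language Specification (13.1, 15.28) requires javac to resolve references to compile-time constants, which is what a `static final String` with a literal initializer is, into the referencing class whether or not `-O` is given, so the durable fix is to change how the value is declared rather than to change compiler flags. The class and field names are assumptions for the example; put `Config` in Config.java and `Client` in Client.java to reproduce the effect.

```java
/** Defining class. After compiling both files, change VERSION, recompile ONLY this file, run Client. */
class Config {
    // Compile-time constant (JLS 15.28): the literal is copied into every
    // class that references it, with or without -O.
    public static final String VERSION = "1.0";

    // Not a constant expression, because a method call is involved. Referencing
    // classes emit a getstatic and read the live value from Config at run time.
    public static final String VERSION_LIVE = "1.0".intern();

    // Same effect, stated more plainly: expose the value through a method.
    public static String version() { return VERSION; }
}

/** Referencing class, compiled separately. */
public class Client {
    static String inlined()   { return Config.VERSION; }      // literal baked in here
    static String live()      { return Config.VERSION_LIVE; } // read from Config.class
    static String viaMethod() { return Config.version(); }    // read from Config.class

    /** Detect a stale inlined constant by comparing our copy with the defining class's field. */
    static boolean constantIsStale() throws Exception {
        // Reflection returns the value the JVM assigned from Config.class's own
        // constant pool, so it tracks recompilation of Config alone, while
        // inlined() returns whatever was current when Client was compiled.
        String actual = (String) Config.class.getField("VERSION").get(null);
        return !actual.equals(inlined());
    }

    public static void main(String[] args) throws Exception {
        System.out.println("inlined   : " + inlined());
        System.out.println("live      : " + live());
        System.out.println("via method: " + viaMethod());
        if (constantIsStale()) {
            System.err.println("WARNING: Client.class holds a stale copy of Config.VERSION; recompile Client");
        }
    }
}
```

To see the difference in the bytecode, `javap -c Client` shows an `ldc` of the literal for `inlined()` and a `getstatic Config.VERSION_LIVE` for `live()`. The same applies to static final primitives initialized with constant expressions, which is why a changed timeout or buffer size in a shared constants class is the classic way to hit this.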

TypeKey registration should work now

I think I have the comment registration working now. You’ll need to register at www.typekey.com but once you do, this website will recognize you and allow you to post without having to go through moderation (if I so choose…)
The templates might be a bit cockeyed but everything should be readable, so that’s enough for now.

Unmined treasures in search meta-data?

It occurred to me the other day that Google (as well as Overture and anybody else with a search engine) is probably sitting on an Olympus Mons-sized pile of search metadata. Google’s zeitgeist exposes some choice pop-culture tidbits, but there’s much more to be had. Imagine if you could track the popularity of an arbitrary keyword or show the top n phrases containing a given keyword. I’m sure there are marketeers who would pay to know such things, and perhaps Google offers that service without promoting it. If they do, I’m surprised I haven’t heard about it from somebody.