{"id":110121,"date":"2024-08-12T07:00:00","date_gmt":"2024-08-12T14:00:00","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/oldnewthing\/?p=110121"},"modified":"2024-08-12T08:40:50","modified_gmt":"2024-08-12T15:40:50","slug":"20240812-00","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/oldnewthing\/20240812-00\/?p=110121","title":{"rendered":"Embracing the power of the empty set in API design (and applying this principle to selectors and filters)"},"content":{"rendered":"

In mathematics, the empty set is a set with no members. This sounds totally useless, but it’s actually quite powerful.<\/p>\n

Suppose you have a Widget object and a method GetChildren()<\/code> that returns the child widgets. What should you do if the Widget has no children?<\/p>\n

Sometimes, teams try to be clever and say, “Oh, if there are no children, then I will just return a null pointer instead of a list of child elements.” For example, IShell\u00adFolder::Enum\u00adObjects<\/code> has the rule that if it returns S_FALSE<\/code>, then it is allowed to return a null pointer instead of an enumerator<\/a>.<\/p>\n

As a result, this code is subtly wrong:<\/p>\n

ComPtr<IEnumIDList> e;\r\nif (SUCCEEDED(shellFolder->EnumObjects(hwnd, SHCONTF_FOLDERS, &e)<\/span>) {\r\n    for (CComHeapPtr<IDLIST_RELATIVE> child;\r\n         e->Next(1, &child, nullptr) == S_OK;\r\n         child.Free()) {\r\n        \/\/ process the child folder\r\n    }\r\n}\r\n<\/pre>\n
The above code is at risk of crashing if there are no child folders: The IShellFolder<\/code> implementation may chose to use the special case carve-out and return S_FALSE<\/code> from the Enum\u00adObjects<\/code> method, and set e = nullptr<\/code>. If that happens, then the enumeration loop crashes on a null pointer.<\/p>\n
The correct code would have to check for this corner case and skip the enumeration loop. One way is to check for S_FALSE<\/code> explicitly:<\/p>\n
ComPtr<IEnumIDList> e;\r\nHRESULT hr = shellFolder->EnumObjects(hwnd, SHCONTF_FOLDERS, &e);<\/span>\r\nif (SUCCEEDED(hr) && (hr != S_FALSE)) {                          <\/span>\r\n    for (CComHeapPtr<IDLIST_RELATIVE> child;\r\n         e->Next(1, &child, nullptr) == S_OK;\r\n         child.Free()) {\r\n        \/\/ process the child folder\r\n    }\r\n}\r\n<\/pre>\n
Another is to check the enumerator object for null.<\/p>\n
ComPtr<IEnumIDList> e;\r\nif (SUCCEEDED(shellFolder->EnumObjects(hwnd, SHCONTF_FOLDERS, &e) && e<\/span>) {\r\n    for (CComHeapPtr<IDLIST_RELATIVE> child;\r\n         e->Next(1, &child, nullptr) == S_OK;\r\n         child.Free()) {\r\n        \/\/ process the child folder\r\n    }\r\n}\r\n<\/pre>\n
Another is to check the return value for S_OK<\/code> exactly:<\/p>\n
ComPtr<IEnumIDList> e;\r\nif (shellFolder->EnumObjects(hwnd, SHCONTF_FOLDERS, &e) == S_OK<\/span>) {\r\n    for (CComHeapPtr<IDLIST_RELATIVE> child;\r\n         e->Next(1, &child, nullptr) == S_OK;\r\n         child.Free()) {\r\n        \/\/ process the child folder\r\n    }\r\n}\r\n<\/pre>\n
Regardless of how you deal with the issue, it doesn’t hide the fact that this special case is an extra bit of hassle, and more importantly, it’s the sort of hassle that is easily overlooked<\/i> when writing code.<\/p>\n
The obvious-looking code is wrong. The weird-looking code is correct. This is the opposite of what we want: We want the natural code to be the correct one.<\/p>\n
The general rule for methods that return collections is therefore that if there are no items to return, then the methods should return empty collections, rather than null references. The empty set is a perfectly valid set, and existing algorithms operate properly on an empty set. For example, you iterate over an empty collection the same way as a nonempty collection.<\/p>\n
The empty set also follows mathematical rules when applied to union and intersection. If you have collection of sets that happens to be empty, then  mathematically<\/a>, the union of the elements of the empty set is another empty set. And the intersection of the elements of the empty set is the entire universe.<\/p>\n
When applied to functions, this means that if a method takes a set of criteria with the requirement that elements must match at least one of the criteria (a “selector” pattern), then an empty set selects no elements. On the other hand, if the requirement is that elements must match all<\/i> of the criteria (a “filter” pattern), then an empty set selects all elements.\u00b9<\/p>\n
For example, suppose we have a method that finds all widgets of the specified colors:<\/p>\n
IVectorView<Widget>\r\n    FindWidgetsOfColors(IIterable<Color> colors);\r\n<\/pre>\n
What should happen if you pass an empty list of colors?<\/p>\n
Well, since you didn’t specify any colors, then are no matching widgets, so mathematically speaking, this should return an empty vector. You might also choose to declare that choosing widgets by color must provide at least one color, so calling Find\u00adWidgets\u00adOf\u00adColors<\/code> with an empty set of colors is allowed to fail with E_INVALID\u00adARG<\/code>. But if you’re going to return something, you had better return the empty set. Do not design the function so that passing an empty list of colors returns all the widgets.<\/p>\n
Conversely, suppose you have a method that finds widgets subject to filter criteria:<\/p>\n
enum WidgetFilter\r\n{\r\n    Active,\r\n    Connected,\r\n};\r\n\r\nIVectorView<Widget>\r\n    FindWidgetsWithFilter(IIterable<WidgetFilter> filters);\r\n<\/pre>\n
What should happen if you pass an empty list of filters?<\/p>\n
Mathematically, an empty list of filters is an unfiltered query, and you should return all the widgets. Again, you might decide that a filtered query must provide at least one filter, but if you choose to allow an empty list of filters, it had better return all the widgets.<\/p>\n
These powers of the empty set mean that many operations have their natural meanings. For example, if you have a filter set and decide that you want to allow inactive widgets, you can remove Widget\u00adFilter.Active<\/code> from your filters. If Find\u00adWidgets\u00adWith\u00adFilter<\/code> treated an empty filter list as meaning “Return no widgets at all”, then you’d need a special case for the possibility that the Active<\/code> filter was the last filter.<\/p>\n
Bonus chatter<\/b>: Most programming languages understand the power of the empty set. For example, C++ std::all_of<\/code> and JavaScript Array.prototype.every<\/code> return true<\/code> when given an empty collection, whereas C++ std::any_of<\/code> and JavaScript Array.prototype.some<\/code> return false<\/code> when given an empty collection.<\/p>\n
\u00b9 This naming distinction between “selector” patterns (where each selector adds to the list of results) and “filter” patterns (where each filter shrinks the list of results) is my own and is not officially part of the Windows API design patterns.<\/p>\n
My proposal that was accepted is that filters should be named after what they allow to pass through, not by what they remove. For example, passing the Widget\u00adFilter.Active<\/code> filter means that you want the active widgets. It doesn’t mean that you want to filter out the active widgets (and return only the inactive ones). If you want a filter to remove active widgets, then the filter should be named something like Widget\u00adFilter.Inactive<\/code>. For adjectives that don’t have an obvious antonym, you can use the prefix Not<\/code>, as in Widget\u00adFilter.Not\u00adBlinking<\/code>.<\/p>\n
Bonus chatter<\/b>: We saw another application of this principle some time ago when we looked at  what a timeout of zero should mean<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"
You got plenty of nothing.<\/p>\n","protected":false},"author":1069,"featured_media":111744,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[25],"class_list":["post-110121","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-oldnewthing","tag-code"],"acf":[],"blog_post_summary":"
You got plenty of nothing.<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/110121","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/users\/1069"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/comments?post=110121"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/110121\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media\/111744"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media?parent=110121"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/categories?post=110121"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/tags?post=110121"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}