
Code Review Checklist for C#

Microsoft Version 1.0



Program Name Code Review Checklist C#


Reference to URD IDD
Author
Reviewer
Date of review (mm-dd-yyyy)

Checklist for Code Naming Conventions:

| Sl # | Check point | Expected Result | Remarks | Yes / No / NA | Severity |
|---|---|---|---|---|---|
| 1 | Do the class and the namespace have the same name? | No | | | Low |
| 2 | Are the conventions used for capitalizing identifiers (constant variables) maintained throughout the application? Underscore can be used to separate meaningful names. | Yes | | | Low |
| 3 | Does the naming convention follow the rules listed in Appendix 1? | Yes | | | Medium |
| 4 | Avoid using underscores in method names to separate words, other than in .NET Framework methods and system-generated event handling methods. | Yes | | | Low |
| 5 | Are upper case letters used for acronyms that are two characters long or less, and Pascal casing for acronyms containing three or more characters? For example: System.IO, System.Web.UI, System.CodeDom | Yes | | | Medium |
| 6 | Are the names of heavily used namespaces used as class names? For example, do not use any of the following for a class name: System, Collections, Forms, UI | No | | | High |
| 7 | Are identifiers used that conflict with the keywords listed in Appendix 2? | No | | | High |
| 8 | Are assembly files appropriately named, describing their purpose? | Yes | | | Low |
| 9 | Do all C# files have the default extension .cs? | Yes | | | Low |
| 10 | Are separate logical components separated with a dot? Is the first letter after the dot capitalized? | Yes | | | Low |
| 11 | Are all class names unique? | Yes | | | Low |
| 12 | Are derived class names suffixed with the most meaningful base class names? For example, the IOException class is not named IOSystemException even though it derives from SystemException (which derives from Exception). | Yes | | | Low |
| 13 | Do namespaces contain the company name followed by the technology name to maintain uniqueness? | Yes | | | Low |
| 14 | Each file should accommodate only one class, and the file name should be exactly the same as the class name. | Yes | | | Low |
| 15 | Are nouns, noun phrases or adjectives used to name interfaces? | Yes | | | Low |
| 16 | Are identical names used while defining a class / interface pair? Example: public interface IRemote { } public class Remote : IRemote { } | Yes | | | Medium |
| 17 | Are nouns or noun phrases used to name a class? | Yes | | | Low |
| 18 | Are custom attribute classes suffixed with the word ‘Attribute’? | Yes | | | Low |
| 19 | Are all properties created with the same name as the underlying type? | Yes | | | Low |
| 20 | Are noun-verb methods used for naming routines that perform actions on a given object? | Yes | | | Low |
| 21 | Are verbs used to name events? Are event argument classes suffixed with EventArgs? | Yes | | | Low |
| 22 | Do event handlers (delegate types) have the EventHandler suffix? | Yes | | | Medium |
| 23 | Is ‘underscore’ used in method names to separate words, other than in .NET Framework methods? | No | | | Medium |
| 24 | Are prefixes or suffixes used on the event declaration on the type? Use Close instead of OnClose. | No | | | Low |
| 25 | Check the maximum length of identifier names. Is the length greater than 32 characters? | No | | | Low |
| 26 | Are meaningful names used for identifiers that may appear in only a few lines of code? Please cross-check with the standard types of identifiers as mentioned in the coding guidelines. | Yes | | | Low |
| 27 | Do Boolean variable names start with ‘is’? | Yes | | | Low |

Checklists for Code Usage

| Sl # | Check point | Expected Result | Remarks | Yes / No / NA | Severity |
|---|---|---|---|---|---|
| 28 | Are all the namespaces arranged based on the following guidelines: a. Based on the number of child namespaces (the number of dots). b. Sorted in an ascending alphabetical manner. For e.g.: using System; using System.Collections; using System.Data; using System.Drawing; using System.Data.SqlClient; using System.Windows.Forms; | Yes | | | Low |
| 29 | Are properties with get and set property accessors used instead of public instance variables? | Yes | | | Low |
| 30 | Do event handlers use two parameters, sender and e, where the sender parameter represents the object that raised the event and e represents the state associated with the event? | Yes | | | Medium |
| 31 | Can every part of the code be executed by a non-administrator of that machine? | Yes | | | High |
| 32 | Is a C# class used as just a data structure with no behavior? Usage of a structure is more appropriate as it is a value type. | No | | | Medium |
| 33 | Does a class containing only static methods and properties have a default private constructor? | Yes | | | High |
| 34 | Is the Equals method overridden whenever operator== is implemented, and are both made to do the same thing? | Yes | | | High |
| 35 | Are exceptions thrown from Equals(), GetHashCode(), or operator== methods? | No | | | High |
| 36 | Is the Equals method overridden anytime a type implements IComparable? | | | | |
| 37 | Usage of class name to access static class members instead of an object. | Yes | | | Medium |
| 38 | Usage of numerical constants directly, except for –1, 1 and 0. | No | | | Low |
| 39 | Assignment of several variables to the same value in a single statement. | No | | | Low |
| 40 | Are unary operators used instead of binary operators wherever applicable? | Yes | | | High |
| 41 | Embedded assignments such as D = (a = b + c) + r; | No | | | Low |
| 42 | Are static methods and parameterized constructors exposed in libraries that are intended to expose functionality to COM? | No | | | High |
| 43 | Method parameters of the same type could be packaged inside an array. | Yes | | | Medium |
| 44 | If the same piece of code is present in more than one place, use a helper function to avoid code redundancy. | Yes | | | Low |
| 45 | Are all input variables for a method validated and checked for not null before use? | Yes | | | High |
| 46 | Does the arithmetic expression have an embedded assignment? | No | | | Medium |
| 47 | Is there any redundant code (cut & paste) rather than making it a callable module? | No | | | High |
| 48 | Are there any dead/unreachable code sections? | No | | | High |
| 49 | Are all member variables that are declared or initialized being used by the class? | Yes | | | Medium |
| 50 | Does the code resemble the design doc, or has the programmer implemented a different logic to carry out the same activity? [This is to ensure the implementation logic. If the reviewer sees a great difference in logic, that will definitely be brought out; in such a case either the design or the code may have to undergo a change.] | Yes | | | Medium |
| 51 | Are expressions broken into multiple lines to enhance readability? | Yes | | | Low |
| 52 | Is hard coding used in any portion of the source code? (As mentioned in the section Guidelines: “Do not hard code anything - use constants”.) [Except for error codes and stored procedure parameter lengths.] | No | | | High |
| 53 | Is StringBuilder used for long concatenations instead of the += operator? | Yes | | | High |
| 54 | Are implicit casts made that could result in a loss of precision? For example: Double to Int32 | No | | | High |
| 55 | Is there unnecessary boxing of value types to reference types? | No | | | High |
| 56 | Does the application use P/Invoke when there is a requirement to call into unmanaged code from managed code? | Yes | | | High |
| 57 | Is marshalling used sparingly? For example, watch out for unnecessary overheads of conversion from ASCII to Unicode and vice versa. In this case, if the managed code agrees on the format, we can cut down marshalling. [This essentially boils down to the managed code agreeing on the format with the unmanaged code. In the event of unmanaged code serializing the data as ASCII as opposed to Unicode, there will be an additional overhead of conversion from ASCII to Unicode when there is a requirement for marshalling as well. The cost of the conversion overhead may be trivial if it is just an intra-app-domain call (within the same app domain), but here we are looking at getting data from unmanaged code, which will require marshalling data.] | Yes | | | High |
| 58 | Do operations perform explicit marshalling of non-blittable types when receiving data from unmanaged code? | Yes | | | Medium |
| 59 | Do C# classes do a single initialization of fields in a struct as opposed to multiple calls to initialize the fields in a struct? [Having multiple calls to initialize each of the fields in a struct may incur performance overhead (network roundtrips) if those fields incur inter-app-domain calls (calls across app domains automatically require marshalling) or use P/Invoke or remoting, for example. This is viewed in the perspective of a single initialization mechanism that initializes all the members in the struct in one shot.] | Yes | | | High |
| 60 | In a return statement, a variable is declared and returned only if the return statement has a large expression. | Yes | | | Medium |

Checklist for Comments

| Sl # | Check point | Expected Result | Remarks | Yes / No / NA | Severity |
|---|---|---|---|---|---|
| 61 | Check for commenting standards in source files. | Yes | | | Low |
| 62 | Check if the XML documentation feature is used for commenting source code. | Yes | | | Low |
| 63 | Check for the usage of the <summary> tag in the source files. | Yes | | | Medium |
| 64 | Have all code segments been appropriately indented? | Yes | | | Low |
| 65 | XML commenting tags supported by the C# compiler for creating code reports would be used for commenting class and method headers. a. The minimum tag used for commenting a class header is <summary>. b. The minimum tags used for commenting a method header are <summary>, <remarks>, <param> and <returns>. | Yes | | | Low |
| 66 | Is the line length longer than 80 characters? | No | | | Low |
| 67 | Are expressions broken into multiple lines to enhance readability? | Yes | | | Low |
| 68 | Is a space left before and after every operator? | Yes | | | Low |
| 69 | Is the indentation set to 4 characters across the source file? Comments should be placed after ‘//’ and a space. | Yes | | | Low |
| 70 | Are comments ended with full stops? | No | | | Low |
| 71 | Are there comments that are not relevant to the code? | No | | | Low |
| 72 | Do all comments start with an upper case | Yes | | | Low |

Checklist for Memory Management

| Sl # | Check point | Expected Result | Remarks | Yes / No / NA | Severity |
|---|---|---|---|---|---|
| 73 | Do classes using unmanaged resources implement the IDisposable interface and use finalization? | Yes | | | High |
| 74 | Does a class that does not own any unmanaged resources include a Finalize method in its definition? | No | | | High |
| 75 | Check for custom classes where objects of other classes that do not have Finalize() overridden are used by a class that has Finalize() overridden [objects that do not have Finalize() overridden will be pushed to older generations as well]. | No | | | Medium |
| 76 | Does a class that gives implementations for both Dispose and Finalize have a call to GC.SuppressFinalize in its Dispose implementation? | Yes | | | High |
| 77 | Does the object's Finalize method execute code that places a pointer to the object in a global or static variable? | No | | | High |
| 78 | Does the code executed in a Finalize method make any assumption about the thread that is executing the code? For example, accessing thread local storage in the Finalize method. | No | | | High |
| 79 | Is the Close method of a class implemented such that the object can be reopened or reused after it has been closed, and does the Dispose method implementation completely destroy the object? | Yes | | | High |
| 80 | Is the Finalize method of the base class called before calling the class’ finalize implementation? | No | | | High |
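
A class that would pass items 73, 76 and 94, as an added example that is not part of the original checklist. NativeBuffer and its members are hypothetical names; the unmanaged resource is a block from Marshal.AllocHGlobal.

```csharp
using System;
using System.Runtime.InteropServices;

// NativeBuffer is a hypothetical class that owns one unmanaged allocation.
public sealed class NativeBuffer : IDisposable
{
    private readonly int size;
    private IntPtr handle;
    private bool isDisposed;

    public NativeBuffer(int size)
    {
        if (size <= 0) throw new ArgumentOutOfRangeException("size");
        this.size = size;
        handle = Marshal.AllocHGlobal(size);
    }

    public void WriteByte(int offset, byte value)
    {
        // Use after Dispose must fail loudly instead of touching freed memory.
        if (isDisposed) throw new ObjectDisposedException("NativeBuffer");
        if (offset < 0 || offset >= size) throw new ArgumentOutOfRangeException("offset");
        Marshal.WriteByte(handle, offset, value);
    }

    // Item 76: Dispose releases the resource, then tells the GC the finalizer is not needed.
    public void Dispose()
    {
        Dispose(true);
        GC.SuppressFinalize(this);
    }

    // Item 73: the finalizer is the safety net for callers that never call Dispose.
    ~NativeBuffer()
    {
        Dispose(false);
    }

    private void Dispose(bool disposing)
    {
        if (isDisposed) return; // a second Dispose call is a no-op
        if (disposing)
        {
            // Managed members (connections, readers) would be closed here and only here.
            // On the finalizer path they may already have been finalized (item 94).
        }
        if (handle != IntPtr.Zero)
        {
            Marshal.FreeHGlobal(handle);
            handle = IntPtr.Zero;
        }
        isDisposed = true;
    }
}

public static class Program
{
    public static void Main()
    {
        NativeBuffer buffer = new NativeBuffer(16);
        using (buffer)
        {
            buffer.WriteByte(0, 0x41);
        }
        buffer.Dispose(); // safe: already disposed
        try { buffer.WriteByte(0, 0x42); }
        catch (ObjectDisposedException) { Console.WriteLine("Use after Dispose was rejected."); }
    }
}
```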

Checklist for ADO .NET

| Sl # | Check point | Expected Result | Remarks | Yes / No / NA | Severity |
|---|---|---|---|---|---|
| 81 | Are all SQL keywords in uppercase and are database names in mixed case? | Yes | | | Low |
| 82 | Is Windows Authentication used for connecting to the database? | Yes | | | High |
| 83 | Are inputs to SQL stored procedures used for executing SQL queries, with their input parameters, validated by using regular expressions? [For example: sqlstring = "SELECT hasshipped" + " FROM shipping WHERE id='" + Id + "'"; If id is passed as "'1001' DROP table shipping --", this SQL statement would read: SELECT hasshipped FROM shipping WHERE id = '1001' DROP table shipping -- '; In this case, the table shipping would be dropped. Hence, inputs are to be validated with regular expressions.] | Yes | | | High |
| 84 | A connection to a database opened using ADO.NET is closed using Close if the connection is intended to be opened again with the same connection object, or disposed using the Dispose method if it is no longer required. | Yes | | | High |
| 85 | Is the DataAdapter with a DataSet used under the following circumstances: 1. To navigate between multiple discrete tables of results. 2. To manipulate data from multiple sources (for example, a mixture of data from more than one database, from an XML file, and from a spreadsheet). 3. Exchange data between tiers or using an XML Web service. (This is because, unlike the DataReader, the DataSet can be passed to a remote client.) 4. Reuse the same set of rows to achieve a performance gain by caching them (such as for sorting, searching, or filtering the data). 5. Perform a large amount of processing per row. (This is because extended processing on each row returned using a DataReader ties up the connection serving the DataReader longer than necessary, impacting performance.) 6. Manipulate data using XML operations such as Extensible Stylesheet Language Transformations (XSLT transformations) or XPath queries. Note: The DataAdapter uses the DataReader when filling a DataSet. Therefore, the performance gained by using the DataAdapter instead of the DataSet is that you save on the memory that the DataSet would consume and the cycles it takes to populate the DataSet. This performance gain is, for the most part, nominal. | Yes | | | High |
| 86 | Is the DataReader used under the following circumstances: 1. Need to quickly access data once, in a forward-only and read-only manner. 2. Do not need to cache the data. 3. Processing a set of results too large to fit into memory. | Yes | | | High |
| 87 | Is the use of the CommandBuilder limited to design time or ad-hoc scenarios? Reference: http://msdn.microsoft.com/library/en-us/dnadonet/html/adonetbest.asp | Yes | | | High |
| 88 | Data sets should not be declared as static for maintaining data across requests. Instead they could be serialized and de-serialized. | Yes | | | Medium |
| 89 | If the Connection is only used to return the DataReader, close it immediately after closing the DataReader. | Yes | | | High |
| 90 | Is the DataReader used where the data access is remoted across tiers? | No | | | High |
| 91 | Is the CommandType property of the SqlCommand set while calling stored procedures? | Yes | | | High |
| 92 | When accessing column data from a DataReader, are the specific typed accessors like GetString, GetInt32, etc. used instead of GetValue() if the types of the columns are known at design time? | Yes | | | High |
| 93 | While performing a single Fill or Update method call, allow the Fill or Update method to open and close the connection implicitly. | Yes | | | Medium |
| 94 | Is a call to the Close or Dispose methods made on a Connection, a DataReader, or any other managed object in the Finalize method of your class? | No | | | High |
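
The concatenation from item 83 next to a validated, parameterized form of the same query, as an added example that is not part of the original checklist. The class and method names, the 1-to-10-digit id format and the VarChar(10) parameter type are assumptions; the commands are only built, so no database connection is opened.

```csharp
using System;
using System.Data;
using System.Data.SqlClient; // assumption: .NET Framework, or the System.Data.SqlClient package
using System.Text.RegularExpressions;

public static class ShippingQueries
{
    // Allow-list for the id value: 1 to 10 digits only (the exact format is an assumption).
    private static readonly Regex IdPattern =
        new Regex(@"\A[0-9]{1,10}\z", RegexOptions.CultureInvariant);

    // The pattern quoted in item 83: the caller's value becomes part of the SQL text.
    public static string BuildConcatenated(string id)
    {
        return "SELECT hasshipped" + " FROM shipping WHERE id='" + id + "'";
    }

    // Validated and parameterized: the value travels as data, never as SQL text.
    public static SqlCommand BuildParameterized(string id)
    {
        if (id == null) throw new ArgumentNullException("id");
        if (!IdPattern.IsMatch(id))
            throw new ArgumentException("id must be 1 to 10 digits.", "id");

        SqlCommand command = new SqlCommand("SELECT hasshipped FROM shipping WHERE id = @id");
        command.CommandType = CommandType.Text;
        command.Parameters.Add("@id", SqlDbType.VarChar, 10).Value = id;
        return command;
    }

    public static void Main()
    {
        // Constructed inputs: one ordinary id and the hostile value quoted in item 83.
        string[] samples = { "1001", "'1001' DROP table shipping --" };
        foreach (string sample in samples)
        {
            Console.WriteLine("input        : " + sample);
            Console.WriteLine("concatenated : " + BuildConcatenated(sample));
            try
            {
                using (SqlCommand command = BuildParameterized(sample))
                {
                    Console.WriteLine("parameterized: " + command.CommandText
                        + "   [@id = " + command.Parameters["@id"].Value + "]");
                }
            }
            catch (ArgumentException ex)
            {
                Console.WriteLine("rejected     : " + ex.Message);
            }
        }
    }
}
```

The regular expression rejects the hostile value before any command is built, and the parameter keeps even an accepted value out of the statement text.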

Checklist for Exception Handling

| Sl # | Check point | Expected Result | Remarks | Yes / No / NA | Severity |
|---|---|---|---|---|---|
| 95 | Does the function return null for extremely common error cases? For example, File.Open returns null if the file is not found, but throws an exception if the file is locked. | Yes | | | High |
| 96 | Is an InvalidOperationException thrown if a property set or method call is not appropriate given the object's current state? | Yes | | | High |
| 97 | Is an ArgumentException or a class derived from ArgumentException thrown if bad parameters are passed? | Yes | | | High |
| 98 | Are exceptions thrown instead of returning an error code or HRESULT? | Yes | | | High |
| 99 | Are the intermediate results cleaned up before throwing an exception? | Yes | | | High |
| 100 | Are new exception types used in place of predefined exception types? | No | | | High |
| 101 | Are custom exceptions used in the application? If yes, does the name of the custom exception class end with Exception? | Yes | | | High |
| 102 | Are grammatically correct error messages, including ending punctuation, used? Does each sentence in a description string of an exception end with a period? | Yes | | | High |
| 103 | Do custom exceptions implement the following three standard constructors? - class() - class(string message) - class(string message, Exception inner) | Yes | | | High |
| 104 | Is the custom exception marked as [Serializable]? | Yes | | | High |
| 105 | Does the custom exception implement the following deserialization constructor? - class(SerializationInfo info, StreamingContext context) | Yes | | | High |
| 106 | Are the exceptions caught in the catch blocks in order from specific to generic? | Yes | | | Medium |
| 107 | If the code needs to recover from some exception, has it been made sure that only very specific exceptions are caught? | Yes | | | Medium |
| 108 | Are classes designed in a manner that, in the normal course of use, exceptions are never thrown? | Yes | | | High |
| 109 | Are exceptions thrown for implicit casts? | No | | | High |
| 110 | Is the most specific exception possible thrown? | Yes | | | High |
| 111 | Are ‘Try/Finally’ blocks used around code that can potentially generate any exception? | Yes | | | High |

Checklist for Threading

| Sl # | Check point | Expected Result | Remarks | Yes / No / NA | Severity |
|---|---|---|---|---|---|
| 112 | Is the lock statement used a lot, and can the use of the statement be avoided? | No | | | High |
| 113 | If more than one thread is accessing a common resource like an array or a handle, is the code that is accessing that resource within the scope of a lock statement? | No | | | High |
| 114 | Is the thread method static with a static thread state? [In common server scenarios, static state is shared across requests, which means multiple threads can execute that code at the same time. This opens up the possibility for threading bugs. Consider using a design pattern that encapsulates data into instances that are not shared across requests.] | No | | | High |
| 115 | Are there any deadlock situations where two threads each other's resources? | No | | | High |
| 116 | Are there Sleep() statements in the code used to synchronize threads? | Yes | | | Medium |
| 117 | Is every Abort() statement on a thread followed by a Join() so that you are actually sure that the thread that you have aborted has died before you continue processing? | Yes | | | High |

Appendix 1
| Type | Case |
|---|---|
| Class | PascalCase |
| Enumeration value | PascalCase |
| Enumeration type | PascalCase |
| Event | PascalCase |
| Exception class | PascalCase |
| Read-only static field | PascalCase |
| Interface | PascalCase |
| Method | PascalCase |
| Namespace | PascalCase |
| Property | PascalCase |
| Public instance field | PascalCase |
| Protected instance field | camelCase |
| Parameter | camelCase |

Appendix 2:
AddHandler AddressOf Alias And Ansi
As Assembly Auto Base Boolean
ByRef Byte ByVal Call Case
Catch CBool CByte CChar CDate
CDec CDbl Char CInt Class
CLng CObj Const CShort CSng
CStr CType Date Decimal Declare
Default Delegate Dim Do Double
Each Else ElseIf End Enum
Erase Error Event Exit ExternalSource
False Finalize Finally Float
For Friend Function Get GetType
Goto Handles If Implements Imports
In Inherits Integer Interface Is
Let Lib Like Long Loop
Me Mod Module MustInherit MustOverride
MyBase MyClass Namespace New Next
Not Nothing NotInheritable NotOverridable Object
On Option Optional Or Overloads
Overridable Overrides ParamArray Preserve Private
Property Protected Public RaiseEvent ReadOnly
ReDim Region REM RemoveHandler Resume
Return Select Set Shadows Shared
Short Single Static Step Stop
String Structure Sub SyncLock Then
Throw To True Try TypeOf
Unicode Until volatile When While
With WithEvents WriteOnly Xor
References:

| S.NO | Topics | Reference URL |
|---|---|---|
| 1 | Design Guidelines for Class Library developers | http://msdn.microsoft.com/library/en-us/cpgenref/html/cpconnetframeworkdesignguidelines.asp?frame=true |
| 2 | Exception Handling Best Practices | http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconbestpracticesforhandlingexceptions.asp |
| 3 | ADO .NET Best Practices | http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnadonet/html/adonetbest.asp |
| 4 | Garbage Collection | http://msdn.microsoft.com/msdnmag/issues/1100/GCI/default.aspx |
| 5 | Top Ten Security Tips | http://msdn.microsoft.com/msdnmag/issues/02/09/securitytips/default.aspx |
| 6 | Security Coding Guidelines for .NET Framework | http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/seccodeguide.asp |

_________________________________________________________________________________________________
Note: If any of the items is marked complementary to the expected result, the item shall be recorded as a defect in the
Inspection / Review report.
