good coders code, great reuse

Trying to get into the details seems to be a religious issue -- nearly everybody is convinced that every style but their own is ugly and unreadable. Leave out the 'but their own' and they're probably right...

Jerry Coffin on indentation

I am now on Twitter! Meet me on Twitter here (my nick is pkrumins.)
Or on Google Buzz and Facebook.

Video Lectures 28 Feb 2009 09:12 am

JavaScript: The Good Parts

I found a really nice video lecture on JavaScript. I’m a JavaScript journeyman myself so I decided to review it to learn something new. I have written about JavaScript in the past — the previous post on JavaScript was “Learning JavaScript through Video Lectures”.

This lecture is given by JavaScript guru Doug Crockford. He’s the author of JSON, JSMin JavaScript minifier and JSLint.

The talk is based on Douglas’s recent book “JavaScript: The Good Parts”. It’s excellent.

The lecture begins with a brief intro of why JavaScript is the way it is and how it came to be so. An interesting point Doug makes is that JavaScript is basically Scheme, except with Java syntax. He talks about the bad and good parts of JavaScript and gives a few examples of common JavaScript problems, their solutions and patterns. Douglas also talks about how he discovered JSON. After the talk there is a 13 minute Q and A.

You’re welcome to watch the video lecture. It’s 1 hour long and it will definitely make your understanding of JavaScript better:

Here are some interesting points from the lecture:

[09:57] JavaScript was influenced by Scheme, Java and Perl. From Scheme it borrowed lambda functions and loose typing. From Java it took most of the syntax, and from Perl some of its regular expressions. And finally, it derived the idea of prototypal inheritance and dynamic objects from Self. See my previous post on JavaScript for an explanation of prototypal inheritance.

[11:38] JavaScript bad parts:

  • Global variables. Global variables make it harder to run independent subprograms in the same program. If the subprograms happen to have global variables that share the same names, then they will interfere with each other and likely fail, usually in difficult to diagnose ways.
  • Newlines get converted into semicolons. JavaScript has a mechanism that tries to correct faulty programs by automatically inserting semicolons. It sometimes inserts semicolons in places where they are not welcome. For example:
    return
    {
        status: true
    };
    

    returns undefined because JavaScript inserts ‘;’ after return.

    Correct way:

    return {
        status: true
    };
    
  • Operator typeof is not very helpful. For example, “typeof null” is “object”, “typeof [1,2,3]” is also “object”.
  • Operator + adds numbers and concatenates. The + operator can add or concatenate. Which one it does depends on the types of the parameters. If either operand is an empty string, it produces the other operand converted to a string. If both operands are numbers, it produces the sum. Otherwise, it converts both operands to strings and concatenates them. This complicated behavior is a common source of bugs. If you intend + to add, make sure that both operands are numbers.
  • Operators == and != do type coercion. Use of the === and !== operators is always preferred.
  • Too many falsy values. 0, NaN, '' (empty string), false, null, undefined are all falsy.

[17:25] The for … in statement mixes inherited functions with the desired data members (it does deep reflection). Use object.hasOwnProperty to keep only the names that belong to the object itself:

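for (var name in object) {             // declare name so it does not become a global
    if (object.hasOwnProperty(name)) { // skip members inherited from the prototype chain
        // ...
    }
}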
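The effect of inherited members on lookups and enumeration, as an added example that is not from the lecture or the original post: a word counter that uses an object as a map, first naive and then hardened. The word list, the `base`/`child` objects and all function names are constructed for illustration.

```javascript
// Constructed sample input: two of these words are also names of
// members that every plain object inherits from Object.prototype.
var words = ["the", "constructor", "called", "the", "toString", "method"];

// hasOwnProperty is taken from Object.prototype so the check still works
// when the data itself contains a key named "hasOwnProperty".
function hasOwn(object, name) {
    return Object.prototype.hasOwnProperty.call(object, name);
}

// Naive: count[word] also finds inherited members, so "constructor"
// and "toString" look like entries that already exist.
function countNaive(list) {
    var count = {};
    for (var i = 0; i < list.length; i += 1) {
        var word = list[i];
        if (count[word]) {
            count[word] += 1;   // inherited function + 1 turns into a string
        } else {
            count[word] = 1;
        }
    }
    return count;
}

// Hardened: only own properties are treated as existing entries.
function countOwn(list) {
    var count = {};
    for (var i = 0; i < list.length; i += 1) {
        var word = list[i];
        count[word] = hasOwn(count, word) ? count[word] + 1 : 1;
    }
    return count;
}

// Enumeration: for...in walks the prototype chain as well.
function allNames(object) {
    var names = [];
    for (var name in object) {
        names.push(name);
    }
    return names;
}

function ownNames(object) {
    var names = [];
    for (var name in object) {
        if (hasOwn(object, name)) {
            names.push(name);
        }
    }
    return names;
}

// Constructed objects: child inherits "inherited" from base.
var base = { inherited: 1 };
var child = Object.create(base);
child.own = 2;
```

The same care applies whenever the keys come from outside the program: a key such as "constructor" is found on an empty object unless the lookup is restricted to own properties.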

[22:00] Javascript good parts:

  • Lambda. Enough said.
  • Dynamic objects. Just add a property to an object, or remove it, no need for classes and derivation to create a similar object.
  • Loose Typing. No need for type declarations.
  • Object Literals. {} for object literals, [] for array literals and // for regexp literals.

[23:00] Two schools of inheritance - classical and prototypal. Prototypal inheritance means that objects can inherit properties directly from other objects. The language is class-free.

[24:35] Realization of prototypal inheritance in JavaScript:

if (typeof Object.create !== 'function') {
    Object.create = function (o) {
        function F() {}
        F.prototype = o;
        return new F();
    };
}

Now a newObject can be created by inheriting from oldObject:

newObject = Object.create(oldObject);

[26:05] Example of global variables and why they are bad and how to solve the problem by using closures.

var my_thing = function () {
    var names = ["zero", "one" /* , ... */];
    return function(n) {
        return names[n];
    };
}();

[29:00] There are four ways to create a new object in JavaScript:

  • Object literal — var object = { }.
  • New — var object = new Object()
  • Object.create — var object = Object.create(old_object).
  • Call another constructor (use different inheritance model).

[42:42] JSLint. JSLint defines a professional subset of JavaScript. JSLint will hurt your feelings.

[52:00] Q/A: Does strict mode change the behavior or does it take things out? — Can’t have “with” in strict mode, changes the way eval() works, changes error handling.

[53:00] Q/A: What’s going on with DOM? — Ajax libraries fix DOM, these changes should be propagated back into DOM API.

[55:30] Q/A: How do you spell lambda in JavaScript? — function.

[55:54] Q/A: How to solve the global variable problem? — Each compilation unit should be isolated, but there should be a way for them to be introduced (linked) to each other.

[56:30] Q/A: How do JavaScript objects differ from hash tables, they seem the same to me?

[57:23] Q/A: What’s wrong with HTML 5 and web apps? — They are doing too much and there are way too many of them.

[59:10] Q/A: How come JSON and JavaScript have almost the same syntax? — Doug admits he forgot to include Unicode Line Separator (LS) and Paragraph Separator (PS) control codes as whitespace chars.

[01:00:32] Q/A: Why does JSON require quotes around the property names? — Three reasons: 1. Wanted to align with Python where quotes are required, 2. Wanted to make the grammar of the standard simpler, 3. JavaScript has a stupid reserved word policy.

[01:02:40] Q/A: Are there any prospects for adding concurrency to the language? — Definitely no threads. Could be some kind of a messaging model.

If you liked this talk, I recommend that you get Doug’s book:

Happy javascripting! ;)


Video Lectures 05 Nov 2008 10:00 am

Edsger Dijkstra

I found a great video interview with Edsger Wybe Dijkstra. You have probably heard of Dijkstra’s algorithm. He invented it.

In the interview professor Edsger talks about his thoughts on software development. He compares two very different styles of programming - Mozart style of programming vs. Beethoven style of programming. When Mozart started to write, the composition was finished. He wrote the manuscript in elegant handwriting in one go. Beethoven was a doubter and a struggler. He started writing before he finished the composition and then glued corrections onto the page. In one place he did it nine times. When they peeled them off, the last version proved to be identical to the first one.

From the video one can understand that Edsger preferred Mozart’s style of programming. Not just programming, but Mozart style of doing things. He says that the most important thing has been the daily discipline of neatly writing down his thoughts.

His daily discipline led to hundreds of crystal clear scientific papers, which have now been archived in the EWD Archive.

You are welcome to watch the interview with Edsger Dijkstra:

At the beginning of the video Dijkstra criticizes current software release methodology. He says that version 1.0 should be the finished product. I don’t think he’s right. It’s like Tanenbaum telling Torvalds that Linux is obsolete. Also see “Release Early, Release Often.”

Edsger Dijkstra’s quotes from video:

  • Computer science is no more about computers than astronomy is about telescopes.
  • The competent programmer is fully aware of the limited size of his own skull. He therefore approaches his task in full humility and avoids clever tricks like the plague.
  • We should not introduce errors through sloppiness but systematically keep them out.
  • Program testing can convincingly show the presence of bugs but it is hopelessly inadequate to show their absence.
  • Elegance is not a dispensable luxury but a factor that decides between success and failure.

I found a funny poster of Dijkstra:

Dijkstra - Quick and Dirty

Video Lectures 26 Jul 2008 11:55 pm

Python yesterday, today, tomorrow

This is the third post in an article series about Python video lectures. The previous two posts covered learning basics of Python and learning Python design patterns.

This video lecture is given by Google’s “Über Tech Lead” Alex Martelli. In this video he talks about the most important language changes in each of the Python versions 2.2, 2.3, 2.4 and 2.5.

I am actually using an older version of Python, version 2.3.4. This lecture gave me a good insight into what new features to expect when I upgrade to a newer version of Python.

Here it is:

Interesting information from lecture:

  • [01:30] There are many versions of Python - Jython, IronPython, pypy and CPython.
  • [03:02] Python 2.2 was a backwards-compatible revolution. It introduced new-style objects, descriptors, iterators and generators, nested scopes, and a lot of new modules in the standard library.
  • [04:12] New rule for introducing extra features: 2.N.* has no extra features with respect to 2.N.
  • [04:32] Python 2.2 highlights: metaclasses, closures, generators and iterators.
  • [05:35] Python 2.3 was a stable version of Python with no changes to the language.
  • [06:05] Python 2.3 had a lot of optimizations, tweaks and fixes, such as import-from-zip, Karatsuba multiplication algorithm, and new stdlib modules - bz2, csv, datetime, heapq, itertools, logging, optparse, textwrap, timeit, and many others.
  • [08:50] Python 2.3 highlights: zip imports, sum builtin, enumerate builtin, extended slices, universal newlines.
  • [09:50] Python 2.4 added two new language features - generator expressions and decorators. New builtins were added - sorted, reversed and set, frozenset. New modules - collections, cookielib, decimal, subprocess.
  • [13:00] Example of generator expressions and decorators
  • [13:37] Example of sorted() and reversed() builtins.
  • [16:40] Python 2.5 was also an evolution of the language. It came with full support for RAII (with statement), introduced two new builtins - any and all, unified exceptions and added a ternary operator. New modules - ctypes, xml.etree, functools, hashlib, sqlite3, wsgiref, and others.
  • [18:40] Python 2.5 optimizations.
  • [23:25] RAII - Resource Allocation is Initialization.
  • [25:30] Examples of RAII.
  • [31:05] Python RAII is better than C++’s. Python’s RAII can distinguish exception exits from normal ones.
  • [33:29] Example of writing your own context manager.
  • [36:30] Example of writing a RAII ready type with contextlib.
  • [38:05] Following Python’s Zen, “Flat is better than nested”, use contextlib.nested for multiple resources.
  • [40:40] Generator enhancements - yield can be inside a try clause, yield is now an expression (almost co-routines!).
  • [44:50] Python 2.5 absolute/relative imports.
  • [47:00] Joke - “If you exceed 200 dots when using relative imports, you have a serious psychological problem”.
  • [47:45] Python 2.5 try/except/else/finally.
  • [48:55] Python 2.5 if/else ternary operator.
  • [49:35] Python 2.5 exceptions are new style.
  • [51:15] Python 2.5 any and all builtins.
  • [54:00] collections.defaultdict subclasses dict and overrides __missing__.
  • [56:55] ctypes is probably the most dangerous addition to Python. One mistake and you crash.
  • [01:01:30] hashlib replaces md5 and sha modules, and adds sha-(224|256|384|512). Uses OpenSSL as accelerator (if available).
  • [01:02:29] Lecture got cut here but the presentation still had two slides on sqlite3 and wsgiref!

Here is the timeline of Python versions. I hope Alex doesn’t mind that I took it from his presentation. :)

python timeline of versions 2.2, 2.3 and 2.5

If you don’t know what new-style objects are about, see these two tutorials:

Have fun writing better code in Python!


Video Lectures 24 Jul 2008 11:50 pm

MySQL performance tuning

In this post I’ll cover a lecture on MySQL performance tuning.

This lecture is given by Jay Pipes. Jay works at MySQL and has written a book on MySQL. It’s called Pro MySQL and it covers intermediate and advanced features of the database. He also has an interesting blog, which I have long been subscribed to - Jay Pipes blog.

In this lecture Mr. Pipes talks about core concepts of profiling and benchmarking, about the most common sources of performance problems, about indexing, schema, coding guidelines, and a little about server parameter tuning.

Here is his talk at Google:

The most interesting performance tuning tips from the video:

  • [02:20] Don’t benchmark without a goal. Have a goal like “improve performance by 20%”. Otherwise you’ll waste a lot of time tuning milliseconds out of your application.
  • [02:50] Change just one thing at a time and re-run the benchmarks.
  • [03:40] Disable the query cache by setting the cache size to 0 when running MySQL benchmarks.
  • [05:22] The best tool for profiling MySQL queries is the EXPLAIN command. Understand it!
  • [06:40] Log slow queries and use mysqldumpslow to parse the log. MySQL also has an option (--log-queries-not-using-indexes) for logging any query that does not use an index on a table.
  • [07:40] Jeremy Zawodny wrote the mytop utility for monitoring the threads and overall performance of MySQL servers.
  • [08:55 && 11:30] Repeated queries on an un-indexed field will kill your application faster than anything else.
  • [09:30] Don’t de-normalize just because you think it will be faster. Start with normalized database schemes.
  • [10:15] Server parameter tweaking is not a catch-all. Tuning server parameters can help but it’s very specific to certain situations.
  • [12:05] If you use MyISAM storage engine, exploit covering indexes.
  • [12:50] Ensure good selectivity on index fields.
  • [14:45] On multi-column indexes, pay attention to order of fields within the index definition.
  • [15:40] Be aware that as your database grows, the data in the indexed fields can gradate, deteriorating the usefulness of that index. As your data grows, always examine whether the indexes you originally thought of are still relevant to the data.
  • [17:02] Example of a common index problem, where an index is created on multiple fields.
  • [20:30] Use the smallest data types possible. Don’t use bigint, when int will do. Or, don’t use char(200), when a varchar or smaller char() would do. Using the right type will fit more records in memory or index key block, meaning fewer reads, resulting in faster performance.
  • [21:30] Consider horizontally splitting many-columned tables if they contain a lot of NULLs or rarely used columns.
  • [23:35] Get rid of surrogate keys (with example).
  • [24:05 && 33:20] Be an SQL programmer who thinks in sets, not procedural programming paradigms.
  • [24:35] InnoDB can’t optimize SELECT COUNT(*) queries. Use counter tables! That’s how to scale InnoDB.
  • [27:20] Always try to isolate index fields on one side of condition in a query (with example).
  • [28:20] Avoid using CURRENT_DATE() as it invalidates the cache.
  • [29:34] Example of using calculated fields when searching on top level domain. Idea - put a reversed TLD in the table.
  • [33:20] Avoid correlated subqueries. Think in sets not loops! Here is a great article on visualizing SQL joins.
  • [34:50] Example of using derived tables to avoid correlated subqueries.
  • [36:25] Be aware of global and per-thread server variables.
  • [37:50] Enable query cache if your application is doing a lot more reads than writes!
  • [28:50] MySQL uses MyISAM for internal data storage.
  • [40:00] MySQL loves RAM!
  • [40:35] Q and A.

Jay recently published slides from his Join-Fu talk. Go get them!

I enjoyed this talk a lot. I am an intermediate MySQL user and I had not read his book. It was really informative!

If you want to learn more about MySQL, and don’t yet have his book, why not get his book:


Video Lectures 17 Jul 2008 10:25 pm

How cybercriminals steal money

Another great lecture from Google TechTalks.

This lecture is given by Neil Daswani, who has a Ph.D. from Stanford and currently works at Google as a security engineer. He is also an author of a book entitled “Foundations of Security: What Every Programmer Needs to Know”, which teaches you state-of-the-art software security design principles, methodology, and concrete programming techniques you need to build secure software systems.

Neil talks about top three web application vulnerabilities that cybercriminals use to steal money. These three vulnerabilities are:

  • SQL Injection attacks,
  • Cross-Site Request Forgery (XSRF) attacks, and
  • Cross-Site Script Inclusion (XSSI) attacks.

I was surprised that he did not cover plain, old Cross-Site Scripting (XSS) attacks, but jumped right to dynamic XSS. You’ll have to get familiar with this type of attack on your own. See the XSS FAQ and XSS Cheat Sheet for more information!

Interesting points from the lecture:

  • [01:48] Years ago cybercriminals were teenagers writing viruses and worms; today they are organized crime looking to steal money.
  • [03:19] Intermediate goals to stealing money are data theft, extortion and malware distribution.
  • [04:02] Russian Business Network (RBN) is an example of organized cybercrime.
  • [09:00] Attack #1: SQL Injection.
  • [16:30] Preventing SQL injections.
  • [17:00] Don’t blacklist (filter) characters in queries. Whitelist (allow) well-defined set of safe values for each field.
  • [18:30] Take a look at mod_security if you use Apache web server. Mod_security is a Web Application Firewall. It allows you to define a set of rules the web application must follow.
  • [19:30] Prepared statements and bind variables help to avoid SQL injections.
  • [23:00] Other mitigation strategies include limiting the web application user’s privileges on the SQL server, and hardening the database server and host operating system.
  • [23:45] Second order SQL injections (link to pdf) abuse data that is already in the database.
  • [23:55] Blind SQL injection (link to pdf) is a technique to reverse engineer the structure of the database.
  • [24:25] Attack #2: Cross-Site Request Forgery (XSRF).
  • [26:00] How XSRF Works.
  • [31:30] Drive-By-Pharming (pdf) is an XSRF technique where the attacker changes DNS settings of a user’s broadband router (fact - 50% of home users do not change default router password).
  • [34:00] Preventing XSRF.
  • [34:20] Check Referer HTTP header. That doesn’t always work because the user might be using a proxy.
  • [36:15] Validate the user by asking him to provide his password or any other token only the user has knowledge of.
  • [37:15] Validate requests via “Action Tokens” which add special tokens to forms to distinguish them from forged forms.
  • [38:30] Attack #3: Cross-Site Script Inclusion (XSSI).
  • [39:10] How XSSI works.
  • [41:20] Dynamic script inclusion example.
  • [47:25] Trends.
  • [50:12] Open Web Application Security Project (OWASP) Top 10 vulnerabilities in 2007 (link).
  • [53:55] Google has some material on Web Security at code.google.com/edu.
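One way to implement the “Action Tokens” from [37:15], as an added example that is not code from the lecture or the original post: the server derives a token from its own secret, the user's session and the action, embeds it in the form, and rejects any state-changing request whose token does not verify. The function names, token layout, session ids and key handling are assumptions made for illustration.

```javascript
// Added example for Node.js; all names below are hypothetical.
const nodeCrypto = require("crypto");

// Assumption: a per-deployment secret. It is generated at start-up here;
// a real service would load it from protected configuration.
const SERVER_KEY = nodeCrypto.randomBytes(32);

// HMAC over (session, action, expiry). Fields are length-prefixed so that
// ("ab", "c") and ("a", "bc") never produce the same message.
function sign(sessionId, action, expires) {
    const message = [sessionId, action, String(expires)]
        .map((field) => field.length + ":" + field)
        .join("|");
    return nodeCrypto.createHmac("sha256", SERVER_KEY)
        .update(message)
        .digest("hex");
}

// Called when rendering a form: the token goes into a hidden field.
// `now` and `ttlSeconds` are in seconds.
function issueActionToken(sessionId, action, now, ttlSeconds) {
    const expires = now + ttlSeconds;
    return expires + "." + sign(sessionId, action, expires);
}

// Called when the form is submitted. sessionId comes from the session
// cookie, token from the request body. A forged cross-site request carries
// the cookie automatically but cannot supply a matching token.
function verifyActionToken(token, sessionId, action, now) {
    if (typeof token !== "string") {
        return false;                       // token missing from the request
    }
    const dot = token.indexOf(".");
    if (dot < 1) {
        return false;                       // malformed token
    }
    const expiresText = token.slice(0, dot);
    if (!/^\d+$/.test(expiresText)) {
        return false;
    }
    const expires = Number(expiresText);
    if (now > expires) {
        return false;                       // token too old
    }
    const given = Buffer.from(token.slice(dot + 1), "utf8");
    const expected = Buffer.from(sign(sessionId, action, expires), "utf8");
    // timingSafeEqual throws on unequal lengths, so compare lengths first.
    return given.length === expected.length &&
        nodeCrypto.timingSafeEqual(given, expected);
}
```

Because the token is bound to both the session and the action, a token taken from one user's form, or issued for a different action, does not verify anywhere else.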

Happy hacking! (just kidding ;) )
