Code Review

Lukas RyplTwitter: @LukasRypl

01/2014

What is code review?

● Systematic examination of source code ● Goals

– Identification of defects

– Better code quality

– Sharing of knowledge

● Also known as code inspection

How does it fit in our process

● After implementation, before testing● Dedicated task state in issue tracker● Author assigns it to different person

– We do not have any hierarchy, CR should be evenly shared among all team members

How should I do it?

● Notification from issue tracker● Check related svn commits

– (linked via refs #1234)

● See changes context in IDE

● Change reviewed code● Add @TODO CR● Add comments in issue tracker

● Assign it back to the author

Why we do it?

Software testing alone has limited effectiveness - the average defect detection rate is only 25 percent for unit testing, 35 percent for function testing, and 45 percent for integration testing. In contrast, the average effectiveness of design and code inspections are 55 and 60 percent.

(S. McConnell: Code Complete)

I believe that peer code reviews are the single biggest thing you can do to improve your code.

(J. Atwood: http://www.codinghorror.com/blog/2006/01/code-reviews-just-do-it.html)

Quality

Less Bugs

http://eugenedvorkin.com/engineering-culture-and-why-it-is-matter-for-business/

Better “Bus Factor”

● More people know the code

http://www.amazon.com/Tomorrow-Heres-Replace-Toilet-Paper/dp/1607552647

Code Review Types

● Formal● Tool-assisted● Email/VCS● Informal● Pair programming

Formal Code Review

● M. E. Fagan (IBM)● Code preparation → code review acceptance

criteria → committee with moderator → individual preparation for CR → review meeting → report with list of defects

● Group review finds only about 4% more defects than individual reviews [Cohen 2006]

● See http://en.wikipedia.org/wiki/Fagan_inspection

Tool-assisted review

● Github pull requests, Gerrit, Crucible, Review Board, SmartBear Code Collaborator …

● Comments attached to code, history

Email / VCS

● Please review the attached patch ….

● Better than nothing :)

Over-the-shoulder review

● Informal method● Suitable for small snippets

Pair programming

● Is it 100% code review?● Both are authors (inside the box)● Third pair of eyes should do CR

Any drawbacks?

Watch out! Feeling too safe?

http://www.bonkersworld.net/code-reviews/

Tips

Tip 1: Find the right person

http://www.jasonawesome.com/2010/06/01/executing-a-php-code-review/

Tip 2: Right amount of code

● max 200 lines of code, 60-90 minutes

http://smartbear.com/SmartBear/media/pdfs/best-kept-secrets-of-peer-code-review.pdf p.50

Tip 2: Right amount of code (cont.)

● Tradeoff – Smaller fragments hide systemic failures

– Very hard to detect defective details in larger pieces

Tip 3: Build your checklist

● Know your weak spots●

Tip 4: Be positive

● Review is about code● It is not about people who wrote it● Goal is overall improvement● No blame

http://vunvulearadu.blogspot.cz/2013/06/code-review-and-under-stress.html

Tip 5: Accepting Code Review

● Do not worry, everyone makes mistakes● Do not take it personally, it is only about code● Say Thank you :)

– maybe it saved you some unpleasant fixing of production code

More tips:

● If you don't understand the code, ask the author (and then write a comment/rename)

● Finding things that are missing is the hardest part (e.g. race condition)

● The sooner CR is done the better● Explain why something is bad (provide

reference)● Use FindBugs, Sonar

References

● Jason Cohen (2006). Best Kept Secrets of Peer Code Review (Modern Approach. Practical Advice.).

Available at Smartbearsoftware.com