How do you perform code reviews?

Question

How are code reviews performed on your development team?

I've been a developer for several years now in several different companies and I have noticed that there isn't a consistent approach to performing code reviews.

At my current company, code reviews are non-existent, which has led to a significant decrease in the quality of the code. At previous jobs, code reviews ranged from just making sure coding standards were enforced to nazi-like line by line reviews that took days to complete.

So I'm wondering what its like for everyone else out there. And in particular, what tools do you use to perform the reviews? And do you find that code reviews help rather than add to the length of time needed for a given project?

I'm all for code reviews as I believe they are an effective way of spotting problems early in the development cycle and they can help novice programmers become good programmers, good programmers become great programmers, great programmers become excellent programmers and so on and so forth.

Up until now, I've only seen code reviews done manually via comments in Word and Excel documents....but just recently, I saw an ad on this site for a product called Code Collaborator and it appears to be a much better way to do code reviews.... One nice feature I noticed is that it can force code reviews to be performed before code can be committed...

Has anyone on here ever used this product or a similar one? And if so, have you found it makes the process of doing code reviews easier?

Answer 1

http://www.amazon.com/Handbook-Walkthroughs-Inspections-Technical-Reviews/dp/0932633196

Don't bite off more than you can chew - start simple and involve those who are willing to try it. once you start publishing results and people start seeing good results then it will grow on its own. Don't force it or try to convince people it is a good idea. Educate, but don't expect or demand compliance.

Start with your own code - ask people to review it.

Good luck.

Let us know how it went.

I initiated it in a small group I managed - it turned around a group that was seen as the black sheep with bad process and poor quality into the leading group and one with no defects shipped to customers. We started getting asked what we did.

This was all due to the group agreeing to try it and work with it. We were flexible and kept the meeting short and productive.

Have fun with it.

Answer 2

We get all the relevant developers in a large conference room that has an overhead projector. Then the developer who wrote the code walks everyone through the use-case documentation (distributed so everyone has a copy). As he walks through the doucmentation, he walks through the corresponding application logic, showing what it does. At any point, other developers can raise issues, which are written down. Once the walkthrough's done, we debate the resultant issues, the head guy (boss/architect) makes some decisions, and we break for lunch.

Answer 3

I worked at a process-heavy organisation, and the basic overview of code inspections was like this:

• project manager identifies 4 people to do the inspection who are identified with the roles of Author, Leader, Scribe and Tester.
  • Author - person who wrote the code
  • Leader - person who organises the inspection meeting and "runs" the meeting (e.g.: gets things back on track if a side discussion takes over)
  • Scribe - person who writes down all the comments, takes notes on TODOs for the project manager, architect, etc.
  • Tester - representative from the test team
• Leader organises the inspection -- makes sure everyone has access to the correct version of the chunk of source code, along with all supporting artefacts (reqs, design docs, etc)
• Everyone prepares for inspection by reading through the code and making notes.
• All the obvious errors are collated offline (not in a meeting) so they don't have to be discussed during the inspection meeting (which would be a waste of time)
• If everyone agrees the code is ready for inspection then the meeting goes ahead
• Someone (not the author) reads through the code, everyone discusses bugs/design issues etc. Scribe writes everything down (we had a standard form for that).
• At the end of the meeting everyone agrees on a "disposition" for the code:
  • Passed - code is good to go
  • Passed with rework - code is good so long as small changes are fixed
  • Re-inspect - fix problems and have another inspection
• After the meeting the author fixes the mistakes and checks in the new version.
• If it's passed with rework then leader checks off the bugs that the scribe wrote down and makes sure they're all fixed.

There's loads more, but this is the basic jist of it. This was a CMM level 5 company, so they collected metrics on LoC-inspected-per-hour and used that to predict how much inspection time a new project would require.

Answer 4

Teams around Microsoft use a variety of different CR methiods. Some teams are very formal, others more informal. To my knoledge, all teams do one form of code review or another

Our team tends toward a more informal code review style. New chunks of code, large or complex changes first go through a face to face walk through. Several of us gather in a conference room and the author walks everyone through the changes. THe point is to ensure everyone understands why the author did things they way they did.

Before a walk through, participants are expected to have read any specs and other docs and gone through the code on their own. The walk through is more for answering questions and understanding than providing constructive feedback. As the dev manger, I really discourage comments on style in this meeting: our teams have well defined and documented coding standards that folks are expected to follow. We're not draconian about it, but we'll cancel a walk through if myself or one of the leads fels the code isn't ready for a walk through due to style issues.

After the walk through, other feedkback is handled via email. We don't formally track the feedback - email provides sufficient record.

We use developer branches for each person so folks actually check in changes into their branch before code review. This is easier than trying to keep changes out of our source code contorl system before it is reviewed.

Team members send changes based on code review feedback to other team members in what we call a "BBAPCK". This is a package of changes that can be viewed, diffed or temporarily applied to a local copy of the code base. Usually the lead will approve the final BBAPCK for integration into the parent code branch.

Incremental changes for bug fixes or small improvements are simply handled via mail. Or a quick "over the shoulder" code review.

In your question, you use the term 'force'. I suggest that if you have to force your team members to do anything by imposing tools and processes on them, then you have team culture, discipline, or leadership problems you need to fix.

For our team, the dev general has discretion on which changes he will make from CR feedback. But, the leads and senior devs can require some things. We don't have any rules on this - team culture drives this. We almost never have a disagreement about CR feedback. We have a culture of providing good constructive feedback. CR feedback is conditioned helpful; anything that makes the code better is goodness.

This light weight process works well for us: We have enough process to catch bugs in CRs, but its light weight enough for us to move quickly and be efficient.

Our biggest challenge is scheduling time for CRS... even though we do a lot by email, some CRs take significant time. This is hard to predict and schedule. But, we prioritize CRs highly - only rarely skipping them to meet schedule. Though that does happen.

I've worked at companies where code reviews absolutely sucked. We spent way more time arguing about style issues such as what to name variables, or where curly braces go that more substantial topics. OF course, consistent style is important, but focusing on correctness, reliability, performance, efficiency and maintainability is way more important than style.

We keep the code in the team style by encouraging people to do it: If somebody checks in a little "ugly" code, the lead simply fixes it.

I have one project where the code base (about 90K lines of code) has three distinct styles. This is due to a few things: 1) I had a team member (no longer with us) that just refused to follow the team style. We have not had the time to go re-format all his code. 2) Some of our code follows anoter teams style because it is based on their code.

My view on style is that it should be consistent in each module, and related modules, but its not too problematic if it varies a bit. This is true for one of my teams. The XPERF tools team is very different - it is very important to them that their code has a very consistent style for all modules. This works great for them.

As a dev manger; I find it important to be flexible here and leat teams (and some individuals) have the freedom to set their own coding guidelines and standards. Its important to developers and at the end of they day; devs that are not bent out of shape about coding guidlines enjoy their work better and get more work done.

Now, some things are not left up to teams or devs. In windows we have many practices and requirements that we follow with exacting discipline. For example, all product code must be fully localization. Many practices around security and reliability are always adhered to. Nobody gripes about these because we all know how important they are.

We check for these things using some very sophisticated tools - many of which now ship in Visual Studio 2008. Others are checked for in our code reviews.

I encourage everyone to work with their team to find a set of CR practices and habits that work well for the team. If you are a manger, I encourage you to take a 'light hand' with pushing what you feel may be the right thing over the objections of your team. Of course, you must exercise your judgment and bring your experience to the team; but fighitnt over CR practices and style issues can ruin a good team - I've seen it happen.

At the end of the day, focus on two thigns

1. Shipping great code that delivers what your customers want; is reliable, performs well and meets its other requirements.
2. Maintaining a fun and rewarding work environment for your team. After all, coding is fun after all. If its not, then your management team is horked.

Effective code review practices can be a very positive force for both of these goals.

Answer 5

You might not want to hear this but, in my humble opinion, code reviews go hand-in-hand with coding standards. If you conduct code reviews and you have no published standards, then the tone of the review can take on the feel of an inquisition.

Publish standards first. If someone makes a point in the review and it is not covered in the standard and everyone thinks that the point is valid, then you add it to the standard.

If coders know there's a standard and know that the standard will get enforced by the group, then coders will conclude that the process is fair and are more likely to follow the standard. Hopefully, it's a good standard. Not too detailed and not too vague. Overall quality should rise.

Answer 6

One of the organizations that I worked for had a home grown tool for code reviewing, which itself was a hindrance to do code reviews. In fact they were after some review metrics that were indicators to quality of code! So don't forget your objective here - improving code quality. It can horrendously become a road-bump in your development cycle.

While I used to believe in code reviews earlier, now I am convinced now that there are better ways to improve code quality. I think unit testing of the code has far more value than code reviews IMO. After reading and following what Michael Feathers describes in his "working effectively with Legacy Code", I believe unit testing is the best value for money in improving code quality.

But this doesn't mean that code reviews are useless, it needs to be a very light weight one that doesn't hinder. If it is becoming a heavy weight process, then you have some other problem that you need to fix first.

Answer 7

When I was working in previous company we were using Code Collaborator. Scenario was very simple: each piece of code must be reviewed before commiting to Subversion repository. There also some SVN hooks that check commit diff against diff from Code Collaborator. Commit is rejected if it doesn't match diff from CC.

Also I think that code reviewing tool is almost useless when it doesn't linked to version control system. There are MUST be some kind of links from commit message to corresponding review. Also it's a good idea to record commit stats, like number of lines of code commited without review, commited with review, rejected etc. It's another developer performance metric.

Another important moment—code review takes time. So you should explicitly specify how much time code review should take and what exactly should be checked (e.g. absence of debug code, major breaks of coding style etc). Everyone in the team must understand what and why he/she doing during code review.

Answer 8

In addition to Code Colaborator, you should also consider Crucible. (Big disclaimer: I'm one of Crucible's developers.)

There are a bunch of benefits to doing code reviews:

• Spot bugs early. The cost of fixing a bug typically increases with the time between when the bug was introduced and when it was detected.
• Mentoring. Code review is a good opportunity for senior developers to share their wisdom with junior developers.
• Learn by example. When a junior developer reviews a senior developer's code, they get the opportunity to see how the senior developer solves problems, etc.
• Better code knowledge (lower truck number). When everyone gets to see everyone else's code, the chance that only one person knows how a subsystem works is reduced.

At my current company, code reviews are non-existent

It can be easy to start a code-review culture in your company, because when code-reviews become painless they also become addictive. And using a tool can really help reduce that pain.