Code Reviews

Here are some of my favourite resources regarding code reviews:

From Karl Weigers’ book on the subject:
http://www.processimpact.com/reviews_book/chapter_2.pdf
http://www.processimpact.com/reviews_book/chapter_6.pdf

And a .NET specific list of security related things to look for in a review:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/thcmch21.asp

Proponents of code reviews say that when they are conducted properly they are one of the most cost-effective ways of finding defects. Does anyone else out there in .NET blog land have any experiences (positive or negative)? The couple of times I’ve tried to get code reviews off the ground I’ve been told they are either too expensive, or I’ve got back fairly superficial and non-specific feedback.

Update: Chris Anderson with some brief info on the Avalon team’s code review process http://www.simplegeek.com/commentview.aspx/cf176ca9-1aec-4cb1-9d0f-796fce45d63a

Comments

Keith Patrick
I’ve been at only one company that did code reviews, and it was by far the most educational experience of on-the-job learning that I ever had, as they would break us into small groups and tell us how to make our code better. Learned a TON about using const and & in C++ that even to this day I wish I could use in .Net, as you get some pretty fine-grained control over what a method can change. Additionally, it truly did help track down bugs as well, and it really wasn’t nearly as time-consuming as I thought it would have been to read and scrutinize source code.
4/02/2004 11:39:00 PM
Marty Fried
My experience with code reviews has been a mixed bag. One of the problems seems to be that nobody wants to spend the time to really understand new code that does anything non-trivial, so the feedback is usually very general. But later, when someone is working on the code to either add functionality or fix bugs, they usually have lots of feedback (sometimes involving large hammers), but then it may be too late to be effective; the programmer may not even be around. I think it might be useful to have one anyway, but it’s hard to get a fellow programmer to tell his boss that another programmer did a bad job.

Maybe in the latter case, it’s better for the two programmers to have a discussion in private where suggestions can be made - maybe an informal feedback session, but one that is required so it doesn’t look like someone did a bad job.

I do think that code reviews are useful; it’s just that they have to be taken seriously enough to spend enough time to do it right. It’s especially useful with new programmers, to make sure they are on track and up to company standards.

Well, enough rambling.
6/02/2004 8:38:00 AM
Mark Levison
I’ve been running code inspections at several companies I worked at for about six years now. The effect has been fantastic: we’ve found a number of bugs and greatly improved the readability of our code. I find three problems with inspections:
1) Many developers don’t want to take the time to prepare their code for inspection.
2) Follow-up. Many times changes are recommended, but are not made.
3) Some developers are not interested in or able to change bad habits.

Important, but sometimes frustrating.
11/02/2004 7:19:00 AM
Chris Anderson - simplegeek
16/03/2004 9:33:00 PM