Slashdot Mirror
Are You Too Good For Code Reviews?
theodp writes "Why do some programmers,' asks Chris Hemedinger, 'place little value on code reviews?' This apparently includes even Programming Greats like Ken 'C' Thompson, who quipped, 'we were all pretty good coders' when asked about the importance of code reviews in his work. Hemedinger, on the other hand, subscribes to the school of thought that peer code reviews are Things Everyone Should Do. Not only do reviews keep you on your toes, Hemedinger says, they also 'improve quality, ensure continuity, and keep it fresh. Who can argue against that?'"
And some of that needs to testers who are NOT coders or people who are not mainly doing programming.
Anyone who is anti-code review is an arrogant snot. No one is perfect, and we all have the capacity to overlook things.
I have worked in places with and without code reviews. Yes code reviews can be painful especially if you work with some douchebags. But overall getting new eyeballs looking at your code often brings up things you hadn't thought about, etc. It doesn't make you or the other people bad, it's just how it is. Drop the ego and take some constructive feedback.
Hold up, wait a minute, let me put some pimpin in it
... code is good enough.
There are times when code reviews make sense and times where they don't, having the wisdom to know the difference is key.
I love code reviews; I usually like doing them and I really want my code reviewed too. But it can be like pulling teeth to get co-workers to do them in a timely manner. So yeah, I commit unreviewed code unless it feels risky.
Terrorist, bomb, al Qaeda, nuclear, yellowcake, kill, assassinate. Carnivore is dead... long live Echelon.
When you're in a team of all around good coders, there's very little gained from periodically telling each other that basically everything is OK. Code reviews can lead to modification-pressure: You can't leave a good thing alone because then what would be the point of reviewing? In that case, coders get rightfully annoyed because nothing passes uncriticized. All in all, if you don't have code quality problems, why would you do code reviews?
(An intellectual is someone whose mind watches itself. Intellectual coders don't need external control.)
Perhaps peer code reviews were less important 30 years ago. The constraints around running code were much tighter. There were fewer layers in the stack where bugs could lurk. Memory was scarce, instruction sets were limited. Computer applications were like my 1973 AMC Gremlin: fewer moving parts, so it was easier to see which parts weren't working correctly and predict when they would fail.
Welcome to the industry, Chris. This might have been the funniest thing I read all week.
Because not everyone is Ken Thompson =)
You can quip that quality pays for itself, but tell that to clients and especially employers. If no one pays us to take the time to do code reviews, no one will. No, it is not just another cost of doing business, at least not to those who write the checks. We have a hard enough time persuading people to do testing still after piles of research. Automated unit tests are a hard sell for a lot of people.
Most clients and employers just want to have programmers spend the least amount of time possible on any given task and move on to a new one, quality be damned. In an ideal situation with consulting, this hopefully billed to the client as "fixes" or a new "version." In the case of products, it takes the form of patches, versions, or never gets fixed at all.
I'm all for TDD, peer programming, code reviews, etc. being someone who's favorite language is Smalltalk (allows true TDD IMO - coding TDD inside the debugger is amazing). The reality is people don't always do the right thing, such as picking the best language for the task, let alone allowing you to do something that would arguably save them money in the end. Code like hell, profits be damned.
Welcome to the real world. If you believe otherwise, you will have a rude awakening. I know of firms or places I've worked that do code reviews and the related TDD, extreme programming, etc. These places seem great, but usually they don't last, especially if your competitors are seemingly pumping out things faster, bugs or not.
I'm too busy for code reviews.
Development schedules are almost always ridiculously compressed. There's no time in the schedule for code reviews. Just like there's no time for thorough testing.
But the software only has to be 'good enough' for people to buy it, so there's no ammunition for developers to use to get a better schedule.
I'm a C++ programmer surrounded by C programmers (pretending to be C++ programmers). Criticism from them is like Neanderthals criticizing Cro-magnon. These people still use FILE* x = fopen.....
I don't know how else to put it.
Code reviews are certainly not a magic bullet. Maybe they are applicable to a situation, maybe not.
Code reviewers are human, so are subject to all the potential problems there. I've seen code quality dragged down by code reviews because the reviewers either could not or chose not to (for various reasons, including inter-department politics) to understand a piece of code (even when it could be shown that it was the 'standard' or best current practice solution.) Ultimately the code was degraded down to the level the reviewer wanted it at just to get things done.
... I'm too stubborn. I think people avoid them b/c they don't like arguing or defending their own particular style, not that they think they're infallible.
Also, not to perpetuate a stereotype, but programmers don't always like working with people.
Because code reviews end up being an enabler for OCD coworkers to tell me how to indent.
Slashdot: Where people pretend to be twice as smart as they really are by behaving like children.
If I had all the time in the world, I would test more thoroughly, and do more post-production audits too.
But I don't have all the time in the world, so I do what I can given the time that I've been given to get work done. I consult my peers often enough that reviewing all the code all the time is a waste of both my time and theirs.
It shouldn't be necessary to review every scrap of code. I think I've written enough that I have the basics down pretty well. And when I get into new subjects, I always talk it over with someone to see if we can find an optimal way of doing something.
If two people have already agreed on the best way to code a specific task, having them review each others work all the time is a waste of time.
I rarely read replies, it's my opinion and if you thought about your opinion a little more, I'm OK with that.
The problem is that the need for code reviews is driven by lax, sloppy developers who don't see regression testing as a requirement, and who foist crappy, untested code that, in many cases, they haven't even tested.
As a consulting exec (experience side) who oversees software delivery I can't even begin to express the stunning crap that I see developers submit for "qa/review". Crap that doesn't even WORK correctly in the first place is submitted for testing, with the QA feedback often "Does not work". Aside from the hours of UE and QA resources this burns with useless testing, it highlights what I think is both an increasing lack of accountability and a lack of professionalism within the development community in general.
What's driving this I have no idea... less formal CS training? Looser languages? Web-centric apps? Lower end standards? Higher demand = more crappy resources? Whatever it is I'm seeing it everywhere, and it's driving me nuts. The lack of an appreciate for regression testing is absolutely insane... code reviews are just symptomatic of a larger problem, which is a lack of quality and skill.
-rt
Hemedinger says, they also 'improve quality, ensure continuity, and keep it fresh. Who can argue against that?'"
You mean besides the hordes of contrarian Slashdotters looking for the word Insightful to appear next to their posts? Heh.
Well, I wouldn't bother trying to argue with that. I know that I'm more apt to design and implement my scripts a little more thoughtfully when I know somebody else is likely to pick them up and work on them. Unless you suffer from 'code fright' it's difficult to picture a scenario where this wouldn't be preferred.
"I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)
http://troll.me/images/the-most-interesting-man-in-the-world/i-dont-always-test-my-code-but-when-i-do-i-do-it-in-production.jpg That says it all for me.
If you are too good for code reviews, you should still do it. It will teach your reviewers how to write better code. Yeah, that's why you should.
ID: the nose did not occur naturally, how would we wear glasses otherwise? (apologies to Voltaire)
I tend to use code reviews as a method for showing other team members the work that I have done so they will know about the changes. I work with a large number of geographically disperse people and having 1:1 conversations about every little change can be tiresome and wasteful. Code reviews are an excellent way to get around this problem.
Another bonus for code reviews, along the same lines - is in teaching people new to a platform about the kinds of bugs to expect when working on the platform.
It also keeps me honest, did I just add a debug, or do I also need to add trace? If I forgot the trace, code review will pick that up.
Having another pair of eyes on your code is a very good idea but this whole concept of everybody getting together and put somebody's work to shame is bad for team dynamics and a waste of time.
I rather have a team dynamic where any developer can pick up a task involving work on somebody else's code, this way code reviews just happen naturally.
HTML is obsolete. It's time for a new, simpler and richer markup language.
In the time we all spend reviewing my code, we could have each fixed separate bugs in the software or completed a new feature. Not only does the code review practically halve my productivity, it halves everyone else's.
:(){
Longer answer: Code Reviews are a "best practice" that really needs to be driven by management and ingrained in the culture as "one of those things that you do" like showing up on time every day (even if that time is 10am), participating in Scrum, turning in your timesheet, etc.
If management is lax and doesn't require code reviews on a regular basis (or, even worse, does them "as needed"), then it is an awkward unpleasant process that can become counterproductive.
So, most places I have worked have treated code review in the "as needed" category, they come up once every year or so, and it feels like more of a flogging for the coder who is being reviewed than a productive forum for learning. Apparently, in 20 years of coding, my management hasn't ever felt the need to review my code. Regulatory agencies have demanded verification and validation, but that is an entirely different thing from programmer to programmer review of how code works.
When I have been in the management chair, I pushed to have some kind of meaningful code review at least every 3 months. That's not often enough, but the places where I was in management were usually of a cultural mindset that code review was a waste of time.
That belief that code reviews are a waste of time seems to be most dearly held by the people who either a) are not confident programmers, b) confident programmers who aren't really that good, c) have (or take) no responsibility for quality and maintenance of a significant code base, or d) don't understand programming at all.
Having other intelligent and experienced developers look at code is always helpful. Heck, this is one of the principles behind open-source.
However, sitting in a meeting with a bunch of dullard cow-orkers struggling to grasp basic ideas is a waste of everyone's time. The good ones could be off doing something useful, and the rest could be off eating Cheetos, watching "Two and a Half Men", picking nits out of their hair, or whatever.
Why yes, I am glad I don't work at my previous job anymore.
Well, I can speak from experience as a QA manager for a major publishing company, once we instituted a formal unit testing and code review program, the defect count went way down. The apps came to us in much better shape from the start.
I've rarely seen code reviews find anything useful. They mostly turn into nit-pick sessions about naming conventions while real bugs slip right through. And they're always done at the last minute, so finding out that a developer isn't following design standards doesn't matter because it's too late to do anything about it.
Effective code review would take a huge amount of hours and the customer just isn't going to pay for it. It ends up just a show so we can check off that box on the CMMI audit.
Godaddy is a scam and a ripoff.
I've been a programmer for over a quarter of a century; but despite all the experience, I still find myself making simple mistakes once in a while. Maybe I'm just not brain-wired for coding as well as those uber-graybeards or teenage geniuses who can write a rock solid kernel by themselves in a fortnight....but even if I were....then all it proves is it works *under my interpretation of the specifications and my knowledge of development*. My co-worker John Doe who is a savvy C# developer could review my code and say "Check out this MSDN article; it shows a better, more robust way to do what you're doing."
And I agree with Joe_Dragon. We have non-developers, rookie developers and senior developers all reviewing each others' software changes and code reviewing where applicable. I can safely say that every permutation of "[non-dev/rookie/senior] finding a bug in [rookie/senior]'s code" has been met.
wtfs per second.
The only valid measure of the quality of code during a code review.
automated testing can let stuff fail but still pass the auto tests and it still misses the GUI / user experience testing.
Since the interview was with Dr. Dobbs, why not link to the Dr. Dobbs blog?
http://drdobbs.com/open-source/229502480
except for regulated industries(where fines and penalties can mount up pretty darn fast) and life and death control systems(where people die if it's wrong) ... code reviews aren't cost effective. It's usually cheaper to find a bug in production than to spend 500 hours ( 5 reviewers x 10 hrs) reviewing the code and looking for bugs that probably aren't there. In an ideal world everything would be reviewed but in this one the dollar(pound/ drachma whatever) ... the "bottom line" rules.
-MondoGordo
Code reviews are good at finding certain types of problems such as coding standards violations. That being said, they are not a substitute for real testing. Don't fire your testing team because you think all validation can be done with code reviews.
there are many tools that produce better software quality, btu they all seem to be up-front, and require a large amount of programmer time. This is probably because they are produced by programmers for programmers.
so test-driven-development is very fashionable at the moment, even though it doesn't really work well with legacy code and can take an amazing amount of time to set up for new; similarly code reviews are great, but require lots of time for a (presumably) better coder to check what you did is ok (as a cursory look through to spot the glaringly obvious problems isn't too much use).
So why do we spend so much programmer time checking and rechecking, when we can test the system like we used to in the old days. Not only can you get dedicated testers (who have fresh eyes on the problem), but they test all the other aspects that code review and unit test would miss.
I know there are places where unit tests are very good - regression testing a library for example, and code reviews are good for the blindingly obvious errors, but too much emphasis are given to these for almost every part of software nowadays. For example, I read today (on stackoverflow) that someone decided to use TDD for his new project and wrote 50 tests per module and it took him ages to get 100% test coverage, and now he can't bring himself to write a new module because it takes so long and is so unproductive. The answers were generally of "you're writing too many tests, 80% coverage is really good", but then.. if you only unit test 80% of your system, you're going to have to 'system test' the whole thing anyway!
So, I think they have their place, but they're not magic bullets of software quality, no matter how much my boss (who's been reading these blogs on the internet again) thinks they will be.
The benefits of code review or intangible immeasurable benefits in the future, most likely going to benefit whoever is going to be in my chair at the time. So why invest in it? That is another tack taken by managers.
But if bugs are found, we could estimate the resources needed to fix it and expand my empire. That is another tack taken by managers.
Even when the top management insists on code review, the middle managers implement it in the most asinine manner. Comment lines to code line ratio. Length of functions. Number of spaces per tab or braces closing style etc instead of truly insightful code review of algorithms and failure modes and consequences.
Finally in my neck of the woods, (scientific and engineering analysis software development) competent peers are rarely found. Even a top company employing hundreds of developers for circuit simulation, say, would have just two guys in any super super specialty like eye-diagram creation, and the work load, locations, skill sets etc are not likely to permit easy code reviews.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Yes, Yes I am.
I don't so much mind having my code looked at. But I don't like looking at other people's code. Does the application work? Great. I don't need to see your code then. If you're happy and the user is happy, I'm happy.
Proverbs 21:19
While I'm not a programmer myself, I have friends that are/were, and based on their descriptions and stories, it's always seemed like code reviews end up an antagonistic process instead of the collaborative one it's supposed to be. Maybe it's just the luck of the draw in finding a good group, but I've heard of some serious snark going on between programmers that disagree with each others styles of coding. Something as simple as indents driving people to the point of blows, etc...
Then again, maybe those stories were notable because of the antagonism and the good experiences are forgotten? Everyone seems to remember the negative, human nature 101...
I believe there are multiple reasons, but impostor syndrome could be one.
I am a pretty good programmer. I work as a consultant, roughly the 2-3rd most senior developer in a company of 35, and i usually end up at our toughest and most important clients, and the feedback i get tends to be very good. However, i'm constantly haunted by a feeling that "this could use some refactoring" or "there might be a better way to do this, and i feel stupid about not finding it". Code review really shows these things, and it can be intimidating.
Can anyone else relate to this?
Important stuff
Nobody is so good that they should not have their code reviewed.
If you think you are that good, this is the first sign that you shouldn't be coding. Management Needs You.
Dog is my co-pilot.
If your ego is so big that you believe you don't need your code to be reviewed to make it better, maybe you should approach it as an opportunity to share with the rest of your staff the practices that you use. Code review can work both ways. Help clean up weaker code and learn from great code. Having the code review keeps the egotists on their toes ;)
In the end code reviews are only as good as the person doing the reviews. SO yes, having your best coder look over everyones code is a very beneficial thing. But I've never worked anywhere code reviews worked because no manager wants to lose his best programmer to reviews. So he has some underling do it and you get useless feedback.
Are you working in an environment in which you're the only developer working on your particular piece of code and everyone else has their own little fiefdom as well, or are you working in a more collaborative environment, such as an Agile/Scrum/whatever environment that practices paired-programming, collective code ownership, and TDD? I've worked in both (I'm currently in an Agile environment and never plan to go back to the "old" way of doing things in case you're wondering where my bias lays.), and I gotta say the need for code reviews seems a lot stronger in your typical Waterfall shop than it it in the Agile shop.
In the waterfall scenario my experience was everyone worked on their own module and there wasn't much in the way of oversight or another pair of eyes until a formal code review was held. You could get away with writing some really bad code and unless a code review was held on a regular enough basis (and they weren't) it would ship as long as it worked.
In the paired-programming scenario you always have a second pair of eyes to check the code being written, and if your pairing partner is effective they'll stop you when they see a better way of solving the current problem and vice versa. Paired-programming is essentially a continuous code review if it is done properly. Couple this with switching partners often enough and you get a team that thoroughly knows the codebase and can generally make more informed design decisions. Add in TDD and you'll (hopefully) have enough code coverage and quality tests to keep your code clean and maintainable.
Now, I'm not trying to say practicing Agile completely eliminates the need for code reviews, but it lessens that need greatly. It is still entirely possible for a lot of terrible code to get written in an Agile environment, especially if two clueless developers are pairing, but if you're working with clueless developers you'll have that problem no matter if you're on a Waterfall or Agile project.
God, schmod. I want my monkey man!
The value of code reviews depends on the motivation behind it. If it's for mutual education, quality control, style conformity, etc., then it's a worthwhile venture. If, however, it's sole purpose is for the jackass-with-a-Doctor's-degree to tell me that I should abandon C and instead do my embedded development in C++, making everything object oriented (among other bloated, touchy-feely bullshit)... you can kiss my ass.
sig: sauer
the amount of craptacular software that is out there, both free and paid, I would say the answer is yes.
Between the exhaustively documented bugs in Civ and AC (to name two games from the same person/group), to the WTF? in many open source packages, coders, as a group, believe they are too good for code review.
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
automated testing is primarily for regression testing anyway. GUI / user experience 'testing' is usually after that point, since 'GUI' is just the interface and not the back end logic. Working but looking bad is inherently preferable to looking good but not working....
People in cars cause accidents....accidents in cars cause people
Heh...we as a department/development group generated a set of coding standards we would all adhere to. It makes reading other people's code easier, and it helps us all to be able to step in and address issues regardless of which module it is, without having to adjust mindset to understand some different set of standards. Yes, newcomers have to adapt to the departmental standard, but it's for the best. After all, all this code is work for hire, not our own personal property.
And no, I had nothing to do with setting the standard, but I heartily endorse it. Most code I encounter freely available on the Internet is pretty poorly formatted, making it so much harder to read and enhance than cleanly and consistently formatted code.
Yes, we sometimes have difficulty with new hires when they get upset that the mandate is to replace their precious tabs with 3 spaces per indentation, but the end result is that the code looks right regardless of the code viewer and platform. This is a significant win when developing across multiple OS platform, using different tools with different default setting for tab stops.
Now things have changed. To expect people to find the time in their schedules to try and understand the sofwtare that one of their colleagues has written is impractical. The chances are they won't really understand it anyway - so the chances of finding any real, subtle bugs is pretty low. Add onto that code reviews evolved in a time when software always had a printed form: you'd get a line-printer dump, start at the top and work down - whereas with IDEs today, that is rarely the case. In OO coding there are many, many places to "hide" methods and inherited features/functions that for one person to try to disentangle the mess that another has produced is almost impossible.
So code reviews belong to an age that passed about 20 years ago. I recall doing code reviews and having people feel under pressure to find something - just to prove they'd read the code. Nowadays we have much better automated tools that are much cheaper to employ and can do their work overnight, rather than tying up valuable developer time with duplicated effort.
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
Code reviews are good for finding bugs and - if you happen to have one - confirming to a coding style guide. This means that we'll be more likely to find bugs, and the code will be potentially easier to maintain. Seems like it's an easy win, at the cost of some small amount of dev time.
However, there's a big list of detriments.
Let's take the average developer, who stereotypically has a social coping mechanism that is ... shall we say off-by-one. Take the thing he does well, and subject it to criticism every time he does it. Keep in mind that many aspects of software development are subjective; how to 'best' write a function, or how to architect a component. That means the criticism isn't constrained to bug fixes (valid) or coding style (valid, even if you dislike them) - it's about personal choices.
Also, there's an issue with ownership. We, as developers, often grow attached to a piece of code and no matter how poorly written or convoluted it is, there's still a certain amount of hurt associated with someone else wanting to change it. This is the case even if we just get assigned to maintain some piece of garbage code we don't even want to deal with.
Then add deadlines. We all know that developing bulletproof code is largely a matter of time. Time to analyze, time to review, time spent peer programming instead of solo, time writing documentation, time writing and running tests, etc. There's good reason that functionality comes first and docs come last in most environments, and it's out of the developer's hands. That's another source of stress since you're tripling the load for each submission: first you have to write it, then you have to go over it with another person in fine detail comparable to writing it. That's assuming you believe you write perfect code to begin with, and don't spend longer than normal reformatting and rewriting your code to make the reviewer happy.
Take those added stresses and add them over and over, and tell me that won't change the coder's behavior in some way. In most places I've worked, this usually results in developers picking 'safe' reviewers - people who don't review in depth, people who don't have the time to do a good job, or people who will defer to the original developer due to perceived differences in experience or rank. In some cases, it means that large rewrites are avoided, and hacks put in place instead, because it's easier to get a 30 line hacked-in function successfully reviewed than a 30 file change. It also appears to limit the creation of new functionality to some extent - if you're breaking ground, everyone has a chance to critique your methods. Most seem to find a way to route around 'damage' in the process, especially if you have any zealots on your team.
Personally, I prefer the more objective code analysis and coverage tools, test driven development, and most important, consensus among developers on questions of architecture prior to implementation. Code can be accessed by those wishing to review it after the fact (which, like refactoring, almost never happens), and it can be handled on an informal level if necessary.
As far as ROI is concerned, this seems to be the most effective and efficient mechanism. Perhaps if the user communities did not so easily accept computer/software failures, this would not be the case.
There, fixed.
Seriously, code reviews don't need to be long, laborious nor overly formal. Code reviews aren't even necessarily about making that particular piece of code better. They're about education and communication. Education as to things that could have been done better (and will be next time), communication as to how and why the code works the way it does (so that more than one person understands it).
If your development team is good, you won't be finding stuff that just doesn't work.
When your input field is overlapped by your nice little logo, there's no way to enter anything in it (for the average Joe). You page may "work" but if users can't figure out how, it it as good as a broken database.
Write boring code, not shiny code!
I'm not against them, but find it REALLY hard to find time for them. Code reviewers are busy too, if I'm ready to check in that doesn't mean someone else is ready to code review.
All these things are good. Unit tests, code reviews...
However, they all come with conditions to make them useful.
Unit tests for example require clean abstracted code to be useful... and they cannot be used to test integration and communication without significant effort. My own view is the primary success of unit testing is that it forces developers to write well abstracted structured code... not in the actual benefits of testing units.
Code reviews require skilled people with good knowledge of the code to be useful.
Does your company have the excess labor to have skilled people duplicating responsibility looking at code? I hope so... but not so in many companies.
I'm not too good for reviews. But I think they're a waste of time when the people doing the review don't know anything about the code, when timelines aren't taken into consideration...
The secret to code reviewing is very simple: Don't be a Dick (tm). When you use Don't be a Dick (tm) when reviewing code, the reviewee will be more inclined to respect your opinion, to see his code objectively, and to incorporate your advice in the future! Of course, and entire team using Don't be a Dick (tm) will be even more effective! Get Don't be a Dick (tm) now, and start not being a dick today!
Unfortunately, we stopped having them due to a reduced group size. Also, last time we had it, the arrogant snob being reviewed fought every single optimization suggestion from the team members and didn't put in any. Then-again, due to the eventual group size reduction, I eventually implemented all the optimizations and his code runs much better now!
not the coder, but the company. Or at least that's my experience. So many organizations still persist in viewing technology as a black hole of expense and yet, expect miracles to pop out of it with minimal investment. Then when code or systems go live with screwy results, the bitch fest begins that morphs into a witch hunt on "who to blame for this error that's costing us money." Rolling back to the beginning, if the company would: - Entrust those hired to do the job to do their job - Hire a TEAM to make the project effective and less costly (even if a temp hire from a external org) - Manage the business and projects therein properly (no draconian deadlines and unobtainable goals) - Invest in the proper tools to allow teamwork & quality to prosper - Require accountability and teamwork to promote employee & product development Looking at my current employer as an example, we have no reliable & functioning source control (and the developers typically code directly against live servers - no better test than a live one right?), no QA tools or test processing cycle, and no team or project management. The coders want to do the right thing, which is admirable - but they need better tools to deliver the goods. Takes money to invest on the infrastructure. Management isn't willing to go there as it requires money. It's miserable, but when I look out into the market place this is not an uncommon story. Organizations expect IT to deliver and all too often people want to take on the challenge only to realize they are effectively an army of one, ill equipped to do the right thing and forced/expected to deliver. In our environment, if coders could rely on teams equipped with decent tools, the review would be easy & effective. And our products would reach the market faster with better results... But instead, they write & review their own work.
... time. And it is a good argument in many cases. Code reviews are great, but they make sense only if you provide good feedback from your review, and the original author has time to revisit their code and make changes according to the feedback. I've seen many work environments were such things were considered too expensive (in terms of time).
Functionality tests can also be important for regression testing. I remember a ruby site I once worked on where, due to some change, registration of a new user didn't work anymore. All the individual classes worked fine, but something wasn't redirected correctly, or not properly stored in the database or something like that. Automated functionality tests allowed us to keep an eye on that.
I seriously wonder how many peopel ehre know what code reviews are about?
a) Drop your ego. You are not gods gift to programming, and you can always improve.
b) Many eyes make for shallow bugs
c) It ensures there is a control on creep.
d) It provides good and more accurate feed back regarding scope.
e) It lets coders know if their code is understandably
f) It bring Jr. Coders up to speed faster and increases their skill
g) It lets Jr. Coders inform Gray beards of new techniques.
h) It ensures people aren't slacking off.
j) It prevents that coders who is in over his head from panicking and being afraid to do anything.
k) It give some level of control to developers
l) It prevents lone coder syndrome.
Since I do a lot of work alone on special projects, I dont' ahve a team. So I go out of my way to find people to review my code.
Because even though I have been doing this for decades, can write circles around most of my peers, I know I make mistakes, I know that being too close means I will over look errors, I understand the tremendus long term benefit of having a coder bring up a styule ot technique I may not be using.
I have seen death march projects get turned around and become successful because of code reviews, I have seen better and more accurate data about scop and time allow coders to get more time.
I have seen people get pissed because other people will be looking at their code. Why? well in my experiences its:
1) They are a lone coder and want control and job security.
2) They don't produce near as much as they imply
3) They don't really grok coding, and their work is a patch work of leaky crap.
Code reviews need to be done correctly. The person running them should be at every meeting, they should understand how to deal with people, then need to maintain a positive meeting.
They also need to teach the coders how to do a positive meeting, and the importance of phrasing questions in a way that isn't negative.
If you through a bunch of coders, force them to come up with changes just to make it 'seem' worth while it wont' work. They're coders, not managers. It's not very likely their skills are very sharp in the organized meeting dept.
If someone starts going on about spacing, tabs, or indenting they had better have a god damn good reason.
A format decisions should be made, but it should be about comments, casing, and naming. Which is important because it need to be constant to aid in maintains, and to aid in discussion about code with people who are new.
One the decision is made. Sat your editor up and the shut up about it.
Code reviews are NOT QA.
The Kruger Dunning explains most post on
If you use some software, then the process is MUCH easier. http://www.reviewboard.org/
Mad Software: Rantings on Developing So
I didn't write it.
I *wish* I had code reviews! Granted, I would also like to choose my reviewers, or at least set a minimum bar ("first, write the FizzBuzz program in the language that the code we are reviewing was written in"). I can understand not wanting to subject yourself to people who really shouldn't be reviewing code (one comic I saw had a "reviewer" stating "all those curly brackets and semicolons really ruin the feng shui of the code"). And maybe some (very rare) people don't need code reviews (I suspect that most people would get more out of reviewing Ken Thompson's code than Ken Thompson would get in return; in other words, learn from the greats). But most code seriously needs to be reviewed. Just drop the ego, get over yourself, and set some standards for reviewers and coding style, then review.
Nathan's blog
But the software only has to be 'good enough' for people to buy it, so there's no ammunition for developers to use to get a better schedule.
I've reflected on this problem quite a bit, and I can't seem to get past "Customers are getting what they are demanding," which is to say "not much."
None of the contracts or RFP's I see are demanding performance measures, quality measures, detailed functional requirements, etc. Nor do I see customers diving into the product and really trying it out before they buy, or comparing the competing products hands-on. Our customers purchase based on limited demos run by the vendors themselves, and those making the purchasing decisions don't have enough experience to thoroughly evaluate a product, nor do they seek the expertise of those who can. In the end, purchase decisions are made with very weak product knowledge, and create contracts that are weak on details (but strong on delivery dates).
This results in frustration all around. Vendors have to deliver what the customer wants, but can't figure out what they want until after they buy it, try it, and then complain it doesn't work they way they want. Customers unwittingly purchase vaporware from vendors. The development teams are asked to deliver functionality with little or no guidelines. Target dates for delivery are off by months. In my opinion, this occurs simply because the customer wasn't clear on what they wanted, didn't make those demands clear in their contract, and didn't make a knowledgeable purchase decision.
Which leads to no time for testing, compressed timelines, no ammunition to do it right, no clear budget or tracking of the costs, and on and on.
At least in my field.
I had a manager who stated that he was introducing regular code reviews. Well, actually, he stated that he wanted to conduct regular code reviews. Not knowing too much about them, I dug up a copy of Freedman and Weinberg's "The Handbook of Walkthroughs, Inspections, and Technical Reviews," and saw that they spell out--from memory, but I'm sure others will correct me if I'm mistaken--that management should not participate in code reviews and that code reviews should never be used for employee evaluation. I pointed this out to him and he said coldly that he was going to conduct code reviews. (In the event, of course, it didn't mattered. We had one meeting, we wasted some time in unproductive discussions of different people expressing their personal coding tastes and the manager stating his approval/disapproval of same, and somehow the manager never found the time to conduct another).
Any employee should be justifiably leery of walking into a "code review" situation, much as any employee should be cautious in taking advantage of HR "Employee Assistance Programs."
I've been in other "code review" situations that deteriorated into edgy negative criticism. Unfortunately, the degree of collegiality in any situation is that of its least collegial member. It takes an awfully good team to have the degree of companionship and trust to do something like that properly.
It's all well and good to say "well, your bad experiences weren't truly code reviews," and my recollection is that Freedman and Weinberg offer numerous suggestions to make them work... but I can only report my own experience.
And while I've been in good teams, teams that I think could have conducted productive code reviews, the parts of the project we were working on were so different--different computer languages and different development systems--that I doubt we could have given all that much help to each other. If we'd been given the time. Which we weren't.
"How to Do Nothing," kids activities, back in print!
As for testing - that's a later stage in the process of development.
Testing and code reviews should occur at the earliest possible moment and be integrated throughout development. Bugs cost less when they are found earlier.
What code reviews miss is, only the coder gave real thought to the solution / implementation. Code reviews can miss very important things, because the readers are not (always) considering the same things the author did.
I see generalizations all over the place when it really depends on the people. When you have a weak link, code reviews catch problems. But only if you have someone good enough to *read* code, if not write it. When you have an all-star team, everyone gets to bring the others up to speed on the code changes, but an all-star team also should be able to read the code for themselves without hand-holding.
Instead of code reviews, I'm developing the idea that two people should write code independently, and then review each other's results. What one person misses might be found with another take on the implementation. Even if they come up with the same thing, you've validated that the solution appears to be correct.
This is not team programming, it is not code review, it is duplication of effort, which is expensive. But if you want good results, expensive once is better than cheap twice or more. This eliminates the major issues behind code reviews:
1) Code writers are not always good readers
2) A given solution may miss edge cases
3) Reviewers don't dedicate as much thought as writers
Code reviews should be your lowest priority. They are the least efficient way of improving the quality of your software, in terms of hours invested vs. improvement in user experience. You are way better off entering feedback from actual customers, testers and UI designers, into an issue tracking system, prioritizing the issues, and working them down in order or priority.
Some supporters of code reviews advocate that they be run as a background task, during what is otherwise programmer idle time. If you are going to do them, that's probably the right way.
You can do good code reviews all day long and your software can remain unusable junk. You need to close the loop, examine how the the actual software works in the field and feed that back into work on the source code. Code reviews short-circuit the process by ignoring the actual performance of the software, instead using the quality of the source code as the measure of correctness. Users don't care about the correctness of your source code as gauged by comparison to a specification. They care about whether the software does stuff that they want it to do and is easy to use.
Code reviews are sometimes only a way for managers to cover their assess. In many organizations managerial competence is defined as adherence to procedures as documented by completed forms. When something blows up, the only artifacts investigators concern themselves with are documents defining procedures and written records documenting that the procedures defined in those documents were followed. Intelligence, good judgement, and actually producing a usable product are irrelevant in such environments. Records of code reviews are an artifact that managers can point to demonstrating their success in following a procedure. Code reviews are really big in regulated environments and especially on government funded projects. Unlike business which needs to sell stuff to actual people to survive, government projects are not required to ever furnish usable products and often do not.
All that said, code reviews do have some advantages. Programmers learn a lot from looking at each other's code and sometimes you have to push them to do that. And it does catch bugs, though the work in finding those is not prioritized by their impact on users, as it should be and is if you prioritize according to user feedback. And if you need highly reliable code, then you need to employ every possible resource for finding bugs, not just the fastest and most efficient, and code reviews are another one of those tools in your kit and you should use them.
Ceci n'est pas une signature.
I regard it that the reviewer is trying to do me a favor. As such, it is my job to return the favor by reviewing some of his/her code. This role reversal typically keeps reviews sensible without too much arrogance on the part of the reviewee and without too much intransigence on the part of the reviewer.
Time should be used for more productive things than looking at the already perfect code I wrote before.
I used to have code reviews at Microsoft. All we did was argue about the proper Hungarian notation. I understand they have given up on that (Thank Heavens) but this illustrates why code reviews can be so bad. They can degenerate into a group search down a checklist for "technical" flaws in the way code is written:
Where did you put your braces? Where are your spaces? Why did you name that variable that?
It is much harder to get (especially less geeky) people to think through the algorithms, and suggest better approaches. I have looked at code (passing code reviews) that performed quick sorts on small arrays so they could just pick up the Minimum value or Maximum value as the first element in the array. How utterly stupid is that? One pass through the array can pick up a Min or Max value O(n) as opposed to Quicksort O(n^2). A code review should pan that sort of behavior in a minute, and yet....
The more geeky among us have their own list of flaws they expect to see in the code of others. Finding these might be *more* useful, but at times also blinds the review for seeing other bigger, more difficult and subtle issues.
Sadly,formating rules, variable names, number of comments, comment formats, etc. etc. and checklists of pet issues are the easiest things to spot in a group scan of the code. The urge to find something and find many things in a group sometimes overrides the need to look past these little things and understand the code at hand, and offer feedback that is really targeted to the problem the code is trying to solve.
It's not that I mind people looking at my code. In fact, I'd love to show off my skills, if they could appreciate my cleverness. And I wouldn't mind some feedback, if other people understood what I was doing well enough to make creative comments. It's not that other people aren't as smart as me; it's just that we're good at different things, and coding seems to be an area where I excel, better than a lot of engineers I know, and better than the vast majority of academics who specialize in theory instead of practical coding. When I have had people look at my code, typically, I get no feedback at all, and occasionally, I'll get someone making stupid remarks about not enough commenting. In fact, I know that I don't comment enough, and I DO NOT believe that it's easy to make self-documenting code. It's just that their remarks would be vague or demonstrate a general misunderstanding of something more fundamental than the lines of code I write. (E.g. that my nlogn algorithm is bigger and harder to read than an n-squared algorithm.)
You're going to get resistance to code reviews from both ends of the spectrum. The lousy coders know they suck and don't want to be caught. It amazes me how some people can't even freaking indent their code, just to make it half-way readable. Their code looks like viagra spam, with random line breaks, extraneous spacing, and everything. The really good coders don't want to be reviewed because it goes over the heads of the typical reviewers.
This is WHY they resist. But the fact is, I think that if we had a culture of code review, it would be good for everyone. The people at the top would get used to explaining themselves better, with the side-effect that other people might learn something. The coders at the bottom would be forced to at least format their code well, and it would force them to think harder about what they write, because stupidity is going to be caught quickly.
And coders of all skill levels are guilty of just hacking crap together sometimes. Just hacking isn't good design practice. Maybe, for someone with an IQ of 150, it's not such a big deal to make solid working code without advance planning, but good design will make it possible for some mere mortal to maintain that code later, even if it's less clever than you could do.
Something that MOST engineers fail to realize is that the world does not revolve around their code. They are doing a job, which contributes to some larger product, and that product is what fills their paycheck. The lines of code you write are almost valueless in and of themselves, because if you weren't there, someone else would do it. If you're a top, well-respected engineer, it's not because you write clever code. It's because you're reliable at churning out CORRECT code that completes products. You are judged on how well you contribute to the bottom line and how many bugs you introduce into end products. Now, maybe you get some satisfaction out of making this or that more efficient or better designed. (I'll do some clever coding tricks because it's less boring, but mostly I spend my brain cycles coming up with better organization that makes bugs harder to introduce, which is actually useful.) Unfortuantely, any competitive edge clever coding leads to will be marginal at best. With today's computers, there are only certain places where cleverness and efficiency really matter, and those are limited to system software and compute-intensive algorithms. Linux and Photoshop have to be smartly coded. Microsoft Word just has to work correctly. Why do you think Apple took so damn long to make Finder snappy? Because it just doesn't matter more than 1% of the time. They spent their resources in more important areas.
I have always worked in places that do not work as a team and do not do code reviews. No one cares about software quality, they just want it done and to go home. Code reviews would be a great way to learn things from more experienced developers. IT would be a great opportunity to learn small tips for improving the overall code quality as well as pointing out flaws so I would know what to work on.....
Instead, I had it once and mostly the person just used it to complain about capitalization in SQL Code and a few other punctuation things. No tips for improving the maintenance, making things cleaner, etc. were given. On actual object oriented code I have never been reviewed. Which is sad really because there is much that could be learned about object oriented design. After all if no one is there to say this code is total crap, or fundamentally flawed....it ends up as production code....sorry.
At my previous job we used to do a lot of code reviews, and they didn't catch squat. Features are usually sufficiently complex that the only thing code reviews did catch were stylistic things, and haggling over minute approaches to problems that ultimately had no impact on the project; there were several instances where we found a bug after launch and it was in a piece of code specifically covered in a code review. Also usually when we had a one or two hour code review we'd have at least three or four other software developers in the room - think of how much time that code review took up. If you believe in code reviews, then a more sane approach is pair programming.
I don't see the programmers as the impediment to code reviews. Projects are often not structured in a way that code reviews are easy to do. Suppose you a small project with 5 programmers. Programmer A has a big chunk of code to be reviewed, so B-E spend a day looking it over, and then half a day in a meeting to discuss changes and fixes. That's 6.5 person days. Multiply by 5 for reviewing the other guys code, and you've got 32.5 person days. A bit more than a man month spent reviewing code. $10k. Now how many times a year do you need to do it? To the average PHB, reviewing code is unproductive time. "Bugs will be found in beta, or after we ship" he'll say. "It's not going to kill anyone. Now get back to work on the brake system software."
Now try a cross project review. What does your boss say when you tell him another project wants you to spend a day and a half reviewing code?
Support SETI@home
it is a good place to put no regression: as user and tester discover ui bugs, capture the flow in code and make it a test case.
after a while, when more and more subtler bugs are discovered, you'll develop a nice suite of automated no regression tests.
also, if you can, make your analysts write some test case about the effect of the stuff they want (this mostly applies to largish projects)
automated test is pretty useless if done by the same programmers that write the code, but extremely valuable if done right
Why don't your automated tests test the GUI? Not testing the UI with automation is crazy.
"Who is the Journal of Quantum Physics going to believe?" --Stephen Hawking
... automatic testing is a joke, it just test something you already prove works in the automatic setting and generates totally, totally useless reports which tell nothing of the state of the actual project ...
Sometimes changes inadvertently break previously working code. Some testing is beyond boring and is best automated if possible. For example I have a calculator application, Perpenso Calc for iPhone, and its regression testing checks the results of all operations, formatting options, etc. A human can only stand so much verification of 64 bit bitwise operations, 20 digit complex number operations, time value of money calculations, etc. The human time is better spent exercising the user interface in this case, and letting the machine do most (not all) of the numerical accuracy checks.
OK that was a pretty special case where automation is an obvious fit but automation works in other areas. Gaming for example, consider a real time strategy game's AI. An automated test might create a squad on squad battle, repeat 1,000 time, and compare the results to expected or desired results. This sort of thing can be particularly useful when balancing units, where the changes are not in code but rather in data being tweaked by designers. Of course none of this replaces good old fashioned beta testing, but it actually make for more valuable beta testing that focuses on the edge cases and not so much on the basics.
Open Source is pretty much the only way to get code reviews for free (and even then, it's not guaranteed). I don't have time to review other peoples' code around here either, except when I already have some other reason to believe there's a problem. And even then sometimes I have to mutter "if it ain't broke, don't fix it."
Believe me, code reviews are only one of a number of Good Ideas that turn additional human time into better code, all of which would be no-brainers if only time were free. It's all just a question of whether or not it's worth it, and that often depends on how critical the code is, in the first place.
My website or sales analysis report or whatever, can't justify expenses quite as well as your avionics system. OTOH it might be more important than your flightsim game's avionics.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
We already have this for all release streams. Only one person (Karolin) the release manager can commit to a release stream - all other changes have to be associated with an open bug report and go through at least one code review before going in.
Master branch is still more open for rapid development, but we're moving in the direction of more and more code reviews.
I don't like doing code reviews, but I like having my code reviewed as other people find my bugs :-).
Jeremy.
Working but looking bad is inherently preferable to looking good but not working....
... unless you're dealing with a salesperson, in which case they'll just take the snazzy-looking-but-broken software and present it in a way to hide its brokenness.
I am officially gone from
I've more or less been a solo developer since I left college 5 years ago. My internship had two other developers, but I was given my own project. The first job had co-workers, and there was interaction, but by and far I had my projects and they had theirs. Occasionally they interacted and we had to talk about that. And in my most recent job I am the only person with a scrap of programming logic in the entire company.
So I'm kinda worried that I'm developing bad habits by growing in a monoculture of just me. It could be simple mistakes like knowing when to use a certain pattern, or large mistakes like thinking that making VBA tools are a good idea. But mostly I worry about what I just don't know about because I'm only one guy.
I'd really like to have a code review, but I can't release company code out there for anybody to see, and my own personal projects are... well... sloppy to say the least.
I came here to say this another way around, if all of your developers were Ken Thompson level folks, you wouldn't need formal code reviews.
Excellent developers know what they are doing, research alternatives, run tests, simulations, and performance analysis, and submit awesome code. Someone reviewing it is unlikely to make improvements by reading it, but rather would have to study the problem in depth to improve a solution.
If your reviewer can simply read the code and point out errors or problems you probably should fire the person who wrote it. If they aren't good enough, and can't do a complete enough job to pass a visual inspection you have no chance of turning out high quality software.
Code reviews should be less frequent, and more in depth. Have a programmer present on a section of code after he's figured out all the details. Describe the alternatives he investigated, and why this worked so well. After an hour presentation then his peers might be up to speed enough to make substantial comments on the code.
...then continuous code reviews are great. Keep two sets of eyeballs on the code *as you write it*. Yes, the antisocial archetype hates pair programming, but it simply works, even if it is uncomfortable (as code reviews often are).
The real problem with formal code reviews is that all too often, the reviewers are so distant from the day-to-day issues in the code they can't to much more than give superficial suggestions ("I don't like how you named this variable", or "we need more comments here"). Arguably, to do a truly thorough code review, you'd have to spend *at least as much* time prepping for the code review as it took for the coder to put it together in the first place...quite probably several times more.
If they really wanted to make them more useful, though, code reviews should be conducted on running code, and any review item should be immediately fixed in the code, and the whole regression suite of tests run in front of all the reviewers.
The fact that the code passes the tests says absolutely nothing about the quality of the code or how maintainable it is. If it passes the tests but is a huge mess of spaghetti then it likely needs to be rewritten properly.
Maybe it's a modification to an upstream project and you want to pass back the changes...then you need to make sure that the changes are written in a manner compatible with the uptream project. You need a code inspection for that.
Maybe there's a corner case that was missed in the testing but is visible in the code inspection.
Maybe there's a race condition that wasn't hit in testing but will be visible in the field once you're running in a thousand sites.
Where I work, each project gets a formal code review, and after that a security review. While it definitely serves as a good thing for new developers, and a once-in-a-while review to keep developers honest, it's a waste of time to do one on every project. It takes time and money and after the first couple reviews, the developer should be learning from their mistakes and not making them anymore.
I can't figure out why you jump to the conclusion that my code is 'crappy'.
Perhaps you are the exception, but I (25 years exp) agree with the other poster in a general sense. When someone says "I want my code to be judged on it's output / functionality instead of how it is written" that is a big warning sign. People who make such statements are often those who slap together mediocre code as fast as they can, with only narrow use in mind ... code that in the long term tends to be difficult to maintain, buggy beyond the original narrow use envisioned, and difficult to adapt for related uses. Again, perhaps you are the exception but there is a strong correlation between mediocre code and the perspective offered.
:-), but once negotiated and agreed upon everyone went with it. As for code reviews these people liked them. Highly talented people often like to learn from other highly talented people. Again, perhaps you are the exception, but the attitude offered is more commonly associated with those of lesser talents.
Similar to the above, there is a high correlation with delusional overconfidence and statements like "I've never come to appreciate something as ridiculous as 'company-wide' ANYTHING. You don't hire me for my ability to conform!". I've had the pleasure of working on teams with incredibly talented and experienced professionals and their attitude is quite the opposite. For example they understood the need to have an agreed upon coding standard to make things more readable to the group, to minimize diffs that can be bloated by personal formatting tastes, etc. Personally preferences were prevalent when coming up with the coding standard for the team, blood was nearly spilled
In short, shitty code can come up with the right answer. So arguing that your code comes up with the right answer is not necessarily informative. Once again, having not reviewed your code I can't speak towards your specific talents. I think myself and the other poster are saying that your comments seem to fit a pattern that we and many others have seen before. If you are truly an exception you might want to rephrase your comments to not fit this well established pattern.
Asynchronous reviewing software systems really help. I've found that when things get busy, they get busy for different people at different times, and it can be hard to get the full value of somebody's attention when they're in the pressure cooker.
I really enjoyed using Code Collaborator on a recent project, as the flow was more compatible with everybody's schedule throughout the project. I could do a commit, select a reviewer (or reviewers), and an email would be generated with a link. When the reviewer HAS TIME, they can log in to the system, see what the review queue has for them, and let them get to the meat of the differences, leaving comments/questions in the system as meta-data (NOT the all-too-standard in-the-code /* what is this never initialized?!?! */ comment). When I in turn log in (when I HAVE TIME), I can see this feedback, and if I comment further, the dialog is scoped right at the change. If I do a follow-up commit, Code Collaborator was good at maintaining the dialog for the new differences...
In any case, I found the system to be valuable, and a lot of it seemed to be the asynchronous nature of it. Not having to schedule meetings was key.
I've found race conditions, synchronization bugs, corner cases, opportunities for performance improvement, etc. while reviewing other people's code. Occasionally others have found the same for my code as well.
While they *can* become nitpick sessions, they can also be very useful.
A) taking you out naked in the public and publicly discussing the shortcomings of your body.
B) tasting the dish you've just cooked with a group of friends.
C) flossing your teeth after each meal.
Pick one.
"Nobody is too good for code reviews... except me".
if the code is so difficult to determine what it is doing without comments - then that is a good sign you are doing it wrong. It isn't unheard of for people to read the comments and that blinds them to code doing something stupid.
Comments should be telling you something you couldn't easily workout from the code. Comments telling you how/what the code is doing means you have to read comments, compare the comments and the code, finally check the code - not comments usually you just check the code
But most code reviews I have seen have been reduced to smaller items and standards enforcement (spacing, declaration, naming conventions, etc.) and not around anything that I consider significant enough to make the app "better." Usually those types of things are more in the application architecture, and a code review is much too late for that. As an aside, we used to semi-jokingly refer to code reviews as the "revolving vendetta" in my previous company, as certain individuals would pick on certain others with more zest.
I once seen a guy go bat-shit crazy because I told him in a review of his code that a two letter macro in a header of a public interface was not a good idea. He insisted that NO ONE else would ever choose to use an identifier of the same name.
Not true. A broken database is a mess to fix. A broken webpage is easy to fix. A broken database with a working interface appears to work to the customer, while a broken webpage with a functional database just doesn't work. Fix the broken webpage and you're free and clear. Of course, let's hope you didn't tie the user interface into the logic. That get's you hosed.
Which is exactly why you never show them a working interface that doesn't have a functional backend. Salespeople notoriously create headaches for engineers and customers alike. Never give them an interface without a functional backend.
Code reviews make truth/right ad-hoc techniques a non-accumulation point for programmers' commits. This, in proportion of how much members of the community look at each others' work. Adding values on top of this is still worse, because that bias only makes the downfall faster. This is another occurrence of that law concerned with the bad effect of horizontal exchanges on the rightness of the whole (cf. also Wikipedia). There is a comment of Ritchie somewhat according to this view, namely the one about his being thankful for not having developed the popular operating system using the advices of an overcrowded horde. Also, consider Perelman's isolation and its good intellectual effects.
If you think code reviews are about identifying bugs, that is a reason why they are ineffective.
The primary purpose of code reviews should be to share the code. If you can get other programmers in your organization to understand what you've written, then your code review is a success. Otherwise, you might as well skip them. I am surprised more organizations don't understand this.
What's a code review? A long boring meeting where the whole teams sits around a conference table and reads the source line by line? A second set of eyes on the code while it's being written (pair programming)? Something in between?
The key to doing a good code review is getting additional people deeply engaged in the code. Very few real-world "code review" processes accomplish that.
The "meeting" style of review engages a lot of people, but the engagement is shallow. Responsibility is diffuse, so nobody's especially motivated to find bugs. And reading code off a page, in a linear fashion, is dull.
Reading code as someone writes it catches shallow bugs, like typos. But you are stuck reading at the same pace as the coder. Sometimes you're bored as they type in the obvious. Other times, they speed ahead when you need to stop and reflect.
The ideal process creates incentives, provides support tools, and allows ample time for analysis. How do you do that?
To manage incentives, have clear responsibility for verification. For each code module, one person is responsible for writing the code. One or more people are responsible for verifying it. There's a bounty for finding bugs, and shame for coding them. Keep score and publish it. Reward quality stars and fire the bad coders. If code ships, and you find bugs in the field, penalize the people who were supposed to verify that code. Keep score, and act accordingly.
What tools do you need? Good editors/IDEs with tags support, debuggers, and testing infrastructure. Reviewers don't just read code. They run it. Step through it. Step into functions. Watch variables. Try different inputs. They don't need a full blown testing environment. But they do need a way to browse and explore that's richer than just linear line-by-line reading.
How much time do you need? Maybe less than you already spend on code reviews. Suppose you have 20 modules. That's 20 1-hour meetings where 20 people sit around a table and read code. 400 man hours. Instead, assign 2 people to review each module. Give them a work day each. 20*2*8 = 320 man hours total. I guarantee, 2 people beating up code for a day is more effective than 20 people giving it a half-assed readthrough. More eyes is better, but only if they're paying attention.
Have the right people systems in place and your code reviewing will be less onerous and more effective. Do it wrong, and you'll achieve nothing except wasted time.
To answer the editor's question: Yes, I am too good for code reviews.
Other programmers need code reviews, because they are not good enough or outright suck.
I am also much better at self praise than the rest of you losers and I have a much higher self esteem as a
result.
P.S.:I also think that there is no other worthwhile response to flame baiting (title) than humor.
IOW the automated tests only tests what the test was written for.
Check out my lame java blog at www.javachopshop.com
Seems the answer for whomever developed the /. page is a definitive yes!
Short answer: no.
Long answer: nooooooooooooooooooooooooooo.
Seriously, everyone knows code reviews are a good thing unless your ego is friggen huge. The problem is convincing the higher-ups that it's worth taking an extra X days off the release schedule.
It just doesn't work to have two guys crammed in a cubicle huddled around a monitor. It's just like the human eye that sees by quickly moving about. The person who is 'driving' is the only one with any ability to understand the code. The other person quickly zones out. Meanwhile, the person who is driving gets self-conscious about how fast/slow he's going so he stops thinking about the code too. If either person says anything out loud it completely destroys the other's train of thought. It devolves into a dysfunctional group-think where each person says "I'm OK with it if you are...". For me it works much better to monitor the SVN commits and take my time to look at every line of code and work through it at my own pace.
Code reviews are a giant and totally necessary pain. The problem is that the usual code review process gives complete control to the reviewer: at some point a person trusted to write code has to be able to take responsibility and say it's good enough.
How about:
- Reviews are mandatory and must be documented (Mondrian or email thread, whatever works.)
- Reviewers log their opinion, same as always, and original reviewers must see any changes.
- The coder is free to checkin in reviewed code without changes (they should log their opinion.)
Coders remain responsible for their product as always: if they're comfortable with 'won't fix', they need only say so.
Reviewers document problems they see and cover themselves; they get humiliated for what they miss (as always.)
I'd probably take exactly the same action, but the stress and annoyance would be much less.
One of our customers upped the quality assurance requirements for our projects with them, which means that we get to have a bunch of non-technical (or worse ex-technical) management review everything we do at every stage of the process: design, implementation, change request, test plan, close-out. These people are worse than the coders about debating stupid nitpicking ideas.
There is just something about putting a bunch of people in a room for the purpose of performing a review that eliminates any sense of perspective that they might have.
"keep it fresh"? having a bunch of want-to-be's review my code when they can't even write their names on their paper back lunches?
"On my toes"? So I don't step in their shit-arse arguments that don't hold water as the reviewers spent less than 1 hour to read the specs for a major coding project.
"Ensure continuity"? Sure. I can produce shit like the Indian dumb arses or I can write good code. Give me a break. A review by inferior fools who can't even speak my language has wasted more of my time than you will ever know.
We don't use code reviews here. In fact, we barely introduce new features (only if we really have to, which is sometimes in the span of a decade).
We simply dominate certain segments of the market. We found it is not only cheaper, but more predictable to use our market position to influence other companies and sometimes governments to keep our favorable position. In fact, we often times will announce features but never even implement them! What's crazy, is that shit works - well! Our stock goes up every time because our consumers and shareholders love us so damn much!
As a software company, we would like to proudly announce to the world that a solid understanding of how to manipulate to market, your employees, and public perception at large is far more effective then code review, features, ability, or even competence in general. You should learn something from us, spending so much time on trite details like these.
mov ah, 4ch
int 21h
I'm too busy for code reviews.
But apparently not too busy to read and post to slashdot. A curious definition of "too busy".
"IOW the automated tests only tests what the test was written for."
And that's only if the test is itself bug-free.
I've read a lot of posts in this thread with "you should", "you must", "you have to", you're not", "absolutely" etc. This all sounds like dogma to me, and as such, I view it with a suspicious eye.
C'mon guys, with all the technologies and programming languages, there's an infinity of things that be done very well. Surely, within that infinity, there's room for people who think differently?
In my experience, sticking to any kind of dogma or absolute is one major factor of failures in software development. Keep your mind and your options open. Be ready to adopt code reviews and to abandon them. Best practices are indeed just that. They're not the only practices, and more often than not they are in reality good practices. There's no one-size fits-all, not in the software industry, so please let's calm down and consider things outside our comfort zone, they have merit too.
Perhaps one in ten reviews of my code have managed to find a bug. The rest usually fall into the following category:
1) Bona-fide bugs were not found. This is the vast majority.
2) Someone complains about style... where style is either ill-defined, or has the guide has changed since that block of code was written. This is particularly bad when modifying GPL code that does not adhere to internal style.
3) Someone doesn't understand the programming language and complains about a bug that isn't.
4) Someone doesn't like the implementation but can't offer a valid reason for rejecting it (performance, etc.)
5) There are no bugs, well none that weren't found yet.
Code reviews are useful, but you require good reviewers of two different types: 1) those who don't know the semantics of the components and pick out syntactical errors that are valid language constructs. and 2) those that do know the semantics and can pick out logical errors.
In Liberty, Rene
Rather, almost everyone loves the idea ('oh yeah, we should do that'), but as soon as you attach the time/budget cost to it they decide it wasn't that important anyhow.
And they are extremely time intensive. Coders need to walk through the code line by line in advance for the review to be useful, then there's the drawn out meeting itself, and usually a manager wants to be there which adds more budget and slows things down with useless questions, then the writeup.
Ah, you say, but it will save time in the long run, because it takes less time to track the bugs down now rather than one at a time later. But (almost) nobody is willing to trade possible future time loss against significant right now time loss.
Comment removed based on user account deletion
1) The problem of finding actual peers. Not everyone on a team is capable of meaningfully, much less efficiently, reviewing the code of everyone else.
2) Our tools for spelunking code and thus for its presentation to another person and ad hoc exploration are generally woefully inadequate. This makes code reviews much much less efficient than they could otherwise be. This is a general complaint with the state of tools. In Symbolics and in Smalltalk in the 80s I had better code walking tools than I have on the supposed state of the art IDEs today. It is quite possible to make much better code exploration tools but it never seems to happen.
3) I have had even very good people miss glaring errors so I am not a big believer in this process for elimination of many errors. It has other useful features but this in my experience is not one of them.
All of that said, review with a true peer can be very useful. It is most useful when reviewing bug fixes as compared to initial code in my experience.
I generally avoid the whole debate of review or not to review. My rule of thumb is, let them use their own method, be it with peer review or not; if they're shipping faster and profiting more, I have something to learn. So what about the manager that wants to promote best practices? My answer is, it is hypothetically possible to data mine for best practices. Of course, you aren't any good data mining, and you don't understand productivity yourself, so your observations about best practices are either anecdotal or hopelessly biased; in short, you're doing more distraction than good. Case in point, the latest greatest plan to make the programmers productive never does ship more software. Oh sure, it produces lots of great stories for which the boss can never cough up data, but never more software.
This has been tried before. Boeing put a lot of money into a program just like what you're suggesting.
But as it turns out, even in independent implementations, non-trivial bugs tend to pop up in the same places, so both are broken in the same way. That's because non-trivial bugs come from things like unclear specifications, missed edge cases, and other issues related to the programer's understanding of the problem and the types of solutions that people with a given system of programming tools are likely to find for those problems. The only thing independent implementations can reliably fix are coding errors, and they're probably an expensive way to get an extra set of eyes on the problem, particularly given the complications in reconciling the differences found between the two incompatible systems.
Next question!
Not if you're in marketing.
That is why you write some scripts to test the automated tests.
Rethinking email
...at my current company, a software behemoth which got that way by buying out the VC stakeholders in innovative little companies and cannibalizing them.
We have a process in which you need to submit any change to the source base to "Code Collaborator", a barely functioning web-service tool which, besides needing babysitting by the administrators to work correctly, makes it an absolute requirement that some other engineer approves of your changes. Invariably, this means I'm trying to explain how a multithreaded algorithms work to a kid who just graduated from Bangalore University, and loves the power trip of being able to not actually do anything and get paid for it. I've had code on hold in our system waiting for a solid year to be reviewed (368 days) because of this kind of crap. (And invariably, when the code the junior engineers have all mutually approved for each other fails to work, they call up me to try to fix it.)
But buying out small companies and squeezing the life out of their software is profitable. Can't complain about the salary too much. Truly my company is still a place where software goes to die.
How about going over your own code once in a while, looking at it a month or 2 or 3 after it was written, certainly in that time period the understanding of the business problem has expanded or changed or was clarified somehow and it makes sense to go over business logic intensive parts to clean up, refactor, remove useless and restructure the useful.
You can't handle the truth.
What's driving this I have no idea... less formal CS training? Looser languages? Web-centric apps? Lower end standards? Higher demand = more crappy resources?
I'll tell you what's driving this:
. Tighter budgets. Less money equals two things: (1) What is the least amount I can spend and still do some development? As an IT manager I can't spend a lot of money on a programmer, so I am forced to hire the cheapest one who meets my minimum specifications, instead of hiring a good, experienced programmer for $20k more. (2) My development team has less time to do the appropriate QA and testing tasks. I have a huge backlog of maintenance / support activities, and not enough bodies to do the work. The CFO's response? "Work smarter". Really? Smarter would be to invest up front, instead of on the back end.
. The 'evolution' of crappy methods. Agile? XP? IMHO these are just excuses for not gathering and agreeing upon requirements. No requirements = crap coding. No requirements = no ability to do meaningful QA and testing. Gather requirements up front, keep them in mind in the design, development, testing and deployment, and good things will happen. I'm not advocating for waterfall, but I have seen a tremendous decline in both the quality of requirements documentation, as well as the skills of business analysts to document requirements.
A nice caricature can be found here: http://www.jsquared.co.uk/jennyl/verity.htm
Don't believe that his sort of response during code reviews is all that uncommon.
But who tests those scripts?
The Tao of math: The numbers you can count are not the real numbers.
I think it's scripts all the way down.
echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
Are you too good for code reviews?
The short answer: YES
The long answer: ALMOST CERTAINLY
What Thompson should have said is that among the guys he worked with, poor quality work would have been detected faster than Tony Soprano receiving a thin envelope from a deadbeat nephew with a drug problem.
I don't recall Furio being debriefed ever. Performance norms were adequately enforced by the custom of passing thick envelopes.
On the Firefox team entering into year five of dribblegate, you can make a case for additional code review. The performance norms pertaining to background memory leak are a lot softer and benefit more from up front scrutiny. Also, a better architecture might be considered. But failing that, code review is an excellent second line.
There is no way most software teams can consistently hit schedule without code reviews. What a team is saying when they do not have code reviews is: "We are unable to access the risk of the work we are about to integrate, and yes we are pushing the quality problems on to the next team... QA, It's not our problem".
It's also a great way to identify when team members don't know how the code works. If somebody says, "I don't understand any of this at all", then we know that it's time to sit down and explain things, and maybe add some documentation.
Real world example from a previous employer regarding a C++ project:
(element X) All class member variables shall be accessed vit standard format "getters" and "setters".
(element Y) All class member functions shall be defined within the separate compilation unit associated with the class.
These two elements were far apart from each other in the text. The combination of the two meant that most simple accesses of atomic data types (say integers) went from being an integer load (mov EAX,address) to a far call into a separate object file. When I complained I was told to STFU. When I ignored these two requirements and my code was the only code that ran in the time projected and allotted, everybody acted all surprised.
Most coding standards are good for keeping NPEs (non-practicing entities) straight out of school "in line", but they function on the "interchangeable morons" school of programmer management. Thing is, if your code is constrained to allow for the interchange of morons, then your code will be moronic.
goto(s) are bad, but "break" and "continue" are fine. Sure. Except that every now and again, a goto is _exactly_ what you need to make the logic clear, and sure you could skip the goto with purely local throw catch to get out of a nested loop, but that exception isn't all that exceptional any more.
I am all for "thou shalt not"
//this is not indented more than the braces
if (test)
{
commands;
}
when it is preventing something that unreadable, but that's more of a "call the idiot into your office and smack him upside the head" transaction IMHO. Meanwhile I bet someone is going to jump up and call that the epitome of good code layout.
Even Microsoft has abandoned that stupid thing where the type of the variable is prefixed to the name, which seemed like a good idea to have sValue for a short value, until someone decided that maybe it should be a long, but the docs had all been printed and everybody had already written most of the code, so you end up with just the declarations changed "long sValue;" because a global search and replace would have scooped up a bunch of "psValue" entries, and "short sValue" declarations in functions where it didn't change. We generally _ban_ "lptrszActualUsefulName" in favor of "ActualUsefulName" since it's the _compiler's_ job to deal with the type. Evidence shows that a programmer can deduce "FileName" is a string, and if he cannot, there is usually a declaration right there to tell him what it is if he cannot remember.
Coding standards are like military plans. The DO NOT SURVIVE first contact with the enemy, that being programmers trying to solve real world problems in non-retarded ways.
There are only two hard standards: Your code must be readable, your code must not suck.
But just like comparing Finnegan's Wake to Star Trek Slash Fic, the argument of what constitutes "Readable" is unbounded.
Innocent people shouldn't be forced to pay for inferior software development.
--"Code Complete" Microsoft Press
I think people have different ideas of what code reviews are. I think it's strange that we're talking about working with computers and everybody is assuming we're doing a face to face meeting with a single projected image.*
In my experience, people basically give me a source code change pack. I get around to looking at the diff when I get the time -- usually within the same day, next business day at latest. I read it myself, make my comments, ask questions, raise objections, and tell them I'm done with the current version. Then, when they get around to it, they send me a new change pack and I take a diff between the changes. Usually the second round is much quicker unless there was a major problem in the first round. Eventually we converge, and the final change is committed. Often for small changes I have no issues and it just goes in the first time. Big changes usually require the second round, occasionally three, very rarely more.
In some cases another reviewer or other reviewers will receive the same packs and do the same thing in parallel -- usually if the change crosses several components with different people familiar with each area. Each reviewer will probably focus on their own area and only make more cursory passes over the parts the other reviewer covers.
* Mind you, we do the projector thing where I work after we release a beta / release candidate, to increase the chances that the next one will be the last. We also do this when we're going to distribute a security patch. In both cases, the projector code review happens only after the more typical code review.
It depends on who the reviewers are, and if people have enough time to review other people's code. Besides coding practices as stated by others, code reviews also give us an idea about the business functionality that's being implemented (if the reviewer doesn't know the business functionality), make sure that the person who has coded doesn't miss any business scenario (if the reviewer already has good knowledge about the functionality), helps everybody informed as to what others are doing such that when needed people can quickly pick up each other's tasks.
CPU time dropped dramatically in the production environment. Other code reviews include looking for copyrighted sources that are pasted into the code without suitable permissions.
I happen to be part time programmer, having started with mainframe (ibm 360) and 8088/6502 assembly languages.
Leslie Satenstein Montreal Quebec Canada
"I think it's scripts all the way down."
Gosh, no! I've been said there's an elephant at the bottom supporting everything else.
Nah actually I love to nitpick.
In any case Ken Thompson was not the originator of C (the programming language), he was the originator of UNIX (the operating system). So it would have been more accurate (and slightly more impressive) to have called him Ken 'UNIX' Thompson.
Ken's Bell Labs colleague Dennis Ritchie was the originator of the C programming language.
It's a penny for your thoughts, but you put in your two cents worth. Somebody, somewhere is making a penny. SteveWright
When I'm writing code at work (and as the only repeat only person in the company who ever uses the documentation system) I struggle to get someone else to review my code before putting it out to customers and colleagues.
Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
I've worked on projects with formal code reviews, and without formal code reviews. And I've seen them work, and I've seen them fail.
One project was with a group of skilled developers all working in the same area. The only rule was "All Code Must Compile". When someone did an update, and the code failed to run, they'd debug it, and most of the time this would entail stepping through someone else's code. If a developer had done something stupid, the developer debugging the runtime error would say "What is going on at $line in $file?" and everyone would immediately update their working directories and check out the problem. The developer who'd done something stupid would then own up to having been stupid, a brief discussion would be had, and everyone would move on.
This was pretty much the ideal. It is not, however, the norm.
Another project had formal code reviews, scheduled for tuesday afternoons. Tuesday mornings the team would spend reviewing the code to be reviewed that afternoon (So, basically, 10-20% of our time was spent on code reviews). One of the developers looked at the various approaches the team had to writing up their code review, and provided a simple five-column form to bring everything into a somewhat consistent structure. We caught a truly abysmal piece of code with this method, and sent the developer in question off to fix the code base. At the followup review, the code had gotten *worse*, as the developer in question had introduced more bugs with the fixes (and had failed to fix the original problems to boot).
The team lead -- not a developer, but a respected process expert -- directed that the code be checked into the mainline anyway, bugs and all, in order that the team would not fall farther behind schedule. And then to help us "streamline" our working review process, gave us an "improved" code review form -- this one fifteen columns, with 57 "codes" printed on the back of the form that we were supposed to use instead of the plain old boring text description of a problem. Code reviews, now fully CMMI-compliant, were effectively meaningless after that.
And then there's the OTHER team that didn't do code reviews. Their code is entirely undocumented, always misformatted, with poor variable names, no modularization, and incoherent organization. There are no unit tests, no regression tests, no sample data generators. The code is fragile, and when it fails, it emits incomprehensible errors, or produces strange data, so that only the original developer would have a chance of finding the error in less than a day. Asking for formal code reviews results in howls of protest -- followed by scheming to form agreements with the other developers to sign off on each other's code. They think they're like the very first group, but they're not.
So I've worked with developers skilled enough not to need code reviews. I've worked on projects where code reviews were very beneficial. I've worked on projects where code reviews were a waste of time. And I've seen a ton of developers who aren't nearly as good as they think they are.
And pretty much everyone here who's saying that THEIR code doesn't need code reviews fall into that last category.
teams of mediocre developers that where created in the pre-dot.com bust era when people abandoned fine arts and science degrees because they could make gobs more money writing code. You need software process when you have teams of developers where using logic and common sense is not instinctive, instead these people learned how to program through DeVry like -get rich quick- programs where after only 6 months of "training" they were unleashed into the workforce and expected to write Windows or Linux, or whatever.
There is a much smaller sub-set of coders such as myself where coding was something I grew up doing. I learned how to program after reading an old TRS-80 basic programming guide when I was 8 years old. Every computer I got or was able to use had code written for it. For me I can model any real world data set as classes and objects and write logical code that, for the most part, does not fail.
I am not above code reviews, but I don't like them imposed on me. I know the difference between when I need a code review ( working in some new technology area I am not familiar with, want a second opinion on some complicated bit of logic, etc ), and I know when I can check in a months worth of work and know it is flawless, because 20+ years of programming experience has developed those skills. I definitely do not need a peer review from a DeVry graduate who is constantly fixing bugs they have committed over and over again.
On the flip side, I do have to give a lot of code reviews which has a tendency to waste my time. It is necessary when dealing with weaker developers, to ensure they are not checking in some massive cluster f*ck of unmanageable code. But usually I want to know that these people are gaining experience and learning so that I do not have to review every line of code they commit for the rest of time. Personally someone that requires a code review, and errors are found every time, should consider an alternative career, and I think more companies need to grow a pair of balls and lay off bad developers rather then trying to pander to them by imposing Draconian software processes that hinder skilled and unskilled developers alike.
I think software process fails when for every 1 hour of code development requires > 1 hour of process. I work in an environment like that and I am quickly looking for work elsewhere. The managers think this process overhead will deliver quality code, the reality is the code base has stagnated innovation wise while Agile processes and code reviews give a false sense of quality control.
I would rather work on a small team of skilled developers who can trust each other's work and know when to peer program or code review rather then a large team of mediocre developers hiding behind software processes and forcing code reviews for all which just waste everyone's time.