Code review
Encyclopedia
Code review is systematic examination (often as peer review
) of computer source code
. It is intended to find and fix mistakes
overlooked in the initial development phase
, improving both the overall quality of software
and the developers' skills. Reviews are done in various forms such as pair programming
, informal walkthroughs, and formal inspections
.
such as format string exploits, race condition
s, memory leak
s and buffer overflow
s, thereby improving software security. Online software repositories based on Subversion (with Redmine
or Trac
), Mercurial
, Git
or others allow groups of individuals to collaboratively review code. Additionally, specific tools for collaborative code review can facilitate the code review process.
Automated code reviewing software lessens the task of reviewing large chunks of code on the developer
by systematically checking source code for known vulnerabilities.
Capers Jones' ongoing analysis of over 12,000 software development projects showed that the latent defect discovery rate of formal inspection is in the 60-65% range. For informal inspection, the figure is less than 50%. The latent defect discovery rate for most forms of testing is about 30%.
Typical code review rates are about 150 lines of code per hour. Inspecting and reviewing more than a few hundred lines of code per hour for critical software (such as safety critical embedded software
) may be too fast to find errors. Industry data indicate that code review can accomplish at most an 85% defect removal rate with an average rate of about 65%.
Formal code review, such as a Fagan inspection
, involves a careful and detailed process with multiple participants and multiple phases. Formal code reviews are the traditional method of review, in which software developers attend a series of meetings and review code line by line, usually using printed copies of the material. Formal inspections are extremely thorough and have been proven effective at finding defects in the code under review.
Lightweight code review typically requires less overhead than formal code inspections, though it can be equally effective when done properly. Lightweight reviews are often conducted as part of the normal development process:
Some of these may also be labeled a "Walkthrough" (informal) or "Critique" (fast and informal).
Many teams that eschew traditional, formal code review use one of the above forms of lightweight review as part of their normal development process. A code review case study published in the book Best Kept Secrets of Peer Code Review found that lightweight reviews uncovered as many bugs as formal reviews, but were faster and more cost-effective.
Some believe that skillful, disciplined use of a number of other development practices can result in similarly high latent defect discovery/avoidance rates.
Use of code analysis tools can support this activity. Especially tools that work in the IDE as they provide direct feedback to developers of coding standard compliance.
Software peer review
In software development, peer review is a type of software review in which a work product is examined by its author and one or more colleagues, in order to evaluate its technical content and quality.-Purpose:...
) of computer source code
Source code
In computer science, source code is text written using the format and syntax of the programming language that it is being written in. Such a language is specially designed to facilitate the work of computer programmers, who specify the actions to be performed by a computer mostly by writing source...
. It is intended to find and fix mistakes
Software bug
A software bug is the common term used to describe an error, flaw, mistake, failure, or fault in a computer program or system that produces an incorrect or unexpected result, or causes it to behave in unintended ways. Most bugs arise from mistakes and errors made by people in either a program's...
overlooked in the initial development phase
Software development
Software development is the development of a software product...
, improving both the overall quality of software
Software quality
In the context of software engineering, software quality refers to two related but distinct notions that exist wherever quality is defined in a business context:...
and the developers' skills. Reviews are done in various forms such as pair programming
Pair programming
Pair programming is an agile software development technique in which two programmers work together at one workstation. One, the driver, types in code while the other, the observer , reviews each line of code as it is typed in...
, informal walkthroughs, and formal inspections
Software inspection
Inspection in software engineering, refers to peer review of any work product by trained individuals who look for defects using a well defined process...
.
Introduction
Code reviews can often find and remove common vulnerabilitiesVulnerability (computing)
In computer security, a vulnerability is a weakness which allows an attacker to reduce a system's information assurance.Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw...
such as format string exploits, race condition
Race condition
A race condition or race hazard is a flaw in an electronic system or process whereby the output or result of the process is unexpectedly and critically dependent on the sequence or timing of other events...
s, memory leak
Memory leak
A memory leak, in computer science , occurs when a computer program consumes memory but is unable to release it back to the operating system. In object-oriented programming, a memory leak happens when an object is stored in memory but cannot be accessed by the running code...
s and buffer overflow
Buffer overflow
In computer security and programming, a buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory. This is a special case of violation of memory safety....
s, thereby improving software security. Online software repositories based on Subversion (with Redmine
Redmine
Redmine is a free and open source, web-based project management and bug-tracking tool. It includes calendar and Gantt charts to aid visual representation of projects and their deadlines. It supports multiple projects...
or Trac
Trac
Trac is an open source, web-based project management and bug-tracking tool. The program is inspired by CVSTrac, and was originally named svntrac due to its ability to interface with Subversion. It is developed and maintained by Edgewall Software....
), Mercurial
Mercurial (software)
Mercurial is a cross-platform, distributed revision control tool for software developers. It is mainly implemented using the Python programming language, but includes a binary diff implementation written in C. It is supported on Windows and Unix-like systems, such as FreeBSD, Mac OS X and Linux...
, Git
Git (software)
Git is a distributed revision control system with an emphasis on speed. Git was initially designed and developed by Linus Torvalds for Linux kernel development. Every Git working directory is a full-fledged repository with complete history and full revision tracking capabilities, not dependent on...
or others allow groups of individuals to collaboratively review code. Additionally, specific tools for collaborative code review can facilitate the code review process.
Automated code reviewing software lessens the task of reviewing large chunks of code on the developer
Software developer
A software developer is a person concerned with facets of the software development process. Their work includes researching, designing, developing, and testing software. A software developer may take part in design, computer programming, or software project management...
by systematically checking source code for known vulnerabilities.
Capers Jones' ongoing analysis of over 12,000 software development projects showed that the latent defect discovery rate of formal inspection is in the 60-65% range. For informal inspection, the figure is less than 50%. The latent defect discovery rate for most forms of testing is about 30%.
Typical code review rates are about 150 lines of code per hour. Inspecting and reviewing more than a few hundred lines of code per hour for critical software (such as safety critical embedded software
Embedded software
Embedded software is computer software that plays an integral role in the electronics it is supplied with.Embedded software's principal role is not Information technology , but rather the interaction with the physical world. It's written for machines that are not, first and foremost, computers...
) may be too fast to find errors. Industry data indicate that code review can accomplish at most an 85% defect removal rate with an average rate of about 65%.
Types
Code review practices fall into three main categories: pair programming, formal code review and lightweight code review.Formal code review, such as a Fagan inspection
Fagan inspection
Fagan inspection refers to a structured process of trying to find defects in development documents such as programming code, specifications, designs and others during various phases of the software development process...
, involves a careful and detailed process with multiple participants and multiple phases. Formal code reviews are the traditional method of review, in which software developers attend a series of meetings and review code line by line, usually using printed copies of the material. Formal inspections are extremely thorough and have been proven effective at finding defects in the code under review.
Lightweight code review typically requires less overhead than formal code inspections, though it can be equally effective when done properly. Lightweight reviews are often conducted as part of the normal development process:
- Over-the-shoulder – One developer looks over the author's shoulder as the latter walks through the code.
- Email pass-around – Source code management system emails code to reviewers automatically after checkin is made.
- Pair ProgrammingPair programmingPair programming is an agile software development technique in which two programmers work together at one workstation. One, the driver, types in code while the other, the observer , reviews each line of code as it is typed in...
– Two authors develop code together at the same workstation, such is common in Extreme ProgrammingExtreme ProgrammingExtreme programming is a software development methodology which is intended to improve software quality and responsiveness to changing customer requirements...
. - Tool-assisted code review – Authors and reviewers use specialized tools designed for peer code review.
Some of these may also be labeled a "Walkthrough" (informal) or "Critique" (fast and informal).
Many teams that eschew traditional, formal code review use one of the above forms of lightweight review as part of their normal development process. A code review case study published in the book Best Kept Secrets of Peer Code Review found that lightweight reviews uncovered as many bugs as formal reviews, but were faster and more cost-effective.
Criticism
Historically, formal code reviews have required a considerable investment in preparation for the review event and execution time.Some believe that skillful, disciplined use of a number of other development practices can result in similarly high latent defect discovery/avoidance rates.
Use of code analysis tools can support this activity. Especially tools that work in the IDE as they provide direct feedback to developers of coding standard compliance.
See also
- Software reviewSoftware reviewA software review is "A process or meeting during which a software product is examined by a project personnel, managers, users, customers, user representatives, or other interested parties for comment or approval"....
- Software inspectionSoftware inspectionInspection in software engineering, refers to peer review of any work product by trained individuals who look for defects using a well defined process...
- DebuggingDebuggingDebugging is a methodical process of finding and reducing the number of bugs, or defects, in a computer program or a piece of electronic hardware, thus making it behave as expected. Debugging tends to be harder when various subsystems are tightly coupled, as changes in one may cause bugs to emerge...
- Software testingSoftware testingSoftware testing is an investigation conducted to provide stakeholders with information about the quality of the product or service under test. Software testing can also provide an objective, independent view of the software to allow the business to appreciate and understand the risks of software...
- Static code analysisStatic code analysisStatic program analysis is the analysis of computer software that is performed without actually executing programs built from that software In most cases the analysis is performed on some version of the source code and in the other cases some form of the object code...
- Performance analysisPerformance analysisIn software engineering, profiling is a form of dynamic program analysis that measures, for example, the usage of memory, the usage of particular instructions, or frequency and duration of function calls...
- Automated code reviewAutomated code reviewAutomated code review software checks source code for compliance with a predefined set of rules or best practices. The use of analytical methods to inspect and review source code to detect bugs has been a standard development practice. This process can be accomplished both manually and in an...
External links
- Security Code Review FAQs
- Security code review guidelines
- Lightweight Tool Support for Effective Code Reviews white paper
- Code Review Best Practices white paper by Adam KolawaAdam KolawaAdam Kazimierz Kolawa was CEO and co-founder of Parasoft, a software company in Monrovia, CA that makes software development tools...
- Best Practices for Peer Code Review white paper
- Code review case study
- Best Kept Secrets of Peer Code Review
- "A Guide to Code Inspections" (Jack G. Ganssle)
- Article Four Ways to a Practical Code Review
- http://www.reviewboard.org/
- http://www.agilereview.org