Code review (sometimes referred to as peer review) is a software quality assurance activity in which one or several people check a program mainly by viewing and reading parts of its source code, and they do so after implementation or as an interruption of implementation. At least one of the persons must not be the code's author. The persons performing the checking, excluding the author, are called "reviewers".
|Paradigms and models|
|Methodologies and frameworks|
|Standards and Bodies of Knowledge|
- Better code quality – improve internal code quality and maintainability (readability, uniformity, understandability, ...)
- Finding defects – improve quality regarding external aspects, especially correctness, but also find performance problems, security vulnerabilities, injected malware, ...
- Learning/Knowledge transfer – help in transferring knowledge about the codebase, solution approaches, expectations regarding quality, etc; both to the reviewers as well as to the author
- Increase sense of mutual responsibility – increase a sense of collective code ownership and solidarity
- Finding better solutions – generate ideas for new and better solutions and ideas that transcend the specific code at hand.
- Complying to QA guidelines – Code reviews are mandatory in some contexts, e.g., air traffic software
The above-mentioned definition of code review delimits it against neighboring but separate software quality assurance techniques: In static code analysis the main checking is performed by an automated program, in self checks only the author checks the code, in testing the execution of the code is an integral part, and pair programming is performed continuously during implementation and not as a separate step.
Types of review processes
There are many variations of code review processes, some of which will be detailed below.
The historically first code review process that was studied and described in detail was called "Inspection" by its inventor Michael Fagan. This Fagan inspection is a formal process which involves a careful and detailed execution with multiple participants and multiple phases. Formal code reviews are the traditional method of review, in which software developers attend a series of meetings and review code line by line, usually using printed copies of the material. Formal inspections are extremely thorough and have been proven effective at finding defects in the code under review.
An important byproduct of a properly conducted formal code review is a written record describing:
- Who: Names of those involved in the Review.
- When: Date and time the Review was conducted.
- Why: Best-Practice, Error Detection, Vulnerability Exposure, Malware Discovery or a combination.
- What: Name of the class, method, or program, plus line ranges and other particulars specific to the reviewed code.
- Result: What was disclosed during the course of the Review.
Regular change-based code review
In recent years, many teams in industry have introduced a more lightweight type of code review. Its main characteristic is that the scope of each review is based on the changes to the codebase performed in a ticket, user story, commit, or some other unit of work. Furthermore, there are rules or conventions that embed the review task into the development process (e.g., "every ticket has to be reviewed"), instead of explicitly planning each review. Such a review process is called "regular, change-based code review". There are many variations of this basic process. A survey among 240 development teams from 2017 found that 90% of the teams use a review process that is based on changes (if they use reviews at all), and 60% use regular, change-based code review. To perform change-based reviews smoothly, authors and reviewers use software tools: informal ones such as pastebins and IRC, or specialized tools designed for peer code review such as Gerrit and GitHub's pull requests.
Change-based review is also referred to by other names, like "tool-assisted code review", "modern code review", "contemporary code review" or "differential code review". Many of these terms lack a definition that is precise enough to specify whether they are equal to or only similar to "regular, change-based code review".
In addition to the above-mentioned code review types, there are many more terms used to refer to certain variations of the process. Examples are:
- Over-the-shoulder – one developer looks over the author's shoulder as the latter walks through the code.
- Email pass-around – source code management system emails code to reviewers automatically after checkin is made.
- Walkthroughs, usually with an emphasis on the presentation and discussion of the code in a meeting.
Pair programming, i.e., two authors that develop code together at the same workstation, is very similar to code review but not a code review in the narrow sense.
The "IEEE Standard for Software Reviews and Audits" (IEEE 1028-2008) describes several variants of software reviews that can also be applied to code.
Efficiency and effectiveness of reviews
Code reviews require a considerable investment of effort from the software developers. Especially formal inspection has been criticized for this. The needed effort has to be outweighed by an adequate number of detected defects.
Capers Jones' ongoing analysis of over 12,000 software development projects showed that the latent defect discovery rate of formal inspection is in the 60-65% range. For informal inspection, the figure is less than 50%. The latent defect discovery rate for most forms of testing is about 30%. A code review case study published in the book Best Kept Secrets of Peer Code Review found that lightweight reviews can uncover as many bugs as formal reviews, but were faster and more cost-effective in contradiction to the study done by Capers Jones
The types of defects detected in code reviews have also been studied. Empirical studies provided evidence that up to 75% of code review defects affect software evolvability/maintainability rather than functionality, making code reviews an excellent tool for software companies with long product or system life cycles.
Although most found issues are maintainability problems, high impact defects can be found, too. A special category of defects that often has a high impact are security vulnerabilities such as format string exploits, race conditions, memory leaks and buffer overflows, thereby improving software security.
The effectiveness of code review was found to depend on the speed of reviewing. Code review rates should be between 200 and 400 lines of code per hour. Inspecting and reviewing more than a few hundred lines of code per hour for critical software (such as safety critical embedded software) may be too fast to find errors.
Some sources recommend to use a checklist of the most important problems for reviewing code. For example, a STIG [e.g., Application Security STIG 4.3] provides an excellent vulnerability checklist (although many controls are inapplicable and can be ignored).
Many teams perform change-based code reviews based on general-purpose development tools: Online software repositories such as Subversion, Mercurial, or Git and ticket systems such as Redmine or Trac allow groups of individuals to collaboratively review code. But there are also special purpose tools for collaborative code review that can facilitate the code review process.
Static code analysis software lessens the task of reviewing large chunks of code on the developer by systematically checking source code for known vulnerabilities and defect types. A 2012 study by VDC Research reports that 17.6% of the embedded software engineers surveyed currently use automated tools to support peer code review and 23.7% expect to use them within 2 years. Tools that work in the IDE are especially useful as they provide direct feedback to developers.
- Baum, Tobias; Liskin, Olga; Niklas, Kai; Schneider, Kurt (2016). "A Faceted Classification Scheme for Change-Based Industrial Code Review Processes". 2016 IEEE International Conference on Software Quality, Reliability and Security (QRS). pp. 74–85. doi:10.1109/QRS.2016.19. ISBN 978-1-5090-4127-5.
- Kolawa, Adam; Huizinga, Dorota (2007). Automated Defect Prevention: Best Practices in Software Management. Wiley-IEEE Computer Society Press. p. 260. ISBN 978-0-470-04212-0.
- Baum, Tobias; Leßmann, Hendrik; Schneider, Kurt (2017). The Choice of Code Review Process: A Survey on the State of the Practice. Product-Focused Software Process Improvement: 18th International Conference, PROFES 2017, Proceedings. Lecture Notes in Computer Science. 10611. pp. 111–127. doi:10.1007/978-3-319-69926-4_9. ISBN 978-3-319-69925-7.
- Bacchelli, A; Bird, C (May 2013). "Expectations, outcomes, and challenges of modern code review" (PDF). Proceedings of the 35th IEEE/ACM International Conference On Software Engineering (ICSE 2013). Retrieved 2015-09-02.
- Baum, Tobias; Liskin, Olga; Niklas, Kai; Schneider, Kurt (2016). "Factors Influencing Code Review Processes in Industry". Proceedings of the 2016 24th ACM SIGSOFT International Symposium on Foundations of Software Engineering - FSE 2016. pp. 85–96. doi:10.1145/2950290.2950323. ISBN 9781450342186.
- Fagan, Michael (1976). "Design and code inspections to reduce errors in program development". IBM Systems Journal. 15 (3): 182–211. doi:10.1147/sj.153.0182.
- Rigby, Peter; Bird, Christian (2013). Convergent contemporary software peer review practices. Proceedings of the 2013 9th Joint Meeting on Foundations of Software Engineering. p. 202. CiteSeerX 10.1.1.641.1046. doi:10.1145/2491411.2491444. ISBN 9781450322379.
- Jones, Capers (June 2008). "Measuring Defect Potentials and Defect Removal Efficiency" (PDF). Crosstalk, The Journal of Defense Software Engineering. Retrieved 2010-10-05.
- Jones, Capers; Ebert, Christof (April 2009). "Embedded Software: Facts, Figures, and Future". Computer. 42 (4): 42–52. doi:10.1109/MC.2009.118.
- Jason Cohen (2006). Best Kept Secrets of Peer Code Review (Modern Approach. Practical Advice.). Smart Bear Inc. ISBN 978-1-59916-067-2.
- Mantyla, M.V.; Lassenius, C. (2009). "What Types of Defects Are Really Discovered in Code Reviews?" (PDF). IEEE Transactions on Software Engineering. 35 (3): 430–448. doi:10.1109/TSE.2008.71. Retrieved 2012-03-21.
- Beller, M; Bacchelli, A; Zaidman, A; Juergens, E (May 2014). "Modern code reviews in open-source projects: which problems do they fix?" (PDF). Proceedings of the 11th Working Conference on Mining Software Repositories (MSR 2014). Retrieved 2015-09-02.
- Siy, Harvey; Votta, Lawrence (2004-12-01). "Does the Modern Code Inspection Have Value?" (PDF). unomaha.edu. Archived from the original (PDF) on 2015-04-28. Retrieved 2015-02-17.
- Kemerer, C.F.; Paulk, M.C. (2009-04-17). "The Impact of Design and Code Reviews on Software Quality: An Empirical Study Based on PSP Data". IEEE Transactions on Software Engineering. 35 (4): 534–550. doi:10.1109/TSE.2009.27.
- "Code Review Metrics". Open Web Application Security Project. Open Web Application Security Project. Archived from the original on 2015-10-09. Retrieved 9 October 2015.
- "Best Practices for Peer Code Review". Smart Bear. Smart Bear Software. Archived from the original on 2015-10-09. Retrieved 9 October 2015.
- Bisant, David B. (October 1989). "A Two-Person Inspection Method to Improve Programming Productivity". IEEE Transactions on Software Engineering. 15 (10): 1294–1304. doi:10.1109/TSE.1989.559782. Retrieved 9 October 2015.
- Ganssle, Jack (February 2010). "A Guide to Code Inspections" (PDF). The Ganssle Group. Retrieved 2010-10-05.
- Balachandran, Vipin (2013). "Reducing human effort and improving quality in peer code reviews using automatic static analysis and reviewer recommendation". 2013 35th International Conference on Software Engineering (ICSE). pp. 931–940. doi:10.1109/ICSE.2013.6606642. ISBN 978-1-4673-3076-3.
- VDC Research (2012-02-01). "Automated Defect Prevention for Embedded Software Quality". VDC Research. Retrieved 2012-04-10.