What is a Code Review? Complete Guide [2023]

Code Review:

is a software development process in which source code changes are evaluated by peers.
improves software quality by preventing bugs, defects, or vulnerabilities.
can be tool-assisted, over-the-shoulder, pair programming, or formal inspections.
has been shown to identify 50 - 60% of all defects in a codebase (the most effective)
2X more likely to prevent defects than unreview code.
must be conducted in an environment that encourages psychological safety and knowledge sharing.
should get feedback within 24 hours.
should take no longer than 60 minutes.

What is a code review?

A code review is a software development process where a peer gives a constructive review of a fellow developer's code by evaluating it against quality standards.

It boosts software quality because it prevents bugs, defects, and security vulnerabilities.

Reviewed code is two times less likely to introduce defects compared to unreviewed code.

Code reviews were first intruduced at IBM by

In 1976, Michael Fagan from IBM introduced the formal code review process.

Pros

Here are the main benefits of software reviews:

Find defects early, improving code quality and reducing errors.
Improve code quality through consistent formatting, naming conventions, and adherence to standards.
Identify alternative solutions and improve designs.
Facilitate knowledge transfer and best practices sharing.
Promote team awareness and transparency by allowing feedback on changes.
Foster a culture of shared code ownership and responsibility.

Code reviews can save you big money! 💰

Total cost: Before $368k vs After $152k.

Source: Best Kept Secrets of Peer Code Review

Cons

Code reviews are not always rainbows and unicorns.

Here are the main cons of software reviews:

Time-suck: If your codebase is massive you may find yourself drowning in a sea of code for hours on end.
Subjectivity: Code reviews can be subjective, and the feedback provided may depend on the reviewer's personal preferences, biases, or expertise. This can result in inconsistent feedback and potentially impact code quality.
Over-reliance on reviewers: In some cases, developers may become overly dependent on code reviewers to catch errors or identify issues, rather than taking responsibility for their own code quality.
Negative impact on morale: If not conducted properly, code reviews can become a source of conflict or negativity within a team or organization. This can impact morale and lead to decreased productivity.
Resistance to change: Developers may resist feedback or changes suggested during code reviews, particularly if they feel that their code is being criticized unfairly or that changes will negatively impact their work.

Meme about code reviews. Showing over-reliance on reviewers.

Types of code reviews

1. Tool-Assisted reviews

Tool-Assisted reviews are the most popular type of code review.

Code review tools make it easy to see code differences, leave review comments, and apply suggestions.

2. Over-the-shoulder reviews

Over-the-shoulder reviews involve one person reviewing another person's code in person or on a call.

This informal approach is a quick way to get feedback on code changes. In-person code reviews are usually unstructured and may be done spontaneously without prior planning.

3. Pair-Programming

Pair programming is a collaborative approach to code development where two developers work together on a single task, taking turns typing and reviewing code.

This approach can help catch errors early in the development process, promote knowledge sharing, and improve code quality.

4. Formal inspections

Formal inspections are a type of code review process that involves a rigorous and structured approach to examining code.

This method typically involves a group of reviewers who systematically examine the code for defects, compliance with coding standards, and adherence to design principles.

How does a code review work?

A modern code review follows these steps:

A developer submitting their code to a reviewer to identify and address errors before merging it into the codebase.
The reviewer provides feedback to ensure the code meets quality standards.
The original developer refactors code based on feedback.
The process iterates.
After necessary changes are made, the code is approved and ready for check-in or build incorporation.

Code Review Process Diagram — *Source: Investigating the effectiveness of peer code review*

Research at Google found that over 80% of all changes involve at most one iteration of resolving comments.

Code Review Tools

Code reviews would be impossible without modern code reviews tools such as GitHub, GitLab, and Azure DevOps.

They integrate with source code management systems and use policies to enforce the code review process.

For example:

requiring a certain number of approvals before merging code,
ensuring that code has been reviewed before being merged, and
enforcing specific guidelines for code reviews.

Beyond enforcing, these tools offer features like code highlighting, commenting, and suggesting that facilitate collaboration.

Code Review Stats

At Google, 80% of code reviews lead to code improvements.
Unreviewed code is 2X more likely to introduce defects than reviewed code.
Finding defects is the first motivation for code review for 383 of the programmers (44%), followed by code improvements (39%) for 204 (23%), and third for 96 (11%) - Bacchelli and Bird
Code review increases the number of distinct files a developer knows about by 66% to 150% depending on the project. - Rigby and Bird

Who does a code review?

Code reviews are performed by one or more fellow members of the software development team.

Reviewers must be skilled in the given programming language. Also, they need to have a basic understanding of the business logic surrounding the code to make sure the code does what it's supposed to do.

When to perform code reviews?

Code reviews can be performed in different stages of the Software Development Life Cycle (SDLC):

Change-based
- Pre-commit: Before merging the code change. (most popular)
- Post-commit: After merging the code change.
Periodically: All code changes are reviewed on a schedule. For example, every 2 weeks.

In 2017, a survey of 240 development teams revealed that 90% of them use a change-based review process.

How long does a code review take?

The turnaround time for a code review should be less than 24 hours.

Researches Rigby and Bird analyzed the differences between various software projects, including two Google-led projects (Android and Chromium OS), three Microsoft projects (Bing, Office, and MS SQL), and projects internal to AMD.

Key takeaways:

At Google, Median wait time for initial feedback is under 1 hour for small changes and about 5 hours for very large changes.
AMD has short review intervals, with the median review taking 17.5 hours.
Median developers at Google make 3 changes per week and 80% make less than 7.
Median changes reviewed per week is 4 and 80% of reviewers review fewer than 10 changes.
Overall median latency for the entire review process is under 4 hours.
Google's review sizes: over 35% modify only 1 file, 90% modify fewer than 10 files, and median number of lines modified is 24.

What kind of feedback do code reviews provide?

Useful code reviews provide constructive feedback:

Points out bugs, defects, or security vulnerabilities.
Improves performance or resource consumption.
Praises positives.
Increases code readability.
Transfers knowledge between developers.

How effective are code reviews?

In Code Complete, Steve McConnell states that code reviews are the most effective code quality process.

Here's the average effectiveness of software defect detection:

Effectiveness of software defect detection
Type of Testing	Effectiveness
Unit Testing	25%
Functional Testing	35%
Integration Testing	45%
Code Reviews	50-60%

Source: Code Inspection and Code Review

Psychological safety

As a developer, you are putting your work out there for someone to ~~criticize~~ comment on.

It's a very vulnerable feeling that can cause a lot of stress if the development team doesn't develop psychological safety.

Software development is a craft and developers that pride in their creation.

In my career, I've seen many conflicts arise because of code reviews.

But remember: Code reviews exist to improve code quality. It's not about you or me. We all just want to make better software.

Why do developers care?

The paper Expectations, Outcomes, and Challenges of Modern Code Review sheds light on the expectations that developers have from code reviews, the outcomes they expect to achieve from them, and the challenges they face during the process.

The study found that code reviews are less about finding defects than expected. Beyond finding defects, developers use code reviews as a way to share knowledge and learn from each other.

Bar Chart showing Ranked Motivations from Developers when performing Code Reviews

How to perform an effective code review?

In May 2006, Cisco Systems® conducted a case study of peer code review for their MeetingPlace® software:

50 developers from three continents reviewed every code change for over 10 months.
2500 reviews of a total of 3.2 million lines of code were collected.
They collected process metrics automatically, including the number of lines of code, amount of person-hours spent in the review, and number of defects found.

Here's what you need to know:

Don't review too much code at once (<200-400 LOC). Defect density decreased dramatically when the number of lines of code under inspection went above 200.
Take your time (<500 LOC/hour). Reviewers who went through the code at rates above 1000 LOC/hour probably weren't actually looking at the code.
Spend less than 60 minutes reviewing. Performance starts dropping off after 60-90 minutes.

Keep your code review sessions shorter than an hour.

Formal Code Inspection vs Modern Code Reviews

In a formal code inspection, a development team meets to examine code base. They follow a strict process to understand and spot any issues by following a process.

Both these static quality assurance approaches have their own set of costs and benefits.

IBM popularized this method in the 1970s, and it was widely adopted in the 1980s. Since then, it has been extensively researched and is now viewed as the most effective approach to bug detection.

Through formal code inspections, developers can uncover between 60-90% of bugs. However, it is important to note that this process can also be expensive and labor-intensive due to the resources required for a thorough inspection.

What is Secure Code Review?

Secure code review audits an application's source code to identify security flaws and ensure proper security controls are in place.

For effective security code reviews, a combination of human effort and technology support does the best.

The goal of a secure code review is to ensure that a penetration test does not discover any additional vulnerabilities after a proper security code review has been conducted.

What is a Pull Request?

A pull request is a software development process that allows developers to ask for their code to be merged into a code base.

Most code reviews are tied to pull requests. After opening the request, software developers can review and discuss potential changes with you while adding comments or making additional commits.

Conclusion

Peer code reviews are a crucial aspect of the software development lifecycle.

They involve team members reviewing each other's code, providing constructive feedback, and ensuring code quality standards are met.

Peer review not only helps prevent bugs and defects but also promote collaboration, knowledge sharing, and continuous improvement among development teams.

Being an active team member in the review process is a valuable opportunity to learn, grow, and contribute to the success of the project.

Ultimately, incorporating peer reviews into your development workflow can help build high-quality, maintainable software.

Last modified on: Feb 25, 2023