Software Best Practices

I thought I'd ask this here, since it's more about code construction than it is about testing. Does anyone have any helpful things to say about Peer Code Reviews. We currently have them but they are not very effective. Any helpful hints, or references to useful articles or books would be welcome. 

David Clayworth:

I thought I'd ask this here, since it's more about code construction than it is about testing. Does anyone have any helpful things to say about Peer Code Reviews. We currently have them but they are not very effective. Any helpful hints, or references to useful articles or books would be welcome. 

Why are your peer code reviews ineffective? I probably have suggestions, but I'd need to know why?

For example, I was recently at a company which spent about 10-15 minutes on reviews, and the participants hadn't seen the review item in advance. Nobody can do a good review under those circumstances. They need to see the item in advance, and they need more time to look at it, and more time (if needed) when they meet

Are you only finding minor problems?

 Are you not finding enough problems?

The common finding rate for major problems is about 1 problem/hour (counting all the time expended, both reviewing in advance and in the meeting).

I think the first thing you need to figure out is what kind of errors are you expecting to find during inspections. It must exist a clear idea of the goal of the review and all participants should share this idea. If this is not defined you may have reviews wasting time in discussions about variable names, indentation, code comments, message descriptions, or any other topic.

In my company for example, we don't look for code conventions compliance, we use automated tools to ensure that. We run static analysis tool on our code before inspections, therefore we don't look for the type of errors that this tool can easily report. But we do look for compliance with the design: is the code implementing the defined design appropriately? Are all exception conditions handled following the design?

One useful thing that I did in the past to define our goal for code reviews is to read different code inspection checklists available online and identify the items that I considered useful for our reviews. Then, based on that list I agreed with the team the aspects that we should check in our code reviews. In that way we focused our effort and everyone was on the same page during the review.

Just my 2 cents.

Reviews here are currently informal "over-the-shoulder" with no prior look at the code and driven by the author. The vast majority of issues picked up are stylistic or things like lack of documentation. No way are we picking up one major problem per hour of review time.

I'm interested in advice, but also interested in studies, articles or books on the subject.

P.S. I'm on vacation, so while I'll be interested in replies I won't be responding for a  week or so.

David

I recently wrote a short article on Code Reviews to try and organize my thoughts on the topic.  You might find some useful information/links in there.
 

cjlotz:

David

I recently wrote a short article on Code Reviews to try and organize my thoughts on the topic.  You might find some useful information/links in there.
 

 

Nice article!

When we do formal inspections, we do Gilb-style inspections. They have fewer meetings, so are easier to schedule.

There's no kickoff meeting; the materials for the review (the code to be reviewed, plus any relevant checklists, a form to record the defects you found and the time you spent) are either emailed to the participants or handed out by the person organizing the reveiw.

One meeting is scheduled, the meeting to gather and record the defects found. It's scheduled 2 days ahead, or so, to allow the reviewers time to review the materials. At the meeting the defects found are recorded, with no duplicates, and people are encouraged to find more defects during the meeting. At the end of the meeting an outcome is decided by the reviewers. It's one of 'accept as is' (no defects found), 'revise with no follow-up' (a very small number found), 'revise with follow-up' (more defects found and one of the reviewers volunteers to follow up and check the author's changes once they are completed); and 're-review'  where there are many defects and the team feels another review is needed. Thus almost always there isn't a second meeting, and when there is it's another review.

Contrast this with Fagan Inspections where there are 3 meetings per inspection (kickoff, review meeting, and followup meeting). Meetings are often the hardest part to schedule, due to peoples' calendars getting filled up, so if you only have to schedule one, it really helps.

Inspections require the use of checklists. And, at the meeting, the moderator asks each reviewer how much time they spent preparing, so there's a check on the time spent finding defects before the meeting. If it's obviously too short for the material at hand, that reviewer isn't prepared. If there aren't enough people at the meeting who did prepare well enough, the meeting is cancelled and rescheduled. You only have to do this a couple of times and people realize we're serious about how much time you spend preparing, and usually they come prepared.

HP found that 80% of the defects found in reviews wouldn't be found in testing, so also reviews are a good complement to testing. They each find defects, but with only partial overlap in the kind of defects found.

Some of Construx's code checklists are available for free on our website. Here's the page that links to them

http://www.construx.com/Page.aspx?nid=97

and some of our Inspection process materials are also on our website, at this location http://www.construx.com/Page.aspx?nid=101

That said, we usually plan to inspect about 40% of the code, and for the rest do one person reviews, which we call desk checks. We'll inspect all the requirements and designs because historically the biggest payback for reviews comes from the early documents. (anywhere up to 100:1). Code inspection typically gives an ROI of 3 or 4 to 1 (relative to letting the defect get into production).

The time spent really matters. There's lots of data showing that you find more defects if you spend more time preparing. The recommended rate for code is 300 LOC/hr or less.

And I think having the chance to review the material before the meeting, when you can really think about it, check if it's consistent with the design etc. is also important. One of the benefits of inspections is the check on the time spent reviewing. Another is that the moderator can limit or prevent personal comments - all the issues raised should be on the work product being inspected and not on the person who did the work. The moderator also keeps the meeting moving and makes sure it doesn't spend much time discussing each defect; the assumption is the author can fix it by themselves if he/she knows where it is; the fix doesn't need to be discussed in the meeting. Inspection meetings are usually quite short and efficient, with issues being recorded every half minute to 2 minutes.

I came across these references recently that may be useful.

Gilb also promotes "extreme inspections" of specifications described at http://www.gilb.com/community/tiki-page.php?pageName=Inspection which seems to be a refinement of "Agile Spec QC" paper at  http://www.gilb.com/community/tiki-download_file.php?fileId=64

The first just describes the process - the second is the more interesting justification.

These advocate lightweight sampling to 1) indicates whether more thorough/complete inspection is needed  and 2) produce early feedback that can drive corrective behavior. Because this sampling process has low entry barriers and less time is needed than for formal inspections, it seems to me that this can be easily tried within a project without the need for much sponsorship. Early results may well convince the naysayers of the value of the formal or agile inspections.

In my opinion the same approach may be useful for code inspections. 

/andrew