Code Reviews
I recently attended a code review at Wharton. We’ve put together some code reviews at my job, but I know that Wharton has been doing formal code reviews for years and I wanted to check out their process to compare notes. For this particular code review they were looking at a small ColdFusion application developed using Squidhead.
I was immediately surprised by how simple they kept it: no projector, no whiz-bang demo, just a handful of well-prepared developers with a stack of notes. Only the developer and a manager brought a laptop (and the second laptop may have been for my benefit, since I had not previously seen the code). The developer gave a brief summary of the application (its goals, functionality) and immediately handed things over to the reviewers.
The reviewers had clearly spent some time with the application, reviewing both the code and the interface. (I asked about this after the review, and one reviewer said he had spent 2-3 hours reviewing what was a relatively short and simple application. It is telling, I think, that attendance was voluntary–the reviewers in attendance were keen reviewers.) They got down to the level of detail where they brought up the date format (e.g. why did the developer use dd-mmm-yyyy instead of mm/dd/yyyy?).
The review was relatively structured while remaining casual in tone. They discussed CFCs, followed by other ColdFusion code, followed by user interface concerns and SQL. Each suggestion was backed up with a reason, e.g. avoid using evaluate() because it can lead to performance issues, or use mm/dd/yyyy because ~60% of the intended audience is most familiar with that format. In general, the topics covered fell into these categories: security, speed, standards/best practices, readability/maintainability, and user interface concerns.
It really seemed like a useful process to me. True, it added 12-18 developer hours to the project, but that is a small price to pay to avoid a possible security breach or server crash (not that any such vulnerabilities or flaws were found). The key, it seemed to me, was in the preparedness of the reviewers, who each came with comments in hand. Their preparedness, in turn, was helped by having basic guidelines as to what issues to look for.
1 Comment to Code Reviews
Leave a comment
Pages
Archives
- April 2012
- March 2012
- January 2012
- December 2011
- November 2011
- September 2011
- August 2011
- July 2011
- June 2011
- May 2011
- March 2011
- February 2011
- January 2011
- November 2010
- May 2010
- March 2010
- January 2010
- December 2009
- October 2009
- September 2009
- August 2009
- July 2009
- May 2009
- April 2009
- March 2009
- February 2009
- January 2009
- December 2008
- November 2008
- October 2008
- September 2008
- August 2008
- July 2008
- June 2008
- May 2008
- April 2008
- March 2008
Aww man, If I had known you were coming, I would have attended that review.