Developers working on CSE projects should conduct peer code reviews on every pull request (or check-in to a shared branch).
- Improve code quality by catching defects before code is checked in.
- Software engineers grow by learning from each other.
- Participants working on a project develop a shared understanding of the project's code.
Many of these items can be automated or enforced by policy in modern version control and work item tracking systems. Verification of the policies on the master branch in AzDO, for example, may be sufficient evidence that a project team is conducting code reviews.
- The master branches in all repositories have branch policies.
- All builds produced out of project repositories include appropriate linters, run unit tests.
- Every bug work item should include a link to the pull request that introduced it, once the error has been diagnosed. This helps with learning.
- Each bug work item should include a note on how the bug might (or might not have) been caught in a code review.
- The project team regularly updates their code review checklists to reflect common issues they have encountered.
- Software engineering managers should review a sample of pull requests and/or be co-reviewers with other developers to help everyone improve their skills as code reviewers.
The goal of code reviews is to identify and remove defects before they can be introduced into shared code branches. To the extent that parts of reviews can be automated via linters, human reviewers can focus on architectural and functional correctness. Human reviewers should focus on:
- The correctness of the business logic embodied in the code.
- The correctness of any new or changed tests.
- The "readability" and maintainability of the overall design decisions reflected in the code.
- The checklist of common errors that the team maintains for each programming language.
Code reviews should use the below guidance and checklists to ensure positive and effective code reviews.
- Understand the code you are reviewing
- Read every line changed.
- If we have a stakeholder review, it’s not necessary to run the PR unless it aids your understanding of the code.
- AzDO orders the files for you, but you should read the code in some logical sequence to aid understanding.
- If you don’t fully understand a change in a file because you don’t have context, click to view the whole file and read through surrounding code.
- Be considerate
- Be positive – encouraging, appreciation for good practices.
- Avoid language that points fingers like “you” but rather use “we” or “this line” -- code reviews aren’t personal and language matters.
- Make comments clear
- Explain why the code needs to change.
- Prefix a “point of polish” with “Nit:”.
- If one or two comments don’t resolve a disagreement, talk in person or on the phone.
- Decide on a common standard for each language
- Automate as much as possible (styling, etc.) to avoid the need for "Nit's" and allow the reviewer to focus more on functional aspects of the PR.
-
Pull Request Overview
- Does the PR description make sense?
- Do all the changes logically fit in this PR, or are there unrelated changes?
- If necessary, are the changes made reflected in updates to the README or other docs? If the changes affect how the user builds code especially.
-
User Facing Changes
- If the code involves a user-facing change, is there a GIF/photo that explains the functionality? If not, it might be key to validate the PR to ensure the change does what is expected.
- Ensure UI changes look good without unexpected behavior.
-
Design
- Do the interactions of the various pieces of code in the PR make sense?
- Does the code recognize and incorporate architectures and coding patterns?
-
Complexity
- Are functions too complex?
- Should a function be broken into multiple functions?
- If a method has greater than 3 arguments, potentially overly complex.
- Single responsibility principle – function or class should do one ‘thing’
- Can the code be understood easily by code readers?
- Does the code add functionality that isn’t needed? Is it overly complex?
-
Naming/readability
- Did the developer pick good names for functions, variables, etc?
-
Error Handling
- Are errors handled gracefully and explicitly where necessary?
-
Functionality
- Is there parallel programming in this PR that could cause race conditions? Carefully read through this logic.
- Could the code be optimized? For example: are there more calls to the database than need be?
- If you may not fully understand how the code could affect the system, ask for help.
- Are there security flaws?
- Does a variable name reveal any customer specific information?
- Is PII and EUII treated correctly? And not logging any PII information.
-
Style
- Are there extraneous comments? If the code isn’t clear enough to explain itself, then the code should be made simpler. Comments may be there to explain why some code exists.
- Does the code adhere to the style guide/conventions that we have agreed upon? We use automated styling like black and prettier.
-
Tests
- Tests should always be committed in the same PR as the code itself (‘I’ll add tests next’ is not acceptable)
- Make sure tests are sensible and valid assumptions are made.
A: Our peer code reviews are structured around best practices to find specific kinds of errors. Much like you would still run a linter over mobbed code, you would still ask someone to make the last pass to make sure the code conforms to expected standards and avoids common pitfalls.
A: Someone outside of the pair should perform the code review. One of the other major benefits of code reviews is spreading knowledge about the code base to other members of the team that don't usually work in the part of the codebase under review.
A: A member of the mob who spent less (or no) time at the keyboard should perform the code review.