Code review

From Wikipedia, the free encyclopedia

Code review is systematic examination (often as peer review) of computer source code intended to find and fix mistakes overlooked in the initial development phase, improving overall code quality. Code reviews can often find and remove common security vulnerabilities such as format string attacks, race conditions, and buffer overflows, thereby improving software security. Online software repositories, like anonymous CVS, allow groups of individuals to collaboratively review code to improve software quality and security.

Contents

[edit] Pros

Code review is a valuable part of the software development process often called testing. Some argue that code review is less important when certain rules or secure coding methodologies are followed from the software's inception.

The Extreme Programming (XP) approach includes the practice of pair programming, which can be argued to be code review during development. XP proponents argue that other XP practices, such as refactoring and creating tests before even writing the code, produces code that doesn't need to be reviewed or rewritten as often and thus speeds software development.

Code review can also be used as a tool for improving code during development and improving developer skills at the same time. When applied that way, it is called Professional Review.

There are many examples of how code review improved a project. They include

  • Blender3d - A 3D graphics design package greatly improved by an open source development community.
  • The Linux Kernel - Once a hobby project written by a Finnish student programmer is now reviewed and improved by hundreds of programmers worldwide.

Automated code reviewing software lessens the task of reviewing large chunks of code on the developer by systematically checking source code for vulnerabilities such as:

Flawfinder and Rough Auditing Tool for Security (RATS) are two well-known examples of code reviewing software.

[edit] Cons

DOD-STD-2167A listed as a key lesson that code review was not worthwhile. Lausen and Younessi IEEE Software, July/Aug 1998, pg 69-73 concluded that line by line code review was of little value. Paying programmers to conduct line by line code review is likely to be less productive than other methods of defect removal.

[edit] See also

[edit] External links

In other languages