Modern Code Review Modern`Code`Review Making`Software
Definitions Modern'Code'Review Modern Code Review • Wikipedia:* “Code*review*is*systematic*examination*(often*known*as*peer*review)*of* computer*source*code.*It*is*intended*to*find*and*fix*mistakes overlooked* in*the*initial*development*phase,*improving*both*the*overall*quality*of* software*and*the*developers'*skills.” Expectations, Outcomes & Challenges Cohen, Jason. “Chapter 18: Modern Code Review” in Greg Wilson and Andy Oram. Making Software: What Really Works, and Why We Believe It. New York. 2010. • Bacchelli &*Bird:* • Modern code*review*is*characterized*as*informal*and*lightweight,*uses* tools*to*facilitate*the*process,*and*occurs*regularly*in*practice.* Bacchelli, Alberto and Christian Bird. “Expectations, outcomes, and challenges of modern code review”. Proceedings of the 2013 International Conference on Software Engineering (ICSE '13). New York, 2013. 202-211. Jeff Avery CS 846: Topics in Empirical Software Evolution Mar 19, 2015 3 Introduction Making'Software Motivation Ch. 18: Modern Code Review Jason Cohen • Question:*“Every*page*in*this*book*has*been*checked*over*by*an* editor.*Why?” • Answer:*“It’s*impossible*to*write*prose*without*independent*scrutiny,* surely*it’s*also*impossible*to*write*code*in*isolation;*code*has*to*be* correct*to*the*minutest*detail,*plus*it*includes*prose*for*humans*as* well!“ Blogger,*Entrepreneur,* Author Lots*of*articles* on*“Effective*Code*Review” http://blog.asmartbear.com/jasonQcohenQresume • Cohen:*Writing+code+is+a+lot+like+writing+a+book.+Code+reviews+are+the+ way+that+we+ensure+correctness! 4 5 Introduction Introduction What’s'the'Cost? Research'Questions • Code*Reviews*are*a*timeQintensive*process. • CodeQauthor:*time*to*prepare*code*and*supporting*documentation,* send*out*notes*ahead*of*time,*organize*the*meeting. • Reviewers:*Time*to*prepare,*sit*in*a*review*for*1Q2*hours,*provide* feedback. • Is*there*enough*of*a*benefit*to*justify*the*cost? • “*Executed*properly,*code*reviews*find*bugs*faster*than*testing*or*other* known*debugging*techniques—but*when*done*inefficiently*they*can* quickly*become*unproductive.” Two*main*questions: 1. What*factors*lead*to*an*effective code*review? 2. What*are*the*best+practices+around*code*reviews?* 6 Factors 7 Factors Focus'Fatigue'(Time) Inspection'Rate'(Speed) • People*can*only*maintain*intense* focus*for*soQlong*before*their* attention*drops. • Going*tooQfast*prevents* reviewers*from*spotting* defects. • The*rate*of*discovery*drops* significantly* after*about*60*mins. • Code*varies*in*complexity* so*variation*is*expected. • DropQoff*at*400Q500*LOC* explained* as*the*reviewer* “going*too*fast*to*find* defects”. • Conclusions • CodeQreviews* can*be*highQvalue. • They’re*tiring. Defect*detection*rate*drops*at*around*400Q500*LOC*inspected/hour. Average*rate*of*defect*discovery.*After*60*mins,*the* rate*of*discovery*drops*noticeably.*Dunsmore et*al.*[4]. 8 9 Factors Factors Size'Kills Context • If*we*can* • (a)*only*review*code*for*1*hour* effectively,*at* • (b)*a*density*of*no*more*than* 400Q500*LOC,*then* • (c)*we*shouldn’t*review*more* than*400*LOC*per*review. • Defect*rates*noticeably*dropQoff* at*400*LOC. • How*important*is*it*to*perform*code*reviews*with*related*files,* classes,*documentation,*and*other*context*(compared*to*just*a*diff of* the*code*changes?) • Dunsmore 2000:* • Automated* methods* for*finding*related*files:* 15%*more*defects • Person*making*a*judgment*call*about*related*files:*30%*more*defects. • Context*is*important.* Cohen:*“[When+performing+a+code+review]+you+need+to+be+in+front+of+your+IDE+ with+the+entire+codebase+at+your+fingertips.”*[1] Detect* detection*rates*drop*as*code*size*increases.*[5] 10 Best*Practices 11 Best*Practices Are'Meetings'Required? PeerJReviews • Fagan*1976:*meetings*are* essential*to*get*“synergy”. • Votta 1993:*measured*defects* found*before and*during the* code*review*meeting. • “Are*twoQheads*always*better* than*one?” • Cisco*study*comparing*300*selfQ reviews*vs.*300*peer*reviews*[5]. • SelfQchecked* code*had*half*the* defect*density*(i.e.*50%*as* effective). • The*defects*found*in*meetings* are*more*“subtle”. • 25%*of*the*“defects*from* reading”*were*false*positives!* Authors* typically* find* half* of*their* own* defects. Meetings*contributed*4%*of*the*defects*found*[6]** 12 13 Conclusions Expectations,'outcomes,'and'challenges'of' modern'code'review WrapJup “When*is*code*review*useful,*and*what*are*the*best*practices?” Proceedings'of'the'2013'ICSE.'New'York,'2013.'202J211. Observation Best-Practices Authors* can*selfQidentify* about* 50%*of* detectable* defects* (compared* to*peerQreview). Authors* should review* their*own* code* prior to*preparing* for*a*formal* code* review. Most* defects found* by*reviewers* are*discovered* prior+ Before*to*the*meeting:* the*author* should provide* as*much* to*the*code* review*meeting. supporting* material* as*possible* (incl.* checkedQinQcode),* and* reviewers* should* attempt*to*identify* issues.* …*but* 25%*of* the*issues* discovered* prior* to*the*code* review* meeting* are*falseQpositives. Focus the*meeting* around* clarification* of*issues* (instead* of*a*code* walkthrough). Defect*identification in*peerQreviewQmeetings* is*only* effective* for*1*hour* (up* to*a*rate*of*400* LOC/hour). Only* schedule* short* code* review* meetings. Alberto*Bacchelli Assistant* Professor,* TU*Delft https://scholar.google.ca/citations? user=ozQbPWoAAAAJ& hl=en 14 Introduction Christian* Bird Microsoft* Research https://scholar.google.ca/citations?u ser=aDVlSQwAAAAJ& hl=en 15 Introduction Motivation Research'Questions • The*authors*are*interested*in:* “…practices*in*teams*that*use*modern+ code+review,*revealing*what* practitioners*think,*do,*and*achieve”.* 1. What*are*the*motivations*and*expectations*for*modern*code* review?*Do*they*change*from*managers*to*developers*and*testers?* 2. What*are*the*actual*outcomes*of*modern*code*review?*Do*they* match*the*expectations?* 3. What*are*the*main*challenges*experienced*when*performing* modern*code*reviews*relative*to*the*expectations*and*outcomes?* • To*expose*these*practices,*they: “…*empirically*explore*the*motivations,*challenges,*and*outcomes*of* toolQbased*code*reviews”*through*a*series*of*observations,* interviews*and*surveys*with*programmers*and*managers*at* Microsoft.* 16 17 Methodology Methodology CodeFlow'@Microsoft Mixed'Approach • Collaborative*code*review*tool* developed*at*Microsoft. • 40,000*developers*at*time*of* publication;*now*in*Visual*Studio. • Reviewers*can*directly*annotate*code,* and*interact*with*participants.. • Developers*who*want*a*review: • Create*a*package*with*the*changed* (new,*deleted,*and*modified)* files. • Select*the*reviewers.* • Write*a*message*&*description. • Submit*everything*to*the*CodeFlow* service,*which*notifies*via*email.* Mixed* approach:* (1)*analysis* of* previous* study,* (2)*observations* and* interviews* with* developers,* (3)* card*sort*on* interview* data,*(4)* card*sort*on* code* review* comments,* (5)* the*creation*of* an*affinity* diagram,* and* (6)* survey* to*managers* and* programmers* [2]. CodeFlow screenshot* [2]. 18 Results:*Why*Do*Programmers*Do*Code*Reviews? 19 Results:*Why*Do*Programmers*Do*Code*Reviews? Question'1:'Motivation A.'Finding'Defects • “Our*first*research*question*seeks*to*understand*what*motivations* and*expectations*drive*code*reviews.” • The*authors*examine*the*results*of*the*observations*and*interviews. • “The*reason*why*code* inspections*were*devised*in* the*first*place:*reducing* software*defects,*and* addressing*correctness”. • Developers*see* code*reviews*as*an*activity*that*has*multiple beneficial* influences…* for*the*team*and*the*entire*development* process.* • “[code*review]:+(1)+makes+people+less+protective+about+their+code,+(2)+gives+ another+person+insight+into+the+code,+so+there+is+(3)+better+sharing+of+ information+across+the+team,+(4)+helps+support+coding+conventions+on+the+ team,+and+(5)+helps+improving+the+overall+process+and+quality+of+code.+”* • Top*reason*for*44%*of* managers. • Top*reason*for*383*of*the* programmers*(44%),*second* motivation* for*204*(23%),*and* third*for*96*(11%).* 20 Developer ’s*motivations*for*code*reviews. 21 Results:*Why*Do*Programmers*Do*Code*Reviews? Results:*Why*Do*Programmers*Do*Code*Reviews? B.'Code'Improvement C.'Alternative'Solutions • “Comments*or*changes* about*code*in*terms*of* readability,*commenting,* consistency,*dead*code* removal,*etc.,*but*do*not* involve*correctness“. • “Alternative+solutions+ regard* changes*and*comments*on* improving*the*submitted* code*by*adopting*an*idea* that*leads*to*a*better* implementation“. • Managers*reported*code+ improvement+as*their*primary* motivation* in*51*(31%)*cases. • Primary*motivation*for*337* (39%)*programmers,*the* second*for*208*(24%),*and*the* third*for*135*(15%).* Developer ’s*motivations*for*code*reviews. • First*motivation*for*147*(17%)* developers,* second*for*202* (23%),*and*third*for*152*(17%) • Only*4*(2%)*managers*even* mentioned* it. 22 Results:*Why*Do*Programmers*Do*Code*Reviews? 23 Results:*Why*Do*Programmers*Do*Code*Reviews? D.'Knowledge' Transfer E.'Team'Awareness • “If*you*do*a*code*review*and* did*not*learn*anything*about* the*area*…*then*that*was*not* as*good*code*review*as*it* could*have*been”.* • “This*concept*of*using*an* email*list*as*optional*reviewer,* or*including*specific*optional* reviewers*exclusively*for* awareness”. • Programmers:*first*motivation* in*73*(8%)*cases,* second*in* 119*(14%),*and*third*in*141* (16%).* • Managers*included* knowledge+transfer+as*one*of* the*reasons*for*code*review,* but*never*top. Developer ’s*motivations*for*code*reviews. Developer ’s*motivations*for*code*reviews. 24 • 873*programmers*answering*the* survey*ranked*team+awareness+ and+transparency+very*close*to* knowledge+transfer.* • Programmers:*75*(9%)* developers*considered*team* awareness*their*first*motivation,* 108*(12%)*their*second,*and*149* (17%)*their*third.* Developer ’s*motivations*for*code*reviews. 25 Results:*Why*Do*Programmers*Do*Code*Reviews? Results:*The*Outcomes*of*Code*Reviews F.'Share'Code'Ownership Question'2:'Outcomes'of'Code'Reviews • “The*concept*of*shared+code+ ownership+is*closely*related*to* team+awareness and* transparency”. • “Our*second*research*question*seeks*to*understand*what*the*actual* outcomes*of*code*reviews*are,*and*whether*they*match*the* motivations*and*expectations*outlined*in*the*previous*section.*“ • A*means*to*have*more*than*one* knowledgeable*person*about* specific*parts*of*the*codebase.* • Improves*the*personal* perception*of*team*members* about*shared*code*ownership.* • Programmers:*First*motivation* for*51*(6%),*second*for*100* (11%),*third*for*91*(10%). • The*authors*analyzed*the*content*of*200*threads*(~570*comments)* from* code*reviews. • We*would*expect code*reviewers*to*talk*about*the*things* that*are*most* important*to*them*(i.e.*that*outcome* would*match*motivations). Developer ’s*motivations*for*code*reviews. 26 Results:*The*Outcomes*of*Code*Reviews 27 Discussion:* What*Are*The*Challenges*of*Code*Review? When'Expectations'Do'Not'Meet'Reality Question'3:'Challenges' • “Our*third*research*question*seeks*to*understand*the*main*challenges* faced*by*reviewers*when*performing*modern*code*reviews.*“ • “We*also*seek*to*uncover*the*reasons*behind*the*mismatch*between* expectations*and*actual*outcomes*on*finding*defects*in*reviews.” ? The*outcome*of*the*code*review*(reflected* in*code*comments)* does*not*match*the* expected* focus*on*finding*defects. 28 29 Discussion:* What*Are*The*Challenges*of*Code*Review? Discussion:* What*Are*The*Challenges*of*Code*Review? Code'Review'is'Understanding Code'Review'is'Understanding • Interviews • Understanding* was*identified* as*the*most*significant* challenge* when* preparing*for*reviews. • “The+most+difficult+thing+…+is+understanding+the+reason+of+the+change”. • “Understanding+the+code+takes+most+of+the+reviewing+time.”* • Code+Review+Comments • Second*most*frequent*category*concerns*understanding* (i.e.*rationale*of*the* changes,*corresponding*clarification* answers.* • The*authors*included*a*question*in*the*programmers’*survey*to*know* how+much+ understanding+ was+needed+to*achieve*each*motivation. Result:* to*achieve*the*need*for*finding+defects,*context*and*understanding*the* software*change*must*become*a*focus. 30 Discussion:* What*Are*The*Challenges*of*Code*Review? 31 Recommendations*and*Implications The'Importance'of'Context Recommendations'for'Practitioners • Observation:* • Implications*for*Developers • Some*developers*thoroughly*read*the*code*review*description,*while*others* navigated*directly*to*the*relevant*files*(i.e.*familiarity). • “I+start+with+things+I+am+familiar+ with,+so+it+is+easier+to+see+ what+is+going+on.”* • Programmers’*survey: 1. Whether*it*takes*longer*to*review*unfamiliar*files,*compared*to*files*that*you*know* (91%*agree). • “When+reviewing+a+small,+unfamiliar+change,+it+is+often+necessary+to+read+through+ much+ more+code+than+that+being+reviewed.”* 2. Whether*reviewers*familiar*with*the*changed*files*give*different*feedback*(82%* agree). • 1. Quality*Assurance:*Mismatch* between* expectations* and*outcomes.*Don’t* rely*on*code*reviews*to*identify*defects. 2. Beyond*Defects:* The*benefits* beyond*finding*defects* are*critical* (finding* alternatives,* increase* learning,* share*code*ownership*etc.)* 3. Understanding:* Having*knowledge*of*the*context*and*code*helps*reviewers.* Programmers*should*provide*context*and*direction*to*help*guide*reviews. 4. Communication:* Developers*need*richer*communication* than*annotated* comments.* Teams* should*facilitate* inQperson*communication. “It+takes+a+lot+longer+to+understand+ unknown+code,+but+even+then+understanding+ isn’t+ very+deep.+“ 32 33 Recommendations*and*Implications WrapQUp Recommendations'for'Practitioners Limitations • Implications*for*Researchers 1. Research*conducted*strictly*within*one*company*has*limited*value* or*applicability. 1. Automate* Code*Review*Tasks:*Automation* can*solve*“low*hanging*defects”* and*code*improvements,* freeing*up*time*to*discover*more*subtle* defects. 2. Program*Comprehension* in*Practice:*Program*comprehension* tools*should* be*leveraged;*we*can*do*better*than*diffs of*code*changes. 3. SocioQTechnical* Effects:* Awareness*and*learning*were*cited*as*motivations* but*difficult*to*observe.*More*research*can*be*done*here. • Is*Microsoft*representative?* 2. Some*motivations*are*not*observable*(e.g.*knowledge*transfer). • Even*if*not*quantifiable,* these* motivations* are*“real”*and*need*to*be* considered. 3. InQperson*discussions*were*observed*not*not*easily*codified. 34 WrapQUp 35 WrapQUp Conclusions Questions? “Although+ the+top+motivation+ driving+code+reviews+is+finding+ defects,+ the+practice+and+the+actual+ outcomes+ are+less+about+ finding+errors+than+ expected…+code+review+provides+a+wide+spectrum+of+benefits+to+ software+teams,+such+as+knowledge+transfer,+team+awareness,+and+ improved+solutions+ to+problems”. Are*you*convinced? This*paper*contributes • A*examination*of*the*underlying*motivations*for*modern*code*reviews • The*observation*that*motivations*and*outcomes*that*don’t*always*match.* • An*exploration*of*the*importance*of*understanding*in*effective* reviews.* • Specific*recommendations*for*both*practitioners*and*researchers.* 36 37 WrapQUp Introduction Reference Why'Code'Reviews? 1. Cohen, Jason. “Chapter 18: Modern Code Review” in Greg Wilson and Andy Oram. Making Software: What Really Works, and Why We Believe It. New York. 2010. 2. Bacchelli, Alberto and Christian Bird. “Expectations, outcomes, and challenges of modern code review”. Proceedings of the 2013 International Conference on Software Engineering (ICSE '13). New York, 2013. 202-211. 3. Cohen, Jason. Four Ways To A Practical Code Review. http://www.methodsandtools.com. Published Winter 2007. Retrieved Mar 13, 2015. 4. Dunsmore A., M. Roper and M. Wood. “Object-Oriented Inspection in the Face of Delocalisation”. Proceedings of the 22nd International Conference on Software Engineering (ICSE) 2000: 467–476. 5. Cohen, Jason. Best Kept Secrets of Peer Code Review. Beverly, MA. SmartBear Software. 2006. 6. Votta, L. “Does every inspection need a meeting?” Proceedings of the 1st ACM SIGSOFT Symposium on Foundations of Software Engineering, 1993: 107–114. 7. Fagan, M. Design and code inspections to reduce errors in program development. IBM Systems Journal, 15 (3):182–211, 1976. • Primary*goal:* • Attempt*to**find*defects* ahead*of* release.* (“Fix*it*while*it’s*cheap!”) • Secondary*goals: • Share*knowledge*of*the*codeQbase. • Mentor*less*experienced* developers. • Drastically*different*approaches*can* be*taken*to*accomplish*these*goals • Heavyweight*code*inspections* (Fagan) • Lightweight* modern*code*review Michael*Fagan:*Code*inspection*life*cycle*(1976)*[3]. 38 Methodology: Data*Collection 39 Methodology:* Data*Collection M1:'Analysis'of'Previous'Study M2:'Interviews'&'Observations • An*external*2012*study*investigated*how*different*product*teams* were*using*CodeFlow.*It*consisted*of*structured*interviews*(lasting*30Q 50*minutes)*with*23*people*in*different*roles.* • Interviews*&*Observations • The*authors*used*grounded+ theory+to*derive*categories*of*questions,* used*to*determine*four*motivations*for*code*review: 1. Finding*defects. 2. Maintaining*team*awareness. 3. Improving*code*quality. 4. Assessing*the*highQlevel*design.* 40 • OneQonQone*meetings* with*developers* who*use*CodeFlow (40Q60*minutes).* • Interviewed:*five*developers,* four*senior*developers,* six*testers,* one*senior* tester,*and*one*software*architect.*All*had*used*CodeFlow,*had*18*months*to* almost*10*years*experience* (median*of*five*years).* • Each*meeting* was*comprised* of*two*parts:* 1. Observing*them*perform*a*code*review.* 2. A*semiUstructured+followQup*interview. • CodeFlow Comments • Comments* were*extracted*and*categorized*from*the*code*review*sessions. 41 Methodology:* Data*Analysis Methodology:* Validation M3J5:'Processing'Feedback M6:'Survey • Card*Sorting • Survey*1 • Used*to*group*categories* that*emerged*from*interviews/observations* and* code*review*comments* extracted* from*CodeFlow. • Open*card*sort:*groups*emerged*naturally*during*the*sorting*process. • First*author*created*cards,*other*authors*created*categories,* performed*sort. • Consensus* on*final*categories. • Sent*to*a*cross*section* of*600*managers*that*had*at*least* 10*direct*or*indirect* reporting*developers*who*used*CodeFlow.* • The*central*focus*was*the*open*question* asking*to*enumerate* the*main* motivations* for*doing*code*reviews*in*their*team.* • They*received*165*answers*(28%*response* rate). • Survey*2 • Affinity*Diagram • 18*questions,* mostly*closed* with*multiple* choice*answers,*and*was*sent*to* developers* who*signed* off*on*average*at*least* one*code*review*per*week.* • They*received*873*answers*(44%*response* rate).* • An*affinity+diagram+was+used+to+organize*the*categories* from*the*card*sort.* 42 43
© Copyright 2024