Best Kept Secrets of Peer Code Review by Jason Cohen

Best Kept Secrets of Peer Code Review It has been three years since I have been under the oppressive finger of the waterfall software engineering process, but that is still what comes to mind when I hear the words “peer review.” Corporate software outfits typically require programmers to present their code to other engineers in hopes of finding bugs and fixing them before they become a problem. Usually it involves some form of screen-sharing and walk-through of code snippets developed in the past few days. From my five years of experience doing this sort of review, reviewers rarely found bugs in code–no matter how poor a software engineer or how great a reviewer.

I know book-editing is a great practice, and I know that no software engineer is perfect, but my experience has prevented me from seeing benefit in the concept. Best Kept Secrets of Code Review by Jason Cohen renewed my perspective on peer reviews by presenting a more effective way of doing them. The book’s purpose is two-fold: (1) present compelling arguments and practices for effective code review and (2) sell a peer review tracking product called Code Collaborator. Thankfully, the book reserves the sales pitch for the last chapter and does a great job presenting the facts and arguments that ultimately led Smart Bear to build a peer review product. Here are some of my notes, but, like the reviews before this one, I must encourage you to snag your own copy.

Chapter Four: Brand New Information

Time is the one factor that a reviewer can control that will effect their ability to identify bugs. The reviewer cannot control the language, algorithmic complexity, or the experience of the developer who wrote the code.
60 minutes of peer review is the sweet spot. Spend more or less time than that and you will statistically either miss bugs or waste time looking for bugs that don’t exist. (On that note: do not spend more than 90 minutes…ever.)
The more time a reviewer spends during his first pass over the code, the faster he will be at spotting bugs during his second pass. In other words, go slower the first time around.
Private inspection of code produces better results than being guided by the developer in a presentation format. Often reviewers will raise questions that are about how something works, not whether or not a particular piece of code is correct. (More proof that meetings usually waste people’s time and companies’ money.)
The hardest bugs to find are code omissions, so arm reviewers with checklists. This list might include items like “should this page require SLL?” or “is allocated memory properly destroyed?” Have your team keep a running list of common bugs to look out for.

Chapter Five: Code Review at Cisco Systems

Formal peer review meetings don’t uncover more bugs but do add to the cost of software engineering. (Yes, this is a repeat comment–just driving it home!)
The one benefit of a formal meeting is that it motivates the presenter (developer) to be more careful and produce higher quality material (code). Knowing that someone else is going to formally inspect your code will compel you to write better code.
Only 200-400 lines of code should be reviewed at any one time. (Recall our 60 minute sweet spot from above? 200 lines / 90 minutes = 2.22 lines per minute. 400 lines / 60 minutes = 6.66 lines per minute. That’s a lot of time.)

Chapter Seven: Questions for a Review Process

Keep your peer review checklist in-between 10 and 20 items. Too many, and the reviewer’s effectiveness drops.
If necessary, create different flavors of checklists to cover more than 20 items: logic bugs, security, design, etc. Have different reviewers use different checklists.

The book is also full of really nice references, case studies, techniques for measuring team effectiveness, and points for team leads. It’s worth the read, so check it out.

The Unplugged by Ruven Meulenberg

While researching user experience design techniques, I stumbled upon some nifty whiteboard magnets for prototyping called GuiMags as well as a complementing book called The Unplugged.

GuiMags look like the nicest way to prototype something before going to HTML and CSS. Labor intensive forms of prototyping don’t seem to add much value, and paper and traditional whiteboard prototyping only works until you’ve changed your mind about something and have to throw your work in the trash or erase half the board.

Although I decided to postpone a magnet purchase until I am doing design again, I was able to get my hands on the book. Its premise: we limit ourselves by the technologies we use. Instead of thinking outside the box, we’re often thinking and functioning in it. A large part of this thinking inside the box is how we develop software.

Although, everyone interested in the topic should pick up the book, here are a few of my takeaways:

Every major form of art that involves technology (music, film, video games, graphic design) starts outside technology. Artists do not limit themselves by their technology but by the limits of their own minds. As a software engineer, you often limit yourself by the technology you use day-to-day.
Spend as much time as you can iterating on concept and design before going to implementation.
Design the software front-end not the back-end first.
Just like there are code freezes, freeze the product when it has passed the design phase.
It is often wise to outsource the implementation.
- This serves as a peer review of the design before it goes to implementation. Software developers traditionally think about the back-end first.
- Different cultures have different strengths: “England and Western Europe are great at design, Ukraine and Macedonia have amazing and prompt developers who can think for themselves, the Netherlands always emails back the same day, India is extremely polite, etc.”
- Work can be done while you are sleeping. “This can cut the development time in half.”
- Because you already know what you want and won’t be constantly changing the design, contractors will want to work with you even if you pay less.
- Only be satisfied with five-star developers.
- Pay more than you agree to pay.
- Do one-week sprints. Longer sprints end up getting delayed, with excuses.

With the last (sub)point in mind, I think this methodology is well-suited for an agile development process.

There is a lot to gain from reading the book, so make sure to grab a copy for yourself.

Rails Refactoring and Deprecation

I’ve been using Ruby on Rails exclusively for over a year now, but have used other web frameworks for longer periods of time (classic ASP, ASP.NET, and J2EE). Rails is unique in many ways, and if look hard enough online, you’ll find its qualities spelled-out for you.

Deprecation is one quality that isn’t spoken of much, but it’s one of my favorites. The Rails core team is adamant about doing things the best way possible. When it sees a better way of doing things, it immediately starts removing parts of the API that don’t meet that standard of perfection. Developers offload deprecated functionality into plug-ins that give teams time to migrate aging code, but the deprecated code doesn’t stay in the main code base for long.

The other frameworks I’ve used have kept deprecated API calls in for extremely long periods of time. Some I don’t think will ever disappear. These other APIs allow developers to continue using inefficient, poorly-designed, and overall bad code however long they want.

Rails isn’t simply doing things the best way possible, it trains its developers to do the same. I like that.

A Real-Time User Experience Update in Google Calendar

I just witnessed a beautiful example of web application architecture. After periodically making adjustments to my schedule in Google Calendar the past several hours, I witnessed the user interface change, in real-time, without even refreshing my browser.

For as long as I can remember, any time I would click and drag on my calendar to create a new appointment, a block of time would be selected in gray until I released my mouse button. The time would then be reserved with a solid blue block and I would fill in details about the appointment I just made. Just last week I was thinking, “it would sure be nice if they did a better job indicating the time frame you’re actually blocking off so I don’t have to eyeball it.”

Well, while making one final appointment on my calendar tonight, I noticed that the typical gray selection of time had been replaced with a transparent blue block with the time-frame in it. The time frame and size of the box still adjusted as I moved my cursor down my schedule. When I released the mouse button, things worked as they always have. If this new user experience wasn’t enough to be impressed by, I realized I hadn’t refreshed my browser at all. The new feature just appeared:

And that is one of the wonderful benefits of running an application on the web. Although I’m not sure exactly how they do it, Google has engineered Google Calendar so that they can roll-out changes to the user interface in real-time to users. Real-time connection to Google’s servers through Ajax is all that’s needed–no bulky Microsoft-Office-like update to download and install, not even a browser refresh.

Very impressive.

Getting Out of a Rut

A couple weeks ago, Patrick and I got ourselves into a mental rut. For a few days, Patrick was slaving away on server configurations. I was trying to figure out how we were going to charge credit cards on a monthly basis without storing customers’ credit card information. I started to get in trouble when attempting to merge two unaccepted patches for the Active Merchant Ruby library into something workable. Patrick and I like just about nothing worse than configuring servers and trying to fix unacceptable code. It was eating away at our morale; we could feel it; and it was slowing us down.

One night I wrote an email to Patrick explaining my despair and suggested we work together for a few days. Within minutes Patrick replied admitting that he was just about to write the exact same email.

The following day we pair-programmed our way through the Authorize.Net Automated Recurring Billing patch for Active Merchant. Not only did we see a task drop off our to-do list, we got the morale boost we needed to go back to individual work.

Although I largely agree with developer isolation as described by Fog Creek Software and 37signals, you just need to work together sometimes.