Code review is one of the oldest and most reliable methods of defect detection. It is based on the simple idea used in many other areas of human life: if a problem is being discussed and solved by several people, they will be able to work out a better solution and avoid many mistakes. When one is working alone, one may even not suspect he/she is making an obvious mistake or realizing something in a non-optimal way.
The code review method implies collaborative attentive reading of source code and suggesting recommendations on improving it. Errors or potentially incorrect code fragments are detected during the process of code review. It is also accepted that the author of the code shouldn't give any explanations on how a certain part of the program works. The execution algorithm should be clear directly from the program text and comments. If the code doesn't meet this condition, it should be revised.
Code review is usually an effective method, as programmers notice errors in another's code easier than in their own. Code review also fulfills an educational purpose: programmers participating in the review learn new programming methods, patterns and good coding styles. To learn more about the code review method see a wonderful book by Steve McConnell "Code Complete" . The Wikipedia article might be of interest too: Code review .
The only yet great disadvantage of this method is its high cost. You need to gather several programmers regularly to review fresh code or re-review revised code. It distracts programmers from their own tasks and requires their focusing on the new work. At the same time, they need regular breaks. If you try to review large code fragments at once, your attention quickly weakens and the benefit of code review decreases as quickly. As a result, a great many man-hours are spent on code review.
A compromise solution that helps reduce the price of code analysis is using specialized software tools. These tools perform static code analysis and give recommendations to the programmer on which code fragments to consider. Since static analyzers don't possess AI, they perform analysis worse than a programmer. On the other hand, these tools work fast, don't get tired and can be used regularly. The static code analyzer PVS-Studio developed by our company is one of these programs. It has an especially useful mode of incremental analysis which is launched automatically after compiling modified files. Consequently, many bugs and misprints can be caught very early.
- Steve McConnell, "Code Complete, 2nd Edition" Microsoft Press, Paperback, 2nd edition, Published June 2004, 914 pages, ISBN: 0-7356-1967-0.
- Wikipedia. Code review. https://en.wikipedia.org/wiki/Code_review