About this research note: Implement & Integrate notes provide comprehensive, step-bystep guidance on the best practice

implementation of technologies, tools, and processes.

Rapid Code Inspection Speeds Bug Discovery

Publish Date: August 13, 2008

Code inspection is a powerful technique that identifies code defects early in the development cycle when they are inexpensive to remove. Nonetheless, many development teams avoid code inspection because of the overhead involved in review meetings and defect tracking. Learn a rapid code inspection method that leverages collaborative technologies to glean maximum benefit at a minimum time investment.

1998-2008 Info-Tech Research Group

Executive Summary
Code inspection is the peer review of proposed code for the purpose of identifying defects. Although this review can identify defects early in the development cycle when they are inexpensive to remove, many development teams do not practice it because of the time consuming nature of traditional code inspection. The rapid code inspection method described in this research note provides the benefits of traditional code inspection with a substantially lower time investment. This note covers the following topics: Cultivating a code-review culture. Using a style guide. Developing inspector and author checklists. Preparing for inspection with bench checks and annotations. Submitting the optimal amount of code and reviewing for the optimal time period. Using a central repository to track defects. Holding reply meetings. Verifying that defects are fixed.

Learn a rapid code inspection method that can be adapted by any team for a variety of development methods.

Implement & Integrate Rapid Code Inspection Speeds Bug Discovery

2 www.infotech.com

Implementation Point
A recent review of 68 studies on the economics of defect detection found that the earlier in the development cycle a defect is detected, the less time consuming and costly it is to remove (see Figure 1).

Figure 1. Hours Required to Remove a Defect at Various Phases

Source: Based on data published in the Proceedings of the 2006 ACM/IEEE International Symposium on Empirical Software Engineering

Requirements Design Phase Discovered Coding Unit Test Integration Test System Test 0

1.06 2.31 2.71 3.45 5.42 8.37 2 4 6 8 10

Hours to Remove

Code inspection the peer review of proposed code for the purpose of identifying defects is a powerful technique for removing code defects early in the development cycle when they are inexpensive to remove. In addition to providing cost-effective defect removal, code inspection facilitates knowledge transfer, provides informal training, and encourages developers to write the best code they can because they know it will be inspected.

Implement & Integrate Rapid Code Inspection Speeds Bug Discovery

3 www.infotech.com

Key Considerations
Given the benefits, why dont all development teams inspect their code? The reasons can be grouped into two main categories: Psychological barriers. Human beings dont generally ask to be criticized, and pointing out code defects can feel like criticism. In extreme cases, poorly delivered feedback can create conflict in the team that leads to hurt feelings and impairs productivity. One response is to avoid code inspections. A more constructive response is to overcome psychological barriers by fostering a code-review culture. Practical barriers. A formal Fagan inspection requires a review meeting that takes time to organize (schedule, distribute code, etc.) and implement (carry out the meeting). A typical Fagan inspection takes nine person-hours per 200 lines of code reviewed. Although Fagan inspections demonstrate good ROI (for example, Hewlett-Packard accomplished a 10:1 ROI), the time required can make them difficult to implement for groups following an agile development process or those pressured to deliver as soon as possible. While some of these nine hours are consumed in the actual inspection of code, some of them are non-productive overhead that can be reduced by either eliminating or restructuring the review meeting.

Common Lightweight Approaches

In practice, development teams have scaled back the Fagan inspection to make it more lightweight. Some approaches that are easier to implement but problematic for other reasons include the following: Walkthrough is an informal group review where authors walk their colleagues through the code and receive comments. Typically, reviewers do not prepare for the meeting. Because authors are guiding the process and usually at a fast pace, there is a high risk that defects will be overlooked. Additionally, corrections are not usually verified. Over the shoulder review has a single reviewer looking over the shoulder of the author as the author guides the reviewer through the code. This is a useful way to get input on a particular programming problem, but it is inadequate for a full review for the same reasons that the walkthrough is inadequate: defects can be overlooked in an author-guided process and there is usually no follow-up because it is not built into the process. E-mail pass around. Here, the author simultaneously e-mails source files to all reviewers, who return them with comments. Authors must compile all comments, which is time consuming. Additionally, corrections are not usually verified.

Although the methods above are not optimal, the rapid code inspection process described in the next section can provide most of the value of the full Fagan inspection in a significantly reduced time frame.

Implement & Integrate Rapid Code Inspection Speeds Bug Discovery

4 www.infotech.com

Implementation & Integration

Get maximum value from code inspection while keeping the time required to a minimum by applying the following points: 1. Cultivate a code-review culture. Promote the idea that the discovery of defects is a happy occasion. After all, it means delivering more stable code at lower cost. The idea that finding defects is positive is so unintuitive that it must be explicitly stated and regularly repeated. Managers must also publicly promise not to use defect metrics as part of performance evaluations, since doing so would make developers reluctant to gracefully accept feedback. 2. Use a style guide. To focus inspections on substantive issues and not on issues of style, develop a style guide that summarizes how to format code. 3. Develop inspector and author checklists. Checklists dramatically improve code inspection effectiveness by focusing reviewers on important issues that may otherwise be overlooked. In particular, errors of omission are difficult to notice without an external reminder. In addition to developing a checklist for inspectors, have authors develop personal checklists they can use to clean up code before submitting it for peer review. Authors tend to make the same mistakes repetitively, and a personal checklist not only saves time during peer review, but increases awareness to help train authors to avoid those same errors while coding. For information on how to develop a checklist, refer to the Info-Tech Advisor research note, Use Rapid Code Inspection Checklists to Zap Bugs Early. 4. Prepare for inspection with bench checks and annotations. A bench check is the self-review of compiled code using a personal checklist and style guide. Once authors have reviewed and corrected their code, they add comments to it to guide reviewers through the code. These annotations extend beyond traditional comments which explain non-intuitive code functions and speak directly to the reviewer, suggesting which file to start with, what the changes were, and why the changes were made. The process of explicitly guiding the reviewer not only increases reviewer productivity, but the introspection required to document the code also sheds light on poor coding choices that the author often self-corrects before submitting the code for review. 5. Submit 200-400 lines of code and spend about an hour reviewing it. The number of defects found decreases as the number of lines of code reviewed increases. The concentration of the reviewers wanes and other priorities place demands on their attention, making them less productive. Keeping the lines of code per review in the 200 to 400 range ensures a thorough inspection in a reasonable amount of time. Do not rush through a review, more defects are found when reviewers take about an hour to inspect approximately 400 lines of code.

Implement & Integrate Rapid Code Inspection Speeds Bug Discovery

5 www.infotech.com

6. Use a central repository to track defects. One major time sink with traditional code reviews involves consolidating the comments received from reviewers (often on paper). By using a single server-based document into which all reviewers enter their comments, teams can eliminate consolidation time and share comments between reviewers without holding a meeting. One reviewers comments help another reviewer to find additional defects, a process called phantom inspection in a traditional code review. A version-controlled spreadsheet posted to a server or Google Docs spreadsheet will do the trick for a small team. For an example of one, refer to the ITA Premium download, Code Inspection Tracker. For larger teams, consider collaborative code review software that not only supports defect tracking but also provides a host of comment routing and defect metric tracking features. Some examples include Smart Bear Softwares Code Collaborator and Atlassians Crucible. 7. Hold a reply meeting (optional). In a reply meeting, each author responds to the comments logged by reviewers. Authors can either accept that the defect needs to be corrected or defend its current implementation. Typically, the entire teams code can be replied to in a short meeting. The reply meeting facilitates communication between developers and provides a deadline by which reviewers must complete their inspection. However, in organizations where scheduling a reply meeting is difficult, it can be omitted and the replies entered into the central repository. 8. Verify that defects are fixed. To ensure that no defects fall through the inspection cracks, make someone responsible to verify that defects have been fixed. That person could be the team lead or the reviewer that discovered the defect.

Bottom Line
Code inspection is a powerful technique for identifying code defects early in the development cycle when they are inexpensive to remove. However, many development teams avoid code inspection because of the overhead involved in review meetings and defect tracking. Learn a rapid code inspection method that leverages collaborative technologies to glean maximum benefit at a minimum time investment.

Info-Tech's products and services combine actionable insight and relevant advice with ready-to-use tools and templates that cover the full spectrum of IT concerns. Our practical approach is designed to have a clear and measurable positive impact on your organization's bottom line. We serve over 21,000 clients at 8,000 organizations around the world. Since 1998, we have focused on making the work of IT professionals easier - and on helping them achieve greater personal and corporate success. More About Info-Tech

Implement & Integrate Rapid Code Inspection Speeds Bug Discovery

6 www.infotech.com