code-review
原文: https://github.com/ryanmcdermott/code-review-tips
code-review-tips
Table of Contents
- Introduction
- Why Review Code?
- Basics
- Readability
- Side Effects
- Limits
- Security
- Performance
- Testing
- Miscellaneous
Introduction
Code reviews can inspire dread in both reviewer and reviewee. Having your code analyzed can feel invasive and uncomfortable. Even worse, reviewing other people's code can feel like a painful and ambiguous exercise, searching for problems and not even knowing where to begin.
This project aims to provide some solid tips for how to review the code that you and your team write. All examples are written in JavaScript, but the advice should be applicable to any project of any language. This is by no means an exhaustive list, but hopefully this will help you catch as many bugs as possible long before users ever see your feature.
Why Review Code?
Code reviews are a necessary part of the software engineering process because you alone can't catch every problem in a piece of code you write. That's ok though! Even the best basketball players in the world miss shots.
Having others review our work ensures that we deliver the best product to users and with the least amount of errors. Make sure your team implements a code review process for new code that is introduced into your codebase. Find a process that works for you and your team. There's no one size fits all. The important point is to do code reviews as regularly as possible.
Basics
Code reviews should be as automated as possible
Avoid discussing details that can be handled by a static analysis tool. Don't argue about nuances such as code formatting and whether to use let
or var
. Having a formatter and linter can save your team a lot of time from reviews that your computer can do for you.
Code reviews should avoid API discussion
These discussions should happen before the code is even written. Don't try to argue about the floor plan once you've poured the concrete foundation.
Code reviews should be kind
It's scary to have your code reviewed and it can bring about feelings of insecurity in even the most experienced developer. Be positive in your language and keep your teammates comfortable and secure in their work!
Readability
Typos should be corrected
Avoid nitpicking as much as you can and save it for your linter, compiler, and formatter. When you can't, such as in the case of typos, leave a kind comment suggesting a fix. It's the little things that make a big difference sometimes!
Variable and function names should be clear
Naming is one of the hardest problems in computer science. We've all given names to variables, functions, and files that are confusing. Help your teammate out by suggesting a clearer name, if the one you're reading doesn't make sense.
// This function could be better named as namesToUpperCase |
Functions should be short
Functions should do one thing! Long functions usually mean that they are doing too much. Tell your teammate to split out the function into multiple different ones.
// This is both emailing clients and deciding which are active. Should be |
Files should be cohesive, and ideally short
Just like functions, a file should be about one thing. A file represents a module and a module should do one thing for your codebase.
For example, if your module is called fake-name-generator
it should just be responsible for creating fake names like "Keyser Söze". If the fake-name-generator
also includes a bunch of utility functions for querying a database of names, that should be in a separate module.
There's no rule for how long a file should be, but if it's long like below and includes functions that don't relate to one another, then it should probably be split apart.
// Line 1 |
Exported functions should be documented
If your function is intended to be used by other libraries, it helps to add documentation so users of it know what it does.
// This needs documentation. What is this function for? How is it used? |
Complex code should be commented
If you have named things well and the logic is still confusing, then it's time for a comment.
function leftPad(str, len, ch) { |
Side Effects
Functions should be as pure as possible
// Global variable is referenced by the following function. |
I/O functions should have failure cases handled
Any function that does I/O should handle when something goes wrong
function getIngredientsFromFile() { |
Limits
Null cases should be handled
If you have a list component for example, all is well and good if you display a nice beautiful table that shows all its data. Your users love it and you get a promotion! But what happens when no data comes back? What do you show in the null case? Your code should be resilient to every case that can occur. If there's something bad that can happen in your code, eventually it will happen.
class InventoryList { |
Large cases should be handled
In the list above, what would happen if 10,000 items came back from the inventory? In that case, you need some form of pagination or infinite scroll. Be sure to always assess the potential edge cases in terms of volume, especially when it comes to UI programming.
Singular cases should be handled
class MoneyDislay { |
User input should be limited
Users can potentially input an unlimited amount of data to send to you. It's important to set limits if a function takes any kind of user data in.
router.route('/message').post((req, res) => { |
Functions should handle unexpected user input
Users will always surprise you with the data they give you. Don't expect that you will always get the right type of data or even any data in a request from a user. And don't rely on client-side validation alone
router.route('/transfer-money').post((req, res) => { |
Security
Data security is the most important aspect of your application. If users can't trust you with their data, then you won't have a business. There are numerous different types of security exploits that can plague an app, depending on the particular language and runtime environment. Below is a very small and incomplete list of common security problems. Don't rely on this alone! Automate as much security review as you can on every commit, and perform routine security audits.
XSS should not be possible
Cross-site scripting (XSS) is one of the largest vectors for security attacks on a web application. It occurs when you take user data and include it in your page without first properly sanitizing it. This can cause your site to execute source code from remote pages.
function getBadges() { |
Personally Identifiable Information (PII) should not leak
You bear an enormous weight of responsibility every time you take in user data. If you leak data in URLs, in analytics tracking to third parties, or even expose data to employees that shouldn't have access, you greatly hurt your users and your business. Be careful with other people's lives!
router.route('/bank-user-info').get((req, res) => { |
Performance
Functions should use efficient algorithms and data structures
This is different for every particular case, but use your best judgment to see if there are any ways to improve the efficiency of a piece of code. Your users will thank you for the faster speeds!
// If mentions was a hash data structure, you wouldn't need to iterate through |
Important actions should be logged
Logging helps give metrics about performance and insight into user behavior. Not every action needs to be logged, but decide with your team what makes sense to keep track of for data analytics. And be sure that no personally identifiable information is exposed!
router.route('/request-ride').post((req, res) => { |
Testing
New code should be tested
All new code should include a test, whether it fixes a bug, or is a new feature. If it's a bug fix, it should have a test proving that the bug is fixed. And if it's a new feature, then every component should be unit tested and there should be an integration test ensuring that the feature works with the rest of the system.
Tests should actually test all of what the function does
function payEmployeeSalary(employeeId, amount, callback) { |
Tests should stress edge cases and limits of a function
function dateAddDays(dateTime, day) { |
Miscellaneous
"Everything can be filed under miscellaneous"
George Bernard Shaw
TODO comments should be tracked
TODO comments are great for letting you and your fellow engineers know that something needs to be fixed later. Sometimes you gotta ship code and wait to fix it later. But eventually you'll have to clean it up! That's why you should track it and give a corresponding ID from your issue tracking system so you can schedule it and keep track of where the problem is in your codebase.
Commit messages should be clear and accurately describe new code
We've all written commit messages like "Changed some crap", "damn it", "ugg one more to fix this stupid bug". These are funny and satisfying, but not helpful when you're up on a Saturday morning because you pushed code on a Friday night and can't figure out what the bad code was doing when you git blame
the commit. Write commit messages that describe the code accurately, and include a ticket number from your issue tracking system if you have one. That will make searching through your commit log much easier.
The code should do what it's supposed to do
This seems obvious, but most reviewers don't have the time or take the time to manually test every user-facing change. It's important to make sure the business logic of every change is as per design. It's easy to forget that when you're just looking for problems in the code!