The reviewer checklist

Nicola Pietroluongo @niklongstone
THE REVIEWER
CHECKLIST
How to be a better reviewer

“ I’m really good at stuff until people watch me
do that stuff.
-Nerd Anatomy

Nicola Pietroluongo
@niklongstone
▪ Lead developer/Solution architect
▪ Tech article writer
▪ Open Source contributor
▪ Author of “Learning PHP7” by Packt Publishing
▪ +10y of PHP programming
▪ Amazon Alexa skill challenge award winner

Main areas
What we are going to cover
▪ Introduction to code review
▪ The checklist
▪ Tools and conclusions

1.
What code review is
Introduction to code review, things to do before

“ Code review is systematic examination of
computer source code. It is intended to find
mistakes overlooked in the initial development
phase, improving the overall quality of team
and software.
-Wikipedia

TYPES OF CODE REVIEW

Formal
Inspection
/
Fagan
Inspection Meeting
http://www.mfagan.com/pdfs/software_pioneers.pdf
https://www.cs.umd.edu/class/spring2005/cmsc838p/VandV/fagan.pdf
OverviewPlanning Preparation Rework

Over-the-
shoulder

Pull
request

Pair
programming

FeedbackSpot the error Fix
TIME
Key points

Pair
Programming
TIME
Feedback
Spot the
error
Fix

GENERAL RULES

Share
Findings

“ Time is money
-Your boss when you’re late

Manage your time
Provide quick feedback
▪ Inspection rate 250 lines/hours
▪ Review 200-400 lines per review session
▪ Quick Feedback

Capture metrics
Define goals
▪ Lines Of Code
▪ Function Point
▪ Defect Density
▪ Risk Density
▪ Code Coverage
▪ Defect Detection Rate
▪ Defect Correction Rate
▪ Cyclomatic Complexity

Cyclomatic Complexity
Thomas J. McCabe, Sr. 1976
▪ E: Edges
▪ N: Nodes
▪ P: Number of exit points
(CC) = E - N + 2P
http://www.literateprogramming.com/mccabe.pdf
http://www.mccabe.com/pdf/More Complex Equals Less Secure-McCabe.pdf
A
B
C D
E

Cyclomatic Complexity
A>B
B==1
END IF
END IF
A=BB=0
7 Edges
6 Nodes
CC = 7- 6 + 2 = 3
T
TF
F

It’s a Bug Hunt
NOT
a Blame Game

WHEN QUICKLY DECLINE

When
the pull request is out of scope
you should _______
When quickly decline?

When
the pull request is out of scope
you should DECLINE

When
the code has no test coverage
you should _______

When
the code has no test coverage
you should DECLINE

When
you don’t like the solution provided
you should _______

When
you don’t like the solution provided…
you should _______

Production
Border
Force

2.
The checklist
Reviewer’s responsibilities

The checklist
What we will cover
▪ Best Practices
▪ Foundation
▪ Architecture
▪ Key Areas (Security, Logging, Performances)

BEST PRACTICES

“ Fat model, skinny controller
-Weight Watchers

Services
config
# Sf 2.8 app/config/services.yml
services:
# keep your service names short
app.slugger:
class: AppBundleUtilsSlugger
# Sf 3.3 app/config/services.yml
services:
# use the fully-qualified class name as the service id
AppBundleUtilsSlugger:
public: false

Adopt what’s make your team’s life easier.
Best practices

Controller as a
Service
class EventController
{
//...
public function __construct(
TemplatingEngine $templating
Router $router,
LoggerInterface $logger,
EventRepository $eventRepository
)
//...
public function indexAction($id)
{
//...

FOUNDATION

Parameters/
Return Types
/**
* Get options.
*
* @param string $name
* @param mixed $value
*
* @return mixed $option
*/
public function getOption($name, $value)
{
//...

Dependency
Constraint

Alternatives/
Deprecations

TEST

ARCHITECTURE

“ Never assume anything
-Law enforcement

“ To bundle or not to bundle,
that is the question
-Sf Hamlet

Folder
structure

KEY AREAS

Security
CSRF token
# app/config/security.yml
security:
# ...
firewalls:
secured_area:
# ...
form_login:
# ...
csrf_token_generator: security.csrf.token_manager
# twig template
{# ... #}
<form action="{{ path('login') }}" method="post">
{# ... the login fields #}
<input type="hidden" name="_csrf_token"
value="{{ csrf_token('authenticate') }}"
>
<button type="submit">login</button>
</form>

OWASP - Code Review Guide
https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project

Syslog Message Severities
RFC 5424
Numerical Code Severity
0 Emergency: system is unusable
1 Alert: action must be taken immediately
2 Critical: critical conditions
3 Error: error conditions
4 Warning: warning conditions
5 Notice: normal but significant condition
6 Informational: informational messages
7 Debug: debug-level messages

“ I want it all, I want it now
-Queen

Website
Performance
source : Akamai.com

Loops
A)
for ($i = 0; $i < count($array); $i++) {
B)
$total = count($array);
for ($i = 0; $i < $total; $i++) {

3.
Tools
Tools and automation

Blackfire

SensioLabs
Insight

PHP CSF

Exakat

PhpMetrics

PHP MD

PHPMD
$ ./phpmd.phar filesOrDir reportFormat rules
$ ./phpmd.phar fileA.php,fileB.php text cleancode,codesize

Git diff
$ git diff --name-only --diff-filter=d master
src/CinemaBundle/Controller/CinemaController.php
src/CinemaBundle/Entity/Screening.php
src/CinemaBundle/Entity/ScreeningVenue.php
src/CinemaBundle/Entity/Showing.php

Sed
$ sed ':a; $!N; s/n/,/; ta'
:a creates a pattern
$!N appends lines to the pattern if not last line
s/n/,/ replaces new line with comma
ta repeat the a

Pull it together
*All in one line
./phpmd.phar
$(git diff --name-only --diff-filter=d master |
sed ':a; $!N; s/n/,/; ta')
text cleancode,codesize

“ Automate, automate, automate.
Allright, allright, all right.
-Matthew McSymfony

LIGHT TOUCH REVIEW

Light touch review
Inspect what’s critical
▪Automation
▪High code coverage
▪Small and contained release
▪Good knowledge of the project, business and practices

Thanks!!NicolaPietroluongo.com
@niklongstone
https://github.com/niklongstone
https://joind.in/talk/20dcd

The reviewer checklist

Recommended

Recommended

More Related Content

Similar to The reviewer checklist

Similar to The reviewer checklist (20)

Recently uploaded

Recently uploaded (20)

The reviewer checklist

Editor's Notes