Code Review

A Team-Based Approach to Quality Assurance

Code review is a peer-review process used to examine code to identify problems and improve software quality. Code review is an important task in the development of software for embedded systems, especially those that require certification.

A code review team typically consists of a moderator, quality engineer or manager, and peer software developers. The team often uses a code review checklist to systematically review all pertinent aspects of the software. For example, the team might assess code complexity, look for common logical or programming errors, and check compliance to coding standards such as MISRA-C/C++ or CERT C/C++. Static code analysis tools are often used to assist in code reviews.

Why Conduct Code Reviews?

Software teams adopt code review practices to:

  • Detect coding errors: Reduce the risk that errors are found late in the development cycle or by a customer
  • Check for coding standards violations: Verify compliance with coding standards such as MISRA C, CWE, CERT C/C++, or AUTOSAR C++14
  • Reduce code complexity: Improve readability and maintainability and reduce the likelihood of faults and defects
  • Identify logic and architecture issues: Reduce software testing time and effort by catching these issues early
  • Promote team ownership: Improve quality and knowledge sharing by distributing responsibility
  • Mentor newer engineers: Coach new engineers on coding practices, design, and architecture

Best Practices for Code Reviews

A typical software development workflow.

Although there are a variety of code review techniques, most rely on a few best practices:

  • Define and communicate the code review goals and process: Integrate code reviews in the team’s software development process and ensure that the team understands the benefits of the process and team-member roles
  • Create a code review checklist: Provide code reviewers with systematic guidelines to verify that the code meets quality standards
  • Define the quality gate: Clearly identify criteria for the approval of code changes
  • Set a collaborative tone: Focus on the code, not the coder, to achieve code review goals, and remind reviewers to be objective, mindful, and constructive in their comments
  • Provide the necessary time: Limit code review time to less than 60 minutes, or about 400 lines of code at a time, to encourage reviewers’ concentrated attention
  • Provide adequate training: Focus on developing code review skills of team members

How to Make Code Reviews More Efficient

Inefficiency in the code review process can reduce productivity and cause frustration. Static analysis is a fast and efficient way to find programming errors and ensure compliance with coding rules and conventions. Code reviewers can focus on the more interesting and involved aspects of code review such as detecting logic and design issues.

How Polyspace Products Expedite the Review Process

Polyspace static code analysis products use formal methods to check source code for coding standard violations, code defects, and security vulnerabilities. You can also use these products to prove the absence of critical run-time errors under all possible control flows and data flows.

Polyspace easily integrates with other software development tools to support efficiency by ensuring static code analysis on every code submission:

  • Analyzing code before code reviews: Find issues as soon as the code is written using Polyspace as You Code from within integrated development environments (IDEs) such as Visual Studio, Visual Studio Code, or Eclipse. Developers can find issues in the file they are editing or run an analysis on all files before submitting for code review.

Detecting coding errors using the Polyspace as You Code plugin in Visual Studio Code.

  • Integrating static analysis with code review tools: Integrate Polyspace in code review tools such as Review Board and Gerrit, where Polyspace acts as a reviewer by running analysis on code changes and returning the results to the tool

Code review tool workflows with automated Polyspace analysis.

Learn More about Polyspace Products

  • Polyspace Bug Finder™ checks C/C++ source code for coding standard violations, finds several types of bugs, detects security vulnerabilities, and computes quality metrics such as code complexity metrics
  • Polyspace Code Prover™ uses formal methods to prove the absence of critical run-time errors in C/C++ source code without executing the code
  • Polyspace products for Ada prove the absence of run-time errors in Ada source code