## Review Checklist

In this section we are going to have basic coding review checklist based on generic good coding practices. It is advisable for developers to review their code based on it before code `check-in`. 

It can also act as a guide for new tech leads, who have recently started the manual code review. 

### General

#### Does the updated code work as intended

#### Is the code easy to understand

#### All agreed coding standards and convensions are followed

#### Is there any dedundant code

#### Is the code modular and reused code in proper place (common utils, classes etc)

#### Global variables are not present

#### Are there any commented out code and if present is the reason present why

#### Are function, classes, logic has been properly commented and existing comments updated to reflect the changes at relevant places

In [None]:
#### 


Does it conform to your agreed coding conventions? These will usually cover location of braces, variable and function names, line length, indentations, formatting, and comments.
Is there any redundant or duplicate code?
Is the code as modular as possible?

Can any global variables be replaced?
Is there any commented out code?
Do loops have a set length and correct termination conditions?
Do the names used in the program convey intent?

Performance

Are there any obvious optimizations that will improve performance?
Can any of the code be replaced with library or built-in functions?
Can any logging or debugging code be removed?
Security
Are all data inputs checked (for the correct type, length, format, and range) and encoded?
Where third-party utilities are used, are returning errors being caught?
Are output values checked and encoded?
Are invalid parameter values handled?
Documentation
Do comments exist and describe the intent of the code?
Are all functions commented?
Is any unusual behavior or edge-case handling described?
Is the use and function of third-party libraries documented?
Are data structures and units of measurement explained?
Is there any incomplete code? If so, should it be removed or flagged with a suitable marker like ‘TODO’?
Testing
Is the code testable? The code should be structured so that it doesn’t add too many or hide dependencies, is unable to initialize objects, test frameworks can use methods etc.
Do tests exist, and are they comprehensive?
Do unit tests actually test that the code is performing the intended functionality?
Could any test code be replaced with the use of an existing API?
Key Points

There are about 15-20 common mistakes made by programmers.
A checklist is a useful means of ensuring that common mistakes are identified.

Code

Does it compile? Look for obvious errors, most IDEs will spot them for you. Baffling that these kind of issues slip into code completes, but we are all humans and mistakes happen. Most common reasons: last minute untested change that surely won’t break anything or forgot to push the fix.

Can you spot any runtime errors just by looking at code? Try to reproduce the exception.

Is the feature/bugfix complete? Does it tick off all the requirements? Is there anything missing or misbehaving?

Is this a good solution? Is this the best solution out of all those that have been considered? This is mostly related to system design and general approach to problem solving. The definition of good and best is context dependent.

Does it introduce any security holes? Definitely not something to be disregarded.

Is the code efficient in whatever metrics matter for your case?

Is it logically correct? Does it solve the problem? This is usually central to the code review, hence obvious, but I don’t want to skip obvious steps.

How does it affect the rest of the system? We review code diffs with no or minimum context regarding the rest of the codebase. With diffs you can only see that much, thus how about start looking in other places? Think about all the other components that might depend on this change. Where any of the APIs violated?

Is it within the scope? Does the ticket touch any unrelated parts of the codebase or does side fixes? The more it gets cluttered, the more complicated it becomes to review, test and release. Stay on topic.

Are there any code style issues? Conventions are important for the sake of codebase sanity. I know we all have strong opinions about all the things, but for your team and code well-being, please disagree and commit.

Is the code readable? Can someone else understand it? How long did it take you to figure it out? Do all namings make sense?

Does it have good and enough documentation? Not to be ignored or considered of least importance.

Automated testing

Does it need tests? Sometimes a favicon update will do just fine without tests.

Does it have tests? Seriously, write tests.

Are tests logically correct? Tests can have bugs too. Review tests thoroughly.

Are tests simple, easy to read and debug? Forget about DRY, don’t build a whole infrastructure to test your code (unless you are writing an isolated testing framework with a clear API that everyone else on the team is more or less familiar with), KISS (keep it simple, stupid). If something fails, it should be apparent what broke.

Are tests testing the right thing? Tests are not a checkbox to be ticked off, they are your safety net. Just the existence of tests or higher test coverage doesn’t guarantee a bug-free life. Make sure to get a good insurance with a solid testbase.

Are tests testing the edge cases? Best case scenarios suck!

Manual testing

Can you run the code? Don’t skip that. Automated tests look good on paper (ehhhm, computer screen?), but running the project is still a good idea. Automated tests reduce manual testing to the minimum, but don’t exclude it completely.

Can you follow through several test scenarios? Pick obvious and non-obvious ones: do they succeed?

Is the rest of the system looking/working fine? Links to How does it affect the rest of the system? from Code section. Similar, but more straight-forward. Have a click-around and make sure things are fine.

Can you break it? Try to think of ways it might fail: feed it large sets of data, consider third-party systems downtime and how it can affect you, use an unusual email address (did you know email address can have comments in-between tokens?). Don’t worry, your users will still find ways to break it for you.

Code Is Easy To Debug

A peer code reviewer need to ensure the code is easy to debug in non developer environment. This may relate to few things 
There needs to be enough logging in the code. Code needs provide enough logging to work in debugging mode for application.
There needs to be enough comments in the code.
There needs to be enough monitoring related code.

Code Documentation

Writing code comments is helpful however not always necessary. Sometimes the code is not self explanatory, or does something un-usual. It needs to be well documented.


Code Indentation And Readability

All developers in a team needs to use common formatting tool with same formatting styles to avoid version control conflicts and difficulty in reading file changes. There is no right or wrong way to format code, however make sure the team uses the same formatting.


Exception Handling

Exception handling code is often ignored in critical timelines. A code reviewer must ensure that sufficient exception handling is done in code. Unit test cases should also be addd to check for all exception scenarios. Some common exception scenarios are
Null objects
Empty objects
Invalid format values
Boundary conditions

Logging Key Attributes For Debugging

Debugging information is important to support and maintain applications. Logging required key attributes makes the job of dev ops and support team easy. Developer and Code reviewer needs to ensure that all key attributes are being logged.



Eliminate Unwanted Code And Libraries If Not Used

Its common habit of developers to not remove unused code from a file. This is mainly since they think it may be required in future. Some developers tend to comment it so it can be used later. This makes the code unreadable. The code reviewer must make sure that all such code is removed. Developers can always go back to a previous version of code in version control. However, in my observation, a commented code is almost always not reused.


Handling NULL And Empty Object Scenarios

Not handling NULL and Empty objects causes many production related problems. A code reviewer must be explicitly watching for these issues.  Unit test cases should also be addd to check for all NULL and Empty object scenarios.


Sticking To Coding Standards

A software needs to follow consistent coding practices. There are coding standards available in almost any programming language. Stick to the standard coding practices to ensure everyone speaks the same language. It makes it easier for a new developer to start understanding the code faster.


Avoid Hard Coding - Prefer Configuration

Many configurations are often hard coded by developers inside the compiled code and makes it difficult to change the behavior of software. For example an optional feature should have a configuration that can enable or disable a feature. I code reviewer my look for such opportunities to ensure configuration is preferred over hard coding.


Code Performance

Performance of the code is important, however difficult to measure depending on type of software. Its important that a code reviewer looks at the performance of a code in various aspects. 
Time to do the task - How much time it take to finish the task. Is it acceptable?
Memory or Number of objects used to do the task.  Is it acceptable?
Number of threads or processes to do the task.  Is it acceptable?
Concurrency limits of the task. How many tasks can be performed by the program concurrently
.

Scalability


Scalability of the code may be a important concern, depending on your requirements.  Its important that a code reviewer looks at the scalability of a code in various aspects. 
Will the current software scale with new changes.
Will there be any impact on scalability in future.

Code Security Review

This is most difficult step in code review since not many people know how to write secure code. Some common guidelines are listed below for a secure code
Encrypt sensitive user information (e.g. SSN, passwords, credit card numbers etc)
Never log sensitive information on log files, it can be dangerous and make hacking easy.
Disable Weak Ciphers on your app/web servers.
Use trusted libraries for cryptography and encryption instead of inventing your own.
Watch for OWASP top 10 issues are addressed in a web facing application.

Releasing Resources

Releasing resources in a busy application is really important step that is often missed out by hasty developers. Ensure all important and shared resources are being released by each code block. Following scenario must be covered

Releasing of resources after the task is completed successfully.
Releasing resources after the task has failed.
Release resources after there is exception in processing task.

Encourage Code Reusability

Copy/Paste is developers best friend.  Many lines of code is duplicated by simply doing a copy paste. This seems to solve problem in short term however creates maintenance issues in long run. Any copy/paste candidate in code must be refactored to be re-usable. It needs to be done carefully since many other code blocks may be calling it already.


Concurrency, Thread Safety And Deadlock Related Issues Are Considered

Most of the developers are not writing multi threading code and concurrent applications. Therefore these aspects are often ignored by developers. You must pay careful attention to your code block and understand its behavior when multiple thread will try to access it at same time. Ensure all shared variables are minimized and handling concurrency of multiple threads is not leading to a potential deadlock situation.


Use Of Design Patterns When Required

It is not easy to spot a design pattern in a bad code, however an experience programmer can easily suggest a better approach provided enough knowledge of the software. 
Try to spot common design pattern application on existing code and see how you can improve it. Use of design pattern improves maintainability of source code.