logoalt Hacker News

The primary purpose of code review is to find code that will be hard to maintain

249 pointsby ColinWrighttoday at 11:41 AM129 commentsview on HN

Comments

thaynetoday at 4:04 PM

Code review doesn't have a single purpose. Finding code that is hard to maintain is one of those, and and an important one, but certainly not the only one, and I'm not sure it is even the most important one. Other purposes include:

- a safety check to ensure that if a developer (or AI) goes rogue, it is more difficult to merge malicious code

- a second perspective from someone who isn't as close to the problem and might see a better way to do things, or problems that the original developer missed

- in some cases having someone more familiar with other parts of the system look at it who can tell if it won't interact well with something else

- ensuring there is at least one other person familiar with the code

- a learning opportunity. The author can learn from feedback from the review, and the reviewer can learn from the code in the change. Especially important when the author and reviwer have differing seniority. When I mentor a new employee, I add them as a reviewer to all my PRs so they can see how I do things, and review all their PRs so I can provide guidance. And sometimes I even learn things from them!

- yes, catching bugs, although this should not be the primary mechanism for that, and I agree is not the most important reason. It is especially important for security and performance bugs though, as those are harder to catch with automated testing.

show 6 replies
donatjtoday at 1:47 PM

What I find to be maybe the single most important part of code review is knowledge transfer.

Our entire small team thumbs up a PR before it's merged unless there's a big rush on it, and this gives everyone on the team a rough idea of the state of the codebase at any given time. There's no being blindsided like "this whole system I depend on is gone" like I had happen at far more siloed places I've worked.

Beyond that, it gives a forum to ask questions about how things work to further build understanding. On a high functioning team, every developer should have at least a modest understanding of the entire system, including parts they never touch.

Another important feature is just the institutional knowledge check. For instance recently I made a small change to a table and a coworker pointed out that there was a microservice I wasn't considering that wrote to that table that would break (yes, sharing tables is bad design, unrelated). I had no idea this microservice existed let alone had access to this table. The institutional knowledge check here though prevented a larger issue and potential data cleanup situation.

show 9 replies
sjburttoday at 1:40 PM

My attitude has always been that code review is best thought of as the gate where code goes from being owned by the author to being owned by the team or project. The code I'm reviewing is not your code, it is code that is about to become our code.

Maintainability is a major factor in that, of course.

show 1 reply
titzertoday at 1:46 PM

This just makes reviewers and authors lazier.

The purpose of code review is multi-faceted. Hard to maintain? Yes. Might have bugs? Yes. Can be done simpler/cleaner? Yes. Is in line with project code style? Yes. Get someone else to also understand the code? Yes. Onboard junior team member? Yes. Sanity check design decisions? Yes.

This flippant note is mostly more self-justification for being a lazy code reviewer.

show 3 replies
whilenot-devtoday at 3:20 PM

> it is not in general possible to find bugs by examining the code.

Oh hell yes it is, at every level of abstraction even. We call those things code smell... A file descriptor that hasn't been closed, a coroutine that hasn't been awaited, a big try/catch block that just falls back to some value without logging the error, wrong type castings, etc.

As a general rule: Neither type checker, nor compiler, nor runtime should ever be steps that merely want to be satified - work with these steps and treat them as the valuable tools they are, and never work against them.

ak217today at 6:19 PM

The primary purpose of code review is whatever your organization decides it wants it to be. The post makes a good enough point but undermines it with this dogma.

BariumBluetoday at 1:39 PM

True - the biggest thing I want to catch in an MR is "will this change lead us onto a path that is uglier, buggier, less maintenanable".

People will generally copy and follow existing patterns, so for example if you let somebody add a new internal date time format, then soon your codebase will bifurcate and there'll be multiple inconsistent versions roaming around.

The other stuff (minor bugs, overly verbose code) can easily be fixed. Paradigm rot cannot.

faitswulfftoday at 2:54 PM

Code review isn’t a singular thing. There are many reasons for code review, like knowledge sharing, liability laundering, code quality, regulatory compliance, etc. As usual, what purpose it serves depend on your use case.

show 1 reply
kasey_junktoday at 2:04 PM

It’s probably important to define what sort of code review you are talking about when making broad claims about it.

GitHub style asynchronous pull request review with inline comments is the norm now, but it’s not the only sort of review there is. I’m old enough to remember processes that include in person reviews that were more like a dissertation defense or conference presentation.

The literature around this that shows that code review is a useful quality practice (in fact one of the only useful quality practices) comes mostly from much more structured review processes than we see now.

My personal opinion is that before llms the GitHub style pr review was for making us feel better about our processes (or governance checkbox checking) and the age of llms will sweep them away as the cost/benefit is so much worse now.

show 1 reply
pmelendeztoday at 1:44 PM

Sure, ensuring maintainability is one of the benefits of code reviews, but I think it is a bold claim to say that's the solo purpose. For example, code reviews is also a tool that allows teams to get inform of the changes in the code and share responsibility of the whole code base.

mjdtoday at 1:46 PM

The author is a mathematician, so when he says “it is not in general possible to find bugs by examining the code” he does not mean it is completely impossible to find bugs. He means only that it is not possible to find all bugs or even any particular bug.

show 3 replies
silva97today at 2:35 PM

The author seens to misunderstand the purpose of code review. The purpose is, literally, review the code. Review means basically to think/talk about something again in order to make or not changes on it. When you review something (including code), you are basically asking for yourself: "Should it be changed or it's okay to stay like this?"

In order words, the purpose of code review is to or not ask for changes on the code.

brimtowntoday at 2:09 PM

The best writing on this is the "agent principal-agent" problem, which correctly frames the problem of agents and code review in terms of trust.

This is why the solutions for high-trust environments (small teams) and low-trust environments (big companies, open source projects) will be different.

https://crawshaw.io/blog/agent-principal-agent

show 1 reply
jdw64today at 2:37 PM

It seems the form that code review takes depends on the structure of the organization. In practice, some places use code review as a way to assert hierarchy and tear someone down, while in others it's a friendly, knowledge-sharing exchange. Code review varies depending on the organization's shape and the manager.

And I agree to some extent with what the OP's tweeter said. these days, bugs can look perfectly fine on the surface, but when combined with the existing system, entirely new types of bugs emerge. This is an especially common pattern in the AI era: the added code itself isn't the problem, but it becomes a bug once it interacts with the existing codebase.

k3vinwtoday at 5:17 PM

I appreciate the perspective, but code reviews are subjective. The tooling and the language can be so good that it shifts to this kind of utopian state, where all bugs are caught and eliminated by guarantees in the language and tooling. Or they could be dismal to the point a human needs to check for mundane issues like bugs in the code.

Splice9160today at 5:19 PM

Maintainability is incredibly important, but acting like bug-catching is just a "happy little accident" of code review is an over correction. A good code review should make sure the code is readable and that it actually does what it’s supposed to do without breaking the system. You need to do both.

hakunintoday at 4:26 PM

I think the author is right.

There are many peripheral nice-to-haves you can get from a code review. Bugs, security, performance, correctness issues are all possible bonus findings you may get sometimes.

But there is only one _must_ in reviews: another person reading and understanding the code, possibly suggesting architectural improvements, or asking questions that should be answered by rephrasing the code for clarity, or by adding code comments. In other words: maintainability. That's the one thing that's not a bonus point, and is a constant for all code reviews.

trentnixtoday at 2:49 PM

> The primary purpose of code review is to find code that will be _hard to maintain_.

In some organizations, maintainability may be the biggest risk being mitigated in a code review. But for me, that's selling code reviews short.

In my experience, code reviews are the single most important quality control process in the entire development life cycle. Engineers often don't have a lot of influence over the quality of requirements. Engineers often don't have a lot of influence over the competence and thoroughness of the QA process (and it often doesn't exist at all). But engineers frequently have total control over code reviews.

If I can't depend on the rest of the organization for QC, code reviews are the first place I look to mitigate that risk. That means code reviews find bugs. That means code reviews identify code smells. That means code reviews pressure test requirements and whether the implementation matches the assignment. That means code reviews transfer knowledge and serve as a teacher for both the PR author and the reviewer. And so on.

Thorough and pedantic code reviews are challenging and tedious, at least at first, but the team adapts and both the code and the review process gets better.

khurstoday at 2:30 PM

"The purpose of code review is not for the reviewer to find bugs"

Well kinda - code review needs to identify any missing tests? And without the tests more likely a bug could exist.

david422today at 2:29 PM

I work with someone who tends to rejects PR suggestions. I also work with someone else who accepts suggestions.

I think that the for the person who accepts suggestions, it's made me wonder if they accept them in part to share ownership with me. I feel like we both maintain and understand the code, and are on the same page.

For the person who rejects PR suggestions, it makes me less inclined to participate in those PRs. Why spend the time doing a thorough review if it's going to get rejected anyways.

show 2 replies
felooboolooombatoday at 2:50 PM

> The primary purpose of code review is to find code that will be _hard to maintain_

Says who? I agree that it's a good purpose. But the main problem with code reviews is not having a in-house code review guidance. Doesn't need to be long. 1 page would do wonders. Then we're all on the same page.

munksbeertoday at 3:30 PM

Look at the state of the comments on that thread.

"This is completely false! Code is review is to ..." proceeds to state an opinion.

Sometimes, some days, I just look forward to not having to deal with programmer hubris ever again.

show 1 reply
empiricustoday at 2:34 PM

Well, we are dumb and we make stupid mistakes, and code review can find and fix them sometimes. I am very surprised that the practice of "review" is not more widespread. For example when I see medical doctors going YOLO with their patients, ppl driving excavators, etc.

whateverboattoday at 2:39 PM

I think when the the SICP authors said

> “Programs must be written for people to read, and only incidentally for machines to execute.”

people probably did not realise what it meant, but AI is bringing it to forefront. Huge amount of work we do is essentially to communicate decisions we want to take, are going to take or have taken. It is a cornerstone of our society when people are continuously exposed to the relevant decisions which are taken in order to build a shared understanding and move forward.

Programming was nothing but that. We did not have a good enough compiler till now and we definitely do not have a good enough language to describe what we need (mostly because thoughts and world in general are so much more complex than any language). And therefore, we used the same language for computer to execute our code and for us to read and understand it. But the reason we store our code in human readable language and not machine code is because we want to communicate the code to future self.

That's why Elon musks's statement about just directly getting a binary makes no sense, because the language used to specify that binary needs to be stored in some engineering records anyway, and then "that is the code".

Code review is also exactly the same, it is a signal which says, "I want to take this decision, are you okay with us taking this decision?" and everyone interested signs off.

Bugs finding are just people going, "I completely agree with the principle of the decision but this particular part of decision is anti-thetic to the principle, should we fix it?"

gstetoday at 3:53 PM

"it is not in general possible to find bugs by examining the code"

That really depends on the quality of developers you are dealing with.

I certainly find myself assessing code quality, performance issues, shortcomings. Occasionally trivial bugs. Most importantly you review for taste, I'm tasting the code.

Maintainability is definitely important but is pretty subjective and is a subset of taste in general.

havbluetoday at 3:22 PM

I've been at a lot of companies where code is held hostage by the reviewers, specifically leads or wannabe leads. Interfaces matter. Maintainability matters. Memory allocation certainly matters. Code reviews frequently go down the rabbit hole of how the reviewer would prefer to design it and a long back and forth until the developer has, "explained himself", like it's a Breaking Bad confrontation. I think it devolves into a status battle.

show 1 reply
giancarlostorotoday at 3:19 PM

The other issue with code review, and I'm glad I've not worked with people like this anymore, for the person being reviewed: NOBODY IS ATTACKING YOU, nobody is saying your code is bad, the goal is to do a once-over for quality.

Another goal people often miss:

It's okay to ask "stupid questions" and I would argue as a Junior, ask away, even if no code changes happen, ASK. Kind of follows the spirit of the original post, which is, can you maintain this?

show 2 replies
firesteelraintoday at 2:28 PM

This post is inverted for high assurance domains. For example, DO-178C requires checks for compliance to requirements, coding standards, traceability, accuracy and verifiability.

zabiltoday at 2:57 PM

There more things in a pull request other that just reviews. It can run a build pipeline and give feedback, provision test instances to run quick tests.

It can also be used to add context and have a conversation around the why's before merging. And yeah while it's not the main purpose we've caught a lot of bugs too just from the statically reviewing code.

ruffreytoday at 3:23 PM

Agree and disagree. It seems hyperbolic to say code review isn't to find bugs; of course it is. That happens every week on my teams. But the main point is the knowledge transfer and readability of code.

pjmlptoday at 2:56 PM

In most projects I worked on it is plain burocracy to ensure the solution architect is happy with their hexagonal or clean architecture.

Really I can count up to five the amount of projects where good code review actually took place.

barbazootoday at 1:50 PM

> The primary purpose of code review is to find code that will be _hard to maintain_.

This makes me wonder if we all have a different primary purpose in mind when it comes to code reviews because that wouldn't be my number one. Talk within your teams would be my advice. Especially now with AI enabling more rapid changes.

d0livertoday at 2:09 PM

What if I told you that understanding what it is doing and finding bugs is actually the same problem?

show 2 replies
Ozzie_osmantoday at 1:45 PM

100% this. This is why it's so hard to trust AI on code reviews, at least for now.

resterstoday at 2:32 PM

I make code review and PR approval optional for my teams. A solid process should emerge from respect and peer pressure alone.

spacingtontoday at 1:37 PM

Found plenty of bugs by reading/doing code review.

show 1 reply
ChrisMarshallNYtoday at 2:52 PM

It's also important to help other members of the team to learn and understand.

misja111today at 2:39 PM

Nowadays the main point of PR's is to find out what Claude has been coding for me.

show 1 reply
jy14898today at 2:16 PM

Not all bugs are buffer overflows, many are just the code not doing what it claimed at a high level

webzltoday at 3:13 PM

The purpose of code review is to talk about the purpose of code review ...

I don't know, but this new definition seems to be very AI friendly and matches the recent transformation of this blogger.

lukascotoday at 3:41 PM

This is the big thing I'm struggling with:

Code reviews are still a critical step in most workflows. Though seems like everyone uses them for a different purpose: extra pair of eyes to meet a regulation/security, style police, and what this one says: maintainability.

And at the same time, code reviews are now a massive bottleneck in the development pipeline. Frankly, in a lot of teams they have been that for a long time. Though many would argue it was the only thing stopping absolute crap going into production.

But in a world where none of us writes code anymore, and I think we're there, even if the future is "just not evenly distributed" (Gibson), why should we have to do code reviews, the worst job of all?

Leaves me thinking that code reviews will land in the dustbin of history.

But for now I don't have a better solution.

jerftoday at 1:46 PM

One of my favorite little things to notice is when everybody thinks they know what something is, and they all agree about it, but they in fact don't agree. In this case we have the statement "Code review is a good idea". What right-minded software engineer could possibly disagree with that?

But then notice 1. the number of people jumping up to say "No, you don't understand the point of code review" and 2. how what follows "The point is..." varies between so many different people. I can't quite say it's a unique take per person, as I've seen before, there are some common threads, but they are also not all the same answer by any means either.

In this case, there isn't a "the" point of code review to discuss. It turns out that while we all may have thought we were doing it for the same reasons, we aren't. This is real. We don't have the same goals, we don't have the same methodology, and thus, the value we get from it may be different. And in fact it is perfectly reasonable to discuss the multiple cost/benefits ratios that differ across the various definitions, because the simplification "it's good, end of story" is destroying important distinctions.

In this situation, it is helpful to frame this as a matter of the costs and benefits of the various options available. Forget the statement "code review is good"; it is fallacious to start with that statement as an axiom and then argue about whether or not your definition of "code review" is or is not the "correct" definition so that your definition gets the "good" attribute applied to it. Consider the options directly.

(I have to admit I've used this effect in anger... in meetings where I can tell that everybody thinks they know what some project is but I can tell they all have a different definition of it in mind, but I also know it's not going to happen anyhow, I don't chase down the differences. Sometimes you can use this to your advantage to cut short what would otherwise be a quite interminable, yet ultimately pointless, meeting.)

hirvi74today at 2:36 PM

My employer has the weirdest code reviews I have ever participated in. I kid you all not, we all get around and it's like team-wide show and tell. We basically demo anything cool we learned, found, etc.. There is actually no real review of any code at all. At least, not in terms of quality or security.

show 1 reply
othmanosxtoday at 1:30 PM

I think you're missing the point of code review. By the time when the PR is ready to merge, discussions around the architecture and how the code should be structured should already be part of the tech design of a given feature. So the discussion around whether a A feature is built and planned in a maintainable way, should be way before a PR is filed. A PR review is making sure that you verify against the already agreed-upon structure, making sure everything matches the plan, and also find bugs and stuff that was missed, according to the plan.

show 1 reply
mannanjtoday at 4:12 PM

Why are we still so obsessed about maintaining code when rewriting it is very low cost now?

anal_reactortoday at 4:11 PM

It's kinda funny that we all agree that code review is important but we cannot agree why exactly it is important. Imagine a bunch of ancient shamans arguing why exactly local volcano needs to be fed one virgin a year but all being in agreement that it does.

moebrownetoday at 2:58 PM

> If I work until I'm exhausted and find three bugs, someone might still complain later that I missed a fourth and I should have tried harder.

This is a weird take. Less bugs is less bugs, just because you maybe didn't find them all doesn't undermine the value of finding some.

🔗 View 12 more comments