Best Practices for .NET Code Review

Code review is a set of systematic examination measures used to critique computer code

It is human nature to make mistakes, but mistakes in source code can lead to expensive follow-on mistakes if not fixed in time. Unfortunately, black box testing often cannot fully cover software. And even if it does, fixing a bug found by QA is at least two times as expensive as fixing it before issuing a build. Performance bottlenecks and security, scalability and reliability issues should be identified as early as possible. This is where code review comes in.

Code review, sometimes also known as peer review, is a set of systematic examination measures used to critique computer code with the objective of finding and fixing bugs early in the development stage, in order to develop high-quality software and improve developers' skills for future projects.

Carrying out regular code reviews has the advantages of saving money and time, having to fix fewer errors per line of code, using far fewer development resources while increasing productivity, and enjoying software that is 90 percent defect free.

Being aware of best practices for .NET code review is necessary to make the software development process as efficient as possible and deliver quality products on time and on budget. Even though it is impossible to enumerate all of the best practices here, we have included those that are absolutely indispensable. So here are the top five best practices for .NET code review:

1. Present project implementation ideas to developers prior to development. It is important for developers to understand how to do the task if the solution is ready-made, or know where to look for such a solution if finding it is part of the task. In the latter case, the process of communication between developers and technical leads becomes vital for the final decision to be the most efficient.

2. Create and follow a code review checklist. This checklist should help enumerate and analyze the specific aspects of what reviewers should pay attention to in order to make the code reviewing process as efficient as possible. Obviously, each project is different and will have its own specifications when it comes to the checklist, but as a general rule, it should ideally follow the outline of coding standards documents. When drafting a checklist, each developer should also examine their strengths and weaknesses and pay extra attention to the areas where they can be more vulnerable. Following is a sample code review checklist that covers the main areas necessary for review:

a) Does the code work as expected? The assumption is that the code works, but often it turns out that the code does not work as the customer would expect.

b) Are there any warnings generated by a static code analysis tool? Such tools can check for many guideline violations, and their reports should not be missed.

c) Are comments correct? Comments should be correct and not outdated. Otherwise, they will confuse team members. At the same time, comments should be meaningful and present only where absolutely needed.

d) Are there necessary checks for null values? If a variable or input parameter is not supposed to be null, the null check should throw an exception. Otherwise, there should be an alternative if-statement for the null value.

e) Are there necessary checks for invalid values in enumerables? If there is a switch or an if-statement checking enumerable string values or an enum, the default or else branch should in most cases handle the invalid values, not the remaining valid values that were not listed explicitly.

f) Are custom exceptions correctly declared? Each custom exception should be inherited from the ApplicationException class and should implement at least two constructors: with string and (string, Exception) parameters. If throwing an exception with an empty message is allowed, two more constructors should be implemented: () and (Exception).

g) Are exceptions correctly handled? Generic exceptions should never be suppressed (at least without logging). However, if exceptions are logged, duplicate logging should be avoided as well.

h) If code may be called by multiple threads, is it thread safe? Checking for thread safety is vital, because such errors are hard to track down, and it is easier to avoid them early rather than fix them later.

i) Is the code secure? Security issues can hardly be covered by QA or unit tests, but they are certainly important. For example, if there is a method that is supposed to be called by administrators only, it is better to restrict the method itself, even if the respective action is available only to administrators in the user interface.

j) Are unmanaged or IO resources correctly disposed of? Resources that are not disposed of can cause unexpected crashes or memory leaks. Each such resource should be disposed of correctly after using.

k) Are the most effective algorithms used? Common mistakes include:

  • Using IList instead of IDictionary or Hashtable leads to unnecessary O(n²) complexity instead of O(n).
  • Using multiple consecutive string concatenations instead of StringBuilder or String.Format increases complexity as well as memory usage.
  • Unnecessary web service calls can slow down the application considerably.

l) Are string comparisons correct? Using case-sensitive comparisons instead of case-insensitive ones in some cases (for example, file name comparisons) can cause errors that are hard to detect. Ideally, each string comparison in the code should be reviewed.

m) Are the classes, methods, properties and variables named correctly? A static code analysis tool will check naming conventions, but often it is possible to come up with better names.

n) Is unit test coverage good enough? Unit tests should be reviewed as well. The same checklist as above can be followed.
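
Checklist items d), e), i) and l) applied to a single method, as an added example that is not code from the original article. The `DocumentArchive` class, the `Administrators` role name, the protected `index.dat` file and the `alice` identity are all constructed for illustration.

```csharp
using System;
using System.IO;
using System.Security.Principal;

public enum ArchiveAction { Keep, Delete }

public sealed class DocumentArchive
{
    private const string AdminRole = "Administrators"; // assumed role name
    private readonly string _root;
    // (d) a required argument that is null fails fast with an exception
    public DocumentArchive(string root) =>
        _root = root ?? throw new ArgumentNullException(nameof(root));

    // (i) authorization is enforced here, not only by hiding the UI action
    public bool Apply(IPrincipal caller, string fileName, ArchiveAction action)
    {
        if (caller == null) throw new ArgumentNullException(nameof(caller));
        if (fileName == null) throw new ArgumentNullException(nameof(fileName));
        switch (action)
        {
            case ArchiveAction.Keep:
                return false;
            case ArchiveAction.Delete:
                if (!caller.IsInRole(AdminRole))
                    throw new UnauthorizedAccessException("Delete requires " + AdminRole);
                break;
            default: // (e) invalid values such as (ArchiveAction)42 land here
                throw new ArgumentOutOfRangeException(nameof(action), action, "Unknown action");
        }
        string name = Path.GetFileName(fileName); // drop any directory part
        // (l) file names are compared case-insensitively
        if (string.Equals(name, "index.dat", StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException("The index file cannot be deleted");
        string path = Path.Combine(_root, name);
        if (!File.Exists(path)) return false;
        File.Delete(path);
        return true;
    }
}
public static class Demo
{
    public static void Main()
    {
        var archive = new DocumentArchive(Path.GetTempPath());
        // Constructed caller who is not in the administrator role
        var user = new GenericPrincipal(new GenericIdentity("alice"), new[] { "Users" });
        try { archive.Apply(user, "report.txt", ArchiveAction.Delete); }
        catch (UnauthorizedAccessException ex) { Console.WriteLine(ex.Message); }
    }
}
```

The role check runs before any file system access, so a caller who reaches `Apply` without going through the user interface is rejected in the same way.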

3. Use automated tools for code review. Automation is essential for code quality, first of all, to eliminate the necessity for routine checks (saving time spent on reviews by skipping descriptions of incorrect formatting and naming), and secondly, for enforcing code guidelines without the reviewer assuming the role of a strict professor worried about every misplaced comma. Automation takes subjective opinions out of the equation and serves as a neutral and impartial force.

The most popular static code analysis tools for .NET are SonarQube and FxCop. They can check for dozens of code guideline enforcements such as:

  • Classes, methods and variables naming conventions,
  • Empty classes or methods,
  • Unnecessary parentheses,
  • Correct classes and methods declarations,
  • Access modifiers, etc.

4. Hold regular discussions of the main review results. Best development practices and how they can be implemented should be communicated to developers on a regular basis using an example of well-written code (with a focus on successful solutions in particular), rather than targeting specific errors of individual developers (which can negatively influence the atmosphere in the team). Good communication between all project participants (including clients and stakeholders, if necessary, as well as managers and testers) is a vital aspect of being on the same page in terms of code quality. Being patient with team members who don't boast extensive technical backgrounds and speaking their language brings the team closer and ensures better quality of the end product. Team members also learn from each other through a more profound understanding of the code base and can use that knowledge in subsequent projects, as well as project support.

Holding regular meetings and discussions may also have the following benefits:

  • Consistency of design and implementation throughout the project,
  • A common knowledge database where project data is stored may help bring new team members on board when others become unavailable,
  • Walking in the shoes of another team member helps see the product more objectively, and a person looking at a piece of code for the first time may have a fresh perspective,
  • Being recognized by peers boosts morale in the team and motivates developers to code better,
  • Teams become closer by interacting on a more personal level and working together toward a common goal.

5. Don't take mistakes and problems personally. Even though making mistakes is a natural part of writing code, they are too costly, and are therefore always considered the 'enemy.' But just as failure is an intrinsic part of success, mistakes are acceptable (and they will happen on every project, with every developer) as long as they don't end up in the product that's already gone into production, costing investors money and developers their reputation.

It may be helpful for developers to remember that the whole objective of code review is to find issues with code. No matter how excellent their product is, code review is not targeted at praising their coding prowess, but at finding loopholes in it. It is best to look at the process this way: finding mistakes improves code; it doesn't critique its creator. Learning from mistakes and sharing that knowledge with others is what developers should be taking out of the whole process.

Another sometimes painful aspect of code review is encountering developers who are more advanced and better skilled. The trick is to not view them as rivals but to learn from them. When conducting regular reviews, it is important to be diplomatic and not forget that praise is critical for all creative professionals (and developers are creatives, no doubt about that), and that criticisms and notes go down better with a bit of recognition of the skills that enabled the developer to write the code in the first place.

Carrying out .NET code review on a regular basis may help keep development quality at the designated level of excellence, develop high quality defect-free software, comply with industry standards and share knowhow between developers. Recognizing and following best practices in .NET code review can enable all parties involved in software product development to bring their efforts to perfection and centralize the latest knowledge in their niche.

More Stories By Aleksei Gavrilenko

Aleksei Gavrilenko is a senior developer with Itransition. He joined Itransition in 2005 as a software developer. Currently, he holds a position of the technical lead for a large ASP.NET project for automating key project document management and control procedures in industry-leading engineering and utilities companies worldwide. His areas of interest are .NET, Enterprise Content Management, performance tuning, software design and architecture. Aleksei received a master’s degree in computer science from Belarusian State University in 2007.
