Code review — what to look for
WHY does code review exist at all?
WHY it works (first principles):
- The author is blind to their own assumptions — they "see" the code they meant to write, not the code they actually wrote. A fresh pair of eyes has no such blind spot.
- Bugs get exponentially more expensive the later they're found. Rough cost ladder:
where is the stage (0 = at review, 1 = in QA, 2 = in production) and (often quoted ). So catching a bug at review () costs , but in production () it costs . WHY review pays: you move bugs down the exponent.
WHAT to look for — the priority ladder
Review top-down: high-impact, hard-to-reverse things first. If you nitpick spacing before checking correctness, you've optimized the wrong thing (80/20!).

- Correctness — does it do what it claims? Edge cases: empty input,
null, off-by-one, max/min values, concurrency. - Design / architecture — does it fit the system? Right place, right abstraction, not reinventing an existing utility. Hardest to fix later → highest priority.
- Security — input validation, no secrets in code, SQL injection, authz checks.
- Tests — do new tests actually exercise the new behaviour (incl. the failure path)?
- Readability / naming — would a newcomer understand this in 6 months?
- Performance — only where it matters (hot loops, big- regressions), not premature.
- Style — let a linter/formatter do this; humans shouldn't.
HOW to actually do it (the practice)
HOW, step by step:
- Read the PR description + linked ticket first — you can't judge a solution without the problem.
- Forecast what you expect the diff to contain. Then read and verify (Forecast-then-Verify).
- Pull the change locally / read the tests first — they tell you the intended behaviour.
- Trace the happy path, then deliberately hunt edge cases.
- Distinguish blocking comments from preferences. Prefix nits clearly:
nit:.
Worked examples
Common mistakes (Steel-man + fix)
Recall Feynman: explain it to a 12-year-old (click to reveal)
Imagine you wrote a school essay and your friend reads it before you hand it in. You can't see your own spelling mistakes because your brain reads what you meant. Your friend has fresh eyes and catches them. Code review is exactly that — but for the instructions we give a computer. Your friend checks the biggest things first ("does your story even make sense?") before the tiny things ("you missed a comma"), because a confusing story is much worse than a missing comma.
Active-recall flashcards
What is a code review?
Why can't the author reliably catch their own bugs?
In what order should you review?
Why is correctness/design reviewed before style?
Why does bug-fix cost grow with stage?
Review is worth the reviewer time when?
Why should you read the tests first?
Steel-man "it passes the tests so it's correct" — fix?
Why split large PRs?
What's the rule about who you comment on?
Connections
- Unit testing — tests are what you verify; review checks the tests themselves.
- Pull requests and Git workflow — the mechanism reviews ride on.
- Technical debt — design comments in review are debt-prevention.
- SQL injection and input validation — the security layer of a review.
- Big-O notation — needed to spot performance regressions.
- Refactoring — readability comments often request small refactors.
Concept Map
Hinglish (regional understanding)
Intuition Hinglish mein samjho
Dekho, code review ka simple matlab hai: jo code tumne likha, usko merge karne se pehle koi doosra banda padhta hai. Kyun? Kyunki apni galti khud ko nahi dikhti — tum wahi padhte ho jo tumne sochke likha tha, na ki jo actually likha. Fresh eyes se chhoti-moti bugs, edge cases, aur design ki galtiyaan pakdi jaati hain. Yaad rakho: bug jitni der baad pakdi jaaye, utna mehnga fix hota hai — review mein 1x, QA mein 10x, production mein 100x. Isliye review sabse sasti jagah hai bug pakadne ki.
Ab kya dekhna hai, uska order important hai. Pehle Correctness (kya code sach mein sahi kaam karta hai, edge cases — empty list, null, off-by-one?), phir Design (sahi jagah pe code hai? pehle se koi utility thi?), phir Security (SQL injection, secrets), phir Tests, phir Readability, phir Performance, aur last mein Style. Mnemonic: "CD STeReo PerSon". Style pe time waste mat karo — woh linter automatically pakad lega. Bade kaam pehle.
Ek bada rule: comment hamesha code pe karo, banda pe nahi. "Yeh loop empty list pe crash karega" bolo, "tu hamesha bhool jaata hai" mat bolo — taaki author defensive na ho, balki fix karne ko motivate ho. Aur agar PR bahut bada hai (2000 lines), toh author se bolo split karo — kyunki 200-400 lines ke baad reviewer ka dhyaan kam ho jaata hai aur woh bina dekhe approve maar deta hai. Chhote diffs ka asli review hota hai.