4.5.18 · D1Software Engineering

Foundations — Code review — what to look for

2,859 words13 min readBack to topic

Before you can read the parent note, you need to understand the words and symbols it throws around as if you already knew them. This page builds each one from nothing. Read top to bottom — every idea uses only the ones above it.


1. The raw materials — what a "change" actually is

Look at the figure below. The left column is the file before; the right is the file after. The red lines are the diff — the only thing a reviewer really looks at.

Figure — Code review — what to look for
Figure 1 — Left: the file as it was. Right: the same file after editing, with the changed lines marked in red. A reviewer reads only the red lines (the diff), never the untouched code around them.

Why the topic needs this: a review examines a diff, not a whole program. If you didn't know what a diff was, "reviewing a change" would sound like re-reading the entire codebase every time — which nobody does.


2. The people and the timeline

Figure — Code review — what to look for
Figure 2 — A bug on a three-station conveyor belt: Review (s=0), QA (s=1), Production (s=2). The red dot is the bug; catching it at the leftmost station costs one unit (), while letting it ride to the far right costs about 100 times as much. The whole cost argument is "catch it as far left as you can."

Why the topic needs this: the entire cost argument is "catch the bug at the leftmost stage." Without the belt picture, are just meaningless numbers.


3. The symbols in the cost formula

The parent writes . Let's earn every letter.

Why an exponent and not just (a straight line)? Because the badness compounds: each stage multiplies the mess left by the previous stage, it doesn't merely add a fixed chunk. That's the difference between linear () and exponential () growth.

Figure — Code review — what to look for
Figure 3 — The dashed black line is what cost would do if each stage merely added a fixed chunk (); the red curve is what it actually does when each stage multiplies (). The vertical gap at — 100 units vs 21 — is the money a review can save you.

Look at the figure: the straight black dashed line (adding) barely climbs; the red curve (multiplying) explodes. The gap between them is the value of catching bugs early.


4. The symbols in the "is it worth it?" formula

The parent's payoff line is . We will now build it from scratch, so the term is no longer a mystery. New symbols first:

Building the payoff, one at a time

Step 1 — WHAT: split the bugs into two buckets. With review, each bug is either caught now (probability ) or escapes (probability ). Multiply the count by each probability:

  • caught at review: bugs, each costing (stage );
  • escaped: bugs, each costing (stage ).

Step 2 — WHY expected value: we don't know which bugs escape, so we can't add exact costs. Instead we weight each cost by its probability and sum — that is exactly what means. Add the reviewer's own time , since running the review isn't free:

Step 3 — the comparison: with no review, nobody catches anything, so every bug reaches production:

Step 4 — WHAT we want: review is worth it when it costs less, . Subtract and watch appear: Group the terms — — then subtract the :


5. Concepts the priority ladder assumes

The parent ranks: Correctness → Design → Security → Tests → Readability → Performance → Style. Each rung leans on an idea — here are the ones the parent never pauses to define:


How these feed the topic

codebase

diff

pull request

author vs reviewer

review before merge

stages s = 0 1 2

cost ladder c0 times k to the s

c0 base cost

k multiplier

expected cost E

n bugs

p catch chance

reviewer time R

worth it when R is small

priority ladder

edge case null off by one

design and readability

SQL injection

Big-O

technical debt

Code review what to look for

Everything on the left is a foundation; the two arrows into "Code review what to look for" are the two halves of the parent: why it pays (the formula) and what to check (the ladder).


Equipment checklist

Cover the right side and see if you can answer each before revealing.

What is a diff, in one sentence?
A picture of only the lines a change removed and added — not the whole file.
What is a pull request?
A diff packaged with a title and description, requesting permission to merge.
Why must the reviewer differ from the author?
The author's brain reads what they meant, not what they wrote; fresh eyes have no such blind spot.
What do the stages mean?
Review, QA, and production — how far a bug has travelled toward real users.
What does represent?
The cost of fixing one bug at the earliest stage (one unit of pain).
What does represent, and why is ?
The factor by which cost multiplies each stage later; because later is always more expensive.
Why is the cost model (exponential) not (linear)?
Badness compounds — each stage multiplies the previous mess rather than adding a fixed amount.
What is a probability like ?
A number from 0 to 1 giving how likely something is; means about 7 in 10.
Why is the escaping fraction ?
The whole is 1; if is caught, the remainder slips through.
What does (expected value) answer, and what is ?
On average what a change will cost; .
Where does the in the payoff condition come from?
It's the saving per caught bug — in production minus at review — so total saving is .
When is review worth the time ?
When .
What corner does the two-outcome model cut?
It ignores QA (); it assumes every escaped bug rides straight to production, an upper bound on danger.
What is an edge case? Give two examples.
An input at a boundary — e.g. an empty list or null.
What does the Design rung check?
Whether code is in the right place with the right shape — fit, not mere function.
What does the Readability rung check?
Whether a newcomer could understand the code in six months (clear names, small functions).
Why does Security rank above Style?
A style slip is cheap; a security hole like SQL injection can be catastrophic.

Connections

  • Yeh note Hinglish mein padho →
  • Pull requests and Git workflow — where diffs and PRs come from.
  • Unit testing — the "Tests" rung of the ladder.
  • SQL injection and input validation — the "Security" rung.
  • Big-O notation — the "Performance" rung.
  • Technical debt — what design comments prevent.
  • Refactoring — cleaning up once a linter or reviewer flags something.