4.5.18 · Coding › Software Engineering
Intuition 30-second mental model
Code review sirf typos pakadne ke liye nahi hai — compiler woh pehle hi kar leta hai. Yeh ek
structured conversation hai jahan ek doosra insaan poochta hai: "Agar mujhe yeh 3 AM mein ek
outage ke dauran maintain karna pade, to kya main author ko gaaliyan dunga?" Tum kuch minutes ab
kharch kar rahe ho taaki baad mein ghanton ki debugging se bacho. Review sabse sasta jagah hai
bug pakadne ki — QA se sasta, aur production se bahut zyada sasta.
Code review ek systematic examination hai code change ka (ek "diff" ya "pull request" ka)
kisi aisi person dwara jo author nahi hai , isse shared codebase mein merge karne se pehle.
WHY yeh kaam karta hai (first principles):
Author apni khud ki assumptions ke liye blind hota hai — woh woh code "dekhta" hai jo usne
likhna chaha tha , na ki woh code jo usne actually likha. Fresh pair of eyes ke paas aisa
koi blind spot nahi hota.
Bugs exponentially zyada expensive hote jaate hain jitna der se unhe pakda jaaye. Rough cost ladder:
cost fix ≈ c 0 ⋅ k s
jahan s stage hai (0 = review par, 1 = QA mein, 2 = production mein) aur k > 1 (aksar
k ≈ 10 quote kiya jaata hai). Toh review par bug pakadne par (s = 0 ) cost c 0 hai, lekin
production mein (s = 2 ) yeh ≈ c 0 k 2 = 100 c 0 ho jaati hai. WHY review kaafi hai:
tum bugs ko exponent mein neeche le jaate ho.
Review top-down karo: pehle high-impact, hard-to-reverse cheezein. Agar tum correctness
check karne se pehle spacing nit-pick karte ho, to tumne galat cheez optimize ki (80/20!).
Correctness — kya yeh woh karta hai jo yeh claim karta hai? Edge cases: empty input, null, off-by-one,
max/min values, concurrency.
Design / architecture — kya yeh system mein fit hota hai? Sahi jagah, sahi abstraction, koi
existing utility reinvent nahi ho rahi. Baad mein fix karna sabse mushkil → highest priority.
Security — input validation, code mein koi secrets nahi, SQL injection, authz checks.
Tests — kya naye tests actually naye behaviour ko exercise karte hain (failure path bhi include)?
Readability / naming — kya koi newcomer 6 mahine baad yeh samajh sakta hai?
Performance — sirf wahan jahaan matter karta hai (hot loops, big-O regressions), premature nahi.
Style — yeh ek linter/formatter ko karne do; insaanon ko nahi karna chahiye.
Mnemonic Importance ka order:
"CD STeReo PerSon"
C orrectness, D esign, S ecurity, Te sts, Re adability, Per formance, S tyle.
Change review karo, person nahi
Code par comment karo: "Yeh loop empty list par throw karega" — kabhi nahi "tum hamesha edge
cases bhool jaate ho." Author ko review ke baad fix karne ki motivation honi chahiye, defensive feel nahi.
HOW, step by step:
Pehle PR description + linked ticket padho — problem jaane bina solution judge nahi kar sakte.
Forecast karo ki diff mein kya hoga. Phir padho aur verify karo (Forecast-then-Verify).
Change locally pull karo / pehle tests padho — woh intended behaviour bataate hain.
Happy path trace karo, phir deliberately edge cases hunt karo.
Blocking comments aur preferences mein fark karo. Nits clearly prefix karo: nit:.
Worked example Example 1 — off-by-one pakadna
def last_n (items, n):
return items[ len (items) - n:] # return last n items
Kyun review karein? Happy path par theek lagta hai. Forecast: agar n > len(items) ho?
Tab len(items) - n negative hoga, toh slicing end se wrap ho jaayegi — silently galat
items return karega. Yeh step kyun? Edge cases (n list se bada) wahan hain jahan correctness bugs
chupta hai. Fix: return items[-n:] if n > 0 else [] aur n > len(items) ke liye test add karo.
Worked example Example 2 — design smell, bug nahi
Ek PR UserController mein ek parse_date() helper add karta hai.
Kyun flag karein? Yeh kaam karta hai , toh correctness theek hai — lekin yeh galat jagah hai:
date parsing user concern nahi hai, aur repo mein pehle se utils/dates.py hai. Yeh step kyun?
Design problems aaj kuch crash nahi karti; woh kal duplication aur drift kausi karti hain.
Comment: "Yeh utils/dates.py mein hona chahiye — wahan pehle se parse_iso() hai; kya hum use reuse kar sakte hain?"
Worked example Example 3 — security
query = f "SELECT * FROM users WHERE name = ' { name } '"
Kyun flag karein? name user input se aata hai → classic SQL injection . Yeh step kyun?
Security style se zyada important hai; ek injected '; DROP TABLE users; -- catastrophic hai. Fix: parameterized
query use karo: cursor.execute("... WHERE name = %s", (name,)).
Common mistake "Tests pass ho gaye, toh correct hai."
Kyun sahi lagta hai: green CI proof jaisa lagta hai. Kyun galat hai: tests sirf woh
cases check karte hain jo kisi ne likhne ke baare mein socha . Bug usually us case mein hota hai
jo kisi ne test nahi kiya . Fix: poochho "kaunsa input COVER nahi hua?" aur woh test maango.
Common mistake Style nit-pick karna jabki design ignore karo.
Kyun sahi lagta hai: style issues spot karna aasaan hai , toh comment karna satisfying lagta hai.
Kyun galat hai: tum apna scarce attention sabse saste-to-fix layer par kharch karte ho aur
architectural mistake miss kar dete ho jo hafte cost karegi. Fix: priority order mein review karo
(CD STeReo PerSon); style ko linter se automate karo.
Common mistake Ek huge PR approve karna kyunki review karna exhausting hai.
Kyun sahi lagta hai: author ne "mehnat ki," aur 2000 lines padhna thaka deta hai, toh tum
rubber-stamp kar dete ho. Kyun galat hai: reviewer thoroughness ~200–400 lines ke baad
collapse ho jaati hai — defect-detection sharply drop hoti hai. Fix: author se PR split
karne kaho; small diffs ko real reviews milti hain.
Recall Feynman: ek 12-saal ke bachche ko explain karo (reveal karne ke liye click karo)
Socho tumne school mein ek essay likha aur submit karne se pehle tumhara dost padha. Tum apni
khud ki spelling mistakes nahi dekh sakte kyunki tumhara brain woh padhta hai jo tumne socha tha .
Tumhare dost ki fresh eyes hain aur woh unhe pakad leta hai. Code review exactly wahi hai — lekin
unnn instructions ke liye jo hum computer ko dete hain. Tumhara dost pehle sabse badi cheezein
check karta hai ("kya tumhari story ka koi sense bhi hai?") chhoti cheezein se pehle ("tumse ek
comma miss hua"), kyunki ek confusing story ek missing comma se bahut buri hai.
Code review kya hai? Code change ki systematic examination kisi aur dwara (author nahi), merge hone se pehle.
Author apne khud ke bugs kyun reliably nahi pakad sakta? Woh woh code dekhta hai jo usne likhna chaha tha , na ki jo actually likha — woh apni khud ki assumptions ke liye blind hota hai.
Kis order mein review karna chahiye? Correctness → Design → Security → Tests → Readability → Performance → Style (CD STeReo PerSon).
Correctness/design ko style se pehle kyun review kiya jaata hai? Yeh baad mein fix karna sabse expensive hota hai aur reverse karna sabse mushkil; style ko linter se automate kiya ja sakta hai.
Bug-fix cost stage ke saath kyun badhti hai? Yeh roughly c 0 k s ke roop mein — exponentially — badhti hai, toh ek production bug (s = 2 ) review-stage bug ka ~k 2 guna cost kar sakta hai.
Reviewer time R kab worth it hai review? Jab R < n p c 0 ( k 2 − 1 ) — zyada bugs, better reviewer, costlier failures, sab reviewing ke favour mein hain.
Pehle tests kyun padhne chahiye? Woh intended behaviour document karte hain, yeh bataate hain ki is change ke liye "correct" ka matlab kya hai.
Steel-man "tests pass toh correct hai" — fix? Tests sirf woh cases cover karte hain jo kisi ne likhe; poochho kaunse inputs COVERED nahi hain aur woh test maango.
Large PRs split kyun karni chahiye? ~200–400 lines ke baad reviewer defect-detection collapse ho jaati hai; small diffs ko real scrutiny milti hai.
Tum kiske baare mein comment karte ho, kiska rule hai? Code/change par comment karo, kabhi person par nahi — author ko motivated rakho, defensive nahi.
Unit testing — tests woh hain jo tum verify karte ho; review tests khud ko check karta hai.
Pull requests and Git workflow — woh mechanism jis par reviews chalte hain.
Technical debt — review mein design comments debt-prevention hain.
SQL injection and input validation — review ki security layer.
Big-O notation — performance regressions spot karne ke liye zaroori.
Refactoring — readability comments aksar small refactors request karte hain.
worth it when R below npc0