Defect Injection

The topic of code or peer reviews is sometimes on my mind. That’s why I enthusiastically read a blog entry on the CoffeeGhost web site. The entry was entitled “Bugging Your Code Reviews”. It was written by Al Sweigart. He had found that a lot of requests for code review got no feedback other than “everything looks good”. So he invented a tool called Jester which randomly injects what he calls Jester bugs into the code. This coincides with an idea that I pitched to our software manager. So this blog post is very relevant to me.

Jester is officially a unit tester for Java. It injects bugs in the code that have correct syntax, but are nonetheless problems. Al runs the buggy code through his unit tests. This helps him validate whether the unit tests are truly testing the code. He also uses Jester to inject bugs into the source code before he passes it on for code review. The buggy code will compile fine. But the injected bugs cause run time errors.
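The test-validation idea in the paragraph above, as an added example that is not code from Al's post or from Jester. It is written in Python rather than Java, and the `in_bounds` function, the operator swap table and both test suites are constructed for illustration.

```python
import ast

# Constructed sample code under test (not from the blog post).
SOURCE = """
def in_bounds(index, length):
    return index >= 0 and index < length
"""

# Each comparison operator is swapped for a near miss that still parses.
SWAPS = {ast.Lt: ast.LtE, ast.LtE: ast.Lt, ast.Gt: ast.GtE,
         ast.GtE: ast.Gt, ast.Eq: ast.NotEq, ast.NotEq: ast.Eq}

class SwapNth(ast.NodeTransformer):
    """Swap only the n-th comparison operator met during the tree walk."""
    def __init__(self, n):
        self.n, self.seen = n, 0

    def visit_Compare(self, node):
        self.generic_visit(node)
        for i, op in enumerate(node.ops):
            if type(op) in SWAPS:
                if self.seen == self.n:
                    node.ops[i] = SWAPS[type(op)]()
                self.seen += 1
        return node

def make_mutants(source):
    """Return one mutated source string per swappable operator."""
    counter = SwapNth(-1)  # n = -1 never matches, so this pass only counts
    counter.visit(ast.parse(source))
    return [ast.unparse(SwapNth(n).visit(ast.parse(source)))
            for n in range(counter.seen)]

def weak_tests(fn):    # only checks values far from the boundaries
    return fn(2, 5) is True and fn(9, 5) is False

def strong_tests(fn):  # adds the boundary cases 0, length-1, length, -1
    return (weak_tests(fn) and fn(0, 5) is True and fn(4, 5) is True
            and fn(5, 5) is False and fn(-1, 5) is False)

def survivors(source, tests, name="in_bounds"):
    """Run the tests against every mutant; return those the tests miss."""
    alive = []
    for mutant in make_mutants(source):
        scope = {}
        exec(compile(mutant, "<mutant>", "exec"), scope)
        if tests(scope[name]):  # tests still pass: the bug went unnoticed
            alive.append(mutant)
    return alive
```

`survivors(SOURCE, weak_tests)` returns both injected off-by-one mutants, while `survivors(SOURCE, strong_tests)` returns an empty list: a suite that lets mutants survive is not really testing the code.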

Al played devil’s advocate and envisioned the potential drawbacks of using Jester to test your code review process. Injecting false bugs may slow down the process of detecting legitimate bugs. And if developers are not careful enough, they might check in the bugged version of the source code. Reviewers who got caught slacking off on their code review duties may get angry that they were duped. Finally, reviewers may learn how Jester works and look just for the Jester-style bugs.

As always, I love to read the comments of other people. Some people who read Al’s blog post thought that code reviews were in essence a waste of time. Others who used a code review tool thought it would be nice if the tool itself supported Jester-style bugs. One way that could make the defect injection process fun is to keep metrics on who finds the most bugs. There could be an online top scores list for code reviewers to spur them on to deep reviews. Finally, some people in the commercial software world thought that code reviews in general were not for them.

Unfortunately my project at work is almost exclusively written in C++. However that does not mean I couldn’t code up a version of Jester that works with C++. The idea is sound. My manager said that defect injection in general sounded like a good idea. The only problem we have is that it seems like nobody is doing actual code reviews any more. Ouch.