Best Practices/Code Review

A code review is a way of validating the design and implementation of an application before it goes live. This is not the QA process but a high-level approach that allows the developer to ensure a level of consistency in the coding of the application. This can be accomplished by using a checklist which details the various checks to make before the final product goes live.

The reviewer should be someone with domain expertise in the problem area. A reviewer may also utilize other areas of his or her expertise and comment on other possible improvements. There is no guarantee that the person reviewing the code will be familiar with the application, therefore it is always good to have the original developer, if possible, present to perform a walk-through of the application to give the reviewer a better idea of the application and its internal workings.


Checklist for Code Reviews

Requirements Traceability

  •       Does the code implement the design/bug fix?
  •       Does the developer understand requirements being implemented?
  •       Does the code execute as expected?
  •       Has the developer tested overall functionality?
  •       Has the error-handling code been tested?
  •       Is there any code included that is not directly associated to the requirements?

Resource Leaks

  •       Is every memory allocation de-allocated?
  •       Is the code written with its impact on memory usage in mind?
  •       Does the code close database connections?
  •       Does the code close HTTP connections?
  •       Does the code release objects from memory?
  •       Are objects freed up after an error?
  •       Are sessions properly closed and not hanging?


Structure

  •       Is the code well-structured, consistent in style, and consistently formatted?
  •       Are there any extraneous procedures or unreachable code?
  •       Are there any leftover stubs or test routines in the code?
  •       Can any code be replaced by calls to external reusable components or library functions?
  •       Are there any blocks of repeated code that could be condensed into a single procedure?
  •       Are any modules excessively complex and should be restructured or split into multiple  

Documentation

  •       Is the code clearly and adequately documented with an easy-to-maintain commenting style?
  •       Are all comments consistent with the code?
  •       Are variable declarations properly commented?
  •       Are functions, methods, components, classes described and documented?
  •       Are comments used to identify missing functionality or unresolved issues?

Variables

  •       Are all variables properly defined with meaningful, consistent, and clear names?
  •       Do all assigned variables have proper type consistency or casting?
  •       Are there any redundant or unused variables?
  •       Are variables scoped correctly?
  •       Are variables initialized before they are used?
  •       Are global variables thread-safe?

Control Structures

  •       Are all loops, branches, and logic constructs complete, correct, and properly nested?
  •       Are the most common cases tested first in IF-ELSEIF chains?
  •       Are all cases covered in an IF-ELSEIF or CASE block, including ELSE or DEFAULT clauses?
  •       Does every case statement have a default?
  •       Are loop termination conditions obvious and invariably achievable?
  •       Are indexes or subscripts properly initialized, just prior to the loop?
  •       Can any statements that are enclosed within loops be placed outside the loops?
  •       Does the code in the loop avoid manipulating the index variable or using it upon exit from the loop?

Defensive Programming

  •       Are indexes, pointers, and subscripts tested against array, record, or file bounds?
  •       Are imported data and input arguments tested for validity and completeness?
  •       Are all output variables assigned correctly?
  •       Are timeouts or error traps used for external interfaces?
  •       Are files checked for existence before attempting to access them?
  •       Are all files left in the correct state upon program termination?
  •       Does the code avoid Deadlocks?

Error Handling

  •       Are errors properly handled each time a function returns?
  •       Where are the resulting errors being handled?
  •       Has the error-handling code ever been tested?
  •       Does the error checking follow error-handling standards?

Arithmetic Operations

  •       Are divisors tested for zero?
  •       Does the code systematically prevent rounding errors?
  •       Does the code avoid additions and subtractions on numbers with greatly different magnitudes?

Security

  •       Is input from all untrusted data sources validated?
  •       Is data received through URL/form posts sanitized?
  •       Is data sent to other systems sanitized?
  •       Does the code hard-code server or user-sensitive information?
  •       Does the application time out?
  •       Are sessions killed after logout?

Performance

  •       Does the application meet performance requirements?
  •       Is there any code which could create unintended infinite loops?

Coldfusion Verity Checklist


So the other day we ran into the issue of newly created collections not displaying in the Coldfusion 9 Admin Server. No exceptions, application errors or other noticeable issues were displayed. Checked to see if in fact the collections were actually being created on the server, and they were. Mystery started setting in as to how this could be possible.

Decided to take a closer look to see if any other clues would appear for the resolution.

1. Checked the number and size of workspace files being created in the file system, in the /verity/Data/services/ws folder. This folder can get over-populated quickly, and there is no automatic service for cleaning it up, so after a while you will get a whole bunch of “cf_jrpp-88_workspace” files and a million other folders by the same name. Deleting these files does not hurt, so I did an rm -f and blew the files away. Went back into the Coldfusion Administrator and tried to recreate the collections and they still did not show.

2. Decided to stop and restart the K2admin server by utilizing the k2admin script located in cf_root/verity/k2/_ss026/bin/k2adminstop. Recreated the collection… NOTHING!!!!!

3. Decided to check the Verity logs under cf_root/verity/Data/services/ColdFusionk2_indexserver1. Looking in the logs created under the directories diag and log, I could not find anything too obvious.

4. Checked the port on which K2server was installed to see if a firewall or anything else was blocking communication. Nothing.

5. Noticed a .lck file being created under each collection directory created on the server, which usually means a problem with the creation of the collection. Deleted it and recreated the collection. NOTHING.

6. After pulling my hair out and calling people names that have nothing to do with the issue, I saw a posting on cfmasterblog which detailed all the checks I performed except one…

The folder in which the collection is created and being read needs to belong to the user coldfs. The Coldfusion Administrator is most likely performing a cfdirectory to pull back a list of the collections. If this folder or any of the collections were created by root for any reason and not by coldfs, the list will not be created… basically Coldfusion Server does not have access to read the files.

So damn obvious and such a quick fix. If you run into the same problem, please try the above checks and balances first before throwing your computer out the window. Cheers!!!
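As an added example that is not part of the original post or of ColdFusion itself, a small shell check for the findings above: collection directories not owned by the ColdFusion user (the root-versus-coldfs problem), leftover .lck files under a collection, and a count of cf_jrpp-*_workspace entries piling up in the ws folder from step 1. The function names and the assumed layout (one sub-directory per collection under a collections root) are mine; the user name coldfs and the ws path come from the post, and cf_root is a placeholder for your install.

```shell
#!/bin/sh
# Added diagnostic for the Verity troubleshooting above; not part of ColdFusion
# or the original post. Assumed layout: one sub-directory per collection under
# the collections root, cf_jrpp-*_workspace entries under verity/Data/services/ws.

# check_collections <collections_root> <expected_owner>
# Prints one line per finding: a collection directory not owned by the
# ColdFusion user, or a leftover .lck file inside a collection.
# Prints nothing when everything is clean.
check_collections() {
    root=$1
    owner=$2
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue
        # GNU stat first, BSD/macOS stat as a fallback
        actual=$(stat -c %U "$dir" 2>/dev/null || stat -f %Su "$dir")
        if [ "$actual" != "$owner" ]; then
            printf 'WRONG OWNER %s (is %s, want %s)\n' "$dir" "$actual" "$owner"
        fi
        for lck in "$dir"*.lck; do
            [ -e "$lck" ] || continue
            printf 'STALE LOCK  %s\n' "$lck"
        done
    done
}

# count_workspaces <ws_dir>
# Number of cf_jrpp-*_workspace entries accumulating in the ws folder (step 1),
# so the cleanup can be scheduled before the folder gets out of hand.
count_workspaces() {
    n=0
    for w in "$1"/cf_jrpp-*_workspace; do
        [ -e "$w" ] && n=$((n + 1))
    done
    echo "$n"
}

# Usage (cf_root is a placeholder for the actual ColdFusion install path):
# check_collections /cf_root/verity/collections coldfs
# count_workspaces  /cf_root/verity/Data/services/ws
```

Run it as the same user ColdFusion runs as, or as root, so that stat can read every collection directory.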