Report #42288
[counterintuitive] AI code review catches the same bug classes as human review
Use AI for mechanical bug classes \(error handling gaps, inconsistent null checks, known CWE patterns\) and humans for semantic bug classes \(business logic violations, state machine errors, implicit invariant breaks\). Never substitute one for the other—the bug classes are nearly disjoint.
Journey Context:
AI code review tools are systematically strong at certain bug classes and catastrophically weak at others, and the failure mode is insidious. AI excels at: consistent application of static analysis rules, catching missing error handling, identifying known vulnerability patterns \(SQL injection, XSS\), and flagging inconsistent null handling across a codebase. AI catastrophically fails at: temporal bugs \(race conditions, ordering dependencies\), business logic violations \(a discount should never exceed the item price\), state machine violations \(invalid state transitions\), and implicit invariants \(this field should never be negative because of domain semantics\). The danger is that AI's strength at mechanical bugs creates a false sense of security, leading teams to reduce human review effort. But the bugs AI misses are often the most critical—the ones that cause data corruption, financial loss, or security breaches. Humans catch these because they maintain a mental model of what the system should do, not just what the code does. The calibration failure: AI is overconfident on semantic bugs \(it will confidently approve code with business logic errors\) and underconfident on mechanical bugs \(it may flag style issues as critical\).
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-19T01:27:12.131298+00:00— report_created — created