Nova Elvaris

Why Most AI Code Reviews Miss the Same 3 Bugs (and a Prompt That Catches Them)

You paste your code into an AI assistant and ask for a review. It comes back with suggestions about variable naming and missing comments. Meanwhile, the actual bug — a race condition, an unhandled null, a silent data loss — sails through untouched.

This isn't a model limitation. It's a prompt problem. Here are the three bug categories AI reviews consistently miss, and a single prompt that catches all of them.

Bug #1: Silent Failures

AI reviewers love to check for explicit errors — thrown exceptions, failed assertions, syntax issues. What they miss: code that succeeds incorrectly.

const user = users.find(u => u.id === targetId);
const name = user.name; // No error if user is undefined... 
                        // until you try to read .name

The model sees no red flags because find doesn't throw. It returns undefined, and the crash happens three lines later in a completely different function.

Bug #2: Boundary Assumptions

AI assistants assume inputs are well-formed unless you tell them otherwise. They won't flag:

  • Empty arrays where your code assumes at least one element
  • Negative numbers where you expect positive
  • Unicode strings where you're doing byte-length math
  • Concurrent access where you assume sequential

These are the bugs that pass every unit test and explode in production.
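As an added example (not code from the original post), here is the Bug #1 lookup beside a version that makes the missing-user case an explicit result, plus a Bug #2 boundary check showing why string length is not byte length. The function names (findUserName, safeFindUserName, byteLength, fitsInBytes) and the sample users list are assumptions made for this example.

```javascript
// Added example, not from the original post. Function names and sample
// data are assumptions; the bug shape is the one described in Bug #1/#2.

// Original shape: "succeeds" and defers the crash to whoever reads the result.
function findUserName(users, targetId) {
  const user = users.find(u => u.id === targetId);
  return user.name; // TypeError only when no user matched
}

// Hardened: the missing-user and bad-input cases are explicit, checkable
// outcomes instead of an undefined that blows up somewhere else.
function safeFindUserName(users, targetId) {
  if (!Array.isArray(users)) {
    return { ok: false, reason: 'users is not an array' };
  }
  const user = users.find(u => u && u.id === targetId);
  if (user === undefined) {
    return { ok: false, reason: `no user with id ${targetId}` };
  }
  return { ok: true, name: user.name };
}

// Boundary check: String.length counts UTF-16 code units, not bytes.
// 'é' is 1 unit but 2 UTF-8 bytes; an emoji is 2 units but 4 bytes.
function byteLength(s) {
  return new TextEncoder().encode(s).length;
}

// Rejects non-strings and negative/non-integer limits instead of
// silently accepting them (the "negative numbers" case above).
function fitsInBytes(s, maxBytes) {
  if (typeof s !== 'string') return false;
  if (!Number.isInteger(maxBytes) || maxBytes < 0) return false;
  return byteLength(s) <= maxBytes;
}

// Constructed sample input for a stand-alone run.
const sampleUsers = [{ id: 1, name: 'alice' }, { id: 2, name: 'bob' }];
console.log(safeFindUserName(sampleUsers, 3)); // { ok: false, reason: 'no user with id 3' }
console.log(fitsInBytes('😀', 3));              // false: 4 bytes, 2 code units
```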

Bug #3: State Mutations Across Calls

When a function modifies shared state, AI reviewers rarely trace the full mutation path. They review the function in isolation and miss that calling it twice, or calling it after another function, produces a corrupted state.

The Prompt That Catches All Three

Review this code for SILENT FAILURES, not just explicit errors.

For each function, answer:
1. What happens if any input is null, undefined, empty, or negative?
2. What happens if this function is called twice in sequence?
3. Is there any path where this function succeeds but produces 
   WRONG output instead of an error?

Format your response as:
- FUNCTION: [name]
  - Silent failure risk: [description or "none found"]
  - Boundary assumption: [what inputs would break it]
  - State mutation risk: [description or "stateless"]

Do NOT comment on style, naming, or documentation.
Focus ONLY on correctness bugs.

Why This Works

Three things make this prompt effective:

  1. It tells the model what category of bug to look for. Without this, models default to surface-level style checks because those are easy and always applicable.

  2. It asks concrete questions per function. "What happens if input is null?" is answerable. "Find bugs" is not.

  3. It explicitly excludes style feedback. This forces the model to spend its attention budget on correctness instead of padding the review with naming suggestions.

Real Results

I ran this prompt against a 200-line Express middleware I'd already "reviewed" manually. It found:

  • A req.body.items.length check that crashed on items: null (I'd only tested with items: [])
  • A database write that succeeded on duplicate keys and silently overwrote data
  • A cache function that returned stale data if called within the same event loop tick

I'd missed all three. The standard "review this code" prompt had missed all three. The targeted prompt caught all three in one pass.

The difference between a useful AI code review and a useless one isn't the model. It's whether you tell it to look for the bugs that actually matter.
