Tutorial 4: Review AI-Generated Code
- Contributor
- 4 days ago
- 2 min read
AI writes confident wrong code. Reviewing it is now a critical skill.
Step 1: Read Every Line (10 min)
Tempting: see the function "looks right"; accept.
Don't. Read every line.
AI mistakes pile up across the codebase if you don't.
5 minutes of review per AI-generated function saves debugging hours.
Step 2: Check Invented APIs (10 min)
# AI suggested
import requests
response = requests.get_with_retry(url, retries=3)
requests.get_with_retry doesn't exist. Hallucinated.
Verify: does this function actually exist? In this version?
For unfamiliar libraries: check docs.
Step 3: Check Edge Cases (15 min)
AI optimizes for the happy path. Edge cases get skipped:
Empty inputs
Null / None
Concurrent access
Boundary values
Negative numbers
Unicode
Add tests. Run them. Often AI code fails on edges.
Step 4: Verify the Logic (15 min)
def is_valid_age(age):
return age > 0 and age <= 150
Looks reasonable. But:
Should age == 0 be valid?
Is 150 the right max?
What about negative ages (legitimate test data)?
Read the logic against your actual requirements. AI guesses.
Step 5: Security Sensitivity (15 min)
AI writes SQL like:
query = f"SELECT * FROM users WHERE email = '{email}'"
db.execute(query)
That's injection waiting.
Check for:
SQL injection
XSS
Hardcoded secrets
Weak crypto
Auth bypasses
Path traversal
AI often misses these. Don't trust security-critical code.
Step 6: Style Consistency (10 min)
AI may write style different from your codebase:
Different naming conventions
Different error handling patterns
Different test structure
Different file organization
Conform to local style. Reviewer will flag otherwise.
Step 7: Performance (10 min)
AI sometimes:
Nested loops where one would do
Unnecessary copies
N+1 queries
Redundant computation
For hot paths: read with perf in mind. Profile if uncertain.
Step 8: Maintainability (10 min)
AI loves:
Many helper functions
Defensive coding
Type assertions everywhere
Generic abstractions
Sometimes overengineered. Simplify for readability.
You'll read this code in 6 months. Make it understandable.
Step 9: Test It (10 min)
Run the code.
Don't just review. Execute:
Tests pass
Manual run works
Integration with neighbors OK
I've seen too much "looks good, ship it" — code that doesn't even compile.
Step 10: Treat It Like a PR (10 min)
Mental shift: AI is a junior contributor.
Apply the same review bar you'd apply to a junior's PR:
Correctness
Tests
Style
Performance
Security
Not lower. AI gets a million chances; the bar holds.
What You Just Did
Review AI code: read every line, invented APIs, edges, logic, security, style, perf, maintainability, test, like a junior's PR. Quality control.
Common Failure Modes
Trust AI for security code. Vulnerabilities ship.
Skip edge cases. Bugs in production.
Ship invented function calls. Crashes immediately or worse, silently wrong.
Accept first suggestion. Lower quality than your real bar.
No tests for AI code. Untested code production.


