r/codereview

Do zero-LLM health metrics predict where bugs land? Ran it across 21 repos, here's what held up
▲ 816 r/codereview+3 crossposts

Do zero-LLM health metrics predict where bugs land? Ran it across 21 repos, here's what held up

Most "AI reviews your PR" tools annoy me. They hallucinate nits, the output changes every run, and you can't tell if a flag means anything. So I wanted to know if you can get a useful review signal the boring way. Static metrics plus git history, without any LLM in the loop, so same input gives the same output every time.

The question I actually wanted answered: do deterministic code-health metrics predict which files get bug-fixed later?

How I set it up :

  • Score every file at a historical commit (T0).
  • Count bug-fixing commits to that file over the next 6 months.
  • Correlate the T0 score with the bug-fixes that came after. No file sees its own future.

Metrics are the usual suspects plus churn signals. McCabe complexity, deep nesting, LCOM4 cohesion, god classes, clone detection, function-level churn, code age, ownership spread, change entropy. 25 of them, combined into a 1-10 per file. I ran it across 21 OSS repos, 9 languages.

What came out:

  • Mean ROC AUC 0.74 at picking the files that go on to get bug-fixes. Up to 0.90 on some repos, weaker on others.
  • It survives controlling for file size (partial Spearman -0.16). So it's not just "big files have more bugs," which was my first worry.
  • Out-ranks churn alone by about +0.10 AUC, and prior-defect history by +0.12.
  • Held on an external dataset I never touched (PROMISE/jEdit), AUC ~0.77.

I ran it head to head against CodeScene too, same 2,770 files, same commit, same labels, since it's the closest established tool. Discrimination was close (0.73 vs 0.71). The gap showed up on effort-aware ranking. Under a "you only have time to review 20% of the changed lines" budget, the deterministic score surfaced more of the real defects (recall 0.17 vs 0.07, Popt 0.61 vs 0.46). Similar at telling risky from safe, better at ordering what to look at first.

Where it falls down, because 0.74 is not magic:

  • It tells you where bugs cluster, not what the bug is.
  • Ranks files, doesn't read them so not a review replacement.
  • Defect labels come from bug-fix commits, which is a noisy heuristic. Some "fixes" aren't, some bugs never got a clean fix commit. That ceiling is baked in.
  • The 6-month window is a choice. Move it and the numbers move.
  • The CodeScene edge is specifically ranking under a budget. On raw "is this file risky, yes or no," they're close.

Where I landed: the signal is real and it's reproducible, which is the part I care about for PR gating but it won't catch a logic bug in a 4-line diff.

It's good at "this PR touches a file that's been a problem for a year with one owner, slow down." Different job than line-by-line review, and I think it's the job the deterministic approach is actually good at.

I have also added agent provenance to the same which allows it to determine if an AI PR is worse than human

If anyone wants to take a look at the repo: https://github.com/repowise-dev/repowise

Also, if you have any feedback on the metrics itself or if I can try some new metric, would love to try that

u/Obvious_Gap_5768 — 10 hours ago
▲ 129 r/codereview+4 crossposts

I reorganized my control and robotics course materials into a free GitHub repository

I recently made a major update to my Control and Robotics learning repository and decided to keep the course materials freely accessible.

The repository now includes structured course folders with standalone HTML lecture pages, mathematical explanations, diagrams, and companion code examples for many lessons. The topics cover areas such as:

  • Linear control
  • Modern control
  • System dynamics
  • Robot kinematics and dynamics
  • Robot control
  • Advanced robotics
  • Autonomous mobile robots

For some lessons, the code examples are provided in different languages/environments such as Python, C++, Java, MATLAB, and Wolfram/Mathematica, so the material can be studied from both the theory and implementation side.

Repo: https://github.com/mohammadijoo/Control_Robotics_Lab

I’m sharing it here in case it is useful for students, instructors, or self-learners working through control systems and robotics topics. I would also appreciate feedback, especially if you notice mistakes in equations, explanations, code examples, structure, or missing topics that would make the material more useful.

u/abolfazl1363 — 2 days ago
▲ 4 r/codereview+3 crossposts

Feedback on my old-ish tool

Hello,

Some time ago, I made a tool for performing brute-force attacks (for work purposes, as I work as a security tester/pentester). I don't know if I had hands from the wrong place or what, but it was somewhat difficult to use Hydra, which at that time was a top-tier tool for this. So I made my own tool that works like I want it to work.

The main idea of the tool is that all configuration goes inside a YAML configuration file. Why, you may ask, because security testing usually goes in this circle: performing -> reporting -> someone fixes -> re-testing. Sometimes the systems we test are similar, sometimes they are complex enough, and also saving hydra commands or sharing them wasn't quite a practical solution in the long term.

Some time ago, I moved to another company where I'm more on the defensive side rather than attacking, so I didn't have a chance to use this tool much. So maybe anyone can give some kind of feedback on the code, possible improvements, etc.

Repo: https://github.com/narukoshin/EnRaiJin

p.s. For all the AI haters, this code is not vibe coded, as it was created when the AI hype wasn't even a thing. :) Commits lasting years are a good proof for that.

Thanks.

u/narukoshin — 1 day ago
▲ 61 r/codereview+40 crossposts

Ask questions across your Markdown notes using a fully local Graph RAG engine. Built for Obsidian vaults, works with any folder of Markdown files. Extracts entity-relation triples from wikilinks & YAML frontmatter, retrieves answers via hybrid search (vector + BM25 + temporal). Multilingual. No cloud. Runs on Ollama.

https://github.com/benmaster82/Kwipu

u/WritHerAI — 3 days ago
▲ 8 r/codereview+5 crossposts

Build AI Code Review Agent ( looking for feedbacks and contribution )

I've been learning AI engineering by building instead of just watching tutorials.

To push myself beyond the basics, I started building an AI Code Review Agent. The goal wasn't to create a polished product—it was to force myself to understand how these systems actually work.

Some of the concepts I ended up learning along the way:

  • Retrieval-Augmented Generation (RAG)
  • Embeddings and vector search
  • ReAct-based agent workflows
  • LLM-powered code analysis
  • GitHub integrations

One thing I learned quickly is that getting an LLM to answer questions isn't the hard part. Making retrieval reliable, giving the agent the right context, and designing good workflows takes much more iteration than I initially expected.

The project is open source and still a work in progress, with plenty of room for improvement as I continue building and learning.

Repository: https://github.com/RishabhhG/codereview-agent
Linkedin : https://www.linkedin.com/in/rishabh-guptaaa/

If anyone wants to try it out, use it, or contribute, I'd really appreciate the feedback. I'm also happy to discuss the architecture, implementation decisions, or hear suggestions for improving the agent.

u/Aggravating-Drama916 — 3 days ago
▲ 1 r/codereview+1 crossposts

Please help me optimizing this loop

Here's the code: https://godbolt.org/z/cf6c1Mvd8

The problem: The innermost dimension (hidden_size.z) is completely contiguous and vectorizes cleanly. However, because input_cell depends directly on the contents of the input buffer, it acts as a pseudo-random offset.

Every time visible_x steps forward, the memory pointer leaps across a massive stride in the dictionary buffer. The hardware prefetcher completely gives up, and every single step evicts the previous cache line out of L1.

While I prefer stick to an SoA design for vectorization, I have total flexibility on how that data is structured globally:

  • Dictionary Transposition: I can completely rearrange the macro-dimension ordering of the dictionary array [hidden_col, in_field_idx, input_cell, hidden_size.z]. If swapping the position of input_cell or tiling it helps keep data "warm" in L1, I can change the layout. Just don't move the hidden_size.z because then I'd probably lose the vectorization, at least with the current algorithm.
  • Memory Alignment: I can change the memory alignment (#[repr(align(64))]) of the buffers or pad them to perfectly match CPU cache lines.
  • Loop Structuring / Tiling: I am entirely open to structural loop rewrites (e.g., loop blocking/tiling, using chunk iterators instead of dynamic slicing inside the loop, or altering the execution order of hidden_col vs visible_x/y).

Can anyone help me with this?

u/Severe-Heat-518 — 3 days ago

AI code reviews : am I missing something?

Disclaimer: I'm not anti-AI and I'd like to hear from people who are finding success with code reviews. Ideally, I'd like to have a discussion that's a bit more involved than just "AI bad lol".

So I've been giving AI code reviews a shot for the past couple weeks to try to help with the code-review bottleneck that we, like many other teams, are facing due to individual contributors being able to generate code much faster than before. However, I don't get how they are useful. Here's a typical workflow I've experienced :

  1. Junior sends in a PR, it's obviously mostly AI generated code. Such is life these days.

  2. I ask them if they asked for reviews to their AI agent of choice before sending it my way. Their answer: yes, three times.

  3. ok fine, I give it a shot. I also ask for a review from an AI agent, with the supposed added value that, since I have more experience, I'll be able to judge the quality of that review better. I'm not sure I agree with this assumption I've been hearing, but let's just assume this is how it works.

  4. The AI review comes out with 4 comments, 2 of them i find neat and the other 2 a bit nitpicky. Fine, but im curious... what if I implement these changes locally, and ask another agent to review this new code version in the context of the PR?

  5. New agent finds 5 new "issues" to correct. Wtf? Ok now im curious, so I start looping for 5-6 iterations just to see where this goes. Every single time, it digs deeper to find something to complain about. Turns out the AI reviews can be chained pretty much infinitely and a new model or agent will always find something to "improve" on the PR and find a reason to not accept the merge... at least in my limited experience with them.

Am I missing something? People have been praising code reviews as an "actual good usecase" for AI, but I don't see it. In my experience, the agents just find too many ways to simply chain-critique the code. The agent's job is essentially to find holes in the PR, and it will dig relentlessly until it finds something to complain about. I have not seen a single "yep, that PR looks 10/10 now" from any agent in the 2 weeks I tried them.

reddit.com
u/Both-Algae-5494 — 5 days ago
▲ 10 r/codereview+1 crossposts

My first C++ project — a dice roll simulator. Looking for code review / feedback

Hi everyone,

I've been learning C++ and built a small command-line dice roll

simulator: it rolls a die N times, saves a visual history with ASCII

art, and generates statistics with a bar chart. It also has a "fast

mode" for millions of rolls.

Since I'm still learning, I'd love some feedback:

- Is the code clean and well written?

- Is it well optimized?

- What would you add or change?

- Any general thoughts?

Repo: https://github.com/martinmol2007/dice-sim

Thanks for taking a look!

u/Martin_Mol_2007 — 5 days ago

I benchmarked Claude, GPT-4o, Gemini and DeepSeek on real, shipped CVEs to see which actually catches bugs, method + results

I keep seeing "AI code review" tools and my honest first reaction is probably yours too: an LLM reviewing LLM-written code is often slop reviewing slop. So instead of asking anyone to trust a bot, I tried to measure the thing can frontier models actually catch real, shipped bugs, and how often do they cry wolf?

What I did

  • Took real historical regressions actual CVEs from Keycloak, Django, and Spring and reintroduced each one into the code, with the upstream fix as the ground-truth answer. These are bugs maintainers actually shipped and later patched, not bugs I wrote to flatter a model.
  • Ran Claude, GPT-4o, Gemini, and DeepSeek over each, blind, and scored the three things these tools usually hand-wave:
    • Detection rate - did it catch the planted bug?
    • False positives - how much noise on clean diffs?
    • Consistency - same diff, same model, run twice: does it even agree with itself?

What I found (real numbers from the leaderboard)

The spread on hard regressions is brutal and binary. On the vLLM deserialization-RCE regression and the Parse Server operator-injection-account-takeover regression, Claude Sonnet and Gemini 2.5 Pro caught the bug on all 3 runs — and GPT-4o and DeepSeek missed it on all 3. Same diff, opposite outcome depending on the model.

A miss plus noise is worse than silence. On that Parse Server regression, GPT-4o and DeepSeek didn't just miss the real bug they each raised false positives on top of it, netting a negative weighted score (−8.9). The wrong model doesn't just fail to help, it actively wastes your triage time.

"Caught it" ≠ "told you it mattered." On the cross-file suite, DeepSeek flagged 100% of the planted bugs but mis-rated severity on every one real high-severity issues quietly downgraded to medium/low. Detection and calibration are separate problems, and most tools only talk about the first.

The thing that surprised me: run-to-run consistency was basically perfect across every suite, the same model on the same diff gave the same verdict three times (zero variance). The flakiness I expected wasn't the failure mode; which model you pick was. That's the whole argument for measuring it.

The part I'll defend: this isn't "trust my reviewer." It's a public, vendor-neutral leaderboard, I don't sell a "reviewer model," I score the ones you already pay for, and every result links to the real CVE and its upstream fix so you can check my work. If the method is wrong, it's wrong in public.

On the obvious objections, because I'd raise them too:

  • "It's still just an LLM." Yes and the data shows they're uneven and miss real things (complex authorization logic especially). The point isn't "LLMs are great," it's "here's exactly where each one is and isn't trustworthy, measured." Using a second, independent model (not the one that wrote the code) and cross-model agreement helps, but I publish the misses too, not just the wins.
  • "This replaces SonarQube / linters." It doesn't, and I won't claim it does. Static analysis is deterministic and catches a different class of thing. LLMs catch semantic/intent bugs linters miss, and miss things linters catch. Complementary, not a replacement.
  • "Where does my code go?" You bring your own API key, the diff goes to your Anthropic/OpenAI/Google/DeepSeek account, reviewed in memory, not stored by me, never used for training. And I checked my own site so I'm not a hypocrite about it: no Google Analytics, no third-party trackers, no marketing pixels. The only browser storage is your theme choice and your login session.

Where I actually want holes poked:

  • Is "reintroduce a historical CVE" fair, or does it leak hints a real PR wouldn't have?
  • Better ways to measure false positives than what I'm doing?
  • Does cross-model consensus actually cut noise in a real workflow, or just average it?

You can browse the leaderboard with no signuphttps://www.benchmodel.io/leaderboard. If you want to run your own diff, paste one, or just a GitHub PR URL, though that part needs a login + your own key, which I know is friction.

Building this solo and in the open about the method. Tear the methodology apart, genuinely the most useful thing you can do for me.

reddit.com
u/Individual_Squash_59 — 6 days ago

I built an AI tool to understand any GitHub codebase in minutes. Looking for honest feedback.

Hey everyone,

After months of building, I finally launched my first SaaS: Mitorix.

The idea came from a problem I kept running into as a developer. Every time I joined a new project, I spent days trying to understand the architecture instead of actually building features.

Questions like:

Where does authentication start?

How does the payment flow work?

What breaks if I change this file?

...always took far longer to answer than they should.

So I built Mitorix.

You paste a GitHub repository URL, and it analyzes the codebase so you can:

Chat with your codebase using AI

Visualize the architecture with an interactive dependency graph

Understand the impact of changes before editing code

Scan for common security issues

Repositories are processed temporarily and deleted immediately after analysis. AI processing currently uses Gemini and Groq APIs.

This is my first SaaS, built completely solo with zero funding, so I'm sure there are things I can improve.

I'd genuinely appreciate any feedback, whether it's about the product, UX, pricing, or features you'd expect from a tool like this.

Website: https://mitorix.site

Thanks for taking a look!

reddit.com
u/raj_ribadiya — 6 days ago
▲ 3 r/codereview+3 crossposts

Built and deployed my first AI project on Vercel! Looking for feedback 🚀

Hey everyone!

I'm a second-year B.Tech student and I've been learning AI/ML and web development over the past few months. I recently built my first AI-powered web application using Google AI Studio and successfully deployed it on Vercel.

This project helped me learn a lot about:

  • React + TypeScript
  • Git & GitHub workflow
  • Environment variables
  • Vercel deployment
  • Working with the Gemini API

It definitely wasn't a smooth journey 😅. I ran into issues with Git remotes, environment variables, and deployment, but solving those problems taught me much more than just writing code.

I'd really appreciate any feedback on:

  • UI/UX
  • Performance
  • Code structure
  • Features I should add
  • Anything that could make it more production-ready
  • Live Demo: [https://vercel.com/naitikjha1845-2959s-projects/ai-trust-lens]
  • GitHub: [https://github.com/Naitikjha]
  • I hope you enjoy trying it out! 😄 If you have any suggestions, spot any bugs, or think there's something I could improve, I'd love to hear your feedback. As a student, advice from experienced developers and the community is incredibly valuable and helps me become a better developer. Thanks for your time!
reddit.com
u/Terrible_Tip_8338 — 6 days ago

HTTP server in Go

Started making a server in go, where I was trying to write the handlers, routing and server start/stop etc. from scratch, until i realised I should have maybe used the net/http module and make my job easier. This is an incomplete version and still has to be finished: https://github.com/SaiVikrantG/mini-projs/tree/main/client-server-go/server

Am I going a layer too deep, and should i just use the the net/http module or is this the correct way?

reddit.com
u/Frequent-Okra-963 — 5 days ago

Need suggestions/critic on my code format.

I need suggestions and review of my code format, I consider this my first ever project. I am worried about spaghetti code and other problems. So please list out all problems you can. Thanks.

#include <stdio.h>
#include <stdbool.h>
#include <stdlib.h> //for random values feature
#include <time.h> //for random values feature
#define LENGTH 10
void Random(int *arr, int *element);
int main(){
  int element, index;
  int arr[LENGTH];
  bool found=false;
  Random(arr, &element);
  printf("LINEAR SEARCH");
  for(int i=0; i<LENGTH; i++){
    if(arr[i]==element){
      found=true;
      index=i;
      break;
    }
  }
  if(found){
    printf("\nElement %d found at index %d.\n", element, index);
  }
  else{
    printf("\nElement not found in the array.\n");
  }
  printf("--------------------------------------------------------------\n");
  return 0;
}
//Random Values Assigner
void Random(int *arr, int *element){
  srand(time(NULL));
  int Option1, Option2;
  //Array choosing
  while(1){
    printf("--------------------------------------------------------------\n");
    printf("Enter the elements in array:\n1 - Manual\t2 - Random\nChoose: ");
    scanf("%d", &Option1);
    if(Option1==1){
      printf("Enter elements separated with spaces(Max 10 elements): ");
      for(int i=0; i<LENGTH; i++){
        scanf("%d", &arr[i]);
      }
      break;
    }
    else if(Option1==2) {
      for(int i=0; i<LENGTH; i++){
        arr[i]=rand()%100;
      }
      break;
    }
    else{
      printf("Choose from options.\n");
      continue;
    }
    printf("--------------------------------------------------------------\n");
  }
  //Element choosing
  while(1){
    printf("--------------------------------------------------------------\n");
    printf("Enter the element to search for:\n1 - Manual\t2 - Random\nChoose: ");
    scanf("%d", &Option2);
    if(Option2==1){
      printf("Enter the element to search for: ");
      scanf("%d", &element);
      break;
    }
    else if(Option2==2) {
      *element=arr[rand() % LENGTH];
      break;
    }
    else{
      printf("Choose from options.\n");
      continue;
    }
    printf("--------------------------------------------------------------\n");
  }
  //Printing Choices
  printf("--------------------------------------------------------------\n");
  printf("Array: ");
  for(int i=0; i<LENGTH; i++){
    printf("%d ", arr[i]);
  }
  printf("\nElement: %d\n", *element);
  printf("--------------------------------------------------------------\n");
}

Here is the program on github if it is easier to read on there: https://github.com/PLEASENTIA/DSA/blob/main/Algorithms/Searching/LinearSearch.c

reddit.com
u/slugorsnail — 6 days ago
▲ 1 r/codereview+3 crossposts

Code review in the age of AI

LLMs have made writing code faster than ever. However, one new problem that has emerged is the bottleneck caused by code review.

Generating thousands of lines of code now takes just a few minutes. The problem is that someone still has to read, understand, and evaluate that code. In my latest Substack article, I discuss:
- why code review has become a greater challenge than ever before,
- what can be done to mitigate the problem of the rapidly growing volume of code to review,
- when you might consider doing away with mandatory code review, and what conditions should be met in that case.

If your project uses Claude Code, Copilot, Cursor, or other AI assistants daily, this problem likely affects you as well.

https://elszczepano.substack.com/p/code-review-in-the-age-of-ai

u/f0rg_ — 7 days ago

How do external LLM reviews reduce bloat?

I have heard common complaints that vibecoding leads to bloated, dead, and zombie code - how much can that be reduced by having a code review loop. For example, let’s say you write code with Claude code, then have Gemini and CharGPT review the code before implementation, then Claude executes.

reddit.com
u/UsedHamburger — 7 days ago

Day 10 update on my side project.

Today's feature is a Text Diff Checker.

Instead of only showing differences, I wanted it to support actual workflows.

Current features:

• Side-by-side comparison

• Highlight additions

• Highlight deletions

• Cherry-pick changes

• Merge content

• Copy final output

• Download the resulting file

I've noticed developers spend a surprising amount of time comparing:

  • API responses
  • JSON files
  • SQL scripts
  • Documentation
  • Generated AI content

Curious to hear from others:

What do you compare most often?

JSON?

Markdown?

Code?

Configs?

SQL?

Prompts?

Trying to understand which workflows are worth improving next.

reddit.com
u/DataHub1234 — 7 days ago
▲ 12 r/codereview+4 crossposts

I built GitHub Year Wrapped because I had no idea if my coding year was actually good (using supabase as database)

Used Supabase for auth, storage, and realtime on DevTrack —

a self-hosted GitHub activity dashboard.

Biggest lessons:

→ Row Level Security saved me from 3 potential data leaks

→ Realtime subscriptions made the leaderboard trivially easy

→ service_role key management is where most people mess up —

never expose it client-side

Features: year wrapped, commit streaks, PR throughput,

AI roasts, code personality report, friend leaderboard

Would love feedback from other Supabase builders —

especially on schema design for activity tracking.

repo: github.com/Priyanshu-byte-coder/devtrack

u/Bladebutcher_ — 10 days ago

Looking for review of my web-app (learning project)

TL;DR - I made a metronome app to learn some tech I've never used before, with Claude Code's help, and I want to make sure I'm learning the right stuff and making something that isn't garbage. Please review it (if you want, but I'd really appreciate it). Have a great day!

I'm trying to transition out of games development (primarily C++, with occasional dips into C#/Python) and back into "traditional" software. To get some experience I got Claude Code to help me write a little metronome web app.

It's a pretty standard metronome (tempo and time signature controls), with some little quality of life niceties (I think), and it allows saving presets locally, in my database (with authentication), or to a Google Drive.

I wanted to try and treat it like an actual product, but that also means I needed Claude to help me do a bunch of stuff I've never done before. So the API, MySQL database, and the web server, are all in Docker. I set up an auth flow, so if you're a registered user you can save presets on the server, if not it's all stored locally.

The front-end is all React, and I learned about hooks and how to write components and tests and all that fun stuff (not to mention, just, Typescript). The backend is C#/.NET.

I say all this just because, almost none of this is tech I've use before (except C#, but that's just minor stuff), architecture I've had to set up before, or considerations I've had to make before. Claude, obviously, did most of the setup, and give me some templates (how to write/use React hooks and components), and I still let it handle most of the CSS because that stuff is still wizardry to me (endless props to you front-end devs out there), but I did still write a lot of the actual code. But again, I'm learning basically this entire stack, so I'm truly not sure if this is good, or would be maintainable.

I'm enjoying this project, and I have plans to make it cross-platform (because I really want to use it), but I figured I should make sure it's not completely garbage before I make a terrible mistake.

If you do look at it, I really appreciate it, and I'd love your feedback. If you don't, that's cool too.

Hope you have a great day!

reddit.com
u/TyRD4 — 10 days ago