H(p,q) Where AI meets the rest of reality
March 20, 2026
From the Trenches AI & Dev Tools Production Reality

When AI Reviews the Reviewers

The Linux kernel has the most rigorous code review process in software. An AI agent just found half the bugs it missed. Here's what that means for every production engineering team.

Google open-sourced Sashiko this week, an agentic AI code review system built for the Linux kernel. It monitors kernel mailing list submissions and evaluates proposed changes across four dimensions: architecture, security, concurrency, and resource management. The team tested it against the last 1,000 upstream kernel issues. Sashiko found 53% of the bugs.

That sounds modest. It isn't.

Every single one of those bugs had already been reviewed and approved by human kernel maintainers. The Linux kernel review process involves some of the most experienced systems programmers alive, reviewing code with a level of scrutiny that most software projects can only aspire to. Sashiko caught bugs that this process missed. Not a few edge cases. More than half.

Two Data Points Make a Coincidence. Two Make You Pay Attention.

Two weeks ago, Anthropic disclosed 22 new security vulnerabilities in Firefox through a partnership with Mozilla. Fourteen were high severity, seven moderate, one low. The Firefox codebase is massive, mature, and maintained by experienced security engineers who have been finding and fixing vulnerabilities for over two decades.

Now Sashiko catches 53% of bugs the kernel process missed.

Two different AI systems. Two of the most carefully reviewed codebases in the history of software engineering. Same result: AI found significant bugs that skilled human reviewers didn't. That's not a coincidence anymore. That's the beginning of a measurable capability category.

We tracked the emergence of agentic coding tools on March 12, noting the shift from code generation (Cursor, Claude Code) to project-level context awareness. Sashiko represents the next evolution: from code generation to code review. And code review may be more valuable for production systems, because bugs in production cost real money.

What Human Reviewers Miss (and Why)

I've done code review on systems processing real-time video at 200fps. The kind of system where a missed edge case means dropped frames in production or, worse, a false positive on a security alert. I know what human reviewers miss, because I've been the one missing it.

Concurrency edge cases are the big one. When you're reviewing a diff that touches thread synchronization, you can reason about the code in front of you. What you can't easily do is hold the entire state space of thread interactions in your head while also considering what happens under load. The combination of "this lock gets contended at 200fps" and "this buffer allocation happens in a separate thread" creates failure modes that are invisible in a standard code review.

Resource management under load is the second category. A function that allocates memory correctly in isolation might leak under sustained throughput because the deallocation path has a subtle timing dependency. You can't see this in a diff. You'd need to trace the full lifecycle of the resource across multiple call sites, under concurrent access patterns, at production-scale load.

Interaction effects between components reviewed separately are the third. When Component A was reviewed by one engineer and Component B by another, nobody reviewed the interaction between them under the specific conditions that production creates. The bug lives in the seam.

These are exactly the categories where Sashiko excels, according to its evaluation: architecture, security, concurrency, resource management. AI doesn't get tired of holding state. It doesn't context-switch between reviewing two different subsystems. It can trace resource lifecycles across the entire codebase in a way that would take a human reviewer hours.

Not Replacement. A Different Layer.

The framing matters here. Sashiko isn't replacing kernel maintainers. The bugs it found were ones the maintainers missed, which means the human review process is catching an entirely different set of issues. Design coherence, API consistency, architectural decisions, backward compatibility, the kind of judgment calls that require understanding why the code exists, not just what it does. AI isn't good at that. Humans are.

What we're looking at is two complementary review tracks that see different things. Human review catches design problems and architectural issues. AI review catches the concurrency bugs, the resource leaks, the security vulnerabilities that hide in the interactions between components.

You wouldn't skip integration tests because you have unit tests. They test different things. Same logic applies to code review.

How to Actually Use This

For production engineering teams, the practical integration path looks something like this.

First, run AI review as a parallel track. Don't gate human review on AI review or vice versa. Run them simultaneously on the same PRs. Compare what each catches. Build intuition for the categories where each excels.

Second, focus AI review on the high-risk areas. Sashiko's strongest categories, concurrency, security, resource management, and cross-component interactions, are the ones that produce the most expensive production bugs. Point AI review at the code that costs you the most when it breaks.

Third, use AI review output to train human reviewers. If the AI keeps catching a specific class of concurrency bug that humans miss, that's signal about where your review process has blind spots. The AI findings become training data for better human review.

Fourth, track metrics. The 53% number from Sashiko and the 22-vulnerability finding from Anthropic's Firefox work give you a baseline. Measure how many AI-flagged issues your team would have caught versus missed. That ratio tells you how much value AI review is adding in your specific codebase.

The Broader Implication

The Linux kernel and Firefox are probably the two most intensely reviewed open-source codebases in existence. If AI catches half the bugs that slip through the kernel's process and finds 22 vulnerabilities in Firefox, the question for every other codebase is straightforward: how many bugs is AI catching in code that gets far less rigorous human review?

For most production systems, the honest answer is probably "a lot." Most teams don't have the luxury of dedicated, expert reviewers examining every line. Most code gets reviewed by a colleague who's also juggling three other PRs and a standup in 10 minutes. The gap between what AI catches in the kernel and what it would catch in a typical production codebase is likely wider, not narrower.

AI code review won't be optional for long. We're predicting it becomes standard practice on large open-source projects within 12 months, with enterprise security teams adopting by Q1 2027. The pattern is clear, the data is compelling, and the cost of not doing it, measured in production bugs that could have been caught, is about to become indefensible.

← Back to Daily Brief: 2026-03-20

Sources

  1. Sashiko: Google's Agentic AI Code Review for the Linux Kernel — Phoronix
  2. Google's Sashiko AI Catches Half the Bugs Human Reviewers Miss in the Linux Kernel — The Register
  3. Sashiko: Agentic Code Review for the Linux Kernel — GitHub