// Find logic bugs in C code for radare2 by analyzing control flow, state transitions, and silent assumptions.
When planning tasks or reviewing code is important to extend the reasoning of the unstaged changes, commits in the current non-master branch and todo roadmap of the ongoing work.
Clean and refactor code with a focus on unnecessary complexity, reducing lines of code, improving readability, and preferring radare2-native portable APIs.
Find bugs and vulnerabilities in C code for radare2
Use the bundled r2mcp MCP server for binary analysis, disassembly, and reverse-engineering tasks.
Solve a random TODO or XXX comment
Review source code in commit changes, functions or files and report only high-confidence findings in a structured task-note format.
| name | ailogic |
| description | Find logic bugs in C code for radare2 by analyzing control flow, state transitions, and silent assumptions. |
Logic bugs are not syntax errors and the compiler will not catch them. They live in branches that look reasonable, in loops that almost terminate, and in assumptions that are never written down. This skill focuses on radare2's C codebase, where most logic bugs come from misuse of libr APIs, unchecked return values, and state that leaks across calls.
When this skill is used: read AGENTS.md first and follow the project rules. Patches must be surgical, behavior-preserving, and small.
Understand the function contract before reading the body
Identify inputs and boundaries
NULL, zero, negative, and UT64_MAX / UT32_MAX sentinels.R_API entry points (these should use R_RETURN_*).Trace control flow with radare2
aaa
pdf @ sym.function_name
VV @ sym.function_name
else.default: in switch, fallthrough without R_FALLTHROUGH, and early returns that skip cleanup.Track variable state
afvd to inspect locals and arguments.Analyze loops
i <= size vs i < size.Verify return values and error paths
r_* calls checked when they can fail (allocation, IO, parse)?R_NEW/R_NEW0 never return NULL (compile-time constant size), so do not add checks for them.Hunt silent assumptions
Confirm dynamically when possible
ood
db sym.function_name
dc
dr; px
Drive the suspect path with a real input and observe the state. A reproducer beats any amount of static reasoning.
Reduce to a minimal case
switch over an enum that grew a new value! dropped or doubled)core-> field leaks across invocationsr_io_read_at / r_buf_read_at ignored, partial reads treated as fullr_core_cmd* return value ignored when the command can failr_core_seek; prefer call_at or the '@addr'cmd formr_list_delete instead of r_list_delete_itersize * count before allocationaaa # analyze all
pdf # disassemble function
afvd # show variables and arguments
VV # visual graph
axt # find xrefs to symbol
db / dc # breakpoint / continue
dr / px # registers / memory
Write findings to a report file (default: ailogic-report.md) so the user can iterate on it while fixing. If the file exists, append new findings under a fresh dated section instead of overwriting; mark resolved entries with ✅ rather than deleting them, so progress is visible across runs.
# ailogic report — YYYY-MM-DD
## Summary
1-2 sentences on what was audited (branch, files, functions) and the verdict:
✅ Clean / ⚠️ Issues found / ❌ Critical issues found
## Findings
<one @@@task block per finding, ordered by severity>
Each finding is a @@@task block, mirroring aireview so the same tooling can consume both:
@@@task
# 🔴 Short title of the bug
The invariant or assumption that is violated, in at most 2 sentences.
## Trigger
The input, call sequence, or state that exercises the bug. Include an r2
oneliner reproducer when feasible.
## Suggested Commit Message
Short, capitalized, imperative. One line.
## Suggested Fix
What should change, surgically. Reference helpers to use (`r_list_delete_iter`,
`call_at`, `R_RETURN_*`, etc.) instead of describing rewrites.
```ws-block:reference
filePath: libr/core/foo.c
lineRange: 120...138
context: function_name
@@@
**Severity:** 🔴 high | 🟠 medium | 🟡 low
- HIGH CONFIDENCE ONLY. Skip anything you cannot justify from the code itself.
- One well-grounded finding beats a list of speculative ones — post zero if nothing holds up.
- Do not modify code from this skill; the report is the deliverable. Fixes are delegated.