A Tale of Two AI Failures: Debugging a Simple Bug with LLMs

https://bitmovin.com/blog/hackathon-debugging-ai-tools-llms/

9•slederer•2mo ago

Comments

kichik•2mo ago

Not exactly the point of this article, but it would be cool if APIs like this can return the expected signed string for debugging. It would have to be properly limited for security. But if the API is expecting non-standard signatures, it could help developers with better debugging tools.

lillesvin•2mo ago

Given that you can't infer the error from simply looking at the signature string, I don't see how having the expected string rather than a simple "OK" or "mismatched signature" (as you get now) would make a difference?

kichik•2mo ago

You can save the expected string to a file, save your string to a file, and run diff on a hexdump of both. Even without hexdump, you should see the difference between "\n" and "\\n" in properly escaped output.

lillesvin•2mo ago

But the returned signed string will be an HMAC-SHA256 hash, won't it? Then there's not going to be any '\n' or '\\n's in there. Only thing you'll be able to tell is if it matches your hash or not, in which case 'OK' or 'not OK' will work just as well.

Or am I misunderstanding you?

kichik•2mo ago

You are indeed misunderstanding me. I am talking about returning the entire string to be signed. Not the result of the signature.

lillesvin•2mo ago

Ah, my bad. Sorry.

But couldn't you then just make the call to an echo service (like HTTPbin) or simply dump the request when you send it?

kichik•2mo ago

The echo server will have no knowledge on how to construct the string to be signed.

lillesvin•2mo ago

But neither does the actual server. HMAC only verifies that the message is from whoever it claims to be from and that it is intact. It won't know what you intended the body of the request to look like.

lillesvin•2mo ago

I know it's kinda besides the point and I don't know what language this was being done in, but I don't personally know any language where

    String signature = "POST" + "\n" + "/api/v1/..."

and

    String signature = "POST\n/api/v1/..."

don't result in identical variables, so I'm a bit puzzled why that would result in an error.

However, there's a quoting error in the failing example where the double quotes in the JSON body aren't properly escaped:

    String signature = "POST" + "\n" + "/api/v1/query" + "\n" + token + "\n" + timestamp + "\n" + "{"body":"content"}"

It may just be the example that's not correctly formatted, but the other (working) example does in fact escape the double quotes in the JSON. I guess, depending on how forgiving the used language is with quoting, that could also be the source of the error?

juancn•2mo ago

Yeah, I'm stuck here.

Another thing that's really broken is the last string with unescaped quotes.

Not sure how to interpret that unless theres a `:` (colon) operator.

saint_yossarian•2mo ago

The author mentions FoxESSCloud, which led me to https://www.foxesscloud.com/public/i18n/en/OpenApiDocument.h... with this Python example:

    signature = fr'{path}\r\n{token}\r\n{timestamp}'

So if this is indeed the API they're using it's not only literal "\\n" but also "\\r\\n", no "POST", and no body at the end.

nebster•2mo ago

I... still don't understand the issue. It looks like both examples in the table would evaluate to the same thing. Am I missing a stray "\n"?

fernly•2mo ago

agree, I feel dumb but don't see subtle issue.

Also when copy/pasting into Python to try it, I got an error because \“ is in fact U+201C not an ASCII quote. (Surely that's not the subtle issue?)

DylanSp•2mo ago

Echoing the others who say they can't understand the bug/difference; only thing I can think of is that the input string needed the escape sequence for a newline in it? So the correct code would be written as

    "POST" + "\\n" + ...

thehappypm•2mo ago

tl;dr: custom, naïve Concatenation formatting implementation can cause bugs

jojomodding•2mo ago

Perhaps this article was written by the same AI that failed to understand what it was supposed to do in the first place? The post doesn't make a lot of sense and the writing seems fishy. I still don't understand what was wrong with he first code.

snowfield•2mo ago

I often find myself clearing the context when dealing with llms to get a fresh take. Often it just has so much context reinforcing its previous decisions.

Not sure if the author tried to just start a new thread. But anyway, for now you always need to keep an eye on these things and manage it if it follows red herrings or ends up in some logical loop

Sidenote : newlines is one thing tat can be quite tricky for llms in general.

OpenCiv3: Open-source, cross-platform reimagining of Civilization III

The Waymo World Model

Show HN: Look Ma, No Linux: Shell, App Installer, Vi, Cc on ESP32-S3 / BreezyBox

Monty: A minimal, secure Python interpreter written in Rust for use by AI

How we made geo joins 400× faster with H3 indexes

Dark Alley Mathematics

A century of hair samples proves leaded gas ban worked

Show HN: I spent 4 years building a UI design tool with only the features I use

Microsoft open-sources LiteBox, a security-focused library OS

Show HN: If you lose your memory, how to regain access to your computer?

Sheldon Brown's Bicycle Technical Info

Hackers (1995) Animated Experience

An Update on Heroku

PC Floppy Copy Protection: Vault Prolok

Show HN: R3forth, a ColorForth-inspired language with a tiny VM

I spent 5 years in DevOps – Solutions engineering gave me what I was missing

How to effectively write quality code with AI

Learning from context is harder than we thought

Understanding Neural Network, Visually

Delimited Continuations vs. Lwt for Threads

I now assume that all ads on Apple news are scams

Introducing the Developer Knowledge API and MCP Server

Make Trust Irrelevant: A Gamer's Take on Agentic AI Safety

FORTH? Really!?

I'm going to cure my girlfriend's brain tumor

Evaluating and mitigating the growing risk of LLM-discovered 0-days

Show HN: Smooth CLI – Token-efficient browser for AI agents

Female Asian Elephant Calf Born at the Smithsonian National Zoo

Show HN: Slack CLI for Agents

The Oklahoma Architect Who Turned Kitsch into Art

OpenCiv3: Open-source, cross-platform reimagining of Civilization III

The Waymo World Model

Show HN: Look Ma, No Linux: Shell, App Installer, Vi, Cc on ESP32-S3 / BreezyBox

Monty: A minimal, secure Python interpreter written in Rust for use by AI

How we made geo joins 400× faster with H3 indexes

Dark Alley Mathematics

A century of hair samples proves leaded gas ban worked

Show HN: I spent 4 years building a UI design tool with only the features I use

Microsoft open-sources LiteBox, a security-focused library OS

Show HN: If you lose your memory, how to regain access to your computer?

Sheldon Brown's Bicycle Technical Info

Hackers (1995) Animated Experience

An Update on Heroku

PC Floppy Copy Protection: Vault Prolok

Show HN: R3forth, a ColorForth-inspired language with a tiny VM

I spent 5 years in DevOps – Solutions engineering gave me what I was missing

How to effectively write quality code with AI

Learning from context is harder than we thought

Understanding Neural Network, Visually

Delimited Continuations vs. Lwt for Threads

I now assume that all ads on Apple news are scams

Introducing the Developer Knowledge API and MCP Server

Make Trust Irrelevant: A Gamer's Take on Agentic AI Safety

FORTH? Really!?

I'm going to cure my girlfriend's brain tumor

Evaluating and mitigating the growing risk of LLM-discovered 0-days

Show HN: Smooth CLI – Token-efficient browser for AI agents

Female Asian Elephant Calf Born at the Smithsonian National Zoo

Show HN: Slack CLI for Agents

The Oklahoma Architect Who Turned Kitsch into Art

A Tale of Two AI Failures: Debugging a Simple Bug with LLMs

Comments