Hallucinations in code are the least dangerous form of LLM mistakes

[Recycled from an older dupe submission]<p>As much as I&#x27;ve agreed with the author&#x27;s other posts&#x2F;takes, I find myself resisting this one:<p>&gt; I&#x27;ll finish this rant with a related observation: I keep seeing people say “if I have to review every line of code an LLM writes, it would have been faster to write it myself!”<p>&gt; Those people are loudly declaring that they have under-invested in the crucial skills of reading, understanding and reviewing code written by other people.<p>No, that does not follow.<p>1. Reviewing depends on what you know about the expertise (and trust) of the person writing it. Spending most of your day reviewing code written by familiar human co-workers is very different from the same time reviewing anonymous contributions.<p>2. Reviews are not just about the code&#x27;s potential mechanics, but inferring and comparing the intent and approach of the writer. For LLMs, that ranges between non-existent and schizoid, and writing it yourself skips that cost.<p>3. Motivation is important, for some developers that means learning, understanding and creating. Not wanting to do code reviews all day doesn&#x27;t mean you&#x27;re bad at them. Also, reviewing an LLM&#x27;s code has no social aspect.<p>However you do it, somebody else should still be reviewing the change afterwards.

My fear is that LLM generated code will look great to me, I won&#x27;t understand it fully but it will work. But since I didn&#x27;t author it, I wouldn&#x27;t be great at finding bugs in it or logical flaws. Especially if you consider coding as piecing together things instead of implementing a well designed plan. Lots of pieces making up the whole picture but a lot of those pieces are now put there by an algorithm making educated guesses.<p>Perhaps I&#x27;m just not that great of a coder, but I do have lots of code where if someone took a look it, it might look crazy but it really is the best solution I could find. I&#x27;m concerned LLMs won&#x27;t do that, they won&#x27;t take risks a human would or understand the implications of a block of code beyond its application in that specific context.<p>Other times, I feel like I&#x27;m pretty good at figuring out things and struggling in a time-efficient manner before arriving at a solution. LLM generated code is neat but I still have to spend similar amounts of time, except now I&#x27;m doing more QA and clean up work instead of debugging and figuring out new solutions, which isn&#x27;t fun at all.

&gt; Just because code looks good and runs without errors doesn’t mean it’s actually doing the right thing. No amount of meticulous code review—or even comprehensive automated tests—will demonstrably prove that code actually does the right thing. You have to run it yourself!<p>I would have stated this a bit differently: No amount of running or testing can prove the code correct. You actually have to reason through it. Running&#x2F;testing is merely a sanity&#x2F;spot check of your reasoning.

Last week, The Primeagen and Casey Muratori carefully review the output of a state-of-the-art LLM code generator.<p>They provide a task well-represented in the LLM&#x27;s training data, so development should be easy. The task is presented as a cumulative series of modifications to a codebase:<p><a href="https:&#x2F;&#x2F;www.youtube.com&#x2F;watch?v=NW6PhVdq9R8" rel="nofollow">https:&#x2F;&#x2F;www.youtube.com&#x2F;watch?v=NW6PhVdq9R8</a><p>This is the actual reality of LLM code generators in practice: iterative development converging on useless code, with the LLM increasingly unable to make progress.

&gt; Hallucinated methods are such a tiny roadblock that when people complain about them I assume they’ve spent minimal time learning how to effectively use these systems—they dropped them at the first hurdle.<p>This seems like a very flawed assumption to me. My take is that people look at hallucinations and say &quot;wow, if it can&#x27;t even get the easiest things consistently right, no way am I going to trust it with harder things&quot;.

Hallucinations themselves are not even the greatest risk posed by LLMs. A much greater risk (in simple terms of probability times severity) I&#x27;d say is that chat bots can talk humans into harming themselves or others. Both of which have already happened, btw [0,1]. Still not sure if I&#x27;d call that the greatest overall risk, but my ideas for what could be even more dangerous I don&#x27;t even want to share here.<p>[0] <a href="https:&#x2F;&#x2F;www.qut.edu.au&#x2F;news&#x2F;realfocus&#x2F;deaths-linked-to-chatbots-show-we-must-urgently-revisit-what-counts-as-high-risk-ai" rel="nofollow">https:&#x2F;&#x2F;www.qut.edu.au&#x2F;news&#x2F;realfocus&#x2F;deaths-linked-to-chatb...</a><p>[1] <a href="https:&#x2F;&#x2F;www.theguardian.com&#x2F;uk-news&#x2F;2023&#x2F;jul&#x2F;06&#x2F;ai-chatbot-encouraged-man-who-planned-to-kill-queen-court-told" rel="nofollow">https:&#x2F;&#x2F;www.theguardian.com&#x2F;uk-news&#x2F;2023&#x2F;jul&#x2F;06&#x2F;ai-chatbot-e...</a>

&gt; Chose boring technology. I genuinely find myself picking libraries that have been around for a while partly because that way it’s much more likely that LLMs will be able to use them.<p>This is an appeal against innovation.<p>&gt; I’ll finish this rant with a related observation: I keep seeing people say “if I have to review every line of code an LLM writes, it would have been faster to write it myself!”<p>&gt; Those people are loudly declaring that they have under-invested in the crucial skills of reading, understanding and reviewing code written by other people. I suggest getting some more practice in. Reviewing code written for you by LLMs is a great way to do that.<p>As someone who has spent [an incredible amount of time reviewing other people&#x27;s code](<a href="https:&#x2F;&#x2F;github.com&#x2F;ziglang&#x2F;zig&#x2F;pulls?q=is%3Apr+is%3Aclosed">https:&#x2F;&#x2F;github.com&#x2F;ziglang&#x2F;zig&#x2F;pulls?q=is%3Apr+is%3Aclosed</a>), my perspective is that reviewing code is fundamentally slower than writing it oneself. The purpose of reviewing code is mentorship, investing in the community, and building trust, so that those reviewees can become autonomous and eventually help out with reviewing.<p>You get none of that from reviewing code generated by an LLM.

An anecdote: I was working for a medical centre, and had some code that was supposed to find the &#x27;main&#x27; clinic of a patient.<p>The specification was to only look at clinical appointments, and find the most recent appointment. However if the patient didn&#x27;t have a clinical appointment, it was supposed to find the most recent appointment of any sort.<p>I wrote the code by sorting the data (first by clinical-non-clinical and then by date). I asked chatgpt to document it. It misunderstood the code and got the sorting backwards.<p>I was pretty surprised, and after testing with foo-bar examples eventually realised that I had called the clinical-non-clinical column &quot;Clinical&quot;, which confused the LLM.<p>This is the kind of mistake that is a lot worse than &quot;code doesn&#x27;t run&quot; - being seemingly right but wrong is much worse than being obviously wrong.

I use ChatGPT to generate code a lot, and it&#x27;s certainly useful, but it has given me issues that are not obvious.<p>For example, I had it generate some C code to be used with ZeroMQ a few months ago. The code looked absolutely fine, and it <i>mostly</i> worked fine, but it made a mistake with its memory allocation stuff that caused it to segfault sometimes, and corrupt memory other times.<p>Fortunately, this was such a small project and I already know how to write code, so it wasn&#x27;t too hard for me to find and fix, though I am slightly concerned that some people are copypasting large swaths of code from ChatGPT that looks mostly fine but hides subtle bugs.

If the hallucinated code doesn&#x27;t compile (or in an interpreted language, immediately throws exceptions), then yes, that isn&#x27;t risky because that code won&#x27;t be used. I&#x27;m more concerned about code that appears to work for some test cases but solves the wrong problem or inadequately solves the problem, and whether we have anyone on the team who can maintain that code long-term or document it well enough so others can.

&gt; Hallucinated methods are such a tiny roadblock that when people complain about them I assume they’ve spent minimal time learning how to effectively use these systems—they dropped them at the first hurdle.<p>If I have to spend lots of time learning how to use something, fix its errors, review its output, etc., it may just be faster and easier to just write it myself from scratch.<p>The burden of proof is not on me to justify why I choose not to use something. It&#x27;s on the vendor to explain why I should turn the software development process into perpetually reviewing a junior engineer&#x27;s hit-or-miss code.<p>It is nice that the author uses the word &quot;assume&quot; -- there is mixed data on actual productivity outcomes of LLMs. That is all you are doing -- making assumptions without conclusive data.<p>This is not nearly as strong an argument as the author thinks it is.<p>&gt; As a Python and JavaScript programmer my favorite models right now are Claude 3.7 Sonnet with thinking turned on, OpenAI’s o3-mini-high and GPT-4o with Code Interpreter (for Python).<p>This is similar to Neovim users who talk about &quot;productivity&quot; while ignoring all the time spent tweaking dofiles that could be spent doing your actual job. Every second I spend toying with models is me doing something that does not directly accomplish my goals.<p>&gt; Those people are loudly declaring that they have under-invested in the crucial skills of reading, understanding and reviewing code written by other people. I suggest getting some more practice in. Reviewing code written for you by LLMs is a great way to do that.<p>You have no idea how much code I read, so how can you make such claims? Anyone who reads plenty of code knows that it often feels like reading other people&#x27;s code is often harder than just writing it yourself.<p>The level of hostility towards just sitting down and thinking through something without having an LLM insert text into your editor is unwarranted and unreasonable. A better policy is: if you like using coding assistants, great. If you don&#x27;t and you still get plenty of work done, great.

&gt; you have to put a lot of work in to learn how to get good results out of these systems<p>That certainly punctures the hype. What are LLMs good for, if the best you can hope for is to spend years learning to prompt it for unreliable results?

Least dangerous only within the limited context you defined of compilation errors. If I hired a programmer and I found whole libraries they invented to save themselves the effort of finding a real solution, I would be much more upset than if I found subtle logical errors in their code. If you take the cynical view that hallucinations are just speed bumps that can be iterated away then I would argue you are under-valuing the actual work I want the LLM to do for me. One time I was trying to get help with the AWS CLI or boto3 and no matter how many times I pasted the traceback to Claude or ChatGPT, it would apologize and then hallucinate the non-existent method or command. At least with logical errors I can fix those! But all in all, I still agree with a lot in this post.

&gt; Hallucinated methods are such a tiny roadblock that when people complain about them I assume they’ve spent minimal time learning how to effectively use these systems—they dropped them at the first hurdle.<p>If you’re writing code in Python against well documented APIs, sure. But it’s an issue for less popular languages and frameworks, when you can’t immediately tell if the missing method is your fault due to a missing dependency, version issue, etc.

I am not a programmer and i don&#x27;t use Linux. I&#x27;ve been working on a python script for a raspberry pi for a few months. Chatgpt has been really helpful in showing me how to do things or debug errors.<p>Now I am at the point that I am cleaning up the code and making it pretty. My script is less than 300 lines and Chatgpt regularly just leaves out whole chunks of the script when it suggests improvements. The first couple times this led to tons of head scratching over why some small change to make one thing more resilient would make something totally unrelated break.<p>Now I&#x27;ve learned to take Chatgpt&#x27;s changes and diff it with the working version before I try to run it.

I think another category of error that Simon skips over that breaks this argument entirely: the hallucination where the model forgets a feature.<p>Rather than the positive (code compiles), the negative (forgets about a core feature), can be extremely difficult to tell. Worse still, the feature can slightly drift, based upon code that&#x27;s expected to be outside of the dialogue &#x2F; context window.<p>I&#x27;ve had multiple times where the model completely forgot about features in my original piece of code, after it makes a modification. I didn&#x27;t notice these missing &#x2F; subtle changes until much later.

&gt; I’ll finish this rant with a related observation: I keep seeing people say “if I have to review every line of code an LLM writes, it would have been faster to write it myself!”<p>&gt; Those people are loudly declaring that they have under-invested in the crucial skills of reading, understanding and reviewing code written by other people. I suggest getting some more practice in. Reviewing code written for you by LLMs is a great way to do that.<p>Not only is this a massive bundle of assumptions but it&#x27;s also just wrong on multiple angles. Maybe if you&#x27;re only doing basic CRUDware you can spend five seconds and give a thumbs up but in any complex system you should be spending time deeply reading code. Which is naturally going to take longer than using what knowledge you already have to throw out a solution.

I&#x27;ve not yet managed to successfully write any meaningful contribution to a codebase with an llm, faster than I could have written it myself.<p>Ok sure it writes test code boiler plate for me.<p>Honestly the kind of work im doing requires that I understand the code im reading, more than have the ability to quickly churn out more of it.<p>I think probably an llm is going to greatly speed up Web development, or anything else where the impetus is on adding to a codebase quickly, as for maintaining older code, performing precise upgrades, and fixing bugs, so far ive seen zero benefits. And trust me, I would like my job to be easier! Its not like I&#x27;ve not tried to use these

Increasingly I see apologists for LLMs sounding like people justifying fortune tellers and astrologists. The confidence games are in force, where the trick involves surreptitiously eliciting all the information the con artist needs from the mark, then playing it back to them as if it involves some deep and subtle insights.

The idea is correct, a lot of people (including myself sometimes) just let an &quot;agent&quot; run and do some stuff and then check later if it finished. This is obviously more dangerous than just the LLM hallucinating functions, since at least you can catch the latter, but the first one depends on the tests of the project or your reviewer skills.<p>The real problem with hallucination is that we started using LLMs as search engines, so when it invents a function, you have to go and actually search the API on a real search engine.

&gt; The moment you run LLM generated code, any hallucinated methods will be instantly obvious: you’ll get an error. You can fix that yourself or you can feed the error back into the LLM and watch it correct itself.<p>Interestingly though, this only works if there <i>is</i> an error. There are cases where you will not get an error; consider a loosely typed programming language like JS or Python, or simply any programming language when some of the API interface is unstructured, like using stringly-typed information (e.g. Go struct tags.) In some cases, this will just silently do nothing. In other cases, it might blow up at runtime, but that does still require you to hit the code path to trigger it, and maybe you don&#x27;t have 100% test coverage.<p>So I&#x27;d argue hallucinations are not always safe, either. The scariest thing about LLMs in my mind is just the fact that they have completely different failure modes from humans, making it much harder to reason about exactly how &quot;competent&quot; they are: even humans are extremely difficult to compare with regards to competency, but when you throw in the alien behavior of LLMs, there&#x27;s just no sense of it.<p>And btw, it is not true that feeding an error into an LLM will always result in it correcting the error. I&#x27;ve been using LLMs experimentally and even trying to guide it towards solving problems I know how to solve, sometimes it simply can&#x27;t, and will just make a bigger and bigger mess. Due to the way LLMs confidently pretend to know the exact answer ahead of time, presumably due to the way they&#x27;re trained, they will confidently do things that would make more sense to try and then undo when they don&#x27;t work, like trying to mess with the linker order or add dependencies to a target to fix undefined reference errors (which are actually caused by e.g. ABI issues.) I still think LLMs are a useful programming tool, but we could use a bit more reality. If LLMs were as good as people sometimes imply, I&#x27;d expect an explosion in quality software to show up. (There are exceptions of course. I believe the first versions of Stirling PDF were GPT-generated so long ago.) I mean, machine-generated illustrations have flooded the Internet despite their shortcomings, but programming with AI assistance remains tricky and not yet the force multiplier it is often made out to be. I do not believe AI-assisted coding has hit its Stable Diffusion moment, if you will.<p>Now whether it will or not, is another story. Seems like the odds aren&#x27;t that bad, but I do question if the architectures we have today are really the ones that&#x27;ll take us there. Either way, if it happens, I&#x27;ll see you all at the unemployment line.

&gt; My less cynical side assumes that nobody ever warned them that you have to put a lot of work in to learn how to get good results out of these systems<p>Why am I reminded of people who say you first have to become a biblical scholar before you can criticize the bible?

The worst for me so far has been the following:<p>1. I know that a problem requires a small amount of code, but I also know it&#x27;s difficult to write (as I am not an expert in this particular subfield) and it will take me a long time, like maybe a day. Maybe it&#x27;s not worth doing at all, as the effort is not worth the result.<p>2. So why not ask the LLM, right?<p>3. It gives me some code that doesn&#x27;t do exactly what is needed, and I still don&#x27;t understand the specifics, but now I have a false hope that it will work out relatively easily.<p>4. I spend a day until I finally manage to make it work the way it&#x27;s supposed to work. Now I am also an expert in the subfield and I understand all the specifics.<p>5. After all I was correct in my initial assessment of the problem, the LLM didn&#x27;t really help at all. I could have taken the initial version from Stack Overflow and it would have been the same experience and would have taken the same amount of time. I still wasted a whole day on a feature of questionable value.

Such &quot;hallucinations&quot; can also be plausible &amp; useful APIs that <i>oughtta</i> exist – de facto feature requests.

&gt; The moment you run LLM generated code, any hallucinated methods will be instantly obvious: you’ll get an error. You can fix that yourself or you can feed the error back into the LLM and watch it correct itself.<p>But that&#x27;s for methods. For libraries, the scenario is different, and possibly a lot more dangerous. For example, the LLM generates code that imports a library that does not exist. An attacker notices this too while running tests against the LLM. The attacker decides to create these libraries on the public package registry and injects malware. A developer may think: &quot;oh, this newly generated code relies on an external library, I will just install it,&quot; and gets owned, possibly without even knowing for a long time (as is the case with many supply chain attacks).<p>And no, I&#x27;m not looking for a way to dismiss the technology, I use LLMs all the time myself. But what I do think is that we might need something like a layer in between the code generation and the user that will catch things like this (or something like Copilot might integrate safety measures against this sort of thing).

I&#x27;ve probably spent about 25$ on Claude code so far.<p>I&#x27;m tempted to pay someone in Poland or whatever another 500$ to just finish the project. Claude code is like a temp that has a code quota to reach. After they reach it, they&#x27;re done. You&#x27;ve reached the context limit.<p>A lot of stuff is just weird. For example I&#x27;m basically building a website with Supabase. Claude does not understand the concept of shared style sheets, instead it will just re-implement the same style sheets over and over again on like every single page and subcomponent.<p>Multiple incorrect implementations of relatively basic concepts. Over engineering all over the place.<p>A part of this might be on Supabase though. I really want to create a FOSS project, so firebase, while probably being a better fit, is out.<p>Not wanting to burn out, I took a break after a 4 hour Claude session. It&#x27;s like reviewing code for a living.<p>However, I&#x27;m optimistic soon a competitor will emerge with better pricing. I would absolutely love to run three coding agents at once, maybe it even a fourth that can run integration tests against the first three.

&gt; Those people are loudly declaring that they have under-invested in the crucial skills of reading, understanding and reviewing code written by other people. I suggest getting some more practice in. Reviewing code written for you by LLMs is a great way to do that.<p>Even if one is very good at code review, I&#x27;d assume the vast majority of people would still end up with pretty different kinds of bugs they are better at finding while writing vs reviewing. Writing code and having it reviewed by a human gets both classes, whereas reviewing LLM code gets just one half of that. (maybe this can be compensated-ish by LLM code review, maybe not)<p>And I&#x27;d be wary of equating reviewing human vs LLM code; sure, the explicit goal of LLMs is to produce human-like text, but they also have prompting to request being &quot;correct&quot; over being &quot;average human&quot; so they shouldn&#x27;t actually &quot;intentionally&quot; reproduce human-like bugs from training data, resulting in the main source of bugs being model limitations, thus likely producing a bug type distribution potentially very different to that of humans.

Reading this article and then through the comments here, the overall argument I&#x27;m hearing here is that we should let the AI write the code and we should focus on reviewing it and testing it. We should work towards becoming good at specify a problem, and then validating the solution<p>Should we even be asking AI to write code? Shouldn&#x27;t we just be building and training AI to solve these problems without writing any code at all? Replace every app with some focused, trained, and validated AI. Want to find the cheapest flights? Who cares what algorithm the AI uses to find them, just let it do that. Want to track your calorie intake, process payroll every two weeks, do your taxes, drive your car, keep airplanes from crashing into each other, encrypt your communications, predict the weather? Don&#x27;t ask AI to clumsily write code to do these things. Just tell it to do them!<p>Isn&#x27;t that the real promise of AI?

&gt; With code you get a powerful form of fact checking for free. Run the code, see if it works.<p>Um. No.<p>This is oversimplification that falls apart in any at minimum level system.<p>Over my career I’ve encountered plenty of reliability caused consequences. Code that would run but side effects of not processing something, processing it too slow or processing it twice would have serious consequences - financial and personal ones.<p>And those weren’t „nuclear power plant management” kind of critical. I often reminisce about educational game that was used at school and cost of losing a single save progress meant couple thousand dollars of reimbursement.<p><a href="https:&#x2F;&#x2F;xlii.space&#x2F;blog&#x2F;network-scenarios&#x2F;" rel="nofollow">https:&#x2F;&#x2F;xlii.space&#x2F;blog&#x2F;network-scenarios&#x2F;</a><p>This a cheatsheet I made for my colleagues. This is the thing we need to keep in mind when designing system I’m working on. Rarely any LLM thinks about it. It’s not a popular engineering by any sort, but it it’s here.<p>As for today I’ve yet to name single instance where any of ChatGPT produced code actually would save me time. I’ve seen macro generation code recommendation for Go (Go doesnt have macros), object mutations for Elixir (Elixir doesn’t have objects but immutable structs), list splicing in Fennel (Fennel doesn’t have splicing), language feature pragma ported from another or pure byte representation of memory in Rust and the code used UTF-8 string parsing to do it. My trust toward any non-ephemeral generated code is sub zero.<p>It’s exhausting and annoying. It feels like interacting with Calvin’s (of Calvin and Hobbes) dad but with all the humor taken away.

&gt; I asked Claude 3.7 Sonnet &quot;extended thinking mode&quot; to review an earlier draft of this post [snip] It was quite helpful, especially in providing tips to make that first draft a little less confrontational!<p>So he&#x27;s also using LLMs to steer his writing style towards the lowest common denominator :)

The more leverage a piece of code has, the more good or damage it can do.<p>The more constraints we can place on its behavior, the harder it is to mess up.<p>If it&#x27;s riskier code, constrain it more with better typing, testing, design, and analysis.<p>Constraints are to errors (including hallucinations) as water is to fire.

If you want to use LLMs for code, use them.<p>If you don&#x27;t, don&#x27;t.<p>However, this &#x27;lets move past hallucinations&#x27; discourse is just disingenuous.<p>The OP is conflating hallucinations, which are a fact, and undisputed failure mode of LLMs that no one has any solution for.<p>...and people not spending enough time and effort learning to use the tools.<p>I don&#x27;t like it. It feels bad. It feels like a rage bait piece, cast out of frustration that the OP doesn&#x27;t <i>have</i> an answer for hallucinations, because <i>there isn&#x27;t one</i>.<p>&gt; Hallucinated methods are such a tiny roadblock that when people complain about them I assume they’ve spent minimal time learning how to effectively use these systems—they dropped them at the first hurdle.<p>People aren&#x27;t stupid.<p>If they use a tool and it sucks, they&#x27;ll stop using it and say &quot;this sucks&quot;.<p>If people are saying &quot;this sucks&quot; about AI, it&#x27;s because the LLM tool they&#x27;re using sucks, not because they&#x27;re idiots, or there&#x27;s a grand &#x27;anti-AI&#x27; conspiracy.<p>People are lazy; if the tool is good (eg. cursor), people will use it.<p>If they use it, and the first thing it does is hallucinate some BS (eg. intellij full line completion), then you&#x27;ll get people uninstalling it and leaving reviews like &quot;blah blah hallucination blah blah. This sucks&quot;.<p>Which is literally what is happening. Right. Now.<p>To be fair &#x27;blah blah hallucinations suck&#x27; <i>is</i> a common &#x27;anti-AI&#x27; trope that gets rolled out.<p>...but that&#x27;s because <i>it is a real problem</i><p>Pretending &#x27;hallucinations are fine, people are the problem&#x27; is... it&#x27;s just disingenuous and embarrassing from someone of this caliber.

Yep. LLMs can get all the unit tests to pass. But not the acceptance tests. The discouraging thing is you might have all green checks on the unit tests, but you can’t get the acceptance tests to pass without starting over.

One thing I&#x27;ve found is that while I work with a LLM and it can do things way faster than me, the other side of it is I&#x27;m quickly loosing understand of the deeper code.<p>If someone asks me a question about something I&#x27;ve worked on, I might be able to give an answer about some deep functionality.<p>At the moment I&#x27;m working with a LLM on a 3D game and while it works, I would need to rebuild it to understand all the elements of it.<p>For me this is my biggest fear - not that LLMs can code, but that they do so at such a volume that in a generation or two no one will understand <i>how</i> the code works.

&gt; The real risk from using LLMs for code is that they’ll make mistakes that aren’t instantly caught by the language compiler or interpreter. And these happen all the time!<p>Are these not considered hallucinations still?

I really like this theory from Kellan Elliott McCrae: <a href="https:&#x2F;&#x2F;fiasco.social&#x2F;@kellan&#x2F;114092761910766291" rel="nofollow">https:&#x2F;&#x2F;fiasco.social&#x2F;@kellan&#x2F;114092761910766291</a><p>&gt; <i>I think a simpler explanation is that hallucinating a non-existent library is a such an inhuman error it throws people. A human making such an error would be almost unforgivably careless.</i><p>This might explain why so many people see hallucinations in generated code as an inexcusable red flag.

Even with boring tech that&#x27;s been in the training set for ages (rails), you can get some pretty funny hallucinations: <a href="https:&#x2F;&#x2F;bengarcia.dev&#x2F;making-o1-o3-and-sonnet-3-7-hallucinate-for-everyone" rel="nofollow">https:&#x2F;&#x2F;bengarcia.dev&#x2F;making-o1-o3-and-sonnet-3-7-hallucinat...</a> (fortunately this one was the very non-dangerous kind, making it very obvious; though I wonder how many non-obvious hallucinations entered the training set by the same process)

&quot;Proving to yourself that the code works is your job. This is one of the many reasons I don’t think LLMs are going to put software professionals out of work.&quot;<p>Good point

&gt; You can fix that yourself or you can feed the error back into the LLM and watch it correct itself.<p>Well, those types of errors won&#x27;t be happening next year will they?<p>&gt; No amount of meticulous code review—or even comprehensive automated tests—will demonstrably prove that code actually does the right thing. You have to run it yourself!<p>What rot. The test is the problem definition. If properly expressed, the code passing the test means the code is good.

I am not so sure. Code by one LLM can be reviewed by another. Puppeteer like solutions will exist pretty soon. &quot;Given this change, can you confirm this spec&quot;.<p>Even better, this can carry on for a few iterations. And both LLMs can be:<p>1. Budgeted (&quot;don&#x27;t exceed X amount&quot;)<p>2. Improved (another LLM can improve their prompts)<p>and so on. I think we are fixating on how _we_ do things, not how this new world will do their _own_ thing. That to me is the real danger.

Timely article. I really, really want AI to be better at writing code, and hundreds of reports suggest it works great if you&#x27;re a web dev or a python dev. Great! But I&#x27;m a C&#x2F;C++ systems guy(working at a company making money off AI!) and the times I&#x27;ve tried to get AI to write the simplest of test applications against a popular API it mostly failed. The code was incorrect, both using the API incorrectly and writing invalid C++. Attempts to reason with the LLMs(grokv3, deepseek-r1) led further and further away from valid code. Eventually both systems stopped responding.<p>I&#x27;ve also tried Cursor with similar mixed results.<p>But I&#x27;ll say that we are getting tremendous pressure at work to use AI to write code. I&#x27;ve discussed it with fellow engineers and we&#x27;re of the opinion that the managerial desire is so great that we are better off keeping our heads down and reporting success vs saying the emperor wears no clothes.<p>It really feels like the billionaire class has fully drunk the kool-aid and needs AI to live up to the hype.

If X, AWS, Meta, and Google would just dump their code into a ML training set we could really get on with disrupting things.

I&#x27;ve definitely had these types of issues while writing code with LLMs. When relying on an LLM to write something I don&#x27;t fully understand I will basically default to a form of TDD, making sure that the code behaves according to some spec. If I can&#x27;t write a spec, then that&#x27;s an issue.

&gt; Compare this to hallucinations in regular prose, where you need a critical eye, strong intuitions and well developed fact checking skills to avoid sharing information that’s incorrect and directly harmful to your reputation<p>Ah so you mean... actually doing work. Yeah writing code has the same difficulty, you know. It&#x27;s not enough to merely get something to compile and run without errors.<p>&gt; With code you get a powerful form of fact checking for free. Run the code, see if it works.<p>No, this would be coding by coincidence. Even the most atrociously bad prose writers don&#x27;t exactly go around just saying random words from a dictionary or vaguely (mis)quoting Shakespeare hoping to be understood.

Another danger is spotted in the later paragraphs:<p>&gt; I genuinely find myself picking libraries that have been around for a while partly because that way it’s much more likely that LLMs will be able to use them.<p>People will pick solutions that have a lot of training data, rather than the best solution.

I&#x27;m excited to see LLMs get much better at testing. They are already good at writing unit tests (as always, you have to review them carefully). But imagine an LLM that can see your code changes _and_ can generate and execute automated and manual tests based on the change.

Software is the manifestation of a solution to a problem.<p>Any entity, human or otherwise, lacking understanding of the problem being solved will, by definition, produce systems which contain some combination of defects, logic errors, and inapplicable functionality for the problem at hand.

LLM generated code is legacy code.

When you go from the adze to the chainsaw, be mindful that you still need to sharpen the chainsaw, top up the chain bar oil, and wear chaps.<p>Edit: oh and steel capped boots.<p>Edit 2: and a face shield and ear defenders. I&#x27;m all tuckered out like Grover in his own alphabet.

As a non programmer I only get little programs or scripts that do something from the LLM. If they do the thing it means the code is tested, flawless and done. I would never let them have to deal with other humans Input of course.

Great article, but doesn&#x27;t talk about the potentially _most_ dangerous form of mistakes: an adversarial LLM trying to inject vulnerabilities. I expect this to become a vector soon as people figure out ways to accomplish this

I thought he was going to say the really danger is hallucination of facts, but no.

I don&#x27;t agree. What if the LLM takes a two-step approach, where it first determines a global architecture, and then it fills in the code? (Where it hallucinates in the first step).

I agree with the author. But can&#x27;t the risk be minimized somehow by asking LLM A to generate code and LLM B to write integration tests?

<p><pre><code> My cynical side suspects they may have been looking for a reason to dismiss the technology and jumped at the first one they found. </code></pre> MY cynical side suggests the author is an LLM fanboi who prefers not to think that hallucinating easy stuff strongly implies hallucinating harder stuff, and therefore jumps at the first reason to dismiss the criticism.

I don’t really understand what the point or tone of this article is.<p>It says that Hallucinations are not a big deal, that there’s great dangers that are hard to spot in LLM-generated code… and then presents tips on fixing hallucinations with the general theme of positivity towards using LLMs to generate code, with no more time dedicated to the other dangers.<p>It sure gives the impression that the article itself was written by an LLM and barely edited by a human.

&gt; No amount of meticulous code review—or even comprehensive automated tests—will demonstrably prove that code actually does the right thing. You have to run it yourself!<p>Absolutely not. If your testing requires a human to do testing, your testing has already failed. Your tests <i>do</i> need to include both positive and negative tests, though. If your tests don&#x27;t include &quot;things should crash and burn given ...&quot; your tests are incomplete.<p>&gt; If you’re using an LLM to write code without even running it yourself, what are you doing?<p>Running code through tests <i>is literally running the code</i>. Have code coverage turned on, so that you get yelled at for LLM code that you don&#x27;t have tests for, and CI&#x2F;CD that refuses to accept code that has no tests. By all means push to master on your own projects, but for production code, you better have checks in place that don&#x27;t allow not-fully-tested code (coverage, unit, integration, and ideally, docs) to land.<p>The real problem comes from LLMs happily not just giving you code but <i>also</i> test cases. The same prudence applies as with test cases someone added to a PR&#x2F;MR: just because there are tests doesn&#x27;t mean they&#x27;re good tests, or enough tests, review them in the assumption that they&#x27;re testing the wrong thing entirely.

I&#x27;m just here to whine, almost endlessly, that the word &quot;hallucination&quot; is a term of art chosen deliberately because it helps promote a sense AGI exists, by using language which implies reasoning and consciousness. I personally dislike this. I think we were mistaken allowing AI proponents to repurpose language in that way.<p>It&#x27;s not hallucinating Jim, it&#x27;s statistical coding errors. It&#x27;s floating point rounding mistakes. It&#x27;s the wrong cell in the excel table.

Code testing is “human in the loop” for LLM generated code.

&quot;If you’re using an LLM to write code without even running it yourself, what are you doing?&quot;<p>Hallucinating

Personally I believe the worst with llm is it&#x27;s abysmal ability to architect code, it&#x27;s why I use llms more like a Google than a so called coding buddy, because there was so many times I had to rewrite the entire file because the llm had added in so much extra unmanageable functions,even deciding to solve problems I hadn&#x27;t asked it to do.

Wait until he hears about yolo mode and &#x27;vibe&#x27; coding.<p>Then the biggest mistake it could make is running `gh repo delete`

Just ask another LLM to proof read?

I asked o3-mini-high (investor paying for Pro, I personally would not) to critique the Developer UX of D3&#x27;s &quot;join&quot; concept (how when you select an empty set then when you update you enter&#x2F;exit lol) and it literally said &quot;I&#x27;m sorry. I can&#x27;t help you with that.&quot; The only thing missing was calling me Dave.