📢 The Bug That Passed Every Test
Read moreDiscover why conventional tests miss logical bugs in AI-generated code and how signature-based pattern matching improves code reviews.

Jul 10, 2026
14 minutes read

Testing was invented for a world in which humans wrote the code and imagined the tests. In 2026, one intelligence can often help write both, so the assumptions shaping the implementation can also shape what gets tested. This essay examines an increasingly important production risk in AI-augmented codebases: plausible logical bugs that survive conventional checks because the relevant real-world condition was never modelled. It explains why standard defences can miss them and how pattern matching against a shared signature library adds a different lens to the same code.

Figure 1. One hundred and twelve green checks. One shape that shouldn’t be there. Find it before the customer does.
At 2:17 a.m. on the last day of March, a logistics platform’s scheduling service began producing the wrong output at exactly the wrong time. Work doubled, then doubled again, until the queue was forty thousand deep and an on-call engineer was staring at preference_sync.py – a file that had passed unit tests, integration tests, staff review, and a CFO demo.
The bug was on line 49: target = next_run(last). Two correct, tested calls. Together, they produced a datetime in the container’s local time (Europe/Amsterdam), while the anchor value came from the database in UTC. When the clocks jumped forward for daylight saving, the target computed to a moment already in the past. The scheduler enqueued the job. And enqueued it. And enqueued it. By the time anyone noticed, the sync had run four times against every user and melted three downstream systems.
The tests all passed. The staff engineer had signed off. The demo had worked. And the bug was still there.

The Claim of This Piece
The old story was simple: bugs came from what an engineer forgot, and tests captured what the engineer remembered to check. That worked because different people brought different blind spots — a reviewer, a QA engineer, a support ticket extended the conditions the code was tested against.
In 2026, code and tests are often produced with help from the same intelligence. When a developer prompts an assistant to create both the implementation and the test file, the assumptions about what could go wrong may become less independent. Passing tests then confirm the behaviours the shared assumptions anticipated; the remaining exposure is concentrated at the conditions neither side was designed to imagine.

Figure 2. When implementation and tests are shaped by the same assumptions, passing tests confirm the region they both anticipated. The greatest exposure lies in the conditions neither side was designed to imagine.
Bugs, like species, come in genera. The null pointer exceptions of the mid-2000s, the SQL injections of the early web, the memory leaks of the C++ era, the race conditions of the concurrency era — each was well-served, in its time, by a specific instrument of detection: the static analyser, the prepared statement, the reference counter, the mutex.
AI-augmented delivery creates a recognizable variant: code that looks conventional, passes available tests, and fails only when it meets a real-world condition absent from the assumptions that produced both.

Figure 3. Specimen profile. The class is not new in kind, but the environmental conditions that reveal it are increasingly common in fast-moving AI-augmented delivery.
Four features distinguish the specimen. The code reads cleanly — conventional names, unbranched flow, types check. The tests pass; the assistant covered the cases it anticipated. The bug lives at a boundary the tests weren’t designed to check — a time zone, a rare state, an interaction effect. And it reveals itself only under real-world conditions the pre-prod environment can’t replicate: traffic scale, calendar boundaries, downstream state changes.
Teams can discover these bugs by suffering them in production. Or they can improve their odds of catching them earlier by naming them, encoding their structure as patterns, and comparing each new diff with a library of patterns derived from prior incidents.
A signature is a small, precise description of what a bug looks like structurally – not merely what it does, but the combination of code shape, operating context, and evidence showing how that shape has failed before. ‘Money as float in a module named for billing.’ ‘A datetime.now() call inside a scheduled process without an explicit timezone anchor.’ ‘A gateway.charge(…) call inside a retry block without an idempotency key parameter.’ Each is a shape you can inspect in a new diff. Each can correspond to a specific class of incident that has affected other teams.
The idea of a signature library is not new. Every static analyser, security scanner, and linter rule set contains structured knowledge about recurring risks. What is different here is the source and maintenance model: a living registry can reflect incident-backed patterns observed in real systems and be updated as new evidence is validated. Linters catch syntax and style; analyser rules catch classes of bug their authors already know. A signature registry adds evidence-backed shapes from incidents that teams have already experienced. This is the kind of registry Umaku’s Bugs Finder is designed to maintain – not a claim that every match is certain, but a reviewed source of historically grounded hypotheses.

Figure 4. Snapshot of the registry at the time of writing: 247 signatures across eight categories, sourced from customer post-mortems, public advisories, community research, and validated Bugs Finder catches at other teams.
A full description of the library would take a small book. Six examples are enough to convey the flavour.

Figure 5. Six signature entries. Each is a shape supported by multiple real incident references. The full registry carries 247 similar entries at the time of writing.
Signature #01 — Money as float
A float used for currency arithmetic in billing, payment, refund, or invoice code. It can create fractional-cent rounding drift that becomes visible at scale.
Signature #04 — Local-time anchor
Datetime arithmetic in a scheduled process without an explicit UTC or timezone anchor. It surfaces around DST changes, month boundaries, or regional moves.
Signature #07 — Silent type coercion
A == comparison against a value declared boolean but inferred from an API response. Coercion can make a branch run for truthy, non-zero, or non-empty-string values.
Signature #11 — Retry without idempotency
A retry loop around an external-state mutation without an idempotency_key, request_id, or nonce. It can create duplicate charges, refunds, or webhooks.
Signature #17 — Read-modify-write race
A read-modify-write sequence without a version check. Concurrent transactions can overwrite one another and lose a change.
Signature #23 — Async chain stale read
A chain of awaits in which an earlier value is reused after underlying state can change. It appears in booking, inventory, and pricing flows.

The Insight
It helps to name what pattern matching is not. It is not a replacement for tests or static analysis. It is a third instrument: it compares a change with evidence-backed shapes from prior incidents. Like every instrument, it has limits – its usefulness depends on the quality, coverage, and relevance of the signature library – but it can surface risks the other two methods were not configured to see.

Figure 6. Three detection methods view the same diff differently: static analysis checks code structure, tests check named behaviour, and pattern matching compares a change with evidence-backed shapes from prior incidents.
Consider a specific diff — the refund handler in a mid-sized SaaS. Fourteen lines of Python. Fully typed. Full test coverage on the happy and unhappy paths. Approved by a staff engineer.

Figure 7. The linter reports zero findings. The tests all pass. Bugs Finder returns two matches — each linked to real prior incidents, each with a specific recommended remedy.
The linter has nothing to say. The tests have already passed. The third lens – the one that compares the diff with known incident shapes – surfaces two cited hypotheses: gateway.refund may need an idempotency key, and the read-modify-write pattern on user.balance may need a version check. Both findings point the reviewer to relevant prior incidents and a concrete condition to verify before merge.
Pattern matching is not keyword search. It compares the shape of a diff with shapes represented in an incident-backed signature library.

Figure 8. Four stages: a diff arrives, its shape is extracted, candidate matches are computed against the library, and cited findings are produced. Each finding identifies the evidence that supports the candidate match.
Stage one is the PR diff itself – not just the file, because context around the change matters. Stage two extracts what the machine can reason about: abstract syntax, control flow, type usage, and call patterns. Stage three compares those shape vectors with signatures in the library and computes a confidence score for each candidate. Stage four produces the finding: not ‘your code smells,’ but ‘this change resembles signature #11 and #17, with these confidence levels and these incident references.’ A match is not a verdict. It is a cited hypothesis for the reviewer: here is a known failure pattern, here is the evidence, and here is the condition to check before merge.
Confidence and citations distinguish this approach from a conventional static analyser. A traditional analyser fires on a rule. Pattern matching surfaces an evidenced correspondence to real prior incidents, together with the context a reviewer needs to judge relevance. That difference matters when deciding whether to investigate further, request a change, or block a merge.
The most reasonable question a CTO can ask is: whose incidents? The value of the library is its provenance. A pattern list written from the memory of a few engineers is useful, but narrow. A signature library built from validated incident evidence across multiple teams can provide broader coverage – provided each entry retains inspectable sources and a clear standard for inclusion.

Figure 9. The registry is fed from four sources: customer post-mortems, public advisory databases (CVE, GitHub Advisory DB, and vendor incident reports), validated Bugs Finder catches at other Umaku teams, and community research. Each production-ready signature carries provenance.
Each production-ready entry in the Umaku registry is supported by multiple incident references and includes provenance that reviewers can inspect. Some references are internal: a validated Bugs Finder catch at Team A can become a signature that helps Team B and Team C. Others are external: public post-mortems and incident write-ups can inform patterns that participating teams benefit from. The model is familiar from the vulnerability community: shared evidence helps teams learn from failures they did not have to experience firsthand.

Figure 10. The learning loop. An incident at Team A can become a validated signature that helps protect Team B and Team C. Team D can refine it further. The library becomes a shared memory of what production has taught.
The economic argument for pattern matching is the same argument behind every shift-left move in software delivery. Bugs generally become more expensive the further right they are discovered. The exact cost varies by company and system, but later discovery typically adds coordination, customer impact, recovery work, and reputational cost.

Figure 11. Illustrative relative cost of discovering the same class of issue at different stages of delivery. Earlier detection can turn a production incident into a short review and a small code change.
Bugs Finder is most valuable when it surfaces a cited hypothesis during PR review. A time-zone signature might have highlighted the opening incident before merge, when a short review and small fix were still possible. Exact outcomes depend on context and coverage, but earlier evidence gives teams more options.
Bugs Finder is one of Umaku’s four post-sprint agents. It surfaces logical risks matching known signatures during review, then aggregates those findings into post-sprint feedback so leaders can see recurring patterns. The other agents focus on coordination, contract drift, and production readiness.

Figure 12. The Umaku sprint dashboard, showing the four post-sprint agents and a highlighted Bugs Finder score card. The view aggregates recurring risk signals for sprint-level visibility.
A score is useful only when a reviewer can inspect the evidence. Bugs Finder opens each highlighted risk into its affected area, risk level, evidence, recommended action, and analysis.

Figure 13. The Bugs Finder module overview. It summarises alignment, risk level, and the action required, then links the reviewer to supporting detail.

Figure 14. Agent detail view, focused on risks. Other tabs expose recommended fixes, supporting evidence, and analysis.
Findings are cited rather than anonymous, and each match links to its supporting incident evidence. The same signals can guide pull-request review and give leadership sprint-level visibility. Approved signatures can then be shared across participating teams.
Three concrete moves. None require a full quarter to start.
The key risk in 2026 is often not a new bug, but a plausible one: code that reads correctly, passes available tests, and fails only in the real world. AI-assisted delivery increases the speed at which plausible implementations and plausible tests are produced.
Tests and linters remain essential. Pattern matching adds a third instrument: historically grounded evidence that can narrow the blind spot between plausible code and production reality.
Umaku’s Bugs Finder is designed as that instrument. Its registry is the knowledge base; the learning loop is how that knowledge can improve over time.
| NEXT STEP
Send us one production post-mortem from the last quarter. Umaku will show you the signature it could have matched, a representative earlier change the signature could have highlighted, and – if you enable Bugs Finder against your codebase for thirty days – how many open PRs match signatures already in the library. |

Build with clarity, deliver with confidence.