Peace For All

Letting bugs pile up is bad. This should be obvious.

My internship last year was lucky in two ways. The first was that the company was in a bug squishing phase, so I could count on feedback to my bug reports sometimes in a manner of hours.

The second bit of luck was that as a developer, I was able to gain a comprehension of the underlying foundations of the system. Using this comprehension, I was able to break the system in many creative and painful ways.

Examples include realizations that a particular operation was not truly atomic (DB corruption issues), to my favorite when I caused a buffer overflow by installing the Japanese Language Pack and started writing hiragana characters in to fields that expected just English text.

The Japanese exploit was my favorite one, if solely because it allowed me the opportunity to witness first hand (but not have to be involved in the fixing of!) the results of making assumptions about a user’s nationality, and about something so simple as how big a char should be. Using Unicode 100% through an application can be difficult, it only takes a single call to a function in some API that assumes 8 bit chars to break everything. Of course everyone knows that by now, but who actually tests it to that extreme?

Giving bug reporters quick feedback is essential for a programming team to do. QA is your enemy, and they are also your best friends. Remember that QA’s job is to poke you with a sharp stick now, so that you do not end up blowing off your entire leg with a shotgun later on down the line!