Editing Software bug

{{Short description|Inherent flaw in computer instructions}}
{{Self-reference|To report a [[MediaWiki]] error on Wikipedia, see [[Wikipedia:Bug reports]].}}
{{Use mdy dates|date=April 2020}}
{{software development process}}

A '''software bug''' is a design defect ([[Bug (engineering)|bug]]) in [[computer software]]. A [[computer program]] with many or serious bugs may be described as ''buggy''. 

The effects of a software bug range from minor (such as a misspelled word in the [[user interface]]) to severe (such as frequent [[crash (computing)|crashing]]).

In 2002, a study commissioned by the US [[Department of Commerce]]'s [[National Institute of Standards and Technology]] concluded that "software bugs, or errors, are so prevalent and so detrimental that they cost the US economy an estimated $59&nbsp;billion annually, or about 0.6 percent of the gross domestic product".<ref>{{cite web|url=http://www.nist.gov/public_affairs/releases/n02-10.htm |title=Software bugs cost US economy dear |date=June 10, 2009 |access-date=September 24, 2012 |url-status=dead |archive-url=https://web.archive.org/web/20090610052743/http://www.nist.gov/public_affairs/releases/n02-10.htm |archive-date=June 10, 2009 }}</ref>

Since the 1950s, some computer systems have been designed to detect or auto-correct various software errors during operations.

== History ==
{{see|Bug (engineering)#History}}

== Terminology ==

''Mistake metamorphism'' (from Greek ''meta'' = "change", ''morph'' = "form") refers to the evolution of a defect in the final stage of software deployment. Transformation of a ''mistake'' committed by an analyst in the early stages of the software development lifecycle, which leads to a ''defect'' in the final stage of the cycle has been called ''mistake metamorphism''.<ref name="metamorph">{{cite journal |journal = Testing Experience|date=March 2012|publisher=testingexperience|title=Testing experience : te : the magazine for professional testers|location = Germany|page =42 |issn=1866-5705}} {{subscription required}}</ref>

Different stages of a mistake in the development cycle may be described as mistake,<ref name=ieeeGlossary>{{cite book
|title= 610.12-1990: IEEE Standard Glossary of Software Engineering Terminology
|publisher=[[IEEE]]
|date=December 31, 1990
|isbn=978-0-7381-0391-4
|doi=10.1109/IEEESTD.1990.101064}}</ref>{{rp|31}}anomaly,<ref name=ieeeGlossary/>{{rp|10}} fault,<ref name=ieeeGlossary/>{{rp|31}} failure,<ref name=ieeeGlossary/>{{rp|31}} error,<ref name=ieeeGlossary/>{{rp|31}} exception,<ref name=ieeeGlossary/>{{rp|31}} crash,<ref name=ieeeGlossary/>{{rp|22}} glitch, bug,<ref name=ieeeGlossary/>{{rp|14}} defect, incident,<ref name=ieeeGlossary/>{{rp|39}} or side effect. 

==Examples==
Software bugs have been linked to disasters.
* Software bugs in the [[Therac-25|Therac-25 radiation therapy machine]] were directly responsible for patient deaths in the 1980s.<ref name="Raj">{{cite journal | last1 = Leveson | first1 = Nancy G. | author-link1 = Nancy G. Leveson | last2 = Turner | first2 = Clark S. | date = 1993-07-01 | title = An Investigation of the Therac-25 Accidents | journal = [[Computer (magazine)|Computer]] | volume = 26 | issue = 7 | pages = 18{{hyphen}}41 | publisher =  [[IEEE Computer Society]] | doi = 10.1109/MC.1993.274940 | eissn = 1558-0814  | issn = 0018-9162 | lccn = 74648480 | s2cid = 9691171 | oclc =  2240099 | url = https://escholarship.org/uc/item/5dr206s3 | df = dmy-all}}</ref>
* In 1996, the [[European Space Agency]]'s US$1&nbsp;billion prototype [[Ariane flight V88|Ariane 5 rocket was destroyed]] less than a minute after launch due to a bug in the on-board guidance computer program.<ref>{{cite journal
|title= ARIANE 5 Flight 501 Failure Report by the Inquiry Board
|date=July 23, 1996
|issue=33–1996
|journal=[[The European Space Agency]]
|series=Ariane 501 Inquiry Board report
|url=https://www.esa.int/Newsroom/Press_Releases/Ariane_501_-_Presentation_of_Inquiry_Board_report
}}</ref> 
* In 1994, an [[1994 Scotland RAF Chinook crash|RAF Chinook helicopter crashed]], killing 29; was initially blamed on pilot error, but was later thought to have been caused by a software bug in the [[FADEC|engine-control computer]].<ref>{{cite journal
|author= [[Simon Rogerson]]
|url= http://www.ccsr.cse.dmu.ac.uk/resources/general/ethicol/Ecv12no2.html
|title=The Chinook Helicopter Disaster
|journal=IMIS Journal
|volume=12
|issue=2
|date=April 2002
|url-status= dead
|archive-url=http://web.archive.org/web/19930915000000/http://www.ccsr.cse.dmu.ac.uk/resources/general/ethicol/Ecv12no2.html
|archive-date=September 15, 1993
|access-date=May 27, 2024}} [https://www5.in.tum.de/~huckle/chinook_software.pdf Alt URL]</ref> 
* Buggy software caused the early 21st century [[British Post Office scandal]].<ref name=beeb182>{{Cite news |title=Post Office scandal ruined lives, inquiry hears |author=<!--not stated--> |work=BBC News |date=14 February 2022 |url= https://www.bbc.co.uk/news/business-60374182}}</ref>

== Controversy ==

Sometimes the use of ''bug'' to describe the behavior of software is contentious due to perception. Some suggest that the term should be abandoned; contending that ''bug'' implies that the defect arose on its own and push to use ''defect'' instead since it more clearly indicates they are caused by a human.<ref>{{cite web
|website=News at SEI
|publisher=[[Software Engineering Institute]]
|title=News at SEI – Bugs or Defects?
|date=April 1, 1999
|first=Watts S.
|last=Humphrey
|author-link=Watts Humphrey
|url=https://insights.sei.cmu.edu/documents/2648/1999_102_001_413932.pdf
|at=page 73 of 154 in PDF file
|access-date=2025-02-02
|archive-url=https://web.archive.org/web/20231015130719/https://insights.sei.cmu.edu/documents/2648/1999_102_001_413932.pdf
|archive-date=2023-10-15
|url-status=live
}} (linked from [https://insights.sei.cmu.edu/library/news-at-sei-1999-archive/ News at SEI 1999 Archive])</ref>

Some contend that ''bug'' may be used to [[coverup|cover up]] an intentional design decision. In 2011, after receiving scrutiny from US Senator [[Al Franken]] for recording and storing users' locations in unencrypted files,<ref>{{cite journal
|author=Gregg Keizer
|title=Apple faces questions from Congress about iPhone tracking
|date=April 21, 2011
|journal=[[Computerworld]]
|url=https://www.computerworld.com/article/1546216/apple-faces-questions-from-congress-about-iphone-tracking2.html}}</ref>
Apple called the behavior a bug. However, Justin Brookman of the [[Center for Democracy and Technology]] directly challenged that portrayal, stating "I'm glad that they are fixing what they call bugs, but I take exception with their strong denial that they track users."<ref>{{cite journal
|author=Gregg Keizer
|title=Apple denies tracking iPhone users, but promises changes
|journal=[[Computerworld]]
|date=April 27, 2011
|url=https://www.computerworld.com/article/1534426/apple-denies-tracking-iphone-users-but-promises-changes}}</ref>

== Prevention ==

[[File:Software bug displayed on two screens at La Croix de Berny station in France - 2021-10-28.jpg|thumb|Error resulting from a software bug displayed on two screens at [[La Croix de Berny station]] in France]]

Preventing bugs as early as possible in the [[software development process]] is a target of investment and innovation.<ref>{{cite book
|title=Automated Defect Prevention: Best Practices in Software Management
|author1=Dorota Huizinga
|author2=Adam Kolawa
|isbn=978-0-470-04212-0
|date=September 2007
|publisher=Wiley-IEEE Computer Society Press
|url=https://ieeexplore.ieee.org/book/5201515}}</ref><ref>{{cite book | last = McDonald | first = Marc | author2 = Musson, Robert | author3 = Smith, Ross | title = The Practical Guide to Defect Prevention | url = https://archive.org/details/practicalguideto00/page/480 | year = 2007 | publisher = Microsoft Press | page = [https://archive.org/details/practicalguideto00/page/480 480] | isbn = 978-0-7356-2253-1 | df = mdy-all | url-access = registration }}</ref>

=== Language support ===

Newer [[programming language]]s tend to be designed to prevent common bugs based on vulnerabilities of existing languages. Lessons learned from older languages such as [[BASIC]] and [[C (programming language)|C]] are used to inform the design of later languages such as [[C Sharp (programming language)|C#]] and [[Rust (programming language)|Rust]].

A [[compiled]] language allows for detecting some typos (such as a misspelled identifier) before [[Runtime (program lifecycle phase)|runtime]] which is earlier in the [[software development process]] than for an [[Interpreter (computing)|interpreted]] language.

Languages may include features such as a static [[type system]], restricted [[namespace]]s and [[modular programming]]. For example, for a typed, compiled language (like [[C (programming language)|C]]):

 float num = "3";

is syntactically correct, but fails type checking since the right side, a string, cannot be assigned to a float variable. Compilation fails {{endash}} forcing this defect to be fixed before development progress can resume. With an interpreted language, a failure would not occur until later at runtime.

Some languages exclude features that easily lead to bugs, at the expense of slower performance {{endash}} the principle being that it is usually better to write simpler, slower correct code than complicated, buggy code. For example, the [[Java (programming language)|Java]] does not support [[pointer (computer programming)|pointer]] arithmetic which is generally fast, but is considered dangerous; relatively likely to cause a major bug. 

Some languages include features that add runtime overhead in order to prevent some bugs. For example, many languages include runtime [[bounds checking]] and a way to handle out-of-bounds conditions instead of crashing.

=== Techniques ===

Programming techniques such as [[programming style]] and [[defensive programming]] are intended to prevent typos.

For example, a bug may be caused by a relatively minor typographical error (typo) in the code. For example, this code executes function {{code|foo}} only if {{code|condition}}is true.

 if (condition) foo();

But this code always executes {{code|foo}}:

 if (condition); foo();

A convention that tends to prevent this particular issue is to require braces for a block even if it has just one line.

 if (condition) {
   foo();
 }

Enforcement of conventions may be manual (i.e. via [[code review]]) or via automated tools.

=== Specification ===

Some{{who?|date=May 2025}} contend that writing a [[program specification]], which states the intended behavior of a program, can prevent bugs. Others{{who?|date=May 2025}}, however, contend that formal specifications are impractical for anything but the shortest programs, because of problems of [[combinatorial explosion]] and [[Nondeterministic algorithm|indeterminacy]].<!--[[User:Kvng/RTH]]-->

=== Software testing ===

One goal of [[software testing]] is to find bugs. 

Measurements during testing can provide an estimate of the number of likely bugs remaining. This becomes more reliable the longer a product is tested and developed.{{citation needed|date=February 2017}}

=== Agile practices ===

[[Agile software development]] may involve frequent software releases with relatively small changes. Defects are revealed by user feedback.

With [[test-driven development]] (TDD), [[unit test]]s are written while writing the production code, and the production code is not considered complete until all tests complete successfully.

=== Static analysis ===

Tools for [[static code analysis]] help developers by inspecting the program text beyond the compiler's capabilities to spot potential problems. Although in general the problem of finding all programming errors given a specification is not solvable (see [[halting problem]]), these tools exploit the fact that human programmers tend to make certain kinds of simple mistakes often when writing software.

=== Instrumentation ===

Tools to monitor the performance of the software as it is running, either specifically to find problems such as [[Bottleneck (engineering)|bottlenecks]] or to give assurance as to correct working, may be embedded in the code explicitly (perhaps as simple as a statement saying <code>PRINT "I AM HERE"</code>), or provided as tools. It is often a surprise to find where most of the time is taken by a piece of code, and this removal of assumptions might cause the code to be rewritten.

=== Open source ===

[[Open source]] development allows anyone to examine source code. A school of thought popularized by [[Eric S. Raymond]] as [[Linus's law]] says that popular [[open-source software]] has more chance of having few or no bugs than other software, because "given enough eyeballs, all bugs are shallow".<ref>[http://www.catb.org/~esr/writings/cathedral-bazaar/cathedral-bazaar/ar01s04.html "Release Early, Release Often"] {{webarchive|url=https://web.archive.org/web/20110514032650/http://www.catb.org/~esr/writings/cathedral-bazaar/cathedral-bazaar/ar01s04.html |date=May 14, 2011 }}, [[Eric S. Raymond]], ''[[The Cathedral and the Bazaar]]''</ref> This assertion has been disputed, however: computer security specialist [[Elias Levy]] wrote that "it is easy to hide vulnerabilities in complex, little understood and undocumented source code," because, "even if people are reviewing the code, that doesn't mean they're qualified to do so."<ref>[http://www.securityfocus.com/news/19 "Wide Open Source"] {{webarchive|url=https://web.archive.org/web/20070929105937/http://www.securityfocus.com/news/19 |date=September 29, 2007 }}, [[Elias Levy]], ''SecurityFocus'', April 17, 2000</ref> An example of an open-source software bug was the [[Debian#2008 OpenSSL vulnerability|2008 OpenSSL vulnerability in Debian]].

== Debugging ==
{{Main|Debugging}}

''Debugging'' can be a significant part of the [[software development lifecycle]]. [[Maurice Wilkes]], an early computing pioneer, described his realization in the late 1940s that
“a good part of the remainder of my life was going to be spent in finding errors in my own programs”.<ref>{{cite web
|title=Maurice Wilkes Quotes
|url=https://quotepark.com/quotes/1810905-maurice-wilkes-by-june-1949-people-had-begun-to-realize-that-it-w
|publisher=QuoteFancy
|access-date=April 28, 2024}}</ref>

A program known as a [[debugger]] can help a programmer find faulty code by examining the inner workings of a program such as executing code line-by-line and viewing variable values. 

As an alternative to using a debugger, code may be instrumented with logic to output debug information to trace program execution and view values. Output is typically to [[System console|console]], [[Window (computing)|window]], [[log file]] or a [[computer hardware|hardware]] output (i.e. [[LED]]).

Some contend that locating a bug is something of an art. 

It is not uncommon for a bug in one section of a program to cause failures in a different section,{{citation needed|date=November 2012}} thus making it difficult to track, in an apparently unrelated part of the system. For example, an error in a graphics [[Rendering (computer graphics)|rendering]] routine causing a file [[I/O]] routine to fail.

Sometimes, the most difficult part of debugging is finding the cause of the bug. Once found, correcting the problem is sometimes easy if not trivial. 

Sometimes, a bug is not an isolated flaw, but represents an error of thinking or planning on the part of the programmers. Often, such a ''[[logic error]]'' requires a section of the program to be overhauled or rewritten. 

Some contend that as a part of [[code review]], stepping through the code and imagining or transcribing the execution process may often find errors without ever reproducing the bug as such.

Typically, the first step in locating a bug is to reproduce it reliably. If unable to reproduce the issue, a programmer cannot find the cause of the bug and therefore cannot fix it.

Some bugs are revealed by inputs that may be difficult for the programmer to re-create. One cause of the [[Therac-25]] radiation machine deaths was a bug (specifically, a [[race condition]]) that occurred only when the machine operator very rapidly entered a treatment plan; it took days of practice to become able to do this, so the bug did not manifest in testing or when the manufacturer attempted to duplicate it. Other bugs may stop occurring whenever the setup is augmented to help find the bug, such as running the program with a debugger; these are called ''[[heisenbug]]s'' (humorously named after the [[Heisenberg uncertainty principle]]).

Since the 1990s, particularly following the [[Ariane 5 Flight 501]] disaster, interest in automated aids to debugging rose, such as [[static code analysis]] by [[abstract interpretation]].<ref>{{Cite web|url=http://christele.faure.pagesperso-orange.fr/polyspace.html|title=PolySpace Technologies history|website=christele.faure.pagesperso-orange.fr|access-date=August 1, 2019}}</ref>

Often, bugs come about during coding, but faulty design documentation may cause a bug. 
In some cases, changes to the code may eliminate the problem even though the code then no longer matches the documentation. 

In an [[embedded system]], the software is often modified to [[workaround|work around]] a hardware bug since it's cheaper than modifying the hardware.

== Management ==
[[File:Classpath bugs.png|thumb|upright=1.6|Example bug history ([[GNU Classpath]] project data). A new bug is initially ''unconfirmed.'' Once reproducibility is confirmed, it is changed to ''confirmed''. Once the issue is resolved, it is changed to ''fixed''.]]

Bugs are managed via activities like documenting, categorizing, assigning, reproducing, correcting and releasing the corrected code. 

[[Programming tool|Tools]] are often used to track bugs and other issues with software. Typically, different tools
are used by the software development team to [[bug tracking system|track their workload]] than by [[customer service]] to [[issue tracking system|track user feedback]].<ref>{{cite magazine |last=Allen |first=Mitch |date=May–June 2002 |title=Bug Tracking Basics: A beginner's guide to reporting and tracking defects |magazine=Software Testing & Quality Engineering Magazine |volume=4 |issue=3 |pages=20–24 |url=https://www.stickyminds.com/better-software-magazine/bug-tracking-basics |access-date=December 19, 2017}}</ref> 

A tracked item is often called ''bug'', ''defect'', ''ticket'', ''issue'', ''feature'', or for [[agile software development]], ''story'' or ''epic''. Items are often categorized by aspects such as severity, priority and [[version number]].

In a process sometimes called [[triage]], choices are made for each bug about whether and when to fix it based on information such as the bug's severity and priority and external factors such as development schedules. Triage generally does not include investigation into cause. Triage may occur regularly. Triage generally consists of reviewing new bugs since the previous triage and maybe all open bugs. Attendees may include project manager, development manager, test manager, build manager, and technical experts.<ref>{{cite book| url=https://books.google.com/books?id=XN0izRhGylYC&dq=bug+triage&pg=PA139| title=Managing The Testing Process |edition=2nd | author=Rex Black| date=2002| access-date=19 June 2021| publisher=Wiley India Pvt. Limited| isbn=978-8126503131| page=139}}</ref><ref>{{cite book| url=https://books.google.com/books?id=BKj-M_FlU_kC&dq=bug+triage&pg=PA80| title=Shipping Greatness - Practical Lessons on Building and Launching Outstanding Software, Learned on the Job at Google and Amazon| author=Chris Vander Mey| year=2012| publisher=[[O'Reilly Media]]| isbn=978-1449336608| pages=79–81}}</ref>

=== Severity ===

''Severity'' is a measure of impact the bug has.<ref>{{Cite journal|last1=Soleimani Neysiani|first1=Behzad|last2=Babamir|first2=Seyed Morteza|last3=Aritsugi|first3=Masayoshi|date=2020-10-01|title=Efficient feature extraction model for validation performance improvement of duplicate bug report detection in software bug triage systems|url=https://linkinghub.elsevier.com/retrieve/pii/S0950584920301117|journal=Information and Software Technology|language=en|volume=126|pages=106344|doi=10.1016/j.infsof.2020.106344|s2cid=219733047}}</ref> This impact may be data loss, financial, loss of goodwill and wasted effort. Severity levels are not standardized, but differ by context such as industry and tracking tool. For example, a crash in a video game has a different impact than a crash in a bank server. Severity levels might be ''crash or hang'', ''no workaround'' (user cannot accomplish a task), ''has workaround'' (user can still accomplish the task), ''visual defect'' (a misspelling for example), or ''documentation error''. Another example set of severities: ''critical'', ''high'', ''low'', ''blocker'', ''trivial''.<ref>{{cite web|url=http://www.bugzilla.org/docs/4.4/en/html/bug_page.html|title=5.3. Anatomy of a Bug|work=bugzilla.org|url-status=live|archive-url=https://web.archive.org/web/20130523121753/http://www.bugzilla.org/docs/4.4/en/html/bug_page.html|archive-date=May 23, 2013}}</ref> The severity of a bug may be a separate category to its priority for fixing, or the two may be quantified and managed separately.

{{anchor|Show stopper|Showstopper|Showstopper bug}}A bug severe enough to delay the release of the product is called a ''show stopper''.<ref name="DoD_Glossary1989">{{Cite encyclopedia |title=Show stopper |encyclopedia=Glossary: defense acquisition acronyms and terms |year=1989 |publisher=Department of Defense, [[Defense Systems Management College]] |location=Fort Belvoir, Virginia|url=https://hdl.handle.net/2027/mdp.39015061290758?urlappend=%3Bseq=163 |editor-last=Jones |editor-first=Wilbur D. Jr. |edition=4 |page=123 |hdl=2027/mdp.39015061290758?urlappend=%3Bseq=163 |language=en|via=Hathitrust}}</ref><ref name="Zachary1994">{{Cite book |title=Show-stopper!: the breakneck race to create Windows NT and the next generation at Microsoft |last=Zachary |first=G. Pascal |publisher=[[Free Press (publisher)|The Free Press]] |year=1994 |isbn=0029356717 |location=New York |page=158 |language=en |url=https://archive.org/details/showstopperbreak00zach/page/158/mode/1up?q=%22showstopper+bug%22 |url-access=registration |via=archive.org}}</ref>

=== Priority ===

''Priority'' describes the importance of resolving the bug in relation to other bugs. Priorities might be numerical, such as 1 through 5, or named, such as ''critical'', ''high'', ''low'', and ''deferred''. The values might be similar or identical to severity ratings, even though priority is a different aspect. 

Priority may be a combination of the bug's severity with the level of effort to fix. A bug with low severity but easy to fix may get a higher priority than a bug with moderate severity that requires significantly more effort to fix. 

=== Patch ===

Bugs of sufficiently high priority may warrant a special release which is sometimes called a ''[[Patch (computing)|patch]]''. 

=== Maintenance release ===

A software release that emphasizes bug fixes may be called a ''maintenance'' release {{endash}} to differentiate it from a release that emphasizes new features or other changes.

=== Known issue ===
It is common practice to release software with known, low-priority bugs or other issues.  Possible reasons include but are not limited to:

* A deadline must be met and resources are insufficient to fix all bugs by the deadline<ref>{{cite magazine|title=The Next Generation 1996 Lexicon A to Z: Slipstream Release|magazine=[[Next Generation (magazine)|Next Generation]]|issue=15 |date=March 1996|page=41}}</ref>

* The bug is already fixed in an upcoming release, and it is not of high priority

* The changes required to fix the bug are too costly or affect too many other components, requiring a major testing activity

* It may be suspected, or known, that some users are relying on the existing buggy behavior; a proposed fix may introduce a [[wikt:breaking change|breaking change]]

* The problem is in an area that will be obsolete with an upcoming release; fixing it is unnecessary

* "It's not a bug, it's a feature"<ref name=wired>{{cite web|url=https://www.wired.com/story/its-not-a-bug-its-a-feature/|title='It's Not a Bug, It's a Feature.' Trite – or Just Right?|website=wired.com|first=Nicholas |last=Carr|year=2018}}</ref> A misunderstanding exists between expected and actual behavior or [[undocumented feature]]

=== Implications ===
The amount and type of damage a software bug may cause affects decision-making, processes and policy regarding software quality. In applications such as [[human spaceflight]], [[aviation]], [[nuclear power]], [[health care]], [[public transport]] or [[automotive safety]], since software flaws have the potential to cause human injury or even death, such software will have far more scrutiny and quality control than, for example, an online shopping website. In applications such as banking, where software flaws have the potential to cause serious financial damage to a bank or its customers, quality control is also more important than, say, a photo editing application.

Other than the damage caused by bugs, some of their cost is due to the effort invested in fixing them. In 1978, Lientz et al. showed that the median of projects invest 17 percent of the development effort in bug fixing.<ref>{{Cite journal|title = Characteristics of Application Software Maintenance|journal = Communications of the ACM |date = 1978 |pages = 466–471|volume = 21|doi = 10.1145/359511.359522|first1 = B. P.|last1 = Lientz |first2 = E. B.|last2 = Swanson |first3 = G. E.|last3 = Tompkins|issue = 6 |s2cid = 14950091 |doi-access = free}}</ref> In 2020, research on [[GitHub]] repositories showed the median is 20%.<ref>{{cite arXiv |last1=Amit |first1=Idan |last2=Feitelson |first2=Dror G.|date=2020 |title=The Corrective Commit Probability Code Quality Metric |class=cs.SE |eprint=2007.10912}}</ref>

{{anchor|residual defects|Deployment failures}}

=== Cost ===

In 1994, NASA's [[Goddard Space Flight Center]] managed to reduce their average number of errors from 4.5 per 1,000 lines of code ([[Source lines of code|SLOC]]) down to 1 per 1000 SLOC.<ref name=NASA1994>{{cite journal
|journal=Software Engineering Laboratory Series
|title=An Overview of the Software Engineering Laboratory
|date=December 1994
|issue=SEL-94-005
|url=https://ntrs.nasa.gov/api/citations/19950022293/downloads/19950022293.pdf}}</ref>

Another study in 1990 reported that exceptionally good software development processes can achieve deployment failure rates as low as 0.1 per 1000 SLOC.<ref name="CobbMills1990">{{Cite journal |title=Engineering software under statistical quality control |journal=[[IEEE Software]] |url=https://trace.tennessee.edu/utk_harlan/14/|via=University of Tennessee – Harlan D. Mills Collection |last1=Cobb |first1=Richard H. |issue=6 |volume=7 |last2=Mills |first2=Harlan D. |doi=10.1109/52.60601 |year=1990 |page=46 |s2cid=538311 |language=en |issn=1937-4194 |author-link2=Harlan Mills}}</ref> This figure is iterated in literature such as ''[[Code Complete]]'' by [[Steve McConnell]],<ref name="McConnel1993">{{Cite book |title=Code Complete |last=McConnell |first=Steven C. |publisher=Microsoft Press |year=1993 |isbn=978-1556154843 |location=Redmond, Washington|page=611 |language=en |url=https://archive.org/details/codecompleteprac0000mcco/page/611/mode/1up?q=%22space+shuttle%22|via=archive.org |quote=(Cobb and Mills 1990) |author-link=Steve McConnell |url-access=registration}}</ref> and the ''NASA study on Flight Software Complexity''.<ref>{{cite journal
|author=Gerard Holzmann
|title=Appendix D – Software Complexity
|journal= Final Report: NASA Study on Flight Software Complexity (Daniel L. Dvorak (Ed.))
|date=March 5, 2009
|series=NASA Office of Chief Engineer Technical Excellence Program
|url= https://www.nasa.gov/wp-content/uploads/2015/04/418878main_fswc_final_report.pdf
}}</ref> Some projects even attained zero defects: the [[firmware]] in the [[IBM Wheelwriter]] typewriter which consists of 63,000 SLOC, and the [[Space Shuttle]] software with 500,000 SLOC.<ref name="CobbMills1990" />

=== Benchmark ===

To facilitate reproducible research on testing and debugging, researchers use curated benchmarks of bugs:
* the Siemens benchmark
* ManyBugs<ref name="Le GouesHoltschulte2015">{{cite journal|last1=Le Goues|first1=Claire|author1-link=Claire Le Goues|last2=Holtschulte|first2=Neal|last3=Smith|first3=Edward K.|last4=Brun|first4=Yuriy|last5=Devanbu|first5=Premkumar|last6=Forrest|first6=Stephanie|last7=Weimer|first7=Westley|title=The ManyBugs and IntroClass Benchmarks for Automated Repair of C Programs|journal=IEEE Transactions on Software Engineering|volume=41|issue=12|year=2015|pages=1236–1256|issn=0098-5589|doi=10.1109/TSE.2015.2454513|doi-access=free}}</ref> is a benchmark of 185 C bugs in nine open-source programs.
* Defects4J<ref name="JustJalali2014">{{cite book|last1=Just|first1=René|title=Proceedings of the 2014 International Symposium on Software Testing and Analysis – ISSTA 2014|pages=437–440|last2=Jalali|first2=Darioush|last3=Ernst|first3=Michael D.|s2cid=12796895|chapter=Defects4J: a database of existing faults to enable controlled testing studies for Java programs|year=2014|doi=10.1145/2610384.2628055|isbn=9781450326452|citeseerx=10.1.1.646.3086}}</ref> is a benchmark of 341 Java bugs from 5 open-source projects. It contains the corresponding patches, which cover a variety of patch type.

== Types ==

Some notable types of bugs:

=== Design error ===

A bug can be caused by insufficient or incorrect design based on the specification. For example, given that the specification is to alphabetize a list of words, a design bug might occur if the design does not account for symbols; resulting in incorrect alphabetization of words with symbols.

=== Arithmetic ===

Numerical operations can result in unexpected output, slow processing, or crashing.<ref>{{cite conference
|author1=Anthony Di Franco
|author2=Hui Guo
|author3=Cindy Rubio-González
|title=A comprehensive study of real-world numerical bug characteristics
|conference=2017 32nd [[IEEE]]/[[Association for Computing Machinery |ACM]] International Conference on Automated Software Engineering (ASE)
|date=November 23, 2017
|publisher=[[IEEE]]
|doi=10.1109/ASE.2017.8115662}}</ref>
Such a bug can be from a lack of awareness of the qualities of the data storage such as a [[arithmetic precision|loss of precision]] due to [[rounding]], [[numerically unstable]] algorithms, [[arithmetic overflow]] and [[underflow]], or from lack of awareness of how calculations are handled by different software coding languages such as [[Division by zero#Computer arithmetic|division by zero]] which in some languages may throw an exception, and in others may return a special value such as [[NaN]] or [[Infinity#Computing|infinity]].

=== Control flow ===
{{See also|Logic error}}

A [[control flow]] bug, a.k.a. logic error, is characterized by code that does not fail with an error, but does not have the expected behavior, such as [[infinite loop]]ing, infinite [[Recursion (computer science)|recursion]], incorrect comparison in a [[Conditional (computer programming)|conditional]] such as using the wrong [[comparison operator]], and the [[off-by-one error]].

=== Interfacing ===
* Incorrect API usage.
* Incorrect protocol implementation.
* Incorrect hardware handling.
* Incorrect assumptions of a particular platform.
* [[Software incompatibility|Incompatible]] systems. A new [[API]] or [[communications protocol]] may seem to work when two systems use different versions, but errors may occur when a function or feature implemented in one version is changed or missing in another. In production systems which must run continually, shutting down the entire system for a major update may not be possible, such as in the telecommunication industry<ref name="Kimbler1998">{{cite book|first=K. |last=Kimbler|title=Feature Interactions in Telecommunications and Software Systems V|url={{google books |plainurl=y |id=q7BSGKJrWxsC|page=8}}|year=1998|publisher=IOS Press|isbn=978-90-5199-431-5|page=8}}</ref> or the internet.<ref name="Rahman2001">{{cite book|last=Syed |first=Mahbubur Rahman|title=Multimedia Networking: Technology, Management and Applications: Technology, Management and Applications|url={{google books |plainurl=y |id=e3rAmuQSUXkC|page=398}}|date=2001|publisher=Idea Group Inc (IGI)|isbn=978-1-59140-005-9|page=398}}</ref><ref name="WuIrwin2016">{{cite book|first1=Chwan-Hwa (John) |last1=Wu|first2=J. David|last2= Irwin|title=Introduction to Computer Networks and Cybersecurity|url={{google books |plainurl=y |id=bInNBQAAQBAJ|p=500}}|date=2016|publisher=CRC Press|isbn=978-1-4665-7214-0|page=500}}</ref><ref>[[rfc:1263|RFC 1263]]: "TCP Extensions Considered Harmful" quote: "the time to distribute the new version of the protocol to all hosts can be quite long (forever in fact). ... If there is the slightest incompatibly between old and new versions, chaos can result."</ref> In this case, smaller segments of a large system are upgraded individually, to minimize disruption to a large network. However, some sections could be overlooked and not upgraded, and cause compatibility errors which may be difficult to find and repair.
* Incorrect code annotations.

=== Concurrency ===
* [[Deadlock (computer science)|Deadlock]] {{endash}} a task cannot continue until a second finishes, but at the same time, the second cannot continue until the first finishes.
* [[Race condition]] {{endash}} multiple simultaneous tasks compete for resources.
* Errors in [[critical section]]s, [[mutual exclusion]]s and other features of [[Concurrent programming#Coordinating access to resources|concurrent processing]]. [[Time-of-check-to-time-of-use]] (TOCTOU) is a form of unprotected critical section.

=== Resourcing ===
{{See also|Runtime error}}
* [[Null pointer]] dereference.
* Using an [[uninitialized variable]].
* Using an otherwise valid instruction on the wrong [[data type]] (see [[packed decimal]]/[[binary-coded decimal]]).
* [[Access violation]]s.
* Resource leaks, where a finite system resource (such as [[memory leak|memory]] or [[handle leak|file handles]]) become exhausted by repeated allocation without release.
* [[Buffer overflow]], in which a program tries to store data past the end of allocated storage. This may or may not lead to an access violation or [[storage violation]]. These are frequently [[security bug]]s.
* Excessive recursion which—though logically valid—causes [[stack overflow]].
* Use-after-free error, where a [[Pointer (computer programming)|pointer]] is used after the system has freed the memory it references.
* Double free error.

=== Syntax ===
{{See also|Syntax error}}
* Use of the wrong [[Lexical analysis#Token|token]], such as performing assignment instead of [[==#Equality|equality test]]. For example, in some languages <nowiki>x=5</nowiki> will set the value of x to 5 while <nowiki>x==5</nowiki> will check whether x is currently 5 or some other number. Interpreted languages allow such code to fail. Compiled languages can catch such errors before testing begins.

=== Teamwork ===
* Unpropagated updates; e.g. programmer changes "myAdd" but forgets to change "mySubtract", which uses the same algorithm. These errors are mitigated by the [[Don't Repeat Yourself]] philosophy.
* Comments out of date or incorrect: many programmers assume the comments accurately describe the code.
* Differences between documentation and product.

== In politics ==
=== "Bugs in the System" report ===
The Open Technology Institute, run by the group, [[New America (organization)|New America]],<ref name=":1">{{Cite web|url=https://na-production.s3.amazonaws.com/documents/Bugs-in-the-System-Final.pdf|title=Bugs in the System|last1=Wilson|first1=Andi|last2=Schulman|first2=Ross|website=Open Policy Institute|access-date=August 22, 2016|last3=Bankston|first3=Kevin|last4=Herr|first4=Trey|url-status=live|archive-url=https://web.archive.org/web/20160921012606/https://na-production.s3.amazonaws.com/documents/Bugs-in-the-System-Final.pdf|archive-date=September 21, 2016}}</ref> released a report "Bugs in the System" in August 2016 stating that U.S. policymakers should make reforms to help researchers identify and address software bugs. The report "highlights the need for reform in the field of software vulnerability discovery and disclosure."<ref name=":0">{{Cite web|url=https://homelandprepnews.com/government/19481-cyber-reforms-needed-strengthen-software-bug-discovery-disclosure-new-america-report/|title=Cyber reforms needed to strengthen software bug discovery and disclosure: New America report – Homeland Preparedness News|last=Rozens|first=Tracy|date=August 12, 2016|language=en-US|access-date=August 23, 2016}}</ref> One of the report's authors said that [[United States Congress|Congress]] has not done enough to address cyber software vulnerability, even though Congress has passed a number of bills to combat the larger issue of cyber security.<ref name=":0" />

Government researchers, companies, and cyber security experts are the people who typically discover software flaws. The report calls for reforming computer crime and copyright laws.<ref name=":0" />
{{Blockquote|The Computer Fraud and Abuse Act, the Digital Millennium Copyright Act and the Electronic Communications Privacy Act criminalize and create civil penalties for actions that security researchers routinely engage in while conducting legitimate security research, the report said.<ref name=":0" />}}

== In popular culture ==
* In video gaming, the term "[[glitch#Video game glitches|glitch]]" is sometimes used to refer to a software bug. An example is the glitch and [[List of Pokémon|unofficial Pokémon species]] [[MissingNo.]]
* In both the 1968 novel ''[[2001: A Space Odyssey (novel)|2001: A Space Odyssey]]'' and the corresponding [[2001: A Space Odyssey|film of the same name]], the spaceship's onboard computer, [[HAL 9000]], attempts to kill all its crew members. In the follow-up 1982 novel, ''[[2010: Odyssey Two]]'', and the accompanying 1984 film, ''[[2010: The Year We Make Contact]]'', it is revealed that this action was caused by the computer having been programmed with two conflicting objectives: to fully disclose all its information, and to keep the true purpose of the flight secret from the crew; this conflict caused HAL to become paranoid and eventually homicidal.
* In the English version of the Nena 1983 song ''[[99 Luftballons]]'' (99 Red Balloons) as a result of "bugs in the software", a release of a group of 99 red balloons are mistaken for an enemy nuclear missile launch, requiring an equivalent launch response and resulting in catastrophe.
* In the 1999 American comedy ''[[Office Space]]'', three employees attempt (unsuccessfully) to exploit their company's preoccupation with the Y2K computer bug using a computer virus that sends rounded-off fractions of a penny to their bank account—a long-known technique described as [[salami slicing]].
* The 2004 novel ''The Bug'', by [[Ellen Ullman]], is about a programmer's attempt to find an elusive bug in a database application.<ref>{{cite book | last=Ullman | first=Ellen | date=2004 | title=The Bug | publisher=[[Picador (imprint)|Picador]] | isbn=978-1-250-00249-5 }}</ref>
* The 2008 Canadian film ''[[Control Alt Delete (film)|Control Alt Delete]]'' is about a computer programmer at the end of 1999 struggling to fix bugs at his company related to the year 2000 problem.

== See also ==

* [[Anti-pattern]]
* [[Automatic bug fixing]]
* [[Bug bounty program]]
* [[Glitch removal]]
* [[Hardware bug]]
* [[ISO/IEC 9126]], which classifies a bug as either a ''defect'' or a ''nonconformity''
* [[List of software bugs]]
* [[Orthogonal Defect Classification]]
* [[Racetrack problem]]
* [[RISKS Digest]]
* [[Single-event upset]]
* [[Software defect indicator]]
* [[Software regression]]
* [[Software rot]]
* [[VUCA]]

== References ==
{{Reflist}}

== External links ==
{{MediaWiki|Bug management}}
* "[https://nvd.nist.gov/cwe.cfm Common Weakness Enumeration]" – an expert webpage focus on bugs, at NIST.gov
* [https://opensourceforu.com/2010/10/joy-of-programming-types-of-bugs BUG type of Jim Gray] – another Bug type
* {{webarchive |url= https://web.archive.org/web/20150112215748/http://www.history.navy.mil/photos/images/h96000/h96566kc.htm |date= January 12, 2015 |title= Picture of the "first computer bug" }}
* "[https://web.archive.org/web/19970430003658/http://www.waterholes.com/~dennette/1996/hopper/bug.htm The First Computer Bug!]" – an email from 1981 about Adm. Hopper's bug
* "[http://dl.acm.org/citation.cfm?doid=2931037.2931074 Toward Understanding Compiler Bugs in GCC and LLVM]". A 2016 study of bugs in compilers

{{Information security}}
{{Authority control}}

[[Category:Software bugs| ]]