A recent article on the top five causes of poor software quality and top 5 non-technical mistakes inspired me to also provide a top five on software quality bugs. Here is my top 5 list of bugs (with some simple examples) that I see time and time again looking at customer code:
1. Null Pointer dereference
This is far and beyond the most common issue that I see time and time again.
void npd_gen_must() {
int *p = 0; // NULL is assigned.
*p = 1; // pointer is dereferenced
}Now this example is pretty basic and if you ever did something this obvious, maybe it was time to re-evaluate your development skills. The idea is simple, you assign NULL somewhere then dereference it at some point later. This is usually missed under a complicated control flow (many conditionals). Or even more common is the fact that I see memory is allocated, but is never checked against NULL. Now, some organizations don’t care about this but I would hope anyone doing embedded development is all over it.
2. Null pointer dereference from function
This is really the same thing but with one very important difference. This deals with issues from functions.
void xstrcpy(char *dst, char *src) {
if (!src) return;
dst[0] = src[0];
}
char global;
char *xmalloc() {
if (global) return &global;
return 0;
}
void npd_func_might(int flag, char *arg) {
char *p = &arg;
if (flag) p = xmalloc(); // xmalloc() may return NULL
if (arg) { p = arg; } // p may get a new value here
xstrcpy(p, "Hello"); // p will be dereferenced in xstrcpy()
}It is this inter-procedural (spanning multiple files/functions) context that is often overlooked.
3. Memory leaks
I have yet to find a programmer in the C/C++ world who doesn’t know this intimately. Sadly they happen, a lot.
void foobar(int i) {
char* p = new char[10];
if(i) {
p = 0;
}
delete[] p;
}Here we have dynamic memory stored in ‘p’ and allocated through the function ‘new[]‘ at line 3 and is ultimately lost at line 5.
4. Array index out of bounds
Again, most people know what these are but there are so many variations of this that they are always inevitable.
int main() {
char fixed_buf[10];
sprintf(fixed_buf,"Very long format string\n");
return 0;
}The string is 24 characters so at line 4 the array index of ‘fixed_buf’ may be out of bounds.
5. Uninitialized variables
int foo(int t) {
int x;
if (t > 16) {
x = 1;
} else if (t > 8) {
x = 2;
}
return x + 1;
}The value of variable ‘x’ can be used at line 8, when it might be uninitialized. I always found these surprising that these come up as they are pretty basic. But I tend to only see these in complex control flow paths. So the developer might check for these under normal conditions but forgot on some path. Especially for legacy code this might not bite you until you change something later on.
So that’s it. These examples are pretty simple and certainly not reflective of the real world (or at least I hope not). Later I will post the same idea for Java code.
