Software Malpractice

  December 29, 2008

I really liked Jack Ganssle's latest essay "Criminal Coding."  He points out that although some bugs are excusable, others are so avoidable and well-known that perhaps it should be considered criminally negligent if they are repeated.

If nothing else it forces you to think about the level and nature of bugs you have, and whether they are there through honest accident or sheer laziness.

We usually think about bugs based on severity or how much a customer complains, but is that the right measure?  Perhaps an interesting high-level goal for a development organization is to strive to have bugs that are not easily catchable.

There's always going to be bugs; perhaps we could focus on changing the type of bug we have.

We actually do something like that here at Smart Bear.  I call them "good bugs" and "bad bugs."  A "good bug" is a bug that we really wouldn't have expected to find.  For example, we integrate with lots of version control systems.  When they make a new release, sometimes behavior changes -- either new behavior or breaking old behavior.  The resulting "bug" in our code is acceptable in the sense that it's not negligence or laziness, but just an artifact of the problem domain.

There are plenty of issues like this that are difficult to foresee or test.  Scalability is a good example: We do in-house scalability tests, but there's no substitute for real activity in the field.

But then there's the "bad bugs."  Like: We just didn't check for the case where a file didn't exist.  Or even: There's not enough logging to determine what is happening.  The ones where you just slap yourself on the forehead.

Code review can remove the many "bad bugs," because often to another person the problem is obvious.  If some unit test cases are missing, if you're not validating input parameters, if you're not checking for null or for an error condition, these are all potential "bad bugs" that are easy to spot and just as easy to fix.

Any conscientious developer spends time thinking about how to have fewer bugs, or at least bugs that are "more trivial."  Perhaps besides the usual measures like "severity" we could include a measure of "a matter of laziness."  After all, if a lazy doctor can be sued for malpractice, why are lazy coders less culpable?

P.S. If you don't subscribe to Jack's newsletter The Embedded Muse, read some back-issues and see what you're missing.