Incessant Ramblings

Please Note: This entry is an archived entry from my previous weblog. No new comments may be posted. Also, as of May 2005, I have left Microsoft. I am still happy to respond to any questions or comments about this article, but as I am no longer on the Visual Studio team, I may not be able to provide any helpful answers.

October 25, 2003

1. Thanks for this very well thought out look from the inside. It all makes a little more sense now.

   Comment by: Brian Graf at October 25, 2003 07:15 AM
2. The Anatomy of a Bug
   Excerpt: I just finished reading a blog entry by a Microsoft tester on the anatomy of a bug. Its really interesting to hear how a really small and silly bug can balloon into a testing nightmare. As I was reading it I was saying to myself: "Developer did a naugh...
   Trackback from: SilverStr's ramblings at the Sanctuary at October 26, 2003 08:33 AM
3. To Fix or not To Fix
   Excerpt: To fix or not to fix -- Incessant Ramblings: The anatomy of a bug. Good read....
   Trackback from: Dichotomy's Purgatory at October 26, 2003 08:46 AM

4. Great article, thanks a lot.
   As a former tester for Windows XP I highly appreciate this openness and effort to explain things that Microsoft never wanted to explain to general public before.

   Greetings Stefen

   (Discovered your link via Soble, http://radio.weblogs.com/0001011/)

   Comment by: Stefen Niemeyer at October 26, 2003 09:14 AM

5. Very intresting read.
   As a hobby beta tester for aps.
   I understand beter now why somtimes the bugs i report arent fixed (minor ones afcorse).

   Comment by: Irridium at October 26, 2003 04:19 PM

6. Great article! It's good hearing about testing-type things from those who have more experience than I. Even if I was a pro, though, it's always great hearing about things like this, just to get another point of view.

   Comment by: Stef at October 26, 2003 11:03 PM

7. Nice article. Glad someone has clear my path. I'm a Beta tester for quite some software companies, but only knows about the bug cycle today.

   Comment by: Jabez Gan at October 27, 2003 12:48 AM

8. Good to hear the details behind some mysteries in sw development. I wish articles like this were more widely circulated as it would make folks more likely to take certain problems in stride rather than to into high whine.

   Comment by: Paul Cassel at October 27, 2003 06:12 AM
9. Anatomy of a bug
   Excerpt: The anatomy of a bug looks at why even a "simple" bug might not get fixed by ship-time. It's well worth a read if you've ever got annoyed about bugs in software. That said, for a company that makes so much money, the "it's too hard, not enough time" ar...
   Trackback from: Rage on omnipotent at October 27, 2003 06:13 AM
10. Working out the bugs.
    Excerpt:
    Trackback from: Jim Meeker at October 27, 2003 06:29 AM

11. Thanks, I now undestand more about the process of a bug and the fix/not fix steps. :^) Working with the MS testing team, I see why some bugs or problems are not fixed until after the RTS date.

    Comment by: John D. Levesque at October 27, 2003 07:39 AM

12. Now I, for one...being a software tester, REALLY hope this helps all the whiners as to why we can't fix them all. He's right...we DO take it personal! It's why we beta test! For a bug to show up after the fact HURTS, but as this fine article showed, not everything is so "black & white".
    Thanks for the explaination for the unitiated,
    Paul

    Comment by: Paul S. Pavelich at October 27, 2003 11:07 AM

13. A great read. Nice to see another perspective on the bugging process.

    Comment by: Adam Field at October 27, 2003 12:53 PM

14. Fabulous article. Saved me from having to write it myself! :-)

    Every time we fix a bug it takes up several person-days which could have been spent finding more important bugs, doing security reviews, designing the next version, implementing features, whatever. It is crucial to ensure that we stop bugs from getting written in the first place, and to brutally triage them once they're in. And I'll tell you, since I started using C#, whole taxonomies of bugs have disappeared from my code...

    Comment by: Eric Lippert at October 27, 2003 05:34 PM

15. Great article

    Comment by: Andrew at October 28, 2003 05:22 AM

16. The kinds of processes and decisions you make in fixing errors is virtually identical to the ones we use. Yes there are know bugs that do not get fixed. I suspect, at minimum, your article will help inform people that bug fixes, especially late-date fixes are expensive. Commonly a large part of the application has to be retested to ensure the "fix" has not broken anything else. Good work!

    Comment by: Jim Edgar at October 28, 2003 09:09 AM

17. While I agree with your overall points in this article, I have to question your proposed solution to the bug. I can understand the concern about adding this check to the main code path. I think this is a valid concern. But it begs the question of why add it as a pre-deployment check as opposed to a post failure check. Once the deployment fails you check if the keys were missing and then do whatever recover is possible. Personally I would have put up a message box telling the user that registry keys are misssing and to import the ProxyPorts.reg in the VS.Net directory. The users are assumed to be developers -- they should understand what this means and how to correct it. It is certainly much more preferable than getting a generic 'Deployment Failed' error.

    Comment by: Billy Boy at October 28, 2003 10:30 AM
18. When "good enough" isn't
    Excerpt: I got a lot of really positive feedback to my recent entry, "The anatomy of a bug." I'm glad some people found it interesting,...
    Trackback from: Incessant Ramblings at November 2, 2003 06:38 PM

19. The post on anatomy of a bug is a very good read for a recent college grad like me. I have a question to follow up this post. I have had a chance to speak to some other MS testers before and I asked them if they tested for security vulnerabilities in their groups and their answer was no. I am surprised to find that you mention security vulnerability as your first choice. They told me that security testing was done by separate division. My question is at what stage do you begin security testing and what general techniques do you take to test security?

    Comment by: Mahi at November 5, 2003 09:59 AM

20. This is a great question, and I want to provide a more detailed answer in a separate entry, but I'll touch on the major points here. We start testing for security as early in the development process as possible. Even before coding has begun, we review feature and design specifications for security issues very early on. Every team in my divison (the Developer Division, responsible for the CLR, the .NET Frameworks, Visual Studio, etc.) has people who are responsible for the security planning and testing process. We do threat modeling for every feature, and we create security tests as part of our test planning and design for every feature. For developers, fixing security bugs is among their highest priorities. It is true that there are dedicated teams around the company who have specific expertise in security testing, and they support the security efforts of individual feature teams. But the responsibility for doing the security work rests squarely with those who design, plan, develop, and test the software.

    Comment by: Joe Bork at November 5, 2003 10:40 AM

21. Hallo,

    Thanks for this article. I always try in my software
    development to give descriptive errors. "Deployment Failed" is really not a descriptive error message,
    and this shows how M$ things about the users. They know the error but they won't tell you. How can I know that there is a possibility to fix my installation? How can I know that a .reg file exists?
    I think there is a big design bug in this whole thing. Error Handling!
    Tell the user what is wrong, stating errors. Do not
    tell them "the deployment failed" It sounds to me like "Get lost ashhole!"
    Just now I am getting "There were build errors" also no error is displayed in the "to do list", and the program runs smoothly on the device. Again. The guy who designed, programmed, tested this should
    think about this! You state fixing bugs costs money and time. Now I am wasting time and money, because M$ did not spend it. Customer deserve nearly bug free code, my customers expect it from my work.
    But I am not M$, I am forced to fix them.
    

    Comment by: Chris at November 8, 2003 10:18 PM

22. The article was good insight into MS bug policy, but I also agree with Billy Boy, who doubts the proposed solution. I believe your bug-fixing would have been quite more effective, if you had asked developer to find more than one alternative to the solution. There are always more than 3 solutions to a problem:
    prevent it from happening in the first place (put the keys under your own program's space in registry or some common area for example - nothing changes in the user experience, even though both programs have to be changed in several places, if written ineffectively, but tests should be fine, only one new test added to test the very bug, no language dependancy)
    when the error occurs, make sure if that is caused by the known bug - fix it, let user do their part (your developer proposed it - not the best user experience)
    let user dig into the big helpfile and find somewhere the answer (worst user experience of those)So I am still convinced, that MS should refine their debugging/error-fixing strategies. Of course I understand that you probably had more critical errors to fix, but even this kind of bug should eventually get fixed instead of forever giving the bad experience of importing registry entries again under certain conditions.

    Comment by: programmer at November 10, 2003 11:08 PM

23. Chris: You are right, the "Deployment Failed" error message is not particularly helpful, and we're working to make the experience of deployment and debugging more reliable and informative in the next release. I agree that the solution is not very discoverable, but we're trying to publicize the availablity of a work around as much as possible, including links on MSDN and the knowledge base.

    With regards to your build errors, I can understand that you are frustrated. If you would like to provide more details about the error you get and the project you're building, we'll be happy to take a look at it. Feel free to post a question in the public newsgroup (see: http://msdn.microsoft.com/newsgroups/loadframes.asp?newsgroup=microsoft.public.dotnet.framework.compactframework). Failing that, you can call PSS or you can email me (joebork@microsoft.com).

    On a personal note, however, your use of the moniker "M$" does not help you make your point. If you wish to follow up on this issue with me or my coworkers, I would appreciate it if you did not use it.

    Comment by: Joe Bork at November 11, 2003 08:50 AM

24. "Programmer": I may not have made it as clear as I should have, but your proposal #1 was something we considered but discarded since it would have required changed to the ActiveSync code (an entirely separate product), and this would have created unacceptable version dependancies between ActiveSync and Visual Studio. As for #2, it was not just the developer who proposed the solution we wound up testing. That solution was a result of discussions between members of the developement, test, and program management teams, and we decided that it was the most appropriate compromise. In the end, we essentially settled with your #3, which requires the user to search in help, MSDN, or the knowledge base to find the workaround. As I have mentioned before, this is far from an ideal soltuion, and we want to make the experience much better in the future.

    However, it would be improper and incorrect to draw any broad conclusions, like when you say you are convinced "that MS should refine their debugging/error-fixing strategies". My original entry dealt in detail with the process of fixing or not fixing one single bug in one piece of one product that Microsoft makes. I tried to be very explicit about this; indeed, I have not related all of the minutae about even this one issue that we considered. I am convinced that we have a responsible and effective method to manage the finding, evaluating, and fixing of bugs, and I believe that I am not alone among Microsoft employees who feels so.

    I was afraid that people might misconstrue the article I wrote as an example of how "Microsoft ships buggy software on purpose," even though such a statement ignores the fact that shipping perfect software is impossible. Instead, I believe that that story I shared demonstrates how much effort and consideration at least my coworkers (and I believe Microsoft as a whole) puts into resolving bugs and other defects in our software.

    Comment by: Joe Bork at November 11, 2003 09:04 AM
25. Of Bugs and Guilt Trips
    Excerpt: As someone whose life revolves increasingly around bugs, I simply couldn’t resist calling attention to two excellent weblog posts on the subject of software quality and the public’s perception of it.
    Trackback from: Sci-Fi Hi-Fi at November 14, 2003 09:07 AM
26. Make you go hmm quickies #18
    Excerpt: A Microsoft tester explains in great detail why some bugs ...
    Trackback from: Things that ... make you go hmm at November 15, 2003 04:52 AM
27. A Microsoft tester's thoughts on bugs
    Excerpt: Via Sci-Fi Hi-Fi I found this post by Joe Bork (a Microsoft software tester - yes, it’s not a joke :)). It’s an excellent treatise on why some bugs get fixed, why others don’t and why ‘hire more testers’ is...
    Trackback from: rebelutionary at November 16, 2003 02:16 PM
28. Great article on bugs
    Excerpt: Here is a great article about testing and what happens when a bug is found. What decisions have to be made when a bug is found....
    Trackback from: Carl's Weblog at November 17, 2003 05:14 PM
29. The Reality of Software
    Excerpt: Many folks are shocked to hear that software companies ship products with bugs. Having worked in software the most frustrating part of any project is the final lap to release. Everyone is on pins and needles that some big nasty bug is going to rise up ...
    Trackback from: maps and legends at November 18, 2003 07:31 AM
30. Dem Bugs
    Excerpt: For anyone who reads this and has no idea what I really do for a living here is a great little blurb about software testing at Microsoft. Now, I work for a much smaller company (about 40 people) so I do more than test. I'm responsible for requirements...
    Trackback from: rawlinson - us at November 20, 2003 07:47 AM

31. i just got started as a software tester. this article really helped me know somethin abt what i will face in future. thanx.

    Comment by: anjani at December 18, 2003 03:57 PM
32. re: Always making the wrong decision
    Excerpt:
    Trackback from: Office Development, Security, Randomness... at January 12, 2004 03:37 AM
33. Software testing inside Microsoft
    Excerpt: Via Malcolm's diary, a Microsoft software tester writes about known bugs that go unfixed and the cost of fixing a bug (salary costs, regression testing, testing the fix and so on)....
    Trackback from: Buglinks at January 20, 2004 02:26 AM
34. The Anatomy of a Bug
    Excerpt: I'm a little late with this, but Joe Bork (an internal QA person at Microsoft) has a posted a good...
    Trackback from: Chris Heller's Weblog at January 25, 2004 11:19 PM

35. Niccceee pagee

    Comment by: Acanty at February 20, 2004 04:45 AM

36. Very interesting and useful article.

    Comment by: mrc at February 28, 2004 01:10 PM

37. Very interesting article. I would be one of "them" in the article asking the exact questions to the author. After reading this article I am more considerate to testers now. I really spent two days trying to fix the connection problem myself which was caused when I did a windows update, which is another issue for the tester's I guess.
    

    Comment by: Ravi Kolluru at March 11, 2004 08:44 AM

38. This reminds me of other products' update procedure, like Symantec does. They have that liveupdate, which works fine. Microsoft itself uses windows update, but only for windows. For office you have a separate update, which is not quite clear for john doe user.

    If a update (one which would warn the user about the error more precisely, or check for the absence of registry keys, whatever) would be published, it surely would need administrator rights.

    This wouldn't reduce the effort for bug fixing, testing and translation, however would be way much better than 1) let the user search MSDN and several help files 2) keep joe user asking to the admin about this fix.

    I'm speaking with no absolute knowledge of cause, I admit. But this kind of bug fixing is what I like in products like Symantec and some others.

    Comment by: Alexandre Strube at April 28, 2004 05:33 AM
39. How many Microsoft employees does it take to change a lightbulb?
    Excerpt: Any new feature which does not serve a large percentage of users is essentially stealing valuable resources that could be spent implementing features, fixing bugs or looking for security vulnerabilities that DO impact the lives of millions of people.
    Trackback from: Fabulous Adventures In Coding at May 13, 2004 08:25 AM
40. How many Microsoft employees does it take to change a lightbulb?
    Excerpt: Any new feature which does not serve a large percentage of users is essentially stealing valuable resources that could be spent implementing features, fixing bugs or looking for security vulnerabilities that DO impact the lives of millions of people.
    Trackback from: Fabulous Adventures In Coding at May 13, 2004 08:27 AM

41. I find the article well written and much needed.

    I am a software developer, and I find that in the specific case of this article the problem goes back to the devs.

    Why on earth are they writing in another application's registry keys???

    Has no one thought of the simple solution to just stop writing keys to the ActiveSync portion of the registry and write them in the portion where they belong, namely that of the VS.NET 2003 mobile dev section?

    I am really dumbfounded that Microsoft is actually shipping software that violates good practices like this? I am not sure where, but I would bet I have read somewhere that you shouldn't write in another app's registry section.

    My two cents...

    Comment by: Sven Aelterman at August 13, 2004 10:01 AM

42. Post #41 hits the nail on the head. It seems to me that the design itself is kludgy, and workarounds consist of hacks to a kludgy design. It is far better to start with a clean design.

    With software getting more and more complex, and with complex interactions between different systems and subsystems, the importance of a well thought out design cannot be underestimated. The first principle of good software design is KISS (keep it simple and stupid).

    Comment by: Pankaj Gupta at November 1, 2004 11:28 AM

43. Good read. Informative, thoughtful, detailed, and it went in-depth enough for the consequences to be understood.

    Unfortunately, I can't echo the sentiments of others when they say this will be helpful for explanations. This sort of thing gets explained all the time (admittedly, not nearly so cogently), but it never stops the whiners. Sure, you'll get a few, but you won't get as many as you hope.

    Still, I'm adding this to my bookmarks for future use as a reference...maybe it'll help me some in similar situations.

    Comment by: Jeff Walden at November 23, 2004 11:52 PM