
Despite nasty bug, Microsoft's new OS stays scheduled for January

Microsoft was forced to delay the release of the final version of Windows Vista to manufacturers due to a bug found in the final stretch of testing. IDG News quotes a tester who revealed that the bug "would totally crash the system, requiring a complete reinstall."

According to DigiTimes, Vista build version 5824 reduced the bug count from 1450 to around 500 since the second release candidate and was set for RTM (release to manufacturing) on October 25 before the bug was uncovered.

The bug was squashed a week after its discovery and the revised final build for RTM is numbered 5840. It is believed that the 5840 build has been in testing for nearly a week now. There is no mention, however, of the 499 other bugs which may remain alive and well.

The setback has pushed Vista's RTM date to November 8, exactly two weeks after the originally intended date. The two-week delay is not expected to alter plans for the operating system's debut in January, 2007.

Microsoft recently announced its official plans to offer discounted upgrades to those who purchase a PC pre-loaded with Windows during the holiday season.



Comments

499 Zero-day exploits?
By Cubexco on 10/26/06, Rating: 0
RE: 499 Zero-day exploits?
By Thorburn on 10/26/2006 8:29:56 AM , Rating: 5
A bug can be classed as anything from a system crash to a spelling mistake in a text box.


RE: 499 Zero-day exploits?
By Cubexco on 10/26/2006 8:42:48 AM , Rating: 2
I agree.
It would also include "mis-informative" pop-ups like the one in NT4.0 which proclaimed "ERROR - The operation completed successfully! "

Perhaps Microsoft can borrow a page from the ole Intel and call them "erratum not bug". :)


RE: 499 Zero-day exploits?
By rushfan2006 on 10/26/2006 8:46:53 AM , Rating: 5
That's actually a good reminder to make for this day and age when software products, more correctly -- software developers are just flamed for every bug that exists in their gold code.

It's been 10 years since I was a programmer (long story short I hated it..so I got out and crossed over to the hardware/networking side of IT)...but I do remember at previous employers they defined a bug as merely "any unintended effect in the code/application".

So yep -- if there were spelling mistakes -- it's a bug. If there was even the wrong size for a dialog box it was a bug.

People, particularly the younger crowd who aren't yet in professional IT jobs with experience behind them but yet are often among the most harsh to criticize, should keep in mind when a company says --- this product is releasing with 1219 bugs or whatever.

As a side note -- January could be a big month for gamers/pc enthusiasts --- New Windows OS debuts and the much hyped and anticipated WoW Expansion: The Burning Crusade...should at least drive up some business to places like NewEgg I would think.



RE: 499 Zero-day exploits?
By leidegre on 10/26/2006 9:23:09 AM , Rating: 4
Good point, but I would like to add a couple of things.

For instance, in the beginning of CE (Computer Engineering), users tolerated bugs and errors more than today, it was okay that software wouldn't really perform that well. However this attitude has changed, and today users expect more.

However just whining about it won't make it better. The release candidates are part of the developing process, and bugs will always exist, it's just a matter of how well they can be avoided.

What Vista needs is stability, and support for updating vital code in a safe and reliable way. And from what I can tell, Vista is very stable. I've been using RC1 for the last 3 weeks, and it's been performing well. The overall user experience is many times better than XP, and I'm not talking about Aero, that's just nice, there are so many things which make Vista superior.

Now take a look at World of Warcraft, its life-cycle allows the software to go through an iteration usually each month, where new code is tested, introduced, and then improved in upcoming releases. This kind of development results in very stable and reliable software.

Microsoft releases new code each week through Windows Update, and this is an important part of the development of Windows, so actually all they need is to create a solid foundation, but after that, the most work will be to fix things.

I do however think, that the process for the end-user to provide feedback to Microsoft is a bit too complicated. Blizzard has their forum, and community which provide them with basically everything, suggestions, feedback, and bugs. Microsoft has overcomplicated utilities for providing accurate reports, I think Microsoft is underestimating the end-user in providing reliable feedback, and should take action to improve this.


RE: 499 Zero-day exploits?
By drank12quartsstrohsbeer on 10/26/2006 11:01:53 AM , Rating: 3
quote:
For instance, in the beginning of CE (Computer Engineering), users tolerated bugs and errors more than today, it was okay that software wouldn't really perform that well. However this attitude has changed, and today users expect more.


Where have you been living? In the days when software developers would have to physically ship out disks with updates/patches, they spent a lot more time testing. Now that everyone has fast internet, they can release beta-quality software and finish the project at their leisure.


RE: 499 Zero-day exploits?
By ss284 on 10/26/2006 11:41:21 AM , Rating: 2
Computer Engineering isn't Computer Science. They are two related, yet different fields.


RE: 499 Zero-day exploits?
By TomZ on 10/26/06, Rating: -1
RE: 499 Zero-day exploits?
By Spivonious on 10/26/2006 4:16:22 PM , Rating: 2
No the difference between Computer Science and Software Engineering is academic. Computer Engineers go to work for Intel or AMD.


RE: 499 Zero-day exploits?
By othercents on 10/26/2006 11:56:05 AM , Rating: 2
quote:
I've been using RC1 for the last 3 weeks, and it's been performing well. The overall user experience is many times better than XP

In my experience Vista is not as good as XP. I have loaded it twice once with RC1 and once before that. Both times the majority (more than 50%) of the applications I use would not run. Granted I do use my desktop primarily for gaming. I would recommend that most gamers wait until better drivers come out and even install updates from game manufacturers since some of the games wouldn't even install. I'm sure over time everything will be taken care of, but for the majority of the users Vista should work just fine.

I can not comment on stability, but I have heard that it is more stable than XP. I don't have problems with XP being unstable, so it is hard to compare a stable product against one that is supposed to be more stable. Since I'm in IT I just fix my own problems or find a work around. I also keep my computers very clean, so I don't usually have the problems most users have with spyware causing issues.

Most of the bugs that are left over in Vista are not major issues that need to be addressed. Most of them are embedded so deep in the technical side of Vista that you won't ever see them or notice a problem. Also others are very complicated and by fixing them you will break other things. In this case you would just leave them and introduce a work around. Some bugs like this will take a lot of time to fix.

Other


RE: 499 Zero-day exploits?
By imaheadcase on 10/26/2006 12:05:17 PM , Rating: 2
The difference between RC1 and RC2 is night and day experience :)



RE: 499 Zero-day exploits?
By RedStar on 10/26/2006 3:44:38 PM , Rating: 2
Don't forget about Quake wars!!

It would also help if people did not run as an admin.

But I think the true answer, to avoid viruses and other malware, rests with Intel:

http://www.dailytech.com/article.aspx?newsid=4624

I think the biggest exploit is buffer overruns.
Regardless, Intel seems to be on the right track (DRM concerns aside) :)


RE: 499 Zero-day exploits?
By Locutus465 on 10/26/2006 6:58:17 PM , Rating: 2
Hmmmm... At my previous employer if a program didn't solve a business problem that was not anticipated/planned for in the specification but does impact the daily work of the users it was classified as...yup...a bug. "The spec didn't say to do this but it needs to OMG it's broken!"


RE: 499 Zero-day exploits?
By clayclws on 10/26/2006 9:28:45 AM , Rating: 1
Most programmes are not bug-free. Actually, I think all programmes are not bug-free. The reported 499 are the ones that they knew about...there may be even more that they are yet to be aware of.

Still...a bug is a bug. You have to reduce them, especially since Microsoft KNEW about them. I don't mind it being delayed for another quarter or so, till they squashed almost all the bugs they know...better yet, squash all the reported bugs. Still...it is good within our point of view...maybe not within Microsoft's economic strategy point of view.

Hence, people tend to wait till all their daily-used softwares and hardwares are compatible with Vista, and after thorough review and tweaking by Microsoft...then they'll switch...usually takes a few months till years for IT companies (cause my bro's company just finished switching all the 200 comps from WinNT4.0 to WinXP Pro SP2).


RE: 499 Zero-day exploits?
By Korvon on 10/26/2006 11:24:24 AM , Rating: 3
Just remember that XP had 2000 KNOWN bugs when it was released to the public. Vista already has a head start.


RE: 499 Zero-day exploits?
By TomZ on 10/26/2006 1:03:08 PM , Rating: 2
Plus, Vista is bigger and more ambitious than XP was.


RE: 499 Zero-day exploits?
By goku on 10/31/2006 4:54:05 AM , Rating: 2
Yeah but the beta version of XP was far better than Vista, problem with Vista is that Microsoft when first designing it either tried to do too many things at once or had lazy programmers focusing on unimportant features. This would explain why 90% of the worthwhile forecasted features aren't going to be in the operating system.


RE: 499 Zero-day exploits?
By encryptkeeper on 10/26/06, Rating: -1
RE: 499 Zero-day exploits?
By Russell on 10/26/2006 1:36:34 PM , Rating: 2
One would assume though that any known bugs that were mere typos would be corrected fairly quickly considering the simplicity of it. Low priority? Perhaps, but MS wants to make themselves look good by saying they have less bugs. So I bet the known typos get fixed pretty quickly.

Most of those 499 bugs are surely ones that we would consider "real" bugs.


RE: 499 Zero-day exploits?
By Wwhat on 10/26/2006 8:00:35 PM , Rating: 2
Yeah sure, they have 499 spelling errors in it that for some reason they cannot correct before release, sounds likely doesn't it..


RE: 499 Zero-day exploits?
By Samus on 10/28/2006 5:55:41 PM , Rating: 2
You can bet those 499 remaining bugs aren't spelling mistakes. As a programmer, believe me, I fix the easy bugs first. The 499 bugs remaining are likely the most difficult/controversial to fix, which could mean fixing them might break other features, or be a lengthy process, so they'll just be getting to them later with auto-update.

Tim


RE: 499 Zero-day exploits?
By FITCamaro on 10/26/2006 9:26:18 AM , Rating: 4
And 500 bugs in roughly 50 million lines of code (according to Wikipedia for RC2) is damn good. That's 1 bug per 100,000 SLOC. Granted that's just found bugs, but it's still impressive.


RE: 499 Zero-day exploits?
By phatboye on 10/26/2006 9:48:06 AM , Rating: 1
quote:
And 500 bugs in roughly 50 million lines of code (according to Wikipedia for RC2) is damn good. That's 1 bug per 100,000 SLOC. Granted that's just found bugs, but it's still impressive.


It does not matter how you put it. A bug is a bug no matter if it's a small bug or a large one, be it 30 bugs in 50 lines of code or 1 bug per 100,000 lines of code. MS should postpone the release of Vista so they can iron out the bugs. The fact that they are still finding "showstoppers" probably means that MS have not done enough quality control testing. MS have made so major changes in the last few months to its OS, I don't see how in the hell it could have had enough time to test its software well enough to release something this major before Jan.

I remember XP's release and how buggy it was on its release day. I doubt MS has learned from its mistake of releasing an OS too early before testing the code well enough. We will probably see a flood of reports from angry customers on release day just like on XP's launch.


RE: 499 Zero-day exploits?
By retrospooty on 10/26/2006 10:03:42 AM , Rating: 3
Actually 500 known bugs is extremely low for an OS these days... I suspect the actual list is much. There is no way to squash them all. If you don't want a piece of software with bugs you cannot use a computer, because no OS exists without 100's of bugs if not 1000's of them, not Windows, not Mac, not Linux, and none others.


RE: 499 Zero-day exploits?
By Aikouka on 10/26/2006 10:10:25 AM , Rating: 5
I really need to ask... are you even a programmer of any sort? Not attempting to be rude, but the audacity of expecting software to be perfect is typical of a non-programmer. Do you understand that removing a bug usually isn't a simple or quick task? Even if the bug is as simple as changing a couple lines of code, Windows is a huge project. Huge projects usually have procedures to go about everything from modification of design to fixing an error that was discovered. These processes can be time consuming and would be seen as red tape "to the extreme" to most people, but they're simply necessary to ensure the product meets the original design.

Not to mention, if you think software should be perfect, you're really living in a dream world. As software complexity goes up, the chance for errors raises in direct correlation. I'd recommend looking up the CS concept called "Ivory Snow".


RE: 499 Zero-day exploits?
By rushfan2006 on 10/26/2006 10:24:42 AM , Rating: 2
Aikouka, you completely beat me to it. LOL good post.

I was about to refer to my own quote about folks without professional IT Programming experience in their background should really consider what constitutes a bug, from that guy you are referring to I deduce he is probably very young (teenager) still in HS OR if he is adult -- just lacks IT experience of any kind, especially a programmer.


RE: 499 Zero-day exploits?
By PunaProgrammer chris on 10/26/2006 2:40:50 PM , Rating: 3
Here are my experiences, feel free to ignore...
Being young myself (15 years) I'm offended that you would deduce that he is probably a teenager from the fact that he doesn't know what he is talking about.
As I program for a hobby (and possibly as a future career) I know very well how hard some bugs can be to fix, even if you know exactly what the problem is and even if you know what is causing it. The majority of bugs around are usually "medium-sized" problems, because even though there are less of those than there are minor bugs, fixing a medium bug will often screw up code that someone else is working on at the time, so it is super hard to get bugs fixed without very good communication between all the programmers working on a project. Even while making a game with only one other person, I experienced many of these problems, and eventually just started the project over completely. Now it is on hold until winter break when I will have more free time.


RE: 499 Zero-day exploits?
By Aikouka on 10/26/2006 3:01:09 PM , Rating: 2
This is by no means meant to be an offensive or demeaning reply. I'd actually like to commend your interest in programming as I know I started when I was young as well.

The reason software applications tend to fall apart from bugs is usually due to poor planning. This isn't to say your project wasn't worked out at all, but usually if a project begins to become sloppy, it shows that it wasn't as well thought out as it should have been. Even though me just spouting this out makes it sound like it's easy, speccing and designing a program can be hard to do, but it's most certainly rewarding when you find your development/integration going along smoothly.

I know I've had a couple of instances where better planning would've saved anguish later on when someone fails to complete their section and it drags an entire project down or you get one of those bugs that's so obscure and awkward that you just look at it funny wondering how in the world it happened. Happens to everyone, especially while learning :D.


RE: 499 Zero-day exploits?
By TomZ on 10/26/2006 3:08:27 PM , Rating: 2
Good points. Let me also add to that the challenge of management/people. Consider now, that instead of writing your own code, your job is to manage a team to develop a software application. Now that becomes a more challenging problem! Planning becomes even more important in this case.


RE: 499 Zero-day exploits?
By phatboye on 10/26/06, Rating: -1
RE: 499 Zero-day exploits?
By phatboye on 10/26/06, Rating: -1
RE: 499 Zero-day exploits?
By phatboye on 10/26/06, Rating: -1
RE: 499 Zero-day exploits?
By TomZ on 10/26/2006 10:58:22 AM , Rating: 3
What are you talking about - they found 1 showstopper - where do you get this idea of finding them "left and right"? Did you RTFA?


RE: 499 Zero-day exploits?
By Aikouka on 10/26/2006 11:27:30 AM , Rating: 2
How do you know what Microsoft's Q&A process is like? Do you even know what Microsoft's process is for corrections and testing of those corrections? Do you even know how much time they've spent testing the different parts of Vista? Software and parts of software are typically tested separately and then integrated and then they'd go into integration testing. It is simply not efficient to integrate and then test each part as you tend to lose the isolated environment of a segment of the application that you're working on. Losing that typically makes it harder to say exactly where the error is occurring. Such as, say you're testing a game and you integrate it. An object in the game starts rendering erratically when you move. Is it the rendering (graphics) engine rendering improperly or is it the physics engine that is improperly adjusting the object's properties?

Actually, phatboye, I am a computer programmer with a Bachelors of Science in Computer Science and I currently work as a software engineer :P. Because of my schooling and experience, I expect Vista to have bugs and although no one is ever happy when they encounter one, at least I'm never taken totally off-guard ;).

Also, just because Vista Release Candidates have only been around for a couple months doesn't mean that Vista's only been in testing for a couple months. Don't you recall the betas that were leaked over a year ago? What do you think those were for ;).


RE: 499 Zero-day exploits?
By TomZ on 10/26/2006 10:26:15 AM , Rating: 2
I agree with the above poster - you show that you have no experience in software development, or even the development of anything of any complexity. Perfection is something to strive for, but perfection is impossible in any non-trivial human endeavor. It is especially impossible in any resource-limited endeavor, such as software development.

When you manage a program, the job is to judge "good enough to ship" based on your quality criteria. In the case of Windows, their ship target of fewer than 500 known non-critical bugs relative to the size of the product (thousands of man-years of effort, and millions of lines of code) is in reality very impressive. Show me any other organization in the world that has ever achieved that level of completion in such a complex software product.


RE: 499 Zero-day exploits?
By GreenEnvt on 10/26/2006 10:39:48 AM , Rating: 2
I'll echo the others, if you think you can release any piece of software short of "hello world" that does not contain bugs you are living in a dream world.

500 bugs is very low for a piece of software this size.

As for them just "finding" a show stopping bug, this is more likely a case of someone fixing another bug, and that in turn created this new big bug, through some unforeseen interaction. It's unlikely this bug was around in previous builds.


RE: 499 Zero-day exploits?
By peternelson on 10/26/2006 3:42:18 PM , Rating: 2
>I'll echo the others, if you think you can release any piece of software short of "hello world" that does not contain bugs you are living in a dream world.

Not really true.

I can write a program that prints "hello world" exactly 10 times, asks me for my name and then prints my name exactly 5 times. And I can write that program without any errors (although it's not trivial), and peer review would demonstrate that it had no errors. Of course one has to consider things like runtime error handling like lack of free memory, processor errata, hardware interrupts and keyboard buffering, what happens if the user presses an escape sequence etc, buffer overflows on the input, but it's not impossible.

If EVERY software had bugs, you would be foolish to trust:

the engine management ECU in your car and the ABS braking system

your washing machine not to overheat your delicate clothes

the autopilot system of a plane

the control of MRI, CAT scanner, Xray machine and medical life support equipment

the computers controlling nuclear reactors and chemical plants

the computer(s) inside a modern digital telephone exchange.

the systems involved in nuclear or other missile launches.

IT IS ABSOLUTELY POSSIBLE to create bug free software, AND to verify its operation as such.

The only problem is it's a lot harder, and costs more, particularly as the size of the project scales.

If a bug will kill someone you consider it very worthwhile to ensure that severity of bug are absent in order to avoid lawsuits that would cripple the company.

Embedded applications for the above applications will have tightly defined requirements on their behavior, may have failsafes, watchdog timers, or multiple cpus that compare their answers or take over if one fails.

GENERAL software is produced to budgetary and time constraints that act to drive managers to reduce the chosen level of "perfectness" to what is acceptable to their business. It's a trade off.

In the case of Vista, Microsoft could test it for another 10 years and put a price of $50,000 on each copy to pay for the effort (and still it would not be perfect, just "better"), but that is not what they or their customers want.

Having said that, I would be happier if MS gave more effort on some of the bigger bugs before launching. What I'd like to see is post-release pre-slip-streamed installation disks with the fixes because it's a waste of time and bandwidth to have to apply them after installation, not to mention the vulnerability exists before patching.


RE: 499 Zero-day exploits?
By Spivonious on 10/26/2006 4:28:08 PM , Rating: 2
While your points are valid (except for your trivial hello world with loops), systems that are so-called "mission critical" get vast amounts of testing. An operating system is pretty far from being mission critical. Oops, it crashed, time to reboot. No lives are at stake, and if someone is running a machine controlling lives using a beta version of an OS, they are mentally damaged.

I agree with the end of your post, but don't they already do this? When you buy XP now, it comes with SP2 already applied. If you mean the little critical updates, that would be far too expensive for MS to do. Every week they'd have to make a new product and ship it off to the distributors.


RE: 499 Zero-day exploits?
By TomZ on 10/26/2006 4:43:48 PM , Rating: 2
Sorry, I have to respectfully disagree. In all those critical systems you mentioned, the probability of a bug still remaining is greater than zero. The art and science of software engineering has not yet determined a method or system to prove that a particular piece of software is 100% bug-free.

In addition, there is still cost-benefit analysis applied to determine the right amount of effort to expend finding and removing bugs in safety- and mission-critical systems. There are obviously no projects that expend an approximately infinite amount of resources to overcome the fact that the probability of a bug is non-zero.

Finally, if you look at the history of these critical systems, you see in practice that bugs do come up, sometimes with very dire consequences, although the majority of them are corrected without any great harm done.


RE: 499 Zero-day exploits?
By ChronoReverse on 10/26/2006 7:15:15 PM , Rating: 2
There actually does exist a method to produce a mathematically bug-free program. This is by translating it to Z and then applying certain tests.

However, in practice this is incredibly complex to do properly and as such all conventional understanding of programming remain.


RE: 499 Zero-day exploits?
By TomZ on 10/26/2006 8:02:24 PM , Rating: 2
quote:
There actually does exist a method to produce a mathematically bug-free program. This is by translating it to Z and then applying certain tests.

Well, please enlighten us - links, please? I'm skeptical but open-minded.


RE: 499 Zero-day exploits?
By ChronoReverse on 10/26/2006 8:56:14 PM , Rating: 2
http://en.wikipedia.org/wiki/Z_specification_langu...

This would be a good place to start. I *think* this is what I'm referring to. It's been a while since my software engineering classes so I may have misremembered the name of it.

Basically, you can specify what the system is intended to do and prove that what you have does that and only that.

What makes it impractical is translating real code into Z.


RE: 499 Zero-day exploits?
By Rayz on 10/27/2006 6:12:37 AM , Rating: 2
I don't think that's quite right.

A Z generated program will guarantee that the program will match the specification, that certainly doesn't mean that the program is bug free. To begin with, a dodgy requirements capture will lead to an incorrect spec, and that will still lead to bugs.



RE: 499 Zero-day exploits?
By ChronoReverse on 10/27/2006 10:08:10 AM , Rating: 2
It just means theoretically it's possible to capture everything (the requirements) and prove that it (the code) will do that.

Like I said, in real life this doesn't work because capturing every single requirement in Real Life simply is impossible.


RE: 499 Zero-day exploits?
By ChronoReverse on 10/27/2006 10:16:29 AM , Rating: 2
Just to add this, I'm not insisting on my view right now since I'm not sure about it. I was probably misled a bit on what Z was.


RE: 499 Zero-day exploits?
By peternelson on 10/28/2006 12:30:55 PM , Rating: 2
I agree that while techniques like using Z and other verification testing on a modular level, can produce something bug free or close to bug free, they cannot operate to eliminate errors in requirements specification.

If you verify against all stated requirements that is good, but it cannot fix the requirements being buggy in the first place.

Many embedded applications use a so-called "realtime" OS, rather than a consumer OS, because they are considered more stable and because they are simpler, less things to go wrong.

I agree nearly all software of complexity has some at least minor errors, I was just pointing out that it is POSSIBLE to go beyond "hello world" without having errors.

Taking it on a hardware design level, you turn your requirements into some kind of HDL like VHDL or Verilog. Then you do synthesis and verification on the HDL and confirm the outputs of the programmed design behave as you expected (for all possible inputs). Again this does not remove the possibility of a mistake during requirements capture.


RE: 499 Zero-day exploits?
By Scrogneugneu on 10/26/2006 9:56:29 PM , Rating: 3
quote:
Finally, if you look at the history of these critical systems, you see in practice that bugs do come up, sometimes with very dire consequences


You mean, like the Ariane 5 rocket? It's one of my all-time favorites :)


RE: 499 Zero-day exploits?
By Aikouka on 10/27/2006 1:17:18 AM , Rating: 2
Peter, I simply do not 100% agree with what you said. There is no such guarantee of perfect software. Even though during testing, a piece of software may pass all tests that have been devised from requirements, there can still be a hole.

With my experience in Software and Embedded environments, the real difference lies in the acceptance levels. You could say Vista's acceptance might be 80%, but a mission-critical application might have a 99.9% acceptance level. The idea is that you strive for perfection, but there's an understanding that there may be a very small margin of error. Then like you said, there's typically back-up systems; however, back-up systems are really not applicable to the nature of bug free code, they're insurance ;).

Also, Peter, cars have been called in to dealerships, because the ECU needed to be reprogrammed because of data being invalid (such as lifters causing valves to be open for too long, etc).

To kind of fix what you said, it is possible to create software that to the best of human knowledge should never flaw.

I hope this was descriptive enough to show you my stance on the subject in regards to your comment.


RE: 499 Zero-day exploits?
By Rayz on 10/27/2006 6:07:53 AM , Rating: 2
Most of what you said, leads me to believe that you have very little experience in software development. Having worked on safety critical systems for three years, I can assure you that not only does the software get installed with bugs, the developers actually assume that this will be the case, and work to ensure that there are enough failsafes to prevent a disaster.

I remember that I was working on a joint integration team for one particular project. The project manager for the other team stood up and claimed that their software would be 100% bug free on delivery. After the other team had left, our project manager turned to us and said:

"Well as you just heard chaps, we're dealing with muppets ..."

Here are a few examples of safety critical projects that didn't have a defensive mindset behind them. Given your probable lack of experience in software development, I suggest you wear a tin hat while reading it.

http://www.cs.tau.ac.il/~nachumd/horror.html



RE: 499 Zero-day exploits?
By peternelson on 10/28/2006 12:51:04 PM , Rating: 2
Sorry I've only experience of telecomms, machine vision for industrial environments, hospital equipment and missile guidance systems. And other general work where the bar is set lower, like video drivers.

I don't say ALL software for such purposes is bug free or verifiably bug free.

Thank you for your examples in the link.

Of course there can be errors like the autopilot landing software that could never land because if it had the wrong angle on approach it had to recircle and try again. Yet the software also had contradictory code to change the angle to avoid a nosedive into the runway which ensured the first rule would always kick in. This was only discovered running it on a real airplane.

As for the other examples, the one about an Exocet missile hitting a British ship in the Falklands conflict. The program worked as specified. What failed was the assumption that anyone firing an Exocet would be a "friendly". Our enemies had acquired Exocet, so it was the assumptions in the requirements that were flawed, not the programming.


RE: 499 Zero-day exploits?
By peternelson on 10/28/2006 12:56:24 PM , Rating: 2
Also although it is convenient to blame the computer or the software, in reality many problems are actually caused by human error. eg Train driver goes through a red stop sign, nuclear site operator deliberately disables failsafe systems (Chernobyl), a soldier fires a missile at friendly forces, or the medical staff tells the xray machine to give an inappropriate dose of radiation, or drug dose for the condition. It's not always a software problem (although it can be sometimes).


RE: 499 Zero-day exploits?
By oTAL (blog) on 10/27/2006 8:45:15 AM , Rating: 2
Not really... You can have "big bugs" in the sense that their consequences are huge (like this one), but that only happen in VERY specific, hard to reproduce, circumstances.
Imagine a bug that only manifests itself when you hover the clock for the time, right click on the network connections and then double click on the time to access the calendar...
This is obviously an oversimplification that would not happen in a well programmed OS, but you can get the picture.... It would be hard to find, hard to reproduce, and even the people that find the bug would have a hard time understanding the mechanism without some time around the debugging output.
There was a bug in WordPerfect that would crash it (and lose all unsaved work) when it would hyphenate a word with an accent, something that doesn't happen a lot. That was a BIG showstopper... you have no idea of the frustration of time and time again losing your work, when you are doing specialized work which uses a very large word with accents.


RE: 499 Zero-day exploits?
By Russell on 10/26/2006 10:39:55 AM , Rating: 2
The moment you set out to search for and eradicate bugs, you immediately begin to find more. In the long run, you will find one bug to replace each that you eliminate.

So to wait until they're gone means nothing will ever be released.


RE: 499 Zero-day exploits?
By ani4ani on 10/26/2006 1:06:57 PM , Rating: 2
....and more often than not, that bug fix can also proliferate through the code and create another bug. I am no software programmer, but the sheer fundamental size and complexity of modern software never fails to amaze me. I take my hat off to the coders that give us the Operating Systems and Games that we just take for granted.


RE: 499 Zero-day exploits?
By Russell on 10/26/2006 1:32:03 PM , Rating: 2
Indeed (on both points).

If the number of known bugs in Vista (499 I suppose) is to be believed, then hats off to MS for keeping it so low. I wouldn't believe it had so few bugs except that RC2 (which I have been using for a month) is rock-f*cking-solid. Even XP isn't this stable.

I may not enjoy Vista's DRM, high memory usage (which is still a smaller mem usage jump than there was when XP was new) or licencing terms, but this thing is bloody solid. I look forward to owning a copy of the final retail release.


RE: 499 Zero-day exploits?
By ChronoReverse on 10/27/2006 12:45:03 AM , Rating: 2
I can't help myself: licensing =P (The only new feature of Firefox 2 that I absolutely love is the inline spell checker)

Anyways, you'll be pleased to find out that MS has clarified that if you change your hard drive simultaneously with one other component you can still reactivate up to 10 times before they'll start asking questions and making you phone them. That's actually pretty generous of them since I usually ADD hard drives and swap components.


RE: 499 Zero-day exploits?
By jtesoro on 10/26/2006 9:40:49 PM , Rating: 2
quote:
I take my hat off to the coders that give us the Operating Systems and Games that we just take for granted.

And that, my friends, is why I pay for commercial software.


RE: 499 Zero-day exploits?
By FITCamaro on 10/26/2006 12:23:33 PM , Rating: 2
If you can show me a complex program even 1% the size of Vista (for the math challenged that'd be roughly 500,000 SLOC) that's 100% free of bugs, I'd love to see it.

And as "buggy" as XP may have been on launch day, it worked better than ME. I was using XP 3 months before launch and only got one virus with the initial version. And that was because it was freshman year in college, I lived in the dorms, and our entire school network was infected with one of the big viruses of that time. It was 5 years ago and I forget which one.


RE: 499 Zero-day exploits?
By Russell on 10/26/2006 1:33:52 PM , Rating: 2
Well, as great as XP is, you didn't get the virus because it simply wasn't coded for the NT kernel, which wasn't as popular at the time as the ol' 9x kernel. Look at Blaster and Sasser. That was XP's prime time for viruses.

Still, the XP of today is great and fairly secure for a MS product.


RE: 499 Zero-day exploits?
By AndreasM on 10/26/2006 10:43:59 AM , Rating: 2
quote:
And 500 bugs in roughly 50 million lines of code (according to Wikipedia for RC2) is damn good. That's 1 bug per 100,000 SLOC. Granted that's just found bugs, but it's still impressive.


Bugs per lines of code is a poor metric. There could be 49 million lines of comments for all we know. If someone really wanted to be masochistic he could avoid using enter and stuff lots of code per line. Lines of code is not a useful way of appraising the size of a program.


RE: 499 Zero-day exploits?
By TomZ on 10/26/2006 10:55:06 AM , Rating: 2
I disagree - LOC gives you a good estimate of the size of the code. That is all it is - an estimate - not a precise measure. More complex measures are available, but they also are imprecise, and when you factor in the ease of counting LOC relative to more complex measures, you start to see why LOC is widely used in software engineering.


RE: 499 Zero-day exploits?
By FITCamaro on 10/26/2006 12:29:36 PM , Rating: 2
SLOC is different than LOC. LOC can include comments. SLOC generally does not. Notice I said SLOC. Now granted maybe Vista isn't 50 million SLOC. But I doubt more than 10-15% of that 50 million lines of code is comments. Otherwise they're writing a butt load of comments (good comments are important but still). Even 1 bug per 10000 lines of actual code is pretty good (which is what it would be even if 45 million lines of that code was comments).


RE: 499 Zero-day exploits?
By TomZ on 10/26/2006 1:00:17 PM , Rating: 2
I don't agree with your statements that SLOC is necessarily different than LOC, and that SLOC typically excludes comments. That is not my experience, at least. Also, the below-referenced Wikipedia article uses SLOC and LOC synonymously, and also states that SLOC typically includes comments and whitespace.

http://en.wikipedia.org/wiki/Source_lines_of_code

But, that said, it is clear that there are no strong, objective definitions of these terms, and therefore, I would expect to see individuals and organizations use these terms differently.


RE: 499 Zero-day exploits?
By Hoser McMoose on 10/31/2006 4:30:08 PM , Rating: 2
It's also not entirely correct to ignore the lines of comments in the code, as an incorrect comment could very well end up being logged as a bug. Such a bug is likely to be marked trivial and would not be fixed until the next release. Even though this bug would be counted it would have absolutely no impact on the operation of the OS.


RE: 499 Zero-day exploits?
By Lazarus Dark on 10/26/2006 12:37:50 PM , Rating: 4
DailyTech award for longest thread with most posts below threshold evar.


Write a 50 million line book
By Nik00117 on 10/26/2006 9:37:48 AM , Rating: 4
OK, let's all write a 50 million line book, with lots of words in each line. Now tell me that every line is utterly perfect and there's less than 10 mistakes in the entire document.

Then you can criticize Microsoft. As one user said, out of 100,000 lines of code, a bug appears; what's so bad about that? We are human, we make mistakes.

Like I found a list of bugs for a software that apparently worked perfectly. It was some stuff like dialog box named incorrectly or something the end user wouldn't even notice. I haven't found very few bugs in XP which some say is bug riddled but after 5 years of use I don't see it.




RE: Write a 50 million line book
By Loser on 10/26/06, Rating: -1
RE: Write a 50 million line book
By djcameron on 10/26/2006 10:11:42 AM , Rating: 3
That's not true. Publishers are always releasing books with lots of mistakes in them.


RE: Write a 50 million line book
By rushfan2006 on 10/26/2006 10:18:30 AM , Rating: 3
Exactly...

Technical manuals, surprisingly, are among the worst offenders of having mistakes in them.....indeed I have found more than a couple things that make me go "huh?" in a Cisco book, I then go online to the publisher of the book and sure enough I find an errata sheet on it.



RE: Write a 50 million line book
By FITCamaro on 10/26/2006 12:38:49 PM , Rating: 2
AHAHAHAHAAHAHAHA!!!!

Have you ever even read a book? I typically notice spelling errors quite a bit (not so much on comma placement and such though) and my college textbooks were chock full of misspellings, missing words, etc. Same goes even for books you read just for fun.

Do you work in an engineering field? My current job is in requirements verification and testing and even in design documents for the systems here there's tons of the same kind of stuff. And this is coming from engineers of major corporations.


RE: Write a 50 million line book
By Russell on 10/26/2006 1:34:54 PM , Rating: 2
I find textbooks to be the worst. They work so hard to churn them out year after year that some of them have dozens of typos in a single chapter!


RE: Write a 50 million line book
By TomZ on 10/26/2006 10:29:27 AM , Rating: 3
It's actually a really bad analogy, because to test a book, you just have to read it end-to-end, note and fix the problems.

Software is infinitely more complex to test because of all the ways it can be used, all the possible sequences, all the possible hardware configurations, etc. There is no comparison between this job and proofreading a book, regardless of the number of words.


RE: Write a 50 million line book
By Nekrik on 10/26/2006 2:22:07 PM , Rating: 2
Not to mention the complexity of the fix, the time consumed to make the correction, and the cost. In reality, I would think that the print industry would prioritize certain errors and correct some but have a certain tolerance level they would ship a final press of a book with, same as the software industry.

No progress bar displayed for a local process used by .1 percent of the customers, ship it. Can't launch a certain process, fix it.

Missing the last page or spelled the author's name wrong, fix it. Misspelled a word in an appendix, ship it.


RE: Write a 50 million line book
By ani4ani on 10/26/2006 1:14:55 PM , Rating: 2
The apparent accuracy of the latest Vista, i.e. 500 bugs in 50,000,000 lines of code could be considered the same as finding one bad second per day! It's actually less than that, 1 second in every 27+ hours. That's pretty impressive no matter how you spin it.


Poor software programmers
By cheburashka on 10/26/2006 3:35:19 PM , Rating: 1
The cost for finding and fixing software bugs is trivial compared to doing the same for hardware logic. I assure you there are not 500 hardware defects/bugs shipping in our 150+ million transistor CPUs these days.




RE: Poor software programmers
By Spivonious on 10/26/2006 4:33:32 PM , Rating: 2
At least not ones so big as the old Pentium FP bug.


RE: Poor software programmers
By TomZ on 10/26/2006 8:11:47 PM , Rating: 2
Oh, really? You sure about that? Here's the errata list of the latest Core 2 Duo processor:

http://download.intel.com/design/processor/specupd...

Nearly 200 items and counting. Sorry to burst your bubble, but hardware is not tested to perfection either.


RE: Poor software programmers
By jtesoro on 10/26/2006 9:57:20 PM , Rating: 2
I didn't know this kind of thing happened with hardware. So how are these problems addressed? Software programmers just code around it? Hmmm, now that I think about it, maybe this is handled by the C++ compilers: they could generate low-level code which avoids hitting the known bugs of the target CPUs.


RE: Poor software programmers
By cheburashka on 10/27/2006 2:45:53 PM , Rating: 2
I never said the word 'perfection'. Last I checked 200 < 500. Also you should read the document you posted because there are only 82 listed in that doc. 82 << 500.


RE: Poor software programmers
By TomZ on 10/27/2006 4:55:36 PM , Rating: 2
Whether the number of errata is 82, 200, or 500, it doesn't make any difference. The point is that hardware logic is also full of mistakes, just like software. Your point is that hardware is more costly to fix than software, with the implication that hardware is tested to the point where it has no more issues. We know that is not the case.

In addition, since many of the software problems do get fixed, and then updates sent out to customers, I would argue that in the case of software, the costs are even higher than hardware. In the case of hardware, there is little exposure to replacement costs, since most of the problems are never fixed, except for the most critical. And even in the case of a critical problem like the now-famous Pentium FP bug, Intel did not replace any processors AFAIK. The burden was shifted to compiler vendors to fix the problem in software.


RE: Poor software programmers
By Hoser McMoose on 10/31/2006 4:05:57 PM , Rating: 2
Check the errata sheets sometimes... maybe not 500 bugs, but they aren't that far off. 50-100 bugs is not abnormal for a modern processor.

Besides, Windows Vista is a FAR more complicated project than a modern processor. Those processors might have 250+ million transistors, but 225 million of them are cache (4MB cache = 225M transistors). Also each functional logic block in a processor is made up of dozens or possibly hundreds of transistors. So logic transistors are really more akin to characters of code rather than lines of code.

Rough estimate, Windows Vista is probably 1 to 2 orders of magnitude more complex than the Core 2 Duo. So if there really are only 500 bugs, that's pretty impressive. Of course, it remains to be seen how many bugs will be found once the software is out in the field.


Well good.
By Master Kenobi (blog) on 10/26/2006 8:29:11 AM , Rating: 2
At least they decided to halt the RTM until they fixed such a huge bug, the others are likely minor ones that are typical for software, bet on day after patching when they launch in January. But that's not such a big deal. No worse than EA and the Endless Patching of games with the name of Battlefield.




RE: Well good.
By The Sword 88 on 10/26/2006 9:40:47 AM , Rating: 3
EA wins the buggy code and endless patching award.


RE: Well good.
By Lonyo on 10/26/2006 10:47:08 AM , Rating: 2
Nah, they often just give up patching games after maybe one or two and drop support. They win the bugs and lack of patching award.


RE: Well good.
By ss284 on 10/26/2006 11:45:08 AM , Rating: 2
You forgot the patches that introduce more bugs than they fix award.


Impressed
By freon on 10/26/2006 1:24:37 PM , Rating: 2
I am quite impressed they have knocked it down to just 500 known bugs.
However, I, and many of you I'm sure, know once it gets released to the world that number of bugs will escalate quite a bit. Something people don't seem to think about is all these coders, in house testers, and outside beta testers can't imagine every single scenario ol' billy and marge, the average don't-know-jack-about-computers home users, will come up with just by using their own system for what they do. When I run app a with b and do process c in app a, while twirling my pen in my left hand, singing oldies, my calculator crashes!
Starting from 500 is still pretty damn good.




RE: Impressed
By TomZ on 10/26/2006 1:38:41 PM , Rating: 2
True, but also consider that Vista has had a very large public beta period lasting over the past couple of years. I don't know the exact figures, but I'd be willing to bet the number of machines running Vista today is probably well into the hundreds of thousands, and maybe into the millions.


RE: Impressed
By freon on 10/26/2006 1:51:29 PM , Rating: 2
Sure, there are a lot of people running Vista now, but I would like to think the majority of those public beta testers are people with at least half a clue. It is highly doubtful your average everyday consumers who purchase their PCs at the local Walmart/BestBuy/Circuit City are downloading and installing Vista betas.


RE: Impressed
By TomZ on 10/26/2006 2:06:34 PM , Rating: 2
I agree, and I am of the opinion that sophisticated users are more likely to report actual bugs and to provide more useful information back to Microsoft compared to average users. That works in Microsoft's advantage in this case.


how long will RC2 run?
By Pwnt Soup on 10/27/2006 12:36:49 AM , Rating: 2
A question if I may. How long is a copy of RC2 good for? Will it expire at a certain date, or can it run for only a certain amount of time? Maybe someone can clear this up for me...thanks




RE: how long will RC2 run?
By ChronoReverse on 10/27/2006 12:41:24 AM , Rating: 2
It will run until June 2007 unless there's a bug in the deactivation code like in some random cases for the XP RC's.


For a moment there...
By mbf on 10/26/2006 11:55:09 AM , Rating: 2
...I believed Microsoft suddenly became aware of that tiny bit of DRM in their next OS, and pushed back the RTM to remove it. Why oh why am I always so gullible... :)




It's a hard life for programmers
By solgae1784 on 10/26/2006 12:11:52 PM , Rating: 2
I was majoring in computer engineering, so I feel the pain of the programmers just by reading this article. 500 bugs on millions of lines of code is extremely impressive, I must say. After years of bashing around programmers, I finally understood their pain after going thru some programming courses myself.




@Marcus Yam
By Loser on 10/26/2006 10:06:35 AM , Rating: 1
"You can bet that Sony built a long-term business plan about being successful in Japan and that business plan is crumbling." -- Peter Moore, 24 hours before his Microsoft resignation














Copyright 2010 DailyTech LLC.