Software Defectsfield guide to stateful defects

defects that emerge from other defects

Compound Defects

Bugs with no single line number: they emerge where two stateful defects meet. You can only name them by their symptom, because the cause lives in the interaction.

Two correct-looking defects combine into one that classifies by symptom, not by root cause.

01the defects

The defects in detail

mutated × shared — the answer changes between runsNondeterminismA value that varies, observed across actors without synchronization, lets timing pick the result instead of your code.Read the defect mutated × unstructured — blows up live on input you didn't expectRuntime ErrorsUnvalidated input written into program state becomes an illegal value, and the program throws the moment it is used.Read the defect shared × unstructured — bad data written permanently, and it spreadsData CorruptionUnvalidated data crossing a shared boundary persists and propagates, so the damage is permanent and reaches other actors.Read the defect
02the smell

In practice

These three defects are not roots but symptoms. Each is the intersection of two of the stateful families — mutated, shared, and unstructured — and you recognize it by how it feels: an answer that won't reproduce, a crash that only happens live, data that's quietly, permanently wrong. MITRE calls combinations like these Compound weaknesses: Chains (one defect creates the conditions for the next) and Composites (several must occur at once). Fix one ingredient and the smell often persists, because the other half is still there.

How it shows up

  • The bug cannot be reproduced consistently
  • Whack-a-mole fixes that won't stay fixed
  • Crashes first seen live, in the demo
  • Permanent damage or information exposure

Tools that hurt

concurrency over mutable statecaches over hidden inputsexternal input without a contractrolling deploys / mixed versionsshared memory & deserializationtrust across a boundary
03the dream

The pure-function fantasy

A compound defect has no home. Point at the race and the fix is in the cache; point at the cache and the fix is in the clock. The bug lives in the space between two files that each look correct.on debugging the unreproducible
04antidotes

Philosophies & antidotes

This family maps to the CWE pillar: CWE-678 — Composites