Software Defectsfield guide to stateful defects

mutated × unstructured — blows up live on input you didn't expect

Runtime Errors

A chain: unstructured input with no contract is mutated into state the code has no handler for, then crashes downstream. The hallmark: it works in dev and explodes on the first unexpected input, live.

Unvalidated input written into program state becomes an illegal value, and the program throws the moment it is used.

01in the wild

In the wild

Structural Invalidation

The data shape is wrong — types drift, properties vanish, slots stay uninitialized.

Null / Undefined Dereference

A function that sometimes returns nothing, used as if it always returns a value.

compound ofImproper InitializationCWE-457 Uninit VariableMissing & Undefined ReturnsCWE-252 Unchecked ReturncompoundCWE-476 NULL DerefCWE-690 Unchecked Return to NULL Deref
Read the defect
Type Confusion / Bad Coercion

State mutated to a new type that the next reader does not expect.

compound ofthis MutationCWE-471 MAID (Modification of Immutable Data)Type Errors in Dynamic LanguagesCWE-704 Bad CastcompoundCWE-843 Type Confusion
Read the defect
Shape-Drift AttributeError

An attribute set on only some code paths, read on a path that assumes it always exists.

compound ofImproper InitializationCWE-908 Uninit ResourceDuck Typing Without ContractsCWE-20 Input ValidationcompoundCWE-754 Unchecked Condition
Read the defect
Aliased-Default Type Confusion

A function's mutable default is shared across calls; one caller seeds it with a wrong-typed value, and a later caller crashes operating on it.

compound ofAliasing & Mutable DefaultsCWE-471 MAID (Modification of Immutable Data)Type Errors in Dynamic LanguagesCWE-704 Bad CastcompoundCWE-843 Type Confusion
Read the defect
Unexpected-Type Element in a Heterogeneous Collection

A collection assumed to hold one shape gains an element of another type -- directly or because a method mutated one item -- and the consumer crashes when it reaches the odd one.

compound ofthis MutationCWE-471 MAID (Modification of Immutable Data)Duck Typing Without ContractsCWE-1287 Improper Type ValidationcompoundCWE-241 Unexpected Data Type
Read the defect

Computational Exhaustion

The math or scale is broken — loops run away, indexes overrun, formulas hit a wall.

Off-by-One Index Crash

A counter advanced one step too far indexes past the end of the array.

compound of++ / -- & Integer OverflowCWE-193 Off-by-OneIndex Out of Bounds & Missing KeysCWE-129compoundCWE-125 OOB ReadCWE-787 OOB Write
Read the defect
Divide-by-Zero from an Empty Aggregate

An average over input that can be empty drives the denominator to zero.

compound ofvar / let / mut DeclarationsDivide by ZeroCWE-682 Incorrect CalculationcompoundCWE-369 Divide by ZeroCWE-754 Unchecked Condition
Read the defect
Unbounded Input → Quadratic Blowup

An accumulating loop with no cap on input size turns a linear scan into O(n²) — fine in dev, fatal on real volume.

compound offor-Loop Control FlowCWE-834Unconstrained InputsCWE-1284 Bad QuantitycompoundCWE-400 Resource ExhaustionCWE-407 Quadratic Complexity
Read the defect
NaN / Infinity Poisons a Consumer

Float math yields NaN or Infinity, which crashes the first consumer that needs a finite number.

compound ofTime, Money & EntropyCWE-682 Incorrect CalculationLack of Input ValidationCWE-20 Input ValidationcompoundCWE-754 Unchecked Condition
Read the defect
Integer Overflow Sizes a Buffer Too Small

A size computed by multiplying or incrementing wraps past the integer max to a tiny value; the allocation looks fine, then an in-range-looking index writes off the end.

compound of++ / -- & Integer OverflowCWE-190 Integer OverflowIndex Out of Bounds & Missing KeysCWE-129compoundCWE-680 Integer to Buffer OverflowCWE-787 OOB Write
Read the defect

Architectural Drift

The contract is severed — an external API, library, or payload no longer matches.

Integration Crash on Unexpected Input

Trusting an external payload's shape, then mutating local state from it.

compound ofImpure FunctionsCWE-1108 Global RelianceLack of Input ValidationCWE-20 Input ValidationcompoundCWE-248 Uncaught ExceptionCWE-754 Unchecked Condition
Read the defect
Stale API After Upgrade (AttributeError)

A mixin reaches for a method a dependency upgrade quietly renamed or removed.

compound ofMacro & Mixin MisuseVersion & Library MismanagementCWE-1104compoundCWE-758 Undefined BehaviorCWE-754 Unchecked Condition
Read the defect
Deserialized Type Confusion Crash

A payload reconstructs an object of an unexpected shape; the code mutates it as the type it assumed, and crashes on the first attribute that isn't there.

compound ofInsecure DeserializationCWE-502 Unsafe Deserializationthis MutationCWE-471 MAID (Modification of Immutable Data)compoundCWE-704 Bad CastCWE-843 Type Confusion
Read the defect
Config / Environment Drift Crash

An upgrade renames the config key the code still reads directly; the service boots fine and dies on the first request in the new environment.

compound ofImpure FunctionsCWE-1108 Global RelianceVersion & Library MismanagementCWE-1104compoundCWE-248 Uncaught ExceptionCWE-754 Unchecked Condition
Read the defect
Schema-Drift on Load: Old Payload Sets Unexpected Attributes

A record serialized by an older class version is rehydrated by a mixin/ORM that blindly sets whatever attributes the payload names -- so a renamed or dropped field lands on the new object and a later access breaks.

compound ofMacro & Mixin MisuseInsecure DeserializationCWE-502 Unsafe DeserializationcompoundCWE-915 Object Attribute Injection
Read the defect