# Code Quiz: Small Bug – Big Impact

## BTPEX SRM Developer Forum

----

> "All bugs in this presentation are based on actual events."

----

You literally could say:

> "The following code has actually taken down rockets, banks, and billions."

----

### Disclaimer

> Yes, this is exaggerated. No, it's not that unrealistic.
> Some examples were intentionally created or adapted for this presentation to illustrate real-world issues. In some cases, the original incidents are not publicly documented or are under NDA.

---

# Quiz

```c
if ((err = SSLVerify(...)) != 0)
    goto fail;
    goto fail;
```

> ❓ What's the issue in this C code?

----

### ✅ Fix

```c
if ((err = SSLVerify(...)) != 0)
    goto fail;
```

> Delete the second `goto`.

----

# Quiz: Apple "goto fail" (2014)

### ⚠️ Impact

- SSL certificate verification skipped
- Affected iOS and macOS
- Allowed MitM attacks over HTTPS
- Shook public trust in Apple security

[Source](https://www.blackduck.com/blog/understanding-apple-goto-fail-vulnerability-2.html)

---

# Quiz

```bash
ecs-cli down --cluster "s3-*"
```

> ❓ What went wrong with this bash command?

----

### ✅ Fix

```bash
# Intended:
ecs-cli down --cluster "s3-a"
# Actual:
ecs-cli down --cluster "s3-*"
```

> Eliminate the wildcard in the input argument.

### ✅ Additional fix

```bash
# require an explicit confirmation of the exact cluster name before tearing anything down
read -p "Confirm cluster: $CLUSTER_NAME? (yes/no): " ans
[[ "$ans" != "yes" ]] && exit 1
```

----

# Quiz: AWS S3 Outage (2017)

### ⚠️ Impact

- Disabled an entire region's S3 infrastructure
- Took down major platforms: GitHub, Slack, Trello
- Estimated economic loss in the hundreds of millions

[Source](https://aws.amazon.com/de/message/41926/)

---

# Quiz

```c
double time = t * 0.1; // using fixed-point approximation
```

> ❓ Why is this dangerous in long-running systems?
----

### ✅ Fix

```c
uint64_t ticks = t;                  // keep the tick count as an exact integer
double time = (double)ticks / 10.0;  // one correctly rounded division instead of an inexact 0.1 factor
```

----

# Quiz: Patriot Missile Drift (1991)

### ⚠️ Impact

- System time drifted ~0.34 s after 100 h
- Caused missile defense failure
- 28 soldiers killed in attack

[Source](https://www-users.cse.umn.edu/~arnold/disasters/patriot.html)

---

# Quiz

```java
balance = Math.round(balance * 100) / 100.0;
```

> ❓ What's the risk with this rounding logic?

----

### ✅ Fix

```java
// keep money as whole cents in an integer type, so no floating-point rounding is ever needed
int balanceCents = depositCents - withdrawalCents;
```

----

# Quiz: Horizon Accounting Scandal

### ⚠️ Impact

- 700+ postmasters falsely accused and convicted
- Based on a flawed accounting system
- Legal battle, reputational damage, ruined lives

> To be fair: this was just one small issue. There were over 28 financially relevant bugs in the software!

[Source](https://en.wikipedia.org/wiki/British_Post_Office_scandal)

---

# Quiz

### (Fictional Java Example)

```java
public class Config {
    private String databaseUrl;

    public String getDatabaseUrl() {
        return databaseUrl;
    }
}

public class App {
    public static void main(String[] args) {
        Config config = new Config();
        System.out.println("DB: " + config.getDatabaseUrl().toLowerCase());
    }
}
```

> ❓ What might happen during execution?
----

### ✅ Fix

```java
public class App {
    public static void main(String[] args) {
        Config config = new Config();
        // fail fast with a clear message instead of a NullPointerException deep in the call chain
        if (config.getDatabaseUrl() == null || config.getDatabaseUrl().isEmpty()) {
            throw new IllegalArgumentException("Missing database URL");
        }
        System.out.println("DB: " + config.getDatabaseUrl().toLowerCase());
    }
}
```

----

# Quiz: Google Cloud Outage (2025)

### ⚠️ Impact

- Global services went offline
- Due to unvalidated critical config fields (null / empty check)
- Highlighted fragility of cloud infrastructure

[Source](http://centralit.accounts.ondemand.com/saml2/idp/acs/centralit.accounts.ondemand.com)

> Google Incident Report: "The issue with this change was that it did not have appropriate error handling nor was it feature flag protected. Without the appropriate error handling, the null pointer caused the binary to crash."

---

# Quiz

```text
CATIA V4 (German team)
CATIA V5 (French team)
```

> ❓ What's the risk of using different CAD tools?

----

### ⚠️ Problem

```text
CATIA V4: cable    = 1000 mm
CATIA V5: required = 1001 mm
```

----

### ✅ Fix

- Standardize on CATIA V5
- Validate full digital mockups (DMU)
- Sync ECAD-MCAD data across teams

----

# Quiz: Airbus A380 – CAD Version Mismatch

### ⚠️ Impact

- 530 km of cabling incorrect
- Massive rework, 2-year delay
- Billions of euros in cost

[Source](https://simpleflying.com/airbus-a380-computer-design-delay/)

---

# Quiz

```java
try {
    Connection conn = dataSource.getConnection();
    // processing code that throws an exception...
    conn.close();
} catch (Exception e) {
    logger.error("Failure", e);
}
```

> ❓ What's the critical mistake in this try block?
----

### ✅ Fix

```java
Connection conn = null;
try {
    conn = dataSource.getConnection();
    // work with conn
} catch (Exception e) {
    logger.error("Failure", e);
} finally {
    // runs on every path, including when the processing code throws
    if (conn != null) {
        try {
            conn.close();
        } catch (SQLException ignore) {
            // handle / log closing issue
        }
    }
}
```

----

### ✅ Even better fix

```java
// try-with-resources closes conn automatically, also when an exception is thrown
try (Connection conn = dataSource.getConnection()) {
    // safe processing
} catch (Exception e) {
    logger.error("Failure", e);
}
```

----

# Quiz: SAP HANA Java Connection Leak (~2017)

### ⚠️ Impact

- Happened in **SAP IoT context** under load
- Unclosed HANA connections accumulated silently
- After ~500 connections → **DB crashed**
- Crash occurred after ~15 min of runtime
- Required debug analysis across services and logs
- Several hours of service outage for customers

[Source: Matthias' memories]

---

# Key Takeaways

- ✅ Automated testing catches edge cases early
- ✅ Four-eyes principle for pull requests catches human oversights
- ✅ Consistent tooling & formats reduce integration errors
- ✅ Config validation is as critical as code
- ✅ Legacy code reuse must be validated in new contexts
- ✅ Edge-case awareness (overflows, precision, units) is vital
- ✅ Communication across teams and systems prevents disasters
- ✅ Float ≠ money or time → use precise datatypes (Java)

----

# Thanks for Playing!

### BTPEX SRM Developer Forum

Which failure surprised you the most?
What could you bring into your daily development practice?

---
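# Appendix: the goto fail control flow, runnable

Added demo for the Apple quiz, not from the original slides and not Apple's code: two constructed stand-in handshake steps (`update_hash` and `verify_signature`, assumed names) show that with the duplicated `goto` the signature check is dead code and `err` keeps the 0 returned by the previous step.

```c
/* Constructed stand-ins for the handshake steps (assumed names, not the real
 * SSLVerify... functions): each returns 0 on success and -1 on failure. */
typedef struct { int hash_ok; int signature_ok; } handshake_t;

static int update_hash(const handshake_t *h)      { return h->hash_ok ? 0 : -1; }
static int verify_signature(const handshake_t *h) { return h->signature_ok ? 0 : -1; }

/* Buggy shape from the quiz: the second goto is not guarded by an if, so it
 * is always taken. verify_signature() is never reached and err still holds
 * the 0 from update_hash(), so the caller believes the handshake verified. */
int verify_buggy(const handshake_t *h) {
    int err;
    if ((err = update_hash(h)) != 0)
        goto fail;
    goto fail;                         /* duplicated line: always jumps */
    if ((err = verify_signature(h)) != 0)
        goto fail;
fail:
    return err;
}

/* Fixed shape: every goto is guarded, so a bad signature is reported. */
int verify_fixed(const handshake_t *h) {
    int err;
    if ((err = update_hash(h)) != 0)
        goto fail;
    if ((err = verify_signature(h)) != 0)
        goto fail;
fail:
    return err;
}
```

---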
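# Appendix: Patriot clock drift, computed

Added demo for the Patriot quiz, not from the original slides and not the Patriot code: the system counted 0.1 s ticks and held the constant 0.1 in a 24-bit fixed-point register, i.e. truncated after 23 fractional bits (an assumption taken from the linked write-up). Multiplying the tick count by that truncated constant loses about 9.5e-8 s per tick, which adds up to the ~0.34 s on the impact slide after 100 hours.

```c
#include <stdint.h>

#define FRAC_BITS 23   /* 24-bit register: one integer bit plus 23 fraction bits */

/* 0.1 as the fixed-point hardware stored it: floor(0.1 * 2^23) / 2^23.
 * The integer cast truncates, exactly like the register did. */
static double truncated_tenth(void) {
    uint64_t scale = (uint64_t)1 << FRAC_BITS;
    uint64_t fixed = (uint64_t)(0.1 * (double)scale);   /* 838860, not 838860.8 */
    return (double)fixed / (double)scale;               /* 0.09999990463... */
}

/* Clock time in seconds as the original computed it: ticks * (truncated 0.1). */
double clock_fixed_point(uint64_t ticks) {
    return (double)ticks * truncated_tenth();
}

/* The fix from the slide: keep ticks as an exact integer and convert with one
 * correctly rounded division. */
double clock_exact(uint64_t ticks) {
    return (double)ticks / 10.0;
}

/* Accumulated drift in seconds after `hours` of continuous operation. */
double drift_after_hours(double hours) {
    uint64_t ticks = (uint64_t)(hours * 3600.0 * 10.0);   /* ten ticks per second */
    return clock_exact(ticks) - clock_fixed_point(ticks);
}
```

`drift_after_hours(100.0)` returns 0.343 s, the figure on the impact slide.

---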
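# Appendix: rounding money in doubles vs. integer cents

Added demo for the Horizon quiz, not from the original slides and not Horizon code: splitting a 2.01 bill between two accounts with the quiz's `Math.round(balance * 100) / 100.0` logic (mirrored in C as floor(x + 0.5), which is what Math.round does for positive values) makes one cent vanish, while the integer-cents approach from the fix slide always conserves the total.

```c
#include <stdint.h>

/* Mirror of the quiz line: round a double amount to two decimals. For
 * positive values Java's Math.round(x) is floor(x + 0.5), written as a cast. */
double round_to_cents(double amount) {
    return (double)(int64_t)(amount * 100.0 + 0.5) / 100.0;
}

/* Split `total` equally between `parts` accounts using doubles and return the
 * sum the accounts actually received. 2.01 / 2 = 1.005 has no exact binary
 * representation; it is stored just below 1.005, so each share rounds to 1.00. */
double split_double_total(double total, int parts) {
    double received = 0.0;
    for (int i = 0; i < parts; i++)
        received += round_to_cents(total / parts);
    return received;
}

/* Split `total_cents` equally between `parts` accounts using integers (the
 * fix slide's data type). Whole cents are divided evenly and the remainder is
 * handed out one cent at a time, so the shares always sum to the input. */
int64_t split_cents_total(int64_t total_cents, int parts, int64_t *shares) {
    int64_t base = total_cents / parts, rest = total_cents % parts, sum = 0;
    for (int i = 0; i < parts; i++) {
        shares[i] = base + (i < rest ? 1 : 0);
        sum += shares[i];
    }
    return sum;
}
```

---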