Bug Symptoms

Identify bugs by their symptoms

Bug Symptoms Index for peqy

Security

8 bug types

SQL injection
Security

Symptoms:

  • Unexpected rows returned or privilege changes after user-controlled input.
  • Database errors mentioning syntax near quotes or UNION/SELECT.
  • Blind timing differences when injecting logical conditions (e.g., sleep/delay).

Example Errors:

  • SQL syntax error near '...'
  • ORA-00933: SQL command not properly ended
  • PostgreSQL error: unterminated quoted string

Command injection
Security

Symptoms:

  • Shell errors when user input contains separators like `&&`, `|`, `;`, or backticks.
  • Unexpected files/processes created by requests containing crafted arguments.
  • Behavior differences when input includes wildcard or redirection characters.

Example Errors:

  • sh: 1: cannot open …: Permission denied
  • bash: syntax error near unexpected token `;'
  • The system cannot find the file specified (Windows)

XSS
Security

Symptoms:

  • User-controlled content renders as HTML/JS in the page (alert boxes, DOM modifications).
  • Console logs show script execution from untrusted sources.
  • Reports of unexpected redirects or credential theft tokens in requests.

Example Errors:

  • Refused to execute inline script due to Content Security Policy
  • DOMException: Blocked a frame with origin from accessing a cross-origin frame
  • Audit: Potentially insecure dynamic code evaluation

SSRF
Security

Symptoms:

  • Server makes outbound HTTP requests to attacker-provided URLs.
  • Access to internal metadata endpoints (e.g., 169.254.169.254) observed in logs.
  • High latency or timeouts when fetching user-supplied URLs.

Example Errors:

  • ECONNREFUSED to 127.0.0.1 from server
  • Timeout fetching http://169.254.169.254/latest/meta-data/
  • DNS resolution failed for crafted hostname

Path traversal
Security

Symptoms:

  • Requests containing `../`, `%2e%2e/`, or similar sequences access unexpected files.
  • Logs show attempts to reach `/etc/passwd`, `.env`, or config directories.
  • Mismatches between requested path and served file outside the web root.

Example Errors:

  • File not found: ../../../../etc/passwd
  • SecurityError: attempted relative import beyond toplevel package
  • Access denied: path escapes base directory

IDOR (broken object level auth)
Security

Symptoms:

  • Changing an ID in URL/body returns another user’s resource.
  • Authorization passes for resource A but not enforced for resource B of same type.
  • Audit logs show cross-tenant or cross-user reads/writes.

Example Errors:

  • None (often silent) — incorrect data returned
  • 403 only on some endpoints; others improperly allow access
  • Audit: user X accessed object belonging to user Y

AuthN/AuthZ flaw
Security

Symptoms:

  • Privileged actions available via hidden UI routes or client-side checks only.
  • Sessions not invalidated on logout or credential change.
  • Role/claim tampering grants unauthorized access.

Example Errors:

  • JWT accepted after expiration
  • Missing CSRF/anti-forgery validation
  • Authorization header ignored on certain routes

Sensitive data exposure
Security

Symptoms:

  • Secrets/PII appear in logs, URLs, client storage, or error messages.
  • Weak or missing TLS; outdated ciphers; plaintext storage of sensitive data.
  • Database dumps or backups accessible from public endpoints/buckets.

Example Errors:

  • SSL: no shared cipher
  • Warning: Using a deprecated hashing algorithm
  • Access log contains Authorization header

Interface & Contract

4 bug types

Serialization/rehydration mismatch
Interface & Contract

Symptoms:

  • Hydration warnings or DOM checksum mismatches on initial render.
  • Server-rendered markup differs from client render (blinking or reflow).
  • Stateful values (dates/random IDs) differ between server and client.

Example Errors:

  • Hydration failed because the initial UI does not match what was rendered on the server.
  • Unexpected token < in JSON at position 0
  • Text content does not match server-rendered HTML

Type/nullability drift
Interface & Contract

Symptoms:

  • Runtime errors where types claim non-null but values are null/undefined.
  • Compilation passes but runtime fails on property access.
  • API responses omit fields expected as required in client types.

Example Errors:

  • Cannot read properties of undefined (reading 'x')
  • TypeError: null is not an object
  • TS2322: Type 'undefined' is not assignable to type 'T'

Stale OpenAPI/TypeScript declarations
Interface & Contract

Symptoms:

  • Client fails parsing responses due to missing/renamed fields.
  • Builds succeed but integration tests fail after API rollout.
  • Contract tests or schema diffs show breaking changes.

Example Errors:

  • Unknown field 'foo' in response
  • HTTP 400: required parameter missing
  • TS2339: Property 'bar' does not exist on type 'Baz'

Field/parameter name mismatch
Interface & Contract

Symptoms:

  • API receives parameter but handler reads a differently named field.
  • Form submits succeed but server ignores the intended value.
  • OpenAPI doc shows field casing that differs from implementation.

Example Errors:

  • Unrecognized parameter 'user_id'; did you mean 'userId'?
  • 422 Unprocessable Entity: field required
  • Request validation failed: additionalProperties 'foo'

Functional Logic & Control Flow

7 bug types

Inverted boolean condition
Functional Logic & Control Flow

Symptoms:

  • Feature toggles behave opposite to expectation.
  • Guard clauses always allow or always block.
  • Test for negative case passes while positive fails.

Example Errors:

  • AssertionError: expected true to be false
  • Unexpected branch executed
  • If-condition always true/always false (linter)

Variable/identifier shadowing
Functional Logic & Control Flow

Symptoms:

  • Assignments have no effect outside block scope.
  • Unexpected value read due to inner variable masking outer one.
  • Linters warn about shadowed variables.

Example Errors:

  • ESLint: 'result' is already declared in the upper scope.
  • Shadowed variable 'config'
  • TypeScript: Block-scoped variable used before declaration

Incorrect enum/constant comparison
Functional Logic & Control Flow

Symptoms:

  • Switch/case fallbacks triggered unexpectedly.
  • Branching behaves differently across platforms/types.
  • Magic numbers used instead of enum symbols.

Example Errors:

  • Type mismatch in comparison
  • Case not handled for value
  • Assignment used where comparison intended

Unreachable code segment
Functional Logic & Control Flow

Symptoms:

  • Static analysis flags unreachable/dead code.
  • Coverage tools show never-executed blocks.
  • Refactor introduced early returns skipping code.

Example Errors:

  • Warning: Unreachable code detected
  • Sonar/ESLint rule: no-unreachable
  • Dead code elimination removed block

Off-by-one / boundary error
Functional Logic & Control Flow

Symptoms:

  • First/last element skipped or duplicated.
  • Index out-of-range on boundary inputs.
  • Allocated size differs by exactly one element.

Example Errors:

  • IndexError: list index out of range
  • ArrayIndexOutOfBoundsException
  • Buffer overread/overwrite detected

Integer overflow
Functional Logic & Control Flow

Symptoms:

  • Negative or wraparound values after arithmetic.
  • Allocation sizes overflow leading to tiny buffers.
  • Counters reset unexpectedly at large values.

Example Errors:

  • Signed integer overflow: undefined behavior
  • ValueError: size must be non-negative
  • ArithmeticException: integer overflow

Buffer overflow
Functional Logic & Control Flow

Symptoms:

  • Crashes or corruption after copy/format operations.
  • ASAN/Valgrind reports out-of-bounds writes.
  • Unusual control flow or return address corruption.

Example Errors:

  • AddressSanitizer: stack-buffer-overflow
  • Segmentation fault (core dumped)
  • Heap corruption detected

State & Data Consistency

3 bug types

Inconsistent domain state
State & Data Consistency

Symptoms:

  • Aggregate invariants violated (e.g., totals not matching line items).
  • Conflicting statuses across related entities.
  • Intermittent bugs after partial updates or reordering of operations.

Example Errors:

  • ConstraintError: violated business invariant
  • Assertion failed: aggregate state invalid
  • Mismatch between derived and stored values

Uniqueness constraint violation
State & Data Consistency

Symptoms:

  • Duplicate keys or usernames appear after concurrent inserts.
  • Database raises unique/duplicate key errors.
  • Idempotent operations still create duplicates.

Example Errors:

  • ERROR: duplicate key value violates unique constraint
  • E11000 duplicate key error collection
  • Unique index violation on (field)

Partial/failed migration
State & Data Consistency

Symptoms:

  • Some services read new schema while others expect old.
  • Runtime errors referencing missing columns/tables.
  • Data shape differs between environments.

Example Errors:

  • column "foo" does not exist
  • Liquibase failed: changeset did not run
  • Flyway: checksum mismatch for migration

Concurrency, Async & Events

5 bug types

Race condition
Concurrency, Async & Events

Symptoms:

  • Non-deterministic failures under load or on CI.
  • Data occasionally overwritten or lost when requests overlap.
  • Flaky tests that pass locally but fail intermittently.

Example Errors:

  • ConcurrentModificationException
  • Optimistic locking failure / ETag precondition failed
  • Write conflict detected

Event-order race
Concurrency, Async & Events

Symptoms:

  • Check-then-act logic fails when state changes between operations.
  • Validation passes but subsequent use sees different state.
  • Time-of-check/time-of-use windows exploited in tests.

Example Errors:

  • Precondition failed due to state change
  • Resource modified since validation
  • TOCTOU violation

Un/poorly handled async promise
Concurrency, Async & Events

Symptoms:

  • Unhandled promise rejections in logs/console.
  • Hidden failures where downstream steps silently skip.
  • UI freezes or inconsistent state after async errors.

Example Errors:

  • UnhandledPromiseRejectionWarning
  • unhandledrejection event fired
  • Promise rejection: TypeError

Duplicate request
Concurrency, Async & Events

Symptoms:

  • Double charges/duplicate records created by retries or resubmits.
  • Idempotent endpoints behave inconsistently across retries.
  • Network errors followed by duplicated side effects.

Example Errors:

  • Order already processed
  • Idempotency key conflict
  • 409 Conflict on repeated POST

Stale state/cache invalidation
Concurrency, Async & Events

Symptoms:

  • Users see old data after update until cache expires.
  • Inconsistent views across nodes/regions.
  • Conditional requests not revalidating as expected.

Example Errors:

  • ETag mismatch / 412 Precondition Failed
  • No-cache directives ignored
  • Replica lag warnings

Error Handling & Input Validation

6 bug types

Missing error handling
Error Handling & Input Validation

Symptoms:

  • Operations fail silently with no logs or metrics.
  • Downstream components receive invalid/partial results.
  • Retry/backoff not triggered on transient failures.

Example Errors:

  • None (silent failure)
  • Unhandled return codes
  • Empty catch blocks in code review

Unhandled exception
Error Handling & Input Validation

Symptoms:

  • Process or request crashes without graceful fallback.
  • 500 errors with stack traces exposed.
  • Background jobs halt on first error.

Example Errors:

  • Unhandled exception: NullReferenceException
  • Fatal error: uncaught exception
  • Node process exited with code 1

Incorrect exception handling
Error Handling & Input Validation

Symptoms:

  • Errors swallowed; system continues in corrupted state.
  • Generic catch blocks mask root causes.
  • Retries applied to non-retriable errors.

Example Errors:

  • catch (Exception e) { /* ignore */ }
  • Suppressed exception: original cause hidden
  • Retry storm detected

Invalid input not validated
Error Handling & Input Validation

Symptoms:

  • Downstream functions receive unexpected types/shapes.
  • Security scanners flag injection risks on unvalidated inputs.
  • Frequent 400/422 validation failures in logs.

Example Errors:

  • ValidationError: 'field' is required
  • BadRequest: invalid format
  • Schema validation failed

Invalid timestamp/format
Error Handling & Input Validation

Symptoms:

  • Parsing failures for locale-dependent date strings.
  • Inconsistent results across time zones/offsets.
  • Sorting/aggregation wrong due to string dates.

Example Errors:

  • Invalid time value
  • RangeError: Invalid time zone specified
  • Date parsing failed

Null dereference
Error Handling & Input Validation

Symptoms:

  • Crashes or exceptions when accessing properties on null/undefined.
  • Intermittent failures depending on optional inputs.
  • Hot path guarded only in some code paths.

Example Errors:

  • TypeError: Cannot read properties of null
  • NullReferenceException
  • Segmentation fault on null pointer

Memory & Resource Management

4 bug types

Memory leak
Memory & Resource Management

Symptoms:

  • Process memory grows over time without returning to baseline.
  • Frequent GC pauses or OOM kills under steady load.
  • Heap snapshots show unreachable yet retained objects.

Example Errors:

  • Java OOME: Java heap space
  • Fatal error: JavaScript heap out of memory
  • OutOfMemoryError: unable to create new native thread

Resource leak
Memory & Resource Management

Symptoms:

  • Open file/socket handles increase and never drop.
  • DB connection pool exhaustion during errors/timeouts.
  • OS reports 'too many open files' or descriptor exhaustion.

Example Errors:

  • EMFILE: too many open files
  • Connection pool exhausted
  • Socket leak detected

Memory corruption
Memory & Resource Management

Symptoms:

  • Crashes with inconsistent stack traces.
  • ASAN/UBSAN detects out-of-bounds or use-after-free.
  • Nondeterministic behavior sensitive to build flags.

Example Errors:

  • AddressSanitizer: heap-use-after-free
  • UndefinedBehaviorSanitizer: out-of-bounds
  • double free or corruption

Stack overflow
Memory & Resource Management

Symptoms:

  • Immediate crash on deep input recursion.
  • Large local allocations trigger stack overflow.
  • Tail recursion absent where expected.

Example Errors:

  • RangeError: Maximum call stack size exceeded
  • StackOverflowError
  • fatal error: stack overflow

Performance

3 bug types

Blocking call on hot path
Performance

Symptoms:

  • Latency spikes and long tasks on main thread/event loop.
  • Throughput drops under CPU-bound sections.
  • User-visible jank during heavy computation.

Example Errors:

  • Long Task detected (>50ms)
  • Event loop blocked warnings
  • High CPU usage on single thread

Catastrophic regex backtracking
Performance

Symptoms:

  • Requests hang or CPU spikes on specific input strings.
  • Regex evaluation dominates profiles under load.
  • DoS-like behavior with crafted repeating patterns.

Example Errors:

  • Regex timeout exceeded
  • High CPU during regex.test/exec
  • ReDoS detected for pattern

Synchronous validation on async path
Performance

Symptoms:

  • UI stutters during parsing/validation on input.
  • Server event loop stalls when validating large payloads.
  • Throughput collapses under heavy synchronous checks.

Example Errors:

  • Main thread is busy
  • Event loop utilization low / blocked
  • Slow request: validation dominated total time
