A Joon Lee Bug Story

Joon Lee

Microsoft Corporation

December 2007

When I first began at Microsoft, my test manager gave me ownership of our team globalization test cases. She also suggested that I enroll in a Japanese-language course that was taught as part of a University of Washington extension curriculum on the Microsoft campus. "Naw...," I naively thought to myself. "I'm way too busy with work, and that course couldn't possibly help me in my job."

Fast-forward a few months, to when I found myself having to debug an access violation (AV) that was found by one of my data-conversion tests. The test case was trying to convert the string "H11111...1" (one "H" followed by 254 "1"s) to a DateTime data type. This test case had never given me problems before; it would always fail, with the appropriate error message. Looking into this issue some more, I realized that it reproduced only on a Japanese-language Microsoft Windows 95 system. Sighing deeply to myself, I headed into our cold, loud, and miserable test lab.

Unable to reproduce the bug on demand, I had to modify the test code to run in a tight loop before I finally got a reproduction. When the bug was finally caught in the debugger, I noticed that the AV occurred deep in the guts of the OLEAUT code. After another hour, I got the OLEAUT source code and the correct symbols, and I was able to make progress. But what I saw really surprised me.

According to the comments in the OLEAUT code, the conversion logic was trying to map the input "H1111...1" to some Japanese emperor. "What the @#$!*?%!" I swore loudly. "I must have the wrong source code." As it turned out, I did have the right source code. You see, the Japanese calendar has a convention that counts years by imperial era, and the leading "H" in the input just happened to be recognized as the era letter for Heisei. The 254 "1"s were then interpreted as the year of that era.

The bug was that converting the 254 "1"s to an integer overflowed it, which then caused the parsing logic to miss the null terminator. In most cases, the code found another 0x00 byte somewhere after the string and stopped there. Every so often, however, it would keep scanning until it hit a guard page, which caused the AV. As I left the lab, I wondered, "Wow! How could I possibly have known to cover this?"
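The conversion failure described above, as an added example in C that is not the OLEAUT code from the story: a constructed era-year parser in two forms, one that accumulates digits with no overflow check (the shape of the bug) and one that bounds the year, requires every byte up to the terminator to be a digit, and honours the caller's buffer length. It assumes a single era, Heisei, whose first year is 1989, and a two-digit cap on era years (an assumption of this example, not something the story states). The walk past the terminator is not reproduced here; with a signed int that overflow is undefined behaviour in C, so the unchecked variant uses unsigned arithmetic to make the silent wraparound observable instead.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example for this story, not the OLEAUT code that was debugged.
 * Only the Heisei era ("H") is modelled; Heisei 1 is Gregorian 1989. */
#define HEISEI_START    1989
#define MAX_ERA_YEAR    99   /* assumed sanity bound: era years fit in two digits */
#define STORY_INPUT_LEN 256  /* "H" + 254 '1's + NUL */

/* Build the test input from the story: one "H" followed by 254 "1"s.
 * buf must have room for STORY_INPUT_LEN bytes. */
void make_story_input(char *buf)
{
    buf[0] = 'H';
    memset(buf + 1, '1', 254);
    buf[255] = '\0';
}

/* Unchecked conversion, the shape of the bug: digits are accumulated with no
 * overflow check, so 254 digits wrap around silently. Unsigned arithmetic
 * keeps the wrap well-defined for demonstration; with a signed int the same
 * overflow is undefined behaviour and anything may happen afterwards.
 * Returns 0 for "not a Heisei date". */
unsigned convert_unchecked(const char *s)
{
    unsigned year = 0;
    if (*s != 'H') return 0;
    for (s++; *s >= '0' && *s <= '9'; s++)
        year = year * 10u + (unsigned)(*s - '0');   /* silently wraps */
    return year ? HEISEI_START + year - 1 : 0;
}

/* Checked conversion: len is the size of the buffer holding s. The year is
 * rejected long before it can overflow, every byte up to the terminator must
 * be a digit, and an unterminated buffer is refused rather than read past. */
bool convert_checked(const char *s, size_t len, int *gregorian)
{
    size_t i;
    int year = 0;
    if (len < 2 || s[0] != 'H') return false;
    for (i = 1; i < len && s[i] != '\0'; i++) {
        if (s[i] < '0' || s[i] > '9') return false;
        year = year * 10 + (s[i] - '0');
        if (year > MAX_ERA_YEAR) return false;   /* at most 999 here, far from INT_MAX */
    }
    if (i == len) return false;                  /* no terminator inside the buffer */
    if (i == 1 || year == 0) return false;       /* no digits, or "Heisei 0" */
    *gregorian = HEISEI_START + year - 1;
    return true;
}

int main(void)
{
    char buf[STORY_INPUT_LEN];
    int y = 0;
    make_story_input(buf);
    printf("H19 unchecked -> %u\n", convert_unchecked("H19"));
    printf("H19 checked   -> %s %d\n",
           convert_checked("H19", sizeof "H19", &y) ? "ok" : "rejected", y);
    printf("story input unchecked -> %u (wrapped, meaningless)\n", convert_unchecked(buf));
    printf("story input checked   -> %s\n",
           convert_checked(buf, sizeof buf, &y) ? "ok" : "rejected");
    return 0;
}
```

The point of the checked form is the order of the checks: the year bound is applied after every digit, so the accumulator can never reach a value large enough to overflow, and the loop is driven by the buffer length and the terminator rather than by anything derived from the parsed value.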

What's the moral of the story? Yep, you guessed it: I walked back to my test manager's office and politely requested that she enroll me in the Japanese-language course, after all.

About the Author

Joon Lee joined Microsoft in 1996 as an SDET on the ODBC/OLEDB test team. He is currently an SDET on the AdCenter team. His specializations include data-access technologies, globalization, and, most recently, performance/reliability testing.