9.9 KiB
9.9 KiB
Common Bugs Checklist
Quick-reference bug patterns organized by category. For detailed code examples, explanations, and comprehensive review checklists, see the dedicated language guides linked below.
Universal Issues
Logic Errors
- Off-by-one errors in loops and array access
- Incorrect boolean logic (De Morgan's law violations)
- Missing null/undefined checks
- Race conditions in concurrent code
- Incorrect comparison operators (
==vs===,=vs==) - Integer overflow/underflow
- Floating point comparison issues
Resource Management
- Memory leaks (unclosed connections, listeners)
- File handles not closed
- Database connections not released
- Event listeners not removed
- Timers/intervals not cleared
Error Handling
- Swallowed exceptions (empty catch blocks)
- Generic exception handling hiding specific errors
- Missing error propagation
- Incorrect error types thrown
- Missing finally/cleanup blocks
TypeScript/JavaScript
==instead of===- Using
any— prefer proper types orunknownwith type guards - Missing
awaiton async calls - Unhandled promise rejections (no try-catch around await)
thiscontext lost in callbacks- Missing
keyprop in lists - Closure capturing stale loop variable
parseIntwithout radix parameter- Modifying array/object during iteration
Full guide: TypeScript Review Guide
React / React 19
- Hooks called conditionally or in loops (violates Rules of Hooks)
useEffectdependency array incomplete or incorrectuseEffectmissing cleanup function (subscriptions, timers, fetches)useEffectused for derived state (useuseMemoinstead)useMemo/useCallbackover-used or used withoutReact.memo- Component defined inside another component (re-mounts every render)
- Unstable props (inline objects/functions passed to memo components)
- Direct mutation of props
- List missing
keyor using array index as key (reorderable lists) - Server Component using client APIs (
useState,useEffect,onClick) 'use client'on parent making entire subtree client-sideuseActionStatecallingsetStateinstead of returning new stateuseFormStatuscalled in same component as<form>(must be in child)useOptimisticused for critical operations (payments, deletions)- Single Suspense boundary for entire page (slow blocks fast)
- Missing Error Boundary wrapping Suspense
use()Hook receiving a new Promise each render
TanStack Query v5:
queryKeymissing parameters that affect data- Default
staleTime: 0causing excessive refetches useSuspenseQuerywithenabledoption (not supported)- Mutation not invalidating related queries on success
- Optimistic update missing rollback in
onError - Using v4 array syntax (
useQuery(['key'], fn)) instead of v5 object syntax
Testing:
- Using
container.querySelectorinstead ofscreen.getByRole - Using
fireEventinstead ofuserEvent - Testing implementation details instead of user-visible behavior
- Using
getBy*for async content (usefindBy*)
Full guide: React Review Guide
Vue 3
- Destructuring
reactive()object loses reactivity (usetoRefs) - Passing
props.xto composable instead of() => props.xortoRef(props, 'x') watchwith async callback missingonCleanup(race condition)computedwith side effects (mutations, API calls)v-forusing index as:keywhen list can reorderv-ifandv-foron the same elementdefinePropswithout TypeScript type declarationwithDefaultsobject default values not using factory functions- Directly mutating props instead of emitting events
watchEffectwith unclear dependencies causing over-triggering
Full guide: Vue 3 Review Guide
Python
- Mutable default arguments (
def f(x=[])) - Bare
except:catchingKeyboardInterruptandSystemExit - Shared mutable class attributes (
class C: items = []) - Using
isinstead of==for value comparison - Forgetting
selfparameter in methods - Modifying list while iterating
- String concatenation in loops (use
"".join()) - Not closing files (use
withstatement) - Missing type annotations on public functions
Full guide: Python Review Guide
Rust
Ownership & Borrowing:
- Unnecessary
clone()to work around borrow checker Arc<Mutex<T>>when single-owner would suffice- Storing borrows in structs when owned data is simpler
- Unnecessary
RefCell(runtime checks vs compile-time)
Unsafe Code:
unsafeblock withoutSAFETY:comment explaining invariantsunsafe fnwithout# Safetydoc section- Unsafe invariants split across modules
Async & Concurrency:
- Blocking in async context (
std::fs,std::thread::sleep) - Holding
std::sync::Mutexacross.await - Spawned task missing
'staticlifetime bound - Dropping a Future without awaiting (forgotten work)
Error Handling:
unwrap()/expect()in production code- Library using
anyhowinstead ofthiserror(callers can't match) - Swallowing error context (
map_err(|_| ...)) - Ignoring
must_usereturn values
Performance:
- Unnecessary
.collect()— prefer lazy iterators - String concatenation in loops without
with_capacity Box<dyn Trait>whenimpl Traitwould work
Full guide: Rust Review Guide
Go
- Ignoring errors (
result, _ := SomeFunction()) - Goroutine with no exit mechanism (leak)
- Missing or incorrect
context.Contextpropagation - Loop variable capture issue (Go < 1.22)
deferin loops (deferred until function, not loop iteration)- Variable shadowing
- Map used before initialization
- Error wrapping with
%vinstead of%w(breakserrors.Is/errors.As)
Full guide: Go Review Guide
Java / Spring Boot
- POJO/DTO with manual boilerplate instead of
record - Traditional switch missing
break(use switch expressions) - Field injection instead of constructor injection
- JPA N+1 query (missing
fetch joinor@EntityGraph) - Incorrect
equals/hashCodeon JPA entities (use business key, not ID) Optional.get()withoutisPresent()check- Stream operations with side effects
Full guide: Java Review Guide
PHP
- Missing
declare(strict_types=1);in new files - Weak comparison (
==,!=) in auth, token, payment, or state logic in_array()/array_search()used without strict mode- SQL built with string concatenation instead of prepared statements
- User input echoed without context-aware escaping
- Passwords stored with
md5()/sha1()instead ofpassword_hash() - Untrusted data passed to
unserialize() - PHP 8.2+ dynamic properties used instead of declared properties
- Errors hidden with
@or swallowed in emptycatchblocks - File uploads using client-provided names or missing MIME/size validation
Full guide: PHP Review Guide
Swift
- Force-unwrap (
!) ortry!where safe unwrapping is possible - Closure capturing
selfstrongly without[weak self](retain cycle) - Reference type (
class) used where a value type (struct) is intended - Errors swallowed instead of propagated via
throws/Result - Data race across concurrency boundaries (missing
Sendable,@MainActor, actor isolation) - Fire-and-forget
Task {}that is never cancelled or leaks @ObservedObjectused where@StateObjectis required for ownership- Implicitly unwrapped optional (
var x: T!) outside IBOutlets - Over-broad access control (
public/openwhereinternalsuffices)
Full guide: Swift Review Guide
C
- Pointer/buffer overflow or underflow
- Undefined behavior (use-after-free, double-free, null deref)
- Missing error handling after allocation (
malloccan returnNULL) - Integer overflow in size calculations
- Resource leaks (missing
free,fclose, etc.) - Missing
staticon file-local functions/variables
Full guide: C Review Guide
C++
- Missing RAII wrapper for resources
- Violating Rule of 0/3/5 (destructor, copy, move)
- Exception safety issues (no
noexceptwhere applicable) - Dangling references from returned iterators or references
- Unnecessary copies (missing
std::moveor pass-by-reference)
Full guide: C++ Review Guide
SQL
- String concatenation for queries (SQL injection risk) — use parameterized queries
- Missing indexes on filtered/joined columns
SELECT *instead of specific columns- N+1 query patterns
- Missing
LIMITon large tables - Not handling
NULLcomparisons correctly (IS NULLvs= NULL) - Missing transactions for related operations
- Incorrect JOIN types
- Collation / case sensitivity surprises across databases (MySQL vs Postgres defaults)
- Date and timezone handling errors (naive timestamps, server-local
NOW(), DST)
See also: Security Review Guide for SQL injection prevention
API Design
- Inconsistent resource naming
- Wrong HTTP methods (POST for idempotent operations)
- Missing pagination for list endpoints
- Incorrect status codes
- Missing rate limiting
- Missing input validation and sanitization
- Trusting client-side validation only
Testing
- Testing implementation details instead of behavior
- Missing edge case tests
- Flaky tests (non-deterministic)
- Tests with external dependencies (no mocks)
- Missing negative tests (error cases)
- Overly complex test setup