I love how there's a team of literal wizards out there somewhere speaking ancient runic languages who have the power to delete the internet if they get a rune wrong.

It sounds like an old engineer added the buffer to avoid a leak, but didn't leave notes on it

Cloudflare deserves some more credit for how transparent they were about the issue

one thing my father always told me about iterators: "NEVER check index == end. ALWAYS check index >= end. You should never assume that your iterator is consistent and never skips over any values."

As a dev, I'm not sure if I'm comforted because this stuff can even happen to a company like CloudFlare, or horrified for exactly that reason.

The more you learn of the Internet and its overall supporting structure, the more you'll realize how fragile it really is and how terrifyingly easy it is to make it crumble.

There are three hard problems in computing: cache invalidation, naming things, bounds checking, and hunter2.

The title was intriguing and video was so interesting that I didn't even notice that video has 54 views from such small channel with 157 subs. Good job :D

You managed to make a overly technical topic very interesting instead of boring! Never saw anything like that before.

So it was the time honored, decades old combination of: - working with naked pointers - not checking if you reached the end - foolishly trusting that input from a network source _isn't_ garbage Calling it "Cloudbleed" is fitting, as Heartbleed had all of those as well :)

This also shows a different common issue with loops, where the exit clause is an equal value. Sure, you might expect the incremented value to eventually always reach the desired value, but the safer thing to do in this case is check if it's higher or equal. I would likely write it as less than, but depends a bit on what the surrounding code looks like.

I didn't really think a HTML/XML parser was _that_ hard to implement, but i never even thought that it basically is just a giant state machine, where different characters can change the entire state in many different ways, and managing that is nightmare inducing

Your presentation and use of case studies to make something as mundane as reviewing code somehow made for a downright entertaining watch. Subscribed!

This is the reason why I always do >= than just == comparison, you never know when an accidental off by one error might occur

An empty buffer as a terminator of a buffer filled with null terminated strings is common enough pattern to be named: double null terminated buffers. But it's also weird enough that even when its used it's often not consistently produced or consumed.

Now, this was _very_ instructive, and, to this old hand who committed every imaginable blunder under the sun, very relatable. Thank you!

This is a really great video. It explains the situation really well and easy to understand. I also massively appreciate how you put footnotes in the description.

I finished watching the video and thought that you would have at least 100k subs. Keep making great content and you will definitely go far!

If you’re ever waiting for something to increment until it equals a value, it doesn’t hurt to have an “else > value” block that throws an error to let you know something went wrong

This channel is so underated omg I can't even believe that a small channel can produce so much quality content, keep going bro, you're going long ways ❤

As a QA software dev, my job is to write the program that runs our automated tests as well as hunt down bugs in the code the regular QA guys find. Kudos for making an entertaining video out of a bug hunt. I have had some looooong hunts. Requiring a very specific type of bad input is really hard to figure out, I often end up stepping through the debugger trying to think of if any of the possible branches would fubar me.

I've been on KZbin since it was Google video and I've never seen a video description like yours, good stuff, this video presentation goes tough as nails, I salute

Well done, Kevin. This was extremely well made. Loved it!

This video and channel deserves so much more recognition. I'm almost halfway through the video and it's so well put together. Good wishes and I cannot wait to see you get the views you deserve for the effort put in. ♥♥♥♥

Kudos for isolating and fixing the problem successfully in short order. Really like the video, well made and fun to watch.

New favorite channel; love the high BPM background music, visuals, concise yet detailed explanation, overall format/structure, the Michael Bay explosions every 5 seconds, etc.

8:09 the humor in this little animation is simply sublime. Made me giggle while watching at 1 am

I really appreciate how this guy has all his assumptions, corrections, etc, in the vid description.

Kevin! Just stumbled on this video and was watching until 5:00 before noticing that your channel is tiny. How are you this good at this humble size! Big ups to you my man. Thanks for the content

This is where documentation becomes important. If the developer who implemented the empty buffer had explained why they needed it, maybe this wouldn't have happened or at the very least they could have figured out a way to circumvent the problem when they were first rewriting the HTML parser.

this aged well

I was super surprised when I saw that you didn't have atleast 100k subscribers because of how high quality this video is. Great job!

I always feel uncomfortable seeing/doing something like p == pe to check if the end has been reached, interesting seeing those fears validated. I always do p >= pe, and add assert(p

I've been looking for videos like this. Tech/software story telling. I loved your delivery, hope to see more from you. Subscribed!

TLDR: Buffer overrun in some legacy parser.

"debugging and rethinking life" im going to start using that

Got this in my feed with only 20 views. Usually I always skip those, but I gave it a chance. Great quality on the video, don’t think you’ll not be big one day.

I speak english. I did not understand a single word in this video. I watched the whole thing anyway.

This video was super good and well-made! I don't know how to describe it, but it just felt good to watch. The visuals were just so satisfying, and I especially liked 6:51. I also really appreciate the sources, assumptions, and corrections in the description! Many big KZbinrs don't cite anything and go by the philosophy of "well you shouldn't trust me entirely anyways so it's not my fault if I misinform you." Subscribed and liked, great video!

The extra buffer at the end feels like a band-aid fix that never got documented

This form of content has great potential for your channel. good work

Had some code break once after an update. It was the update that exposed an old bug that hadnt been caught. I can see how things like this happen.

wtf lol i clicked on this and watched it the whole way thru thinking it was from some big tech channel but it only has 984 views. lol good vid bro

I work on systems that address network vulnerabilities for AWS, and you did a good job here.

I just found your channel, must say I am impressed and like the content. I have a CS and Mathematics degree, and most channels don't give a deep enough dive or are just too cornflakes with water dull to pay attention. Thanks for the content

very entertaining and educational! your combination of humor and narration is great

I got recommended this video, first time I've seen your channel and I gotta say I enjoyed this video. I'm now subscribed 👍

A buffer overflow because of memory unsafe languages like C??? I’m shocked! I can’t believe it!

Such informative video! It's easy to follow and it taught me to value backwards compatibility more. I hope you get more views! Also kinda surprised to see Mr. Affable there

How did I not know of this channel before? Great video dude

I have never been more proud to know that as a c++ dev I will always be needed because legacy moon runes written 30 years ago will inevitably fail when some obscure pointer spills over into undefined memory.

You just popped up in my recommendations! Great video!

Wow. I can't imagine the time it must have taken to make this video. Well done.

wonderful production quality from such a small channel keep it up man

well, this aged well

Dude I work in CDN and you explained everything perfectly, great work!

I had a stupid bug last month, that heavily degraded performance, also happened Friday night. I had added a new caching solution some years back (one I wrote), and after 1,5 years flawless performance, I added more usage. This tipped the scales, and the caching storage was exhausted. I then remembered I forgot to add a flush of storage in this case, so it got full and all new requests failed. I quickly added a flush, only a few hours later, but this was only a bandaid; it'll fill, flush, fill. So after some quick sleep with a fever from the flu that I had, I realized the cause (it was added to something unique, causing every call to create a cache with no hits, at 1+ mil transactions per second), so I deleted the caching at this point and it flowed again, phew. Cause? A design change. The caching point WAS a good non-unique place for 6 months in development, but during bug testing, someone altered it, so it became unique. And I had already done the tests for performance at scale, so it just wasn't noticed 😬 Luckily it was hardly noticed by anyone, but it could have been truly terrible. I work in a bank, and the finance engines was grinding to a halt. A process that runs some critical financing was still running after having used 16+ hours! After my hotfix, we terminated it and restarted, and it took 2 minutes (as it should) 😳 If I wasn't sick with a fever, I could likely have reacted faster, but thinking in that condition was as slow as a caching bottleneck 😂

"why was an empty buffer added? No reason" I can almost guarantee that was a developer that thought "someone will inevitably do something dumb. Lets make sure there's nothing beyond the last buffer"... and the developer that removed it thought "this system must be perfect - no overhead. It's not like anyone's going to try read beyond the last buffer".

Great video! The silly sound effects were beautiful; they're what I imagine in my head when doing my own programming :)

Thank you for adding the credits, you are the best!

I've learned to add a >= instead of == even if you always expect the pointer to never get past the target, cuz you never know, right? This could've prevented this from happening as well

This video is amazing! You deserve much more popularity.

The only problem I see with this, is how the f, didn't they have 100% test coverage, with something this important, if they had proper test use cases, they would instantly catch an issue, with the new parser implementation. It's insane that this important digital companies don't do the most basic coding practices, it's just mind boggling to me.

1.4k... I expected this channel to have at least 100k. Great video man, you're making it into the algorithm!

Which is why when having range checks you should not test for equality but equal or greater/less, that way a one off error can only catch one extra char. Yes it will cost performance, but if that is unacceptable, you need to have much better understanding. The extra empty buffer seems in my opinion as a big red flag, if its explicitly added and not just a result of an one off error it probably served a purpose and should be thoroughly documented, or refactored/re-engineered into something less obfuscated. This is why I always encourage curiosity and ask all new devs to make sure to question any code they do not understand, if a more experiences dev cannot explain it in an understandable way its probably wrong, or at least bad code that should be rewritten :)

awesome research work dude!!!

10:20 Usually, if some code looks dumb, or inefficient, it’s because some software engineer before you working to a deadline had to get something out fast, not clean- and there’s probably a good reason for that “empty buffer” 😂

this style of video is great. you should do more of this

8:54 and that's why >= or

I love your editing style. nice vid!

This is kinda like a crime doc but for software engineering and I'd gladly watch much more

I love how you synced up some of the animations with the beat

0:31 oh shit I remember reading that tweet and thinking:"well someone's about to have a shitty day"

This channel is awesome, man. Props. You deserve far more subs.

Absolutely incredible video. Thank you.

Got this in my algorithm, and really liked the video and the way it was narrated! :)

This is very common for how memory bugs occur in software. One programmer makes an assumption as to how the memory works, and writes their code accordingly, then some other programmer changes some other piece of code that makes it so those assumptions no longer hold, and voila, you have a bug.

great sound quality and recording. already better than most other channels

I used to have a website, full of scripts that were poorly coded by me. It was full of unfinished tags i.e. those that weren't closed properly. It could have caused the whole internet to collapse if my website was visited by a lot of people

For a moment, I thought this was the voice of Fireship. Then I remembered Fireship narrates extremely fast. Awesome content.

>= is always better than == when dealing with loops

holy shit bro this vid is so good i thought you had like 100k subs but only 6k? damn you deserve some recognition

10:50 That's horrifying.

Congrats on 4k subs, great video!

I was so confused when i heard the Discord ping sfx lmao

The inclusion of the empty buffer at the end of the previous version sounds like a hack fix that someone forgot about.

This is a fantastic video. Wonderful explanation that I think even someone who never saw a line of code might understand

Stumbled on this channel today, top quality content! Thanks 😄

keep making videos like this, this video was amazing, absolutely loved it.

Thank you for including the artists you used in this video.

Happened again with CrowdStrike..

Back at my college we have been told to use => or =< for buffers for exact same reason. This precise condition (++p == pe) is based on assumption that p will always be incremented by 1 and never will be incremented by 2. But actually there is possibility it will be incremented by 2 or even more. Simple use of (++p >= pe) will actually fix issue, and prevent it from happening. It reminds old exploit of buffer overflow somehow. The reason may be bugs in this or other code, sun or other radiation make bit from 0 to 1, malfunction of memory or registers, etc.

1:20 thats why I never received my parcel!

Famous last words... "I don't need to add documentation, this feature is so clear everyone will get it"

Pointers as always being the bane of coder’s existence.

Didn't expect to see Mr Affable himself in the wild like this. Great video mate.

Is that Brian McElhaney of Britanick @0:13???

Bro went from telling a simple story to nuclear launching algorithms

conclusion: writing parsers safely is confusing and difficult

I have absolutely no idea what you're talking about, but your voice is super relaxing and great background noise