Skip to main content
Back to Library
the invisible-layer how abstraction is making software engineers dumber

The Debugging Crisis

11 min read Chapter 29 of 56
Summary

Examines why debugging skill has deteriorated despite increased...

Examines why debugging skill has deteriorated despite increased time spent debugging, contrasts symptom-chasing with root-cause analysis through a concrete production incident, and maps the debugging intuition pipeline from broad knowledge to targeted investigation.

The Debugging Crisis

A 2023 study by Stripe estimated that the average software engineer spends 42% of their working time debugging and maintaining existing code. GitClear’s analysis of commit data across millions of repositories found that “churn” — code rewritten within two weeks of being written — increased by 39% between 2020 and 2023. Engineers are spending more time debugging than at any point in the profession’s history.

And they’re getting worse at it.

That’s the paradox. We have more debugging tools than ever — distributed tracing, structured logging, APM dashboards, error tracking services, AI-powered log analysis. Yet the median time to resolve production incidents has increased, not decreased. The 2024 State of DevOps report found that elite teams resolve incidents faster than ever, but the gap between elite and average teams has widened dramatically. The average team’s mean-time-to-resolution increased by 22% over five years.

The tools improved. The engineers didn’t. And the reason is that we’ve confused debugging activity with debugging skill.

Two Engineers, One Error

It’s 2:47 AM. PagerDuty fires. The checkout service is returning HTTP 500 errors at a rate of 12% — enough to trigger the alert threshold. Two engineers respond.

Engineer A opens the error tracking dashboard. The exception is ConnectionResetError: [Errno 104] Connection reset by peer, thrown from the payment processing client. They Google the error. Stack Overflow says to add retry logic with exponential backoff. They check — the payment client already has retries configured, but the retry count is set to 2. They bump it to 5, add a longer backoff window, deploy. Error rate drops to 3%. They mark the incident as resolved, add a note: “Increased retry count on payment client to handle transient connection failures.” They go back to sleep.

Engineer B opens the same dashboard. Same error: ConnectionResetError: [Errno 104] Connection reset by peer. But before reaching for a fix, they ask a different question: Why is the payment service resetting connections?

They SSH into a checkout service instance and run:

ss -tn state time-wait | wc -l

The number is 47,312. That’s a lot of TIME_WAIT sockets. They check the payment service:

ss -tn dst :8443 | head -20

Every connection to the payment service is being opened and closed per request — no connection pooling. They check the payment service’s connection limits:

cat /proc/sys/net/core/somaxconn

It reads 128. The default. The checkout service is hammering the payment service with new connections, the payment service’s accept queue is overflowing, and the kernel is resetting connections that can’t be accepted.

Engineer B doesn’t increase retries. They configure the HTTP client to use connection pooling with a pool size of 50, increase somaxconn to 4096 on the payment service, and deploy. Error rate drops to 0.01%. It stays there.

Engineer A’s fix masked the problem. The retries absorbed the connection resets, adding latency (each retry adds 200-400ms) and increasing load on the payment service (failed requests get retried 5 times instead of 2). Under Black Friday traffic, this fix would compound into a cascading failure. Engineer B eliminated the root cause.

The difference between these two engineers isn’t talent. It’s knowledge depth. Engineer B understood TCP connection states, kernel socket buffers, and connection pooling mechanics. That knowledge didn’t come from a debugging tutorial — it came from years of understanding the layers beneath their application code.

The Debugging Intuition Pipeline

Debugging intuition looks like magic from the outside. A senior engineer glances at a log, says “check the file descriptor limit,” and they’re right. But intuition isn’t mystical. It’s a pipeline with concrete stages:

Stage 1: Broad Knowledge. You know how systems work — not every system, but the general categories. You understand that TCP has connection states, that operating systems manage memory in pages, that databases use query planners, that the JVM has garbage collection pauses. This knowledge is wide, not necessarily deep in every area.

Stage 2: Pattern Recognition. When you’ve seen a class of problem before, symptoms trigger associations. “Connection reset by peer” plus “intermittent” plus “under load” immediately suggests capacity limits — socket backlogs, file descriptor limits, connection pool exhaustion. You don’t consciously reason through this. The pattern fires automatically because you’ve encoded it from previous encounters.

Stage 3: Hypothesis Formation. From the pattern match, you form one or more hypotheses ranked by likelihood. “The accept queue is full” is a stronger hypothesis than “there’s a bug in the TLS handshake” because the first is a common failure mode under load and the second is rare. This ranking is informed by base rates — how often each failure mode occurs in practice.

Stage 4: Targeted Investigation. You test your hypothesis directly. You don’t grep through all the logs hoping something jumps out. You run ss -tn state time-wait | wc -l because you’re testing a specific prediction: if the accept queue is full, you’ll see excessive TIME_WAIT sockets. If the prediction is wrong, you move to the next hypothesis.

Now contrast this with what happens when the pipeline is missing:

Without Stage 1, symptoms are just error messages. ConnectionResetError is a string to Google, not a clue about TCP state transitions. There’s no context to interpret it in.

Without Stage 2, every bug is novel. You can’t say “this looks like X” because you’ve never internalized the categories of X. Each incident requires starting from zero.

Without Stage 3, investigation is random. You look at whatever dashboard is open, grep for whatever keyword seems relevant, try whatever fix comes up first on the internet. You might find the root cause by accident, but you have no way to prioritize where to look.

Without Stage 4, you can’t verify your fix actually addressed the cause. You changed something, the error rate went down — was it your change, or did the load decrease, or did a cron job finish, or did the auto-scaler add instances? Without targeted verification, you never know.

This pipeline is why senior engineers debug faster despite investigating fewer things. They’re not doing less work — they’re doing less wasted work.

The “Restart and Pray” Anti-Pattern

The most pervasive symptom-chase in our industry doesn’t even look like debugging. It looks like operational practice: when something goes wrong, restart the service.

Kubernetes made this the default behavior. A pod fails its liveness check? Kill it, start a new one. Memory usage climbing? OOMKill, replacement pod. Stuck process? Restart. And for availability purposes, this is correct — keeping the service running is more important than understanding why it failed, in the moment.

But “restart and resolve” have become synonymous in too many teams. The incident timeline reads: “Pod restarted at 03:14, service recovered, no further action needed.” The root cause is never investigated because the symptom — service unavailability — was eliminated.

Meanwhile, the underlying bug continues:

  • The memory leak grows 50MB per hour, so pods get OOMKilled every 8 hours. Nobody notices because Kubernetes replaces them silently.
  • The database connection pool leak closes and reopens connections in a pattern that works for 6 hours, then degrades for 20 minutes, then works again after the pod restarts. The team calls this “known flakiness.”
  • A goroutine leak spawns 10,000 goroutines per day, each holding a small amount of memory and a file descriptor. The pod restarts nightly from OOM, the leaked goroutines never complete their work, and data is silently lost.

Every one of these is a real bug I’ve seen in production systems that ran for months or years because restarts kept the symptoms below the pain threshold.

The restart-and-pray anti-pattern is the natural endpoint of abstraction without understanding. If you treat every layer below your application as opaque, then you have exactly one remediation tool: make the opaque layer start over. When your car makes a funny noise, you don’t turn the engine off and on — but that’s because you accept that cars have internal mechanisms that matter.

What Observability Can’t Tell You

Modern observability stacks — Datadog, Grafana, Honeycomb, New Relic — are genuinely impressive. Distributed traces that follow a request across fifteen services. Log aggregation that searches terabytes in seconds. Custom metrics on anything you can instrument.

But they share a fundamental limitation: they can only show you what you asked them to measure.

If you didn’t instrument connection pool utilization, your dashboards won’t show connection pool exhaustion. If you didn’t add a timer around the JSON serialization step, your traces won’t reveal that 60% of your response time is spent converting objects to JSON. If your logs don’t include the query execution plan, you won’t see the full table scan that’s eating your database.

Observability is a flashlight. It illuminates exactly where you point it. If you don’t know that TCP accept queues exist, you’ll never point the flashlight at somaxconn. If you don’t know that garbage collection has stop-the-world pauses, you’ll never correlate your latency spikes with GC logs.

This is why observability amplifies understanding but doesn’t create it. An engineer who understands memory management will instrument heap utilization, GC pause duration, allocation rate, and object tenuring — because they know these are the variables that matter. An engineer who only knows “memory” as a Resource Limit in Kubernetes will set a limit of 2GB, get OOMKilled at 2GB, increase it to 4GB, and wonder why costs doubled.

The Tools That Go Deeper

When dashboards run out of answers, you need tools that interrogate the system directly. These aren’t exotic — they ship with every Linux distribution. But most engineers have never used them:

strace — traces system calls made by a process. When your application hangs, strace -p <pid> -e trace=network tells you exactly which network call it’s stuck on. Not what your logs say it’s doing, not what your trace says it’s doing — what it’s actually doing.

strace -p 12345 -e trace=read,write,connect -T

The -T flag shows time spent in each syscall. When you see read(7, ...) = -1 EAGAIN repeating thousands of times, you know the socket is non-blocking and the application is busy-waiting instead of using epoll properly.

tcpdump — captures network packets. When two services disagree about what happened, the network is the source of truth:

tcpdump -i eth0 -nn port 8443 -w capture.pcap

Load that into Wireshark and you can see every TCP handshake, every retransmission, every RST packet. You can see whether the server sent a FIN or an RST, whether the TLS handshake completed, whether the keepalive timed out. No log can lie to you here.

perf — Linux’s performance profiling tool. It samples CPU activity and produces flamegraphs showing exactly where your CPU time goes:

perf record -g -p 12345 -- sleep 30
perf script | stackcollapse-perf.pl | flamegraph.pl > flame.svg

When your service uses 100% CPU and you can’t tell why from application metrics, perf shows you. It might be JSON parsing. It might be regex compilation. It might be TLS handshake overhead. You won’t know until you look.

/proc filesystem — the kernel’s window into process state. Every running process has a directory under /proc/<pid>/ with files that reveal its internal state:

cat /proc/12345/status    # Memory usage, thread count, state
cat /proc/12345/fd | wc -l   # Open file descriptor count
cat /proc/12345/smaps      # Detailed memory mapping
cat /proc/12345/io         # I/O statistics

These tools aren’t replacements for Datadog. They’re what you reach for when Datadog shows you the symptom and you need to find the cause. They operate at the layer where bugs actually live — the system call interface, the network wire, the CPU pipeline, the kernel’s view of your process.

The Knowledge Gap Is a Debugging Gap

Here’s the uncomfortable truth: every gap in your systems knowledge is a category of bug you can’t diagnose.

If you don’t understand how DNS resolution works, you can’t diagnose why your service intermittently fails to reach another service after a deployment (stale DNS cache with a TTL longer than your deployment cycle).

If you don’t understand how virtual memory works, you can’t diagnose why your application slows down gradually over hours despite having “plenty of memory” (heap fragmentation causing page faults as the allocator searches for contiguous blocks).

If you don’t understand how database query planners choose execution paths, you can’t diagnose why a query that was fast yesterday is slow today (statistics updated after a data migration changed the row distribution, causing the planner to switch from an index scan to a sequential scan).

None of these bugs produce an error message that tells you the root cause. They produce symptoms: timeouts, slowness, occasional failures. The gap between the symptom and the cause is exactly the gap in your knowledge. And no amount of retries, restarts, or dashboard-staring will close it.

The debugging crisis isn’t a tooling problem. It’s a knowledge problem. The tools are better than ever. The engineers operating them are working with a shallower understanding of the systems they’re debugging. And until that changes, we’ll keep spending 42% of our time chasing symptoms while the root causes quietly accumulate beneath the abstraction layer we’ve been told we don’t need to understand.