5 Test Coverage Mistakes That Hide Bugs
Discover 5 common test coverage mistakes that create a false sense of security and let bugs slip through. Learn how to write tests that actually catch issues.
While I was looking over some test reports the other day, I noticed something that made my stomach drop. Our dashboard proudly displayed 98% code coverage, yet we had just shipped a critical bug to production. How could this happen?
I was once guilty of treating test coverage like a badge of honor. I'd celebrate hitting that 90% threshold, feeling confident that our code was bulletproof. Little did I know that I was making fundamental mistakes that turned my test suite into nothing more than a false sense of security.
Let me share the five coverage mistakes I've learned to avoid—and more importantly, how to write tests that actually catch bugs.
Why 100% Coverage Doesn't Mean Bug-Free Code
Here's the uncomfortable truth: you can have 100% code coverage and still ship broken software. I learned this the hard way when a "fully covered" payment processing function failed in production because we tested the wrong things.
Coverage metrics tell you which lines of code were executed during tests. They don't tell you if those tests verify correct behavior. They don't tell you if you checked edge cases. They definitely don't tell you if your tests would catch the bugs users will actually encounter.
Think of coverage like checking if a security guard walked past every door in a building. Great! But did they actually check if the doors were locked? That's the real question.
Mistake #1: Testing Implementation Details Instead of Behavior
When I finally decided to audit our test suite, I found dozens of tests that looked like this:
// ❌ Testing implementation details
describe('UserService', () => {
it('should call validateEmail method', () => {
const service = new UserService();
const spy = jest.spyOn(service, 'validateEmail');
service.createUser({ email: 'test@example.com', name: 'John' });
expect(spy).toHaveBeenCalled();
});
it('should call saveToDatabase method', () => {
const service = new UserService();
const spy = jest.spyOn(service, 'saveToDatabase');
service.createUser({ email: 'test@example.com', name: 'John' });
expect(spy).toHaveBeenCalled();
});
});These tests gave us coverage, but they were worthless. They broke every time we refactored internal methods, even when the external behavior stayed correct. Worse, they passed even when the actual user creation logic was broken.
The fix? Test behavior, not implementation:
// ✅ Testing behavior
describe('UserService', () => {
it('should reject invalid email addresses', async () => {
const service = new UserService();
await expect(
service.createUser({ email: 'not-an-email', name: 'John' })
).rejects.toThrow('Invalid email address');
});
it('should create user with normalized email', async () => {
const service = new UserService();
const db = new MockDatabase();
await service.createUser({
email: 'Test@Example.COM',
name: 'John'
});
const savedUser = await db.findByEmail('test@example.com');
expect(savedUser).toBeDefined();
expect(savedUser.name).toBe('John');
});
});This approach tests what users care about: does the function work correctly? Not how it works internally.
Mistake #2: Ignoring Edge Cases and Boundary Conditions
I cannot stress this enough! Most bugs hide in edge cases, yet most developers (including my past self) only test the happy path.
Consider this seemingly simple validation function:
function isValidAge(age: number): boolean {
if (age >= 18 && age <= 120) {
return true;
}
return false;
}
// ❌ Lazy test that only checks the happy path
describe('isValidAge', () => {
it('should return true for valid age', () => {
expect(isValidAge(25)).toBe(true);
});
it('should return false for invalid age', () => {
expect(isValidAge(10)).toBe(false);
});
});This achieves 100% line coverage. Wonderful! But it doesn't test the boundaries where bugs actually live. What about exactly 18? What about 17? What about negative numbers? What about decimals?
In other words, we're testing that the function exists and runs, not that it's correct.
Here's how I learned to think about edge cases:
// ✅ Comprehensive edge case testing
describe('isValidAge', () => {
it('should accept exactly 18', () => {
expect(isValidAge(18)).toBe(true);
});
it('should reject 17', () => {
expect(isValidAge(17)).toBe(false);
});
it('should accept exactly 120', () => {
expect(isValidAge(120)).toBe(true);
});
it('should reject 121', () => {
expect(isValidAge(121)).toBe(false);
});
it('should reject negative ages', () => {
expect(isValidAge(-1)).toBe(false);
});
it('should reject decimal ages', () => {
expect(isValidAge(17.9)).toBe(false);
});
it('should reject NaN', () => {
expect(isValidAge(NaN)).toBe(false);
});
});Same coverage percentage, but now we're actually validating correctness at the boundaries where bugs occur.
Mistake #3: Missing Integration Points Between Covered Units
While looking through our codebase recently, I came across a fascinating bug. Both components had 100% coverage individually, but they failed when connected. This is the integration gap.
You might have perfect unit tests for function A and function B, but what happens when A calls B with unexpected data? What if B depends on A's side effects? Your coverage report won't show this gap.
// Both functions have 100% coverage individually
function calculateDiscount(price, discountPercent) {
return price * (discountPercent / 100);
}
function applyDiscount(item) {
const discount = calculateDiscount(item.price, item.discountPercent);
return item.price - discount;
}
// ❌ Unit tests that miss integration issues
describe('calculateDiscount', () => {
it('should calculate discount correctly', () => {
expect(calculateDiscount(100, 20)).toBe(20);
});
});
describe('applyDiscount', () => {
it('should apply discount to item', () => {
const item = { price: 100, discountPercent: 20 };
expect(applyDiscount(item)).toBe(80);
});
});The bug? When discountPercent is undefined, calculateDiscount returns NaN, but our tests never caught this because we tested the happy path in isolation.
Luckily we can add integration tests:
// ✅ Integration test that catches the real bug
describe('Discount system integration', () => {
it('should handle missing discount gracefully', () => {
const item = { price: 100 }; // discountPercent is undefined
expect(applyDiscount(item)).toBe(100);
});
it('should handle zero discount', () => {
const item = { price: 100, discountPercent: 0 };
expect(applyDiscount(item)).toBe(100);
});
it('should handle invalid discount values', () => {
const item = { price: 100, discountPercent: 'invalid' };
expect(() => applyDiscount(item)).toThrow();
});
});Coverage metrics don't show these gaps. You need to think about how your units interact in real scenarios.
Mistake #4: Using Coverage as a Success Metric Instead of Quality Indicator
I realized this mistake when our team started gaming the system. Developers would add meaningless tests just to bump coverage numbers. Tests like "should create instance" or "should have a render method" that verified nothing useful.
Coverage is a tool, not a goal. It shows you what code isn't tested, which is valuable information. But hitting a coverage target doesn't mean your tests are good.
Think of it like going to the gym. You could do 100 bicep curls with 2-pound weights and say you exercised. But did you actually get stronger? Coverage without quality is exactly that—motion without progress.
Instead of asking "Did we hit 90% coverage?", I started asking:
- Would these tests catch the bugs users reported last month?
- If I change this function's behavior, will the tests tell me?
- Do these tests document how the system should behave?
When you shift your mindset from hitting metrics to preventing bugs, your tests become exponentially more valuable.
Mistake #5: Shallow Assertions That Pass Without Validating Correctness
This was perhaps my biggest blindspot. I'd write tests that executed code and made basic assertions, completely missing whether the code actually did the right thing.
// ❌ Shallow assertion that misses bugs
describe('formatUserData', () => {
it('should format user data', () => {
const input = { firstName: 'john', lastName: 'doe', email: 'JOHN@EXAMPLE.COM' };
const result = formatUserData(input);
expect(result).toBeDefined();
expect(typeof result).toBe('object');
});
});This test gives coverage but validates almost nothing. The function could return an empty object and this test would pass. I was once guilty of writing dozens of these "smoke tests" thinking they protected me.
Here's what meaningful assertions look like:
// ✅ Deep assertions that validate correctness
describe('formatUserData', () => {
it('should properly format all user fields', () => {
const input = {
firstName: 'john',
lastName: 'doe',
email: 'JOHN@EXAMPLE.COM'
};
const result = formatUserData(input);
expect(result.firstName).toBe('John');
expect(result.lastName).toBe('Doe');
expect(result.email).toBe('john@example.com');
expect(result.fullName).toBe('John Doe');
});
it('should handle missing optional fields', () => {
const input = {
firstName: 'john',
lastName: 'doe'
};
const result = formatUserData(input);
expect(result.email).toBeUndefined();
expect(result.fullName).toBe('John Doe');
});
it('should throw on missing required fields', () => {
const input = { firstName: 'john' };
expect(() => formatUserData(input)).toThrow('lastName is required');
});
});Each assertion validates specific behavior. If any of these expectations break, we know exactly what went wrong.
Building a Coverage Strategy That Actually Catches Bugs
After learning these lessons, I developed a practical approach that focuses on bug prevention:
First, I write tests for the critical paths—the code that handles money, user data, or security. These get comprehensive testing regardless of coverage percentages.
Second, I use coverage reports to find untested code, then ask: "Why isn't this tested?" Sometimes it's dead code that should be removed. Sometimes it's a genuine gap that needs tests.
Third, I focus on testing scenarios, not lines of code. I think about how users will interact with the system and write tests that verify those interactions work correctly.
Fourth, I review test quality during code reviews, not just coverage numbers. A test that validates behavior is worth ten tests that just execute code.
Finally, when bugs do slip through (and they will), I write a test that reproduces the bug before fixing it. This ensures that specific bug can never return unnoticed.
Moving Beyond Coverage Metrics to True Test Quality
The ROI on improving test quality is enormous. You spend less time debugging production issues. Refactoring becomes safe instead of terrifying. New team members can understand system behavior by reading tests.
But you won't get there by chasing coverage numbers. You get there by asking better questions: Does this test validate correct behavior? Would it catch real bugs? Does it test the scenarios users actually encounter?
I came to realize that test coverage is like spell check—it catches obvious mistakes but doesn't make you a better writer. True test quality comes from thinking critically about what could go wrong and writing tests that would catch those failures.
When you shift your focus from "What percentage of lines did we execute?" to "What bugs would these tests catch?", your entire testing strategy transforms. You write fewer tests, but they're infinitely more valuable.
And that concludes the end of this post! I hope you found this valuable and look out for more in the future!