ThreadSafe

Last updated
ThreadSafe
ThreadSafe for Eclipse screenshot.png
ThreadSafe for Eclipse
Developer(s) Contemplate
Stable release
1.3 / March 28, 2014;5 years ago (2014-03-28)
Operating system Cross-platform: Linux, OS X, Windows
Type Static code analysis
License Proprietary software
Website www.contemplateltd.com/threadsafe

ThreadSafe is a source code analysis tool that identifies application risks and security vulnerabilities associated with concurrency in Java code bases, using whole-program interprocedural analysis. [1] [2] [3] [4] ThreadSafe is used to identify and avoid software failures in concurrent applications running in complex environments. [1] [2] [5] [6]

Contents

Features

ThreadSafe detects Java concurrency defects: [2] [3] [4]

ThreadSafe is integrated with the Eclipse software development environment and with the SonarQube software quality management platform. Contextual information is provided within the development environment to assist the developer with the investigation and resolution of concurrency issues, directly in the code. [2] [3] [4] A command-line version is available for users of IDEs other than Eclipse and for build process integration.

Checking adherence to standards

ThreadSafe detects violations of the concurrency-related rules in the CERT Oracle Secure Coding Standard for Java. [8]

See also

Related Research Articles

Thread safety is a computer programming concept applicable to multi-threaded code. Thread-safe code only manipulates shared data structures in a manner that ensures that all threads behave properly and fulfill their design specifications without unintended interaction. There are various strategies for making thread-safe data structures.

In software engineering, double-checked locking is a software design pattern used to reduce the overhead of acquiring a lock by testing the locking criterion before acquiring the lock. Locking occurs only if the locking criterion check indicates that locking is required.

In computer science, a lock or mutex is a synchronization mechanism for enforcing limits on access to a resource in an environment where there are many threads of execution. A lock is designed to enforce a mutual exclusion concurrency control policy.

Race condition type of software defect

A race condition or race hazard is the condition of an electronics, software, or other system where the system's substantive behavior is dependent on the sequence or timing of other uncontrollable events. It becomes a bug when one or more of the possible behaviors is undesirable.

Java Pathfinder (JPF) is a system to verify executable Java bytecode programs. JPF was developed at the NASA Ames Research Center and open sourced in 2005. The acronym JPF is not to be confused with the unrelated Java Plugin Framework project.

In computer science and engineering, transactional memory attempts to simplify concurrent programming by allowing a group of load and store instructions to execute in an atomic way. It is a concurrency control mechanism analogous to database transactions for controlling access to shared memory in concurrent computing. Transactional memory systems provide high-level abstraction as an alternative to low-level thread synchronization. This abstraction allows for coordination between concurrent reads and writes of shared data in parallel systems.

Dynamic program analysis is the analysis of computer software that is performed by executing programs on a real or virtual processor. For dynamic program analysis to be effective, the target program must be executed with sufficient test inputs to cover almost all possible outputs. Use of software testing measures such as code coverage helps ensure that an adequate slice of the program's set of possible behaviors has been observed. Also, care must be taken to minimize the effect that instrumentation has on the execution of the target program. Dynamic analysis is in contrast to static program analysis. Unit tests, integration tests, system tests and acceptance tests use dynamic testing.

In software engineering, the initialization-on-demand holder idiom is a lazy-loaded singleton. In all versions of Java, the idiom enables a safe, highly concurrent lazy initialization of static fields with good performance.

The Java programming language and the Java virtual machine (JVM) have been designed to support concurrent programming, and all execution takes place in the context of threads. Objects and resources can be accessed by many separate threads; each thread has its own path of execution but can potentially access any object in the program. The programmer must ensure read and write access to objects is properly coordinated between threads. Thread synchronization ensures that objects are modified by only one thread at a time and that threads are prevented from accessing partially updated objects during modification by another thread. The Java language has built-in constructs to support this coordination.

FindBugs

FindBugs is an open-source static code analyser created by Bill Pugh and David Hovemeyer which detects possible bugs in Java programs. Potential errors are classified in four ranks: (i) scariest, (ii) scary, (iii) troubling and (iv) of concern. This is a hint to the developer about their possible impact or severity. FindBugs operates on Java bytecode, rather than source code. The software is distributed as a stand-alone GUI application. There are also plug-ins available for Eclipse, NetBeans, IntelliJ IDEA, Gradle, Hudson, Maven, Bamboo and Jenkins.

Parasoft is an independent software vendor specializing in automated software testing and application security with headquarters in Monrovia, California. It was founded in 1987 by four graduates of the California Institute of Technology who planned to commercialize the parallel computing software tools they had been working on for the Caltech Cosmic Cube, which was the first working hypercube computer built.

Imagix 4D is a source code analysis tool from Imagix Corporation, used primarily for understanding, documenting, and evolving existing C, C++ and Java software.

Astrée is a static analyzer based on abstract interpretation. It analyzes programs written in the C programming language and outputs an exhaustive list of possible runtime errors and assertion violations. The defect classes covered include divisions by zero, buffer overflows, dereferences of null or dangling pointers, data races, deadlocks, etc. Astrée includes a static taint checker and helps finding cybersecurity vulnerabilities, such as Spectre.

High performance computing applications run on massively parallel supercomputers consist of concurrent programs designed using multi-threaded, multi-process models. The applications may consist of various constructs with varying degree of parallelism. Although high performance concurrent programs use similar design patterns, models and principles as that of sequential programs, unlike sequential programs, they typically demonstrate non-deterministic behavior. The probability of bugs increases with the number of interactions between the various parallel constructs. Race conditions, data races, deadlocks, missed signals and live lock are common error types.

ECLAIR is a commercial static code analysis tool developed by BUGSENG, LLC for automatic analysis, verification, testing and transformation of C and C++ programs.

Research and literature on concurrency testing and concurrent testing typically focuses on testing software and systems that use concurrent computing. The purpose is, as with most software testing, to understand the behaviour and performance of a software system that uses concurrent computing, particularly assessing the stability of a system or application during normal activity.

The Java programming language's Java Collections Framework version 1.5 and later defines and implements the original regular single-threaded Maps, and also new thread-safe Maps implementing the java.util.concurrent.ConcurrentMapinterface among other concurrent interfaces. In Java 1.6, the java.util.NavigableMap interface was added, extending java.util.SortedMap, and the java.util.concurrent.ConcurrentNavigableMap interface was added as a subinterface combination.

References

  1. 1 2 Grazi, Victor (August 28, 2013). "ThreadSafe Concurrency Static Analysis Tool Announces First Public Release". InfoQ.com.
  2. 1 2 3 4 Taft, Darryl (September 4, 2013). "Contemplate Delivers ThreadSafe Java Concurrency Static Analysis Tool". DevX.com.
  3. 1 2 3 Atkey, Robert (January 14, 2014). "Discover and Diagnose Java Concurrency Problems Using Contemplate's ThreadSafe". InfoQ.com.
  4. 1 2 3 Atkey, Robert; Sannella, Donald (2015). "ThreadSafe: Static Analysis for Java Concurrency". Electronic Communications of the EASST. 72. doi:10.14279/tuj.eceasst.72.1025.995.
  5. Roy, Ritobaan (May 1, 2013). "Software Errors: New Technology Briefing For CFOs". CFO Insight. Archived from the original on October 14, 2013. It claims to have developed technology [refers to ThreadSafe, as explained in caption of image, missing from archived version] that can identify errors in software code that don't pop up regularly enough to be detected by conventional tools.
  6. Rubens, Paul (March 12, 2014). "Why Software Testing Can't Save You From IT Disasters". Reference to ThreadSafe on page 2. CIO.com.
  7. Raible, Matt (June 26, 2014). "Contemplate ThreadSafe Introduces Deadlock Detection". InfoQ.com.
  8. "SEI CERT Oracle Coding Standard for Java". Software Engineering Institute, Carnegie Mellon University. Retrieved March 18, 2016.