ThreadSafe identifies application risks and security vulnerabilities associated with concurrency problems in Java code. The technology was previously only available to selected customers. However, version 1.2 adds new features and opens the technology to a wide range of end users, the company said.
“Our latest release is a significant milestone for ThreadSafe,” Contemplate CEO Derick James, said in a statement. “The deep analysis capability in our previous releases is being recognized as a key tool in removing application risk. With our latest release, we have added further powerful investigation support to help the users understand often subtle and complex code issues. Customer feedback has been hugely positive about the increased ability to pinpoint flaws in their code.”
According to the U.S. National Institute of Standards and Technology (NIST) , software defects cost the U.S. economy $60 billion annually. Programming correctly with concurrency is a major challenge. Even the most experienced programmers find it difficult. Some of the most high-profile software failures in the last few years have been due to concurrency errors. Yet using concurrency is essential to exploit modern multi-core architectures, James said.
ThreadSafe uses advanced static analysis to find potential issues in code. Static analysis, which is analysis of computer software that is performed without actually executing programs, is an essential technique to harness the complexity of concurrent code because it is impossible to test every pattern of concurrent thread execution and every data value. Potential issues in code can be discovered without running the code. Problems that might only be seen in deployment can be eliminated much earlier and more cheaply.
However, identifying problems is only half of the story. ThreadSafe includes unique explanation and debugging aids that enable programmers to find the root cause of problems. For example, ThreadSafe’s Accesses View shows how locks are used in a program, allowing a developer to easily navigate between regions and find the calling contexts where locks are acquired.
ThreadSafe also has an understanding of libraries and frameworks that have concurrent behavior and multiple code entry points, including the standard
java.util.concurrentlibrary. Using good frameworks can help build safe concurrent applications, but it is still possible to make fundamental mistakes, James said. ThreadSafe detects many buggy uses of concurrent collections classes, for example, he said.
ThreadSafe 1.2 is integrated into the Eclipse integrated development environment (IDE), to allow developers to interact with the tool directly while coding. It can also be run via an integration into the SonarQube code quality platform. ThreadSafe 1.2 runs on Windows, Linux and OS X.
ThreadSafe identifies application risks and security vulnerabilities associated with concurrency problems in Java code, such as:
- Race conditions that lead to incorrect or unpredictable behavior that is difficult to reproduce in a debugger
- Deadlocks caused by circular waits between threads waiting for shared resources
- Unpredictable results caused by incorrect handling of concurrent collections, bad error handling, or mixed object synchronization
- Performance bottlenecks caused by incorrect API usage, redundant synchronization and unnecessary use of a shared mutable state.
Most current static analysis tools are general purpose and catch a range of surface-level problems, Contemplate officials said. However, ThreadSafe uses deeper analysis technology, tailored toward very precise identification of concurrency problems, the company said. ThreadSafe finds concurrency problems that are missed by other static analysis tools and achieves a manageably low false-positive rate. For findings that require close inspection, the explanation aids allow the developer to efficiently investigate and annotate for future reference.
Contemplate also works with clients to provide additional custom analysis and framework support for particular projects and organizations. For example, ThreadSafe has been used on large Java projects in some of the major investment banks. Examining millions of lines of code automatically, ThreadSafe helped reduce latent risks by finding hidden concurrency faults in trading applications.
Contemplate, based in Edinburgh, is a spin-out company from the University of Edinburgh. Don Sannella, founder and chief technology officer at Contemplate, has been a professor of computer science in Edinburgh University’s School of Informatics since 1998. Sannella, whose academic career spans 30 years, became involved in Contemplate while leading the research project that led to its formation, and is co-founding director and CTO.