Your search keyword '"Stephen N. Freund"' showing total 18 results

1. V <scp>erified</scp> FT

Author

James R. Wilcox, Cormac Flanagan, and Stephen N. Freund

Subjects

010302 applied physics, Correctness, Java, business.industry, Computer science, Concurrency, Detector, 020207 software engineering, 02 engineering and technology, 01 natural sciences, Computer Graphics and Computer-Aided Design, Software, Computer engineering, 0103 physical sciences, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, business, Implementation, computer, computer.programming_language

Abstract

Dynamic data race detectors are valuable tools for testing and validating concurrent software, but to achieve good performance they are typically implemented using sophisticated concurrent algorithms. Thus, they are ironically prone to the exact same kind of concurrency bugs they are designed to detect. To address these problems, we have developed V erified FT, a clean slate redesign of the F ast T rack race detector [19]. The V erified FT analysis provides the same precision guarantee as F ast T rack , but is simpler to implement correctly and efficiently, enabling us to mechanically verify an implementation of its core algorithm using CIVL [27]. Moreover, V erified FT provides these correctness guarantees without sacrificing any performance over current state-of-the-art (but complex and unverified) F ast T rack implementations for Java.

Published

2018

2. FastTrack

Author

Stephen N. Freund and Cormac Flanagan

Subjects

Java, General Computer Science, Exploit, Vector clock, Computer science, Concurrency, Real-time computing, Program transformation, Data structure, Computer Graphics and Computer-Aided Design, Race (biology), Constant (computer programming), TheoryofComputation_LOGICSANDMEANINGSOFPROGRAMS, Representation (mathematics), computer, Time complexity, Software, computer.programming_language

Abstract

\begin{abstract} Multithreaded programs are notoriously prone to race conditions. Prior work on dynamic race detectors includes fast but imprecise race detectors that report false alarms, as well as slow but precise race detectors that never report false alarms. The latter typically use expensive vector clock operations that require time linear in the number of program threads. This paper exploits the insight that the full generality of vector clocks is unnecessary in most cases. That is, we can replace heavyweight vector clocks with an adaptive lightweight representation that, for almost all operations of the target program, requires only constant space and supports constant-time operations. This representation change significantly improves time and space performance, with no loss in precision. Experimental results on Java benchmarks including the Eclipse development environment show that our FastTrack race detector is an order of magnitude faster than a traditional vector-clock race detector, and roughly twice as fast as the high-performance DJIT+ algorithm. FastTrack is even comparable in speed to Eraser on our Java benchmarks, while never reporting false alarms.

Published

2010

3. Types for atomicity

Author

Marina Lifshin, Cormac Flanagan, Stephen N. Freund, and Shaz Qadeer

Subjects

Atomicity, Correctness, Java, Computer science, Programming language, Concurrency, Inference, Type inference, computer.software_genre, Type theory, Automatic programming, computer, Software, computer.programming_language

Abstract

Atomicity is a fundamental correctness property in multithreaded programs. A method is atomic if, for every execution, there is an equivalent serial execution in which the actions of the method are not interleaved with actions of other threads. Atomic methods are amenable to sequential reasoning, which significantly facilitates subsequent analysis and verification. This article presents a type system for specifying and verifying the atomicity of methods in multithreaded Java programs using a synthesis of Lipton's theory of reduction and type systems for race detection. The type system supports guarded, write-guarded, and unguarded fields, as well as thread-local data, parameterized classes and methods, and protected locks. We also present an algorithm for verifying atomicity via type inference. We have applied our type checker and type inference tools to a number of commonly used Java library classes and programs. These tools were able to verify the vast majority of methods in these benchmarks as atomic, indicating that atomicity is a widespread methodology for multithreaded programming. In addition, reported atomicity violations revealed some subtle errors in the synchronization disciplines of these programs.

Published

2008

4. Types for safe locking

Author

Cormac Flanagan, Martín Abadi, and Stephen N. Freund

Subjects

Source lines of code, Java, Programming language, Computer science, Type inference, Generics in Java, Static analysis, computer.software_genre, Real time Java, Operating system, Software system, computer, Java annotation, Software, computer.programming_language

Abstract

This article presents a static race-detection analysis for multithreaded shared-memory programs, focusing on the Java programming language. The analysis is based on a type system that captures many common synchronization patterns. It supports classes with internal synchronization, classes that require client-side synchronization, and thread-local classes. In order to demonstrate the effectiveness of the type system, we have implemented it in a checker and applied it to over 40,000 lines of hand-annotated Java code. We found a number of race conditions in the standard Java libraries and other test programs. The checker required fewer than 20 additional type annotations per 1,000 lines of code. This article also describes two improvements that facilitate checking much larger programs: an algorithm for annotation inference and a user interface that clarifies warnings generated by the checker. These extensions have enabled us to use the checker for identifying race conditions in large-scale software systems with up to 500,000 lines of code.

Published

2006

5. [Untitled]

Author

John C. Mitchell and Stephen N. Freund

Subjects

Java, Programming language, Computer science, strictfp, Interpreted language, Java bytecode, computer.software_genre, Bytecode, Computational Theory and Mathematics, Real time Java, Artificial Intelligence, TheoryofComputation_LOGICSANDMEANINGSOFPROGRAMS, Formal specification, Operating system, Software_PROGRAMMINGLANGUAGES, computer, Java applet, Software, computer.programming_language

Abstract

The Java Virtual Machine executes bytecode programs that may have been sent from other, possibly untrusted, locations on the network. Since the transmitted code may be written by a malicious party or corrupted during network transmission, the Java Virtual Machine contains a bytecode verifier to check the code for type errors before it is run. As illustrated by reported attacks on Java run-time systems, the verifier is essential for system security. However, no formal specification of the bytecode verifier exists in the Java Virtual Machine Specification published by Sun. In this paper, we develop such a specification in the form of a type system for a subset of the bytecode language. The subset includes classes, interfaces, constructors, methods, exceptions, and bytecode subroutines. We also present a type checking algorithm and prototype bytecode verifier implementation, and we conclude by discussing other applications of this work. For example, we show how to extend our formal system to check other program properties, such as the correct use of object locks.

Published

2003

6. A type system for object initialization in the Java bytecode language

Author

Stephen N. Freund and John C. Mitchell

Subjects

Correctness, Java, Computer science, Scala, Subroutine, Java bytecode, Software_PROGRAMMINGTECHNIQUES, computer.software_genre, Common Intermediate Language, Real time Java, Cross-platform, Java applet, computer.programming_language, Programming language, strictfp, Interpreted language, Non-blocking I/O, Generics in Java, Programming language implementation, Java concurrency, Computer Graphics and Computer-Aided Design, Bytecode, Java API for XML-based RPC, TheoryofComputation_LOGICSANDMEANINGSOFPROGRAMS, Software_PROGRAMMINGLANGUAGES, Java annotation, computer, Software, Java Modeling Language

Abstract

In the standard Java implementation, a Java language program is compiled to Java bytecode. This bytecode may be sent across the network to another site, where it is then interpreted by the Java Virtual Machine. Since bytecode may be written by hand, or corrupted during network transmission, the Java Virtual Machine contains a bytecode verifier that performs a number of consistency checks before code is interpreted. As illustrated by previous attacks on the Java Virtual Machine, these tests, which include type correctness, are critical for system security. In order to analyze existing bytecode verifiers and to understand the properties that should be verified, we develop a precise specification of statically-correct Java bytecode, in the form of a type system. Our focus in this paper is a subset of the bytecode language dealing with object creation and initialization. For this subset, we prove that for every Java bytecode program that satisfies our typing constraints, every object is initialized before it is used. The type system is easily combined with a previous system developed by Stata and Abadi for bytecode subroutines. Our analysis of subroutines and object initialization reveals a previously unpublished bug in the Sun JDK bytecode verifier.

Published

1998

7. Adding type parameterization to the Java language

Author

Stephen N. Freund, Ole Agesen, and John C. Mitchell

Subjects

Generic programming, Java, Java syntax, Computer science, Scala, Interface (Java), Java bytecode, computer.software_genre, Data type, Real time Java, Type safety, Java applet, computer.programming_language, Programming language, strictfp, Non-blocking I/O, Generics in Java, Java concurrency, Computer Graphics and Computer-Aided Design, Template, Java API for XML-based RPC, Static import, computer, Java annotation, Software, Java Modeling Language

Abstract

Although the Java programming language has achieved widespread acceptance, one feature that seems sorely missed is the ability to use type parameters (as in Ada generics, C++ templates, and ML polymorphic functions or data types) to allow a general concept to be instantiated to one or more specific types. In this paper, we propose parameterized classes and interfaces in which the type parameter may be constrained to either implement a given interface or extend a given class. This design allows the body of a parameterized class to refer to methods on objects of the parameter type, without introducing any new type relations into the language. We show that these Java extensions may be implemented by expanding parameterized classes at class load time, without any extension or modification to existing Java bytecode, verifier or bytecode interpreter.

Published

1997

8. RedCard: Redundant Check Elimination for Dynamic Race Detectors

Author

Cormac Flanagan and Stephen N. Freund

Subjects

Java, Computer science, If and only if, Vector clock, Program trace, Real-time computing, Detector, Thread (computing), Static analysis, Spurious relationship, computer, computer.programming_language

Abstract

Precise dynamic race detectors report an error if and only if an observed program trace exhibits a data race. They must typically check for races on all memory accesses to ensure that they catch all races and generate no spurious warnings. However, a race check for a particular memory access is guaranteed to be redundant if the accessing thread has already accessed that location within the same release-free span. A release-free span is any sequence of instructions containing no lock releases or other "release-like" synchronization operations, such as wait or fork. We present a static analysis to identify redundant race checks by reasoning about memory accesses within release-free spans. In contrast to prior whole program analyses for identifying accesses that are always race-free, our redundant check analysis is span-local and can also be made method-local without any major loss in effectiveness. RedCard, our prototype implementation for the Java language, enables dynamic race detectors to reduce the number of run-time checks by close to 40% with no loss in precision. We also present a complementary shadow proxy analysis for identifying when multiple memory locations can be treated as a single location by a dynamic race detector, again with no loss in precision. Combined, our analyses reduce the number of memory accesses requiring checks by roughly 50%.

Published

2013

9. Cooperative types for controlling thread interference in Java

Author

Stephen N. Freund, Tim Disney, Jaeheon Yi, and Cormac Flanagan

Subjects

Atomicity, Source code, Java, Programming language, Computer science, media_common.quotation_subject, Suite, Concurrency, Inference, 020207 software engineering, 02 engineering and technology, Thread (computing), computer.software_genre, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, Programmer, computer, Software, Context switch, media_common, computer.programming_language

Abstract

Multithreaded programs are notoriously prone to unintended interference between concurrent threads. To address this problem, we argue that yield annotations in the source code should document all thread interference, and we present a type system for verifying the absence of undocumented interference in Java programs. Under this type system, well-typed programs behave as if context switches occur only at yield annotations. Thus, well-typed programs can be understood using intuitive sequential reasoning, except where yield annotations remind the programmer to account for thread interference. Experimental results show that yield annotations describe thread interference more precisely than prior techniques based on method-level atomicity specifications. In particular, yield annotations reduce the number of interference points one must reason about by an order of magnitude. The type system is also more precise than prior methods targeting race freedom, and yield annotations highlight all known concurrency defects in our benchmarks. The type system reasons about program behavior modularly via method-level specifications. To alleviate the programmer burden of writing these specifications, we extend our system to support method specification inference, which makes our technique more practical for large code bases.

Published

2012

10. The RoadRunner Dynamic Analysis Framework for Concurrent Programs

Author

Cormac Flanagan and Stephen N. Freund

Subjects

Rapid prototyping, business.operation, Java, business.industry, Computer science, Concurrency, media_common.quotation_subject, Distributed computing, Synchronizing, Thread (computing), Modular design, Roadrunner, Debugging, business, computer, computer.programming_language, media_common

Abstract

RoadRunner is a dynamic analysis framework designed to facilitate rapid prototyping and experimentation with dynamic analyses for concurrent Java programs. It provides a clean API for communicating an event stream to back-end analyses, where each event describes some operation of interest performed by the target program, such as accessing memory, synchronizing on a lock, forking a new thread, and so on. This API enables the developer to focus on the essential algorithmic issues of the dynamic analysis, rather than on orthogonal infrastructure complexities.Each back-end analysis tool is expressed as a filter over the event stream, allowing easy composition of analyses into tool chains. This tool-chain architecture permits complex analyses to be described and implemented as a sequence of more simple, modular steps, and it facilitates experimentation with different tool compositions. Moreover, the ability to insert various monitoring tools into the tool chain facilitates debugging and performance tuning.Despite RoadRunner's flexibility, careful implementation and optimization choices enable RoadRunner-based analyses to offer comparable performance to traditional, monolithic analysis prototypes, while being up to an order of magnitude smaller in code size. We have used RoadRunner to develop several dozen tools and have successfully applied them to programs as large as the Eclipse programming environment.

Published

2010

11. Type inference for atomicity

Author

Marina Lifshin, Cormac Flanagan, and Stephen N. Freund

Subjects

Atomicity, Source lines of code, Correctness, Java, Computer science, Property (programming), business.industry, Programming language, Concurrency, Type inference, Usability, computer.software_genre, Computer Science::Programming Languages, business, computer, computer.programming_language

Abstract

Atomicity is a fundamental correctness property in multithreaded programs. This paper presents an algorithm for verifying atomicity via type inference. The underlying type system supports guarded, write-guarded, and unguarded fields, as well as thread-local data, parameterized classes and methods, and protected locks. We describe an implementation of this algorithm for Java and discuss its performance and usability on benchmarks totaling sixty thousand lines of code.

Published

2005

12. Type Inference Against Races

Author

Cormac Flanagan and Stephen N. Freund

Subjects

Recursive data type, Java, Hindley–Milner type system, Computer science, Programming language, Concurrency, Inference, Parameterized complexity, Type inference, 020207 software engineering, 0102 computer and information sciences, 02 engineering and technology, Propositional calculus, computer.software_genre, 01 natural sciences, Satisfiability, Type theory, 010201 computation theory & mathematics, 0202 electrical engineering, electronic engineering, information engineering, Type class, computer, computer.programming_language

Abstract

The race condition checker rccjava uses a formal type system to statically identify potential race conditions in concurrent Java programs, but it requires programmer-supplied type annotations. This paper describes a type inference algorithm for rccjava. Due to the interaction of parameterized classes and dependent types, this type inference problem is NP-complete. This complexity result motivates our new approach to type inference, which is via reduction to propositional satisfiability. This paper describes our type inference algorithm and its performance on programs of up to 30,000 lines of code.

Published

2004

13. Detecting race conditions in large programs

Author

Stephen N. Freund and Cormac Flanagan

Subjects

Race (biology), Annotation, Source lines of code, Java, Programming language, Computer science, Inference, Software system, User interface, computer.software_genre, computer, Race condition, computer.programming_language

Abstract

The race condition checker \rcc{} statically identifies potential races in concurrent Java programs. This paper describes improvements to \rcc{} that enable it to be used on large, realistic programs. These improvements include not only extensions to the underlying analysis, but also an annotation inference algorithm and a user interface to help programmers understand warnings generated by the tool. Experience with programs containing up to 500,000 lines of code indicate that it is an effective tool for identifying races in large-scale software systems.

Published

2001

14. Type-based race detection for Java

Author

Cormac Flanagan and Stephen N. Freund

Subjects

Source lines of code, Java, Computer science, Programming language, Scala, Interface (Java), strictfp, Generics in Java, computer.software_genre, Computer Graphics and Computer-Aided Design, Java concurrency, Real time Java, Instruction-level parallelism, Java annotation, computer, Software, Java Modeling Language, computer.programming_language, Register allocation

Abstract

This paper presents a static race detection analysis for multithreaded Java programs. Our analysis is based on a formal type system that is capable of capturing many common synchronization patterns. These patterns include classes with internal synchronization, classes thatrequire client-side synchronization, and thread-local classes. Experience checking over 40,000 lines of Java code with the type system demonstrates that it is an effective approach for eliminating races conditions. On large examples, fewer than 20 additional type annotations per 1000 lines of code were required by the type checker, and we found a number of races in the standard Java libraries and other test programs.

Published

2000

15. A formal framework for the Java bytecode language and verifier

Author

Stephen N. Freund and John C. Mitchell

Subjects

Java, Computer science, Programming language, Subroutine, Interpreted language, Java bytecode, Software_PROGRAMMINGTECHNIQUES, Object (computer science), computer.software_genre, Computer Graphics and Computer-Aided Design, Programming language implementation, Bytecode, Common Intermediate Language, TheoryofComputation_LOGICSANDMEANINGSOFPROGRAMS, Formal specification, Software_PROGRAMMINGLANGUAGES, computer, Software, computer.programming_language

Abstract

This paper presents a sound type system for a large subset of the Java bytecode language including classes, interfaces, constructors, methods, exceptions, and bytecode subroutines. This work serves as the foundation for developing a formal specification of the bytecode language and the Java Virtual Machine's bytecode verifier. We also describe a prototype implementation of a type checker for our system and discuss some of the other applications of this work. For example, we show how to extend our work to examine other program properties, such as the correct use of object locks.

Published

1999

16. Thetis

Author

Stephen N. Freund and Eric Roberts

Subjects

ANSI C, Programming language, Computer science, business.industry, Learning environment, media_common.quotation_subject, computer.software_genre, Visualization, Set (abstract data type), Debugging, ComputingMilieux_COMPUTERSANDEDUCATION, Compiler, User interface, Software engineering, business, computer, Interpreter, computer.programming_language, media_common

Abstract

Commercially available compilers, particularly those used for languages like ANSI C that have extensive commercial applicability, are not well-suited to students in introductory computer science courses because they assume a level of sophistication that beginning students do not possess. To alleviate this problem at Stanford, we have developed the Thetis programming environment designed specifically for student use. The system consists of a C interpreter and associated user interface that provides students with simple and easily understood editing, debugging, and visualization capabilities. Reactions of students and instructors indicate that Thetis fulfills the goals we set out to accomplish and provides a significantly better learning environment for students in CS1/CS2.

Published

1996

17. Checking Concise Specifications for Multithreaded Software

Author

Stephen N. Freund and Shaz Qadeer

Subjects

Java, Computer science, business.industry, Programming language, Shared variables, Thread (computing), Modular design, computer.software_genre, Predicate (grammar), Software, business, computer, computer.programming_language

Abstract

due to the potential for subtle interactions between threads. We present a new modular verification technique to check concise specifications of large multithreaded programs. Our analysis scales to systems with large numbers of procedures and threads. We achieve thread-modular analysis by annotating each shared variable by an access predicate that summarizes the condition under which a thread may access that variable. We achieve procedure-modular analysis by annotating each procedure with a specification related to its implementation by an abstraction relation combining the notions of simulation and reduction. We have implemented our analysis in Calvin-R, a static checker for multithreaded Java programs.

Published

2004

18. A Type System for Object Initialization In the Java Bytecode Language (summary)

Author

John C. Mitchell and Stephen N. Freund

Subjects

General Computer Science, Java, Computer science, Scala, Java bytecode, Software_PROGRAMMINGTECHNIQUES, computer.software_genre, Theoretical Computer Science, Real time Java, Common Intermediate Language, Formal specification, Cross-platform, Java applet, computer.programming_language, Programming language, strictfp, Interpreted language, Non-blocking I/O, Generics in Java, Programming language implementation, Java concurrency, Bytecode, Java API for XML-based RPC, TheoryofComputation_LOGICSANDMEANINGSOFPROGRAMS, Software_PROGRAMMINGLANGUAGES, computer, Java annotation, Java Modeling Language, Computer Science(all)

Abstract

In the standard Java implementation, a Java language program is compiled to Java bytecode and this bytecode is then interpreted by the Java Virtual Machine. Since bytecode may be written by hand, or corrupted during network transmission, the Java Virtual Machine contains a bytecode verifier that performs a number of consistency checks before code is interpreted. As one-step towards a formal specification of the verifier, we describe a precise specification of a subset of the bytecode language dealing with object creation and initialization.