About me

I’m a scientific computer scientist. I like to solve interesting problems with software.

In 2015 I began a PhD in CS at Virginia Tech. I am advised by Dr. Dongyoon Lee. Details on my activities at Virginia Tech are below.

From 2012-2015 I was a software tester at IBM. I worked on IBM’s General Parallel File System (GPFS), now rebranded as IBM Spectrum Scale. Some highlights:

  • I focused on the ways in which a parallel file system can fail, with an emphasis on error injection and data validation.
    • This work resulted in 3 patent applications, see below.
  • I enjoyed visiting India (Pune, Bangalone) and China (Beijing) to provide training.


Here is my CV.

I also keep a blog and tweet, and I post abridged versions of my research papers on Medium.

Ongoing research projects

  1. Regular expression denial of service (ReDoS). I found ReDoS vulnerabilities in some interesting places, including Node.js core, Python core, MongoDB, Django, and Hapi. I also disclosed vulnerabilities to Microsoft, which acknowledged me here in July 2018. Many more of my finds are listed in Snyk.io’s vulnerability database, mostly under npm. The first part of this project will be published at ESEC/FSE’18.
  2. I have a hand in a project on stream processing systems. This work is under submission.
  3. I am working on improving Node.js performance down in libuv. See my meta-issue about the state of the libuv threadpool and my pull request enabling a pluggable threadpool. We’ll see where this goes…

Past research projects

  1. A Sense of Time for JavaScript and Node.js. Extending a EuroSec’17 workshop paper, we evaluated the avenues for Event Handler Poisoning in Node.js and prototyped a complete defense mechanism: first-class timeouts. We also wrote a guide on nodejs.org, made fs.readFile safe, and added documentation on potential DoS vectors. We published this work at USENIX Security’18.
  2. Node.fz. We investigated concurrency errors in Node.js applications. We studied bug reports to demonstrate that these occur in practice, and built a schedule fuzzing tool called Node.fz to make these bugs more likely to manifest. We published this work at EuroSys’17.


  1. James C. Davis, Christy A. Coghlan, Francisco Servant, and Dongyoon Lee. The Impact of Regular Expression Denial of Service (REDOS) in Practice: an Empirical Study at the Ecosystem Scale. Proceedings of the 26th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC/FSE’18). ACM, 2018.
  2. James C. Davis, Eric R. Williamson, and Dongyoon Lee. A Sense of Time for JavaScript and Node.js: First-Class Timeouts as a Cure for Event Handler Poisoning. Proceedings of the 27th USENIX Security Symposium (USENIX Security’18). USENIX, 2018.
  3. James Davis, Gregor Kildow, and Dongyoon Lee. The case of the poisoned event handler: Weaknesses in the Node.js event-driven architecture. Proceedings of the 10th European Workshop on Systems Security (EuroSec’17). ACM, 2017.
  4. James Davis, Arun Thekumparampil, and Dongyoon Lee. Node.fz: Fuzzing the server-side event-driven architecture. Proceedings of the Twelfth European Conference on Computer Systems (EuroSys’17). ACM, 2017.


  1. J. Davis, W. Davis. File Metadata Verification in a Distributed File System. IBM, U.S. patent pending.
  2. W. Davis, J. Davis. Testing of Lock Managers in Computing Environments. IBM, U.S. patent 10,061,777 granted Aug. 28, 2018.
  3. J. Davis, W. Davis, F. Knop. Detection of File Corruption in a Distributed File System. IBM, U.S. patent 10,025,788 granted July 17, 2018.

Other activities

  1. I organize the weekly VT Systems Reading Group (mailing list).
  2. As part of my “Event Handler Poisoning” research, I wrote a guide for nodejs.org: Don’t Block the Event Loop (or the Worker Pool).
  3. I have contributed to a few open-source projects:
    • Node.js: Server-side JavaScript
    • libuv: Cross-platform asynchronous I/O
  4. I served on the EuroSys 2018 Shadow PC. They named me an outstanding reviewer!
  5. I attended Node+JS Interactive 2018 and the subsequent collaborator summit.

Other projects

  1. I’ve read through a few papers on Plausible Deniability (PD) and remain unsatisfied. I think the research is interesting, but the threat model the authors use seems, well, implausible. Here is my rejoinder.
  2. In Fall 2017 I took Dr. Sharath Raghvendra’s course in Algorithms. In my course project I did a small literature review of major papers in testing the correctness of concurrent programs. Report.
  3. In Spring 2017 I took Dr. Pierre Olivier’s course in Linux Kernel Programming. I worked on a project to deploy an alternative scheduler with Xinwei Fu and Jingoo Han. It was a hierarchical multi-level feedback queue, and our feedback mechanism turned out to be so fine-grained that the system wasn’t particularly usable. Report.
  4. In Fall 2016 I took Prof. Steve Harrison’s course in Human-Computer Interaction (HCI). In my course project I suggested that different programming paradigms might be easier for different cultures, based on Nisbett’s The Geography of Thought. Report.
  5. In Spring 2016 I took Dr. Ali Butt’s course in Cloud Computing. I worked on a project to compare cloud service providers (AWS, Google, and Azure) with Uday Ananth and Ayaan Kazerouni. We performed a qualitative study of usability, reliability, and customer service, and a quantitative study of node performance. Report.

Technical skills

I’m reasonably conversant with everything other than the front-end. Some technologies I have used:

  • Operating systems
    • UNIX-like: Linux, AIX.
      • I’ve done coursework in the Linux kernel and have spent a lot of time programming with the UNIX syscalls.
  • Languages
    • Scripting: Bash, Python, Perl, Node.js
      • I am pretty familiar with the implementation of Node.js – Node core, V8, and libuv.
    • Other languages: Java, C-90, C++
  • Parallel programming
    • I am familiar with synchronization in Java and with pthreads in C/C++.
    • In Fall 2017 I was the TA for VT’s graduate course in Multiprocessor Programming.
    • I am not afraid of threads, nor am I afraid of condition variables.
  • Databases
    • I know a bit of SQL, though I admit I prefer grepping giant flat files.
  • Virtualization
    • I’ve used VMs (usually locally, through VirtualBox) for development.
    • I set up VMs on AWS, Google Cloud, Azure, and IBM SoftLayer as part of a course project on VM performance variability.
  • Auditing
    • I’ve used the Linux auditd subsystem extensively.