Checking type safety of foreign function calls

Foreign function interfaces (FFIs) allow components in different languages to communicate directly with each other. While FFIs are useful, they often require writing tricky low-level code and include little or no static safety checking, thus providing a rich source of hard-to-find programming errors. In this article, we study the problem of enforcing type safety across the OCaml-to-C FFI and the Java Native Interface (JNI). We present O-Saffire and J-Saffire, a pair of multilingual type inference systems that ensure C code that uses these FFIs accesses high-level data safely. Our inference systems use representational types to model C's low-level view of OCaml and Java values, and singleton types to track integers, strings, memory offsets, and type tags through C. J-Saffire, our Java system, uses a polymorphic flow-insensitive, unification-based analysis. Polymorphism is important because it allows us to precisely model user-defined wrapper functions and the more than 200 JNI functions. O-Saffire, our OCaml system, uses a monomorphic flow-sensitive analysis because, while polymorphism is much less important for the OCaml FFI flow-sensitivity is critical to track conditional branches, which are used when pattern matching OCaml data in C. O-Saffire also tracks garbage collection information to ensure that local C pointers to the OCaml heap are registered properly, which is not necessary for the JNI. We have applied O-Saffire and J-Saffire to a set of benchmarks and found many bugs and questionable coding practices. These results suggest that static checking of FFIs can be a valuable tool in writing correct multilingual software.

[1]  Sheng Liang,et al.  Java Native Interface: Programmer's Guide and Reference , 1999 .

[2]  Peter Thiemann Grammar-based analysis of string expressions , 2005, TLDI '05.

[3]  Nigel Perry,et al.  Scripting .NET Using Mondrian , 2001, ECOOP.

[4]  Jennifer Hamilton,et al.  Language integration in the common language runtime , 2003, SIGP.

[5]  Jack C. Wileden,et al.  Polylingual systems: an approach to seamless interoperability , 1998 .

[6]  Sheng Liang,et al.  Java Native Interface: Programmer's Guide and Specification , 1999 .

[7]  Robert Bruce Findler,et al.  Operational semantics for multi-language programs , 2007, POPL '07.

[8]  Zhendong Su,et al.  Static Checking of Dynamically Generated Queries in Database Applications , 2004, ICSE 2004.

[9]  George C. Necula,et al.  CIL: Intermediate Language and Tools for Analysis and Transformation of C Programs , 2002, CC.

[10]  Aske Simon Christensen,et al.  Precise Analysis of String Expressions , 2003, SAS.

[11]  A. Watson,et al.  OMG (Object Management Group) architecture and CORBA (common object request broker architecture) specification , 2002 .

[12]  Dewayne E. Perry,et al.  Design of large-scale polylingual systems , 2004, Proceedings. 26th International Conference on Software Engineering.

[13]  Andrew Shalit,et al.  Modern languages and Microsoft's component object model , 1998, CACM.

[14]  Riccardo Pucella,et al.  A framework for interoperability , 2001, Electron. Notes Theor. Comput. Sci..

[15]  Simon Peyton Jones,et al.  Tackling the Awkward Squad: monadic input/output, concurrency, exceptions, and foreign-language calls in Haskell , 2005 .

[16]  Matthias Blume No-Longer-Foreign: Teaching an ML compiler to speak C "natively" , 2001, Electron. Notes Theor. Comput. Sci..

[17]  Satish Chandra,et al.  Physical type checking for C , 1999, PASTE '99.

[18]  Didier Rémy,et al.  Type checking records and variants in a natural extension of ML , 1989, POPL '89.

[19]  Jeffrey S. Foster,et al.  Checking type safety of foreign function calls , 2005, PLDI '05.

[20]  F. Javier Moldes Java SE 6 , 2007 .

[21]  Frank Yellin,et al.  The Java Virtual Machine Specification , 1996 .

[22]  Robert Cartwright,et al.  A practical soft type system for scheme , 1997, TOPL.

[23]  Jennifer Hamilton Interlanguage Object Sharing with SOM , 1996, COOTS.

[24]  Jakob Rehof,et al.  Scalable context-sensitive flow analysis using instantiation constraints , 2000, PLDI '00.

[25]  Joshua S. Auerbach,et al.  Mockingbird: flexible stub compilation from pairs of declarations , 1999, Proceedings. 19th IEEE International Conference on Distributed Computing Systems (Cat. No.99CB37003).

[26]  Robert Hieb,et al.  The Revised Report on the Syntactic Theories of Sequential Control and State , 1992, Theor. Comput. Sci..

[27]  Susumu Nishimura,et al.  Static typing for dynamic messages , 1998, POPL '98.

[28]  Fritz Henglein,et al.  Type inference with polymorphic recursion , 1993, TOPL.

[29]  Alan Kaplan,et al.  The Exu approach to safe, transparent and lightweight interoperability , 2001, 25th Annual International Computer Software and Applications Conference. COMPSAC 2001.

[30]  Zhong Shao,et al.  Safe and Principled Language Interoperation , 1999, ESOP.

[31]  David M. Beazley,et al.  SWIG: An Easy to Use Tool for Integrating Scripting Languages with C and C++ , 1996, Tcl/Tk Workshop.

[32]  Jeffrey S. Foster,et al.  Polymorphic Type Inference for the JNI , 2006, ESOP.

[33]  Simon L. Peyton Jones,et al.  Calling hell from heaven and heaven from hell , 1999, ICFP '99.