State of the Union: Type Inference Via Craig Interpolation

  • Ranjit Jhala
  • Rupak Majumdar
  • Ru-Gang Xu
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4424)


The ad-hoc use of unions to encode disjoint sum types in C programs and the inability of C’s type system to check the safe use of these unions is a long standing source of subtle bugs. We present a dependent type system that rigorously captures the ad-hoc protocols that programmers use to encode disjoint sums, and introduce a novel technique for automatically inferring, via Craig Interpolation, those dependent types and thus those protocols. In addition to checking the safe use of unions, the dependent type information inferred by interpolation gives programmers looking to modify or extend legacy code a precise understanding of the conditions under which some fields may safely be accessed. We present an empirical evaluation of our technique on 350KLOC of open source C code. In 80 out of 90 predicated edges (corresponding to 1472 out of 1684 union accesses), our type system is able to infer the correct dependent types. This demonstrates that our type system captures and explicates programmers’ informal reasoning about unions, without requiring manual annotation or rewriting.


Type System Inference Algorithm Dependent Type Type Inference Type Check 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Aiken, A., Wimmers, E., Lakshman, T.K.: Soft typing with conditional types. In: POPL 94, pp. 163–173. ACM Press, New York (1994)CrossRefGoogle Scholar
  2. 2.
    Chandra, S., Reps, T.: Physical type checking for c. In: PASTE 99, pp. 66–75. ACM Press, New York (1999)CrossRefGoogle Scholar
  3. 3.
    Craig, W.: Linear reasoning. J. Symbolic Logic 22, 250–268 (1957)zbMATHCrossRefMathSciNetGoogle Scholar
  4. 4.
    Cytron, R., et al.: Efficiently computing static single assignment form and the program dependence graph. ACM TOPLAS 13, 451–490 (1991)CrossRefGoogle Scholar
  5. 5.
    Detlefs, D., Nelson, G., Saxe, J.B.: Simplify: a theorem prover for program checking. J. ACM 52(3), 365–473 (2005)CrossRefMathSciNetGoogle Scholar
  6. 6.
    Fang, Y.: Translation validation of optimizing compilers. PhD thesis, New York University (2005)Google Scholar
  7. 7.
    Flanagan, C.: Hybrid type checking. In: POPL 06, pp. 245–256. ACM Press, New York (2006)CrossRefGoogle Scholar
  8. 8.
    Furr, M., Foster, J.: Checking type safety of foreign function calls. In: PLDI 05, pp. 62–72. ACM Press, New York (2005)CrossRefGoogle Scholar
  9. 9.
    Harren, M., Necula, G.C.: Using dependent types to certify the safety of assembly code. In: Hankin, C., Siveroni, I. (eds.) SAS 2005. LNCS, vol. 3672, pp. 155–170. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  10. 10.
    Henzinger, T.A., et al.: Lazy abstraction. In: POPL 02, pp. 58–70. ACM Press, New York (2002)CrossRefGoogle Scholar
  11. 11.
    Jhala, R., Majumdar, R., Xu, R.: Type inference using Craig interpolation. Technical Report. UCLA Computer Science Department (2007)Google Scholar
  12. 12.
    Jhala, R., Majumdar, R., Xu, R.: Structural invariants. In: Yi, K. (ed.) SAS 2006. LNCS, vol. 4134, pp. 71–87. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  13. 13.
    Jim, T., et al.: Cyclone: A safe dialect of C. In: Usenix Tech. Conf., pp. 257–288 (2002)Google Scholar
  14. 14.
    Komondoor, R., et al.: Dependent types for program understanding. In: Halbwachs, N., Zuck, L.D. (eds.) TACAS 2005. LNCS, vol. 3440, pp. 157–173. Springer, Heidelberg (2005)Google Scholar
  15. 15.
    Loginov, A., et al.: Debugging via run-time type checking. In: Hussmann, H. (ed.) ETAPS 2001 and FASE 2001. LNCS, vol. 2029, pp. 217–232. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  16. 16.
    McMillan, K.L.: An interpolating theorem prover. TCS 345, 101–121 (2005)zbMATHCrossRefMathSciNetGoogle Scholar
  17. 17.
    Necula, G.C., et al.: CIL: Intermediate language and tools for analysis and transformation of C programs. In: Horspool, R.N. (ed.) CC 2002 and ETAPS 2002. LNCS, vol. 2304, pp. 213–228. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  18. 18.
    Necula, G.C., et al.: CCured: type-safe retrofitting of legacy software. ACM TOPLAS 27(3), 477–526 (2005)CrossRefGoogle Scholar
  19. 19.
    Rushby, J.M., Owre, S., Shankar, N.: Subtypes for specifications: Predicate subtyping in PVS. IEEE Trans. Software Eng. 24(9), 709–720 (1998)CrossRefGoogle Scholar
  20. 20.
    Siff, M., et al.: Coping with type casts in C. In: ESEC/FSE 99, pp. 180–198. ACM Press, New York (1999)Google Scholar
  21. 21.
    Xi, H., Harper, R.: A dependently typed assembly language. In: ICFP 01, pp. 169–180. ACM Press, New York (2001)CrossRefGoogle Scholar
  22. 22.
    Xi, H., Pfenning, F.: Dependent types in practical programming. In: POPL 99, pp. 214–227. ACM Press, New York (1999)CrossRefGoogle Scholar

Copyright information

© Springer Berlin Heidelberg 2007

Authors and Affiliations

  • Ranjit Jhala
    • 1
  • Rupak Majumdar
    • 2
  • Ru-Gang Xu
    • 2
  1. 1.UC San Diego 
  2. 2.UC Los Angeles 

Personalised recommendations