Discussions about Software at UMCP

August 9, 2004

Michael Furr and Jeffrey S. Foster, Checking Type Safety of Foreign Function Calls

Many programming languages contain a foreign function interface (FFI) for invoking functions written in other languages. While such an interface facilitates access to system-wide libraries and legacy code, having an FFI also provides many opportunities for programmer error. In particular, it becomes possible to violate type and memory safety in an otherwise safe language, and such mistakes can be very hard to find. In this paper, we present a multi-lingual type inference system for checking type safety across a foreign function interface. Our system targets O'Caml's FFI to C, which is relatively lightweight and illustrates some interesting challenges in multi-lingual type inference. The type language in our system embeds O'Caml types in C types and vice versa, which allows us to track type information accurately even through the foreign language, where the original types are lost. Our system uses a representational type that can model multiple O'Caml types, because C programs can observe that many O'Caml types have the same physical representation. Furthermore, because C has a low-level view of O'Caml data, we must enrich our language for O'Caml types with memory offsets and tag information. Finally, our type system includes garbage collection information in order to ensure that pointers from the FFI to the O'Caml heap are tracked properly. We have implemented a prototype of our inference system and applied it to a small set of benchmarks. Our results show that programmers do misuse these interfaces, and our prototype has found several bugs and questionable coding practices in our benchmarks.
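The abstract's central observation is that C sees O'Caml values only as machine words: an int, a bool, unit and a constant constructor all share one immediate representation, while tuples and records are pointers to tagged blocks, so a C stub must check the representation, the tag and the field offset before interpreting a value. The following added example (not code from the paper or from the O'Caml runtime) models that encoding in a stand-alone C file using the conventions of the runtime's mlvalues.h (low bit 1 for immediates; a header word before each block holding size, colour and tag), and contrasts an unchecked accessor with checked ones that refuse the misuses the paper's type system is designed to catch. The `make_block`, `checked_int` and `checked_field` helpers are assumptions of this example, not runtime API; real stubs allocate with the runtime and must also register heap pointers with the garbage collector, which this model does not show.

```c
/* Added example: a self-contained model of O'Caml's value encoding,
 * written to show the checks a C stub needs. It mirrors the layout
 * conventions of caml/mlvalues.h but includes no O'Caml headers, so it
 * compiles on its own; make_block/checked_* are illustrative helpers. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef intptr_t value;
typedef uintptr_t header_t;

/* Immediates: (n << 1) | 1. Blocks: word-aligned pointers (low bit 0). */
#define Val_long(n)   ((value)(((intptr_t)(n) << 1) + 1))
#define Long_val(v)   ((v) >> 1)
#define Is_long(v)    (((v) & 1) != 0)
#define Is_block(v)   (((v) & 1) == 0)
/* Header word sits just before the first field: size<<10 | colour<<8 | tag. */
#define Hd_val(v)     (((header_t *)(v))[-1])
#define Tag_val(v)    ((unsigned)(Hd_val(v) & 0xFF))
#define Wosize_val(v) ((size_t)(Hd_val(v) >> 10))
#define Field(v, i)   (((value *)(v))[i])

/* Different O'Caml types, identical physical representation. */
#define Val_true Val_long(1)
#define Val_unit Val_long(0)
#define Val_none Val_long(0)

enum ffi_err { FFI_OK = 0, FFI_NOT_IMMEDIATE, FFI_NOT_BLOCK, FFI_BAD_TAG, FFI_OUT_OF_RANGE };

/* Allocate a block of `wosize` fields with the given tag (tuples and
 * records use tag 0). A real stub would call the runtime allocator. */
static value make_block(size_t wosize, unsigned tag) {
    value *p = malloc((wosize + 1) * sizeof(value));
    if (p == NULL) abort();
    p[0] = (value)(((header_t)wosize << 10) | tag);
    return (value)(p + 1);
}
static void free_block(value v) { free(((value *)v) - 1); }

/* Unchecked: treats whatever it is handed as an immediate integer. On a
 * block pointer this silently yields a meaningless number. */
static long unchecked_int(value v) { return Long_val(v); }

/* Checked: confirm the representation before interpreting the word. */
static enum ffi_err checked_int(value v, long *out) {
    if (!Is_long(v)) return FFI_NOT_IMMEDIATE;
    *out = Long_val(v);
    return FFI_OK;
}

/* Checked field read: must be a block, carry the expected tag, and the
 * offset must lie inside the block's declared size. */
static enum ffi_err checked_field(value v, unsigned tag, size_t i, value *out) {
    if (!Is_block(v)) return FFI_NOT_BLOCK;
    if (Tag_val(v) != tag) return FFI_BAD_TAG;
    if (i >= Wosize_val(v)) return FFI_OUT_OF_RANGE;
    *out = Field(v, i);
    return FFI_OK;
}

/* Build the pair (1, true) and exercise the four misuses the checked
 * accessors reject; returns how many were caught. */
int demo(void) {
    int caught = 0;
    long n = 0;
    value f = 0;
    value pair = make_block(2, 0);
    Field(pair, 0) = Val_long(1);
    Field(pair, 1) = Val_true;

    printf("unchecked read of a block as int: %ld (garbage)\n", unchecked_int(pair));
    if (checked_int(pair, &n) != FFI_OK) caught++;             /* block read as int */
    if (checked_field(Val_true, 0, 0, &f) != FFI_OK) caught++; /* immediate read as block */
    if (checked_field(pair, 0, 2, &f) != FFI_OK) caught++;     /* offset past wosize */
    if (checked_field(pair, 1, 0, &f) != FFI_OK) caught++;     /* wrong tag */

    free_block(pair);
    return caught;
}

int main(void) {
    printf("misuses caught: %d\n", demo());
    return 0;
}
```

The checked accessors are the run-time counterpart of what the paper infers statically: because `Val_true`, `Val_unit` and `Val_none` are the same word, no check can tell them apart, which is exactly why the abstract's representational type models several O'Caml types at once, while block-versus-immediate, tag and offset are observable and so can be checked.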
