Permissive Interfaces

Thomas A. Henzinger , Ranjit Jhala and Rupak Majumdar

A modular program analysis considers components independently and provides succinct summaries for each component, which can be used when checking the rest of the system. Consider a system comprising of two components, a library and a client. A temporal summary, or {\em interface}, of the library specifies legal sequences of library calls. The interface is {\em safe} if no call sequence violates the library's internal invariants; the interface is {\em permissive} if it contains every such sequence. Modular program analysis requires {\em full\/} interfaces, which are both safe and permissive: the client does not cause errors in the library if and only if it makes only sequences of library calls that are allowed by the full interface of the library. Previous interface-based methods have focused on safe interfaces, which may be too restrictive and thus reject good clients. We present an algorithm for automatically synthesizing software interfaces that are both safe and permissive. The algorithm generates interfaces as graphs whose vertices are labeled with predicates over the library's internal state, and whose edges are labeled with library calls. The interface state is refined incrementally until the full interface is constructed. In other words, the algorithm automatically synthesizes a typestate system for the library, against which any client can be checked for compatibility. We present an implementation of the algorithm which is based on the BLAST model checker, and we evaluate some case studies.

Proceedings of the Symposium on the Foundations of Software Engineering, 2005. (FSE), 2005.

PostScript PDF slides © 2005.