Modular Information Hiding and Type-Safe Linking for C

Abstract

This paper presents CMod, a novel tool that provides a sound module system for C. CMod works by enforcing four rules that are based on principles of modular reasoning and on current programming practice. CMod's rules flesh out the convention that .h header files are module interfaces and .c source files are module implementations. Although this convention is well known, existing explanations of it are incomplete, omitting important subtleties needed for soundness. In contrast, we have proven formally that CMod's rules enforce both information hiding and type-safe linking. To use CMod, the programmer develops and builds their software as usual, redirecting the compiler and linker to CMod's wrappers. We evaluated CMod by applying it to 30 open source programs, totaling more than one million LoC. Violations of CMod's rules revealed more than a thousand information hiding errors, dozens of typing errors, and hundreds of cases that, although not currently bugs, make programming mistakes more likely as the code evolves. At the same time, programs generally adhere to the assumptions underlying CMod's rules, and so we could fix rule violations with modest effort. We conclude that CMod can effectively support modular programming in C: it soundly enforces type-safe linking and information hiding while being largely compatible with existing practice.

TSE 34(3), 2008: IEEE Transactions on Software Engineering, Volume 34, Number 3, May 2008.