Results 1 - 4 of 4
Physical Type Checking for C
- IN WORKSHOP ON PROGRAM ANALYSIS FOR SOFTWARE TOOLS AND ENGINEERING, 1999
Cited by 43 (4 self)
The effectiveness of traditional type checking in C is limited by the presence of type conversions using type casts. Because the C standard allows arbitrary type conversions between pointer types, neither C compilers, nor tools such as lint, can guarantee type safety in the presence of such type conversions. In particular, by using casts involving pointers to structures (C structs), a programmer can interpret any memory region to be of any desired type, further compromising C's weak type system. Not only do type casts make programs vulnerable to type errors, they hinder program comprehension and maintenance by creating latent dependencies between seemingly independent pieces of code. To address these problems, we have developed a stronger form of type checking for C programs, called physical type checking. Physical type checking takes into account the layout of C struct fields in memory. This paper describes an inference-based physical type checking algorithm and its implementation. Ou...
Coping with Type Casts in C
- IN 1999 ACM FOUNDATIONS ON SOFTWARE ENGINEERING CONFERENCE (LNCS 1687), 1999
Cited by 41 (8 self)
The use of type casts is pervasive in C. Although casts provide great flexibility in writing code, their use obscures the meaning of a piece of code, and can present obstacles during maintenance. Casts involving pointers to structures (C structs) are particularly problematic, because by using them, a programmer can interpret any memory region to be of any desired type, thereby compromising C's already weak type system. This paper presents an approach towards making sense of such casts, in terms of understanding their purpose and identifying fragile code. We base our approach on the observation that casts are often used to simulate object-oriented language features not supported directly in C. We first describe a variety of ways -- idioms -- in which this is done in C programs. We then develop a notion of physical subtyping, which provides a model that explains these idioms. We have created tools that automatically analyze casts appearing in C programs. Experimental evidence collected by ...
Lint, a C Program Checker
- COMP. SCI. TECH. REP, 1978
Cited by 31 (2 self)
Lint is a command which examines C source programs, detecting a number of bugs and obscurities. It enforces the type rules of C more strictly than the C compilers. It may also be used to enforce a number of portability restrictions involved in moving programs between different machines and/or operating systems. Another option detects a number of wasteful, or error prone, constructions which nevertheless are, strictly speaking, legal. Lint accepts multiple input files and library specifications, and checks them for consistency. The separation of function between lint and the C compilers has both historical and practical rationale. The compilers turn C programs into executable files rapidly and efficiently. This is possible in part because the compilers do not do sophisticated type checking, especially between separately compiled programs. Lint takes a more global, leisurely view of the program, looking much more carefully at the compatibilities. This document discusses the use of lint...
Coping with Type Casts in C
- 1999
The use of type casts is pervasive in C. Although casts provide great flexibility in writing code, their use obscures the meaning of a piece of code, and can present obstacles during maintenance. Casts involving pointers to structures (C structs) are particularly problematic, because by using them, a programmer can interpret any memory region to be of any desired type, thereby compromising C's already weak type system. This paper presents an approach towards making sense of such casts, in terms of understanding their purpose and identifying fragile code. We base our approach on the observation that casts are often used to simulate object-oriented language features not supported directly in C. We first describe a variety of ways -- idioms -- in which this is done in C programs. We then develop a notion of physical subtyping, which provides a model that explains these idioms. We have created tools that automatically analyze casts appearing in C programs. Experimental evi...

