The Fugue protocol checker: Is your software Baroque?

Even in a safe programming language, such as C or Java, disobeying the rules for using an interface can cause exceptions at run time. Such rules govern how system resources are managed, the order of method calls, and the formatting of string parameters, such as SQL queries. This paper introduces Fugue, a modular static checker for languages that compile to the Common Language Runtime. Fugue allows the rules for using an interface to be recorded as declarative specifications and provides a range of annotations that allow a developer to specify interface rule with varying precision. At the simplest end of the range, a specifier can mark those methods that allocate and release resources. A specifier can also limit the order in which an object’s methods may be called to the transitions of a finite state machine. At the most complex end of the range, a specifier can give a method a plug-in preand postconditon, which is arbitrary code that examines an object’s current state and a static approximation of the method’s actuals, decides whether the call is legal and returns the object’s state after the call. We used these features to specify rules for using ado.net, a library for accessing relational databases, and found several errors in an internal Microsoft Research web site, which extensively uses this library.