Coolaid: Debugging Compilers with Untrusted Code Verification Bor-Yuh Evan Chang with George Necula, Robert Schneck, and Kun Gao May 14, 2003 OSQ Retreat


Page 1

Coolaid: Debugging Compilers with Untrusted Code Verification

Bor-Yuh Evan Chang
with George Necula, Robert Schneck, and Kun Gao

May 14, 2003, OSQ Retreat

Page 2

5/14/2003 2

Code Verification for Compiler Debugging

[Figure: two workflows. Without Coolaid: Compiler Test Case → COOL Compiler → Compiled Program → SPIM → Test Cases (labelled "Stressed CS164 Student"). With Coolaid: Compiler Test Case → COOL Compiler → Coolaid COOL Verifier → SPIM (labelled "Relaxed CS164 Student").]

Page 3

Code Verification for Compiler Debugging

• COOL’s type system ensures certain safety properties, such as memory safety
• Unverifiable code is either
  – not from a certifying COOL compiler;
  – from a compiler with a code generation scheme confusing to the verifier; or
    • e.g. offset an address by indexing into a table
  – from a broken COOL compiler
    • e.g. did not emit null pointer check

Page 4

Coolaid vs. JVML Bytecode Verifier

Similarities
• Abstract interpreter over types for each register (roughly)
• “Execute” a method by proceeding assuming the effect as dictated by the method type
• Take least upper bound for each register at join points
• Stop when a fixed point is reached

Differences
• Coolaid verifies low-level assembly
• Need to store some intermediate information
  – e.g. a pointer is not null
  – e.g. class tag for some object
• Need equivalence classes of values
  – i.e. not only that r1 : A and r2 : A, but that r1 = r2
  – null checks
• Some code generation sensitivity
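The scheme sketched on slides 3 and 4 (an abstract interpreter over register types, least upper bound at join points, iteration to a fixed point, extra "not null" facts, and equivalence classes of values) is compact enough to show in full. The following is an added example written for this page, not code from Coolaid or the Open Verifier project: a toy verifier for a three-address assembly with a single constructed class layout (`LAYOUT`), a `beqz` null check, and a `ldfield` load. The lattice, the instruction set and the `("def", pc)` value identifiers are all assumptions chosen for illustration. It flags the slide 3 failure mode (a field access with no null check on the path) and shows why equivalence classes matter: with aliases tracked, a null check performed on r2 also justifies a later access through r1 when r1 = r2.

```python
"""Toy register-type verifier in the style of slides 3-4 (added example)."""
from collections import deque

# Constructed class layout: class -> {field offset -> field type}. Assumption.
LAYOUT = {"Node": {0: "Int", 4: "Node"}}

# Abstract value: (type, nonnull, value_id). Registers sharing a non-None
# value_id are known to hold the same value (the equivalence class).
def join_value(a, b):
    ty = a[0] if a[0] == b[0] else "Top"        # simplification: no subclass lub
    return (ty, a[1] and b[1], a[2] if a[2] == b[2] else None)

def join_state(old, new):
    """Least upper bound of two register maps. A register defined on only
    one incoming path is dropped, i.e. undefined at the join point."""
    if old is None:
        return dict(new)
    return {r: join_value(old[r], new[r]) for r in old if r in new}

def refine_nonnull(state, reg):
    """Fall-through edge of a null check: reg and every register in its
    equivalence class become non-null."""
    vid = state[reg][2]
    return {r: (ty, True, v) if (r == reg or (vid is not None and v == vid)) else (ty, nn, v)
            for r, (ty, nn, v) in state.items()}

def step(pc, instr, state, errors, track_aliases):
    """Transfer function: returns the list of (successor pc, successor state)."""
    op, st = instr[0], dict(state)
    if op == "load_imm":
        st[instr[1]] = ("Int", True, ("def", pc));  return [(pc + 1, st)]
    if op == "new":
        st[instr[1]] = (instr[2], True, ("def", pc)); return [(pc + 1, st)]
    if op in ("move", "ldfield", "beqz") and instr[2 if op != "beqz" else 1] not in st:
        errors.append((pc, f"{instr[2 if op != 'beqz' else 1]} used before definition")); return []
    if op == "move":
        ty, nn, vid = st[instr[2]]
        if vid is None and track_aliases:               # give the pair a shared id
            vid = ("def", pc); st[instr[2]] = (ty, nn, vid)
        st[instr[1]] = (ty, nn, vid if track_aliases else ("def", pc))
        return [(pc + 1, st)]
    if op == "ldfield":
        dst, src, off = instr[1], instr[2], instr[3]
        ty, nn, _ = st[src]
        if ty not in LAYOUT:
            errors.append((pc, f"{src} has type {ty}, not an object")); return []
        if not nn:                                       # slide 3: missing null check
            errors.append((pc, f"possible null dereference of {src}")); return []
        if off not in LAYOUT[ty]:
            errors.append((pc, f"offset {off} is not a field of {ty}")); return []
        fty = LAYOUT[ty][off]
        st[dst] = (fty, fty == "Int", ("def", pc))       # a loaded pointer may be null
        return [(pc + 1, st)]
    if op == "beqz":                                     # taken edge: reg == 0 (null)
        return [(instr[2], st), (pc + 1, refine_nonnull(st, instr[1]))]
    if op == "jump":
        return [(instr[1], st)]
    if op == "ret":
        return []
    errors.append((pc, f"unknown opcode {op}")); return []

def verify(program, track_aliases=True):
    """Abstract interpretation to a fixed point; returns sorted (pc, message) errors."""
    errors, states, work = [], [None] * len(program), deque([0])
    states[0] = {}
    while work:
        pc = work.popleft()
        for succ, st in step(pc, program[pc], states[pc], errors, track_aliases):
            if succ >= len(program):
                errors.append((pc, "control falls off the end of the method")); continue
            joined = join_state(states[succ], st)
            if joined != states[succ]:                   # state went up: re-analyse
                states[succ] = joined; work.append(succ)
    return sorted(set(errors))

# Constructed sample programs (pc = list index).
LIST_WALK = [("new", "r1", "Node"), ("load_imm", "r2", 0),
             ("beqz", "r1", 6),                          # loop head with null check
             ("ldfield", "r3", "r1", 0), ("ldfield", "r1", "r1", 4),
             ("jump", 2), ("ret",)]
MISSING_CHECK = [("new", "r1", "Node"), ("ldfield", "r1", "r1", 4),
                 ("ldfield", "r3", "r1", 0), ("ret",)]   # no check before pc 2
ALIAS_CHECK = [("new", "r1", "Node"), ("ldfield", "r1", "r1", 4),
               ("move", "r2", "r1"), ("beqz", "r2", 6),  # check done on the copy r2
               ("ldfield", "r3", "r1", 0), ("jump", 7),  # access through r1
               ("load_imm", "r3", 0), ("ret",)]

if __name__ == "__main__":
    for name, prog in [("LIST_WALK", LIST_WALK), ("MISSING_CHECK", MISSING_CHECK),
                       ("ALIAS_CHECK", ALIAS_CHECK)]:
        print(name, verify(prog))
    print("ALIAS_CHECK without equivalence classes", verify(ALIAS_CHECK, track_aliases=False))
```

`LIST_WALK` needs two passes over the loop head before the state stops changing, which is the fixed-point iteration of slide 4; `MISSING_CHECK` is rejected at pc 2, the "did not emit null pointer check" case of slide 3; `ALIAS_CHECK` verifies only when r1 = r2 is recorded, and is rejected at pc 4 with `track_aliases=False`, which is exactly the difference from the JVML verifier that the slide calls out.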

Page 5

Coolaid as an Open Verifier

[Figure: architecture diagram. Trusted side: the Core and the Decoder (code → states). Untrusted side: the Extension, made up of the Standard COOL Verifier (states → next states), an Adapter (verifier state → predicates), and Definitions and Lemmas.]

Page 6

Summary

• COOL [Aiken et al.]
  – more compilers than programs!
  – small language but with realistic challenges, e.g., dynamic dispatch
  – ideal testbed for open verifier project
• COOL Open Verifier
  – test our ideas for an open verification architecture for proof-carrying code
  – provide students with a helpful debugging tool