Coolaid: Debugging Compilers with Untrusted Code Verification

1
Coolaid Debugging Compilers with Untrusted Code
Verification

• Bor-Yuh Evan Chang
• with George Necula, Robert Schneck, and Kun Gao
• May 14, 2003
• OSQ Retreat

2
Code Verification for Compiler Debugging
3
Code Verification for Compiler Debugging

• COOLs type system ensures certain safety
  properties, such as memory safety
• Unverifiable code is either
• not from a certifying COOL compiler
• from a compiler with a code generation scheme
  confusing to the verifier or
• e.g. offset an address by indexing into a table
• from a broken COOL compiler
• e.g. did not emit null pointer check

4
Coolaid vs. JVML Bytecode Verifier

• Similarities
• Abstract interpreter over types for each register
  (roughly)
• Execute a method by proceeding assuming the
  effect as dictated by the method type
• Take least upper bound for each register at join
  points
• Stop when a fixed point is reached

• Differences
• Coolaid verifies low-level assembly
• Need to store some intermediate information
• e.g. a pointer is not null
• e.g. class tag for some object
• Need equivalence classes of values
• i.e. not only that r1 A and r2 A, but that
  r1 r2
• null checks
• Some code generation sensitivity

5
Coolaid as an Open Verifier
Decoder
Core
trusted
untrusted
code
6
Summary

• COOL Aiken et al.
• more compilers than programs!
• small language but with realistic challenges,
  e.g., dynamic dispatch
• ideal testbed for open verifier project
• COOL Open Verifier
• test our ideas for an open verification
  architecture for proof-carrying code
• provide students with a helpful debugging tool