1. Coolaid: Debugging Compilers with Untrusted Code Verification Bor-Yuh Evan Chang with George Necula, Robert Schneck, and Kun Gao May 14, 2003 OSQ Retreat

2. 2 5/14/2003 Code Verification for Compiler Debugging SPIM COOL Compiler SPIM Compiler Test Case Compiled Program Test Cases Stressed CS164 Student COOL Compiler Coolaid COOL Verifier Compiler Test Case Relaxed CS164 Student

3. 3 5/14/2003 Code Verification for Compiler Debugging COOL’s type system ensures certain safety properties, such as memory safety Unverifiable code is either –not from a certifying COOL compiler; –from a compiler with a code generation scheme confusing to the verifier; or e.g. offset an address by indexing into a table –from a broken COOL compiler e.g. did not emit null pointer check

4. 4 5/14/2003 Coolaid vs. JVML Bytecode Verifier Similarities Abstract interpreter over types for each register (roughly) “Execute” a method by proceeding assuming the effect as dictated by the method type Take least upper bound for each register at join points Stop when a fixed point is reached Differences Coolaid verifies low-level assembly Need to store some intermediate information –e.g. a pointer is not null –e.g. class tag for some object Need equivalence classes of values –i.e. not only that r 1 : A and r 2 : A, but that r 1 = r 2 –null checks Some code generation sensitivity

5. 5 5/14/2003 Extension Decoder Coolaid as an Open Verifier Core code trusted untrusted states next states StandardCOOLVerifier Adapter verifier state ! predicates DefinitionsandLemmas

6. 6 5/14/2003 Summary COOL [Aiken et al.] –more compilers than programs! –small language but with realistic challenges, e.g., dynamic dispatch –ideal testbed for open verifier project COOL Open Verifier –test our ideas for an open verification architecture for proof-carrying code –provide students with a helpful debugging tool