Formally Verified Native Code Generation in an Effectful JIT -- or: Turning the CompCert Backend into a Formally Verified JIT Compiler

TL;DR

This paper presents a formally verified JIT compiler implemented in Coq, which dynamically generates native code while reusing existing proofs from the CompCert verified compiler, addressing the complexity of formalizing impure, multi-component JITs.

Contribution

It introduces a model for a verified JIT that combines dynamic native code generation with formal proofs, leveraging and extending the CompCert correctness proofs.

Findings

Successfully implemented a Coq-based verified JIT prototype.

Reused and extended CompCert's correctness proofs for dynamic compilation.

Demonstrated the feasibility of formal verification for complex, impure JIT components.

Abstract

Modern Just-in-Time compilers (or JITs) typically interleave several mechanisms to execute a program. For faster startup times and to observe the initial behavior of an execution, interpretation can be initially used. But after a while, JITs dynamically produce native code for parts of the program they execute often. Although some time is spent compiling dynamically, this mechanism makes for much faster times for the remaining of the program execution. Such compilers are complex pieces of software with various components, and greatly rely on a precise interplay between the different languages being executed, including on-stack-replacement. Traditional static compilers like CompCert have been mechanized in proof assistants, but JITs have been scarcely formalized so far, partly due to their impure nature and their numerous components. This work presents a model JIT with dynamic generation of native code, implemented and formally verified in Coq. Although some parts of a JIT cannot be written in Coq, we propose a proof methodology to delimit, specify and reason on the impure effects of a JIT. We argue that the daunting task of formally verifying a complete JIT should draw on existing proofs of native code generation. To this end, our work successfully reuses CompCert and its correctness proofs during dynamic compilation. Finally, our prototype can be extracted and executed.