[PPT] - A Principled Intermediate Language for JavaScript Verification PowerPoint Presentation

SLIDE 1

1/40

A Principled Intermediate Language for JavaScript Verification

Daiva Naudˇ zi¯ unien˙ e

Imperial College London

Resource Reasoning Meeting

SLIDE 2

2/40

The Team

Philippa Gardner Gareth Smith Thomas Wood Jos´ e Fragoso Santos Petar Maksimovi´ c

SLIDE 3

3/40

Running Example: Where is Alice?

var Person = function (x) { this.name = x; } Person.prototype.sayHi = function () { return ”Hi! I am ” + this.name; } var alice = new Person(”Alice”); alice .sayHi();

SLIDE 4

4/40

Where is Alice?

var Person = function (x) { this.name = x; }

Person.prototype.sayHi = function() { return “Hi! I am ” + this.name; } var alice = new Person(”Alice”); alice.sayHi();

1.Evaluate the function literal and assign to var Person

2. Evaluate the function literal,

and assign to “Person.prototype.sayHi”

3. Create new object
4. Evaluate function body with this being an object created in Step 3
5. Assign new object to var alice
6. Call alice.sayHi()

Person:

lg

@code: “PProc” @scope: [lg] @proto: lfp prototype:

xperson

@proto: lop

xproto

SLIDE 5

5/40

Where is Alice?

var Person = function (x) { this.name = x; }

Person.prototype.sayHi = function() { return “Hi! I am ” + this.name; }

var alice = new Person(”Alice”); alice.sayHi();

1. Evaluate the function literal and assign to var Person

2.Evaluate the function literal, and assign to “Person.prototype.sayHi”

3. Create new object
4. Evaluate function body with this being an object created in Step 3
5. Assign new object to var alice
6. Call alice.sayHi()

Person:

lg

@code: “PProc” @scope: [lg] @proto: lfp prototype:

xperson

@proto: lop sayHi:

xproto

SLIDE 6

6/40

Where is Alice?

var Person = function (x) { this.name = x; } Person.prototype.sayHi = function() { return “Hi! I am ” + this.name; } var alice =new Person(”Alice”); alice.sayHi();

1. Evaluate the function literal and assign to var Person
2. Evaluate the function literal,

and assign to “Person.prototype.sayHi”

3.Create new object

4. Evaluate function body with this being an object created in Step 3
5. Assign new object to var alice
6. Call alice.sayHi()

Person:

lg

@code: “PProc” @scope: [lg] @proto: lfp prototype:

xperson

@proto: lop sayHi:

xproto

@proto:

xthis

SLIDE 7

7/40

Where is Alice?

var Person = function (x) { this.name = x; } Person.prototype.sayHi = function() { return “Hi! I am ” + this.name; } var alice =new Person(”Alice”); alice.sayHi();

1. Evaluate the function literal and assign to var Person
2. Evaluate the function literal,

and assign to “Person.prototype.sayHi”

3. Create new object

4.Evaluate function body with this being an object created in Step 3

5. Assign new object to var alice
6. Call alice.sayHi()

Person:

lg

@code: “PProc” @scope: [lg] @proto: lfp prototype:

xperson

@proto: lop sayHi:

xproto

@proto: name: “Alice”

xthis

SLIDE 8

8/40

Where is Alice?

var Person = function (x) { this.name = x; } Person.prototype.sayHi = function() { return “Hi! I am ” + this.name; }

var alice = new Person(”Alice”);

alice.sayHi();

1. Evaluate the function literal and assign to var Person
2. Evaluate the function literal,

and assign to “Person.prototype.sayHi”

3. Create new object
4. Evaluate function body with this being an object created in Step 3

5.Assign new object to var alice

6. Call alice.sayHi()

alice: Person:

lg

@code: “PProc” @scope: [lg] @proto: lfp prototype:

xperson

@proto: lop sayHi:

xproto

@proto: name: “Alice”

xthis

SLIDE 9

9/40

Where is Alice?

var Person = function (x) { this.name = x; } Person.prototype.sayHi = function() { return “Hi! I am ” + this.name; } var alice = new Person(”Alice”);

alice.sayHi();

1. Evaluate the function literal and assign to var Person
2. Evaluate the function literal,

and assign to “Person.prototype.sayHi”

3. Create new object
4. Evaluate function body with this being an object created in Step 3
5. Assign new object to var alice

6.Call alice.sayHi()

alice: Person:

lg

@code: “PProc” @scope: [lg] @proto: lfp prototype:

xperson

@proto: lop sayHi:

xproto

@proto: name: “Alice”

xthis

SLIDE 10

10/40

Running Wrong Example: We Cannot Find Alice

var Person = function (x) { this.name = x; } Person.prototype.sayHi = function () { return ”Hi! I am ” + this.name; } var alice = Person(”Alice”); alice .sayHi();

SLIDE 11

11/40

We cannot find Alice

var Person = function (x) {

this.name = x;

} Person.prototype.sayHi = function() { return “Hi! I am ” + this.name; } var alice =Person(”Alice”); alice.sayHi();

1. Evaluate the function literal and assign to var Person
2. Evaluate the function literal,

and assign to “Person.prototype.sayHi”

3. Create new object

4.Evaluate function body with this being undefined

5. Assign return value to var alice
6. Call alice.sayHi()

Person:

lg

@code: “PProc” @scope: [lg] @proto: lfp prototype:

xperson

@proto: lop sayHi:

xproto

@proto: name: “Alice”

xthis

SLIDE 12

12/40

Verifying JavaScript Programs

‘Towards a Program Logic for JavaScript’, POPL’12, Gardner, Maffeis, and Smith.

SLIDE 13

13/40

Overall Project

JSVerify: A verification tool for JavaScript programs based on an intermediate language JSIL

JS Logic JSIL Logic JSVerify ES5 Strict JSIL

SLIDE 14

14/40

From ES5 Strict to JSIL - Our choices

We implemented, tested, and proved correct a principled translation from ES5 Strict to JSIL. JSIL was specifically designed as a simple verification language for Javascript:

◮ small language; ◮ simple semantics; ◮ similar memory model to JavaScript’s

memory model.

ES5 Strict JSIL Principled Translation

SLIDE 15

15/40

JSIL

Simple goto language:

C ∈ Cmd

x := E

| skip | goto l | goto [E] l1, l2 l denotes a label and E is an expression with no side effects.

SLIDE 16

16/40

JSIL

Procedure calls:

C ∈ Cmd

x := E

| skip | goto l | goto [E] l1, l2 | x := p(E, . . . , E) p ∈ {E, eval, built-in-PId}

SLIDE 17

17/40

JSIL

JavaScript heap commands:

C ∈ Cmd

x := E

| skip | goto l | goto [E] l1, l2 | x := p(E, . . . , E) | x := new() | x := hasField(E, E) | x := [E, E] | [E, E] := E | x := delete(E, E)

SLIDE 18

18/40

JSIL

Prototype-based inheritance:

C ∈ Cmd

x := E

| skip | goto l | goto [E] l1, l2 | x := p(E, . . . , E) | x := new() | x := hasField(E, E) | x := [E, E] | [E, E] := E | x := delete(E, E) | x := protoField(E, E) | x := protoObj(E, E)

SLIDE 19

19/40

JSIL

C ∈ Cmd

x := E

| skip | goto l | goto [E] l1, l2 | x := p(E, . . . , E) | x := new() | x := hasField(E, E) | x := [E, E] | [E, E] := E | x := delete(E, E) | x := protoField(E, E) | x := protoObj(E, E) Procedure

proc PId(x1, . . . , xn){

0: C0 1: C1

. . .

m: Cm

}

SLIDE 20

20/40

JSIL Logic versus JS Logic

SLIDE 21

21/40

However...

The complexity of JavaScript does not

disappear. It has moved to the code

generated by the translation

SLIDE 22

22/40

Back to Example: Where is Alice?

var Person = function (x) { this.name = x; } var alice = new Person(”Alice”);

SLIDE 23

23/40

Translating: Where is Alice in JSIL?

◮ The translation generates a top level procedure for each

function literal.

◮ The translation generates a special procedure main for the

global code.

◮ No nesting of procedures. JavaScript Code JSIL Code var Person = function (x) { ... } proc PProc(xsc, xthis, x){...} Whole Program proc main(){...}

SLIDE 24

24/40

Translating: Where is Alice in JSIL?

JavaScript Code

var Person =function (x) {

this.name = x; }

var alice = new Person(”Alice”);

1.Evaluate the function literal

2. Assign function object to var Person
3. Create new object
4. Evaluate function body with

this being an object created in Step 3

5. Assign new object to var alice

JSIL Code

xproto := new() [xproto, @proto] := lop xperson := new() [xperson, @code] := “PProc” [xperson, @scope] := [lg] [xperson, @proto] := lfp [xperson, “prototype”] := xproto

lg

@code: “PProc” @scope: [lg] @proto: lfp prototype:

xperson

@proto: lop

xproto

SLIDE 25

25/40

Translating: Where is Alice in JSIL?

JavaScript Code

var Person = function (x) { this.name = x; }

var alice = new Person(”Alice”);

1. Evaluate the function literal

2.Assign function object to var Person

3. Create new object
4. Evaluate function body with

this being an object created in Step 3

5. Assign new object to var Alice

JSIL Code

[lg, “Person”] := xperson

Person:

lg

@code: “PProc” @scope: [lg] @proto: lfp prototype:

xperson

@proto: lop

xproto

SLIDE 26

26/40

Translating: Where is Alice in JSIL?

JavaScript Code

var Person = function (x) { this.name = x; } var alice =new Person(”Alice”);

1. Evaluate the function literal
2. Assign function object to var Person

3.Create new object

4. Evaluate function body with

this being an object created in Step 3

5. Assign new object to var alice

JSIL Code

xthis := new() [xthis, @proto] := xproto

Person:

lg

@code: “PProc” @scope: [lg] @proto: lfp prototype:

xperson

@proto: lop

xproto

@proto:

xthis

SLIDE 27

27/40

Translating: Where is Alice in JSIL?

JavaScript Code

var Person = function (x) { this.name = x; } var alice =new Person(”Alice”);

1. Evaluate the function literal
2. Assign function object to var Person
3. Create new object

4.Evaluate function body with this being an object created in Step 3

5. Assign new object to var alice

JSIL Code

xsc := [xperson, @scope] xf := [xperson, @code] xret := xf(xsc, xthis, “Alice”)

Person:

lg

@code: “PProc” @scope: [lg] @proto: lfp prototype:

xperson

@proto: lop

xproto

@proto: name: “Alice”

xthis

SLIDE 28

28/40

Translating: Where is Alice in JSIL?

JavaScript Code

var Person = function (x) { this.name = x; }

var alice = new Person(”Alice”);

1. Evaluate the function literal
2. Assign function object to var Person
3. Create new object
4. Evaluate function body with

this being an object created in Step 3

5.Assign new object to var alice

JSIL Code

[lg, “alice”] := xthis

alice: Person:

lg

@code: “PProc” @scope: [lg] @proto: lfp prototype:

xperson

@proto: lop

xproto

@proto: name: “Alice”

xthis

SLIDE 29

29/40

Back to Wrong Example: We Cannot Find Alice

var Person = function (name) { this.name = name; } var alice = Person(”Alice”); We “forgot” the new.

SLIDE 30

30/40

Translating: We Cannot Find Alice

JavaScript Code

var Person = function (x) {

this.name = x;

} var alice =Person(”Alice”);

1. Evaluate the function literal
2. Assign function object to var Person
3. Create new object

4.Evaluate function body with this being undefined

5. Assign return value to var alice

JSIL Code

xsc := [xperson, @scope] xf := [xperson, @code] xret := xf(xsc, undefined, “Alice”)

Person:

lg

@code: “PProc” @scope: [lg] @proto: lfp prototype:

xperson

sayHi:

xproto

@proto: name: “Alice”

xthis

SLIDE 31

31/40

Simplifications

Naive translation, but makes soundness proof simple!

ES5 Strict JSIL Translation

SLIDE 32

32/40

Simplifications

Standard compiler optimizations, e.g. constant propagation, dead code elimination, algebraic simplifications etc.

ES5 Strict JSIL Translation Simplifications

SLIDE 33

33/40

Simplifications

Further simplifications using symbolic execution.

ES5 Strict JSIL Translation Further Simplifications

SLIDE 34

34/40

Trusted Translation

ES5 Strict JSIL

Principled

Translation ◮ Proven correct with respect to an

perational semantics

◮ Tested using Test262

SLIDE 35

35/40

Validating the JSIL Compiler

◮ We have used ES6 Test262 ◮ Targeted ES5 Strict Subset

Chapters 8-14 except for:

◮ Getters and Setters ◮ Arguments Object ◮ Property attributes

◮ We pass 100% of our targeted ES5

Strict subset

14998 Tests 11328 Tests 3575 Tests 2365 Tests ES5 Strict Mode Chapters 8-14 Targeted Fragment

SLIDE 36

36/40

JSVerify

◮ Program logic for JSIL and a symbolic execution tool based

n Separation Logic

ES5 Strict + JS Logic Specs JSIL + JISL Specs Symbolic Execution Bi-abduction Logic Rules Entailment coreStar JSVerify

SLIDE 37

37/40

JSVerify - Specifying and Verifying the Example

JavaScript Code

var Person = function (x) { this.name = x } var alice = new Person(”Alice”);

JSIL Code

{(xthis, “name”) → } PProc(xsc, xthis, x){...}

(xthis, “name”) → x∗

ret . = undefined

SLIDE 38

38/40

Specifying and Verifying the Example

Correct Example

   (xperson, @scope) → [lg]∗ (xperson, @code) → “PProc”∗ (xthis, “name”) →    xsc := [xperson, @scope] xf := [xperson, @code] xret := xf (xsc, xthis, “Alice”)          (xperson, @scope) → [lg]∗ (xperson, @code) → “PProc”∗ (xthis, “name”) → “Alice”∗ xsc . = [lg] ∗ xf . = “PProc”∗ xret . = undefined         

The spec:

{(xthis, “name”) → } PProc {(xthis, “name”) → x ∗ ret . = undefined} Person:

lg

@code: “PProc” @scope: [lg] @proto: lfp prototype:

xperson

@proto: lop

xproto

@proto: name: “Alice”

xthis

SLIDE 39

39/40

Specifying and Verifying the Wrong Example

Wrong Example

(xperson, @scope) → [lg]∗ (xperson, @code) → “PProc”

xsc := [xperson, @scope]

xf := [xperson, @code] xret := xf (xsc, undefined, “Alice”)

ERROR!

The spec:

{(xthis, “name”) → } PProc {(xthis, “name”) → x ∗ ret . = undefined} Person:

lg

@code: “PProc” @scope: [lg] @proto: lfp prototype:

xperson

sayHi:

xproto

@proto: name: “Alice”

xthis

SLIDE 40

40/40

Connecting JSIL to other tools

ES5 Strict JSIL JSIL Logic INFER Facebook Tool CBMC Oxford/Amazon VIPER ETH JSVerify