adventures in mechanising and verifying webassembly
play

Adventures in Mechanising and Verifying WebAssembly Conrad Watt - PowerPoint PPT Presentation

Oct 01, 2023 •306 likes •521 views

Adventures in Mechanising and Verifying WebAssembly Conrad Watt University of Cambridge, UK Formal Methods Meets JavaScript, VeTSS Conrad Watt (Cambridge, UK) Mechanising WebAssembly VeTSS 1 / 21 The webs evolution We want richer web

  1. Adventures in Mechanising and Verifying WebAssembly Conrad Watt University of Cambridge, UK Formal Methods Meets JavaScript, VeTSS Conrad Watt (Cambridge, UK) Mechanising WebAssembly VeTSS 1 / 21

  2. The web’s evolution We want richer web apps - 3D rendering, physics, 60fps. Asm.js exists but is too slow and janky. We’re at the limits of JavaScript - need a purpose-built language. http://www.cl.cam.ac.uk/ ∼ pes20/ Conrad Watt (Cambridge, UK) Mechanising WebAssembly VeTSS 2 / 21

  3. The web’s evolution We want richer web apps - 3D rendering, physics, 60fps. Asm.js exists but is too slow and janky. We’re at the limits of JavaScript - need a purpose-built language. https://github.com/evanw/webgl-water Conrad Watt (Cambridge, UK) Mechanising WebAssembly VeTSS 3 / 21

  4. What is WebAssembly? A web-friendly bytecode. Runs on any browser. “Near-native” performance. Targetted by LLVM. Conrad Watt (Cambridge, UK) Mechanising WebAssembly VeTSS 4 / 21

  5. WebAssembly is weird A stack reduction semantics... i32.const 4 i32.const 2 i32.const 1 i32.const 4 ❀ ❀ i32.add i32.const 3 i32.add i32.add i32.const 7 Type: [ i32 ] Type: [ i32 ] Type: [ i32 ] Conrad Watt (Cambridge, UK) Mechanising WebAssembly VeTSS 5 / 21

  6. WebAssembly is weird ...but allows only structured control flow. loop loop i32.const 4 i32.const 4 i32.const 2 label{...} i32.const 2 i32.const 1 i32.const 4 i32.const 1 ❀ ❀ ❀ i32.add i32.const 3 label{...} i32.add i32.add i32.add i32.const 7 i32.add br 0 br 0 br 0 br 0 end end end end Note label is an “administrative” operation. It represents the loop unrolled once, keeping track of the continuation (abbreviated). Conrad Watt (Cambridge, UK) Mechanising WebAssembly VeTSS 6 / 21

  7. The WebAssembly type system All WebAssembly programs must be validated (typed) before execution. WebAssembly instruction types have the form t* → t* i32.const 4 i32.add f32.const 0 i32.add i32.const 4 i32.add Type: Type: Type: [] → [i32] [i32, i32, i32] → [i32] ⊥ Conrad Watt (Cambridge, UK) Mechanising WebAssembly VeTSS 7 / 21

  8. The WebAssembly type system Preservation If a program P is validated with a type ts, the program obtained by running P one step to P’ can also be validated with type ts. Progress For any validated program P that is not a list of constant values or a bare trap result, there exists P’ such that P reduces to P’ Conrad Watt (Cambridge, UK) Mechanising WebAssembly VeTSS 8 / 21

  9. Initial mechanisation and soundness proof Initially based on an accepted draft of the WASM group’s PLDI paper 1 combined with the draft specification. Definitions and proofs in Isabelle. Type soundness properties: preservation and progress. Progress property as stated in the draft had a trivial counterexample. 1 Andreas Haas et al. “Bringing the Web Up to Speed with WebAssembly”. In: Proceedings of the 38th ACM SIGPLAN Conference on Programming Language Design and Implementation . PLDI 2017. New York, NY, USA: ACM, 2017, pp. 185–200. Conrad Watt (Cambridge, UK) Mechanising WebAssembly VeTSS 9 / 21

  10. Problems found - administrative instructions Exceptions did not properly propagate through administrative instructions. Malformed, irreducible nestings of administrative instructions containing a return opcode could be well-typed. Our suggested fixes were incorporated into the specification. label{...} label{...} trap trap trap trap ❀ ❀ i32.add end end Conrad Watt (Cambridge, UK) Mechanising WebAssembly VeTSS 10 / 21

  11. Problems found Various trivial mistakes in the constraints of casting instructions. Big one - host function interface was unsound. 2 After these changes, managed to get a fully mechanised proof of soundness! ( ∼ 5000 LOC) 2 Andreas Rossberg. [spec] Fix and clean up invariants for host functions . Sept. 2017. url : https://github.com/WebAssembly/spec/pull/563 . Conrad Watt (Cambridge, UK) Mechanising WebAssembly VeTSS 11 / 21

  12. Verified reference interpreter Directly animating the mechanised specification was infeasible. For the reduction relation - exception propagation is non-deterministic (but confluent), and the specification leans heavily on recursively defined evaluation contexts. For the typing judgement - there is a weakening rule with no upper bound, and the rules for typing dead code(!) involve a high degree of polymorphism - not syntax-directed. Some of these problems are solvable by re-formulating the mechanisation, but wanted eyeball-closeness with the official specification. Conrad Watt (Cambridge, UK) Mechanising WebAssembly VeTSS 12 / 21

  13. The flow of trust Normative Mechanised specification specification Proven Conformance properties tests Conrad Watt (Cambridge, UK) Mechanising WebAssembly VeTSS 13 / 21

  14. The flow of trust Mechanised Normative executable specification specification Extracted Proven implementation properties (+untrusted interface) Conformance tests Conrad Watt (Cambridge, UK) Mechanising WebAssembly VeTSS 14 / 21

  15. The flow of trust Normative Mechanised specification specification Proven Conformance properties tests Conrad Watt (Cambridge, UK) Mechanising WebAssembly VeTSS 15 / 21

  16. The flow of trust Normative Mechanised Verified specification specification implementation Proven Conformance properties tests Conrad Watt (Cambridge, UK) Mechanising WebAssembly VeTSS 16 / 21

  17. The flow of trust Normative Mechanised Verified specification specification implementation Extracted Proven implementation properties (+untrusted interface) Conformance tests Conrad Watt (Cambridge, UK) Mechanising WebAssembly VeTSS 17 / 21

  18. Solution A separate reference interpreter, and typechecker. Proof of correctness between the inductive rules of the model, and the executable definitions of the interpreter and typechecker. Attempted fuzzing using interpreter as a test oracle - only found crash bugs in industry tools unfortunately. Conrad Watt (Cambridge, UK) Mechanising WebAssembly VeTSS 18 / 21

  19. Next steps The threads proposal! We’ve already seen that specifying interop between JS and WebAssembly isn’t trivial, but this is on another level. Need a compatible axiomatic weak memory model. But more complicated than JS: WASM memory can change size, but (until now) SharedArrayBuffers cannot. Conrad Watt (Cambridge, UK) Mechanising WebAssembly VeTSS 19 / 21

  20. Next steps Already finding bugs in the JS memory model. 3 Atomics.wait(tA, 0, 0) Atomics.store(tA, 0, 1) var x = Atomics.load(tA, 0) || Atomics.wake(tA, 0, 1) Full formal spec for WebAssembly threading is being drafted. Mechanisation? Not impossible, but meaningful proofs could be a lot of work. 3 Conrad Watt. Normative: Strengthen Atomics.wait/wake synchronization to the level of other Atomics operations . Mar. 2018. url : https://github.com/tc39/ecma262/pull/1127 . Conrad Watt (Cambridge, UK) Mechanising WebAssembly VeTSS 20 / 21

  21. Future work Continue looking at SharedArrayBuffer, WASM threads. Verifying ct-wasm (watch this space!). Model module instantiation. Look at Ethereum’s EVM2.0 (?) Conrad Watt (Cambridge, UK) Mechanising WebAssembly VeTSS 21 / 21

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

WEBPACK + WEBASSEMBLY W E B A S S E M B L Y W E B P A C K A N D T H E C H A L L E N G E O F

WEBPACK + WEBASSEMBLY W E B A S S E M B L Y W E B P A C K A N D T H E C H A L L E N G E O F

WEBPACK + WEBASSEMBLY W E B A S S E M B L Y W E B P A C K A N D T H E C H A L L E N G E O F INTRODUCTION WEBASSEMBLY AND ESM WEBASSEMBLY? L OW -L EVEL B INARY F ORMAT FOR C ODE T YPED ( I 8 I 64, F 32, F 64) M EMORY U

657 views • 39 slides
CS/COE 1520 pitt.edu/~ach54/cs1520 WebAssembly WebAssembly WebAssembly is a low-level

CS/COE 1520 pitt.edu/~ach54/cs1520 WebAssembly WebAssembly WebAssembly is a low-level

CS/COE 1520 pitt.edu/~ach54/cs1520 WebAssembly WebAssembly WebAssembly is a low-level language that runs within the web browser with near-native performance for those tasks that demand that level of performance Eg. Augmented/Virtual

312 views • 14 slides
WebAssembly WebAssembly Here Be Dragons JF Bastien Dan Gohman Google Mozilla @jfbastien

WebAssembly WebAssembly Here Be Dragons JF Bastien Dan Gohman Google Mozilla @jfbastien

WebAssembly WebAssembly Here Be Dragons JF Bastien Dan Gohman Google Mozilla @jfbastien @sunfishcode Presentation given at the 2015 LLVM Developers Meeting on October 29th in San Jose, California. JF narrates: WebAssembly is a tale

654 views • 17 slides
Build your own WebAssembly Compiler Colin Eberhardt, Scott Logic Why do we need WebAssembly?

Build your own WebAssembly Compiler Colin Eberhardt, Scott Logic Why do we need WebAssembly?

Build your own WebAssembly Compiler Colin Eberhardt, Scott Logic Why do we need WebAssembly? JavaScript is a compilation target > WebAssembly or wasm is a new portable, size- and load-time-efficient format suitable for compilation to the

800 views • 62 slides
Adventures in Verifying Arithmetic John Harrison Amazon Web Services 28th May 2020 (14:00-15:00

Adventures in Verifying Arithmetic John Harrison Amazon Web Services 28th May 2020 (14:00-15:00

Adventures in Verifying Arithmetic John Harrison Amazon Web Services 28th May 2020 (14:00-15:00 Austin, 12:00-13:00 Pacific) From arithmetic on R to arithmetic on Z Floating-point verification at Intel Crypto bignum verification at

777 views • 66 slides
WebAssembly neither Web nor Assembly, but Revolutionary Jay Phelps | @_jayphelps The WebAssembly

WebAssembly neither Web nor Assembly, but Revolutionary Jay Phelps | @_jayphelps The WebAssembly

WebAssembly neither Web nor Assembly, but Revolutionary Jay Phelps | @_jayphelps The WebAssembly revolution has begun Jay Phelps | @_jayphelps Jay Phelps Chief Software Architect | previously @_jayphelps Support, Dev Rel, Staff Augmentation,

1.33k views • 130 slides
Lets embrace WebAssembly! Lets embrace WebAssembly! EuroPython 2018 - Edinburgh Almar

Lets embrace WebAssembly! Lets embrace WebAssembly! EuroPython 2018 - Edinburgh Almar

Lets embrace WebAssembly! Lets embrace WebAssembly! EuroPython 2018 - Edinburgh Almar Klein What is WebAssembly? What is WebAssembly? WebAssembly == WASM WASM is an OPEN standard ... WASM is an OPEN standard ... Collaborative effort

827 views • 43 slides
Build your own WebAssembly Compiler Colin Eberhardt, Scott Logic https://wasmweekly.news/ Why

Build your own WebAssembly Compiler Colin Eberhardt, Scott Logic https://wasmweekly.news/ Why

Build your own WebAssembly Compiler Colin Eberhardt, Scott Logic https://wasmweekly.news/ Why do we need WebAssembly? JavaScript is a compilation target > WebAssembly or wasm is a new portable, size- and load-time-efficient format

658 views • 62 slides
WebAssembly: Mechanisation, Security, and Concurrency Conrad Watt University of Cambridge

WebAssembly: Mechanisation, Security, and Concurrency Conrad Watt University of Cambridge

WebAssembly: Mechanisation, Security, and Concurrency Conrad Watt University of Cambridge Verified Software Workshop 2019 Conrad Watt (Cambridge) Formal WebAssembly 1 / 24 A brief history of WebAssembly (Wasm) A low-level bytecode,

868 views • 24 slides
Level up with WebAssembly OSCON 2019 Robert Aboukhalil @RobAboukhalil What is WebAssembly?

Level up with WebAssembly OSCON 2019 Robert Aboukhalil @RobAboukhalil What is WebAssembly?

Level up with WebAssembly OSCON 2019 Robert Aboukhalil @RobAboukhalil What is WebAssembly? What is WebAssembly? JavaScript WebAssembly char char * hello() { ( module module return return "Hello OSCON 2019!"; ( table table 0

667 views • 29 slides
WebAssembly: Status & Web IDL Bindings W3C Games Workshop - June, 2019 Luke Wagner Based on

WebAssembly: Status & Web IDL Bindings W3C Games Workshop - June, 2019 Luke Wagner Based on

WebAssembly: Status & Web IDL Bindings W3C Games Workshop - June, 2019 Luke Wagner Based on joint Mozilla/Google presentation to WebAssembly CG last week (link) WebAssembly Status 2017: "MVP" ships in 4 browsers \o/

425 views • 14 slides
Revolution has begun Jay Phelps | @_jayphelps WebAssembly will change the way we think of

Revolution has begun Jay Phelps | @_jayphelps WebAssembly will change the way we think of

The WebAssembly Revolution has begun Jay Phelps | @_jayphelps WebAssembly will change the way we think of "web apps" Jay Phelps | @_jayphelps Jay Phelps Senior Software Engineer | @_jayphelps So... what is WebAssembly? aka wasm Jay

1.48k views • 103 slides
frameworks using WebAssembly Boyan Mihaylov @boyanio boyan.io WebAssembly ( WASM ) is compiler

frameworks using WebAssembly Boyan Mihaylov @boyanio boyan.io WebAssembly ( WASM ) is compiler

The rise of non-JavaScript frameworks using WebAssembly Boyan Mihaylov @boyanio boyan.io WebAssembly ( WASM ) is compiler target for programs on the Web @boyanio @boyanio https://vimeo.com/272924131 The Web of JavaScript frameworks

588 views • 29 slides
Web Evolution and WebAssembly David Herrera Contents Limitations of JavaScript

Web Evolution and WebAssembly David Herrera Contents Limitations of JavaScript

Web Evolution and WebAssembly David Herrera Contents Limitations of JavaScript Evolution of Web performance via asm.js WebAssembly Design Pipeline Decoding Validation Execution Examples

1.93k views • 67 slides
Mechanising Hankin and Barendregt using the Gordon-Melham axioms Michael Norrish

Mechanising Hankin and Barendregt using the Gordon-Melham axioms Michael Norrish

Mechanising Hankin and Barendregt using the Gordon-Melham axioms Michael Norrish Michael.Norrish@nicta.com.au Merlin03: Mechanising Hankin and Barendregt using the Gordon-Melham axioms p.1 Motivation & Outline To investigate the

327 views • 31 slides
Dr Stephen Crabbe September 17 th , 2014 The Adventures of Tom Sawyer (1876) Adventures of

Dr Stephen Crabbe September 17 th , 2014 The Adventures of Tom Sawyer (1876) Adventures of

Looking backwards to look forward: Mark Twain and best practice for developing clear and effective content in our globalised, digitally-connected world Dr Stephen Crabbe September 17 th , 2014 The Adventures of Tom Sawyer (1876) Adventures of

437 views • 21 slides
Effective Ways to Building Strategies Promote Split Refunds Southern Bancorp Community Partners

Effective Ways to Building Strategies Promote Split Refunds Southern Bancorp Community Partners

Commonwealth Mariele McGlazer Virtual Training Series Innovation Manager Granite United Way Cary Gladstone Senior Director of Asset Effective Ways to Building Strategies Promote Split Refunds Southern Bancorp Community Partners Mindy

823 views • 32 slides
WELCOME New Faculty! Orientation Guide These materials are intended to orient new faculty to the

WELCOME New Faculty! Orientation Guide These materials are intended to orient new faculty to the

WELCOME New Faculty! Orientation Guide These materials are intended to orient new faculty to the University of North Carolina School of Medicine and provide resources for additional information. Topics covered in this slide deck include:

681 views • 11 slides
The Budget Outlook for 2018 to 2028 in 11 Slides April 2018 For more details, see

The Budget Outlook for 2018 to 2028 in 11 Slides April 2018 For more details, see

CONGRESSIONAL BUDGET OFFICE The Budget Outlook for 2018 to 2028 in 11 Slides April 2018 For more details, see www.cbo.gov/publication/53651. CBO Deficits as a percentage of gross domestic product are projected to increase over the next few

477 views • 13 slides
Managing Web Service Quality James Skene, Franco Raimondi and Wolfgang Emmerich London Software

Managing Web Service Quality James Skene, Franco Raimondi and Wolfgang Emmerich London Software

Managing Web Service Quality James Skene, Franco Raimondi and Wolfgang Emmerich London Software Systems Dept. of Computer Science University College London http://sse.cs.ucl.ac.uk Setting the scene Deutsche Bank AG has agreed to

414 views • 13 slides
CS5460: Operating Systems Lecture 2: OS Hardware Interface (Chapter 2) CS 5460: Operating

CS5460: Operating Systems Lecture 2: OS Hardware Interface (Chapter 2) CS 5460: Operating

CS5460: Operating Systems Lecture 2: OS Hardware Interface (Chapter 2) CS 5460: Operating Systems Lecture 2 Course web page: http://www.eng.utah.edu/~cs5460/ CADE lab: WEB L224 and L226 http://www.cade.utah.edu/

503 views • 18 slides
Nested Virtualization on ARM NEVE: Nested Virtualization Extensions Jin Tack Lim

Nested Virtualization on ARM NEVE: Nested Virtualization Extensions Jin Tack Lim

Nested Virtualization on ARM NEVE: Nested Virtualization Extensions Jin Tack Lim Christoffer Dall Shih-Wei Li Jason Nieh Marc Zyngier LEADING jitack@cs.columbia.edu christo ff er.dall@linaro.org

986 views • 51 slides
Metaprogramming & JavaScript Object Proxies Prof. Tom Austin San Jos State University

Metaprogramming & JavaScript Object Proxies Prof. Tom Austin San Jos State University

CS 152: Programming Language Paradigms Metaprogramming & JavaScript Object Proxies Prof. Tom Austin San Jos State University What is metaprogramming ? Writing programs that manipulate other programs. JavaScript Proxies

380 views • 27 slides
Camera Trapping + ML Benjamin C. Evans Dr. Allan Tucker Brunel University London Dr. Chris

Camera Trapping + ML Benjamin C. Evans Dr. Allan Tucker Brunel University London Dr. Chris

Camera Trapping + ML Benjamin C. Evans Dr. Allan Tucker Brunel University London Dr. Chris Carbone Instute of Zoology @ ZSL Camera Trapping? Automacally triggered cameras Triggers include Infrared (most common) Tripwire Timer

427 views • 11 slides

More recommend