ER T: : J AV AVASCRIPT V ER CATION T OOL HAIN (P (POP OPL 18) - PowerPoint PPT Presentation

L OG OGIC - BA BASED V ER ERIFIC IFICATIO ION OF OF J AV AVA S CR CRIPT P RO ROGRAMS PET PETAR R MA MAKSIMO IMOVIĆ IĆ IMPERIAL COLLEGE LONDON WITH J OSÉ F RAGOSO S ANTOS , P HILIPPA G ARDNER , D AIVA N AUDŽIŪNIENĖ , AND T HOMAS W OOD FORMAL METHODS MEET JAVASCRIPT IMPERIAL, MARCH 2018

J A V ER ER T: : J AV AVASCRIPT V ER CATION T OOL HAIN (P (POP OPL’ ’ 18) ERIFICA OOLCHA W HAT IS J A V ER T? JaVerT is a semi-automatic verification toolchain for JavaScript based on separation logic W HAT IS ITS PURPOSE ? JaVerT is aimed at the specialist developer wanting rich, mechanically verified specifications of critical JavaScript code

J A V ER ER T: : T HE HE C HAL HALLENGE GES S PECIFICATION C HALLENGE : To design specifications readable by developers (S1) Abstractions that capture key JavaScript concepts Prototype inheritance, variable scoping, function closures Property iteration (for-in) (S2) Abstractions that hide JavaScript internals V ERIFICATION C HALLENGE : To handle the complex nature of JavaScript without simplification (V1) Complexity of JavaScript statements (V2) Fundamental dynamic behaviour of JavaScript Extensible objects, dynamic property access, dynamic function calls (V3) JavaScript internal functions V ALIDATION C HALLENGE To understand what it means for the verification to be trusted

J A V ER ER T: : S PE FICATION C HAL PECIFI HALLENGE GE S PECIFICATION C HALLENGE : To design specifications readable by developers (S1) Abstractions that capture key JavaScript concepts Prototype inheritance, variable scoping, function closures Property iteration (for-in) (S2) Abstractions that hide JavaScript internals V ERIFICATION C HALLENGE : To handle the complex nature of JavaScript without simplification (V1) Complexity of JavaScript statements (V2) Fundamental dynamic behaviour of JavaScript Extensible objects, dynamic property access, dynamic function calls (V3) JavaScript internal functions V ALIDATION C HALLENGE To understand what it means for the verification to be trusted

J AV AVA S CR IPT : : K EY EY -V AL ALUE M AP CRIP AP

J AV AVA S CR IPT : : K EY EY -V AL ALUE M AP CRIP AP B REAKING THE LIBRARY : 1/2

J AV AVA S CR IPT : : K EY EY -V AL ALUE M AP CRIP AP B REAKING THE LIBRARY : 2/2

P RO ROTOTYPE S AF AFETY TY Constructed objects cannot redefine properties that are to be found in their prototypes • Prototypes cannot have non-writable properties that are to be present in their instances • M AP OBJECTS Must not contain get , put , and validKey M AP . PROTOTYPE AND O BJECT . PROTOTYPE Must not contain _contents as non-writable

J AV AVA S CR IPT : : K EY EY -V AL ALUE M AP AP S PE CRIP PECIFI FICATION S OME B ASIC A BSTRACTIONS : JSObject(o) = (o, “@proto”) -> Object.prototype * (o, “@class) -> “Object” * (o, “@extensible”) -> true JSObjectWithProto(o, pr) = (o, “@proto”) -> pr * (o, “@class) -> “Object” * (o, “@extensible”) -> true DataProp(o, p, v) = (o, p) -> [ “d”, v, true, true, true ] FunctionObject(o, id, sc) = (o, “@body”) -> id * (o, “@scope”) -> sc * ...

J AV AVA S CR IPT : : K EY EY -V AL ALUE M AP AP S PE CRIP PECIFI FICATION W HAT DOES IT MEAN TO BE A M AP ? Map (m, mp, kvs) = JSObjectWithProto(m, mp) * (m, "get") -> None * (m, "put") -> None * (m, "validKey") -> None * DataProp(m, "_contents", c) * JSObject(c) * KVPairs(c, kvs) * emptyFields(c | first(kvs)) D ETAIL : KVPairs(c, kvs) captures the key-value pairs of c .

J AV AVA S CR IPT : : K EY EY -V AL ALUE M AP AP S PE CRIP PECIFI FICATION W HAT DOES IT MEAN TO BE A M AP PROTOTYPE ? MapProto (mp) = JSObject(mp) * (mp, "_contents") -> None) * DataProp(mp, "get", gf) * FunctionObject(gf, “get”, g_sc) * DataProp(mp, "put", pf) * FunctionObject(pf, “put”, p_sc) * DataProp(mp, "validKey", vkf) * FunctionObject(vkf, “validKey”, vk_sc) C AVEAT : The definition of MapProto cannot be part of the Map predicate because of shared resource. All maps share the same prototype.

J AV AVA S CR IPT : : K EY EY -V AL ALUE M AP AP S PE CRIP PECIFI FICATION S PECIFICATION OF THE GET FUNCTION [ Map(this, mp, kvs) * MapProto(mp) * (k, v) in kvs * ObjProto() ] get(k) [ Precondition * (ret = v) ] [ Map(this, mp, kvs) * MapProto(mp) * !(k in first(kvs)) * ValidKey(k) * ObjProto() ] get(k) [ Precondition * (ret = null) ]

J A V ER ER T: : T HE HE C HAL HALLENGE GES S PECIFICATION C HALLENGE : To design specifications readable by developers (S1) Abstractions that capture key JavaScript concepts Prototype inheritance, variable scoping, function closures Property iteration (for-in) (S2) Abstractions that hide JavaScript internals V ERIFICATION C HALLENGE : To handle the complex nature of JavaScript without simplification (V1) Complexity of JavaScript statements (V2) Fundamental dynamic behaviour of JavaScript Extensible objects, dynamic property access, dynamic function calls (V3) JavaScript internal functions V ALIDATION C HALLENGE To understand what it means for the verification to be trusted

J A V ER ER T: : O VE VERALL ST STRUCTURE A NNOTATED JS PROGRAMS J A V E R T: J AVA S CRIPT V ERIFICATION T OOLCHAIN JS L OGIC JS PROGRAMS A NNOTATIONS JS-2-JSIL JS-2-JSIL JSIL VERIFICATION I NFRASTRUCTURE C OMPILER L OGIC TRANSLATOR JSIL L OGIC JSIL PROGRAMS A NNOTATIONS A NNOTATED JSIL PROGRAMS JSIL L OGIC SPECS OF JS INTERNAL FUNCTIONS JSIL V ERIFY Yes / No

(V (V1) 1) C OM OF J AV AVA S CR IPT S TAT OMPLEXITY OF CRIP TATEMENTS A NNOTATED JS PROGRAMS J A V E R T: J AVA S CRIPT V ERIFICATION T OOLCHAIN JS L OGIC JS PROGRAMS A NNOTATIONS JS-2-JSIL JS-2-JSIL JSIL VERIFICATION I NFRASTRUCTURE C OMPILER L OGIC TRANSLATOR JSIL L OGIC JSIL PROGRAMS A NNOTATIONS A NNOTATED JSIL PROGRAMS JSIL L OGIC SPECS OF JS INTERNAL FUNCTIONS JSIL V ERIFY Yes / No

(V (V2) 2) F UN UNDAMENTAL D YN YNAMIC B EH OF J AV AVA S CR EHAVIOUR OF CRIP IPT A NNOTATED JS PROGRAMS J A V E R T: J AVA S CRIPT V ERIFICATION T OOLCHAIN JS L OGIC JS PROGRAMS A NNOTATIONS JS-2-JSIL JS-2-JSIL JSIL VERIFICATION I NFRASTRUCTURE C OMPILER L OGIC TRANSLATOR JSIL L OGIC JSIL PROGRAMS A NNOTATIONS A NNOTATED JSIL PROGRAMS JSIL L OGIC SPECS OF JS INTERNAL FUNCTIONS JSIL V ERIFY Yes / No

(V3) (V 3) J AV AVA S CR IPT I NT NAL F UN CRIP NTERNA UNCTIONS A NNOTATED JS PROGRAMS J A V E R T: J AVA S CRIPT V ERIFICATION T OOLCHAIN JS L OGIC JS PROGRAMS A NNOTATIONS JS-2-JSIL JS-2-JSIL JSIL VERIFICATION I NFRASTRUCTURE C OMPILER L OGIC TRANSLATOR JSIL L OGIC JSIL PROGRAMS A NNOTATIONS A NNOTATED JSIL PROGRAMS JSIL L OGIC SPECS OF JS INTERNAL FUNCTIONS JSIL V ERIFY Yes / No

J A V ER ER T: T: T RUS RUSTED V ER ERIFICATION A NNOTATED JS PROGRAMS J A V E R T: J AVA S CRIPT V ERIFICATION T OOLCHAIN JS L OGIC JS PROGRAMS A NNOTATIONS Follows the standard line-by-line P ROPER Tested against JS-2-JSIL Proven JS-2-JSIL ECMAScript JSIL VERIFICATION I NFRASTRUCTURE correct VALIDATION C OMPILER L OGIC TRANSLATOR Test262 test suite Fragment proven correct JSIL L OGIC JSIL PROGRAMS A NNOTATIONS A NNOTATED JSIL PROGRAMS JSIL L OGIC SPECS OF JS INTERNAL FUNCTIONS JSIL Logic JSIL V ERIFY proven sound Satisfied by JSIL reference Yes / No implementations

T HA WELL … HAT WE WENT NT WE O UR SPECIFICATION OF M AP . GET FAILED – HOW CAN WE FIND THE ERROR ? § We assume that JaVerT is working correctly § The specifications seem reasonable, there is no obvious error § Lifting meaningful error messages from JSIL to JavaScript is difficult § JaVerT’s debugging proof trace for this example is 346,786 lines long We cannot expect the developer to go through the proof trace. We need a more robust approach.

C OS OSETTE : : S YM YMBOLIC T ES FOR J AV AVA S CR ESTING FO CRIP IPT Rosette : solver-aided programming language R OSETTE E XTENDED JS PROGRAMS (first-order logic) IMPLEMENTATIONS OF INTERNAL / BUILT - IN FUNCTIONS § JS and JSIL extended with simple constructs JS-2-JSIL C OMPILER for creating/reasoning about symbolic values R OSETTE § JSIL concrete interpreter written in Rosette E XTENDED JSIL PROGRAMS JSIL S YMBOLIC § Concrete interpreter carefully written so that I NTERPRETER Rosette’s solver-aided constructs are lifted, obtaining a JSIL symbolic interpreter Yes (up to a bound) or Counter-model § JSIL symbolic execution formalised and proven sound; absence of false positives proven (joint work with Julian Dolby, IBM)

C OS OSETTE : : S IM IMPLE S YM YMBOLIC T ES FOR M AP AP . GE EST FO GET var k = __s ; /* let k be a symbolic string */ var v = __n ; /* let v be a symbolic number */ var m = new Map(); /* let m be an empty key-value map */ if validKey(k) { /* let k be a valid key */ m.put(k, v); /* put the key-value pair (k, v) in the map */ var w = m.get(k); /* get the value corresponding to the key k */ assert(v = w); /* that value must equal the one that we put */ }

J AV AVA S CR IPT : : K EY EY -V AL ALUE M AP AP R EV CRIP EVISI SITED ED B REAKING THE LIBRARY : 3/3

P RO ROTOTYPE S AF TY R EV AFETY EVISI SITED ED Constructed objects cannot redefine properties that are to be found in their prototypes • Prototypes cannot have non-writable properties that are to be present in their instances • M AP OBJECTS Must not contain get , put , and validKey M AP . PROTOTYPE AND O BJECT . PROTOTYPE Must not contain _contents as non-writable M AP CONTENTS Must not contain hasOwnProperty as non-writable