adventures in mechanising and verifying webassembly
play

Adventures in Mechanising and Verifying WebAssembly Conrad Watt - PowerPoint PPT Presentation

Oct 01, 2023 •306 likes •521 views

Adventures in Mechanising and Verifying WebAssembly Conrad Watt University of Cambridge, UK Formal Methods Meets JavaScript, VeTSS Conrad Watt (Cambridge, UK) Mechanising WebAssembly VeTSS 1 / 21 The webs evolution We want richer web

  1. Adventures in Mechanising and Verifying WebAssembly Conrad Watt University of Cambridge, UK Formal Methods Meets JavaScript, VeTSS Conrad Watt (Cambridge, UK) Mechanising WebAssembly VeTSS 1 / 21

  2. The web’s evolution We want richer web apps - 3D rendering, physics, 60fps. Asm.js exists but is too slow and janky. We’re at the limits of JavaScript - need a purpose-built language. http://www.cl.cam.ac.uk/ ∼ pes20/ Conrad Watt (Cambridge, UK) Mechanising WebAssembly VeTSS 2 / 21

  3. The web’s evolution We want richer web apps - 3D rendering, physics, 60fps. Asm.js exists but is too slow and janky. We’re at the limits of JavaScript - need a purpose-built language. https://github.com/evanw/webgl-water Conrad Watt (Cambridge, UK) Mechanising WebAssembly VeTSS 3 / 21

  4. What is WebAssembly? A web-friendly bytecode. Runs on any browser. “Near-native” performance. Targetted by LLVM. Conrad Watt (Cambridge, UK) Mechanising WebAssembly VeTSS 4 / 21

  5. WebAssembly is weird A stack reduction semantics... i32.const 4 i32.const 2 i32.const 1 i32.const 4 ❀ ❀ i32.add i32.const 3 i32.add i32.add i32.const 7 Type: [ i32 ] Type: [ i32 ] Type: [ i32 ] Conrad Watt (Cambridge, UK) Mechanising WebAssembly VeTSS 5 / 21

  6. WebAssembly is weird ...but allows only structured control flow. loop loop i32.const 4 i32.const 4 i32.const 2 label{...} i32.const 2 i32.const 1 i32.const 4 i32.const 1 ❀ ❀ ❀ i32.add i32.const 3 label{...} i32.add i32.add i32.add i32.const 7 i32.add br 0 br 0 br 0 br 0 end end end end Note label is an “administrative” operation. It represents the loop unrolled once, keeping track of the continuation (abbreviated). Conrad Watt (Cambridge, UK) Mechanising WebAssembly VeTSS 6 / 21

  7. The WebAssembly type system All WebAssembly programs must be validated (typed) before execution. WebAssembly instruction types have the form t* → t* i32.const 4 i32.add f32.const 0 i32.add i32.const 4 i32.add Type: Type: Type: [] → [i32] [i32, i32, i32] → [i32] ⊥ Conrad Watt (Cambridge, UK) Mechanising WebAssembly VeTSS 7 / 21

  8. The WebAssembly type system Preservation If a program P is validated with a type ts, the program obtained by running P one step to P’ can also be validated with type ts. Progress For any validated program P that is not a list of constant values or a bare trap result, there exists P’ such that P reduces to P’ Conrad Watt (Cambridge, UK) Mechanising WebAssembly VeTSS 8 / 21

  9. Initial mechanisation and soundness proof Initially based on an accepted draft of the WASM group’s PLDI paper 1 combined with the draft specification. Definitions and proofs in Isabelle. Type soundness properties: preservation and progress. Progress property as stated in the draft had a trivial counterexample. 1 Andreas Haas et al. “Bringing the Web Up to Speed with WebAssembly”. In: Proceedings of the 38th ACM SIGPLAN Conference on Programming Language Design and Implementation . PLDI 2017. New York, NY, USA: ACM, 2017, pp. 185–200. Conrad Watt (Cambridge, UK) Mechanising WebAssembly VeTSS 9 / 21

  10. Problems found - administrative instructions Exceptions did not properly propagate through administrative instructions. Malformed, irreducible nestings of administrative instructions containing a return opcode could be well-typed. Our suggested fixes were incorporated into the specification. label{...} label{...} trap trap trap trap ❀ ❀ i32.add end end Conrad Watt (Cambridge, UK) Mechanising WebAssembly VeTSS 10 / 21

  11. Problems found Various trivial mistakes in the constraints of casting instructions. Big one - host function interface was unsound. 2 After these changes, managed to get a fully mechanised proof of soundness! ( ∼ 5000 LOC) 2 Andreas Rossberg. [spec] Fix and clean up invariants for host functions . Sept. 2017. url : https://github.com/WebAssembly/spec/pull/563 . Conrad Watt (Cambridge, UK) Mechanising WebAssembly VeTSS 11 / 21

  12. Verified reference interpreter Directly animating the mechanised specification was infeasible. For the reduction relation - exception propagation is non-deterministic (but confluent), and the specification leans heavily on recursively defined evaluation contexts. For the typing judgement - there is a weakening rule with no upper bound, and the rules for typing dead code(!) involve a high degree of polymorphism - not syntax-directed. Some of these problems are solvable by re-formulating the mechanisation, but wanted eyeball-closeness with the official specification. Conrad Watt (Cambridge, UK) Mechanising WebAssembly VeTSS 12 / 21

  13. The flow of trust Normative Mechanised specification specification Proven Conformance properties tests Conrad Watt (Cambridge, UK) Mechanising WebAssembly VeTSS 13 / 21

  14. The flow of trust Mechanised Normative executable specification specification Extracted Proven implementation properties (+untrusted interface) Conformance tests Conrad Watt (Cambridge, UK) Mechanising WebAssembly VeTSS 14 / 21

  15. The flow of trust Normative Mechanised specification specification Proven Conformance properties tests Conrad Watt (Cambridge, UK) Mechanising WebAssembly VeTSS 15 / 21

  16. The flow of trust Normative Mechanised Verified specification specification implementation Proven Conformance properties tests Conrad Watt (Cambridge, UK) Mechanising WebAssembly VeTSS 16 / 21

  17. The flow of trust Normative Mechanised Verified specification specification implementation Extracted Proven implementation properties (+untrusted interface) Conformance tests Conrad Watt (Cambridge, UK) Mechanising WebAssembly VeTSS 17 / 21

  18. Solution A separate reference interpreter, and typechecker. Proof of correctness between the inductive rules of the model, and the executable definitions of the interpreter and typechecker. Attempted fuzzing using interpreter as a test oracle - only found crash bugs in industry tools unfortunately. Conrad Watt (Cambridge, UK) Mechanising WebAssembly VeTSS 18 / 21

  19. Next steps The threads proposal! We’ve already seen that specifying interop between JS and WebAssembly isn’t trivial, but this is on another level. Need a compatible axiomatic weak memory model. But more complicated than JS: WASM memory can change size, but (until now) SharedArrayBuffers cannot. Conrad Watt (Cambridge, UK) Mechanising WebAssembly VeTSS 19 / 21

  20. Next steps Already finding bugs in the JS memory model. 3 Atomics.wait(tA, 0, 0) Atomics.store(tA, 0, 1) var x = Atomics.load(tA, 0) || Atomics.wake(tA, 0, 1) Full formal spec for WebAssembly threading is being drafted. Mechanisation? Not impossible, but meaningful proofs could be a lot of work. 3 Conrad Watt. Normative: Strengthen Atomics.wait/wake synchronization to the level of other Atomics operations . Mar. 2018. url : https://github.com/tc39/ecma262/pull/1127 . Conrad Watt (Cambridge, UK) Mechanising WebAssembly VeTSS 20 / 21

  21. Future work Continue looking at SharedArrayBuffer, WASM threads. Verifying ct-wasm (watch this space!). Model module instantiation. Look at Ethereum’s EVM2.0 (?) Conrad Watt (Cambridge, UK) Mechanising WebAssembly VeTSS 21 / 21

Recommend

WEBPACK + WEBASSEMBLY W E B A S S E M B L Y W E B P A C K A N D T H E C H A L L E N G E O F

WEBPACK + WEBASSEMBLY W E B A S S E M B L Y W E B P A C K A N D T H E C H A L L E N G E O F

WEBPACK + WEBASSEMBLY W E B A S S E M B L Y W E B P A C K A N D T H E C H A L L E N G E O F INTRODUCTION WEBASSEMBLY AND ESM WEBASSEMBLY? L OW -L EVEL B INARY F ORMAT FOR C ODE T YPED ( I 8 I 64, F 32, F 64) M EMORY U

657 views • 39 slides
CS/COE 1520 pitt.edu/~ach54/cs1520 WebAssembly WebAssembly WebAssembly is a low-level

CS/COE 1520 pitt.edu/~ach54/cs1520 WebAssembly WebAssembly WebAssembly is a low-level

CS/COE 1520 pitt.edu/~ach54/cs1520 WebAssembly WebAssembly WebAssembly is a low-level language that runs within the web browser with near-native performance for those tasks that demand that level of performance Eg. Augmented/Virtual

312 views • 14 slides
WebAssembly WebAssembly Here Be Dragons JF Bastien Dan Gohman Google Mozilla @jfbastien

WebAssembly WebAssembly Here Be Dragons JF Bastien Dan Gohman Google Mozilla @jfbastien

WebAssembly WebAssembly Here Be Dragons JF Bastien Dan Gohman Google Mozilla @jfbastien @sunfishcode Presentation given at the 2015 LLVM Developers Meeting on October 29th in San Jose, California. JF narrates: WebAssembly is a tale

654 views • 17 slides
Build your own WebAssembly Compiler Colin Eberhardt, Scott Logic Why do we need WebAssembly?

Build your own WebAssembly Compiler Colin Eberhardt, Scott Logic Why do we need WebAssembly?

Build your own WebAssembly Compiler Colin Eberhardt, Scott Logic Why do we need WebAssembly? JavaScript is a compilation target > WebAssembly or wasm is a new portable, size- and load-time-efficient format suitable for compilation to the

800 views • 62 slides
Adventures in Verifying Arithmetic John Harrison Amazon Web Services 28th May 2020 (14:00-15:00

Adventures in Verifying Arithmetic John Harrison Amazon Web Services 28th May 2020 (14:00-15:00

Adventures in Verifying Arithmetic John Harrison Amazon Web Services 28th May 2020 (14:00-15:00 Austin, 12:00-13:00 Pacific) From arithmetic on R to arithmetic on Z Floating-point verification at Intel Crypto bignum verification at

777 views • 66 slides
WebAssembly neither Web nor Assembly, but Revolutionary Jay Phelps | @_jayphelps The WebAssembly

WebAssembly neither Web nor Assembly, but Revolutionary Jay Phelps | @_jayphelps The WebAssembly

WebAssembly neither Web nor Assembly, but Revolutionary Jay Phelps | @_jayphelps The WebAssembly revolution has begun Jay Phelps | @_jayphelps Jay Phelps Chief Software Architect | previously @_jayphelps Support, Dev Rel, Staff Augmentation,

1.33k views • 130 slides
Lets embrace WebAssembly! Lets embrace WebAssembly! EuroPython 2018 - Edinburgh Almar

Lets embrace WebAssembly! Lets embrace WebAssembly! EuroPython 2018 - Edinburgh Almar

Lets embrace WebAssembly! Lets embrace WebAssembly! EuroPython 2018 - Edinburgh Almar Klein What is WebAssembly? What is WebAssembly? WebAssembly == WASM WASM is an OPEN standard ... WASM is an OPEN standard ... Collaborative effort

827 views • 43 slides
Build your own WebAssembly Compiler Colin Eberhardt, Scott Logic https://wasmweekly.news/ Why

Build your own WebAssembly Compiler Colin Eberhardt, Scott Logic https://wasmweekly.news/ Why

Build your own WebAssembly Compiler Colin Eberhardt, Scott Logic https://wasmweekly.news/ Why do we need WebAssembly? JavaScript is a compilation target > WebAssembly or wasm is a new portable, size- and load-time-efficient format

658 views • 62 slides
WebAssembly: Mechanisation, Security, and Concurrency Conrad Watt University of Cambridge

WebAssembly: Mechanisation, Security, and Concurrency Conrad Watt University of Cambridge

WebAssembly: Mechanisation, Security, and Concurrency Conrad Watt University of Cambridge Verified Software Workshop 2019 Conrad Watt (Cambridge) Formal WebAssembly 1 / 24 A brief history of WebAssembly (Wasm) A low-level bytecode,

868 views • 24 slides
Level up with WebAssembly OSCON 2019 Robert Aboukhalil @RobAboukhalil What is WebAssembly?

Level up with WebAssembly OSCON 2019 Robert Aboukhalil @RobAboukhalil What is WebAssembly?

Level up with WebAssembly OSCON 2019 Robert Aboukhalil @RobAboukhalil What is WebAssembly? What is WebAssembly? JavaScript WebAssembly char char * hello() { ( module module return return "Hello OSCON 2019!"; ( table table 0

667 views • 29 slides
WebAssembly: Status & Web IDL Bindings W3C Games Workshop - June, 2019 Luke Wagner Based on

WebAssembly: Status & Web IDL Bindings W3C Games Workshop - June, 2019 Luke Wagner Based on

WebAssembly: Status & Web IDL Bindings W3C Games Workshop - June, 2019 Luke Wagner Based on joint Mozilla/Google presentation to WebAssembly CG last week (link) WebAssembly Status 2017: "MVP" ships in 4 browsers \o/

425 views • 14 slides
Revolution has begun Jay Phelps | @_jayphelps WebAssembly will change the way we think of

Revolution has begun Jay Phelps | @_jayphelps WebAssembly will change the way we think of

The WebAssembly Revolution has begun Jay Phelps | @_jayphelps WebAssembly will change the way we think of "web apps" Jay Phelps | @_jayphelps Jay Phelps Senior Software Engineer | @_jayphelps So... what is WebAssembly? aka wasm Jay

1.48k views • 103 slides
frameworks using WebAssembly Boyan Mihaylov @boyanio boyan.io WebAssembly ( WASM ) is compiler

frameworks using WebAssembly Boyan Mihaylov @boyanio boyan.io WebAssembly ( WASM ) is compiler

The rise of non-JavaScript frameworks using WebAssembly Boyan Mihaylov @boyanio boyan.io WebAssembly ( WASM ) is compiler target for programs on the Web @boyanio @boyanio https://vimeo.com/272924131 The Web of JavaScript frameworks

588 views • 29 slides
Web Evolution and WebAssembly David Herrera Contents Limitations of JavaScript

Web Evolution and WebAssembly David Herrera Contents Limitations of JavaScript

Web Evolution and WebAssembly David Herrera Contents Limitations of JavaScript Evolution of Web performance via asm.js WebAssembly Design Pipeline Decoding Validation Execution Examples

1.93k views • 67 slides
Mechanising Hankin and Barendregt using the Gordon-Melham axioms Michael Norrish

Mechanising Hankin and Barendregt using the Gordon-Melham axioms Michael Norrish

Mechanising Hankin and Barendregt using the Gordon-Melham axioms Michael Norrish Michael.Norrish@nicta.com.au Merlin03: Mechanising Hankin and Barendregt using the Gordon-Melham axioms p.1 Motivation & Outline To investigate the

327 views • 31 slides
Dr Stephen Crabbe September 17 th , 2014 The Adventures of Tom Sawyer (1876) Adventures of

Dr Stephen Crabbe September 17 th , 2014 The Adventures of Tom Sawyer (1876) Adventures of

Looking backwards to look forward: Mark Twain and best practice for developing clear and effective content in our globalised, digitally-connected world Dr Stephen Crabbe September 17 th , 2014 The Adventures of Tom Sawyer (1876) Adventures of

437 views • 21 slides
with WebAssembly Boyan Mihaylov @boyanio boyan.io https://github.com/boyanio/wasm-class/

with WebAssembly Boyan Mihaylov @boyanio boyan.io https://github.com/boyanio/wasm-class/

In-depth hands-on experience with WebAssembly Boyan Mihaylov @boyanio boyan.io https://github.com/boyanio/wasm-class/ @boyanio WebAssembly ( WASM ) is compiler target for programs on the Web @boyanio function add(a, b) { return a + b; }

962 views • 41 slides
Adventures in Elm GOTO Chicago, 24 May 2016 Adventures in Elm Events, Reproducibility, and

Adventures in Elm GOTO Chicago, 24 May 2016 Adventures in Elm Events, Reproducibility, and

Adventures in Elm GOTO Chicago, 24 May 2016 Adventures in Elm Events, Reproducibility, and Kindness question your principles @jessitron Adventures in Elm Events, Reproducibility, and Kindness Data Data In Out Server UI Everything My

646 views • 39 slides
Mechanising Session Types Onwards and Upwards Francisco Ferreira and Lorenzo Gheri (joint work

Mechanising Session Types Onwards and Upwards Francisco Ferreira and Lorenzo Gheri (joint work

Mechanising Session Types Onwards and Upwards Francisco Ferreira and Lorenzo Gheri (joint work with David Castro, and Nobuko Yoshida) 2019 ABCD Meeting The First Step Do a case study: Language Primitives and Type Discipline for

650 views • 46 slides
Mechanising Blockchain Consensus George Prlea and Ilya Sergey Monday, 8 January 2018 CPP2018

Mechanising Blockchain Consensus George Prlea and Ilya Sergey Monday, 8 January 2018 CPP2018

Mechanising Blockchain Consensus George Prlea and Ilya Sergey Monday, 8 January 2018 CPP2018 1 Context Hundreds of deployed public blockchains $600 625 675 735 755 780 820 billion total market cap (7 day progression since Jan 1 st )

1.32k views • 38 slides
New Kid on the Web: A Study on the Prevalence of WebAssembly in the Wild Marius Musch TU

New Kid on the Web: A Study on the Prevalence of WebAssembly in the Wild Marius Musch TU

New Kid on the Web: A Study on the Prevalence of WebAssembly in the Wild Marius Musch TU Braunschweig Together with Christian Wressnegger, Martin Johns, and Konrad Rieck The native Web Previous attempts at native performance Adobes

783 views • 18 slides
Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of

Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of

Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of Computer Science University of Texas at Austin mihir@cs.utexas.edu 10 November, 2017 1/34 Outline Motivation and related work Our approach

681 views • 34 slides
Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of

Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of

Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of Computer Science University of Texas at Austin mihir@cs.utexas.edu 09 March, 2017 Overview 1. Why we need a verified filesystem 2. Our approach

514 views • 29 slides
The Internet Computer Tonight well explore . . . The need for a new global business and

The Internet Computer Tonight well explore . . . The need for a new global business and

The Internet Computer Tonight well explore . . . The need for a new global business and information infrastructure The emergence of a new computing paradigm: WebAssembly & Cloud 3.0 Combining WebAssembly & Blockchain The importance

752 views • 28 slides

More recommend