Understanding and Verifying JavaScript Programs

Similar documents
An Infrastructure for Tractable Verification of JavaScript Programs

JaVerT: JavaScript Verification Toolchain

DOM: Specification & Client Reasoning

JaVerT: JavaScript Verification Toolchain

Towards Logic-based Verification of JavaScript Programs

JavaScript: Sort of a Big Deal,

Featherweight Firefox

A Structural Operational Semantics for JavaScript

Matching Logic A New Program Verification Approach

Towards a Program Logic for JavaScript

Language Based isolation of Untrusted JavaScript

A Certified JavaScript Interpreter

JavaScript CS 4640 Programming Languages for Web Applications

A Certified JavaScript Interpreter

The Compiler So Far. CSC 4181 Compiler Construction. Semantic Analysis. Beyond Syntax. Goals of a Semantic Analyzer.

CMSC 330: Organization of Programming Languages

Types. Type checking. Why Do We Need Type Systems? Types and Operations. What is a type? Consensus

JavaScript CS 4640 Programming Languages for Web Applications

Semantic Analysis. Outline. The role of semantic analysis in a compiler. Scope. Types. Where we are. The Compiler Front-End

Chapter 3 (part 3) Describing Syntax and Semantics

Semantic Analysis. Outline. The role of semantic analysis in a compiler. Scope. Types. Where we are. The Compiler so far

Scala, Your Next Programming Language

CS 242. Fundamentals. Reading: See last slide

Topics Covered Thus Far. CMSC 330: Organization of Programming Languages. Language Features Covered Thus Far. Programming Languages Revisited

CS558 Programming Languages. Winter 2013 Lecture 3

The role of semantic analysis in a compiler

Informal Semantics of Data. semantic specification names (identifiers) attributes binding declarations scope rules visibility

Anatomy of a Compiler. Overview of Semantic Analysis. The Compiler So Far. Why a Separate Semantic Analysis?

Type Checking. Outline. General properties of type systems. Types in programming languages. Notation for type rules.

G Programming Languages - Fall 2012

CMSC 330: Organization of Programming Languages

Programming Languages, Summary CSC419; Odelia Schwartz

Outline. General properties of type systems. Types in programming languages. Notation for type rules. Common type rules. Logical rules of inference

Principles of Programming Languages

The Compiler So Far. Lexical analysis Detects inputs with illegal tokens. Overview of Semantic Analysis

CSCE 314 Programming Languages. Type System

Introduction to JavaScript p. 1 JavaScript Myths p. 2 Versions of JavaScript p. 2 Client-Side JavaScript p. 3 JavaScript in Other Contexts p.

Modules, Structs, Hashes, and Operational Semantics

Static Analysis for JavaScript

SEMANTIC ANALYSIS TYPES AND DECLARATIONS

Compiling Exceptions Correctly

Language Based isolation of Untrusted JavaScript

The design of a programming language for provably correct programs: success and failure

Foundations. Yu Zhang. Acknowledgement: modified from Stanford CS242

Adam Chlipala University of California, Berkeley ICFP 2006

JavaScript. Training Offer for JavaScript Introduction JavaScript. JavaScript Objects

Principles of Programming Languages

Type Inference Systems. Type Judgments. Deriving a Type Judgment. Deriving a Judgment. Hypothetical Type Judgments CS412/CS413

Verified compilers. Guest lecture for Compiler Construction, Spring Magnus Myréen. Chalmers University of Technology

G Programming Languages - Fall 2012

Matching Logic. Grigore Rosu University of Illinois at Urbana-Champaign

Closures. Mooly Sagiv. Michael Clarkson, Cornell CS 3110 Data Structures and Functional Programming

ITT8060 Advanced Programming

Clock-directed Modular Code-generation for Synchronous Data-flow Languages

1. true / false By a compiler we mean a program that translates to code that will run natively on some machine.

G Programming Languages Spring 2010 Lecture 4. Robert Grimm, New York University

Intermediate Code Generation

JavaScript: the language of browser interactions. Claudia Hauff TI1506: Web and Database Technology

The course is supplemented by numerous hands-on labs that help attendees reinforce their theoretical knowledge of the learned material.

SE352b: Roadmap. SE352b Software Engineering Design Tools. W3: Programming Paradigms

Separation Logic Tutorial

Semantics-Based Program Verifiers for All Languages

Static Semantics. Winter /3/ Hal Perkins & UW CSE I-1

Using Scala for building DSL s

INF5750. Introduction to JavaScript and Node.js

Compiler Theory. (Semantic Analysis and Run-Time Environments)

DEFINING A LANGUAGE. Robert Harper. Friday, April 27, 12

Verification of an ML compiler. Lecture 3: Closures, closure conversion and call optimisations

Compiler Construction

A Program Logic for JavaScript

ADsafety. Type-based Verification of JavaScript Sandboxing. Joe Gibbs Politz Spiridon Aristides Eliopoulos Arjun Guha Shriram Krishnamurthi

Formal Semantics of Programming Languages

Semantic Analysis. Lecture 9. February 7, 2018

A New Verified Compiler Backend for CakeML. Yong Kiam Tan* Magnus O. Myreen Ramana Kumar Anthony Fox Scott Owens Michael Norrish

Introduction to SML Getting Started

Compiler Construction

Formal Semantics of Programming Languages

CSCI-GA Scripting Languages

CSCI 3155: Principles of Programming Languages Exam preparation #1 2007

CS 415 Midterm Exam Spring 2002

5. Semantic Analysis!

FreePascal changes: user documentation

A Type System for Functional Traversal-Based Aspects

Application: Programming Language Semantics

K and Matching Logic

Lectures 20, 21: Axiomatic Semantics

A Structural Operational Semantics for JavaScript

Compilers. Type checking. Yannis Smaragdakis, U. Athens (original slides by Sam

Compiler Construction

Last name:... First name:... Department (if not D-INFK):...

From Hoare Logic to Matching Logic Reachability. Grigore Rosu and Andrei Stefanescu University of Illinois, USA

Z Notation. June 21, 2018

An Extensible Programming Language for Verified Systems Software. Adam Chlipala MIT CSAIL WG 2.16 meeting, 2012

Compiler Construction

CSE 413 Languages & Implementation. Hal Perkins Winter 2019 Structs, Implementing Languages (credits: Dan Grossman, CSE 341)

5. Semantic Analysis. Mircea Lungu Oscar Nierstrasz

B l o c k B i n d i n g s

Compiler Construction

CS 4240: Compilers and Interpreters Project Phase 1: Scanner and Parser Due Date: October 4 th 2015 (11:59 pm) (via T-square)

An Overview to Compiler Design. 2008/2/14 \course\cpeg421-08s\topic-1a.ppt 1

Transcription:

Understanding and Verifying JavaScript Programs Philippa Gardner Imperial College London LFCS 30th Anniversary 1/31

JavaScript at Imperial Philippa Gardner José Fragoso Santos Petar Maksimović Daiva Naudˇziūnienė Azalea Raad Thomas Wood 2/31

Mechanised Language Specification Standard ML: formal definition Milner, Harper, MacQueen, Tofte, 1990 and 1997; mechanised definition Lee, Crary, Harper, 2006. C: many partial definitions, some mechanised e.g. by Norrish 1998, Leroy 2009; complete mechanised definition Ellison, Rosu, 2012; lots of recent work on C11, e.g. Batty s thesis, 2014. Fragments of Java: many partial (large) definitions, first studied by Drossopoulou, Eisenbach, 1997; mechanised definition, Syme, 1998. Javascript: complete formal definition of the ECMAScript 3 standard (ES3), Maffeis, Mitchell, Tally, 2008; mechanised definition of ES5, us, 2014; Park, Stefanescu, Rosu, 2015. 3/31

JavaScript at Imperial DOM Specification P. Gardner, G. Smith, M. Wheelhouse, U. Zarfaty. Local Hoare Reasoning about the DOM, PODS 2008. 4/31

JavaScript at Imperial DOM Specification JSLogic: a program logic for JavaScript P. Gardner, S. Maffeis, G. Smith. Towards a Program Logic for JavaScript, POPL 2012. 4/31

JavaScript at Imperial DOM Specification JSLogic: a program logic for JavaScript JSCert: a mechanised specification of ES5 in Coq M. Bodin, A. Charguéraud, D. Filaretti, P. Gardner, S. Maffeis, D. Naudžiūnienė, A. Schmitt, G. Smith. A Trusted Mechanised JavaScript Specification, POPL 2014. JSCert JSRef Inria Collaborators JavaScript Test262 A. Schmitt A. Charguéraud M. Bodin 4/31

JavaScript at Imperial DOM Specification JSLogic: a program logic for JavaScript JSCert: a mechanised specification of ES5 in Coq JSIL: an intermediate language for JavaScript JSVerify: a verification tool for JavaScript 4/31

JavaScript and Verification JavaScript 5/31

JavaScript and Verification ECMAScript 5 English Standard Language Libraries How is it organised? Chapters 1-7: Overview, notation, parsing Chapters 8-14: Language constructs Chapter 15: Library functions 6/31

JavaScript and Verification ES5 Strict Language Libraries How is it organised? Same as before; strict-only features throughout chapters 8-15 How is it different? Better behavioural properties: lexicographic scoping, mandatory variable declarations, explicit error throwing... 7/31

JavaScript and Verification Core ES5 Strict Non-core Libraries What is Core ES5 Strict? All of the language constructs Core library functions Non-core library functions definable using the core language Why the core language? Important for verification 8/31

Verifying Core ES5 Strict Core ES5 Strict JSIL: simple intermediate goto language, good for verification, memory model similar to JavaScript Semantics-directed compilation from Core ES5 Strict to JSIL Core library functions implemented in JSIL JSVerify: Smallfoot-like verification tool for JSIL (in future for JavaScript) Core library functions specified and verified using JSVerify 9/31

JavaScript vs. JSIL Verification 10/31

Incorporating Non-core Libraries Non-core Libraries Axiomatic specification to verify client programs Does not follow the standard, which is operational Justification of specifications Informal appeal to the English standard Reference implementation in JSIL or Core ES5 Strict, following the standard, verified with JSVerify, tested against Test262 Verification of industrial-strength library implementations 11/31

Introducing JSIL JSCert Core ES5 Strict Non-core libraries Semantics-directed compilation JSIL 12/31

Introducing JSIL JSCert Core ES5 Strict Non-core libraries Semantics-directed compilation JSIL To be implemented Attributes, for-in, getters/setters, the arguments object Some core library functions 12/31

The Syntax of JSIL Expressions: e ::= v x e e e typeof (e) v e. o e e. v e base (e) field (e) Commands: c ::= skip x := e x := new () x := [e, e] [e, e] := e delete (e) x := hasfield (e, e) x := protofield (e, e) x := protoobj (e, e) goto i goto [e] i, j x := e(e) with j 13/31

The Syntax of JSIL Expressions: e ::= v x e e e typeof (e) v e. o e e. v e base (e) field (e) Commands: c ::= skip x := e x := new () x := [e, e] [e, e] := e delete (e) x := hasfield (e, e) x := protofield (e, e) x := protoobj (e, e) goto i goto [e] i, j x := e(e) with j Extensible objects, dynamic fields 13/31

The Syntax of JSIL Expressions: e ::= v x e e e typeof (e) v e. o e e. v e base (e) field (e) Commands: c ::= skip x := e x := new () x := [e, e] [e, e] := e delete (e) x := hasfield (e, e) x := protofield(e, e) x := protoobj(e, e) goto i goto [e] i, j x := e(e) with j Prototype chains 13/31

The Syntax of JSIL Expressions: e ::= v x e e e typeof (e) v e. o e e. v e base (e) field (e) Commands: c ::= skip x := e x := new () x := [e, e] [e, e] := e delete (e) x := hasfield (e, e) x := protofield (e, e) x := protoobj (e, e) goto i goto [e] i, j x := e(e) with j Dynamic function choice 13/31

The Syntax of JSIL Expressions: e ::= v x e e e typeof (e) v e. o e e. v e base (e) field (e) Commands: c ::= skip x := e x := new () x := [e, e] [e, e] := e delete (e) x := hasfield (e, e) x := protofield (e, e) x := protoobj (e, e) goto i goto [e] i, j x := e(e) with j Procedures: proc ::= proc m(x){c} 13/31

Compiling ES5 Strict to JSIL JavaScript Code Object.prototype.foo = 1; var bar = 2; function f() { this.baz = this.bar + foo; } f.prototype.bar = 3 Three ways of calling f: Function call: f() Method call: this.f() Constructor call: new f() 14/31

Compiling Functions Each function translated to a top-level procedure. Global code translated to a special procedure main. No nesting of procedures. Scope and the this object as first two parameters JavaScript Code JSIL Code function f() {... } proc f(x sc, x this ){...} Global code proc main(){...} 15/31

Compiling ES5 Strict to JSIL Heap JavaScript Code Object.prototype.foo = 1; var bar = 2; function f() { this.baz = this.bar + foo; } f.prototype.bar = 3 16/31

Compiling ES5 Strict to JSIL JavaScript Code Object.prototype.foo = 1; var bar = 2; function f() { this.baz = this.bar + foo; } f.prototype.bar = 3 Heap JSIL Code [l op, foo ] := 1 17/31

Compiling ES5 Strict to JSIL JavaScript Code Object.prototype.foo = 1; var bar = 2; function f() { this.baz = this.bar + foo; } f.prototype.bar = 3 Heap JSIL Code [l g, bar ] := 2 18/31

Compiling ES5 Strict to JSIL JavaScript Code Object.prototype.foo = 1; var bar = 2; function f() { this.baz = this.bar + foo; } f.prototype.bar = 3 Heap JSIL Code x fp := new() [x fp, @proto] := l op x fo := new() [x fo, @code] := f [x fo, @scope] := [l g] [x fo, @proto] :=... [x fo, prototype ] := x fp [l g, f ] := x fo 19/31

Compiling ES5 Strict to JSIL JavaScript Code Object.prototype.foo = 1; var bar = 2; function f() { this.baz = this.bar + foo; } f.prototype.bar = 3 Heap JSIL Code [x fp, bar ] := 3 20/31

Constructor call: new f() JavaScript Code Object.prototype.foo = 1; var bar = 2; function f() { this.baz = this.bar + foo; } f.prototype.bar = 3 Heap new f() constructor call JSIL Code x n := new() x fo := [l g, f ] x fp := [x fo, prototype ] [x n, @proto] := x fp x scope := [x fo, @scope] x this := x n x f := [x fo, @code] x ret := x f (x scope, x this ) 21/31

Constructor call: new f() In this case, the this is bound to the newly created object. this.baz = this.bar + foo 22/31

Constructor call: new f() In this case, the this is bound to the newly created object. this.baz = this.bar + foo Step 1 l n. obaz 22/31

Constructor call: new f() In this case, the this is bound to the newly created object. this.baz = this.bar + foo Step 1 l n. obaz Step 2 l n. obar 22/31

Constructor call: new f() In this case, the this is bound to the newly created object. this.baz = this.bar + foo Step 1 l n. obaz Step 2 l n. obar Step 3 getvalue(l n. obar) 22/31

Constructor call: new f() In this case, the this is bound to the newly created object. this.baz = this.bar + foo Step 1 l n. obaz Step 2 l n. obar Step 3 getvalue(l n. obar) Step 4 3 22/31

Constructor call: new f() In this case, the this is bound to the newly created object. this.baz = this.bar + foo Step 1 l n. obaz Step 2 l n. obar Step 5 l g. vfoo Step 3 getvalue(l n. obar) Step 4 3 22/31

Constructor call: new f() In this case, the this is bound to the newly created object. this.baz = this.bar + foo Step 1 l n. obaz Step 2 l n. obar Step 5 l g. vfoo Step 3 Step 6 getvalue(l n. obar) getvalue(l g. vfoo) Step 4 3 22/31

Constructor call: new f() In this case, the this is bound to the newly created object. this.baz = this.bar + foo Step 1 l n. obaz Step 2 l n. obar Step 5 l g. vfoo Step 3 Step 6 getvalue(l n. obar) getvalue(l g. vfoo) Step 4 Step 7 3 1 22/31

Constructor call: new f() In this case, the this is bound to the newly created object. this.baz = this.bar + foo Step 1 l n. obaz Step 2 l n. obar Step 5 l g. vfoo Step 3 Step 6 getvalue(l n. obar) getvalue(l g. vfoo) Step 4 Step 7 3 1 Step 8 Step 8 4 22/31

Constructor call: new f() In this case, the this is bound to the newly created object. this.baz = this.bar + foo Step 1 l n. obaz Step 2 l n. obar Step 5 l g. vfoo Step 3 Step 6 getvalue(l n. obar) getvalue(l g. vfoo) Step 4 Step 7 3 1 Step 8 Step 8 4 22/31

Function call: f() For function calls in strict mode, this is bound to undefined. this.baz = this.bar + foo Step 1 Step 2 undefined. obaz undefined. obar Step 3 getvalue(undefined. obar) Step 4 ERROR 23/31

Method call: this.f() In this case, this is bound to the global object. this.baz = this.bar + foo Step 1 Step 2 Step 5 l g. obaz l g. obar l g. vfoo Step 3 Step 6 getvalue(l g. obar) getvalue(l g. vfoo) Step 4 Step 7 2 1 Step 8 Step 8 3 24/31

Trust: Proof and Testing JSCert Core ES5 Strict Non-core libraries Similar heaps. Semantics-directed compilation. Pen-and-paper correctness proof. Extensive testing using the Test262 conformance test suite. JSIL 25/31

Testing Methodology and Results ES6 Test262 14998 tests Considerably better test classification than ES5 Test262. 26/31

Testing Methodology and Results ES6 Test262 14998 tests Considerably better test classification than ES5 Test262. ES5 Strict 10958 Tests Tests for ES6 features, Annex B, non-strict mode features 26/31

Testing Methodology and Results ES6 Test262 14998 tests Considerably better test classification than ES5 Test262. Tests for ES6 features, Annex B, non-strict mode features ES5 Strict 10958 Tests Tests for non-core features Core ES5 Strict 4599 Tests 26/31

Testing Methodology and Results ES6 Test262 14998 tests Considerably better test classification than ES5 Test262. Tests for ES6 features, Annex B, non-strict mode features ES5 Strict 10958 Tests Tests for non-core features Core ES5 Strict 4599 Tests Tests for core features still to be implemented Compiler Coverage 2738 Tests 26/31

Testing Methodology and Results ES6 Test262 14998 tests Considerably better test classification than ES5 Test262. Tests for ES6 features, Annex B, non-strict mode features ES5 Strict 10958 Tests Tests for non-core features Core ES5 Strict 4599 Tests Tests for core features still to be implemented Tests using non-implemented core features Compiler Coverage 2738 2481 Tests 26/31

Testing Methodology and Results ES6 Test262 14998 tests Considerably better test classification than ES5 Test262. Tests for ES6 features, Annex B, non-strict mode features ES5 Strict 10958 Tests Tests for non-core features Core ES5 Strict 4599 Tests Tests for core features still to be implemented Tests using non-implemented core features Tests using non-core features Compiler Coverage 2738 2481 2388 Tests 26/31

Testing Methodology and Results ES6 Test262 14998 tests Considerably better test classification than ES5 Test262. Tests for ES6 features, Annex B, non-strict mode features ES5 Strict 10958 Tests Tests for non-core features Core ES5 Strict 4599 Tests Tests for core features still to be implemented Tests using non-implemented core features Tests using non-core features Compiler Coverage 2738 2481 2388 Tests 99.6% success rate, 2378 passes, 10 failures due to parser issues, string/number conversion 26/31

JSVerify: a Smallfoot-type Verification Tool for JSIL JSCert Core ES5 Strict Non-core libraries JSIL JSVerify 27/31

JSVerify for Internal and Core Functions JSVerify is used to specify and verify our JSIL implementations of the internal and core library functions, such as getvalue. Example: getvalue { x. = L.o Y Π(L :: LS, Y, Z) } getvalue(x) {Precondition ret. = Z} getvalue(l n. obar) 3 28/31

JSVerify for Internal and Core Functions JSVerify is used to specify and verify our JSIL implementations of the internal and core library functions, such as getvalue. Example: getvalue { x. = undefined.o Y } getvalue(x) {Precondition ret. = error} getvalue(undefined. obar) ERROR 29/31

JSVerify for Non-core Functions JSCert Core ES5 Strict Non-core libraries JSIL JSVerify Axiomatic specifications for non-core functions Reference implementation in JSIL or Core ES5 Strict, following the standard, verified with JSVerify, tested against Test262 30/31

JSIL as a Service JSCert Core ES5 Strict DOM Non-core libraries JSIL JSVerify CBMC (Oxford/Amazon) Infer (Facebook) Rosette 31/31

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback