2121\Program {Computer Science}
2222\majorprof {John Boyland}
2323\algorithmspagefalse
24+ \figurespagefalse
25+ \tablespagefalse
26+ \ackspagetrue
2427
2528\Abstract {% TODO
2629}
2730
28-
2931\beforepreface
3032
31- \prefacesection {Preface}
32-
33- % TODO
34-
3533\Acks {%
36- % TODO
34+ Certainly, this work would not be possible without the foundational
35+ work by Conrad Watt.
36+ His work continues to be an inspiration, and his kind words of support
37+ about my project instills me with pride to this day.
38+
39+ I would also like to of course thank my adviser Dr. John Boyland, a
40+ phenomenal professor who inspired me to pursue proof mechanization and the
41+ study of programming language design in the first place, for his guidance,
42+ support, and needed nudging that enabled me to complete this project.
43+
44+ I would also like to thank my close friend Alison Saia for always
45+ supporting me and agreeing to proofread this work.
46+
47+ Finally, I must thank my family, my mother Deborah and sister Justine,
48+ for their everlasting and immense support of me and everything I do.
49+ I would be nowhere without them.
3750}
3851
3952\afterpreface
4053
41- \chapter {Introduction }
54+ \chapter {Introduction } % FIXME
4255
4356With the only standardized and widely supported language for the Web being
4457JavaScript, it became more common for other languages to support JavaScript as
@@ -394,38 +407,36 @@ \chapter{Proof Mechanization}
394407Formal handwritten proofs continue to be the standard for showing a given
395408system holds certain properties, but they suffer from several drawbacks.
396409They can be difficult to both read and write, because often they require
397- maintaining a great deal of state of the problem space within one's head
398- at a given time in order to reason about the problem at hand .
410+ maintaining a great deal of state of the problem space within one's head at a
411+ given time.
399412Additionally, making adjustments to logical assertions or intermediate
400413lemmas is challenging, as even a minor adjustment in one section of the proof
401- may cause related statements to no longer hold.
414+ may cause seemingly unrelated statements elsewhere to no longer hold.
402415Finally, they can leave small hidden gaps of missing logic that are easily
403416glossed over by reviewers, such as when something seems so \textit {obviously }
404417the case that no one bothers to question it, or when ambiguously phrased
405418assertions result in potential logical errors.
406419
407- Proof assistants aim to address these goals, by providing a framework in
420+ Proof assistants aim to address these goals by providing a framework in
408421which logical proofs can be encoded in a structured form and verified
409422automatically by the proof assistant software.
410423This encoding of a natural language proof to such a verifiable format is
411424called \textit {mechanization }.
412- Ideally, these mechanizations are also human-readable, and provide a high level
413- of `` eyeball closeness''
414- materials such as language specifications\cite {JSCert }.
415-
416425Proof assistants can be used to model a variety of logical or mathematical
417426systems, though have received much attention for proving properties about
418427programming languages in particular\cite {JSCert ,RustBelt ,WattMechanizing };
419428the (hopefully strict and well-defined) specifications of such languages lend
420429themselves well to translation into mechanized forms.
430+ Ideally, these mechanizations are also human-readable, and provide a high level
431+ of `` eyeball closeness''
432+ materials such as language specifications\cite {JSCert }.
421433
422- Many such proof assistants exist, including Coq\cite {AboutCoq },
434+ Many proof assistants exist, including Coq\cite {AboutCoq },
423435Isabelle\cite {IsabelleOverview }, Lean\cite {LeanProver }, and
424436SASyLF\cite {SASyLF }.
425437In addition to the fundamental purpose of proof verification, many such tools
426438assist proof writers by providing automated proof \textit {tactics } or
427- \textit {methods } which attempt to fully automate the proof for a given
428- assertion.
439+ \textit {methods } which attempt to automate the proof for a given assertion.
429440While this can greatly reduce the tedium of both writing and reading proofs
430441that apply logical steps individually, it also can result in confusion
431442when such proof methods do not behave as expected.
@@ -434,6 +445,8 @@ \chapter{Proof Mechanization}
434445method with the list of rules to apply are often unclear.
435446When reading, automatically-proved assertions provide little context,
436447requiring the reader to simply trust the method's claim about the assertion.
448+ This is particularly the case when certain tactics implicitly include
449+ lemmas or rules, which is possible in certain circumstances.
437450In order to understand the details of the claim, one must deconstruct it
438451either mentally when reading or by reducing it to smaller logical steps
439452when debugging.
@@ -444,11 +457,11 @@ \chapter{Proof Mechanization}
444457\chapter {Soundness }
445458
446459A programming language with a \textit {sound } or \textit {safe } type system
447- provides certain guarantees that operations are only performed on values
448- of the appropriate type. For example, it prevents one from mistakenly
449- adding a number to a string of textual characters, or from attempting
450- to access a nonexistent property of a record or object.
451-
460+ provides certain guarantees that operations are only performed on values of the
461+ appropriate type.
462+ For example, it prevents one from mistakenly adding a number to a string of
463+ textual characters, or from attempting to access a nonexistent property of a
464+ record or object.
452465Typically, a programming language's type system is considered sound when it
453466exhibits the following two primary properties\cite {pfpl2 }:
454467
@@ -479,8 +492,8 @@ \chapter{Soundness}
479492Any number of other logical or operational errors can still arise:
480493the addition operation in \texttt {add } may overflow the maximum value that can
481494be expressed in the number type resulting in the incorrect value being
482- returned, or complex conditional logic or even a mistyping may result in a
483- subtraction being performed instead, for example.
495+ returned, or complex conditional logic or even a character input mistake by the
496+ programmer may result in a subtraction being performed instead, for example.
484497In all of such cases the types of the values are correct and sound, but the
485498values themselves are not.
486499
@@ -490,9 +503,8 @@ \chapter{Soundness}
490503goal of security, vulnerabilities have been found primarily due to its simple
491504linear memory model and the ability to escape the virtual machine sandbox using
492505embedder host functions\cite {LehmannEverything }.
493- However, one issue brought up by the authors could have been prevented by
494- a differently designed sound type system: that memory addresses are simply
495- primitive 32-bit integers.
506+ However, one such issue could have been prevented by a differently designed
507+ sound type system: that memory addresses are simply primitive 32-bit integers.
496508If instead memory addresses had a dedicated type to themselves, functions
497509designed to operate on integers and functions designed to accept memory
498510address pointers would be incompatible, preventing certain remote code
@@ -505,7 +517,6 @@ \chapter{Soundness}
505517In order to confirm the soundness claims made by the rather terse proof, a
506518mechanized proof of the full language specification was developed
507519independently, using the Isabelle/HOL proof assistant\cite {WattMechanizing }.
508-
509520\citeauthor {WattMechanizing }'s mechanization of core WebAssembly took place
510521separately from the development of the language, though it proved crucial in
511522its foundation by identifying several major errors in the official WebAssembly
@@ -519,8 +530,8 @@ \chapter{Soundness}
519530result\cite [p. 61]{WattMechanizing }.
520531
521532In addition to proving soundness of the core language via progress and
522- preservation, the original mechanization included several notable
523- additional properties .
533+ preservation, the original mechanization included several notable additional
534+ features .
524535Firstly, it included one proposal not existing in the initial version of the
525536core language: the Multi-value Proposal\cite {MultiValueProposal }.
526537In the original specification, functions and instructions can return at most
@@ -543,10 +554,10 @@ \chapter{Soundness}
543554steering WebAssembly development.
544555To my knowledge, no work is being done to extend it, and new language features
545556are not required to be mechanized before they are adopted into the standard.
546- Aside from human checks by the Working Group, which are fallible as mentioned
547- in the previous chapter, no process currently exists to prevent proposals from
548- causing errors making the type system no longer sound.
549- While no requirement exists currently, it may be useful to require proof
557+ Aside from human checks by the Working Group, which are fallible for reasons
558+ mentioned in the previous chapter, no process currently exists to prevent
559+ proposals from causing errors making the type system no longer sound.
560+ While no requirement exists currently, it would be useful to require proof
550561that the type system is not adversely affected before a proposal can be
551562finalized and adopted.
552563The Isabelle mechanization, particularly when augmented with the language
@@ -884,8 +895,8 @@ \chapter{Related Work}
884895from core language features.
885896
886897\citeauthor {RustBelt } mechanized a core calculus of the Rust programming
887- language using the Iris proof assistant \cite { RustBelt } and an accompanying
888- \textit { extensible soundness proof
898+ language using the Iris logic framework and an accompanying \textit { extensible
899+ soundness proof} \cite { RustBelt }.
889900Rust is a modern systems language and one of the leading languages with support
890901for compiling to WebAssembly.
891902Notable features of the language include its novel ownership and borrowing
@@ -896,15 +907,16 @@ \chapter{Related Work}
896907use as a starting point---so the authors reduced the language to a
897908continuation-passing style language that includes the core lifetime features
898909mentioned above named $ \lambda _{\textrm {Rust}}$
899- Iris provides built-in support for ownership reasoning, making it a fitting
900- choice for a proof assistant for this task.
910+ Iris\cite {Iris }, a `` Higher-Order Concurrent Separation Logic Framework, implemented and
911+ verified in the Coq proof assistant'' provides built-in support for ownership
912+ reasoning, making it a fitting choice for a proof assistant for this task.
901913\citeauthor {RustBeltRelaxed } extended this work, accounting for relaxed-memory
902914operations in use by concurrent Rust programs\cite {RustBeltRelaxed }.
903915
904916\citeauthor {Watt_2020 }, the author of the original Isabelle WebAssembly
905- mechanization on which my work is based, used the Alloy model checker to find
906- errors in JavaScript's specification causing concurrency issues and compilation
907- problems\cite {Watt_2020 }.
917+ mechanization on which my work is based, used the Alloy model
918+ checker \cite { Alloy } to find errors in JavaScript's specification causing
919+ concurrency issues and compilation problems\cite {Watt_2020 }.
908920In particular, the authors show that JavaScript's concurrency model does not in
909921fact support compilation to the ARMv8 scheme which is used in real-world
910922applications without violating its specified guarantees, and also show that
0 commit comments