Change 'incompletely specified behavior' phrasing to 'limited local nondeterminism' #141
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,53 @@ | ||
| # Nondeterminism in WebAssembly | ||
|
|
||
| WebAssembly is a [portable](Portability.md) sandboxed platform with limited, | ||
| local, nondeterminism. | ||
| * *Limited*: non-deterministic execution can only occur in a small number of | ||
| well-defined cases (described below) and, in those cases, the implementation | ||
| may select from a limited set of possible behaviors. | ||
| * *Local*: when non-deterministic execution occurs, the effect is local, | ||
| there is no "spooky action at a distance". | ||
|
|
||
| The limited, local, non-deterministic model implies: | ||
| * Applications can't access data outside the sandbox without going through | ||
| appropriate APIs, or otherwise escape the sandbox. | ||
| * WebAssembly always maintains valid, trusted callstacks; stray pointer writes | ||
| cannot corrupt return addresses or spilled variables on the stack. | ||
| * Calls and branches always have valid destinations ensuring | ||
| [Control Flow Integrity](http://research.microsoft.com/apps/pubs/default.aspx?id=64250). | ||
| * WebAssembly has no [nasal demons](https://en.wikipedia.org/w/index.php?title=Nasal_demons). | ||
|
|
||
| Ideally, WebAssembly would be fully deterministic (except where nondeterminism | ||
| was essential to the API, like random number generators, date/time functions or | ||
| input events). Nondeterminism is only specified as a compromise when there is no | ||
| other practical way to achieve [portable](Portability.md) native performance. | ||
|
|
||
| The following is a list of the places where the WebAssembly specification | ||
| currently admits nondeterminism: | ||
|
|
||
| - [When threads are added as a feature](EssentialPostMVPFeatures.md#threads), | ||
| even without shared memory, nondeterminism will be visible through the | ||
| ordering of API calls. Shared memory will allow further nondeterminism via | ||
|
There was a problem hiding this comment. I don't know if this is too pedantic, but it's also visible between API calls and WebAssembly program termination. There was a problem hiding this comment. True true, we must never forget termination. |
||
| load/store operations which, | ||
| [following the C++ definition](http://www.hboehm.info/c++mm/sc_proof.html), | ||
| only provide sequentially consistent views of memory in the absence of races. | ||
|
There was a problem hiding this comment. By "races" here, I assume you mean "data races" as is used in that link. I think this is still incomplete. The first bullet covers non-determinism in API ordering, and this bullet covers non-determinism in not getting sequentially consistency. However, a sequentially-consistent interleaving of actions can produce observable behavior differences other than API ordering. I'd like to again propose for consideration the "race condition" terminology as being a more broad term meaning "anything where the non-deterministic ordering is observable", which is exactly what we want and doesn't get bogged down in memory model semantics. There was a problem hiding this comment.
Like what (other than program termination)? There was a problem hiding this comment. Actually, I guess the distinction here is: w/ threads but no shared memory, you have nondeterminism at the API call/termination level. W/ shared memory, you get nondeterminism at the load ops. Is that what you were going after? There was a problem hiding this comment. If we cover those two points, I agree it's not really necessary to mention seq cst; it's just as nondeterministic as non-seq-cst. However, I do like talking about what is nondeterministic; vaguely refering to race conditions doesn't seem to do this, though I'd be happy to see proposed alternatives. There was a problem hiding this comment. Ah, further investigation reveals a clause I didn't spot at first in the link above, which is that it only applies to "programs which [...] do not use atomic operations". Our shared memory is going to have atomic operations, so then it's not immediately clear where we stand there. |
||
|
|
||
| - [Out of bounds heap accesses *may* want some flexibility](AstSemantics.md#out-of-bounds) | ||
|
|
||
| - [NaN bit patterns](AstSemantics.md#floating-point-operations) | ||
|
There was a problem hiding this comment. Add denormal handling: unspecified if we go full IEEE 754 (for scalar and/or vector), or if we DAZ/FTZ. There was a problem hiding this comment. I think this should be a separate conversation/PR (outside the scope of this PR). Also, fwiw, I'd been assuming we'd just (1) initially define DAZ/FTZ, (2) later, only if there is a pressing need, offer more control. There was a problem hiding this comment. Would you mind filing a separate issue so that we can have a discussion about this? Thanks. |
||
|
|
||
| - [Fixed-width SIMD may want some flexibility](EssentialPostMVPFeatures.md#fixed-width-simd) | ||
| - In SIMD.js, floating point values may or may not have subnormals flushed to zero. | ||
| - In SIMD.js, operations ending in "Approximation" return approximations that may vary between platforms. | ||
|
|
||
| - Environment-dependent resource limits may be exhausted. | ||
|
|
||
| ## Note for users of C, C++, and similar languages | ||
|
|
||
| Some operations which have fully defined behavior in WebAssembly itself may nonetheless have undefined behavior at the source code level. For example, while unaligned memory access is fully defined in WebAssembly, C and C++ compilers make no guarantee that a (non-packed) unaligned memory access at the source level is harmlessly translated into an unaligned memory access in WebAssembly. And in practice, popular C and C++ compilers do optimize on the assumption that alignment rules are followed, meaning that they don't always preserve program behavior otherwise. | ||
|
|
||
| On WebAssembly, the primary invariants are always maintained. Demons can't actually fly out your nose, as that would constitute an escape from the sandbox. And, callstacks can't become corrupted. | ||
|
|
||
| Other than that, programs which invoke undefined behavior at the source language level may be compiled into WebAssembly programs which do anything else, including corrupting the contents of the application heap, calling APIs with arbitrary parameters, hanging, trapping, or consuming arbitrary amounts of resources (within the limits). | ||
|
|
||
| [Tools are being developed and ported](Tooling.md) to help developers find and fix bugs in their code. | ||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Capitalize "limited" and "local" above, since they're at the start of sentences.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done