This is exciting for the Ewasm team (Ethereum WebAssembly). We're hoping this new single-pass compilation in Liftoff won't be vulnerable to JIT bombs, which are wasm modules that take a lot longer to compile than they do to execute. JIT bombs would be DoS attack vectors on Ethereum clients using JIT wasm engines, and we found some v8 JIT bombs through fuzz testing some months ago.
Aa EOS is already leveraging WASM, do you know if they implement any hardening against these? I know they use wall clock measurements for some operations.
I mention in the talk that our fuzz tester, Guido Vranken, moved on to fuzzing WAVM (the wasm jit engine used in EOS) after v8. He earned some bounties (only some of them were related to WAVM) and several articles were written about it. I believe WAVM has some constants that can be set low enough to prevent JIT bombs, but I didn't follow the details so I'm not sure. Check out this commit, in particular the changes to WASMSerialization.cpp: https://github.com/EOSIO/eos/commit/af02ebba5d5797b6dcc2f06b...
I'm amused by the "Lift" naming trend for code generators. Mozilla's next gen code generator for wasm will be called "Cranelift" [1]. Probably coincidence.
"lifting" is a common optimization -- moving a computation from inside a loop to outside. It can make a huge difference in numerical functions. For instance, consider the JS code:
for (let i=0; i<a.length; i++) {
a[i] = a[i]*2
}
Without lifting, every time through the loop it has to check that a is an array and (i >= 0 && i < a.length). Lifting lets the compiler move all the checks before the loop and do them once. It's nontrivial to check that the truth value of the check can't possibly change during the loop.
I may be missing something here. Given that i is incremented in the loop, wouldn't the truth value of (i < a.length) change? Or do you mean the two other checks (a is an array and i>= 0)?
I think I'm following, but I'm not sure I completely understand. From the GP:
> Without lifting, every time through the loop it has to check that a is an array and (i >= 0 && i < a.length).
It sounds like these checks are being performed once. Does that mean that instead of it checking in the loop, it's checked prior to and outside of the loop body? Otherwise, I'm not sure how the value of (i < a.length) wouldn't change as the loop is performed multiple times, as the increment expression is called after every loop.
for (let i = 0; i < a.length; i++) {
a[i] = a[i]*2
}
Has to be converted into something that can be run onto a machine that won't cause a fatal error if the array `a` doesn't have an item at index `i` (e.g. negative index). It can be converted to the following by a naive compiler:
for (let i = 0; i < a.length; i++) {
if (i > 0 && a < a.length) { // safe to access
a[i] = a[i] * 2
} else {
throw('in a safe way')
}
}
Or, to avoid repetitive checks to a.length:
const temp = a.length
for (let i = 0; i < temp; i++) {
if (i > 0 && a < temp) { // safe to access
a[i] = a[i] * 2
}
}
A more advanced compiler might realise that the if statement is irrelevant, we've defined it in the loop that we'll never have a negative `i` or one above the length of the array, so we can just avoid those checks entirely and actually revert back to the original code to compile. This is not always the case:
const temp = a.length
for (let i = 0; i < temp; i++) {
a[i] = a[i]*2
}
This comes up in interesting places, like why it is faster to go through an array backwards than forwards[0].
I think it is that since the length is never mutated in the body the check can be simplified. From a generic dictionary lookup to comparison to a constant int.
If the array structure itself were being modified, the "i < a.length" check would have to be done every iteration, but in this case there's no mutation of the array itself, so it's OK to move "a.length" to a constant outside the loop... and from there it's trivial to move bounds checks outside the loop (and from there: eliminate them entirely)
I would love to see a wasm repl online. Something that's focused on teaching the language, not for people who are going to write compilers that target it, but for people who are confused about what it is and how it works, as a way of demystifying wasm so that they have more confidence in choosing to adopt it. Maybe something that really visualizes the ins and outs of a wasm program, and maybe some kind of dynamic visualization of how the s-expressions transform into stack-based code. Just an idea, but I think it could be useful and fun for someone to make for those of us who want to play around with wasm without installing anything :)
I gave a talk about it back in June. Slides: https://docs.google.com/presentation/d/1n75Mo09HmyruV5S7q0cH... video: https://youtu.be/2eISBAbT3GM?t=1h22m3s