Type Soundness¶

The type system of WebAssembly is sound, implying both type safety and memory safety with respect to the WebAssembly semantics. For example:

All types declared and derived during validation are respected at run time; e.g., every local or global variable will only contain type-correct values, every instruction will only be applied to operands of the expected type, and every function invocation always evaluates to a result of the right type (if it does not diverge, throw an exception, or trap).
No memory location will be read or written except those explicitly defined by the program, i.e., as a local, a global, an element in a table, or a location within a linear memory.
There is no undefined behavior, i.e., the execution rules cover all possible cases that can occur in a valid program, and the rules are mutually consistent.

Soundness also is instrumental in ensuring additional properties, most notably, encapsulation of function and module scopes: no locals can be accessed outside their own function and no module components can be accessed outside their own module unless they are explicitly exported or imported.

The typing rules defining WebAssembly validation only cover the static components of a WebAssembly program. In order to state and prove soundness precisely, the typing rules must be extended to the dynamic components of the abstract runtime, that is, the store, configurations, and administrative instructions. [1]

Contexts¶

In order to check rolled up recursive types, the context is locally extended with an additional component that records the sub type corresponding to each recursive type index within the current recursive type:

𝐶 : : = {\dots, 𝗋 𝖾 𝖼 𝗌 s u b t y p e *}

Types¶

Well-formedness for extended type forms is defined as follows.

Heap Type $𝖻 𝗈 𝗍$ ¶

The heap type is valid.

𝐶 ⊢ 𝖻 𝗈 𝗍 : 𝗈 𝗄

Heap Type $𝗋 𝖾 𝖼 𝑖$ ¶

The recursive type index $𝑖$ must exist in $𝐶 . 𝗋 𝖾 𝖼 𝗌$ .
Then the heap type is valid.

𝐶 . 𝗋 𝖾 𝖼 𝗌 [𝑖] = s u b t y p e 𝐶 ⊢ 𝗋 𝖾 𝖼 𝑖 : 𝗈 𝗄

Value Type $𝖻 𝗈 𝗍$ ¶

The value type is valid.

𝐶 ⊢ 𝖻 𝗈 𝗍 : 𝗈 𝗄

Recursive Types $𝗋 𝖾 𝖼 s u b t y p e *$ ¶

Let $𝐶'$ be the current context $𝐶$ , but where $𝗋 𝖾 𝖼 𝗌$ is $s u b t y p e *$ .
There must be a type index $𝑥$ , such that for each sub type $s u b t y p e 𝑖$ in $s u b t y p e *$ :
- Under the context $𝐶'$ , the sub type $s u b t y p e 𝑖$ must be valid for type index $𝑥 + 𝑖$ and recursive type index $𝑖$ .
Then the recursive type is valid for the type index $𝑥$ .

𝐶, 𝗋 𝖾 𝖼 𝗌 s u b t y p e * ⊢ 𝗋 𝖾 𝖼 s u b t y p e * : 𝗈 𝗄 (𝑥, 0) 𝐶 ⊢ 𝗋 𝖾 𝖼 s u b t y p e * : 𝗈 𝗄 (𝑥)

𝐶 ⊢ 𝗋 𝖾 𝖼 𝜖 : 𝗈 𝗄 (𝑥, 𝑖) 𝐶 ⊢ s u b t y p e : 𝗈 𝗄 (𝑥, 𝑖) 𝐶 ⊢ 𝗋 𝖾 𝖼 s u b t y p e' * : 𝗈 𝗄 (𝑥 + 1, 𝑖 + 1) 𝐶 ⊢ 𝗋 𝖾 𝖼 s u b t y p e s u b t y p e' * : 𝗈 𝗄 (𝑥, 𝑖)

Note

These rules are a generalisation of the ones previously given.

Sub types $𝗌 𝗎 𝖻 𝖿 𝗂 𝗇 𝖺 𝗅 ? h t * c o m p t y p e$ ¶

The composite type $c o m p t y p e$ must be valid.
The sequence $h t *$ may be no longer than $1$ .
For every heap type $h t 𝑘$ in $h t *$ :
- The heap type $h t 𝑘$ must be ordered before a type index $𝑥$ and recursive type index a $𝑖$ , meaning:
  - Either $h t 𝑘$ is a defined type.
  - Or $h t 𝑘$ is a type index $𝑦 𝑘$ that is smaller than $𝑥$ .
  - Or $h t 𝑘$ is a recursive type index $𝗋 𝖾 𝖼 𝑗 𝑘$ where $𝑗 𝑘$ is smaller than $𝑖$ .
- Let sub type $s u b t y p e 𝑘$ be the unrolling of the heap type $h t 𝑘$ , meaning:
  - Either $h t 𝑘$ is a defined type $d e f t y p e 𝑘$ , then $s u b t y p e 𝑘$ must be the unrolling of $d e f t y p e 𝑘$ .
  - Or $h t 𝑘$ is a type index $𝑦 𝑘$ , then $s u b t y p e 𝑘$ must be the unrolling of the defined type $𝐶 . 𝗍 𝗒 𝗉 𝖾 𝗌 [𝑦 𝑘]$ .
  - Or $h t 𝑘$ is a recursive type index $𝗋 𝖾 𝖼 𝑗 𝑘$ , then $s u b t y p e 𝑘$ must be $𝐶 . 𝗋 𝖾 𝖼 𝗌 [𝑗 𝑘]$ .
- The sub type $s u b t y p e 𝑘$ must not contain $𝖿 𝗂 𝗇 𝖺 𝗅$ .
- Let $c o m p t y p e' 𝑘$ be the composite type in $s u b t y p e 𝑘$ .
- The composite type $c o m p t y p e$ must match $c o m p t y p e' 𝑘$ .
Then the sub type is valid for the type index $𝑥$ and recursive type index $𝑖$ .

| h t * | \leq 1 (h t ≺ 𝑥, 𝑖) * (u n r o l l 𝐶 (h t) = 𝗌 𝗎 𝖻 h t' * c o m p t y p e') * 𝐶 ⊢ c o m p t y p e : 𝗈 𝗄 (𝐶 ⊢ c o m p t y p e \leq c o m p t y p e') * 𝐶 ⊢ 𝗌 𝗎 𝖻 𝖿 𝗂 𝗇 𝖺 𝗅 ? h t * c o m p t y p e : 𝗈 𝗄 (𝑥, 𝑖)

where:

(d e f t y p e ≺ 𝑥, 𝑖) = t r u e (𝑦 ≺ 𝑥, 𝑖) = 𝑦 < 𝑥 (𝗋 𝖾 𝖼 𝑗 ≺ 𝑥, 𝑖) = 𝑗 < 𝑖 [2 𝑒 𝑥] u n r o l l 𝐶 (d e f t y p e) = u n r o l l (d e f t y p e) u n r o l l 𝐶 (𝑦) = u n r o l l (𝐶 . 𝗍 𝗒 𝗉 𝖾 𝗌 [𝑦]) u n r o l l 𝐶 (𝗋 𝖾 𝖼 𝑗) = 𝐶 . 𝗋 𝖾 𝖼 𝗌 [𝑗]

Note

This rule is a generalisation of the ones previously given, which only allowed type indices as supertypes.

Defined types $r e c t y p e . 𝑖$ ¶

The defined type $(r e c t y p e . 𝑖)$ is valid if:

The recursive type $r e c t y p e$ is valid for the type index $𝑥$ .

The recursive type $r e c t y p e$ is of the form $(𝗋 𝖾 𝖼 s u b t y p e 𝑛)$ .

$𝑖$ is less than $𝑛$ .

𝐶 ⊢ r e c t y p e : 𝗈 𝗄 (𝑥) r e c t y p e = 𝗋 𝖾 𝖼 s u b t y p e 𝑛 𝑖 < 𝑛 𝐶 ⊢ r e c t y p e . 𝑖 : 𝗈 𝗄

Subtyping¶

In a rolled-up recursive type, a recursive type indices $𝗋 𝖾 𝖼 𝑖$ matches another heap type $h t$ if:

Let $𝗌 𝗎 𝖻 𝖿 𝗂 𝗇 𝖺 𝗅 ? h t' * c o m p t y p e$ be the sub type $𝐶 . 𝗋 𝖾 𝖼 𝗌 [𝑖]$ .
The heap type $h t$ is contained in $h t' *$ .

𝐶 . 𝗋 𝖾 𝖼 𝗌 [𝑖] = 𝗌 𝗎 𝖻 𝖿 𝗂 𝗇 𝖺 𝗅 ? (h t * 1 h t h t * 2) c o m p t y p e 𝐶 ⊢ 𝗋 𝖾 𝖼 𝑖 \leq h t

Note

This rule is only invoked when checking validity of rolled-up recursive types.

Results¶

Results can be classified by result types as follows.

Results $v a l *$ ¶

For each value $v a l 𝑖$ in $v a l *$ :
- The value $v a l 𝑖$ is valid with some value type $𝑡 𝑖$ .
Let $𝑡 *$ be the concatenation of all $𝑡 𝑖$ .
Then the result is valid with result type $[𝑡 *]$ .

(𝑆 ⊢ v a l : 𝑡) * 𝑆 ⊢ v a l * : [𝑡 *]

Results $(𝗋 𝖾 𝖿 . 𝖾 𝗑 𝗇 𝑎) 𝗍 𝗁 𝗋 𝗈 𝗐_𝗋 𝖾 𝖿$ ¶

The value $𝗋 𝖾 𝖿 . 𝖾 𝗑 𝗇 𝑎$ must be valid.
Then the result is valid with result type $[𝑡 *]$ , for any valid closed result types.

𝑆 ⊢ 𝗋 𝖾 𝖿 . 𝖾 𝗑 𝗇 𝑎 : 𝗋 𝖾 𝖿 𝖾 𝗑 𝗇 ⊢ [𝑡 *] : 𝗈 𝗄 𝑆 ⊢ (𝗋 𝖾 𝖿 . 𝖾 𝗑 𝗇 𝑎) 𝗍 𝗁 𝗋 𝗈 𝗐_𝗋 𝖾 𝖿 : [𝑡' *]

Results $𝗍 𝗋 𝖺 𝗉$ ¶

The result is valid with result type $[𝑡 *]$ , for any valid closed result types.

⊢ [𝑡 *] : 𝗈 𝗄 𝑆 ⊢ 𝗍 𝗋 𝖺 𝗉 : [𝑡 *]

Store Validity¶

The following typing rules specify when a runtime store $𝑆$ is valid. A valid store must consist of tag, global, memory, table, function, data, element, structure, array, exception, and module instances that are themselves valid, relative to $𝑆$ .

To that end, each kind of instance is classified by a respective tag, global, memory, table, function, or element, type, or just $𝗈 𝗄$ in the case of data structures, arrays, or exceptions. Module instances are classified by module contexts, which are regular contexts repurposed as module types describing the index spaces defined by a module.

Store $𝑆$ ¶

Each tag instance $t a g i n s t 𝑖$ in $𝑆 . 𝗍 𝖺 𝗀 𝗌$ must be valid with some tag type $t a g t y p e 𝑖$ .
Each global instance $g l o b a l i n s t 𝑖$ in $𝑆 . 𝗀 𝗅 𝗈 𝖻 𝖺 𝗅 𝗌$ must be valid with some global type $g l o b a l t y p e 𝑖$ .
Each memory instance $m e m i n s t 𝑖$ in $𝑆 . 𝗆 𝖾 𝗆 𝗌$ must be valid with some memory type $m e m t y p e 𝑖$ .
Each table instance $t a b l e i n s t 𝑖$ in $𝑆 . 𝗍 𝖺 𝖻 𝗅 𝖾 𝗌$ must be valid with some table type $t a b l e t y p e 𝑖$ .
Each function instance $f u n c i n s t 𝑖$ in $𝑆 . 𝖿 𝗎 𝗇 𝖼 𝗌$ must be valid with some defined type $d e f t y p e 𝑖$ .
Each data instance $d a t a i n s t 𝑖$ in $𝑆 . 𝖽 𝖺 𝗍 𝖺 𝗌$ must be valid.
Each element instance $e l e m i n s t 𝑖$ in $𝑆 . 𝖾 𝗅 𝖾 𝗆 𝗌$ must be valid with some reference type $r e f t y p e 𝑖$ .
Each structure instance $s t r u c t i n s t 𝑖$ in $𝑆 . 𝗌 𝗍 𝗋 𝗎 𝖼 𝗍 𝗌$ must be valid.
Each array instance $a r r a y i n s t 𝑖$ in $𝑆 . 𝖺 𝗋 𝗋 𝖺 𝗒 𝗌$ must be valid.
Each exception instance $e x n i n s t 𝑖$ in $𝑆 . 𝖾 𝗑 𝗇 𝗌$ must be valid.
No reference to a bound structure address must be reachable from itself through a path consisting only of indirections through immutable structure, or array fields or fields of exception instances.
No reference to a bound array address must be reachable from itself through a path consisting only of indirections through immutable structure or array fields or fields of exception instances.
No reference to a bound exception address must be reachable from itself through a path consisting only of indirections through immutable structure or array fields or fields of exception instances.
Then the store is valid.

(𝑆 ⊢ t a g i n s t : t a g t y p e) * (𝑆 ⊢ g l o b a l i n s t : g l o b a l t y p e) * (𝑆 ⊢ m e m i n s t : m e m t y p e) * (𝑆 ⊢ t a b l e i n s t : t a b l e t y p e) * (𝑆 ⊢ f u n c i n s t : d e f t y p e) * (𝑆 ⊢ d a t a i n s t : 𝗈 𝗄) * (𝑆 ⊢ e l e m i n s t : r e f t y p e) * (𝑆 ⊢ s t r u c t i n s t : 𝗈 𝗄) * (𝑆 ⊢ a r r a y i n s t : 𝗈 𝗄) * (𝑆 ⊢ e x n i n s t : 𝗈 𝗄) * 𝑆 = {𝗍 𝖺 𝗀 𝗌 t a g i n s t *, 𝗀 𝗅 𝗈 𝖻 𝖺 𝗅 𝗌 g l o b a l i n s t *, 𝗆 𝖾 𝗆 𝗌 m e m i n s t *, 𝗍 𝖺 𝖻 𝗅 𝖾 𝗌 t a b l e i n s t *, 𝖿 𝗎 𝗇 𝖼 𝗌 f u n c i n s t *, 𝖽 𝖺 𝗍 𝖺 𝗌 d a t a i n s t *, 𝖾 𝗅 𝖾 𝗆 𝗌 e l e m i n s t *, 𝗌 𝗍 𝗋 𝗎 𝖼 𝗍 𝗌 s t r u c t i n s t *, 𝖺 𝗋 𝗋 𝖺 𝗒 𝗌 a r r a y i n s t *, 𝖾 𝗑 𝗇 𝗌 e x n i n s t *} (𝑆 . 𝗌 𝗍 𝗋 𝗎 𝖼 𝗍 𝗌 [𝑎 s] = s t r u c t i n s t) * ((𝗋 𝖾 𝖿 . 𝗌 𝗍 𝗋 𝗎 𝖼 𝗍 𝑎 s) ≫ ̸ + 𝑆 (𝗋 𝖾 𝖿 . 𝗌 𝗍 𝗋 𝗎 𝖼 𝗍 𝑎 s)) * (𝑆 . 𝖺 𝗋 𝗋 𝖺 𝗒 𝗌 [𝑎 a] = a r r a y i n s t) * ((𝗋 𝖾 𝖿 . 𝖺 𝗋 𝗋 𝖺 𝗒 𝑎 a) ≫ ̸ + 𝑆 (𝗋 𝖾 𝖿 . 𝖺 𝗋 𝗋 𝖺 𝗒 𝑎 a)) * (𝑆 . 𝖾 𝗑 𝗇 𝗌 [𝑎 e] = e x n i n s t) * ((𝗋 𝖾 𝖿 . 𝖾 𝗑 𝗇 𝑎 e) ≫ ̸ + 𝑆 (𝗋 𝖾 𝖿 . 𝖾 𝗑 𝗇 𝑎 e)) * ⊢ 𝑆 : 𝗈 𝗄

where $v a l 1 ≫ + 𝑆 v a l 2$ denotes the transitive closure of the following immutable reachability relation on values:

(𝗋 𝖾 𝖿 . 𝗌 𝗍 𝗋 𝗎 𝖼 𝗍 𝑎) ≫ 𝑆 𝑆 . 𝗌 𝗍 𝗋 𝗎 𝖼 𝗍 𝗌 [𝑎] . 𝖿 𝗂 𝖾 𝗅 𝖽 𝗌 [𝑖] i f e x p a n d (𝑆 . 𝗌 𝗍 𝗋 𝗎 𝖼 𝗍 𝗌 [𝑎] . 𝗍 𝗒 𝗉 𝖾) = 𝗌 𝗍 𝗋 𝗎 𝖼 𝗍 f t 𝑖 1 s t f t * 2 (𝗋 𝖾 𝖿 . 𝖺 𝗋 𝗋 𝖺 𝗒 𝑎) ≫ 𝑆 𝑆 . 𝖺 𝗋 𝗋 𝖺 𝗒 𝗌 [𝑎] . 𝖿 𝗂 𝖾 𝗅 𝖽 𝗌 [𝑖] i f e x p a n d (𝑆 . 𝖺 𝗋 𝗋 𝖺 𝗒 𝗌 [𝑎] . 𝗍 𝗒 𝗉 𝖾) = 𝖺 𝗋 𝗋 𝖺 𝗒 s t (𝗋 𝖾 𝖿 . 𝖾 𝗑 𝗇 𝑎) ≫ 𝑆 𝑆 . 𝖾 𝗑 𝗇 𝗌 [𝑎] . 𝖿 𝗂 𝖾 𝗅 𝖽 𝗌 [𝑖] (𝗋 𝖾 𝖿 . 𝖾 𝗑 𝗍 𝖾 𝗋 𝗇 r e f) ≫ 𝑆 r e f

Note

The constraint on reachability through immutable fields prevents the presence of cyclic data structures that can not be constructed in the language. Cycles can only be formed using mutation.

Tag Instances ${𝗍 𝗒 𝗉 𝖾 t a g t y p e}$ ¶

The tag type $t a g t y p e$ must be valid under the empty context.
Then the tag instance is valid with tag type $t a g t y p e$ .

⊢ t a g t y p e : 𝗈 𝗄 𝑆 ⊢ {𝗍 𝗒 𝗉 𝖾 t a g t y p e} : t a g t y p e

Global Instances ${𝗍 𝗒 𝗉 𝖾 m u t 𝑡, 𝗏 𝖺 𝗅 𝗎 𝖾 v a l}$ ¶

The global type $m u t 𝑡$ must be valid under the empty context.
The value $v a l$ must be valid with some value type $𝑡'$ .
The value type $𝑡'$ must match the value type $𝑡$ .
Then the global instance is valid with global type $m u t 𝑡$ .

⊢ m u t 𝑡 : 𝗈 𝗄 𝑆 ⊢ v a l : 𝑡' ⊢ 𝑡' \leq 𝑡 𝑆 ⊢ {𝗍 𝗒 𝗉 𝖾 m u t 𝑡, 𝗏 𝖺 𝗅 𝗎 𝖾 v a l} : m u t 𝑡

Memory Instances ${𝗍 𝗒 𝗉 𝖾 (a d d r t y p e l i m i t s), 𝖻 𝗒 𝗍 𝖾 𝗌 𝑏 *}$ ¶

The memory type $a d d r t y p e l i m i t s$ must be valid under the empty context.
Let $l i m i t s$ be $[𝑛 . . 𝑚]$ .
The length of $𝑏 *$ must equal $𝑚$ multiplied by the page size $64 K i$ .
Then the memory instance is valid with memory type $a d d r t y p e l i m i t s$ .

⊢ a d d r t y p e [𝑛 . . 𝑚] : 𝗈 𝗄 | 𝑏 * | = 𝑛 \cdot 64 K i 𝑆 ⊢ {𝗍 𝗒 𝗉 𝖾 (a d d r t y p e [𝑛 . . 𝑚]), 𝖻 𝗒 𝗍 𝖾 𝗌 𝑏 *} : a d d r t y p e [𝑛 . . 𝑚]

Table Instances ${𝗍 𝗒 𝗉 𝖾 (a d d r t y p e l i m i t s 𝑡), 𝖾 𝗅 𝖾 𝗆 r e f *}$ ¶

The table type $a d d r t y p e l i m i t s 𝑡$ must be valid under the empty context.
Let $l i m i t s$ be $[𝑛 . . 𝑚]$ .
The length of $r e f *$ must equal $𝑛$ .
For each reference $r e f 𝑖$ in the table’s elements $r e f 𝑛$ :
- The reference $r e f 𝑖$ must be valid with some reference type $𝑡' 𝑖$ .
- The reference type $𝑡' 𝑖$ must match the reference type $𝑡$ .
Then the table instance is valid with table type $a d d r t y p e l i m i t s 𝑡$ .

⊢ a d d r t y p e [𝑛 . . 𝑚] 𝑡 : 𝗈 𝗄 | r e f * | = 𝑛 (𝑆 ⊢ r e f : 𝑡') * (⊢ 𝑡' \leq 𝑡) * 𝑆 ⊢ {𝗍 𝗒 𝗉 𝖾 (a d d r t y p e [𝑛 . . 𝑚] 𝑡), 𝖾 𝗅 𝖾 𝗆 r e f *} : a d d r t y p e [𝑛 . . 𝑚] 𝑡

Function Instances ${𝗍 𝗒 𝗉 𝖾 d e f t y p e, 𝗆 𝗈 𝖽 𝗎 𝗅 𝖾 m o d u l e i n s t, 𝖼 𝗈 𝖽 𝖾 f u n c}$ ¶

The defined type $d e f t y p e$ must be valid under an empty context.
The module instance $m o d u l e i n s t$ must be valid with some context $𝐶$ .
Under context $𝐶$ :
- The function $f u n c$ must be valid with some defined type $d e f t y p e'$ .
- The defined type $d e f t y p e'$ must match $d e f t y p e$ .
Then the function instance is valid with defined type $d e f t y p e$ .

⊢ d e f t y p e : 𝗈 𝗄 𝑆 ⊢ m o d u l e i n s t : 𝐶 𝐶 ⊢ f u n c : d e f t y p e' 𝐶 ⊢ d e f t y p e' \leq d e f t y p e 𝑆 ⊢ {𝗍 𝗒 𝗉 𝖾 d e f t y p e, 𝗆 𝗈 𝖽 𝗎 𝗅 𝖾 m o d u l e i n s t, 𝖼 𝗈 𝖽 𝖾 f u n c} : d e f t y p e

Host Function Instances ${𝗍 𝗒 𝗉 𝖾 d e f t y p e, 𝗁 𝗈 𝗌 𝗍 𝖿 𝗎 𝗇 𝖼 h f}$ ¶

The defined type $d e f t y p e$ must be valid under an empty context.
The expansion of defined type $d e f t y p e$ must be some function type $𝖿 𝗎 𝗇 𝖼 [𝑡 * 1] \to [𝑡 * 2]$ .
For every valid store $𝑆 1$ extending $𝑆$ and every sequence $v a l *$ of values whose types coincide with $𝑡 * 1$ :
- Executing $h f$ in store $𝑆 1$ with arguments $v a l *$ has a non-empty set of possible outcomes.
- For every element $𝑅$ of this set:
  - Either $𝑅$ must be $⊥$ (i.e., divergence).
  - Or $𝑅$ consists of a valid store $𝑆 2$ extending $𝑆 1$ and a result $r e s u l t$ whose type coincides with $[𝑡 * 2]$ .
Then the function instance is valid with defined type $d e f t y p e$ .

⊢ d e f t y p e : 𝗈 𝗄 d e f t y p e \approx 𝖿 𝗎 𝗇 𝖼 [𝑡 * 1] \to [𝑡 * 2] \forall 𝑆 1, v a l *, ⊢ 𝑆 1 : 𝗈 𝗄 \land ⊢ 𝑆 ⪯ 𝑆 1 \land 𝑆 1 ⊢ v a l * : [𝑡 * 1] ⟹ h f (𝑆 1; v a l *) \supset \emptyset \land \forall 𝑅 \in h f (𝑆 1; v a l *), 𝑅 = ⊥ \lor \exists 𝑆 2, r e s u l t, ⊢ 𝑆 2 : 𝗈 𝗄 \land ⊢ 𝑆 1 ⪯ 𝑆 2 \land 𝑆 2 ⊢ r e s u l t : [𝑡 * 2] \land 𝑅 = (𝑆 2; r e s u l t) 𝑆 ⊢ {𝗍 𝗒 𝗉 𝖾 d e f t y p e, 𝗁 𝗈 𝗌 𝗍 𝖿 𝗎 𝗇 𝖼 h f} : d e f t y p e

Note

This rule states that, if appropriate pre-conditions about store and arguments are satisfied, then executing the host function must satisfy appropriate post-conditions about store and results. The post-conditions match the ones in the execution rule for invoking host functions.

Any store under which the function is invoked is assumed to be an extension of the current store. That way, the function itself is able to make sufficient assumptions about future stores.

Data Instances ${𝖻 𝗒 𝗍 𝖾 𝗌 𝑏 *}$ ¶

The data instance is valid.

𝑆 ⊢ {𝖻 𝗒 𝗍 𝖾 𝗌 𝑏 *} : 𝗈 𝗄

Element Instances ${𝗍 𝗒 𝗉 𝖾 𝑡, 𝖾 𝗅 𝖾 𝗆 r e f *}$ ¶

The reference type $𝑡$ must be valid under the empty context.
For each reference $r e f 𝑖$ in the elements $r e f 𝑛$ :
- The reference $r e f 𝑖$ must be valid with some reference type $𝑡' 𝑖$ .
- The reference type $𝑡' 𝑖$ must match the reference type $𝑡$ .
Then the element instance is valid with reference type $𝑡$ .

⊢ 𝑡 : 𝗈 𝗄 (𝑆 ⊢ r e f : 𝑡') * (⊢ 𝑡' \leq 𝑡) * 𝑆 ⊢ {𝗍 𝗒 𝗉 𝖾 𝑡, 𝖾 𝗅 𝖾 𝗆 r e f *} : 𝑡

Structure Instances ${𝗍 𝗒 𝗉 𝖾 d e f t y p e, 𝖿 𝗂 𝖾 𝗅 𝖽 𝗌 f i e l d v a l *}$ ¶

The defined type $d e f t y p e$ must be valid under the empty context.
The expansion of $d e f t y p e$ must be a structure type $𝗌 𝗍 𝗋 𝗎 𝖼 𝗍 f i e l d t y p e *$ .
The length of the sequence of field values $f i e l d v a l *$ must be the same as the length of the sequence of field types $f i e l d t y p e *$ .
For each field value $f i e l d v a l 𝑖$ in $f i e l d v a l *$ and corresponding field type $f i e l d t y p e 𝑖$ in $f i e l d t y p e *$ :
- Let $f i e l d t y p e 𝑖$ be $m u t s t o r a g e t y p e 𝑖$ .
- The field value $f i e l d v a l 𝑖$ must be valid with storage type $s t o r a g e t y p e 𝑖$ .
Then the structure instance is valid.

⊢ d t : 𝗈 𝗄 e x p a n d (d t) = 𝗌 𝗍 𝗋 𝗎 𝖼 𝗍 (m u t s t) * (𝑆 ⊢ f v : s t) * 𝑆 ⊢ {𝗍 𝗒 𝗉 𝖾 d t, 𝖿 𝗂 𝖾 𝗅 𝖽 𝗌 f v *} : 𝗈 𝗄

Array Instances ${𝗍 𝗒 𝗉 𝖾 d e f t y p e, 𝖿 𝗂 𝖾 𝗅 𝖽 𝗌 f i e l d v a l *}$ ¶

The defined type $d e f t y p e$ must be valid under the empty context.
The expansion of $d e f t y p e$ must be an array type $𝖺 𝗋 𝗋 𝖺 𝗒 f i e l d t y p e$ .
Let $f i e l d t y p e$ be $m u t s t o r a g e t y p e$ .
For each field value $f i e l d v a l 𝑖$ in $f i e l d v a l *$ :
- The field value $f i e l d v a l 𝑖$ must be valid with storage type $s t o r a g e t y p e$ .
Then the array instance is valid.

⊢ d t : 𝗈 𝗄 e x p a n d (d t) = 𝖺 𝗋 𝗋 𝖺 𝗒 (m u t s t) (𝑆 ⊢ f v : s t) * 𝑆 ⊢ {𝗍 𝗒 𝗉 𝖾 d t, 𝖿 𝗂 𝖾 𝗅 𝖽 𝗌 f v *} : 𝗈 𝗄

Field Values $f i e l d v a l$ ¶

If $f i e l d v a l$ is a value $v a l$ , then:
- The value $v a l$ must be valid with value type $𝑡$ .
- Then the field value is valid with value type $𝑡$ .
Else, $f i e l d v a l$ is a packed value $p a c k v a l$ :
- Let $p a c k t y p e . 𝗉 𝖺 𝖼 𝗄 𝑖$ be the field value $f i e l d v a l$ .
- Then the field value is valid with packed type $p a c k t y p e$ .

𝑆 ⊢ p t . 𝗉 𝖺 𝖼 𝗄 𝑖 : p t

Exception Instances ${𝗍 𝖺 𝗀 𝑎, 𝖿 𝗂 𝖾 𝗅 𝖽 𝗌 v a l *}$ ¶

The store entry $𝑆 . 𝗍 𝖺 𝗀 𝗌 [𝑎]$ must exist.
The expansion of the tag type $𝑆 . 𝗍 𝖺 𝗀 𝗌 [𝑎] . 𝗍 𝗒 𝗉 𝖾$ must be some function type $𝖿 𝗎 𝗇 𝖼 [𝑡 *] \to [𝑡' *]$ .
The result type $[𝑡' *]$ must be empty.
The sequence $v a l 𝑎 𝑠 𝑡$ of values must have the same length as the sequence $𝑡 *$ of value types.
For each value $v a l 𝑖$ in $v a l 𝑎 𝑠 𝑡$ and corresponding value type $𝑡 𝑖$ in $𝑡 *$ , the value $v a l 𝑖$ must be valid with type $𝑡 𝑖$ .
Then the exception instance is valid.

𝑆 . 𝗍 𝖺 𝗀 𝗌 [𝑎] . 𝗍 𝗒 𝗉 𝖾 \approx 𝖿 𝗎 𝗇 𝖼 [𝑡 *] \to [] (𝑆 ⊢ v a l : 𝑡) * 𝑆 ⊢ {𝗍 𝖺 𝗀 𝑎, 𝖿 𝗂 𝖾 𝗅 𝖽 𝗌 v a l *} : 𝗈 𝗄

Export Instances ${𝗇 𝖺 𝗆 𝖾 n a m e, 𝖺 𝖽 𝖽 𝗋 e x t e r n a d d r}$ ¶

The external address $e x t e r n a d d r$ must be valid with some external type $e x t e r n t y p e$ .
Then the export instance is valid.

𝑆 ⊢ e x t e r n a d d r : e x t e r n t y p e 𝑆 ⊢ {𝗇 𝖺 𝗆 𝖾 n a m e, 𝖺 𝖽 𝖽 𝗋 e x t e r n a d d r} : 𝗈 𝗄

Module Instances $m o d u l e i n s t$ ¶

Each defined type $d e f t y p e 𝑖$ in $m o d u l e i n s t . 𝗍 𝗒 𝗉 𝖾 𝗌$ must be valid under the empty context.
For each tag address $t a g a d d r 𝑖$ in $m o d u l e i n s t . 𝗍 𝖺 𝗀 𝗌$ , the external address $𝗍 𝖺 𝗀 t a g a d d r 𝑖$ must be valid with some external type $𝗍 𝖺 𝗀 t a g t y p e 𝑖$ .
For each global address $g l o b a l a d d r 𝑖$ in $m o d u l e i n s t . 𝗀 𝗅 𝗈 𝖻 𝖺 𝗅 𝗌$ , the external address $𝗀 𝗅 𝗈 𝖻 𝖺 𝗅 g l o b a l a d d r 𝑖$ must be valid with some external type $𝗀 𝗅 𝗈 𝖻 𝖺 𝗅 g l o b a l t y p e 𝑖$ .
For each memory address $m e m a d d r 𝑖$ in $m o d u l e i n s t . 𝗆 𝖾 𝗆 𝗌$ , the external address $𝗆 𝖾 𝗆 m e m a d d r 𝑖$ must be valid with some external type $𝗆 𝖾 𝗆 m e m t y p e 𝑖$ .
For each table address $t a b l e a d d r 𝑖$ in $m o d u l e i n s t . 𝗍 𝖺 𝖻 𝗅 𝖾 𝗌$ , the external address $𝗍 𝖺 𝖻 𝗅 𝖾 t a b l e a d d r 𝑖$ must be valid with some external type $𝗍 𝖺 𝖻 𝗅 𝖾 t a b l e t y p e 𝑖$ .
For each function address $f u n c a d d r 𝑖$ in $m o d u l e i n s t . 𝖿 𝗎 𝗇 𝖼 𝗌$ , the external address $𝖿 𝗎 𝗇 𝖼 f u n c a d d r 𝑖$ must be valid with some external type $𝖿 𝗎 𝗇 𝖼 d e f t y p e 𝖥 𝑖$ .
For each data address $d a t a a d d r 𝑖$ in $m o d u l e i n s t . 𝖽 𝖺 𝗍 𝖺 𝗌$ , the data instance $𝑆 . 𝖽 𝖺 𝗍 𝖺 𝗌 [d a t a a d d r 𝑖]$ must be valid with $o k 𝑖$ .
For each element address $e l e m a d d r 𝑖$ in $m o d u l e i n s t . 𝖾 𝗅 𝖾 𝗆 𝗌$ , the element instance $𝑆 . 𝖾 𝗅 𝖾 𝗆 𝗌 [e l e m a d d r 𝑖]$ must be valid with some reference type $r e f t y p e 𝑖$ .
Each export instance $e x p o r t i n s t 𝑖$ in $m o d u l e i n s t . 𝖾 𝗑 𝗉 𝗈 𝗋 𝗍 𝗌$ must be valid.
For each export instance $e x p o r t i n s t 𝑖$ in $m o d u l e i n s t . 𝖾 𝗑 𝗉 𝗈 𝗋 𝗍 𝗌$ , the name $e x p o r t i n s t 𝑖 . 𝗇 𝖺 𝗆 𝖾$ must be different from any other name occurring in $m o d u l e i n s t . 𝖾 𝗑 𝗉 𝗈 𝗋 𝗍 𝗌$ .
Let $d e f t y p e *$ be the concatenation of all $d e f t y p e 𝑖$ in order.
Let $t a g t y p e *$ be the concatenation of all $t a g t y p e 𝑖$ in order.
Let $g l o b a l t y p e *$ be the concatenation of all $g l o b a l t y p e 𝑖$ in order.
Let $m e m t y p e *$ be the concatenation of all $m e m t y p e 𝑖$ in order.
Let $t a b l e t y p e *$ be the concatenation of all $t a b l e t y p e 𝑖$ in order.
Let $d e f t y p e * 𝖥$ be the concatenation of all $d e f t y p e 𝖥 𝑖$ in order.
Let $r e f t y p e *$ be the concatenation of all $r e f t y p e 𝑖$ in order.
Let $o k *$ be the concatenation of all $o k 𝑖$ in order.
Let $𝑚$ be the length of $m o d u l e i n s t . 𝖿 𝗎 𝗇 𝖼 𝗌$ .
Let $𝑥 *$ be the sequence of function indices from $0$ to $𝑚 - 1$ .
Then the module instance is valid with context ${𝗍 𝗒 𝗉 𝖾 𝗌 d e f t y p e *,$ $𝗍 𝖺 𝗀 𝗌 t a g t y p e *,$ $𝗀 𝗅 𝗈 𝖻 𝖺 𝗅 𝗌 g l o b a l t y p e *,$ $𝗆 𝖾 𝗆 𝗌 m e m t y p e *,$ $𝗍 𝖺 𝖻 𝗅 𝖾 𝗌 t a b l e t y p e *,$ $𝖿 𝗎 𝗇 𝖼 𝗌 d e f t y p e * 𝖥,$ $𝖽 𝖺 𝗍 𝖺 𝗌 o k *,$ $𝖾 𝗅 𝖾 𝗆 𝗌 r e f t y p e *,$ $𝗋 𝖾 𝖿 𝗌 𝑥 *}$ .

(⊢ d e f t y p e : 𝗈 𝗄) * (𝑆 ⊢ 𝗍 𝖺 𝗀 t a g a d d r : 𝗍 𝖺 𝗀 t a g t y p e) * (𝑆 ⊢ 𝗀 𝗅 𝗈 𝖻 𝖺 𝗅 g l o b a l a d d r : 𝗀 𝗅 𝗈 𝖻 𝖺 𝗅 g l o b a l t y p e) * (𝑆 ⊢ 𝖿 𝗎 𝗇 𝖼 f u n c a d d r : 𝖿 𝗎 𝗇 𝖼 d e f t y p e 𝖥) * (𝑆 ⊢ 𝗆 𝖾 𝗆 m e m a d d r : 𝗆 𝖾 𝗆 m e m t y p e) * (𝑆 ⊢ 𝗍 𝖺 𝖻 𝗅 𝖾 t a b l e a d d r : 𝗍 𝖺 𝖻 𝗅 𝖾 t a b l e t y p e) * (𝑆 ⊢ 𝑆 . 𝖽 𝖺 𝗍 𝖺 𝗌 [d a t a a d d r] : o k) * (𝑆 ⊢ 𝑆 . 𝖾 𝗅 𝖾 𝗆 𝗌 [e l e m a d d r] : r e f t y p e) * (𝑆 ⊢ e x p o r t i n s t : 𝗈 𝗄) * (e x p o r t i n s t . 𝗇 𝖺 𝗆 𝖾) * d i s j o i n t 𝑆 ⊢ {𝗍 𝗒 𝗉 𝖾 𝗌 d e f t y p e *, 𝗍 𝖺 𝗀 𝗌 t a g a d d r *, 𝗀 𝗅 𝗈 𝖻 𝖺 𝗅 𝗌 g l o b a l a d d r *, 𝗆 𝖾 𝗆 𝗌 m e m a d d r *, 𝗍 𝖺 𝖻 𝗅 𝖾 𝗌 t a b l e a d d r *, 𝖿 𝗎 𝗇 𝖼 𝗌 f u n c a d d r *, 𝖽 𝖺 𝗍 𝖺 𝗌 d a t a a d d r *, 𝖾 𝗅 𝖾 𝗆 𝗌 e l e m a d d r *, 𝖾 𝗑 𝗉 𝗈 𝗋 𝗍 𝗌 e x p o r t i n s t *} : {𝗍 𝗒 𝗉 𝖾 𝗌 d e f t y p e *, 𝗍 𝖺 𝗀 𝗌 t a g t y p e *, 𝗀 𝗅 𝗈 𝖻 𝖺 𝗅 𝗌 g l o b a l t y p e *, 𝗆 𝖾 𝗆 𝗌 m e m t y p e *, 𝗍 𝖺 𝖻 𝗅 𝖾 𝗌 t a b l e t y p e *, 𝖿 𝗎 𝗇 𝖼 𝗌 d e f t y p e * 𝖥, 𝖽 𝖺 𝗍 𝖺 𝗌 o k *, 𝖾 𝗅 𝖾 𝗆 𝗌 r e f t y p e *, 𝗋 𝖾 𝖿 𝗌 0 \dots (| f u n c a d d r * | - 1)}

Configuration Validity¶

To relate the WebAssembly type system to its execution semantics, the typing rules for instructions must be extended to configurations $𝑆; 𝑇$ , which relates the store to execution threads.

Configurations and threads are classified by their result type. In addition to the store $𝑆$ , threads are typed under a return type $r e s u l t t y p e ?$ , which controls whether and with which type a $𝗋 𝖾 𝗍 𝗎 𝗋 𝗇$ instruction is allowed. This type is absent ( $𝜖$ ) except for instruction sequences inside an administrative $𝖿 𝗋 𝖺 𝗆 𝖾$ instruction.

Finally, frames are classified with frame contexts, which extend the module contexts of a frame’s associated module instance with the locals that the frame contains.

Configurations $𝑆; 𝑇$ ¶

The store $𝑆$ must be valid.
Under no allowed return type, the thread $𝑇$ must be valid with some result type $[𝑡 *]$ .
Then the configuration is valid with the result type $[𝑡 *]$ .

⊢ 𝑆 : 𝗈 𝗄 𝑆; 𝜖 ⊢ 𝑇 : [𝑡 *] ⊢ 𝑆; 𝑇 : [𝑡 *]

Threads $𝐹; i n s t r *$ ¶

Let $r e s u l t t y p e ?$ be the current allowed return type.
The frame $𝐹$ must be valid with a context $𝐶$ .
Let $𝐶'$ be the same context as $𝐶$ , but with $𝗋 𝖾 𝗍 𝗎 𝗋 𝗇$ set to $r e s u l t t y p e ?$ .
Under context $𝐶'$ , the instruction sequence $i n s t r *$ must be valid with some type $[] \to [𝑡 *]$ .
Then the thread is valid with the result type $[𝑡 *]$ .

𝑆 ⊢ 𝐹 : 𝐶 𝑆; 𝐶, 𝗋 𝖾 𝗍 𝗎 𝗋 𝗇 r e s u l t t y p e ? ⊢ i n s t r * : [] \to [𝑡 *] 𝑆; r e s u l t t y p e ? ⊢ 𝐹; i n s t r * : [𝑡 *]

Frames ${𝗅 𝗈 𝖼 𝖺 𝗅 𝗌 v a l *, 𝗆 𝗈 𝖽 𝗎 𝗅 𝖾 m o d u l e i n s t}$ ¶

The module instance $m o d u l e i n s t$ must be valid with some module context $𝐶$ .
Each value $v a l 𝑖$ in $v a l *$ must be valid with some value type $𝑡 𝑖$ .
Let $𝑡 *$ be the concatenation of all $𝑡 𝑖$ in order.
Let $𝐶'$ be the same context as $𝐶$ , but with the value types $𝑡 *$ prepended to the $𝗅 𝗈 𝖼 𝖺 𝗅 𝗌$ list.
Then the frame is valid with frame context $𝐶'$ .

𝑆 ⊢ m o d u l e i n s t : 𝐶 (𝑆 ⊢ v a l : 𝑡) * 𝑆 ⊢ {𝗅 𝗈 𝖼 𝖺 𝗅 𝗌 v a l *, 𝗆 𝗈 𝖽 𝗎 𝗅 𝖾 m o d u l e i n s t} : (𝐶, 𝗅 𝗈 𝖼 𝖺 𝗅 𝗌 𝑡 *)

Administrative Instructions¶

Typing rules for administrative instructions are specified as follows. In addition to the context $𝐶$ , typing of these instructions is defined under a given store $𝑆$ .

To that end, all previous typing judgements $𝐶 ⊢ p r o p$ are generalized to include the store, as in $𝑆; 𝐶 ⊢ p r o p$ , by implicitly adding $𝑆$ to all rules – $𝑆$ is never modified by the pre-existing rules, but it is accessed in the extra rules for administrative instructions given below.

$𝗍 𝗋 𝖺 𝗉$ ¶

The instruction is valid with any valid instruction type of the form $[𝑡 * 1] \to [𝑡 * 2]$ .

𝐶 ⊢ [𝑡 * 1] \to [𝑡 * 2] : 𝗈 𝗄 𝑆; 𝐶 ⊢ 𝗍 𝗋 𝖺 𝗉 : [𝑡 * 1] \to [𝑡 * 2]

$v a l$ ¶

The value $v a l$ must be valid with value type $𝑡$ .
Then it is valid as an instruction with type $[] \to [𝑡]$ .

𝑆 ⊢ v a l : 𝑡 𝑆; 𝐶 ⊢ v a l : [] \to [𝑡]

$𝗂 𝗇 𝗏 𝗈 𝗄 𝖾 f u n c a d d r$ ¶

The external function address $𝖿 𝗎 𝗇 𝖼 f u n c a d d r$ must be valid with external function type $𝖿 𝗎 𝗇 𝖼 d e f t y p e'$ .
The expansion of the defined type $d e f t y p e$ must be some function type $𝖿 𝗎 𝗇 𝖼 [𝑡 * 1] \to [𝑡 * 2])$ .
Then the instruction is valid with type $[𝑡 * 1] \to [𝑡 * 2]$ .

𝑆 ⊢ 𝖿 𝗎 𝗇 𝖼 f u n c a d d r : 𝖿 𝗎 𝗇 𝖼 d e f t y p e d e f t y p e \approx 𝖿 𝗎 𝗇 𝖼 [𝑡 * 1] \to [𝑡 * 2] 𝑆; 𝐶 ⊢ 𝗂 𝗇 𝗏 𝗈 𝗄 𝖾 f u n c a d d r : [𝑡 * 1] \to [𝑡 * 2]

$𝗅 𝖺 𝖻 𝖾 𝗅 𝑛 {i n s t r * 0} i n s t r *$ ¶

The instruction sequence $i n s t r * 0$ must be valid with some type $[𝑡 𝑛 1] \to 𝑥 * [𝑡 * 2]$ .
Let $𝐶'$ be the same context as $𝐶$ , but with the result type $[𝑡 𝑛 1]$ prepended to the $𝗅 𝖺 𝖻 𝖾 𝗅 𝗌$ list.
Under context $𝐶'$ , the instruction sequence $i n s t r *$ must be valid with type $[] \to 𝑥' * [𝑡 * 2]$ .
Then the compound instruction is valid with type $[] \to [𝑡 * 2]$ .

𝑆; 𝐶 ⊢ i n s t r * 0 : [𝑡 𝑛 1] \to 𝑥 * [𝑡 * 2] 𝑆; 𝐶, 𝗅 𝖺 𝖻 𝖾 𝗅 𝗌 [𝑡 𝑛 1] ⊢ i n s t r * : [] \to 𝑥' * [𝑡 * 2] 𝑆; 𝐶 ⊢ 𝗅 𝖺 𝖻 𝖾 𝗅 𝑛 {i n s t r * 0} i n s t r * : [] \to [𝑡 * 2]

$𝖿 𝗋 𝖺 𝗆 𝖾 𝑛 {𝐹} i n s t r *$ ¶

Under the valid return type $[𝑡 𝑛]$ , the thread $𝐹; i n s t r *$ must be valid with result type $[𝑡 𝑛]$ .
Then the compound instruction is valid with type $[] \to [𝑡 𝑛]$ .

𝐶 ⊢ [𝑡 𝑛] : 𝗈 𝗄 𝑆; [𝑡 𝑛] ⊢ 𝐹; i n s t r * : [𝑡 𝑛] 𝑆; 𝐶 ⊢ 𝖿 𝗋 𝖺 𝗆 𝖾 𝑛 {𝐹} i n s t r * : [] \to [𝑡 𝑛]

$𝗁 𝖺 𝗇 𝖽 𝗅 𝖾 𝗋 𝑛 {c a t c h } i n s t r $ ¶

For every catch clause $c a t c h 𝑖$ in $c a t c h *$ , $c a t c h 𝑖$ must be valid.
The instruction sequence $i n s t r *$ must be valid with some type $[𝑡 * 1] \to [𝑡 * 2]$ .
Then the compound instruction is valid with type $[𝑡 * 1] \to [𝑡 * 2]$ .

(𝐶 ⊢ c a t c h : 𝗈 𝗄) * 𝑆; 𝐶 ⊢ i n s t r * : [𝑡 * 1] \to [𝑡 * 2] 𝑆; 𝐶 ⊢ 𝗁 𝖺 𝗇 𝖽 𝗅 𝖾 𝗋 𝑛 {c a t c h *} i n s t r * : [𝑡 * 1] \to [𝑡 * 2]

Store Extension¶

Programs can mutate the store and its contained instances. Any such modification must respect certain invariants, such as not removing allocated instances or changing immutable definitions. While these invariants are inherent to the execution semantics of WebAssembly instructions and modules, host functions do not automatically adhere to them. Consequently, the required invariants must be stated as explicit constraints on the invocation of host functions. Soundness only holds when the embedder ensures these constraints.

The necessary constraints are codified by the notion of store extension: a store state $𝑆'$ extends state $𝑆$ , written $𝑆 ⪯ 𝑆'$ , when the following rules hold.

Note

Extension does not imply that the new store is valid, which is defined separately above.

Store $𝑆$ ¶

The length of $𝑆 . 𝗍 𝖺 𝗀 𝗌$ must not shrink.
The length of $𝑆 . 𝗀 𝗅 𝗈 𝖻 𝖺 𝗅 𝗌$ must not shrink.
The length of $𝑆 . 𝗆 𝖾 𝗆 𝗌$ must not shrink.
The length of $𝑆 . 𝗍 𝖺 𝖻 𝗅 𝖾 𝗌$ must not shrink.
The length of $𝑆 . 𝖿 𝗎 𝗇 𝖼 𝗌$ must not shrink.
The length of $𝑆 . 𝖽 𝖺 𝗍 𝖺 𝗌$ must not shrink.
The length of $𝑆 . 𝖾 𝗅 𝖾 𝗆 𝗌$ must not shrink.
The length of $𝑆 . 𝗌 𝗍 𝗋 𝗎 𝖼 𝗍 𝗌$ must not shrink.
The length of $𝑆 . 𝖺 𝗋 𝗋 𝖺 𝗒 𝗌$ must not shrink.
The length of $𝑆 . 𝖾 𝗑 𝗇 𝗌$ must not shrink.
For each tag instance $t a g i n s t 𝑖$ in the original $𝑆 . 𝗍 𝖺 𝗀 𝗌$ , the new tag instance must be an extension of the old.
For each global instance $g l o b a l i n s t 𝑖$ in the original $𝑆 . 𝗀 𝗅 𝗈 𝖻 𝖺 𝗅 𝗌$ , the new global instance must be an extension of the old.
For each memory instance $m e m i n s t 𝑖$ in the original $𝑆 . 𝗆 𝖾 𝗆 𝗌$ , the new memory instance must be an extension of the old.
For each table instance $t a b l e i n s t 𝑖$ in the original $𝑆 . 𝗍 𝖺 𝖻 𝗅 𝖾 𝗌$ , the new table instance must be an extension of the old.
For each function instance $f u n c i n s t 𝑖$ in the original $𝑆 . 𝖿 𝗎 𝗇 𝖼 𝗌$ , the new function instance must be an extension of the old.
For each data instance $d a t a i n s t 𝑖$ in the original $𝑆 . 𝖽 𝖺 𝗍 𝖺 𝗌$ , the new data instance must be an extension of the old.
For each element instance $e l e m i n s t 𝑖$ in the original $𝑆 . 𝖾 𝗅 𝖾 𝗆 𝗌$ , the new element instance must be an extension of the old.
For each structure instance $s t r u c t i n s t 𝑖$ in the original $𝑆 . 𝗌 𝗍 𝗋 𝗎 𝖼 𝗍 𝗌$ , the new structure instance must be an extension of the old.
For each array instance $a r r a y i n s t 𝑖$ in the original $𝑆 . 𝖺 𝗋 𝗋 𝖺 𝗒 𝗌$ , the new array instance must be an extension of the old.
For each exception instance $e x n i n s t 𝑖$ in the original $𝑆 . 𝖾 𝗑 𝗇 𝗌$ , the new exception instance must be an extension of the old.

𝑆 1 . 𝗍 𝖺 𝗀 𝗌 = t a g i n s t * 1 𝑆 2 . 𝗍 𝖺 𝗀 𝗌 = t a g i n s t' 1 * t a g i n s t * 2 (⊢ t a g i n s t 1 ⪯ t a g i n s t' 1) * 𝑆 1 . 𝗀 𝗅 𝗈 𝖻 𝖺 𝗅 𝗌 = g l o b a l i n s t * 1 𝑆 2 . 𝗀 𝗅 𝗈 𝖻 𝖺 𝗅 𝗌 = g l o b a l i n s t' 1 * g l o b a l i n s t * 2 (⊢ g l o b a l i n s t 1 ⪯ g l o b a l i n s t' 1) * 𝑆 1 . 𝗆 𝖾 𝗆 𝗌 = m e m i n s t * 1 𝑆 2 . 𝗆 𝖾 𝗆 𝗌 = m e m i n s t' 1 * m e m i n s t * 2 (⊢ m e m i n s t 1 ⪯ m e m i n s t' 1) * 𝑆 1 . 𝗍 𝖺 𝖻 𝗅 𝖾 𝗌 = t a b l e i n s t * 1 𝑆 2 . 𝗍 𝖺 𝖻 𝗅 𝖾 𝗌 = t a b l e i n s t' 1 * t a b l e i n s t * 2 (⊢ t a b l e i n s t 1 ⪯ t a b l e i n s t' 1) * 𝑆 1 . 𝖿 𝗎 𝗇 𝖼 𝗌 = f u n c i n s t * 1 𝑆 2 . 𝖿 𝗎 𝗇 𝖼 𝗌 = f u n c i n s t' 1 * f u n c i n s t * 2 (⊢ f u n c i n s t 1 ⪯ f u n c i n s t' 1) * 𝑆 1 . 𝖽 𝖺 𝗍 𝖺 𝗌 = d a t a i n s t * 1 𝑆 2 . 𝖽 𝖺 𝗍 𝖺 𝗌 = d a t a i n s t' 1 * d a t a i n s t * 2 (⊢ d a t a i n s t 1 ⪯ d a t a i n s t' 1) * 𝑆 1 . 𝖾 𝗅 𝖾 𝗆 𝗌 = e l e m i n s t * 1 𝑆 2 . 𝖾 𝗅 𝖾 𝗆 𝗌 = e l e m i n s t' 1 * e l e m i n s t * 2 (⊢ e l e m i n s t 1 ⪯ e l e m i n s t' 1) * 𝑆 1 . 𝗌 𝗍 𝗋 𝗎 𝖼 𝗍 𝗌 = s t r u c t i n s t * 1 𝑆 2 . 𝗌 𝗍 𝗋 𝗎 𝖼 𝗍 𝗌 = s t r u c t i n s t' 1 * s t r u c t i n s t * 2 (⊢ s t r u c t i n s t 1 ⪯ s t r u c t i n s t' 1) * 𝑆 1 . 𝖺 𝗋 𝗋 𝖺 𝗒 𝗌 = a r r a y i n s t * 1 𝑆 2 . 𝖺 𝗋 𝗋 𝖺 𝗒 𝗌 = a r r a y i n s t' 1 * a r r a y i n s t * 2 (⊢ a r r a y i n s t 1 ⪯ a r r a y i n s t' 1) * 𝑆 1 . 𝖾 𝗑 𝗇 𝗌 = e x n i n s t * 1 𝑆 2 . 𝖾 𝗑 𝗇 𝗌 = e x n i n s t' 1 * e x n i n s t * 2 (⊢ e x n i n s t 1 ⪯ e x n i n s t' 1) * ⊢ 𝑆 1 ⪯ 𝑆 2

Tag Instance $t a g i n s t$ ¶

A tag instance must remain unchanged.

⊢ t a g i n s t ⪯ t a g i n s t

Global Instance $g l o b a l i n s t$ ¶

The global type $g l o b a l i n s t . 𝗍 𝗒 𝗉 𝖾$ must remain unchanged.
Let $m u t 𝑡$ be the structure of $g l o b a l i n s t . 𝗍 𝗒 𝗉 𝖾$ .
If $m u t$ is empty, then the value $g l o b a l i n s t . 𝗏 𝖺 𝗅 𝗎 𝖾$ must remain unchanged.

m u t = 𝗆 𝗎 𝗍 \lor v a l 1 = v a l 2 ⊢ {𝗍 𝗒 𝗉 𝖾 (m u t 𝑡), 𝗏 𝖺 𝗅 𝗎 𝖾 v a l 1} ⪯ {𝗍 𝗒 𝗉 𝖾 (m u t 𝑡), 𝗏 𝖺 𝗅 𝗎 𝖾 v a l 2}

Memory Instance $m e m i n s t$ ¶

The memory type $m e m i n s t . 𝗍 𝗒 𝗉 𝖾$ must remain unchanged.
The length of $m e m i n s t . 𝖻 𝗒 𝗍 𝖾 𝗌$ must not shrink.

𝑛 1 \leq 𝑛 2 ⊢ {𝗍 𝗒 𝗉 𝖾 m t, 𝖻 𝗒 𝗍 𝖾 𝗌 𝑏 𝑛 1 1} ⪯ {𝗍 𝗒 𝗉 𝖾 m t, 𝖻 𝗒 𝗍 𝖾 𝗌 𝑏 𝑛 2 2}

Table Instance $t a b l e i n s t$ ¶

The table type $t a b l e i n s t . 𝗍 𝗒 𝗉 𝖾$ must remain unchanged.
The length of $t a b l e i n s t . 𝖾 𝗅 𝖾 𝗆$ must not shrink.

𝑛 1 \leq 𝑛 2 ⊢ {𝗍 𝗒 𝗉 𝖾 t t, 𝖾 𝗅 𝖾 𝗆 (f a ? 1) 𝑛 1} ⪯ {𝗍 𝗒 𝗉 𝖾 t t, 𝖾 𝗅 𝖾 𝗆 (f a ? 2) 𝑛 2}

Function Instance $f u n c i n s t$ ¶

A function instance must remain unchanged.

⊢ f u n c i n s t ⪯ f u n c i n s t

Data Instance $d a t a i n s t$ ¶

The list $d a t a i n s t . 𝖻 𝗒 𝗍 𝖾 𝗌$ must:
- either remain unchanged,
- or shrink to length $0$ .

⊢ {𝖻 𝗒 𝗍 𝖾 𝗌 𝑏 *} ⪯ {𝖻 𝗒 𝗍 𝖾 𝗌 𝑏 *}

⊢ {𝖻 𝗒 𝗍 𝖾 𝗌 𝑏 *} ⪯ {𝖻 𝗒 𝗍 𝖾 𝗌 𝜖}

Element Instance $e l e m i n s t$ ¶

The reference type $e l e m i n s t . 𝗍 𝗒 𝗉 𝖾$ must remain unchanged.
The list $e l e m i n s t . 𝖾 𝗅 𝖾 𝗆$ must:
- either remain unchanged,
- or shrink to length $0$ .

⊢ {𝗍 𝗒 𝗉 𝖾 𝑡, 𝖾 𝗅 𝖾 𝗆 𝑎 *} ⪯ {𝗍 𝗒 𝗉 𝖾 𝑡, 𝖾 𝗅 𝖾 𝗆 𝑎 *}

⊢ {𝗍 𝗒 𝗉 𝖾 𝑡, 𝖾 𝗅 𝖾 𝗆 𝑎 *} ⪯ {𝗍 𝗒 𝗉 𝖾 𝑡, 𝖾 𝗅 𝖾 𝗆 𝜖}

Structure Instance $s t r u c t i n s t$ ¶

The defined type $s t r u c t i n s t . 𝗍 𝗒 𝗉 𝖾$ must remain unchanged.
Assert: due to store well-formedness, the expansion of $s t r u c t i n s t . 𝗍 𝗒 𝗉 𝖾$ is a structure type.
Let $𝗌 𝗍 𝗋 𝗎 𝖼 𝗍 f i e l d t y p e *$ be the expansion of $s t r u c t i n s t . 𝗍 𝗒 𝗉 𝖾$ .
The length of the list $s t r u c t i n s t . 𝖿 𝗂 𝖾 𝗅 𝖽 𝗌$ must remain unchanged.
Assert: due to store well-formedness, the length of $s t r u c t i n s t . 𝖿 𝗂 𝖾 𝗅 𝖽 𝗌$ is the same as the length of $f i e l d t y p e *$ .
For each field value $f i e l d v a l 𝑖$ in $s t r u c t i n s t . 𝖿 𝗂 𝖾 𝗅 𝖽 𝗌$ and corresponding field type $f i e l d t y p e 𝑖$ in $f i e l d t y p e *$ :
- Let $m u t 𝑖 s t 𝑖$ be the structure of $f i e l d t y p e 𝑖$ .
- If $m u t 𝑖$ is empty, then the field value $f i e l d v a l 𝑖$ must remain unchanged.

(m u t = 𝗆 𝗎 𝗍 \lor f i e l d v a l 1 = f i e l d v a l 2) * ⊢ {𝗍 𝗒 𝗉 𝖾 (m u t s t) *, 𝖿 𝗂 𝖾 𝗅 𝖽 𝗌 f i e l d v a l * 1} ⪯ {𝗍 𝗒 𝗉 𝖾 (m u t s t) *, 𝖿 𝗂 𝖾 𝗅 𝖽 𝗌 f i e l d v a l * 2}

Array Instance $a r r a y i n s t$ ¶

The defined type $a r r a y i n s t . 𝗍 𝗒 𝗉 𝖾$ must remain unchanged.
Assert: due to store well-formedness, the expansion of $a r r a y i n s t . 𝗍 𝗒 𝗉 𝖾$ is an array type.
Let $𝖺 𝗋 𝗋 𝖺 𝗒 f i e l d t y p e$ be the expansion of $a r r a y i n s t . 𝗍 𝗒 𝗉 𝖾$ .
The length of the list $a r r a y i n s t . 𝖿 𝗂 𝖾 𝗅 𝖽 𝗌$ must remain unchanged.
Let $m u t s t$ be the structure of $f i e l d t y p e$ .
If $m u t$ is empty, then the sequence of field values $a r r a y i n s t . 𝖿 𝗂 𝖾 𝗅 𝖽 𝗌$ must remain unchanged.

m u t = 𝗆 𝗎 𝗍 \lor f i e l d v a l * 1 = f i e l d v a l * 2 ⊢ {𝗍 𝗒 𝗉 𝖾 (m u t s t), 𝖿 𝗂 𝖾 𝗅 𝖽 𝗌 f i e l d v a l * 1} ⪯ {𝗍 𝗒 𝗉 𝖾 (m u t s t), 𝖿 𝗂 𝖾 𝗅 𝖽 𝗌 f i e l d v a l * 2}

Exception Instance $e x n i n s t$ ¶

An exception instance must remain unchanged.

⊢ e x n i n s t ⪯ e x n i n s t

Theorems¶

Given the definition of valid configurations, the standard soundness theorems hold. [2] [3]

Theorem (Preservation). If a configuration $𝑆; 𝑇$ is valid with result type $[𝑡 *]$ (i.e., $⊢ 𝑆; 𝑇 : [𝑡 *]$ ), and steps to $𝑆'; 𝑇'$ (i.e., $𝑆; 𝑇 ↪ 𝑆'; 𝑇'$ ), then $𝑆'; 𝑇'$ is a valid configuration with the same result type (i.e., $⊢ 𝑆'; 𝑇' : [𝑡 *]$ ). Furthermore, $𝑆'$ is an extension of $𝑆$ (i.e., $⊢ 𝑆 ⪯ 𝑆'$ ).

A terminal thread is one whose sequence of instructions is a result. A terminal configuration is a configuration whose thread is terminal.

Theorem (Progress). If a configuration $𝑆; 𝑇$ is valid (i.e., $⊢ 𝑆; 𝑇 : [𝑡 *]$ for some result type $[𝑡 *]$ ), then either it is terminal, or it can step to some configuration $𝑆'; 𝑇'$ (i.e., $𝑆; 𝑇 ↪ 𝑆'; 𝑇'$ ).

From Preservation and Progress the soundness of the WebAssembly type system follows directly.

Corollary (Soundness). If a configuration $𝑆; 𝑇$ is valid (i.e., $⊢ 𝑆; 𝑇 : [𝑡 *]$ for some result type $[𝑡 *]$ ), then it either diverges or takes a finite number of steps to reach a terminal configuration $𝑆'; 𝑇'$ (i.e., $𝑆; 𝑇 ↪ * 𝑆'; 𝑇'$ ) that is valid with the same result type (i.e., $⊢ 𝑆'; 𝑇' : [𝑡 *]$ ) and where $𝑆'$ is an extension of $𝑆$ (i.e., $⊢ 𝑆 ⪯ 𝑆'$ ).

In other words, every thread in a valid configuration either runs forever, traps, throws an exception, or terminates with a result that has the expected type. Consequently, given a valid store, no computation defined by instantiation or invocation of a valid module can “crash” or otherwise (mis)behave in ways not covered by the execution semantics given in this specification.

Type System Properties¶

Principal Types¶

The type system of WebAssembly features both subtyping and simple forms of polymorphism for instruction types. That has the effect that every instruction or instruction sequence can be classified with multiple different instruction types.

However, the typing rules still allow deriving principal types for instruction sequences. That is, every valid instruction sequence has one particular type scheme, possibly containing some unconstrained place holder type variables, that is a subtype of all its valid instruction types, after substituting its type variables with suitable specific types.

Moreover, when deriving an instruction type in a “forward” manner, i.e., the input of the instruction sequence is already fixed to specific types, then it has a principal output type expressible without type variables, up to a possibly polymorphic stack bottom representable with one single variable. In other words, “forward” principal types are effectively closed.

Note

For example, in isolation, the instruction $𝗋 𝖾 𝖿 . 𝖺 𝗌_𝗇 𝗈 𝗇_𝗇 𝗎 𝗅 𝗅$ has the type $[(𝗋 𝖾 𝖿 𝗇 𝗎 𝗅 𝗅 h t)] \to [(𝗋 𝖾 𝖿 h t)]$ for any choice of valid heap type $h t$ . Moreover, if the input type $[(𝗋 𝖾 𝖿 𝗇 𝗎 𝗅 𝗅 h t)]$ is already determined, i.e., a specific $h t$ is given, then the output type $[(𝗋 𝖾 𝖿 h t)]$ is fully determined as well.

The implication of the latter property is that a validator for complete instruction sequences (as they occur in valid modules) can be implemented with a simple left-to-right algorithm that does not require the introduction of type variables.

A typing algorithm capable of handling partial instruction sequences (as might be considered for program analysis or program manipulation) needs to introduce type variables and perform substitutions, but it does not need to perform backtracking or record any non-syntactic constraints on these type variables.

Technically, the syntax of heap, value, and result types can be enriched with type variables as follows:

n u l l : : = 𝗇 𝗎 𝗅 𝗅 ? | 𝛼 n u l l h e a p t y p e : : = \dots | 𝛼 h e a p t y p e r e f t y p e : : = 𝗋 𝖾 𝖿 n u l l h e a p t y p e v a l t y p e : : = \dots | 𝛼 v a l t y p e | 𝛼 n u m v e c t y p e r e s u l t t y p e : : = [𝛼 ? v a l t y p e * v a l t y p e *]

where each $𝛼 x y z$ ranges over a set of type variables for syntactic class $x y z$ , respectively. The special class $n u m v e c t y p e$ is defined as $n u m t y p e | v e c t y p e | 𝖻 𝗈 𝗍$ , and is only needed to handle unannotated $𝗌 𝖾 𝗅 𝖾 𝖼 𝗍$ instructions.

A type is closed when it does not contain any type variables, and open otherwise. A type substitution $𝜎$ is a finite mapping from type variables to closed types of the respective syntactic class. When applied to an open type, it replaces the type variables $𝛼$ from its domain with the respective $𝜎 (𝛼)$ .

Theorem (Principal Types). If an instruction sequence $i n s t r *$ is valid with some closed instruction type $i n s t r t y p e$ (i.e., $𝐶 ⊢ i n s t r * : i n s t r t y p e$ ), then it is also valid with a possibly open instruction type $i n s t r t y p e m i n$ (i.e., $𝐶 ⊢ i n s t r * : i n s t r t y p e m i n$ ), such that for every closed type $i n s t r t y p e'$ with which $i n s t r *$ is valid (i.e., for all $𝐶 ⊢ i n s t r * : i n s t r t y p e'$ ), there exists a substitution $𝜎$ , such that $𝜎 (i n s t r t y p e m i n)$ is a subtype of $i n s t r t y p e'$ (i.e., $𝐶 ⊢ 𝜎 (i n s t r t y p e m i n) \leq i n s t r t y p e'$ ). Furthermore, $i n s t r t y p e m i n$ is unique up to the choice of type variables.

Theorem (Closed Principal Forward Types). If closed input type $[𝑡 * 1]$ is given and the instruction sequence $i n s t r *$ is valid with instruction type $[𝑡 * 1] \to 𝑥 * [𝑡 * 2]$ (i.e., $𝐶 ⊢ i n s t r * : [𝑡 * 1] \to 𝑥 * [𝑡 * 2]$ ), then it is also valid with instruction type $[𝑡 * 1] \to 𝑥 * [𝛼 v a l t y p e * 𝑡 *]$ (i.e., $𝐶 ⊢ i n s t r * : [𝑡 * 1] \to 𝑥 * [𝛼 v a l t y p e * 𝑡 *]$ ), where all $𝑡 *$ are closed, such that for every closed result type $[𝑡' 2 *]$ with which $i n s t r *$ is valid (i.e., for all $𝐶 ⊢ i n s t r * : [𝑡 * 1] \to 𝑥 * [𝑡' 2 *]$ ), there exists a substitution $𝜎$ , such that $[𝑡' 2 *] = [𝜎 (𝛼 v a l t y p e *) 𝑡 *]$ .

Type Lattice¶

The Principal Types property depends on the existence of a greatest lower bound for any pair of types.

Theorem (Greatest Lower Bounds for Value Types). For any two value types $𝑡 1$ and $𝑡 2$ that are valid (i.e., $𝐶 ⊢ 𝑡 1 : 𝗈 𝗄$ and $𝐶 ⊢ 𝑡 2 : 𝗈 𝗄$ ), there exists a valid value type $𝑡$ that is a subtype of both $𝑡 1$ and $𝑡 2$ (i.e., $𝐶 ⊢ 𝑡 : 𝗈 𝗄$ and $𝐶 ⊢ 𝑡 \leq 𝑡 1$ and $𝐶 ⊢ 𝑡 \leq 𝑡 2$ ), such that every valid value type $𝑡'$ that also is a subtype of both $𝑡 1$ and $𝑡 2$ (i.e., for all $𝐶 ⊢ 𝑡' : 𝗈 𝗄$ and $𝐶 ⊢ 𝑡' \leq 𝑡 1$ and $𝐶 ⊢ 𝑡' \leq 𝑡 2$ ), is a subtype of $𝑡$ (i.e., $𝐶 ⊢ 𝑡' \leq 𝑡$ ).

Note

The greatest lower bound of two types may be $𝖻 𝗈 𝗍$ .

Theorem (Conditional Least Upper Bounds for Value Types). Any two value types $𝑡 1$ and $𝑡 2$ that are valid (i.e., $𝐶 ⊢ 𝑡 1 : 𝗈 𝗄$ and $𝐶 ⊢ 𝑡 2 : 𝗈 𝗄$ ) either have no common supertype, or there exists a valid value type $𝑡$ that is a supertype of both $𝑡 1$ and $𝑡 2$ (i.e., $𝐶 ⊢ 𝑡 : 𝗈 𝗄$ and $𝐶 ⊢ 𝑡 1 \leq 𝑡$ and $𝐶 ⊢ 𝑡 2 \leq 𝑡$ ), such that every valid value type $𝑡'$ that also is a supertype of both $𝑡 1$ and $𝑡 2$ (i.e., for all $𝐶 ⊢ 𝑡' : 𝗈 𝗄$ and $𝐶 ⊢ 𝑡 1 \leq 𝑡'$ and $𝐶 ⊢ 𝑡 2 \leq 𝑡'$ ), is a supertype of $𝑡$ (i.e., $𝐶 ⊢ 𝑡 \leq 𝑡'$ ).

Note

If a top type was added to the type system, a least upper bound would exist for any two types.

Corollary (Type Lattice). Assuming the addition of a provisional top type, value types form a lattice with respect to their subtype relation.

Finally, value types can be partitioned into multiple disjoint hierarchies that are not related by subtyping, except through $𝖻 𝗈 𝗍$ .

Theorem (Disjoint Subtype Hierarchies). The greatest lower bound of two value types is $𝖻 𝗈 𝗍$ or $𝗋 𝖾 𝖿 𝖻 𝗈 𝗍$ if and only if they do not have a least upper bound.

In other words, types that do not have common supertypes, do not have common subtypes either (other than $𝖻 𝗈 𝗍$ or $𝗋 𝖾 𝖿 𝖻 𝗈 𝗍$ ), and vice versa.

Note

Types from disjoint hierarchies can safely be represented in mutually incompatible ways in an implementation, because their values can never flow to the same place.

Compositionality¶

Valid instruction sequences can be freely composed, as long as their types match up.

Theorem (Composition). If two instruction sequences $i n s t r * 1$ and $i n s t r * 2$ are valid with types $[𝑡 * 1] \to 𝑥 * 1 [𝑡 *]$ and $[𝑡 *] \to 𝑥 * 2 [𝑡 * 2]$ , respectively (i.e., $𝐶 ⊢ i n s t r * 1 : [𝑡 * 1] \to 𝑥 * 1 [𝑡 *]$ and $𝐶 ⊢ i n s t r * 1 : [𝑡 *] \to 𝑥 * 2 [𝑡 * 2]$ ), then the concatenated instruction sequence $(i n s t r * 1 i n s t r * 2)$ is valid with type $[𝑡 * 1] \to 𝑥 * 1 𝑥 * 2 [𝑡 * 2]$ (i.e., $𝐶 ⊢ i n s t r * 1 i n s t r * 2 : [𝑡 * 1] \to 𝑥 * 1 𝑥 * 2 [𝑡 * 2]$ ).

Note

More generally, instead of a shared type $[𝑡 *]$ , it suffices if the output type of $i n s t r * 1$ is a subtype of the input type of $i n s t r * 1$ , since the subtype can always be weakened to its supertype by subsumption.

Inversely, valid instruction sequences can also freely be decomposed, that is, splitting them anywhere produces two instruction sequences that are both valid.

Theorem (Decomposition). If an instruction sequence $i n s t r *$ that is valid with type $[𝑡 * 1] \to 𝑥 * [𝑡 * 2]$ (i.e., $𝐶 ⊢ i n s t r * : [𝑡 * 1] \to 𝑥 * [𝑡 * 2]$ ) is split into two instruction sequences $i n s t r * 1$ and $i n s t r * 2$ at any point (i.e., $i n s t r * = i n s t r * 1 i n s t r * 2$ ), then these are separately valid with some types $[𝑡 * 1] \to 𝑥 * 1 [𝑡 *]$ and $[𝑡 *] \to 𝑥 * 2 [𝑡 * 2]$ , respectively (i.e., $𝐶 ⊢ i n s t r * 1 : [𝑡 * 1] \to 𝑥 * 1 [𝑡 *]$ and $𝐶 ⊢ i n s t r * 1 : [𝑡 *] \to 𝑥 * 2 [𝑡 * 2]$ ), where $𝑥 * = 𝑥 * 1 𝑥 * 2$ .

Note

This property holds because validation is required even for unreachable code. Without that, $i n s t r * 2$ might not be valid in isolation.

Type Soundness¶

Contexts¶

Types¶

Heap Type 𝗋𝖾𝖼 𝑖¶

Recursive Types 𝗋𝖾𝖼 subtype∗¶

Sub types 𝗌𝗎𝖻 𝖿𝗂𝗇𝖺𝗅? ht∗ comptype¶

Defined types rectype.𝑖¶

Subtyping¶

Results¶

Results val∗¶

Results (𝗋𝖾𝖿.𝖾𝗑𝗇 𝑎) 𝗍𝗁𝗋𝗈𝗐_𝗋𝖾𝖿¶

Store Validity¶

Store 𝑆¶

Tag Instances {𝗍𝗒𝗉𝖾 tagtype}¶

Global Instances {𝗍𝗒𝗉𝖾 mut 𝑡,𝗏𝖺𝗅𝗎𝖾 val}¶

Memory Instances {𝗍𝗒𝗉𝖾 (addrtype limits),𝖻𝗒𝗍𝖾𝗌 𝑏∗}¶

Table Instances {𝗍𝗒𝗉𝖾 (addrtype limits 𝑡),𝖾𝗅𝖾𝗆 ref∗}¶

Function Instances {𝗍𝗒𝗉𝖾 deftype,𝗆𝗈𝖽𝗎𝗅𝖾 moduleinst,𝖼𝗈𝖽𝖾 func}¶

Host Function Instances {𝗍𝗒𝗉𝖾 deftype,𝗁𝗈𝗌𝗍𝖿𝗎𝗇𝖼 hf}¶

Data Instances {𝖻𝗒𝗍𝖾𝗌 𝑏∗}¶

Element Instances {𝗍𝗒𝗉𝖾 𝑡,𝖾𝗅𝖾𝗆 ref∗}¶

Structure Instances {𝗍𝗒𝗉𝖾 deftype,𝖿𝗂𝖾𝗅𝖽𝗌 fieldval∗}¶

Array Instances {𝗍𝗒𝗉𝖾 deftype,𝖿𝗂𝖾𝗅𝖽𝗌 fieldval∗}¶

Exception Instances {𝗍𝖺𝗀 𝑎,𝖿𝗂𝖾𝗅𝖽𝗌 val∗}¶

Export Instances {𝗇𝖺𝗆𝖾 name,𝖺𝖽𝖽𝗋 externaddr}¶

Configuration Validity¶

Configurations 𝑆;𝑇¶

Threads 𝐹;instr∗¶

Frames {𝗅𝗈𝖼𝖺𝗅𝗌 val∗,𝗆𝗈𝖽𝗎𝗅𝖾 moduleinst}¶

Administrative Instructions¶

𝗅𝖺𝖻𝖾𝗅𝑛⁢{instr∗0} instr∗¶

𝖿𝗋𝖺𝗆𝖾𝑛⁢{𝐹} instr∗¶

𝗁𝖺𝗇𝖽𝗅𝖾𝗋𝑛⁢{catch∗} instr∗¶

Store Extension¶

Store 𝑆¶

Theorems¶

Type System Properties¶

Principal Types¶

Type Lattice¶

Compositionality¶

Heap Type $𝗋 𝖾 𝖼 𝑖$ ¶

Recursive Types $𝗋 𝖾 𝖼 s u b t y p e *$ ¶

Sub types $𝗌 𝗎 𝖻 𝖿 𝗂 𝗇 𝖺 𝗅 ? h t * c o m p t y p e$ ¶

Defined types $r e c t y p e . 𝑖$ ¶

Results $v a l *$ ¶

Results $(𝗋 𝖾 𝖿 . 𝖾 𝗑 𝗇 𝑎) 𝗍 𝗁 𝗋 𝗈 𝗐_𝗋 𝖾 𝖿$ ¶

Store $𝑆$ ¶

Tag Instances ${𝗍 𝗒 𝗉 𝖾 t a g t y p e}$ ¶

Global Instances ${𝗍 𝗒 𝗉 𝖾 m u t 𝑡, 𝗏 𝖺 𝗅 𝗎 𝖾 v a l}$ ¶

Memory Instances ${𝗍 𝗒 𝗉 𝖾 (a d d r t y p e l i m i t s), 𝖻 𝗒 𝗍 𝖾 𝗌 𝑏 *}$ ¶

Table Instances ${𝗍 𝗒 𝗉 𝖾 (a d d r t y p e l i m i t s 𝑡), 𝖾 𝗅 𝖾 𝗆 r e f *}$ ¶

Function Instances ${𝗍 𝗒 𝗉 𝖾 d e f t y p e, 𝗆 𝗈 𝖽 𝗎 𝗅 𝖾 m o d u l e i n s t, 𝖼 𝗈 𝖽 𝖾 f u n c}$ ¶

Host Function Instances ${𝗍 𝗒 𝗉 𝖾 d e f t y p e, 𝗁 𝗈 𝗌 𝗍 𝖿 𝗎 𝗇 𝖼 h f}$ ¶

Data Instances ${𝖻 𝗒 𝗍 𝖾 𝗌 𝑏 *}$ ¶

Element Instances ${𝗍 𝗒 𝗉 𝖾 𝑡, 𝖾 𝗅 𝖾 𝗆 r e f *}$ ¶

Structure Instances ${𝗍 𝗒 𝗉 𝖾 d e f t y p e, 𝖿 𝗂 𝖾 𝗅 𝖽 𝗌 f i e l d v a l *}$ ¶

Array Instances ${𝗍 𝗒 𝗉 𝖾 d e f t y p e, 𝖿 𝗂 𝖾 𝗅 𝖽 𝗌 f i e l d v a l *}$ ¶

Exception Instances ${𝗍 𝖺 𝗀 𝑎, 𝖿 𝗂 𝖾 𝗅 𝖽 𝗌 v a l *}$ ¶

Export Instances ${𝗇 𝖺 𝗆 𝖾 n a m e, 𝖺 𝖽 𝖽 𝗋 e x t e r n a d d r}$ ¶

Configurations $𝑆; 𝑇$ ¶

Threads $𝐹; i n s t r *$ ¶

Frames ${𝗅 𝗈 𝖼 𝖺 𝗅 𝗌 v a l *, 𝗆 𝗈 𝖽 𝗎 𝗅 𝖾 m o d u l e i n s t}$ ¶

$𝗅 𝖺 𝖻 𝖾 𝗅 𝑛 {i n s t r * 0} i n s t r *$ ¶

$𝖿 𝗋 𝖺 𝗆 𝖾 𝑛 {𝐹} i n s t r *$ ¶

$𝗁 𝖺 𝗇 𝖽 𝗅 𝖾 𝗋 𝑛 {c a t c h } i n s t r $ ¶

Store $𝑆$ ¶