WebAssembly explained

WebAssembly
Paradigm:structured
stack machine[1]
Designer:W3C
Operating System:Platform independent
License:Apache License 2.0
File Formats:-->

WebAssembly (Wasm) defines a portable binary-code format and a corresponding text format for executable programs[2] as well as software interfaces for facilitating interactions between such programs and their host environment.[3] [4] [5] [6]

The main goal of WebAssembly is to enable high-performance applications on web pages, "but it does not make any Web-specific assumptions or provide Web-specific features, so it can be employed in other environments as well."[7] It is an open standard[8] and aims to support any language on any operating system, and in practice all of the most popular languages already have at least some level of support.

Announced in and first released in, WebAssembly became a World Wide Web Consortium recommendation on 5 December 2019[9] [10] [11] and it received the Programming Languages Software Award from ACM SIGPLAN in 2021.[12] The World Wide Web Consortium (W3C) maintains the standard with contributions from Mozilla, Microsoft, Google, Apple, Fastly, Intel, and Red Hat.

History

WebAssembly is named to evoke the concept of assembly language, a term which dates to the 1950s. The name suggests bringing assembly-like programming to the Web, where it will be executed client-side by the website-user's computer via the user's web browser. To accomplish this, WebAssembly must be much more hardware-independent than a true assembly language.

WebAssembly was first announced in 2015, and the first demonstration was executing Unity's Angry Bots in Firefox, Google Chrome, and Microsoft Edge. The precursor technologies were asm.js from Mozilla and Google Native Client, and the initial implementation was based on the feature set of asm.js. The asm.js technology already provides near-native code execution speeds[13] [14] and can be considered a viable alternative for browsers that do not support WebAssembly or have it disabled for security reasons.

In March 2017, the design of the minimum viable product (MVP) was declared to be finished and the preview phase ended. In late September 2017, Safari 11 was released with support. In February 2018, the WebAssembly Working Group published three public working drafts for the Core Specification, JavaScript Interface, and Web API.

In June 2019, Chrome 75 was released with WebAssembly threads enabled by default.[15]

WebAssembly 2.0 is in draft status,[16] [17] which adds many SIMD-related instructions and a new v128 datatype, the ability for functions to return multiple values, and mass memory initialize/copy.

Implementations

While WebAssembly was initially designed to enable near-native code execution speed in the web browser, it has been considered valuable outside of such, in more generalized contexts.[18] [19] Since WebAssembly's runtime environments (RE) are low-level virtual stack machines (akin to JVM or Flash VM) that can be embedded into host applications, some of them have found a way to standalone runtime environments like and .[20] [21] WebAssembly runtime environments are embedded in application servers to host "server-side" WebAssembly applications and in other applications to support plug-in-based software extension architectures, e.g., "WebAssembly for Proxies" (proxy-wasm) which specifies a WebAssembly-based ABI for extending proxy servers.[22] [23]

Web browsers

In November 2017, Mozilla declared support "in all major browsers", after WebAssembly was enabled by default in Edge 16. The support includes mobile web browsers for iOS and Android. 99% of tracked web browsers support WebAssembly (version 1.0), which is more than for its predecessor asm.js, that is not supported by e.g. Safari web browser. For some extensions, from the 2.0 draft standard, support may be lower, but still more than 90% of web browsers may already support, e.g. for reference types extension.[24]

Compilers

WebAssembly implementations usually use either ahead-of-time (AOT) or just-in-time (JIT) compilation, but may also use an interpreter. While the first implementations have landed in web browsers, there are also non-browser implementations for general-purpose use, including Wasmer, Wasmtime[25] or WAMR, wasm3, WAVM, and many others.[26]

Because WebAssembly executables are precompiled, it is possible to use a variety of programming languages to make them. This is achieved either through direct compilation to Wasm, or through implementation of the corresponding virtual machines in Wasm. There have been around 40 programming languages reported to support Wasm as a compilation target.

Emscripten compiles C and C++ to Wasm using the Binaryen and LLVM as backend.[27] The Emscripten SDK can compile any LLVM-supported languages (such as C, C++ or Rust, among others) source code into a binary file which runs in the same sandbox as JavaScript code. Emscripten provides bindings for several commonly used environment interfaces like WebGL.

As of version 8, a standalone Clang can compile C and C++ to Wasm.[28] Its initial aim was to support compilation from C and C++, though support for other source languages such as Rust, .NET languages[29] and AssemblyScript (TypeScript-like) is also emerging.

After the MVP release, WebAssembly added support for multithreading and garbage collection[30] [31] which enabled compilation for garbage-collected programming languages like C# (supported via Blazor), F# (supported via Bolero[32] with help of Blazor), Python, and even JavaScript where the browser's just-in-time compilation speed is considered too slow.

A number of other languages have some support including Python,[33] Julia,[34] [35] Ruby[36] and Ring.[37] [38]

A number of systems can compile Java and other bytecode languages to JavaScript and WebAssembly. These include CheerpJ,[39] JWebAssembly and TeaVM.[40] These all take Java byte code .class files as input allowing other JVM languages like Groovy, and Scala to be used as well. Kotlin supports WebAssembly directly.[41] [42]

Limitations

Web browsers do not allow WebAssembly code to directly access the Document Object Model. Wasm code must defer to JavaScript for this.

In an October 2023 survey of developers, less than half of the 303 participants were satisfied with the state of WebAssembly. A large majority cited the need for improvement in four areas: WASI, debugging support, integration with JavaScript and browser APIs, and build tooling.[43]

For memory-intensive allocations in WebAssembly, there are "grave limitations that make many applications infeasible to be reliably deployed on mobile browsers [..] Currently allocating more than ~300MB of memory is not reliable on Chrome on Android without resorting to Chrome-specific workarounds, nor in Safari on iOS."[44]

All major browsers allow WebAssembly if Content-Security-Policy is not specified, or if "unsafe-eval" is used, but otherwise they behave differently.[45] Chrome requires "unsafe-eval",[46] [47] though a worker thread can be a workaround.[47]

In 2022, the startup company named Zaplib summarized in a blog why they were shutting down. Their goal had been to significantly increase the performance of existing web apps by incrementally porting them to Rust/Wasm. However, porting a customer's simulator from JavaScript only yielded a 5% improvement. Regarding Figma, they stated: "upon closer inspection it seems that their use of Wasm is more due to historical accidents—wanting to build in C++ to hedge for their native app—than for critical performance needs. Figma files are processed in C++/Wasm, and this is likely a huge speedup, but most of Figma's performance magic is due to their WebGL renderer."[48]

Security considerations

In June 2018, a security researcher presented the possibility of using WebAssembly to circumvent browser mitigations for Spectre and Meltdown security vulnerabilities once support for threads with shared memory is added. Due to this concern, WebAssembly developers put the feature on hold.[49] [50] However, in order to explore these future language extensions, Google Chrome added experimental support for the WebAssembly thread proposal in October 2018.[51]

WebAssembly has been criticized for allowing greater ease of hiding the evidence for malware writers, scammers and phishing attackers; WebAssembly is present on the user's machine only in its compiled form, which "[makes malware] detection difficult".[52] The speed and concealability of WebAssembly have led to its use in hidden crypto mining on the website visitor's device.[52] [53] [54] Coinhive, a now defunct service facilitating cryptocurrency mining in website visitors' browsers, claims their "miner uses WebAssembly and runs with about 65% of the performance of a native Miner." A June 2019 study from the Technische Universität Braunschweig analyzed the usage of WebAssembly in the Alexa top 1 million websites and found the prevalent use was for malicious crypto mining, and that malware accounted for more than half of the WebAssembly-using websites studied.[55] [56] An April 2021 study from Universität Stuttgart found that since then crypto mining has been marginalized, falling to below 1% of all WebAssembly modules gathered from a wide range of sources, also including the Alexa top 1 million websites.[57]

The ability to effectively obfuscate large amounts of code can also be used to bypass ad blocking and privacy tools that prevent web tracking like Privacy Badger.

As WebAssembly supports only structured control flow, it is amenable toward security verification techniques including symbolic execution.[58] Current efforts in this direction include the Manticore symbolic execution engine.

WASI

WebAssembly System Interface (WASI) is a simple interface (ABI and API) designed by Mozilla intended to be portable to any platform.[59] It provides POSIX-like features like file I/O constrained by capability-based security.[60] [61] There are also a few other proposed ABI/APIs.[62] [63]

WASI is influenced by CloudABI and Capsicum.

Solomon Hykes, a co-founder of Docker, wrote in 2019, "If WASM+WASI existed in 2008, we wouldn't have needed to create Docker. That's how important it is. WebAssembly on the server is the future of computing." Wasmer, out in version 1.0, provides "software containerization, we create universal binaries that work anywhere without modification, including operating systems like Linux, macOS, Windows, and web browsers. Wasm automatically sandboxes applications by default for secure execution".[64]

Specification

Host environment

The general standard provides core specifications for JavaScript API and details on embedding.

Virtual machine

Wasm code (binary code, i.e. bytecode) is intended to be run on a portable virtual stack machine (VM). The VM is designed to be faster to parse and execute than JavaScript and to have a compact code representation. Any external functionality (like syscalls) that may be expected by Wasm binary code is not stipulated by the standard. It rather provides a way to deliver interfacing via modules by the host environment that the VM implementation runs in.[65]

Wasm program

A Wasm program is designed to be a separate module containing collections of various Wasm-defined values and program type definitions. These are expressed in either binary or textual format (see below) that both have a common structure.[66] Such module may provide a start function that is executed upon instantiation of a wasm binary.

Instruction set

The core standard for the binary format of a Wasm program defines an instruction set architecture (ISA) consisting of specific binary encodings of types of operations which are executed by the VM (without specifying how exactly they must be executed).[67] The list of instructions includes standard memory load/store instructions, numeric, parametric, control of flow instruction types and Wasm-specific variable instructions.[68]

The number of opcodes used in the original standard (MVP) was a bit fewer than 200 of the 256 possible opcodes. Subsequent versions of WebAssembly pushed the number of opcodes a bit over 200. The WebAssembly SIMD proposal (for parallel processing) introduces an alternate opcode prefix (0xfd) for 128-bit SIMD. The concatenation of the SIMD prefix, plus an opcode that is valid after the SIMD prefix, forms a SIMD opcode. The SIMD opcodes bring an additional 236 instructions for the "minimum viable product" (MVP) SIMD capability (for a total of around 436 instructions).[69] [70] Those instructions, the "finalized opcodes"[71] are enabled by default across Google's V8 (in Google Chrome), the SpiderMonkey engine in Mozilla Firefox, and the JavaScriptCore engine in Apple's Safari[72] and there are also some additional proposal for instructions for later "post SIMD MVP", and there's also a separate "relaxed-simd" proposal on the table.

These SIMD opcodes are also portable and translate to native instruction sets like x64 and ARM. In contrast, neither Java's JVM nor CIL support SIMD, at their opcode level, i.e. in the standard; both do have some parallel APIs which provide SIMD speedup. There is an extension for Java adding intrinsics for x64 SIMD,[73] that isn't portable, i.e. not usable on ARM or smartphones. Smartphones can support SIMD by calling assembly code with SIMD, and C# has similar support.

Code representation

In March 2017, the WebAssembly Community Group reached consensus on the initial (MVP) binary format, JavaScript API, and reference interpreter. It defines a WebAssembly binary format, which is not designed to be used by humans, as well as a human-readable WebAssembly text format that resembles a cross between S-expressions and traditional assembly languages.

The table below shows an example of a factorial function written in C and its corresponding WebAssembly code after compilation, shown both in text format (a human-readable textual representation of WebAssembly) and in binary format (the raw bytecode, expressed below in hexadecimal), that is executed by a Web browser or run-time environment that supports WebAssembly.

All integer constants are encoded using a space-efficient, variable-length LEB128 encoding.[74]

The WebAssembly text format is more canonically written in a folded format using S-expressions. For instructions and expressions, this format is purely syntactic sugar and has no behavioral differences with the linear format. Through, the code above decompiles to:

(module (type $t0 (func (param i64) (result i64))) (func $f0 (type $t0) (param $p0 i64) (result i64) (if $I0 (result i64) ;; $I0 is an unused label name (i64.eqz (local.get $p0)) ;; the name $p0 is the same as 0 here (then (i64.const 1)) (else (i64.mul (local.get $p0) (call $f0 ;; the name $f0 is the same as 0 here (i64.sub (local.get $p0) (i64.const 1))))))))

Note that a module is implicitly generated by the compiler. The function is actually referenced by an entry of the type table in the binary, hence a type section and the emitted by the decompiler.[75] The compiler and decompiler can be accessed online.[76]

See also

External links

Notes and References

  1. Web site: WebAssembly/design/Semantics.md. 2021-02-23. GitHub. en. WebAssembly code can be considered a structured stack machine; a machine where most computations use a stack of values, but control flow is expressed in structured constructs such as blocks, ifs, and loops. In practice, implementations need not maintain an actual value stack, nor actual data structures for control; they need only behave as if they did so..
  2. Web site: Mozilla . Understanding WebAssembly text format . 9 December 2019 . MDN Web Docs . en-US.
  3. Web site: Introduction — WebAssembly 1.0. webassembly.github.io. 18 June 2019. WebAssembly is an open standard....
  4. Web site: Introduction — WebAssembly 1.0. webassembly.github.io. 18 June 2019. WebAssembly is a ... code format.
  5. Web site: Conventions — WebAssembly 1.0. webassembly.github.io. 17 May 2019. WebAssembly is a programming language that has multiple concrete representations (its binary format and the text format). Both map to a common structure..
  6. Web site: Introduction — WebAssembly 1.0. webassembly.github.io. 18 June 2019. ... this specification is complemented by additional documents defining interfaces to specific embedding environments such as the Web. These will each define a WebAssembly application programming interface (API) suitable for a given environment..
  7. Web site: Introduction — WebAssembly 1.1. 2021-02-19. Its main goal is to enable high performance applications on the Web, but it does not make any Web-specific assumptions or provide Web-specific features, so it can be employed in other environments as well.. webassembly.github.io.
  8. Haas. Andreas. Rossberg. Andreas. Schuff. Derek L.. Titzer. Ben L.. Holman. Michael. Gohman. Dan. Wagner. Luke. Zakai. Alon. Bastien. JF. 14 June 2017. Bringing the Web Up to Speed with WebAssembly. SIGPLAN Notices. 52. 6. 185–200. 10.1145/3140587.3062363. 0362-1340. While the Web is the primary motivation for WebAssembly, nothing in its design depends on the Web or a JavaScript environment. It is an open standard specifically designed for embedding in multiple contexts, and we expect that stand-alone implementations will become available in the future.. free.
  9. Web site: World Wide Web Consortium . WebAssembly Core Specification . World Wide Web Consortium (W3) . 9 December 2019.
  10. Web site: Couriol . Bruno . WebAssembly 1.0 Becomes a W3C Recommendation and the Fourth Language to Run Natively in Browsers . infoq.com . 9 December 2019.
  11. Web site: WebAssembly Specification — WebAssembly 1.1. 2021-03-22. webassembly.github.io.
  12. Web site: Programming Languages Software Award. www.sigplan.org.
  13. Web site: Staring at the Sun: Dalvik vs. ASM.js vs. Native. blog.mozilla.org. August 2013 . 7 December 2019. Even discarding the one score where asm.js did better, it executes at around 70% of the speed of native C++ code..
  14. Book: Arjun, Jangda, Abhinav Powers, Bobby Berger, Emery Guha. Not So Fast: Analyzing the Performance of WebAssembly vs. Native Code. 2019-01-25. 1106328738.
  15. Web site: WebAssembly Worker Based Threads - Chrome Platform Status. 2022-02-19. chromestatus.com.
  16. Web site: WebAssembly Specification — WebAssembly 2.0 (Draft 2022-09-01) . 2022-09-09 . webassembly.github.io.
  17. Web site: WebAssembly 2.0 First Public Working Drafts W3C News . 19 April 2022 . 2022-09-09 . en-US.
  18. Web site: Non-Web Embeddings. 15 May 2019. WebAssembly.
  19. Web site: Non-Web Embeddings. 15 May 2019. GitHub / WebAssembly.
  20. Web site: Outside the web: standalone WebAssembly binaries using Emscripten · V8. 2020-07-28. v8.dev.
  21. Web site: Wasmer - The Universal WebAssembly Runtime. Compile everything to WebAssembly. Run it on any OS or embed it into other languages.. 2021-02-19. wasmer.io.
  22. Web site: Proxy-Wasm: It’s WebAssembly for Proxies . Freese . Danny . 2023-10-03 . mdy . Blog . . 2024-05-06.
  23. Web site: proxy-wasm/spec: WebAssembly for Proxies (ABI specification) . . 2024-05-06.
  24. Web site: WebAssembly Reference Types Can I use... Support tables for HTML5, CSS3, etc . 2024-03-03 . caniuse.com.
  25. Web site: Wasmtime — a small and efficient runtime for WebAssembly & WASI. 2020-12-18. wasmtime.dev.
  26. Web site: Roadmap . 2021-12-07 .
  27. kripken. 1186407352880074752. Emscripten has switched to the upstream LLVM wasm backend by default! / Details:https://groups.google.com/forum/#!topic/emscripten-discuss/NpxVAOirSl4 …. Zakai. Alon. 21 October 2019. 22 October 2019.
  28. Web site: LLVM 8.0.0 Release Notes — LLVM 8 documentation. 22 October 2019. releases.llvm.org.
  29. Web site: Frequently asked questions (FAQ) about Blazor. 18 June 2018. blazor.net.
  30. Web site: A new way to bring garbage collected programming languages efficiently to WebAssembly · V8 . 2023-12-11 . v8.dev.
  31. Web site: WebAssembly Garbage Collection (WasmGC) now enabled by default in Chrome Blog . 2023-12-11 . Chrome for Developers . en.
  32. Web site: Bolero: F# in WebAssembly. fsbolero.io. 25 July 2019.
  33. Web site: Pyodide: Bringing the scientific Python stack to the browser – Mozilla Hacks - the Web developer blog. 2020-09-09. Mozilla Hacks – the Web developer blog. en-US.
  34. Web site: Julia in the Browser . nextjournal.com. 9 April 2019.
  35. Web site: WebAssembly platform by tshort · Pull Request #2 · JuliaPackaging/Yggdrasil. GitHub. en. 9 April 2019.
  36. Web site: MRuby in Your Browser. ruby.dj. 25 July 2019.
  37. Web site: Ring language upgrade focuses on WebAssembly . Paul Krill. 24 August 2020 . InfoWorld.
  38. Web site: Ring in web browser. 17 August 2024.
  39. Web site: 2023-04-27. Java to WebAssembly Compiler - CheerpJ.
  40. Web site: 2023-04-27. TeaVM — Overview. www.teavm.org.
  41. Web site: Bringing Kotlin to the Web . 2023-12-11 . en.
  42. Web site: Deleuze . Sébastien . 2023-02-13 . The huge potential of Kotlin/Wasm . 2023-12-11 . seb.deleuze.fr . en.
  43. Web site: The State of WebAssembly 2023 . Scott Logic . 18 October 2023 . 14 March 2024.
  44. Web site: Wasm needs a better memory management story · Issue #1397 · WebAssembly/design. 2021-02-15. GitHub. en.
  45. Web site: WebAssembly/content-security-policy. 2021-02-17. GitHub. en.
  46. Web site: 948834 - chromium - An open-source project to help move the web forward. - Monorail. 2021-02-17. bugs.chromium.org.
  47. Web site: No way to use WebAssembly on Chrome without 'unsafe-eval' · Issue #7 · WebAssembly/content-security-policy. 2021-02-17. GitHub. en.
  48. Web site: Zaplib post-mortem . zaplib.com . April 2022 . 14 March 2024.
  49. Web site: Cimpanu . Catalin . Changes in WebAssembly Could Render Meltdown and Spectre Browser Patches Useless . . 8 June 2019 . en-us . 24 June 2018.
  50. Web site: Sanders . James . How opaque WebAssembly code could increase the risk of Spectre attacks online . . 9 June 2019 . en . 25 June 2018.
  51. Web site: R . Bhagyashree . Google Chrome 70 now supports WebAssembly threads to build multi-threaded web applications . . 9 June 2019 . 30 October 2018.
  52. Web site: Lonkar . Aishwarya . Chandrayan . Siddhesh . The dark side of WebAssembly . . 8 June 2019 . October 2018.
  53. Web site: Segura . Jérôme . Persistent drive-by cryptomining coming to a browser near you . . 8 June 2019 . 29 November 2017.
  54. Web site: Neumann . Robert . Toro . Abel . In-browser mining: Coinhive and WebAssembly . Forcepoint . 8 June 2019 . en . 19 April 2018.
  55. Web site: Recent Study Estimates That 50% of Websites Using WebAssembly Apply It for Malicious Purposes. InfoQ. 3 November 2019.
  56. Book: Musch . Marius . Detection of Intrusions and Malware, and Vulnerability Assessment . 11543 . 23–42 . Wressnegger . Christian . Johns . Martin . Rieck . Konrad . New Kid on the Web: A Study on the Prevalence of WebAssembly in the Wild . . 15 February 2022 . 10.1007/978-3-030-22038-9_2 . June 2019 . Lecture Notes in Computer Science . 978-3-030-22037-2 . 184482682 . 26 July 2022 . https://web.archive.org/web/20220726131621/https://www.sec.cs.tu-bs.de/pubs/2019a-dimva.pdf . dead . Slides (PDF)
  57. Aaron Hilbig, Daniel Lehmann, and Michael Pradel (April 2021). "An Empirical Study of Real-World WebAssembly Binaries: Security, Languages, Use Cases." (Archived April 2021) https://software-lab.org/publications/www2021.pdf
  58. Book: Watt, Conrad. Proceedings of the 7th ACM SIGPLAN International Conference on Certified Programs and Proofs . Mechanising and verifying the WebAssembly specification . 2018-01-08. https://dl.acm.org/doi/10.1145/3167082. CPP 2018. en. Los Angeles CA USA. ACM. 53–65. 10.1145/3167082. 978-1-4503-5586-5. 9401691.
  59. Web site: WebAssembly System Interface Repo . GitHub / WebAssembly. 10 February 2020 .
  60. Web site: Additional background on Capabilities . GitHub . 4 March 2022 . bytecodealliance . en.
  61. Web site: Standardizing WASI: A system interface to run WebAssembly outside the web – Mozilla Hacks - the Web developer blog . Mozilla Hacks – the Web developer blog.
  62. Web site: reference-sysroot Repo . GitHub / WebAssembly. 12 January 2020 .
  63. Web site: wasm-c-api Repo . GitHub / WebAssembly. 3 February 2020 .
  64. Web site: The "Wasmer" WebAssembly Runtime is Generally Available. 2021-02-19. InfoQ. en.
  65. Web site: Portability - WebAssembly. 2020-07-28. webassembly.org.
  66. Web site: Conventions — WebAssembly 1.0. webassembly.github.io. 12 November 2019.
  67. Web site: Introduction — WebAssembly 1.0. webassembly.github.io. 17 May 2019.
  68. Web site: Instructions — WebAssembly 1.0. webassembly.github.io. 12 November 2019.
  69. Web site: Final opcodes by tlively · Pull Request #452 · WebAssembly/simd · GitHub . Lively . Thomas . 2021-02-19 . Pull Request opened on 2021-02-05 . Bytecode Alliance . . 2021-05-12 .
  70. Web site: File wasm-tools/expr.rs at b5c3d98e40590512a3b12470ef358d5c7b983b15 · bytecodealliance/wasm-tools · GitHub . Delendik . Yury . 2021-02-19 . SIMD changes committed on 2021-02-19 . Bytecode Alliance . . 2021-05-12 .
  71. Web site: Update interpreter and text with finalized opcodes by ngzhian · Pull Request #486 · WebAssembly/simd. 2021-05-14. GitHub. en.
  72. Web site: WebAssembly/simd. 2021-05-14. GitHub. en.
  73. Web site: How we made the JVM 40x faster. support for all 5912 Intel SIMD intrinsics from MMX to AVX-512.-->. 2021-02-17. astojanov.github.io.
  74. Web site: WebAssembly Specification Release 1.0 . 13 January 2020 . WebAssembly Community Group . January 2020.
  75. Web site: Modules (Binary) . WebAssembly 1.0.
  76. Web site: WebAssembly Binary Toolkit (wabt) demos . webassembly.github.io.