
WAVM: standalone WebAssembly VM prototype - vmorgulis
https://github.com/AndrewScheidecker/WAVM
======
slimsag
Am I correct that WebAssembly is the first browser language VM (like JVM,
Flash, etc) that is developed as a specification and not an implementation? If
so, I wonder how security will fare in comparison to JVM/Flash/etc, I imagine
it'll be much better. WebAssembly is gonna be huge, esp. with languages like
Rust supporting it!

~~~
stepanhruda
I assume there will be no more security holes than there are in javascript,
since it's effectively a sibling to it, implementing the exact same APIs

~~~
akavel
I suspect it (the WASM VM) will "bubble out" from inside the JS VM in browsers
sooner or later, as a distinct entity in browsers. To enable better
optimizations, if only. And especially better optimizations means closer to
metal, which I think makes it harder not to introduce security holes.

Also, brand new external WASM VMs will be created (as in the OP link), and
possibly used in future (or current but new versions?) browsers, again
allowing for brand new security holes.

So, I'm not very convinced by this argument as of now.

------
cm3
I haven't been following WebAssembly, but I've asked myself why, given the
elevated level of security threats, there is not effort to design a safer,
tinier, web page scripting system. I have the feeling that based on the
experience we could streamline and simplify much of the web client stack to
allow (1) safer implementations, (2) smaller implementations and (3) less
interpretation of the standards.

~~~
sievebrain
Once upon a time Javascript _was_ tiny.

Unfortunately, the web became the only app platform that was perceived as
being politically neutral, and so there was huge pressure to add features to
it. These features all hugely increased the complexity of HTML renderers, and
with complexity came bugs.

Could you build a smaller, simpler, safer web? Sure. It's called HTML4.

~~~
cm3
I get what you're saying, but what I meant is that it's surely possible to
keep the current features while streamlining it into something coherent, much
smaller, and easier to implement.

The modern web platform's bloat and what you can achieve with it always
reminds me of 1990s demo scene mags on floppy disks and their mag engines. I
think most of the problems stem from adding more stuff to HTML rather than
taking what we build today building the smallest possible DSL and its engine
around it. At some point we have to do a cut like that or we'll have browsers
that'll have to support many, many HTML profiles and become monstrosities.

~~~
vmorgulis
I expect a reboot of the web with wasm.

As wasm defines a VM, the browser could become useless.

~~~
cm3
Given how single page web sites are more or less like Flash in that they don't
follow the document model anymore, maybe it's for the best, giving real web
pages a chance to revive an effort like XHTML and get us document standards.

------
fizzbatter
Dumb question, but is the purpose of this to run WASM code (binaries/etc) in
standalone?

Ie, is Nodejs to Javascript as WAVM is to WASM?

~~~
ascheidecker
Not exactly. Node.js will probably integrate a future release of V8 that
supports WebAssembly, and WAVM isn't a suitable replacement for that.

WAVM is more like V8, but for WebAssembly only instead of both JavaScript and
WebAssembly. The purpose is to serve as a simple VM for my programming
language that compiles to WebAssembly.

------
merb
Without GC WebAssembly will still hold a shit load of languages away.

~~~
k__
Really? I had the impression it's the other way around.

If it would have GC, other languages would have to use the supplied GC.

If it wouldn't have GC, other languages could simply implement their own GC.

~~~
merb
> implement their own GC

when that would be so easy, maybe. But especially on top of the browser
restrictions that will be even harder.

~~~
sspiff
Garbage collection is not magic. It's a fairly simple (but byzantine) matter
of tracking references, and allocating and freeing memory. Why would this be
so much harder for WebAssembly? Why can't existing garbage collectors be
compiled to WA?

~~~
chrisseaton
> Why can't existing garbage collectors be compiled to WA?

Yes I think that's the idea.

~~~
sspiff
Exactly. From what I've seen of WebAsm, you can request pages of memory using
grow_memory. Upon this, you could implement a memory pool system to handle
malloc and free. Using this, it is trivial to port existing GC's.

I don't understand why people moan about GC in WebAsm. WebAsm is a compiler
target for lower level languages, not the JVM.

