Become a fan of Slashdot on Facebook


Forgot your password?
Programming Technology

WebAssembly: An Attempt To Give the Web Its Own Bytecode 126

New submitter Josiah Daniels writes with this kernel from a much more detailed article at Ars Technica about what already looks like a very important initiative: WebAssembly is a new project being worked on by people from Mozilla, Microsoft, Google, and Apple, to produce a bytecode for the Web. WebAssembly, or wasm for short, is intended to be a portable bytecode that will be efficient for browsers to download and load, providing a more efficient target for compilers than plain JavaScript or even asm.js
This discussion has been archived. No new comments can be posted.

WebAssembly: An Attempt To Give the Web Its Own Bytecode

Comments Filter:
  • by Anonymous Coward on Thursday June 18, 2015 @05:26PM (#49939571)

    The web is hardly usable anymore. Even the simplest web sites are slow as molasses, thanks to heaps of "active" content alongside the actual information. Now you're going to bestow your own runtime on us? Now that we've finally ditched Java and Flash?

    • by mlts ( 1038732 )

      Of course, there are the security aspects as well. We already have been down this road with Java (which did have a lot of promise, especially with HotJava as an example of a browser written in the language, and prototype CPUs that could execute Java bytecode natively.) However, it fell apart, and now, code running on the same JVM on a Mac may just completely fail on Windows, and the other way around. Then, there is finding the right JVM.

      Of course, there will be updates. A bytecode language is never fini

      • by viperidaenz ( 2515578 ) on Thursday June 18, 2015 @05:59PM (#49939971)

        You're confused about Java
        The byte code is compatible.
        Code compiled in the first ever Java compiler will run on the latest JVM. There have been a few additions to the byte codes, so it doesn't always work the other way.

        If you really want your new code to work in old JVM's all you need to do is set the compiler compliance level.

        You don't need to down-grade a JVM for it to correctly interpret byte code from an old compiler.

        The compatibility problems come with changes to the run-time libraries. Byte code has nothing to do with that. Compiling from source won't fix it.

        • by swilly ( 24960 ) on Thursday June 18, 2015 @10:45PM (#49941847)

          This is mostly true, but it is worth expanding as there are a lot of misconceptions about this. Java bytecode contains the JVM version it was compiled against, and later JVMs will run it just fine, even if it will no longer compile. I remember when Java added the enum keyword, and all our applications ran fine on the new JVM, even though it wouldn't compile without changes (one of our programmers used enum as the standard variable name for Enumerators). Overall, I've been very impressed with Java's cross platform and version compatibility, but I have found three causes of compatibility problems that are worth knowing about.

          First, you cannot rely on non-standard libraries such as the com.sun packages. These aren't guaranteed to exist from one version of Java to the next. They aren't even guaranteed to work the same between minor Java versions. If you limit yourself to the standard libraries, you are safe. Be advised that deprecated methods may be removed in the future, though none have been removed so far.

          Second, some programmers explicitly version check the JVM. This is usually for compliance issues, as some organizations feel that code should never run against a JVM that it hasn't been formally verified against. I have also seen this done because code was written to a known bug and some idiot thought it would be better to ensure that the underlying JVM always had the bug rather than work with both bugged and unbugged JVMs. Whatever your reasons, I consider this to be a bad practice, as you won't get security fixes from updated JVMs.

          Third, while bytecode should always be forward compatible (barring bugs in the Java library), if you use native code you should be aware that JNI libraries are not guaranteed to work across major JVM versions. JNI libraries must be recompiled to work on newer JVMs.

          There may be other sources of compatibility problems, but these are the only that I've run across them in my 15 years maintaining several million lines of Java code.

          • Java byte code contains no version.

            You've confused it with Class versions.

            • by swilly ( 24960 )

              You can get the version of the compiler used to compile a class file (which contains the bytecode) using "javap -verbose MyClass.class". A major and minor version will be at the top. For what it is worth, Java 7 uses major version 51.

              • Yes, that's the class file format.

                It's not the version of the compiler, it's the class version. A Java 8 compiler can create classes with versions 47 through 52.
                You can set that with the -target option of javac

      • A bytecode format is easy to maintain backward compatibility with, and because it's bytecode, not native code, it's fairly easy to enforce proper sandboxing at a pretty low level. It could be argued that this is actually what JavaScript and the security disaster that is the Java plugin should have been from the beginning.

        Like with the .NET CLR (Common Language Runtime), you can actually use just about any language you want to that's designed to compile down to this common runtime (or in this case bytecode

      • Java bytecode should always be compatible across platforms, and they have done a good job of keeping that true. There may be rare cases of compatibility issues but I haven't heard of them.

        Native code is another matter entirely. That will fail if you move to a different architecture, as could happen if you moved from an old PowerPC Mac to a newer Mac or an x86 system, or when you try to move Java code to a system with an ARM processor. And the libraries have not been as good about maintaining backward compat

    • Somehow you're under the impression that JavaScript doesn't already run in its own virtual machine and simplifying the compilation process that already happens would somehow make things slower.

    • by Anonymous Coward

      That has nothing to do with anything.

      Crappy websites are slow because they use bullshit like jQuery and 10 other libraries and don't take the time to remove stuff they don't need.
      They have 50 different kinds of scripts all loading their own instances after pages load.
      They have scripts doing constant DOM updates instead of doing it all in memory, then writing to DOM once.
      They have timers running at zero speed, aka, as fast as the browser is allocating timeslices to the page, making the page lag like dicks.

    • Now that we've finally ditched Java and Flash?

      They have? It's official? Yay!! Hey code monkeys and desk bunnies - get me a case of beer and take the rest of the day off. It's party time - tell the clients we're compiling all day.

    • The web is hardly usable anymore. Even the simplest web sites are slow as molasses, thanks to heaps of "active" content alongside the actual information. Now you're going to bestow your own runtime on us? Now that we've finally ditched Java and Flash?

      JavaScript and the DOM is a runtime that has replaced Java applets (almost completely) and Flash (mostly). There's room for improvement in performance.The problem with asm.js is that it's a Mozilla thing, even though asm.js runs quite well on Chrome. The problem with Dart is that it's a Google thing, even though it can be transpiled to JavaScript.

      WebAssembly has all four of the key players involved (Mozilla, Google, Apple, Microsoft). Maybe, just maybe, we'll be able to write code in a language that suits

  • by Anonymous Coward

    Why did /. ruin their layout by moving comment counts into the headlines? Sometimes the counts do not display at all. Is Dice outsourcing design to Retardistan?

    • Re: (Score:2, Funny)

      by Anonymous Coward
      They can't even do Unicode or https correctly. You are expecting too much from the script kiddies that run this site.
  • Not needed. Simple as that. Our devices are getting more powerful each generation, and they worked well enough with HTML and human-readable text. This probably wouldn't even be on the table if it weren't for the bazillion advertisements and spyware on most major websites. My 2 cents at least.
  • by Anonymous Coward

    Just what we need, another browser executable language to aid in drive-by malware. And i'll bet it'll be the kind to execute without prompts too. Activex mark 2 perhaps?

    • byte code is not executable. From a security perspective, its not any different than source code.

    • by Goaway ( 82658 )

      asm.js already exists, and already runs in your browser, and is not the cause of any known security issues. This is just a different packaging for the exact same thing.

  • by cmorriss ( 471077 ) on Thursday June 18, 2015 @05:32PM (#49939655)

    This is ultimately where the browsers need to go. Many have tried in the past, but always from some side angle assuming that it had to be through a plugin or had to use Javascript as the underlying byte code, e.g. GWT. This could finally allow a wide array of languages to be used to build web applications, similar to the explosion of languages that now run on a JVM.

    • by goruka ( 1721094 )
      It will take a while to convince developers that running this kind of native code is not unsafe, and that this is technically different (and very superior) to NPAPI, ActiveX, Java, Flash or Silverlight in terms of portability and security.
      • by delt0r ( 999393 )
        Lets be clear. If it is as general as js it won't be safe. There will be bugs, there will be issues, there will be stupid users that click "Yes debit my credit card $1000 and upload all my personal information.

        Sure there will be sandboxes, but they have bugs and errors too.
    • by Anonymous Coward on Thursday June 18, 2015 @09:48PM (#49941575)

      No. We need to completely abandon this aspect of the browser. Desktop applications are far, far better and their toolkits are far better. What we need is excellent sandboxes so you can download any program and run it without fear of destroying your system. Doing everything as web apps only makes the installation process easier. It makes everything else harder. Instead of trying to make everything else easier, we should be making the single task of installation easier and safer.

      Everything the web is doing already exists in 'real' applications, they're just reinventing everything badly in an attempt to get around HTML shortcomings. The easy solution is to drop back to real applications running with similar restrictions as web pages have. We used to have that but the sandboxes had too many holes. Please just make better sandboxes instead of turning everyone's browser into more of an OS.

      • by Anonymous Coward

        The problem is just that PC security is fucking ridiculous. No one should be forced to choose between giving any application they run the ability to do anything they themselves can do on the computer, or simply not running the application at all. What the hell is the point of having a computer if you're not going to run software on it? It's useless without software, and so the fact that our computers can't safely run software is insane.

        There's no reason that kids shouldn't be able to download any applica

        • by tepples ( 727027 )

          The only applications that require access to any random file they care to access are file browsers and archive utilities, but those come with the OS. No software that the user installs should be able to do that.

          "Nobody needs a specialized file browser. Nobody needs a specialized archive utility." I disagree. But those could still be worked into your security paradigm by prompting the user to select his home directory in File > Open and File > Save when the application is installed.

      • by jaa101 ( 627731 )

        You're forgetting the big advantage of web apps: they are cross-platform. Also, they are not only zero-install, but they can also be continuously updated on the server without needing auto-updaters or patching on users' machines.

      • While I agree with your overall vision this hypothetical sandbox would benefit greatly for being inside the browser itself because browsers are crossplatform.

  • by xdor ( 1218206 )

    Have you run a Java applet lately? Or maybe you'd prefer Silver-light?

    I think Adobe had something called Flash that's pretty popular too..

  • by nickweller ( 4108905 ) on Thursday June 18, 2015 @05:38PM (#49939733)
    Java virtual machine (JVM [])
    • No thanks. I don't want a VM that has mandatory built-in GC and a bunch of other nonsensical limitations. Provide me one which I can allocate and commit virtualized memory and a safe method for system access with all the facilities/opcodes of an ideal modern multi-core processor.
      • by delt0r ( 999393 )
        So all web browsers must use this mandatory memory model regardless of underlying platform? Does JS give you access to this? You use those opcodes in normal applications?

        I have my doubts.
    • by tepples ( 727027 )

      But I don't want to have to opt out of Yahoo! on each security update [].

  • by Livius ( 318358 ) on Thursday June 18, 2015 @05:44PM (#49939781)

    I've been saying this for twenty years.

    Java tried to be this, and unfortunately came close enough to remove the incentive to improve but not quite good enough to really accomplish the goal.

    Everything on the web is ultimately a crude hack on top of HTML, which is why there are new development and deployment frameworks constantly being created, because no-one has come up with something good.

    • by quietwalker ( 969769 ) <> on Thursday June 18, 2015 @06:01PM (#49939989)

      I have also been saying this for years.

      It's nice that HTML and CSS were accessible to the masses, and without their simplicity, we could never have reached the level of adoption we now have. See the argument over the MEDIA vs. IMG tag from way back for a good example of that. However, now, that additive simplicity is holding us back.

      What we need is a language with flow control, variables, functions, templating, the whole 9 yards. Not just on top of HTML & CSS, but as part of it. So we can dynamically change the size of page elements based on other page elements (think layout managers) without making incredibly complex and highly specific css for a variety of media screen sizes. Common features like centering a dialog box or a three-column display with header and footer sections shouldn't be a hack you need to ferret out, that may behave badly with long or short pages. It'd be nice to explicitly link action management with page elements and avoid much of the code required to identify actors and route events. Heck, some sort of built in asynchronous request mechanism might be nice, rather than having to write custom javascript each time.

      What we don't need is another life support extension to a markup language.

      • by Anonymous Coward

        "What we need is a language with flow control, variables, functions, templating, the whole 9 yards."

        Fuck you! I don't want to have to run such complex code off off the internet where i have no control over it at all.
        Your idea will fuck up the internet. Seriously.
        Just look at the shit that is possible with the current limited set op external commands that people run daily off off the net. Now imagine this problem growing exponentially. For one, your idea would not survive a day without a proper virus scanner

        • Your idea will fuck up the internet. Seriously.

          The internet is already fucked up. Seriously.

          After reading all the comments in this discussion, it's clear to me that nobody here has the final word on this subject.

          A few have posted their ideas which approach the truth, and are being blasted for it. I love it. Makes me sleep a thousand times easier at night.

          Not going to explain to you why you're wrong. I can guarantee you'll figure it out eventually; when the right product hits the market.

        • This is not anything we're not already doing, the difference is that right now it's incredibly difficult to do well, and the result is an intractable mess. Markup - and CSS is just an externalized form of markup - lacks any real power. It's simplistic, which makes it approachable, but not very flexible or adaptive. In order to achieve even simple goals, we're using fairly complex and increasingly obscured and inflexible markup. When that fails, we turn to javascript to provide liquid layouts that work,

    • by viperidaenz ( 2515578 ) on Thursday June 18, 2015 @06:05PM (#49940027)

      Have you tried the latest framework, Vanilla JS []? It's faster and more efficient than any other framework.

  • by goruka ( 1721094 ) on Thursday June 18, 2015 @05:56PM (#49939921)
    1) Why is this needed?

    With the removal of binary plugins in Chrome and Edge (and soon to happen on Firefox), a way to code at native performance in the browser is still needed. Mainly to run high performance games, audio software, etc. You may not want it, but a lot of people consumes this content so there is a large industry behind it.

    2) Why not asm.js?

    This is almost the same as asm.js, except it's precompiled, so it' s more efficient for Javascript engines to JIT or AOT. Currently, compiling large asm.js codebases results in a large download and resource intensive compilation.

    3) How is this different from Java, Flash, Silverlight?

    It is different because:
    A) It' s a w3c standarized effort
    B) All the big players are behind it (Google, Mozilla, Microsoft and Apple)
    C) It relies on the browser security model, it does not bypass it
    D) It' s a low-level bytecode, more so than AS3, JVM or Silverlight, so it can run any language.
    E) It runs in the same "space" as the DOM, it's not a separate/embeeded app.

    4) Isn' t this unsafe or a new attack vector?

    No, it relies on the same browser security model as Javascript, so It's as dangerous as having Javascript enabled. Read up on how PNACL works for material on why this is not unsafe.

    5) Will it replace Javascript?

    It is not intended to, but it gives developers the same API with the ability of writing in any language, even C++, so developing a website using tools such as Qt will become possible (efficiently at least).
    • A) It' s a w3c standarized effort

      Close, but still wrong []

      We’re pretty early into the overall process—there is no draft spec or even final formal standards body chosen, just a W3C Community Group

      But it will be an open standard, thats sure.

      • by goruka ( 1721094 )
        You are right, I used bad wording, meant to be that it's intended to be a w3c standardization effort.
    • 4) Isn' t this unsafe or a new attack vector? No, it relies on the same browser security model as Javascript, so It's as dangerous as having Javascript enabled. Read up on how PNACL works for material on why this is not unsafe.

      Except you're bypassing the compiler now and potentially accessing a larger portion of the sandbox attack surface than before.

    • by rHBa ( 976986 )
      Nice technology, not sure if wasm will catch on as a name though. It sounds too much like a euphemism for some fun you might have on your own...!
    • Re: (Score:2, Interesting)

      by peppepz ( 1311345 )

      3) How is this different from Java, Flash, Silverlight?

      It is different because:

      A) It' s a w3c standarized effort

      B) All the big players are behind it (Google, Mozilla, Microsoft and Apple)

      C) It relies on the browser security model, it does not bypass it

      D) It' s a low-level bytecode, more so than AS3, JVM or Silverlight, so it can run any language.

      E) It runs in the same "space" as the DOM, it's not a separate/embeeded app.

      In other words, it's exactly like Java but instead of being designed by a software company, it's being introduced by personal data sellers, ad designers, NSA henchmen, DRM paladins, government lobbyists and walled-garden tenders. And unlike Java, it's going to be used by every single web page and we won't be able to uninstall it. Sounds great, what could possibly go wrong.

      • by Goaway ( 82658 )

        In other words, it's exactly like Java

        Point A: Unlike Java.

        Point B: Depends on your definitions, but fairly unlike Java.

        Point C: Unlike Java.

        Point D: Unlike Java.

        Point E: Unlike Java.

        How you can be given five different ways that wasm is unlike Java and conclude that it is "exactly like Java" is not easily comprehended.

        • Point A: Java was standardized by a consortium as well. I believe that even the APPLET tag was standardized by the w3c. Oh, and that was before the w3c had began “standardizing” DRM hooks.
          Point B: When Java was added to HTML, everyone and his dog (including Microsoft) thought that Java was the future and that every software in the world would have been rewritten in Java. Proof in the fact that the "Java" branding was added to Javascript in order to increase its appeal.
          Point C: the sandbox for
  • Nice idea guys, but unless Browsers REFUSE to run code of any type (including Javascript and Java) without some kind of checksum confirmation, the whole framework will be open to man-in-the-middle malware insertion.

  • by MightyDrunken ( 1171335 ) on Thursday June 18, 2015 @06:10PM (#49940097)
    I like many other people are forced to work in JavaScript. It's not too bad a language if you are careful but it would be nice to have some choose when working with webpages.While at first it will be all JS they plan to expand WebAssembly to other languages [] which could be compiled to the bytecode. Hurrah!
  • by Guspaz ( 556486 ) on Thursday June 18, 2015 @06:37PM (#49940335)

    This is literally various similar projects (PNaCL, asm.js, etc) being merged into one industry-wide project. And by literally I mean the PNaCL and asm.js teams are working on WebAssembly.

  • by drolli ( 522659 ) on Thursday June 18, 2015 @06:41PM (#49940375) Journal

    Probably some legal bullshit, but I think the effort could be better spent in making the JVM attractive and safe for the web...

    • No thanks. Why jump through hoops for direct memory access on a JVM when one can just embed the JVM on top of WebAssembly?
  • Anything which tries to run a "binary" or bytecode in the browser is going to be vulnerable to sandboxing issues. It doesn't matter who writes it, it doesn't matter how it's "designed" or "architected", there will be vulnerabilities. Hopefully there is a better and more efficient patching process than there was for the much-hated Java sandbox, but no one should fool themselves that this is a "secure" approach for web applications.

    • by Anonymous Coward

      You don't seem to realise that this doesn't add anything which isn't already possible with JavaScript. Downloading bytecode (as with Java) versus downloading source code then compiling it to bytecode (as with JavaScript) makes no difference to security. It's what that bytecode can do which matters.

      Java's problem wasn't the addition of an interpreter. Java's problem was the addition of a ton of extra native functions which could be invoked from that interpreter.

      This effort doesn't have that problem because t

      • by msobkow ( 48369 )

        Yeah, and because the functionality is actually needed, with JavaScript you get a bunch of downloaded "extensions" that may or may not have vulnerabilities of their own, or roll your own code, which is even more likely to have bugs.

        People keep re-inventing the wheel and insisting that their "new" invention isn't vulnerable to the same problems as those of the past. After 35 years of programming, it is just sickening to see the same arrogance from generation after generation of programmers.

      • But one set of injected code works everywhere with this. Not so with JavaScript.

  • by Anonymous Coward

    One of the nice things of the web is that teens learning there little way about computers can look at the JavaScript source code and often figure out how some little trick is accomplished and from there gain insight in how programming works and inspiration for new tricks. Much the same as when we were punching in lines of BASIC from a magazine into a computer that didn't support much beyond 40x25 green & white characters.
    I think this change would result in a lot of JavaScript being replaced with essenti

  • We are slowly moving towards this nightmare ...

    https://www.destroyallsoftware... []

  • It boils down to "why not pre-compile entire websites into binary packages per-page? It would make it much faster and more efficient for the browser to load it..." []
    • It boils down to "why not pre-compile entire websites into binary packages per-page? It would make it much faster and more efficient for the browser to load it..." []

      Or we could write programs, compile them and let users run them on their computer.

  • Its about 1 billion times better than minified js.

  • by Millennium ( 2451 ) on Friday June 19, 2015 @11:08AM (#49945459)

    "Efficient downloading" is a nonissue. Existing compression, concatenation, and minification techniques yield file sizes that a binary format will have a great deal of trouble beating at all, and even when it does, the savings will be no more than a few bytes at best.

    "Efficient parsing" is a nonissue. This has been true for decades. Browsers simply do not spend enough time parsing JavaScript for it to ever become an issue. This is sorely misguided premature optimization at best.

    "Language choice" is a nonissue. Emscripten and its kin have already solved the problem of compiling other languages to JavaScript. These languages will still have to be compiled to the bytecode, and gain no benefit from doing so.

    "High performance" is a nonissue. This is what asm.js is for, and indeed, the existing polyfill uses asm.js to achieve its performance gains. This is a newer solution than those for the previous problems, but either way, the problem is solved.

    "A standard runtime specification" is a nonissue. We already have one of those. It's called ECMAScript.

    There is no point to this. All it does is comply with buzzwords and kowtow to JavaScript-haters. And make closed-source Web applications that much closer to feasible, I guess, but no one would consider that a benefit, right?

  • If by bytecode you mean 8-bit instructions for a stack machine, such as Python and the JVM use, then WebAssembly is NOT NOT NOT a bytecode. In fact, it is a concise binary encoding of a program in AST form. The team are working on a polyfill for existing browsers which will translate the AST into Javascript for execution. Future browsers will be able to JIT-compile the WebAssembly in much the same way as they JIT-compile asm.js or its equivalent.

    Basically, WebAssembly is a distributed compiler infrastructur

  • Great... Just what we need... Another virtual machine for hackers to attack...

  • While the advantages are significant, let's not forget about the disadvantages:
    * There will be fewer browser add-ons which extend the functionality of a website, as it will be a lot harder to figure out how the code works.
    * It will no longer be possible to inspect the JavaScript-code to see how it works and learn from it.
    * It will no longer be possible to inspect the JavaScript-code to look for security problems.
    * It will no longer be possible to inspect the JavaScript-code for abuse of your privacy.
    * It wi

  • The problem with asm.js (and now WebAssembly) is it targets C++ delevopers. No one who works on the web codes in C++. The best thing they can do for adoption is to compile from a langauge that web developers already use: C#, Java, ruby, python, etc. I'd love to use something like this, but I can't expect my coworkers to learn C++ and the company to buy C++ tooling.

Remember to say hello to your bank teller.