WebAssembly: An Attempt To Give the Web Its Own Bytecode 126
New submitter Josiah Daniels writes with this kernel from a much more detailed article at Ars Technica about what already looks like a very important initiative: WebAssembly is a new project being worked on by people from Mozilla, Microsoft, Google, and Apple, to produce a bytecode for the Web. WebAssembly, or wasm for short, is intended to be a portable bytecode that will be efficient for browsers to download and load, providing a more efficient target for compilers than plain JavaScript or even asm.js
Too slow (Score:2)
my submission here [slashdot.org]
Re:Too slow (Score:5, Funny)
If you'd submitted it in some sort of compressed, machine readable format, it would have been faster.
Hmmm (Score:1)
Re: (Score:2)
You mean 1970s?
The more the web evolves, the more it looks like TeX and DVI and Metafont but with video.
Guys, you're losing it (Score:3, Insightful)
The web is hardly usable anymore. Even the simplest web sites are slow as molasses, thanks to heaps of "active" content alongside the actual information. Now you're going to bestow your own runtime on us? Now that we've finally ditched Java and Flash?
Re: (Score:1)
Of course, there are the security aspects as well. We already have been down this road with Java (which did have a lot of promise, especially with HotJava as an example of a browser written in the language, and prototype CPUs that could execute Java bytecode natively.) However, it fell apart, and now, code running on the same JVM on a Mac may just completely fail on Windows, and the other way around. Then, there is finding the right JVM.
Of course, there will be updates. A bytecode language is never fini
Re:Guys, you're losing it (Score:5, Informative)
You're confused about Java
The byte code is compatible.
Code compiled in the first ever Java compiler will run on the latest JVM. There have been a few additions to the byte codes, so it doesn't always work the other way.
If you really want your new code to work in old JVM's all you need to do is set the compiler compliance level.
You don't need to down-grade a JVM for it to correctly interpret byte code from an old compiler.
The compatibility problems come with changes to the run-time libraries. Byte code has nothing to do with that. Compiling from source won't fix it.
Re:Guys, you're losing it (Score:4, Informative)
This is mostly true, but it is worth expanding as there are a lot of misconceptions about this. Java bytecode contains the JVM version it was compiled against, and later JVMs will run it just fine, even if it will no longer compile. I remember when Java added the enum keyword, and all our applications ran fine on the new JVM, even though it wouldn't compile without changes (one of our programmers used enum as the standard variable name for Enumerators). Overall, I've been very impressed with Java's cross platform and version compatibility, but I have found three causes of compatibility problems that are worth knowing about.
First, you cannot rely on non-standard libraries such as the com.sun packages. These aren't guaranteed to exist from one version of Java to the next. They aren't even guaranteed to work the same between minor Java versions. If you limit yourself to the standard libraries, you are safe. Be advised that deprecated methods may be removed in the future, though none have been removed so far.
Second, some programmers explicitly version check the JVM. This is usually for compliance issues, as some organizations feel that code should never run against a JVM that it hasn't been formally verified against. I have also seen this done because code was written to a known bug and some idiot thought it would be better to ensure that the underlying JVM always had the bug rather than work with both bugged and unbugged JVMs. Whatever your reasons, I consider this to be a bad practice, as you won't get security fixes from updated JVMs.
Third, while bytecode should always be forward compatible (barring bugs in the Java library), if you use native code you should be aware that JNI libraries are not guaranteed to work across major JVM versions. JNI libraries must be recompiled to work on newer JVMs.
There may be other sources of compatibility problems, but these are the only that I've run across them in my 15 years maintaining several million lines of Java code.
Re: (Score:2)
Java byte code contains no version.
You've confused it with Class versions.
Re: (Score:3)
You can get the version of the compiler used to compile a class file (which contains the bytecode) using "javap -verbose MyClass.class". A major and minor version will be at the top. For what it is worth, Java 7 uses major version 51.
Re: (Score:2)
Yes, that's the class file format.
It's not the version of the compiler, it's the class version. A Java 8 compiler can create classes with versions 47 through 52.
You can set that with the -target option of javac
Re: (Score:2)
I believe that some of the details in jni.h changed from 1.3 to 1.4. Perhaps a change to how JNIEnv was defined? A quick Google shows that the JNI version did in fact change then, but every page describes launching a JVM from within C/C++ code (which does use the JNI version information).
It is possible that my memory could be faulty (it was a long time ago after all) and that the problem was with launching a JVM from native code. Either way, my point stands. It is possible (however unlikely) to upgrade
Re: (Score:3)
A bytecode format is easy to maintain backward compatibility with, and because it's bytecode, not native code, it's fairly easy to enforce proper sandboxing at a pretty low level. It could be argued that this is actually what JavaScript and the security disaster that is the Java plugin should have been from the beginning.
Like with the .NET CLR (Common Language Runtime), you can actually use just about any language you want to that's designed to compile down to this common runtime (or in this case bytecode
Re: (Score:2)
Java bytecode should always be compatible across platforms, and they have done a good job of keeping that true. There may be rare cases of compatibility issues but I haven't heard of them.
Native code is another matter entirely. That will fail if you move to a different architecture, as could happen if you moved from an old PowerPC Mac to a newer Mac or an x86 system, or when you try to move Java code to a system with an ARM processor. And the libraries have not been as good about maintaining backward compat
Re: (Score:2)
Somehow you're under the impression that JavaScript doesn't already run in its own virtual machine and simplifying the compilation process that already happens would somehow make things slower.
Multiple platforms (Score:2)
In the end you'll wonder why you don't just download the EXE.
Because you can't easily run an EXE on anything but an x86 PC running Windows, or in some cases an x86 PC running Wine.
Re: (Score:1)
That has nothing to do with anything.
Crappy websites are slow because they use bullshit like jQuery and 10 other libraries and don't take the time to remove stuff they don't need.
They have 50 different kinds of scripts all loading their own instances after pages load.
They have scripts doing constant DOM updates instead of doing it all in memory, then writing to DOM once.
They have timers running at zero speed, aka, as fast as the browser is allocating timeslices to the page, making the page lag like dicks.
EN
Re: (Score:2)
It would nice to have a utility that would identify javascript's unused variables and uncalled functions; other than the generic line delete.
Re: (Score:2)
Now that we've finally ditched Java and Flash?
They have? It's official? Yay!! Hey code monkeys and desk bunnies - get me a case of beer and take the rest of the day off. It's party time - tell the clients we're compiling all day.
Re: (Score:3)
The web is hardly usable anymore. Even the simplest web sites are slow as molasses, thanks to heaps of "active" content alongside the actual information. Now you're going to bestow your own runtime on us? Now that we've finally ditched Java and Flash?
JavaScript and the DOM is a runtime that has replaced Java applets (almost completely) and Flash (mostly). There's room for improvement in performance.The problem with asm.js is that it's a Mozilla thing, even though asm.js runs quite well on Chrome. The problem with Dart is that it's a Google thing, even though it can be transpiled to JavaScript.
WebAssembly has all four of the key players involved (Mozilla, Google, Apple, Microsoft). Maybe, just maybe, we'll be able to write code in a language that suits
WTF with the new comment links? (Score:2, Interesting)
Why did /. ruin their layout by moving comment counts into the headlines? Sometimes the counts do not display at all. Is Dice outsourcing design to Retardistan?
Re: (Score:2, Funny)
Completely unnecessary (Score:2)
Re: (Score:2)
"The Cloud" needs this. Microsoft for example has used asm.js inside their office online product.
Great, another attack vector (Score:1)
Just what we need, another browser executable language to aid in drive-by malware. And i'll bet it'll be the kind to execute without prompts too. Activex mark 2 perhaps?
Re: (Score:2)
byte code is not executable. From a security perspective, its not any different than source code.
Re: (Score:3)
asm.js already exists, and already runs in your browser, and is not the cause of any known security issues. This is just a different packaging for the exact same thing.
Makes Perfect Sense (Score:5, Insightful)
This is ultimately where the browsers need to go. Many have tried in the past, but always from some side angle assuming that it had to be through a plugin or had to use Javascript as the underlying byte code, e.g. GWT. This could finally allow a wide array of languages to be used to build web applications, similar to the explosion of languages that now run on a JVM.
Re: (Score:3)
Re: (Score:2)
Sure there will be sandboxes, but they have bugs and errors too.
Re:Makes Perfect Sense (Score:5, Interesting)
No. We need to completely abandon this aspect of the browser. Desktop applications are far, far better and their toolkits are far better. What we need is excellent sandboxes so you can download any program and run it without fear of destroying your system. Doing everything as web apps only makes the installation process easier. It makes everything else harder. Instead of trying to make everything else easier, we should be making the single task of installation easier and safer.
Everything the web is doing already exists in 'real' applications, they're just reinventing everything badly in an attempt to get around HTML shortcomings. The easy solution is to drop back to real applications running with similar restrictions as web pages have. We used to have that but the sandboxes had too many holes. Please just make better sandboxes instead of turning everyone's browser into more of an OS.
Re: (Score:1)
The problem is just that PC security is fucking ridiculous. No one should be forced to choose between giving any application they run the ability to do anything they themselves can do on the computer, or simply not running the application at all. What the hell is the point of having a computer if you're not going to run software on it? It's useless without software, and so the fact that our computers can't safely run software is insane.
There's no reason that kids shouldn't be able to download any applica
Re: (Score:2)
The only applications that require access to any random file they care to access are file browsers and archive utilities, but those come with the OS. No software that the user installs should be able to do that.
"Nobody needs a specialized file browser. Nobody needs a specialized archive utility." I disagree. But those could still be worked into your security paradigm by prompting the user to select his home directory in File > Open and File > Save when the application is installed.
Re: (Score:2)
You're forgetting the big advantage of web apps: they are cross-platform. Also, they are not only zero-install, but they can also be continuously updated on the server without needing auto-updaters or patching on users' machines.
Platforms other than yours (Score:2)
I only use one platform. Apps should tailor themselves to my one platform
Now watch as the majority of app developers tailor their apps to platforms other than yours.
[To continue reading this comment, install Conglomo Reader. Available exclusively for Xubuntu.]
Re: (Score:2)
While I agree with your overall vision this hypothetical sandbox would benefit greatly for being inside the browser itself because browsers are crossplatform.
Java (Score:2)
Have you run a Java applet lately? Or maybe you'd prefer Silver-light?
I think Adobe had something called Flash that's pretty popular too..
Back to the future .. (Score:5, Insightful)
Re: (Score:2)
Re: (Score:2)
I have my doubts.
Re: (Score:2)
But I don't want to have to opt out of Yahoo! on each security update [slashdot.org].
The Web needs a lot of things (Score:4, Insightful)
I've been saying this for twenty years.
Java tried to be this, and unfortunately came close enough to remove the incentive to improve but not quite good enough to really accomplish the goal.
Everything on the web is ultimately a crude hack on top of HTML, which is why there are new development and deployment frameworks constantly being created, because no-one has come up with something good.
Re:The Web needs a lot of things (Score:5, Informative)
I have also been saying this for years.
It's nice that HTML and CSS were accessible to the masses, and without their simplicity, we could never have reached the level of adoption we now have. See the argument over the MEDIA vs. IMG tag from way back for a good example of that. However, now, that additive simplicity is holding us back.
What we need is a language with flow control, variables, functions, templating, the whole 9 yards. Not just on top of HTML & CSS, but as part of it. So we can dynamically change the size of page elements based on other page elements (think layout managers) without making incredibly complex and highly specific css for a variety of media screen sizes. Common features like centering a dialog box or a three-column display with header and footer sections shouldn't be a hack you need to ferret out, that may behave badly with long or short pages. It'd be nice to explicitly link action management with page elements and avoid much of the code required to identify actors and route events. Heck, some sort of built in asynchronous request mechanism might be nice, rather than having to write custom javascript each time.
What we don't need is another life support extension to a markup language.
Re: (Score:1)
"What we need is a language with flow control, variables, functions, templating, the whole 9 yards."
Fuck you! I don't want to have to run such complex code off off the internet where i have no control over it at all.
Your idea will fuck up the internet. Seriously.
Just look at the shit that is possible with the current limited set op external commands that people run daily off off the net. Now imagine this problem growing exponentially. For one, your idea would not survive a day without a proper virus scanner
Too late. (Score:1)
Your idea will fuck up the internet. Seriously.
The internet is already fucked up. Seriously.
After reading all the comments in this discussion, it's clear to me that nobody here has the final word on this subject.
A few have posted their ideas which approach the truth, and are being blasted for it. I love it. Makes me sleep a thousand times easier at night.
Not going to explain to you why you're wrong. I can guarantee you'll figure it out eventually; when the right product hits the market.
Re: (Score:2)
This is not anything we're not already doing, the difference is that right now it's incredibly difficult to do well, and the result is an intractable mess. Markup - and CSS is just an externalized form of markup - lacks any real power. It's simplistic, which makes it approachable, but not very flexible or adaptive. In order to achieve even simple goals, we're using fairly complex and increasingly obscured and inflexible markup. When that fails, we turn to javascript to provide liquid layouts that work,
Re:The Web needs a lot of things (Score:5, Insightful)
Have you tried the latest framework, Vanilla JS [vanilla-js.com]? It's faster and more efficient than any other framework.
Re: (Score:2)
Re: (Score:2)
Here's a FAQ for slashdotters (Score:5, Informative)
With the removal of binary plugins in Chrome and Edge (and soon to happen on Firefox), a way to code at native performance in the browser is still needed. Mainly to run high performance games, audio software, etc. You may not want it, but a lot of people consumes this content so there is a large industry behind it.
2) Why not asm.js?
This is almost the same as asm.js, except it's precompiled, so it' s more efficient for Javascript engines to JIT or AOT. Currently, compiling large asm.js codebases results in a large download and resource intensive compilation.
3) How is this different from Java, Flash, Silverlight?
It is different because:
A) It' s a w3c standarized effort
B) All the big players are behind it (Google, Mozilla, Microsoft and Apple)
C) It relies on the browser security model, it does not bypass it
D) It' s a low-level bytecode, more so than AS3, JVM or Silverlight, so it can run any language.
E) It runs in the same "space" as the DOM, it's not a separate/embeeded app.
4) Isn' t this unsafe or a new attack vector?
No, it relies on the same browser security model as Javascript, so It's as dangerous as having Javascript enabled. Read up on how PNACL works for material on why this is not unsafe.
5) Will it replace Javascript?
It is not intended to, but it gives developers the same API with the ability of writing in any language, even C++, so developing a website using tools such as Qt will become possible (efficiently at least).
Re: (Score:3)
A) It' s a w3c standarized effort
Close, but still wrong [mozilla.org]
We’re pretty early into the overall process—there is no draft spec or even final formal standards body chosen, just a W3C Community Group
But it will be an open standard, thats sure.
Re: (Score:2)
Re: (Score:2)
4) Isn' t this unsafe or a new attack vector? No, it relies on the same browser security model as Javascript, so It's as dangerous as having Javascript enabled. Read up on how PNACL works for material on why this is not unsafe.
Except you're bypassing the compiler now and potentially accessing a larger portion of the sandbox attack surface than before.
Re: (Score:2)
Re: (Score:2, Interesting)
3) How is this different from Java, Flash, Silverlight?
It is different because:
A) It' s a w3c standarized effort
B) All the big players are behind it (Google, Mozilla, Microsoft and Apple)
C) It relies on the browser security model, it does not bypass it
D) It' s a low-level bytecode, more so than AS3, JVM or Silverlight, so it can run any language.
E) It runs in the same "space" as the DOM, it's not a separate/embeeded app.
In other words, it's exactly like Java but instead of being designed by a software company, it's being introduced by personal data sellers, ad designers, NSA henchmen, DRM paladins, government lobbyists and walled-garden tenders. And unlike Java, it's going to be used by every single web page and we won't be able to uninstall it. Sounds great, what could possibly go wrong.
Re: (Score:2)
In other words, it's exactly like Java
Point A: Unlike Java.
Point B: Depends on your definitions, but fairly unlike Java.
Point C: Unlike Java.
Point D: Unlike Java.
Point E: Unlike Java.
How you can be given five different ways that wasm is unlike Java and conclude that it is "exactly like Java" is not easily comprehended.
Re: (Score:3)
Point B: When Java was added to HTML, everyone and his dog (including Microsoft) thought that Java was the future and that every software in the world would have been rewritten in Java. Proof in the fact that the "Java" branding was added to Javascript in order to increase its appeal.
Point C: the sandbox for
New attack vector (Score:2)
Nice idea guys, but unless Browsers REFUSE to run code of any type (including Javascript and Java) without some kind of checksum confirmation, the whole framework will be open to man-in-the-middle malware insertion.
Re: (Score:2)
Re: (Score:2)
Because checksums can't possibly ever be hacked!
Yea something other than JS (Score:3)
Evolution of PNaCL, asm.js (Score:3)
This is literally various similar projects (PNaCL, asm.js, etc) being merged into one industry-wide project. And by literally I mean the PNaCL and asm.js teams are working on WebAssembly.
Re: (Score:3)
Everybody do most definitely not know that PNaCl is the way to go. PNaCl suffers from many difficult problems, such as being based on LLVM bitcode, which is not static, but is machine-specific and has undefined behaviour. The PNaCl team has put a huge amount of effort into working around those fundamental problems, with quite a bit of success, but it's still not in any way a very good solution.
wasm will take advantage of some of that work, it seems, but its bytecode will be more strictly defined and designe
Why not improve Java? (Score:4)
Probably some legal bullshit, but I think the effort could be better spent in making the JVM attractive and safe for the web...
Re: (Score:3)
Feh. The Java sandbox, Part II (Score:2)
Anything which tries to run a "binary" or bytecode in the browser is going to be vulnerable to sandboxing issues. It doesn't matter who writes it, it doesn't matter how it's "designed" or "architected", there will be vulnerabilities. Hopefully there is a better and more efficient patching process than there was for the much-hated Java sandbox, but no one should fool themselves that this is a "secure" approach for web applications.
Re: (Score:1)
You don't seem to realise that this doesn't add anything which isn't already possible with JavaScript. Downloading bytecode (as with Java) versus downloading source code then compiling it to bytecode (as with JavaScript) makes no difference to security. It's what that bytecode can do which matters.
Java's problem wasn't the addition of an interpreter. Java's problem was the addition of a ton of extra native functions which could be invoked from that interpreter.
This effort doesn't have that problem because t
Re: (Score:2)
Yeah, and because the functionality is actually needed, with JavaScript you get a bunch of downloaded "extensions" that may or may not have vulnerabilities of their own, or roll your own code, which is even more likely to have bugs.
People keep re-inventing the wheel and insisting that their "new" invention isn't vulnerable to the same problems as those of the past. After 35 years of programming, it is just sickening to see the same arrogance from generation after generation of programmers.
Re: (Score:2)
But one set of injected code works everywhere with this. Not so with JavaScript.
Yeah, close the web even further (Score:1)
One of the nice things of the web is that teens learning there little way about computers can look at the JavaScript source code and often figure out how some little trick is accomplished and from there gain insight in how programming works and inspiration for new tricks. Much the same as when we were punching in lines of BASIC from a magazine into a computer that didn't support much beyond 40x25 green & white characters.
I think this change would result in a lot of JavaScript being replaced with essenti
Re: (Score:2)
This will actually make asm.js code more readable than it is right now.
/Oblg. Birth & Death of Javascript ... (Score:2)
We are slowly moving towards this nightmare ...
https://www.destroyallsoftware... [destroyallsoftware.com]
So, I had a thought about this a while back (Score:1)
http://developers.slashdot.org... [slashdot.org]
Re: (Score:3)
It boils down to "why not pre-compile entire websites into binary packages per-page? It would make it much faster and more efficient for the browser to load it..."
http://developers.slashdot.org... [slashdot.org]
Or we could write programs, compile them and let users run them on their computer.
At Last (Score:2)
Its about 1 billion times better than minified js.
A solution in search of a problem (Score:3)
"Efficient downloading" is a nonissue. Existing compression, concatenation, and minification techniques yield file sizes that a binary format will have a great deal of trouble beating at all, and even when it does, the savings will be no more than a few bytes at best.
"Efficient parsing" is a nonissue. This has been true for decades. Browsers simply do not spend enough time parsing JavaScript for it to ever become an issue. This is sorely misguided premature optimization at best.
"Language choice" is a nonissue. Emscripten and its kin have already solved the problem of compiling other languages to JavaScript. These languages will still have to be compiled to the bytecode, and gain no benefit from doing so.
"High performance" is a nonissue. This is what asm.js is for, and indeed, the existing polyfill uses asm.js to achieve its performance gains. This is a newer solution than those for the previous problems, but either way, the problem is solved.
"A standard runtime specification" is a nonissue. We already have one of those. It's called ECMAScript.
There is no point to this. All it does is comply with buzzwords and kowtow to JavaScript-haters. And make closed-source Web applications that much closer to feasible, I guess, but no one would consider that a benefit, right?
Not bytecodes (Score:2)
If by bytecode you mean 8-bit instructions for a stack machine, such as Python and the JVM use, then WebAssembly is NOT NOT NOT a bytecode. In fact, it is a concise binary encoding of a program in AST form. The team are working on a polyfill for existing browsers which will translate the AST into Javascript for execution. Future browsers will be able to JIT-compile the WebAssembly in much the same way as they JIT-compile asm.js or its equivalent.
Basically, WebAssembly is a distributed compiler infrastructur
New Thing for Hackers to Attack (Score:2)
Great... Just what we need... Another virtual machine for hackers to attack...
And now the disadvantages (Score:1)
While the advantages are significant, let's not forget about the disadvantages:
* There will be fewer browser add-ons which extend the functionality of a website, as it will be a lot harder to figure out how the code works.
* It will no longer be possible to inspect the JavaScript-code to see how it works and learn from it.
* It will no longer be possible to inspect the JavaScript-code to look for security problems.
* It will no longer be possible to inspect the JavaScript-code for abuse of your privacy.
* It wi
Targets C++ again (Score:1)
The problem with asm.js (and now WebAssembly) is it targets C++ delevopers. No one who works on the web codes in C++. The best thing they can do for adoption is to compile from a langauge that web developers already use: C#, Java, ruby, python, etc. I'd love to use something like this, but I can't expect my coworkers to learn C++ and the company to buy C++ tooling.