Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Firefox Intel Red Hat Software

Mozilla, Intel, and More Form the Bytecode Alliance To Take WebAssembly Beyond Browsers (neowin.net) 91

slack_justyb writes: Mozilla has been heavily invested in WebAssembly with Firefox, and today, the organization teamed up with a few others to form the new Bytecode Alliance, which aims to create "new software foundations, building on standards such as WebAssembly and WebAssembly System Interface (WASI)." Mozilla has teamed up with Intel, Red Hat, and Fastly to found the alliance, but more members are likely to join over time. The goal of the Bytecode Alliance is to create a new runtime environment and language toolchains which are secure, efficient, and modular, while also being available on as many platforms and devices as possible. The technologies being developed by the Bytecode Alliance are based on WebAssembly and WASI, which have been seen as a potential replacement for JavaScript due to more efficient code compiling, and the expanded capabilities of being able to port C and C++ code to the web. To kick things off, the founding members have already contributed a number of open-source technologies to the Bytecode Alliance, including Wasmtime, a lightweight WebAssembly runtime; Lucet, an ahead-of-time compiler; WebAssembly Micro Runtime; and Cranelift.
This discussion has been archived. No new comments can be posted.

Mozilla, Intel, and More Form the Bytecode Alliance To Take WebAssembly Beyond Browsers

Comments Filter:
  • Original Source (Score:5, Informative)

    by Luthair ( 847766 ) on Wednesday November 13, 2019 @12:52PM (#59410568)
  • Where it belongs (Score:4, Insightful)

    by Retired ICS ( 6159680 ) on Wednesday November 13, 2019 @12:55PM (#59410580)

    Good. A movement to put WebAssembly where it belongs -- not in the browser! The Web Browser should remain a display interface and should not ever execute code from third-parties. JavaScript should be banned in the browser along with WebAssembly.

    • by jellomizer ( 103300 ) on Wednesday November 13, 2019 @01:36PM (#59410742)
      So the good old days.
      You fill out a big form of information. Hit that submit button have a full page refresh, re-render all the HTML again to tell you that you had filled out a bunch of fields wrong.
      Because we don't have any client side processing to do things like.
      Input formatting and validation.
      Running asyncronious requests to the server to get and validate information
      replacing an HTML segment with different HTML just for a notification.

      Today the Web Browser is less of graphical dumb terminal, and considered the UI layer of the nTier architectural setup.

      One can argue HTTP and HTML is a bad protocol for robust internet based applications. I myself would had preferred X11/SSH for this. But like most of this sector the winning standard isn't the best one, but good enough that has a lot of developers who can write for it.

      If Microsoft added an X11 client default in Windows 3.1 the world may be different.
      • So the good old days.
        You fill out a big form of information. Hit that submit button have a full page refresh, re-render all the HTML again to tell you that you had filled out a bunch of fields wrong.

        We could have had more of that functionality without actually running supplied code in our browsers, though. All you really need is frames/iframes, form validation, rollovers, and maybe some basic animation effects to cover the functionality of 99% of dynamic websites.

        replacing an HTML segment with different HTML just for a notification.

        That still happens. It's just mediated through javascript.

        If Microsoft added an X11 client default in Windows 3.1 the world may be different.

        You mean X server?

        • The Unix Haters Handbook explained why this technology was never adopted beyond Unixen platforms. Microsoft Research used to host a copy the book, and many of its complaints are still valid today. Had Unix addressed them with Linux, such as X11/Xorg being such a **** architecture and protocol, it might have found its way to Windows. But to be fair to Linux, Windows has its own problems if you read Raymond Chen.
        • From: raymondc@microsoft.com (Raymond Chen) Date: Wed, 29 Nov 1995 23:27:47 -0800 Subject: The great thing about standards... RFC959, the spec for FTP, says that the response to the "SYST" command must be a string whose first token is on the list of operating systems maintained by the Internet Assigned Numbers Authority (i.e., the people who are authorized to do these sorts of things). Now, one of the official "operating systems" is called WIN32, which means that "this FTP site follows WIN32 lo
        • frames and iFrames were a bad idea. And it doesn't fix the problem of form validation and text formatting.
          • frames and iFrames were a bad idea.

            Why?

            And it doesn't fix the problem of form validation and text formatting.

            Read the whole comment before replying, it'll save us both some time.

      • You fill out a big form of information. Hit that submit button have a full page refresh, re-render all the HTML again to tell you that you had filled out a bunch of fields wrong

        Yeah we had a solution to that. It was called XForms [wikipedia.org] and everyone decided to just do it in JavaScript instead. This notion that we have to have complex execution of code is ridiculous for basic validation. Hell even the Telenet TN5250 protocol had basic validation without the need for complex code execution. What JavaScript is used for today is just plain laziness on the W3 and related steering committees.

        Today the Web Browser is less of graphical dumb terminal, and considered the UI layer of the nTier architectural setup

        And even that is incorrect for today's browser. The browser has become an entire platform for code

        • by caseih ( 160668 )

          X11 needs to die.

          Oh sure I agree with you, but to date none of the replacement proposals can do everything that I rely on X11 for every day. First and foremost is individual app remoting over ssh. It boggles my mind that this sort of thing is so far down the list of priorities for those focused on Wayland. So much energy is focused on mythical "new users" that the needs of actual user base of Linux appear to often be ignored.

          • I don't think a day goes by when I don't wish for a way to pipe the display of a single program to the screen of a separate machine. WITHOUT all the kludgy nonsense of VNC and copying the whole fracking screen buffer pixel-by-pixel. X11 may have had a lot wrong with it, but this is one area in which nothing else widely available today even comes *close*. Hell, X could do it across platforms and operating systems. I'd love to be able to do that with the apps I'm using these days.
          • It boggles my mind that this sort of thing is so far down the list of priorities for those focused on Wayland

            I'm just going to clear something up here. That will never ever, ever be a priority for Wayland developers, end of story. [freedesktop.org] Implementing per app net transparency will have to be some other application that works with Wayland, but adding it to Wayland's core protocol will never happen unless some group replaces every single dev currently working on Wayland. If you are waiting to leave Xorg because of this matter, then you might as well go ahead and accept that you will never leave Xorg.

            It is also possible to put a remoting protocol into a wayland compositor, either a standalone remoting compositor or as a part of a full desktop compositor.

            And honestly I think

      • So the good old days.

        As it still ought to be, according to script haters.

        You fill out a big form of information. Hit that submit button have a full page refresh

        Cached CSS, cached fonts, cached images, new HTML document.

        Input formatting and validation.

        Since then, HTML5 introduced several new <input type="..."> values that display custom pickers, as well as <input pattern="..."> validators based on regular expressions that don't need script. See <input> on MDN [mozilla.org]. I concede that there are things I wish were in HTML5, such as <input> elements that are conditionally required based on the value of another <input> element.

    • A movement to put WebAssembly where it belongs -- not in the browser!

      You don't understand the movement at all. ... Now how people use a browser evidently.

      Please keep your anti-progress rant to the Amish forum where it belongs.

      • Just so long as your "progress" can be limited to you and your ilk, and I have the ability to turn it off. And if you subsequently cry up a storm about the bad outcome of your "progress" (such as RansomWare locking up all your files, or some other nastiness befalling you) then please keep it in your own teacup because I am not particularly interested in having to point out "I believe I told you this is exactly what the result would be and you proceeded anyway, obtaining exactly the result you intended".

        To

        • by tepples ( 727027 )

          I doubt ransomware running from a website can lock up your files except for those few files and folders that you have given that site permission to write.

  • This doesn't seem like a good idea, but I am not entirely sure what it is.
    Looking it up, I am just seeing a lot of Python.
  • Java! (Score:4, Insightful)

    by 0100010001010011 ( 652467 ) on Wednesday November 13, 2019 @01:02PM (#59410604)

    Bytecode Alliance is Java 2.0.

    Runs anywhere*!

    * Certain exclusions apply.

  • I Wish (Score:5, Insightful)

    by organgtool ( 966989 ) on Wednesday November 13, 2019 @01:07PM (#59410640)

    The technologies being developed by the Bytecode Alliance are based on WebAssembly and WASI, which have been seen as a potential replacement for JavaScript

    WebAssembly can not access the DOM so how could it possibly replace Javascript? Don't get me wrong, the thought of being able to write an single app in a native language that can run inside a browser or in the desktop environment sounds great but unfortunately this will not replace Javascript. If anything, it's yet another technology that needs to run alongside Javascript and thus props up a language that should have been killed off many years ago.

  • Like Java, but without the security and performance advantages of a sane memory model. I am not convinced.
    • You mean the advantages of only having signed integer types (as per the Go team, one of the reasons why Java implementations of some serious things run like shit in Java) and a half-baked object model that you can't replace? Among other things?
      • What do unsigned integers have to do with a memory model? Please read what a memory model is [wikipedia.org], because that was the scope of my comment.
        WRT the performance of Java, the JVM is simply put the fastest virtual machine currently available; as everything man-made, it has its defects, which we may discuss, but bad performance is not one of them.
        WRT to the "half-baked object model that you can't replace", there are many languages other than Java that are implemented on the JVM, for instance Python and JavaScript,
        • And what does a memory model have to do with the fundamental drawbacks of having a crippled language, even on a uniprocessor system where your memory model won't even matter? Shouldn't you FIRST care about getting *basic* things right before you even think of the *advanced* ones? True, Java certainly didn't.

          the JVM is simply put the fastest virtual machine currently available

          That might be debatable, given the availability of LLVM JIT features, IBM i TIMI, etc.

          Unsigned numbers were removed from the language because signed numbers are an extension of unsigned numbers, so there is no use case for unsigned numbers that cannot be satisfied by signed numbers as well

          Yes, in theory, anything can be emulated. In practice, some kinds of programs ran like complete shit so Go people lea

          • the JVM is simply put the fastest virtual machine currently available

            That might be debatable, given the availability of LLVM JIT features, IBM i TIMI, etc.

            None of those are general purpose VMs though, their bytecode is an intermediate representation for producing compiled code, which of course will be faster. You are not comparing apples to apples.

            Yes, in theory, anything can be emulated. In practice, some kinds of programs ran like complete shit so Go people learned their lesson from that mistake and included them in their language so that their programs of that kind *wouldn't* run like complete shit. And somehow they also managed to do that without making the language look like the other shitfest you mentioned called C.

            Normally CPUs perform calculations in signed arithmetic at the same speed as they do in unsigned arithmetic. The only programs whose performance will be affected by the absence of unsigned math are those which need to load and store large amounts of unsigned integers: a very specific use case, that certainly in the

            • The only programs whose performance will be affected by the absence of unsigned math are those which need to load and store large amounts of unsigned integers:

              What about needing specific sizes of data? For example, if you have a count that is
              And how does having unsigned values affect simplicity and safety/lack thereof significantly?

            • What about needing specific amounts of space for data? For example, if you need to have a value that you know will be = 255, you'd need 2 bytes instead of 1 unsigned byte, if we just have unsigned bytes. Same with needing 32 bits to store a value you know won't exceed the capacity of a unsigned 16-bit integer, needing 64 bits to store a value you know won't exceed the capacity of a unsigned 32-bit integer, and so on. So many wasted bits, when providing an unsigned integer value would give devs that flexib
              • by tepples ( 727027 )

                For example: File format encoding and decoding, including compression and decompression, is a big user of unsigned integers. And before GP says "So what if bits are wasted?", consider that these "wasted bits" add up to more data cache capacity misses, more garbage collection passes, and more swap file thrashing.

                • by swilver ( 617741 )

                  You can perfectly well write those with signed integers, as in these cases the sign doesn't even matter as compressors just push groups of bits out. Operators like shifts and logical and/or don't care about the type of integer, and for the one case that it does matter (right shift) Java has a special operator.

                  In fact, most "unsigned" stuff can be done perfectly well with signed values; only comparison operators require a bit of more thought.

                  Just because it was written in C and then literally ported does no

                  • by tepples ( 727027 )

                    In fact, most "unsigned" stuff can be done perfectly well with signed values; only comparison operators require a bit of more thought.

                    And a bit of extra CPU time to handle the abstraction inversion caused by the comparison difference. Or is the OpenJDK JVM's JIT compiler known to automatically recognize idioms to implement the unsigned comparison behavior on top of signed comparison and automatically translate those to the underlying unsigned comparison instruction for the CPU?

                    Also consider that Java was not intended for these kinds of low level manipulations (and is also rarely used as such in practice)

                    Are you trying to claim that a program "rarely" reads or writes a file in a binary format whose encoder and decoder happen not to be included in the Java SE spec? I

              • by swilver ( 617741 )

                You can still store it any way you want, just promote it when reading (which happens anyway).

                However, have you ever considered that a number like 255 or 65535 are only popular because of unsigned limits? There's very few real world cases where those "limits" make real sense, and when they do it's usually a lot closer to hardware than you'd be writing in Java.

                Also consider that signed integers are a lot less error prone, simply because the range of numbers you are usually using is a lot safer. If you eve

                • However, have you ever considered that a number like 255 or 65535 are only popular because of unsigned limits?

                  Perhaps I am just tired from a long day, but I am not sure the use of "popular" is correct, so much as these are limits in storing numeric values of an unsigned nature in their respective bit widths that cannot be achieved within said widths if we are forced to deal with one bit being spent on the sign whether we want it or not.

        • Unsigned numbers were removed from the language because signed numbers are an extension of unsigned numbers, so there is no use case for unsigned numbers that cannot be satisfied by signed numbers as well

          No use case? Isn't that a bold (and potentially dangerous (err... risky would probably be more correct)) assumption?

          • It's not an assumption, it's a statement. Signed integers are a superset of unsigned integers.
            • Signed integers are a superset of unsigned integers.

              But ⦠I wasn't talking about if it was a superset or subset but whether the assumption about use cases is one that is valid enough to warrant the lack of unsigned integers in the language.

              • Surely with a superset you can do everything that you can do with the base set? This is not an assumption, it's a fact; you can do everything with signed integers that you can do with unsigned ones. There is mathematically nothing that you lose in a language by not having support for unsigned integers. In practice, the fact that CPU registers have a finite width means that without native unsigned integers you might get a moderate performance hit if what you have to do is to process externally-provided unsig
              • The first VM did not have jit compiling.
                They simply wanted an easy to implement VM, which is not to slow. They kinda ran out of opcodes, I think the byte code uses about 240 codes, already. Strictly you would not need a different set of instructions for signed or unsigned integers, so I'm not sure why they did not include unsigned ints. However the .Net VM is using different opcodes for signed and unsigned math/bit manipulations.

                Obviously it would not have had a big impact if they had interpreter code that

        • by tepples ( 727027 )

          there is no use case for unsigned numbers that cannot be satisfied by signed numbers as well

          Except fitting into the data cache.

          - An array of values from 0 to 255 takes twice the memory if stored as an array of 16-bit signed integers compared to 8-bit unsigned integers.
          - An array of values from 0 to 65,535 takes twice the memory if stored as an array of 32-bit signed integers compared to 16-bit unsigned integers.
          - An array of values from 0 to 4,294,967,295 takes twice the memory if stored as an array of 64-bit signed integers compared to 32-bit unsigned integers.

          • E X A C T L Y.
            Maybe I've not been paying attention to the debate over this in general, but thank you for being that SEEMINGLY rare someone who actually makes this point.
          • You can store an unsigned value in the same memory area where you can store a signed value. The difference is in the handling of the bits, not in the storage. For example, the following variable assignment will work in Java and the variable's storage will take as much memory as it does in C.
            byte b = (byte) 0x83;
            • You can store an unsigned value in the same memory area where you can store a signed value.

              If the sign matters with regards to the value being positive, that value being unsigned reduces the max number of positive values that can be stored. Doesn't matter how much of an "edge" case it may be, it still has a non-zero possibility of happening. And you mentioned before part of the reason being simplicity ⦠how the hell is keeping track of casts, and where/why they are done, easier than just having an unsigned type, at least from the perspective of the person doing the coding (or mainta

              • You can store an unsigned value in the same memory area where you can store a signed value.

                If the sign matters with regards to the value being positive, that value being unsigned reduces the max number of positive values that can be stored.

                Look at my example: 0x83 is larger than 127, and still it gets stored into what is interpreted by default as a signed byte. Storing an unsigned value is not a problem, it's the interpretation of the stored value that makes a difference.

                Doesn't matter how much of an "edge" case it may be, it still has a non-zero possibility of happening.

                Why, it's the only thing that matters! Surely a language that makes the common case harder in order to better support an uncommon edge case, isn't nice?

                And you mentioned before part of the reason being simplicity ⦠how the hell is keeping track of casts, and where/why they are done, easier than just having an unsigned type, at least from the perspective of the person doing the coding (or maintaining the code)?

                You don't have to "keep track" of casts: the compiler does that for you. If you don't put them, the code will not compile, a

                • OK sorry, I got your point only after replying. You meant that without native unsigned integers, if I forget that a signed variable actually contains an unsigned value, because the type of the variable itself doesn't tell me, I can make mistakes by not treating its value for what it is. Good point.
            • by tepples ( 727027 )

              And to read the unsigned value back from a byte[], you use b[index] & 0xFF. Likewise with short[] or int[] arrays.

              But with the & 0xFF (for byte[]), & 0xFFFF (for short[]), and & 0xFFFFFFFF (for int[]) all over the place, don't those extra AND operations cause the JIT to emit a lot of extra instructions? Or is the OpenJDK JIT smart enough to apply "as if" and elide them?

        • Signed numbers are not an extension to unsigned numbers, how do you come to that retarded idea?

          The lack of unsigned numbers makes bit fiddeling a pain in the ass in Java.

    • Exactly. Java is evil, so lets replace it with arbitrary code execution. Oh, don't worry, it's sandboxed.
  • by HalAtWork ( 926717 ) on Wednesday November 13, 2019 @01:23PM (#59410708)

    If you want web pages make web pages. If you want apps make apps.

    It sounds like this could be useful in a few situations, but mainly web analytics and ads will be chewing up the CPU and that's bad.

    A lot of web sites could easily be rendered on devices with much less horsepower but we're seeing a lot of browsers get bogged down quickly with simple layouts. The culprit is all the analytics, telemetry, and ads. This will abuse your device even more.

    • Most of the sites I'm seeing can't even show a simple text page without requiring multiple javascript libraries (some exceeding 1MB).
    • Why are telemetry, analytics and ads a domain of just websites? That seems orthogonal to the application deployment, display methodology and executable method you've chosen (web vs native). I can write an ad-free website and an ad-ful application.

  • by dicobalt ( 1536225 ) on Wednesday November 13, 2019 @01:30PM (#59410726)
    This will usher in a whole new era in sophisticated malware.
    • by AReilly ( 9339 )

      It will have to be _very_ sophisticated, because (a) WASM execution environment prevents most of the existing styles of exploit by design, and (b) the _point_ of the exercise is to sandbox even sub-modules of programs into spaces so small that they can't do any harm. Capbility-based system access, assuming they can get that to work. Similar levels of sandboxing to running apps in Docker images, but at much finer grain and much lower overhead.

  • I never understood the reason for programming in the web, can't we just go back to HTML + CSS and maybe CGI? Why does everything need to be responsive (which only uses up half the screen and looks the same on every webpage) a webpage shouldn't need an API... we have screwed the web up so much we are using assembly to get speed back? What is this the early 90's? I guess efficiency is dead just keep on plastering crap on top of everything else... gah such a waste... I just don't understand it... just because
    • > I never understood the reason for programming in the web, can't we just go back to HTML + CSS and maybe CGI?

      Because people realised it was a huge pain in the ass to keep installing and updating things. Because people realised it was a huge pain in the ass to make any interaction between a website and the server hosting it synchronous.

      > Why does everything need to be responsive (which only uses up half the screen and looks the same on every webpage)

      That has nothing to do with responsiveness. Responsi

      • Yes, not being burdened with micro optimisations and dealing with various levels of abstraction just to squeeze as much as possible onto some shitty 386 machine with 16mb of ram is just such a relief.

        They don't need to be micro optimizations (you're not coding in assembler) and have you used an first gen i5 lately? With 4GiB of ram it has trouble with the web, I don't use this machine everyday as it is old for what I do, but there is zero excuse for buying a computer every 5 minutes because the modern web and it's 128 layers of non-sense, if the web was meant for programming low level not the reverse, now we need assembly (web assembly) to fix this mess, well what happens when even web assembly isn't en

    • by tepples ( 727027 )

      can't we just go back to HTML + CSS and maybe CGI?

      No. Even though HTML5 expanded the capability of <input type="..."> values, there is still no way to catch a drag action without script. The <input type="image"> element [mozilla.org] sends one (x, y) for the click position, not a sequence of coordinates forming a drag path. This makes a web-based image editor or collaborative whiteboard impractical, as the end user has to click, reload, click, reload, click, reload, click along the path.

      Why does everything need to be responsive (which only uses up half the screen and looks the same on every webpage)

      Because clients' displays vary from 3 inches wide to 20, and a 3-inch-wi

  • by MobyDisk ( 75490 ) on Wednesday November 13, 2019 @01:37PM (#59410750) Homepage

    I used to dislike the idea of sending binaries to the browser because of fear of running arbitrary code on the processor, and the concern about obfuscation. But those objections are out-of-date. The obfuscated Javascript we get is almost as bad as bytecode. And the security difference between bytecode and javascript isn't that big. We might as well gain the performance benefits at this point.

    • Re: (Score:2, Interesting)

      by rldp ( 6381096 )
      It's a mix of fake outrage from people who don't know what they're talking about - a la Twitter - and a dose of "64k should be enough for everybody!" tier nonsense from a bunch of obsolete geezers who haven't upgraded their skills since the 80s.
      • It's a mix of fake outrage from people who don't know what they're talking about - a la Twitter - and a dose of "64k should be enough for everybody!" tier nonsense from a bunch of obsolete geezers who haven't upgraded their skills since the 80s.

        I had to check to see if I was still on Slashdot because this single handedly is the most insightful thing I've ever read on this site, full stop.

    • The obfuscated Javascript we get is almost as bad as bytecode.

      Which is why the GNU project has developed an extension to block obfuscated JavaScript in the IceCat and Firefox web browsers. A browser with the LibreJS extension [gnu.org] installed will execute any nontrivial script only if the document calling the script contains a link to source code* under a license that respects some basic rights of users [gnu.org]. By definition, minified or obfuscated code is not source code.

      * GNU GPL versions 2 and 3 define a work's source code as "the preferred form of the work for making modificati

  • Webassembly (Score:3, Interesting)

    by ArhcAngel ( 247594 ) on Wednesday November 13, 2019 @01:58PM (#59410862)
    So they got rid of NPAPI because of security concerns because it had too much power and now they are going to turn Webassembly into NPAPI 2.0? What could possibly go wrong?
    • Parrot is a good place to look for evolutionary guidance; however, the history of problems with everything involves too much system/API access. Security revolves around managing access.

      The BIG objection experienced people are making is the expansion of access to this plug-in / Java Applet replacement having learned the lessons of history. It must be severely constrained with paranoid security upfront at the expense of performance or convenience.

      Frankly, I think ONLY an extremely limited bridge be allowed t

    • by LubosD ( 909058 )
      Seriously, if you're comparing WebAssembly to NPAPI, you have no idea what WebAssembly is and what it can do...
    • by AmiMoJo ( 196126 )

      They are fundamentally different things. NPAPI runs inside the browser process and thus has the same level of access to the underlying OS as the browser itself. WebAssembly runs in the same sandbox as Javascript and only has access to Javascript APIs.

  • They should hire Dan Sugalski, who probably knows the most about implementing register-based VM's these days, after spending time in the trenches with Parrot.

    The error the consortium could make now would be not architecting a vm correctly so that some languages would be hard to port, even assuming new bytecode mnemonics. Or doing something stack-based with security worries.

  • Must be bad, right?
  • CoC like?
  • by ffkom ( 3519199 ) on Wednesday November 13, 2019 @06:08PM (#59411684)
    So WebAssembly now properly represents the left lower box in this most complete explanation: https://xkcd.com/2044/ [xkcd.com]
    • by AReilly ( 9339 )

      I'd up-vote you, but I've already commented elsewhere. This comment, and the XKCD cartoon, are exactly correct, as far as I can tell.

      The tightly-constrained "nano-VM" model of module isolation has exactly the same restrictions as CSP-based parallelism, or the Actor model, compared to threads and shared data, and will very probably be about as successful. (I.e., there will be successful niches, but most code will continue to play fast-and-loose and be a security problem.)

There are two ways to write error-free programs; only the third one works.

Working...