WebAssembly

WebAssembly (Wasm) defines a portable binary-code format and a corresponding text format for executable programs as well as software interfaces for facilitating interactions between such programs and their host environment.

The main goal of WebAssembly is to enable high-performance applications on web pages, "but it does not make any Web-specific assumptions or provide Web-specific features, so it can be employed in other environments as well." It is an open standard and aims to support any language on any operating system, and in practice all of the most popular languages already have at least some level of support.

Announced in 2015 and first released in March 2017, WebAssembly became a World Wide Web Consortium recommendation on 5 December 2019  and it received the Programming Languages Software Award from ACM SIGPLAN in 2021. The World Wide Web Consortium (W3C) maintains the standard with contributions from Mozilla, Microsoft, Google, Apple, Fastly, Intel, and Red Hat.

History
WebAssembly is named to evoke the concept of assembly language, a term which dates to the 1950s. The name suggests bringing assembly-like programming to the Web, where it will be executed client-side — by the website-user's computer via the user's web browser. To accomplish this, WebAssembly must be much more hardware-independent than a true assembly language.

WebAssembly was first announced in 2015, and the first demonstration was executing Unity's Angry Bots in Firefox, Google Chrome, and Microsoft Edge. The precursor technologies were asm.js from Mozilla and Google Native Client, and the initial implementation was based on the feature set of asm.js. The asm.js technology already provides near-native code execution speeds and can be considered a viable alternative for browsers that do not support WebAssembly or have it disabled for security reasons.

In March 2017, the design of the minimum viable product (MVP) was declared to be finished and the preview phase ended. In late September 2017, Safari 11 was released with support. In February 2018, the WebAssembly Working Group published three public working drafts for the Core Specification, JavaScript Interface, and Web API.

In June 2019, Chrome 75 was released with WebAssembly threads enabled by default.

WebAssembly 2.0 is in draft status, which adds many SIMD-related instructions and a new v128 datatype, the ability for functions to return multiple values, and mass memory initialize/copy.

Implementations
While WebAssembly was initially designed to enable near-native code execution speed in the web browser, it has been considered valuable outside of such, in more generalized contexts. Since WebAssembly's runtime environments (RE) are low-level virtual stack machines (akin to JVM or Flash VM) that can be embedded into host applications, some of them have found a way to standalone runtime environments like and. WebAssembly runtime environments are embedded in application servers to host "server-side" WebAssembly applications and in other applications to support plug-in-based software extension architectures, e.g., "WebAssembly for Proxies" (proxy-wasm) which specifies a WebAssembly-based ABI for extending proxy servers.

Web browsers
In November 2017, Mozilla declared support "in all major browsers", after WebAssembly was enabled by default in Edge 16. The support includes mobile web browsers for iOS and Android. 99% of tracked web browsers support WebAssembly (version 1.0), which is more than for its predecessor asm.js, that is not supported by e.g. Safari web browser. For some extensions, from the 2.0 draft standard, support may be lower, but still more than 90% of web browsers may already support, e.g. for reference types extension.

Compilers
WebAssembly implementations usually use either ahead-of-time (AOT) or just-in-time (JIT) compilation, but may also use an interpreter. While the first implementations have landed in web browsers, there are also non-browser implementations for general-purpose use, including Wasmer, Wasmtime or WAMR, wasm3, WAVM, and many others.

Because WebAssembly executables are precompiled, it is possible to use a variety of programming languages to make them. This is achieved either through direct compilation to Wasm, or through implementation of the corresponding virtual machines in Wasm. There have been around 40 programming languages reported to support Wasm as a compilation target.

Emscripten compiles C and C++ to Wasm using the Binaryen and LLVM as backend. The Emscripten SDK can compile any LLVM-supported languages (such as C, C++ or Rust, among others) source code into a binary file which runs in the same sandbox as JavaScript code. Emscripten provides bindings for several commonly used environment interfaces like WebGL.

As of version 8, a standalone Clang can compile C and C++ to Wasm. Its initial aim was to support compilation from C and C++, though support for other source languages such as Rust, .NET languages and AssemblyScript (TypeScript-like) is also emerging.

After the MVP release, WebAssembly added support for multithreading and garbage collection which enabled compilation for garbage-collected programming languages like C# (supported via Blazor), F# (supported via Bolero with help of Blazor), Python, and even JavaScript where the browser's just-in-time compilation speed is considered too slow.

A number of other languages have some support including Python, Julia,   and Ruby.

A number of systems can compile Java and other bytecode languages to JavaScript and WebAssembly. These include CheerpJ, JWebAssembly and TeaVM. These all take Java byte code .class files as input allowing other JVM languages like Groovy, and Scala to be used as well. Kotlin supports WebAssembly directly.

Limitations
Web browsers do not allow WebAssembly code to directly access the Document Object Model. Wasm code must defer to JavaScript for this.

In an October 2023 survey of developers, less than half of the 303 participants were satisfied with the state of WebAssembly. A large majority cited the need for improvement in four areas: WASI, debugging support, integration with JavaScript and browser APIs, and build tooling.

For memory-intensive allocations in WebAssembly, there are "grave limitations that make many applications infeasible to be reliably deployed on mobile browsers [..] Currently allocating more than ~300MB of memory is not reliable on Chrome on Android without resorting to Chrome-specific workarounds, nor in Safari on iOS."

All major browsers allow WebAssembly if Content-Security-Policy is not specified, or if "unsafe-eval" is used, but otherwise they behave differently. Chrome requires "unsafe-eval", though a worker thread can be a workaround.

In 2022, the startup company named Zaplib summarized in a blog why they were shutting down. Their goal had been to significantly increase the performance of existing web apps by incrementally porting them to Rust/Wasm. However, porting a customer's simulator from JavaScript only yielded a 5% improvement. Regarding Figma, they stated: "upon closer inspection it seems that their use of Wasm is more due to historical accidents—wanting to build in C++ to hedge for their native app—than for critical performance needs. Figma files are processed in C++/Wasm, and this is likely a huge speedup, but most of Figma's performance magic is due to their WebGL renderer."

Security considerations
In June 2018, a security researcher presented the possibility of using WebAssembly to circumvent browser mitigations for Spectre and Meltdown security vulnerabilities once support for threads with shared memory is added. Due to this concern, WebAssembly developers put the feature on hold. However, in order to explore these future language extensions, Google Chrome added experimental support for the WebAssembly thread proposal in October 2018.

WebAssembly has been criticized for allowing greater ease of hiding the evidence for malware writers, scammers and phishing attackers; WebAssembly is present on the user's machine only in its compiled form, which "[makes malware] detection difficult". The speed and concealability of WebAssembly have led to its use in hidden crypto mining on the website visitor's device. Coinhive, a now defunct service facilitating cryptocurrency mining in website visitors' browsers, claims their "miner uses WebAssembly and runs with about 65% of the performance of a native Miner." A June 2019 study from the Technische Universität Braunschweig analyzed the usage of WebAssembly in the Alexa top 1 million websites and found the prevalent use was for malicious crypto mining, and that malware accounted for more than half of the WebAssembly-using websites studied. An April 2021 study from Universität Stuttgart found that since then crypto mining has been marginalized, falling to below 1% of all WebAssembly modules gathered from a wide range of sources, also including the Alexa top 1 million websites.

The ability to effectively obfuscate large amounts of code can also be used to bypass ad blocking and privacy tools that prevent web tracking like Privacy Badger.

As WebAssembly supports only structured control flow, it is amenable toward security verification techniques including symbolic execution. Current efforts in this direction include the Manticore symbolic execution engine.

WASI
WebAssembly System Interface (WASI) is a simple interface (ABI and API) designed by Mozilla intended to be portable to any platform. It provides POSIX-like features like file I/O constrained by capability-based security. There are also a few other proposed ABI/APIs.

WASI is influenced by CloudABI and Capsicum.

Solomon Hykes, a co-founder of Docker, wrote in 2019, "If WASM+WASI existed in 2008, we wouldn't have needed to create Docker. That's how important it is. WebAssembly on the server is the future of computing." Wasmer, out in version 1.0, provides "software containerization, we create universal binaries that work anywhere without modification, including operating systems like Linux, macOS, Windows, and web browsers. Wasm automatically sandboxes applications by default for secure execution".

Host environment
The general standard provides core specifications for JavaScript API and details on embedding.

Virtual machine
Wasm code (binary code, i.e. bytecode) is intended to be run on a portable virtual stack machine (VM). The VM is designed to be faster to parse and execute than JavaScript and to have a compact code representation. Any external functionality (like syscalls) that may be expected by Wasm binary code is not stipulated by the standard. It rather provides a way to deliver interfacing via modules by the host environment that the VM implementation runs in.

Wasm program
A Wasm program is designed to be a separate module containing collections of various Wasm-defined values and program type definitions. These are expressed in either binary or textual format (see below) that both have a common structure. Such module may provide a start function that is executed upon instantiation of a wasm binary.

Instruction set
The core standard for the binary format of a Wasm program defines an instruction set architecture (ISA) consisting of specific binary encodings of types of operations which are executed by the VM (without specifying how exactly they must be executed). The list of instructions includes standard memory load/store instructions, numeric, parametric, control of flow instruction types and Wasm-specific variable instructions.

The number of opcodes used in the original standard (MVP) was a bit fewer than 200 of the 256 possible opcodes. Subsequent versions of WebAssembly pushed the number of opcodes a bit over 200. The WebAssembly SIMD proposal (for parallel processing) introduces an alternate opcode prefix (0xfd) for 128-bit SIMD. The concatenation of the SIMD prefix, plus an opcode that is valid after the SIMD prefix, forms a SIMD opcode. The SIMD opcodes bring an additional 236 instructions for the "minimum viable product" (MVP) SIMD capability (for a total of around 436 instructions). Those instructions, the "finalized opcodes" are enabled by default across Google's V8 (in Google Chrome), the SpiderMonkey engine in Mozilla Firefox, and the JavaScriptCore engine in Apple's Safari and there are also some additional proposal for instructions for later "post SIMD MVP", and there's also a separate "relaxed-simd" proposal on the table.

These SIMD opcodes are also portable and translate to native instruction sets like x64 and ARM. In contrast, neither Java's JVM nor CIL support SIMD, at their opcode level, i.e. in the standard; both do have some parallel APIs which provide SIMD speedup. There is an extension for Java adding intrinsics for x64 SIMD, that isn't portable, i.e. not usable on ARM or smartphones. Smartphones can support SIMD by calling assembly code with SIMD, and C# has similar support.

Code representation
In March 2017, the WebAssembly Community Group reached consensus on the initial (MVP) binary format, JavaScript API, and reference interpreter. It defines a WebAssembly binary format (.wasm), which is not designed to be used by humans, as well as a human-readable WebAssembly text format (.wat) that resembles a cross between S-expressions and traditional assembly languages.

The table below shows an example of a factorial function written in C and its corresponding WebAssembly code after compilation, shown both in .wat text format (a human-readable textual representation of WebAssembly) and in .wasm binary format (the raw bytecode, expressed below in hexadecimal), that is executed by a Web browser or run-time environment that supports WebAssembly.

All integer constants are encoded using a space-efficient, variable-length LEB128 encoding.

The WebAssembly text format is more canonically written in a folded format using S-expressions. For instructions and expressions, this format is purely syntactic sugar and has no behavioral differences with the linear format. Through wasm2wat, the code above decompiles to:

Note that a module is implicitly generated by the compiler. The function is actually referenced by an entry of the type table in the binary, hence a type section and the type emitted by the decompiler. The compiler and decompiler can be accessed online.