back to article WebAssembly: Finally something everyone agrees on – websites running C/C++ code

Google, Microsoft, and Mozilla on Monday announced preview versions of WebAssembly, a low-level safe binary format designed to allow C/C++ code to run in web browsers. Once WebAssembly, or wasm, matures and appears in browsers, it will allow developers to create native applications, and web applications with native code …

Page:

  1. Doctor Syntax Silver badge

    "Google, Microsoft, and Mozilla on Monday announced preview versions of WebAssembly, a low-level safe binary format designed to allow C/C++ code to run in web browsers."

    Safe? We'll see.

    1. Anonymous Coward
      Anonymous Coward

      Seem to remember similar claims about Java applets as well long ago. Sure it will be different this time. That said I am sure the hipster web "developers" will make enabling it near mandatory for my banking site in no time. All about the sizzle attack surface be damned.

      1. Anonymous Coward
        Anonymous Coward

        Bye bye hipster devs

        "That said I am sure the hipster web "developers" will make enabling it near mandatory for my banking site in no time"

        I should imagine that most hipter developers will have spilt their frothy frapuchinos after reading the article due to the sudden realisation that in the future they might have to learn and code in a grown up programming language. Or more likely - be out of job as functional expectations rise, to be replaced by professional coders who have a clue and don't consider amending machine generated javascript and CSS stylesheets to be programming.

      2. Doctor Syntax Silver badge

        "Sure it will be different this time."

        It always is.

      3. BillG
        Joke

        Those backing WebAssembly claim the technology runs ~20x faster than JavaScript

        Really? My grandmother is ~20x faster than JavaScript!

    2. PNGuinn
      FAIL

      Safe?

      Why would you need C/C++ to make a website safe?

      So all the 3rd party malvertising sites can run their malware more quickly in the browser?

      Yeah, progress at last. Sounds safe enough to me.

      You'll have Norton running natively in the browser next. Oh well, at least that'll speed things up a bit.

      I'll put it another way - laxatives for browsers. KEEP AWAY FROM THE FAN.

      1. bazza Silver badge

        Re: Safe?

        @PNGuin,

        "Why would you need C/C++ to make a website safe?"

        Wrong way round. C/C++ (or indeed anything else that can be compiled down to a WASM) can be run in the browser safely, everywhere, probably. The emphasis is on the "dangerous" language being available to a programmer but being fully constrained by the sandboxed Javascript engine that actually runs the WASM.

        "So all the 3rd party malvertising sites can run their malware more quickly in the browser? Yeah, progress at last. Sounds safe enough to me."

        Quicker, yes. AFAIK the safety of a WASM is vested in the safety the Javascript engine's sandbox. The C/C++ can't do anything that the sandbox won't let Javascript do. So it's neutral, security wise.

        "You'll have Norton running natively in the browser next. Oh well, at least that'll speed things up a bit."

        There's already been proof of concept HTML5 viruses that reside solely in the web browser. Web browsers are simply yet another execution environment, and will / are going through the same phases of bug discovery and fixes as, say, an OS. The more features that get added to that execution environment the worse it'll get. The more such features are used, the less relevant the sandboxing becomes; the sandbox merely prevents web code from interacting with the host OS in certain ways, but that's less relevant if the place malware wants to run is actually in the web browser's own execution environment itself, inside the sandbox.

        There's plenty of opportunity for the web browser to use different tricks to ensure one website cannot interact with another's data (e.g. encryption of persistent data, which is in fact what they do), and this will make it considerably harder for malware to succeed. However, if it gets out of hand then there may have to be things like Norton inside browsers. Eeek! On the irony scales, that'd be a full set of tens.

        Like many others posting, I'm thinking "oh no here we go again". They're talking about supporting garbage collected languages like Java, C#, god knows what else. If this isn't history repeating then I don't know what that phrase is for. If the end result is indistinguishable from a Java browser plug-in done properly (i.e. properly sandboxed), why not just do a Java browser plug-in properly and miss out the nonsense JavaScript part?

        1. Adam 52 Silver badge

          Re: Safe?

          "If the end result is indistinguishable from a Java browser plug-in done properly (i.e. properly sandboxed), why not just do a Java browser plug-in properly and miss out the nonsense JavaScript part?"

          That would seem to be the eventual end game, and a good thing it would be too, but the initial implementations are based on the JavaScript engine - presumably because it's got all the right hooks into the browser internals.

        2. sorry, what?
          Facepalm

          Re: Safe?

          Why would you ever want to support a language that requires the application to perform its own memory management? I second bazza's point about having a Java plugin done properly instead. Of course, there is the small issue of Oracle's aggressive approach to the way Java is adopted and evolved...

          1. Loyal Commenter Silver badge

            Re: Safe?

            Why would you ever want to support a language that requires the application to perform its own memory management?

            What happens when there's a memory leak? Presumably, it has its own virtual address space inside the browser, which it would be trivial to maliciously consume. When the browser's memory runs out does it request more from the OS and expand to fill the system memory (and page file)?

          2. dajames

            Re: Safe?

            Why would you ever want to support a language that requires the application to perform its own memory management?

            Why would you ever want to support a language that has to trust that the environment within which it runs can manage its memory correctly? ... and remember that it's not just about memory.

            Memory management in C++ pretty-much looks after itself if you write the C++ competently. It's not C, we have techniques like RAII that can control object lifetimes and cleanup with no additional effort from the programmer. (I'm talking about C++ specifically, here, not about what WebAssembly may or may not support.)

            Java has garbage collection, yes, and that means that memory resources are just managed by the environment (except when they're not); but because of that Java lacks the basic functionality needed for object lifetime management (destructors that are guaranteed to be called in a timely fashion) so it's very bad at managing resources apart from memory. In many cases that doesn't matter (and Java can do a lot with finally blocks), but in some cases it does.

        3. Displacement Activity

          Re: Safe?

          @bazza - I think you may have the wrong end of the stick as well:

          @PNGuin,

          "Why would you need C/C++ to make a website safe?"

          Wrong way round. C/C++ (or indeed anything else that can be compiled down to a WASM) can be run in the browser safely, everywhere, probably. The emphasis is on the "dangerous" language being available to a programmer but being fully constrained by the sandboxed Javascript engine that actually runs the WASM.

          Disclaimer: I've only spent 10 minutes on the webassembly website, but that seems to be good enough for ElReg comments...

          Nothing to do with JavaScript. Your code compiles down to binary instructions for a stack machine. This code is then executed in what is, hopefully, a safe environment, normally in the end-user's browser, possibly by a JIT compiler, or possibly by an interpreter. Your original high-level code (C++, for example) uses standard library calls and APIs, so there's going to have to be some pretty hefty security model in the JIT compiler/whatever.

          The JavaScript angle is that there's currently only one way for the browser to get the WebAssembly code from the server, and that's with a new WebAssembly object.

          Speaking as someone who writes a lot of server-side C++, and a lot of client-side JavaScript, I have to say that this sounds great. JavaScript is an amorphous pile of byzantine sh**e, and this is potentially infinitely superior. Of course, the security model needs to be tighter, and this does smell of the hype originally surrounding Java and the JVM, so it could be a rocky road.

          1. Doctor Syntax Silver badge

            Re: Safe?

            "This code is then executed in what is, hopefully, a safe environment"

            Spot the key word in there.

            Hope springs eternal.

    3. Anonymous Coward
      Anonymous Coward

      Yeah, I'd really like to learn more about why they claim it will be 'safe'. It sounds like some type of managed code that's designed for speed. Managed code is always designed for safety, but they always overlook things and it isn't safe after all.

      1.13x slower compared to native doesn't leave much room for checking, so it sounds like the format is "assumed" to be safe. Which doesn't make ME feel safe.

      1. JDX Gold badge

        1.13x slower compared to native doesn't leave much room for checking

        Doesn't .NET allow you to completely block things like file IO and out-of-address memory stuff on a per-app basis, while still achieving the same speed.

        If you have to provide the source - or some OBJ style compiled blob - it can be inspected pre-runtime if raw system access can only be performed via library calls, no?

        1. Tom 7

          Re: 1.13x slower compared to native doesn't leave much room for checking

          But .Net is not cross platform - MS still only do a half hearted attempt for ARM.

    4. Rafael 1
      Trollface

      Google, Microsoft, Mozilla and Apple walk into a bar...

      How long until we have different APIs, components, toolkits, etc. to turn that low-level stuff into blinking ads?

  2. Len Goddard

    Apps

    So, if this is running at near native speed, can I get away from the mess of individual "apps" on my phone/tablet and get back to simply using a web-browser as nature intended?

    1. Anonymous Coward
      Anonymous Coward

      "get back to simply using a web-browser as nature intended?"

      Upvote!

      But what about those juicy Apps that make land-grabs on your phone. They'd be locked down running inside a browser... Where'd be the fun in that.... ???

    2. DropBear

      Re: Apps

      If "app" means "URL shortcut" for you, sure...

    3. Anonymous Coward
      Anonymous Coward

      Re: Apps

      No, nature never intended to run applications in something called a "browser", which was born for a very different use. It was turned into an OS wannabe by companies who tried and still tries to perform remote "processing" (also called "snooping") of user data.

      I was never happy to have re-download an application almost every time I need it, use a subpar UI compared to a native one, and send my data back and forth a remote server, especially when there's really no reason to do it.

      1. The Indomitable Gall

        Re: Apps

        " No, nature never intended to run applications in something called a "browser", which was born for a very different use. "

        I'm pretty sure nature didn't create sand just so that we could melt it down and form massive crystals that we then slice into thin sheets and bombard with focused photons in order to start firing pulses of electrons through them.

        Computers are way beyond what nature intended anyway.

        I remember a time when an operating system was considered to be a waste of resources. The Dreamcast was the first console with a proper OS, and even then, almost everything was coded for bare metal.

        A web-browser is a type of GUI, designed initially for very specific types of data and presentation. If I'm knocking together a quick program for my own use, I'll often put up with the general crappiness of Javascript so as to take advantage of HTML forms as a quick and easy GUI.

        1. Anonymous Coward
          Anonymous Coward

          Re: Apps

          The question is: why you still need an application called "browser" with an UI still designed to "browse" documents (i.e. the back and forward button, the bookmarks, history, etc.) to run another application?

          IMHO it's time to get rid of the browser and have HTML/Javascript support built-in into the OS for such kind of applications. Type an URL or click a shortcut, and the web application opens just in its window, no "browser" app in the middle. Keep on using a "browser" to read The Register.

          But believing they are "natural" application is stretching it a lot. I find an application "natural" when my interaction with it is simple, it "amalgamates" well with the OS and other applications, has an UI which is coherent with the OS and other applications, can exchange data and interoperate easily. and doesn't require constant re-learning because it changes constantly to follow the monthly fashion.

          Most web application are as natural as trying to build a computer with wood only. Sure, easy to work with, but not exactly the best approach.

  3. Anonymous Coward
    Thumb Up

    Yay! ActiveX 2016!

    Now we've finally banishing the security hell of Java and Flash, I wondered what great idea would fill the vacuum. And here we are. Just in time.

    1. Anonymous Coward
      Anonymous Coward

      Re: Yay! ActiveX 2016!

      I prefer coding in C and providing my own safety nets which have never failed me yet. There were real (as in prison) penalties if I fragged up. I'm not so sanguine about the rest of the software writers out there. If there's a way to bend/break it for some unsavory or unintended purpose, we can be assured that we'll see it Real Soon Now.

      1. Anonymous Coward
        Anonymous Coward

        Re: Yay! ActiveX 2016!

        >I prefer coding in C and providing my own safety nets which have never failed me yet

        Meanwhile corporation X takes one look at your rates and then is like I can get a whole team on a certain subcontinent for that. If they are lucky by the end some of the team members might have even made it through the C for dummies in their native language.

        1. Anonymous Coward
          Happy

          Re: Yay! ActiveX 2016!

          You are seriously undervaluing (underpaying actually) the programmers of that subcontinent in that team. I'm not at all expensive since money hasn't ever been a consideration in my case. Problems are my meat and drink being a puzzle person. It's why I've been involved in testing software for decades with often the only reward keeping a license at the end of the process. Now if someone would keep me in the computer of the month club (not even expensive ones), pay my electric bill, food, and a cheap place to stay, I'm all yours.

          Spending a career in the military, a couple of jobs for the Veterans Administration, and the like isn't going to get you the big bucks. Again, it's the puzzles/problems that were the reward. And the occasional pat on the head.

    2. bombastic bob Silver badge
      FAIL

      Re: Yay! ActiveX 2016!

      now I'll need a special plugin to BLOCK THAT SCHTUFF won't I?

      hopefully 'NoScript' will be enough. I already disable web-java for the OBVIOUS reasons, along with the flash plugin, yotta yotta.

      What the *HELL* kind of WACKY WEED are those idiots smoking in those W3C 'kumbayah' campfire (aka pass the douchie on the left hand side) sessions?

      NO. we do NOT need downloadable content to INCLUDE full-blown compiled-language code. Javascript is bad enough. JAVA was bad enough, too. FLASH is even worse. Just *NO*, ok?

      1. Anonymous Coward
        Anonymous Coward

        Re: pass the douchie on the left hand side

        Douchie? Are you sure?

      2. Poncey McPonceface
        Megaphone

        Re: Yay! ActiveX 2016!

        Q: argumentum ad hominem?

        A: *yup*

        Q: ranty and shouty?

        A: HELLS YEAH

        Q: random emphasis?

        A: *YUP*, YUP, aaand *YUP*

        Q: madey-uppy words?

        A: douchie made this reader wtf

        Q: ideological?

        A: but of course

        Ladies and gentleregs, it's gotta be Bombastic Bob! Mercifully as this is not a political post we have been spared such linguistical inventions as Hitlery and DemoRat -- I'm surprised we weren't treated to DoubleUseless3Semen or a similarly ridiculous epithet.

        1. sabroni Silver badge

          Re: it's gotta be Bombastic Bob!

          His formatting may be shit and his communication style Trumpesque but IMO he's right about this being a hideous idea.

      3. Anonymous Coward
        Anonymous Coward

        Re: Yay! ActiveX 2016!

        "What the *HELL* kind of WACKY WEED are those idiots smoking in those W3C 'kumbayah' campfire (aka pass the douchie on the left hand side) sessions?"

        W3C have the wacky backy, meanwhile the C++ committee (going by recent iterations of the language) have long since left the campfire and disappeared off into the woods to hunt for magic mushrooms and get some feedback and ideas from the local leprechauns.

  4. Alistair
    Windows

    C and C++ compiled code in da bwosah.

    computationally complex content like streaming video, video editing, games, and virtual reality at high frame rates.

    Lets just take that line right out of the PR documentation and replace it with what was meant in this case:

    Digital Rights Management tools

  5. DamienH

    So if various organisations start using this, does that make it an org-wasm?

  6. Novatone

    No, No, No, GOD NOOOOOO

    I don't want people I trust writing code in C let alone ones that I don't.

    I sure hope this is opt-in not on by default.

    Can we get a system with enforced bounds checking and other safety features, please.

    1. Anonymous Coward
      Anonymous Coward

      Re: No, etc

      I presume the near future holds a new item in NoScript options, on the Embeddings tab.

    2. Poncey McPonceface

      Re: No, No, No, GOD NOOOOOO

      > Can we get a system with enforced bounds checking and other safety features, please.

      As any language can target WebAssembly, so yeah, why not?

      Here is a discussion about Rust.

      I'm a Rubyist so I'm fascinated by the idea of Ruby on Rails being able to use Ruby on the front end, intriguing. Just as Javascript migrated to the server with Node.js we now have the possibility for every other language to migrate to the client. I wonder which language will have the first decent implementation (besides Javascript). What is the provision for multiple assembled packages on a single webpage each with its own garbage collector and other runtime shenanigans?

      1. breakfast Silver badge

        Re: No, No, No, GOD NOOOOOO

        I never understood why one would want to take a terrible language from the browser and put it on the server instead of finding a good language and putting it in the browser. Always seemed totally ass-backwards to me.

  7. Sysgod

    Hmm.

    Well, that dead language that just kept hanging around is coming back.

    Only real programmers will use it, web developers who tried to be real by using javascript frameworks will once again be put in their place.

    The text interface will go bye, bye. Only the supped up canvas with self-contained apps will be the future.

    Yep. What goes around. Welcome back windows 3d, bye html DOS.

    1. Wensleydale Cheese

      Re: Hmm.

      "Well, that dead language that just kept hanging around is coming back."

      Wot? Cobol?

      Could have fun with that.

  8. Dwarf

    Just complete the circle

    Take out the slow browser and use a native C/C++ application.

    I seem to recall that C can use network sockets right out of the box

    1. Adam 52 Silver badge

      Re: Just complete the circle

      It has access to the browser API, so in theory you get a GUI, storage layer, video decoder etc. for free.

    2. The Indomitable Gall

      Re: Just complete the circle

      Native code? For which of the various target platforms currently on the market?

      1. Dwarf

        Re: Just complete the circle

        @Gall

        Whichever ones are needed. Its called a makefile and cross-compilation.

        This is how we used to do things before someone tried to make a one-size fits all platform called a browser - then tried to make it the solution to everything and spent the next decade or so making it work properly - which is why we've had Active-X, Java, Flash, SVG, Desktop views, mobile views, lousy application security (or no security), HTML5, etc.

        Performance issues still remain, so they are bringing in the big guns again.

        Looking at it from the other perspective. with a proper client side application, you can compile for the specifics of each platform, optimise as necessary to get best performance, utilise hardware offload, comply with local UI requirements, so it feels right for the user, etc. Its all been done before *

        This is nothing new - your map app on the phone is probably a local app, as is your mail app, even your browser is local.

        * We can reliably state it will all be done again when they go round the loop next time in about 20 years time.

  9. The Vociferous Time Waster

    Urgh

    So long as I can turn it off...

  10. Robert Grant

    The App Killer?

    I know it's not that simple, but it'd be nice to have more websites and fewer stupid walled-garden apps.

  11. HmmmYes

    Can't we just put LUA in the browser and sort out a competent DOM definition?

  12. buserror

    Not a webhead but...

    Seems to be most of the time is wasted in frameworks and DOM thingies on most webpages, very few pages try to 'compress video on the fly' or other smoke-induced ideas they just came up with.

    The cycle will be as follow:

    + Webassembly thingy is here, rejoince! Fastness the world over!

    + Wait, why have our BROWSER code in normal code, wouldn't it make more sense to have it in Webassembly so the base browser is SO simple to maintain and all the rest is webassembly?

    + Ok we've done that, now our browser is a real fat(tter) dog, WHAT CAN WE DO?!?!

    + *I know* ditch all the webassembly thing, we'll rewrite the core in plain C/C++ and life will be GOOD!

    Seen that before? Remember mozilla (all *javascript* man, it's going to be sooo cool and.. and cool!11!) and then... firefox.

  13. Neil Alexander

    Never will understand this constant desire by developers to make applications as web pages instead of applications as applications. The user experience delivered by web applications usually sucks.

    1. Whitter

      ... applications as web pages instead of applications as applications ...

      The main reason is to reduce the reliance on the OS.

      The main cost is the reliance on "current" browsers, who may pull the rug-out at any time without warning which leads to the still-existent IE6 stuff still hanging around.

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like