CCS Terms: [PRIMARY] D.3 Programming Languages, D.3.2 Javascript, I.2.5 Programming Languages And Software, C.2.4 Client/Server
Web browsers have become a primary method of delivering applications both inside corporate networks and from corporations to the external customers and suppliers. Such applications require efficient and secure code. But the main language for browser-side programming, JavaScript, is neither. Various attempts to improve the situation, such as Java or NaCl, have not altogether succeeded.
This paper describes a recent alternative, supported by all of the major browser companies -- in fact, this paper's authors are from Apple, Google, Mozilla, and Microsoft -- that promises fast and safe browser-side code execution: WebAssembly. It is a binary code standard for a virtual machine intended to be embedded in a browser, as well as an accompanying "assembly-like" language specification. It is primarily intended as a compilation target for other languages, and promises safe, fast, platform-independent code that is easy to decode, validate and compile.
The effort seems promising: by designing the language
with formal semantics, the creators have
achieved a clean design that is easy to reason about. By
including structured control flow concepts in their VM, they
have designed out many common errors, such as branching into
the middle of a multi-byte instruction. The authors note that
"By design, unstructured and irreducible control flow using
goto
is impossible in WebAssembly," a choice
that should surely help make the VM easier to debug and secure.
Code fetched over the Web, is, in WebAssembly, validated
by an "embarrassingly simple" type checking system.
Quite importantly for its initial acceptance, WebAssembly code
can be called from, and can call out to, JavaScript.
This paper is a thorough and rigorous, if dense, introduction to what could be a break-through in browser-side coding for the web. (The authors note that WebAssembly is not restricted to running inside a browser, so other uses of it may develop as well.) Only time will tell if this ambitious project will succceed, but for anyone engaged in web development, it is certainly worth tracking.