This paper describes a recent alternative, supported by all of the major browser companies -- in fact, this paper's authors are from Apple, Google, Mozilla, and Microsoft -- that promises fast and safe browser-side code execution: WebAssembly. It is a binary code standard for a virtual machine intended to be embedded in a browser, as well as an accompanying "assembly-like" language specification. It is primarily intended as a compilation target for other languages, and promises safe, fast, platform-independent code that is easy to decode, validate and compile.
The effort seems promising: by designing the language
with formal semantics, the creators have
achieved a clean design that is easy to reason about. By
including structured control flow concepts in their VM, they
have designed out many common errors, such as branching into
the middle of a multi-byte instruction. The authors note that
"By design, unstructured and irreducible control flow using
goto is impossible in WebAssembly," a choice
that should surely help make the VM easier to debug and secure.
Code fetched over the Web, is, in WebAssembly, validated
by an "embarrassingly simple" type checking system.
Quite importantly for its initial acceptance, WebAssembly code
This paper is a thorough and rigorous, if dense, introduction to what could be a break-through in browser-side coding for the web. (The authors note that WebAssembly is not restricted to running inside a browser, so other uses of it may develop as well.) Only time will tell if this ambitious project will succceed, but for anyone engaged in web development, it is certainly worth tracking.