WASM is in an interesting place. The value has clearly been proved with a pretty minimal core spec. Now there's a big push to implement a much larger API surface for WASI and the Component Model. A lot of people in the community are concerned about this direction, or at least the way it's happening[2].
For my part, I hope WASM doesn't go the way of the rest of web browsers where it gets so complicated that only big tech is capable of making implementations and experimenting.
[0]: https://github.com/lastlogin-net/decent-auth
[1]: https://extism.org/
[2]: https://www.assemblyscript.org/standards-objections.html
- Wasm is a (virtual) instruction format for programs to be compiled into (think: x86).
- Wasm Components are a container format and type system that wrap Core Wasm instructions into typed, hermetic binaries and libraries (think: ELF).
- WASI is a reserved namespace for a collection of standardized Wasm component interfaces (think: POSIX header files).
To reach our goal of having shared, portable binaries that aren't locked into any one vendor we need all three. A standard instruction set, standard calling convention, and standard syscalls. Wasm Components and WASI might not be necessarily be perfect, but at a minimum they're targeting the right scope. And that carries essential complexity.
Are there any forces in place to prevent the (de facto) mandatory API from becoming so complex that Google (or Fastly) is the only org capable of maintaining an implementation? Because that's how you end up in the situation where the "user agent" with majority market share starts gutting ad blockers.
I'm not saying I'm predicating this will happen with WASM or even think it's very likely. I don't know enough to have a real opinion on that. I'm just saying I really really don't want it to happen.
The big change going from WASI 0.1 to WASI 0.2 is that we decoupled the calling convention (Wasm Components) from the actual syscall APIs (WASI). That enabled us to make the various syscall APIs modular and composable.
Because CDN functions probably shouldn't know about TCP; and CLI applications probably don't care about blob storage. And now they don't need to. Take a look at the WASI Proposals page [1] for an overview of all WASI APIs.
[1]: https://github.com/WebAssembly/WASI/blob/main/Proposals.md
What happened to browsers? Few vendors implementing them? There are still 3 major vendors supporting an open source runtime or two (Google and MS on Blink), and a good open implementation (Mozilla). Better than 20 competing engines, does anybody miss IE's own engine?
And with WASM it's way easier for multiple implementations to be written, if need be, as it's a language runtime. These have 1/100th the scope of a browser (which is 99 other very hard to implement things PLUS a WASM runtime).
>The major players are the same, which is concerning. Then there's early signs from the specs themselves. Why do we need wasi-sockets and wasi-http? Why not only specify wasi-sockets and let HTTP be implemented optionally by libraries for apps that need it?
Because "let third parties define and write basic libraries" (and sockets and http are very basic) has been a disaster every time. You get a fragmented ecosystem, several popular libs fighting it out, and users either stay away or suffer the consequences.
At least with an official spec implementations will be compatible, and we'll get some reference one.
You can also have a standard web assembly component that simply implements wasi-http on top of wasi-sockets.
This sounds like an OS like user space to run atop WASM similar to POSIX.
Standards are good but my hope is the design is well thought out.
As you know, we're all about delivering value with the actual standards today. This means using truly portable, w3c Wasm core modules. Not some "maybe in the future" standard a la Components.
If you realistically want to use Wasm everywhere, in practically every language, Extism is the way to go and we're in it for the long haul.
For those who appreciate the WIT IDL being worked on (now for way too long), we support a far simpler, more familiar OpenAPI based version to eliminate the boilerplate of type conversion & serialization across the guest-host boundary, worth checking out: https://github.com/dylibso/xtp-bindgen
For example, https://mcp.run is one such business we are very excited about — and it is Extism at the core. No modifications to the runtime, just the same Extism we all know and love.
And we want way more than our own team to help maintain the open source project, no doubt about that! So simplicity and transparency are the name of the game.
Java's subsequent development was driven by enterprise/containers (mainly Oracle), and the VM has stayed relevant for 30 years by incorporating dozens of advances in machine and programming models. Both successful and lamentable.
If WASM (i.e., the loose collection of organizations driving it) could do it better than Java, wouldn't Java (with all its resources and organization) have already done it?
The answer has to lie in unsustainable or limiting technical decisions. What exactly are the design decisions WASM made to make it seem like it would escape becoming Java-like?
That was already possible with Haskell to JavaScript.
Today we’re happy to announce the Hyperlight Wasm guest based on the Wasmtime runtime. This makes it possible to run Wasm Component binaries on top of WASI interfaces without the need for a guest OS in the VM. In this post we explain how this works and walk through an example.
Firecracker is great if you want to securely execute an OS image. It has the benefit of compatibility with many existing programs, but that comes at the cost of some overhead.
Hyperlight is great if you want to securely execute program runtimes. This requires bespoke guest bindings, but it has the benefit of having less overhead.
There’s a place for both approaches, and I see both happily co-exist.
- If we take VMs as our boundary and compare cold start times, Hyperlight confidently comes out on top. That's 1-2ms vs 125ms+.
- If we take warm instances and measure network latency for requests, Hyperlight will come out on top if deployed to a CDN node (physics!). But if both workloads run in the same data center performance will be a lot closer.
- Say we have a workload where we need to transmux a terabyte of video, and we care about doing that as quickly as possible. A native binary has access to native instructions that will almost certainly outperform pure-Wasm workloads.
I think about Hyperlight Wasm is as yet another tool in the toolbox. There are some things it's great at (cold-starts, portability, security) and some other things it isn't. At least, not yet. Whether it's a good fit for what you're doing will depend on what you're doing.
> Hyperlight is able to create new VMs in one to two milliseconds. While this is still slower than using sandboxed runtimes like V8 or Wasmtime directly, with Hyperlight we can take those same runtimes and place them inside of a VM that provides additional protection in the event of a sandbox escape.
[1]: https://opensource.microsoft.com/blog/2024/11/07/introducing...
Maybe we should drop the Web from Web Assembly and call it something else?
[1]: https://dropbox.tech/tech/2018/06/building-better-compressio...
[2]: https://thenewstack.io/adobe-developers-use-webassembly-to-i...
[3]: https://www.figma.com/blog/webassembly-cut-figmas-load-time-...
I think that WASM in the browser will either largely replace JavaScript or will wither away like Java applets did. I fear there is no in-between and if it is only because no one will support two languages and ecosystems in parallel and in the long run. Not the big companies and certainly not the small ones.
The world I see is one where WASM is a permanent second class citizen and probably already has reached its peak adoption.
Not that I hope for it, quite the contrary, but that is what it looks to me.
EDIT: crypto miners and fancy tech demos I should say
Art and design: Photoshop, Figma
Games: Unity, many other engines or components inside engines (e.g. Bullet)
Videoconferencing: Zoom, Google Meet, etc.
Productivity: Google Sheets
Other: Google Maps and many, many more. For example, here is a talk about how Google uses wasm in a large range of its products: https://www.youtube.com/watch?v=2En8cj6xlv4
Look, wasm is a supplementary technology, used where JavaScript isn't good enough, like all the examples I just gave. Those use cases work extremely well right now, and most users on the web benefit from wasm, even if they are unaware wasm is running on the page - which is how it should be.
That is exactly the success that wasm aimed for from the start.
Amazon's Twitch service (and by extension also AWS's Interactive Video Service product that uses all the same backend stuff). Their video player is either fully a WASM thing or has some WASM components, I'm not completely sure which.
I though you meant it isn't used by web developers, which it very much is.
As I understand it this is designed to sit on bare metal and this is all a bit hamfisted but I don’t have a spare bare metal x86 around.
Guessing just throw this into a vm and accept that it’s nested virt?
Can you give a Wasm Component binary the capability to execute a tree of connected Wasm Components, delegate capabilities, and manage their life cycle?
As for executing a tree of connected components, in the current state of Hyperlight-Wasm you'd probably want to take a collection of components and compose them together using something like https://github.com/bytecodealliance/wac to create a final component composed together from multiple components.
I wondered how components were supposed to be used. So wac takes a group of wasm components and merges them into a new .wasm file with inputs/outputs mapped according to a defined .wac file. Then you can just run the new .wasm file. Does this not obviate the isolation benefits of having separate wasm modules? Is there a path to running a tree of components directly while maintaining the sandbox between them?
Have we ever thought of .... Using Unix processes for what they were meant to do, which is .. isolate programs?
The WASM ecosystem is recapitulating this stage of affairs by increasing the surface area with external systems in the same fashion.
Unix processes combined with seccomp (or pledge) to reduce exposed kernel surface and landlock (or unveil) to limit filesystem access puts you back at square one. Processes running WASM interpreters should be leveraging those interfaces, anyhow. What really differentiates WASM is the "compile once, run anywhere" portability allure.
But we live in an age of open source (in the literal sense). Ecosystems like Go and Rust assume source code availability; binary blobs are the exception. There's not much of a difference between C, Go, or Rust textual source code on the one hand and a WASM binary on the other; both are going to be compiled to native code by the downstream user. When you have the source code available to compile, then standards like POSIX should suffice. But they don't (at least not completely), because people are always chasing newer features that various environments invent to differentiate themselves. I don't see how WASM resolves that fundamental dynamic. Though I don't deny there are marginal benefits, just like there were with the JVM, which in many niches effectively resolved the Unix/Windows portability issue, allowing people to migrate platforms easier as preferences and requirements change.
Instead of WebSphere, WebLogic, IIS et al, you get Hyperlight WASM, with WASI components (aka CORBA/DCOM).
