> WebAssembly has a sandbox and was designed for untrusted code.

So does JavaScript.

> It's almost impossible to statically reason about JS code, and so browsers need a ton of error prone dynamic security infrastructure to protect themselves from guest JS code.

They have that infrastructure because JS has access to the browser's API.

If you tried to redesign all of the web APIs in a way that exposes them to WebAssembly, you'd have an even harder time than exposing those APIs to JS, because:

- You'd still have all of the security troubles. The security troubles come from having to expose API that can be called adversarially and can pass you adversarial data.

- You'd also have the impedence mismatch that the browser is reasoning in terms of objects in a DOM, and WebAssembly is a bunch of integers.

> There are dynamic languages, like JS/Python that can compile to wasm.

If you compile them to linear memory wasm instead of just running directly in JS then you lose the ability to do coordinated garbage collection with the DOM.

If you compile them to GC wasm instead of running directly in JS then you're just adding unnecessary overheads for no upside.

> Also I don't see how dynamic typing is required to have API evolution and compt.

Because for example if a browser changes the type of something that happens to be unused, or removes something that happens to be unused, it only breaks actual users at time of use, not potential users at time of load.

> Plenty of platforms have static typed languages and evolve their API's in backwards compatible ways.

We're talking about the browser, which is a particular platform. Not all platforms are the same.

The largest comparable platform is OSes based on C ABI, which rely on a "kind" of dynamic typing (stringly typed, basically - function names in a global namespace plus argument passing ABIs that allow you to mismatch function signature and get away with it.

> The first major language for WebAssembly was C++, which is object oriented.

But the object orientation is lost once you compile to wasm. Wasm's object model when you compile C++ to it is an array of bytes.

> To be fair, there are a lot of challenges to making WebAssembly first class on the Web. I just don't think these issues get to the heart of the problem.

Then what's your excuse for why wasm, despite years of investment, is a dud on the web?

▲

eqrion 6 hours ago | parent | next [-]

> If you compile them to GC wasm instead of running directly in JS then you're just adding unnecessary overheads for no upside

Language portability is a big feature. There's a lot of code that's not JS out there. And JS isn't a great compilation target for a lot of languages. Google switched to compiling Java to Wasm-GC instead of JS and got a lot of memory/speed improvements.

> Because for example if a browser changes the type of something that happens to be unused, or removes something that happens to be unused, it only breaks actual users at time of use, not potential users at time of load. > The largest comparable platform is OSes based on C ABI, which rely on a "kind" of dynamic typing (stringly typed, basically - function names in a global namespace plus argument passing ABIs that allow you to mismatch function signature and get away with it.

I don't think any Web API exposed directly to Wasm would have a single fixed ABI for that reason. We'd need to have the user request a type signature (through the import), and have the browser maximally try and satisfy the import using coercions that respect API evolution and compat. This is what Web IDL/JS does, and I don't see why we couldn't have that in Wasm too.

> Then what's your excuse for why wasm, despite years of investment, is a dud on the web?

Wasm is not a dud on the web. Almost 6% of page loads use wasm [1]. It's used in a bunch of major applications and libraries.

[1] https://chromestatus.com/metrics/feature/timeline/popularity...

I still think we can do better though. Wasm is way too complicated to use today. So users of wasm today are experts who either (a) really need the performance or (b) really need cross platform code. So much that they're willing to put up with the rough edges.

And so far, most investment has been to improve the performance or bootstrap new languages. Which is great, but if the devex isn't improved, there won't be mass adoption.

	▲	titzer 23 minutes ago \| parent \| next [-]
		> Language portability is a big feature. There's a lot of code that's not JS out there. And JS isn't a great compilation target for a lot of languages. Google switched to compiling Java to Wasm-GC instead of JS and got a lot of memory/speed improvements. It's also worth noting that Wasm wasn't born into a vacuum like JS was (and Java for that matter), so it is competing[1] in a crowded space. Wasm is making inroads into languages that already have well-developed toolchains and ecosystems like Java, Kotlin, Rust, Scala, and Go. I think the Wasm network effect is happening, it is just very slow because it's primarily been a deployment platform and not a development platform. It's also worth noting that Wasm advancement is pretty decentralized and there are a lot of competing interests, particularly outside the web. Basically every other language had at least one massive investment in both language development and tooling from the get-go. Java=sun, C#=Microsoft, Go=Google, JavaScript=browsers, Scala=foundation, etc. [1] "competing" only in the sense of adding value over the mainstream or mainline implementations of these languages. > Wasm is way too complicated to use today. So users of wasm today are experts who either (a) really need the performance or (b) really need cross platform code. So much that they're willing to put up with the rough edges. I believe we can do better; we've been counting on languages that come to Wasm as a secondary deployment strategy and have their primary devex focused on another platform where then can debug better and offer better tooling.
	▲	pizlonator 6 hours ago \| parent \| prev [-]
		> Language portability is a big feature. It's a big feature of JS. JS's dynamism makes it super easy to target for basically any language. > Google switched to compiling Java to Wasm-GC instead of JS and got a lot of memory/speed improvements. That's cool. But that's one giant player getting success out of a project that likely required massive investment and codesign with their browser team. Think about how sad it is that these are the kinds of successes you have to cite for a technology that has had as much investment as wasm! > Almost 6% of page loads use wasm You can disable wasm and successfully load more than 94% of websites. A lot of that 6% is malicious ads running bitcoin mining. > Wasm is way too complicated to use today. I'm articulating why it's complicated. I think that for those same reasons, it will continue to be complicated

▲

swiftcoder 6 hours ago | parent | prev | next [-]

> Then what's your excuse for why wasm, despite years of investment, is a dud on the web?

It's not really a dud on the web. It sees a ton of use in bringing heavier experiences to the browser (i.e Figma, the Unity player, and so on).

Where it is currently fairly painful is in writing traditional websites, given all the glue code required to interact with the DOM - exactly what these folks are trying to solve.

▲

pizlonator 6 hours ago | parent [-]

Figma is one site. There are also a handful of other sites that use wasm. But most of the web does not use wasm.

> Where it is currently fairly painful is in writing traditional websites, given all the glue code required to interact with the DOM - exactly what these folks are trying to solve.

I don't think they will succeed at solving the pain, for the reasons I have enumerated in this thread.

▲

swiftcoder 6 hours ago | parent [-]

I mean, you are obviously entitely to your opinion, but folks have been solving this stuff the hard, glue-based way for ages now, and are using WASM wherever there is an advantage to do so. Getting rid of the glue layer and the associated performance problems can only accelerate those efforts

▲

pizlonator 6 hours ago | parent [-]

> I mean, you are obviously entitely to your opinion

I'm trying to explain to you why attempts to make wasm mainstream have failed so far, and are likely to continue to fail.

I'm not expressing an "opinion"; I'm give you the inside baseball as a browser engineer.

> Getting rid of the glue layer

I'm trying to elucidate why that glue layer is inherent, and why JS is the language that has ended up dominating web development, despite the fact that lots of "obviously better" languages have gone head to head with it (Java, Dart sort of, and now wasm).

Just like Java is a fantastic language anywhere but the web, wasm seems to be a fantastic sandboxing platform in lots of places other than the web. I'm not trying to troll you folks; I'm just sharing the insight of why wasm hasn't worked out so far in browsers and why that's likely to continue

▲

swiftcoder 6 hours ago | parent [-]

> why JS is the language that has ended up dominating web development

JS was dominating web development long before WASM gained steam. This isn't the same situation as "JS beating Java/ActivX for control of the web" (if I follow the thrust of your argument correctly).

WASM has had less than a decade of widespread browser support, terrible no-good DevEx for basically the whole time, and it's still steadily making it's way into more and more of the web.

	▲	pizlonator 6 hours ago \| parent [-]
		WebAssembly has had extraordinary levels of investment from browser devs and the broader community. > terrible no-good DevEx for basically the whole time I'm telling you why. > still steadily making it's way into more and more of the web. It is, but you can still browser the web without it just fine, despite so much investment and (judging by how HN reacts to it) overwhelming enthusiasm from devs

▲

saghm 5 hours ago | parent | prev [-]

I don't understand this objection. If you compile code that doesn't call a function, and then put that artifact on a server and send it to a browser, how is it broken when that function is removed?