Cross-platform assembly language and bytecode designed for execution in web browsers

WebAssembly (sometimes abbreviated Wasm) is an open standard that defines a portable binary-code format for executable programs, and a corresponding textual assembly language, as well as interfaces for facilitating interactions between such programs and their host environment.[2][3][4][5] The main goal of WebAssembly is to enable high-performance applications on web pages, but the format is designed to be executed and integrated in other environments as well, including standalone ones.[6][7][8]

In 2021, it received the Programming Languages Software Award from ACM SIGPLAN.[9]

WebAssembly (i.e. WebAssembly Core Specification (then version 1.0, 1.1 is in draft[10]) and WebAssembly JavaScript Interface[11]) became a World Wide Web Consortium recommendation on 5 December 2019,[12] alongside HTML, CSS, and JavaScript.[13]

WebAssembly can support (at least in theory) any language (e.g. compiled or interpreted) on any operating system (with help of appropriate tools),[14] and in practice all of the most popular languages already have at least some level of support.

The Emscripten SDK can compile any LLVM-supported languages (such as C, C++ or Rust, among others) source code into a binary file which runs in the same sandbox as JavaScript code.[note 1] Emscripten provides bindings for several commonly used environment interfaces like WebGL. There is no direct Document Object Model (DOM) access; however, it is possible to create proxy functions for this, for example through stdweb,[19] web_sys,[20] and js_sys[21] when using the Rust language.

WebAssembly implementations usually use either ahead-of-time (AOT) or just-in-time (JIT) compilation, but may also use an interpreter. While the first implementations have landed in web browsers, there are also non-browser implementations for general-purpose use, including Wasmer,[14] Wasmtime[22] or WAMR,[23] wasm3, WAVM, and many others. The WebAssembly website has .

The World Wide Web Consortium (W3C) maintains the standard with contributions from Mozilla, Microsoft, Google, Apple, Fastly, Intel, and Red Hat.[24][23]

WebAssembly was first announced in 2015,[25] and the first demonstration was executing Unity's Angry Bots in Firefox,[26] Google Chrome,[27] and Microsoft Edge.[28] The precursor technologies were asm.js from Mozilla and Google Native Client,[29][30] and the initial implementation was based on the feature set of asm.js.[31] The asm.js technology already provides near-native code execution speeds[32] and can be considered a viable alternative for browsers that don't support WebAssembly or have it disabled for security reasons.

In March 2017, the design of the minimum viable product (MVP) was declared to be finished and the preview phase ended.[33] In late September 2017, Safari 11 was released with support. In February 2018, the WebAssembly Working Group published three public working drafts for the Core Specification, JavaScript Interface, and Web API.[34][35][36][37]

While WebAssembly was initially designed to enable near-native code execution speed in the web browser, it has been considered valuable outside of such, in more generalized contexts.[38][39] Since WebAssembly's runtime environments (RE) are low level virtual stack machines (akin to JVM or Flash VM) that can be embedded into host applications, some of them have found a way to standalone runtime environments like Wasmtime and Wasmer.[8][14]

In November 2017, Mozilla declared support "in all major browsers",[40] after WebAssembly was enabled by default in Edge 16.[41] The support includes mobile web browsers for iOS and Android. As of July 2021, 94% of installed browsers support WebAssembly.[42] But for older browsers, Wasm can be compiled into asm.js by a JavaScript polyfill.[43]

Because WebAssembly executables are precompiled, it is possible to use a variety of programming languages to make them.[44] This is achieved either through direct compilation to Wasm, or through implementation of the corresponding virtual machines in Wasm. There have been around 40 programming languages reported to support Wasm as a compilation target.[45]

Emscripten compiles C and C++ to Wasm[33] using the Binaryen and LLVM as backend.[46]

As of version 8, a standalone Clang can compile C and C++ to Wasm.[47]

Its initial aim is to support compilation from C and C++,[48] though support for other source languages such as Rust, .NET languages[49][50][45] and AssemblyScript[51] (TypeScript-like) is also emerging. After the MVP release, there are plans to support multithreading and garbage collection[52][53] which would make WebAssembly a compilation target for garbage-collected programming languages like C# (supported via Blazor), F# (supported via Bolero[54] with help of Blazor), Python, and even JavaScript where the browser's just-in-time compilation speed is considered too slow. A number of other languages have some support including Python,[55] Java,[56] Julia,[57][58][59] Zig,[60] and Ruby,[61] as well as Go.[62]

WebAssembly is supported on desktops, and mobile, but on the latter, in practice (for non-small memory allocations, such as with Unity game engine) there are "grave limitations that make many applications infeasible to be reliably deployed on mobile browsers [..] Currently allocating more than ~300MB of memory is not reliable on Chrome on Android without resorting to Chrome-specific workarounds, nor in Safari on iOS."[63]

All major web browsers allow WebAssembly if Content-Security-Policy is not specified, or if "unsafe-eval" is used, but otherwise the major web browsers behave differently.[64] In practice WebAssembly can't be used on Chrome without "unsafe-eval",[65][66] while a worker thread workaround is available.[67]

In June 2018, a security researcher presented the possibility of using WebAssembly to circumvent browser mitigations for Spectre and Meltdown security vulnerabilities once support for threads with shared memory is added. Due to this concern, WebAssembly developers put the feature on hold.[68][69][70] However, in order to explore these future language extensions, Google Chrome added experimental support for the WebAssembly thread proposal in October 2018.[71]

WebAssembly has been criticized for allowing greater ease of hiding the evidence for malware writers, scammers and phishing attackers; WebAssembly is present on the user's machine only in its compiled form, which "[makes malware] detection difficult".[72] The speed and concealability of WebAssembly have led to its use in hidden crypto mining on the website visitor's device.[72][73][68] Coinhive, a now defunct service facilitating cryptocurrency mining in website visitors' browsers, claims their "miner uses WebAssembly and runs with about 65% of the performance of a native Miner."[68] A June 2019 study from the Technische Universität Braunschweig analyzed the usage of WebAssembly in the Alexa top 1 million websites and found the prevalent use was for malicious crypto mining, and that malware accounted for more than half of the WebAssembly-using websites studied.[74][75] An April 2021 study from Universität Stuttgart found that since then crypto mining has been marginalized, falling to below 1% of all WebAssembly modules gathered from a wide range of sources, also including the Alexa top 1 million websites.[76]

The ability to effectively obfuscate large amounts of code can also be used to disable ad blocking and privacy tools that prevent web tracking like Privacy Badger.

As WebAssembly supports only structured control flow, it is amenable toward security verification techniques including symbolic execution. Current efforts in this direction include the Manticore symbolic execution engine.[77]

WebAssembly System Interface (WASI) is a simple interface (ABI and API) designed by Mozilla intended to be portable to any platform.[78] It provides POSIX-like features like file I/O constrained by capability-based security.[79][80] There are also a few other proposed ABI/APIs.[81][82]

Solomon Hykes, a co-founder of Docker, wrote in 2019, "If WASM+WASI existed in 2008, we wouldn't have needed to create Docker. That's how important it is. WebAssembly on the server is the future of computing."[83] Wasmer, out in version 1.0, provides "software containerization, we create universal binaries that work anywhere without modification, including operating systems like Linux, macOS, Windows, and web browsers. Wasm automatically sandboxes applications by default for secure execution".[83]

The general standard provides core specifications for JavaScript API and details on embedding.[4]

Wasm code (binary code, i.e. bytecode) is intended to be run on a portable virtual stack machine (VM).[84] The VM is designed to be faster to parse and execute than JavaScript and to have a compact code representation.[48] An external functionality (like syscalls) that may be expected by Wasm binary code is not stipulated by the standard. It rather provides a way to deliver interfacing via modules by the host environment that the VM implementation runs in.[85][8]

A Wasm program is designed to be a separate module containing collections of various Wasm-defined values and program type definitions. These are expressed in either binary or textual format (see below) that both have a common structure.[86]

The core standard for the binary format of a Wasm program defines an instruction set architecture (ISA) consisting of specific binary encodings of types of operations which are executed by the VM (without specifying how exactly they must be executed).[87] The list of instructions includes standard memory load/store instructions, numeric, parametric, control of flow instruction types and Wasm-specific variable instructions.[88]

The number of opcodes used in the original standard (MVP) was a bit fewer than 200 of the 256 possible opcodes. Subsequent versions of WebAssembly pushed the number of opcodes a bit over 200. The WebAssembly SIMD proposal (for parallel processing) introduces an alternate opcode prefix (0xfd) for 128-bit SIMD. The concatenation of the SIMD prefix, plus an opcode that is valid after the SIMD prefix, forms a SIMD opcode. The SIMD opcodes bring an additional 236 instructions for the "minimum viable product" (MVP) SIMD capability (for a total of around 436 instructions).[89][90] Those instructions, the "finalized opcodes"[91] are implemented in Google's V8 (in Google Chrome) and in the corresponding engine in Mozilla Firefox (but not enabled in stable versions of the web browsers),[92] and there are also some additional proposal for instructions for later "post SIMD MVP", and there's also a separate "relaxed-simd" proposal on the table.[93]

These SIMD opcodes are also portable and translate to native instruction sets like x64 and ARM. In contrast, neither Java's JVM (nor CIL) support SIMD, at their opcode level, i.e. in the standard; both do have some parallel APIs which provide SIMD speedup. There is an extension for Java adding intrinsics for x64 SIMD,[94] that isn't portable, i.e. not usable on ARM or smartphones. Smartphones can support SIMD by calling assembly code with SIMD, and C# has similar support.

In March 2017, the WebAssembly Community Group reached consensus on the initial (MVP) binary format, JavaScript API, and reference interpreter.[95] It defines a WebAssembly binary format (.wasm), which is not designed to be used by humans, as well as a human-readable WebAssembly text format (.wat) that resembles a cross between S-expressions and traditional assembly languages.

The table below shows an example of a factorial function written in C and its corresponding WebAssembly code after compilation, shown both in .wat text format (a human-readable textual representation of WebAssembly) and in .wasm binary format (the raw bytecode, expressed below in hexadecimal), that is executed by a Web browser or run-time environment that supports WebAssembly.

All integer constants are encoded using a space-efficient, variable-length LEB128 encoding.[96]

The WebAssembly text format is more canonically written in a folded format using S-expressions. For instructions and expressions, this format is purely syntactic sugar and has no behavioral differences with the linear format.[97] Through wasm2wat, the code above decompiles to:

Note that a module is implicitly generated by the compiler. The function is actually referenced by an entry of the type table in the binary, hence a type section and the type emitted by the decompiler.[98] The compiler and decompiler can be accessed online.[99]

Definition of Free Cultural Works logo notext.svg This article incorporates text from a free content work. Licensed under Apache License 2.0 . Text taken from , jfbastien; rossberg-chromium; kripken; titzer; s3ththompson; sunfishcode; lukewagner; flagxor; enricobacis; c3d; binji; andrewosh, GitHub. WebAssembly/design.

To learn how to add open license text to Wikipedia articles, please see this how-to page. For information on reusing text from Wikipedia, please see the terms of use.