Taking another quick tour of wasm runtimes, the thing that strikes me the most is how so few of them seem to aim for a first-class experience that prioritizes security over speed.
-
@raggi I have to assume it's either feeling the pressure from wasmtime and their cranelift-based JIT, or being pushed in a particular direction by a customer base.
I also don't begrudge doing JIT in addition to interpreting, it's a natural stepping stone as a project matures. I just... I dunno, once you introduce the things a JIT needs, I expect to have a lot of reading material available about how carefully it's being developed and thought about. But again I seem to be an outlier.
-
@danderson Use case matters ofc, how many layers of defense can you put in place in a particular deployment. A lot of the edge compute interest can quite easily have several other layers of defense and limited intertenant and escalation access at more fundamental levels, but in these use cases startup time and runtime are very important obviously.
-
@raggi yeah it can be mitigated, certainly. But that's the sort of thing where I'm looking for docs that sit me down and go "okay, real talk, here's the tradeoffs, the risks, how we try to mitigate them, other things you should consider doing on your end" and so forth. Instead the tutorial tells you to run the constructor that uses a JIT under the hood, and I dunno I guess trust the code?
Maybe the disconnect is that I have trust issues.
-
@raggi Good point about deployment. When the commercial backers of this ecosystem are happy to sell you a place to run the thing that provides the extra layering, the tradeoffs happening here fall out fairly naturally. Ease of getting started and how quickly the customer function gets off CPU so you can rent it to someone else is the driver.
-
Brian Swetland replied to Dave Anderson
@danderson There are a lot of design features in WASM that make it much easier to generate safe code, especially on 64-bit architectures, than many bytecodes, etc. Things like the way memory is limited to (currently 1) linear array, references are through handles, etc.
My main grumble with it remains that I find the specification/documentation really annoyingly laid out and hard to follow.
-
Brian Swetland replied to Brian Swetland
@danderson I feel like, similar to how the Lua virtual machine, with its "word code" packing arguments in with opcodes to simplify fetch and decode, makes a fast interpreter implementation straightforward, WASM's design was very specifically built with safe-as-possible AOT/JIT code generation in mind, intentionally trying to simplify high performance implementations especially on modern 64-bit architectures.
-
Dave Anderson replied to Brian Swetland
@swetland That's good to know! I still have trust issues somewhat, because JITs are parked in the same bucket in my brain as cryptographic code: everyone is welcome to write the stuff, but I would really like to see the author's license to wrangle untrusted inputs before I let it into my process.
Designing to make fast execution possible is great, I just don't know the people in this space well enough to go "oh, Anna wrote the JIT, that's fine I can absolutely trust it to be solid".
-
Brian Swetland replied to Dave Anderson
@danderson Fair! And you can certainly build unsafe WASM runtimes. The design doesn't guarantee safety in the face of sloppy or incorrect implementations, it just has a lot of features that make building a safe AOT/JIT runtime much easier and more straightforward than a lot of other representations I've seen over the years.
-
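As an added example, not code from this thread or from any particular runtime: the bounds check that sits behind Brian's "single linear array" point, and the kind of sloppy implementation he says the design does not protect you from. A correct runtime widens the 32-bit address and offset to 64 bits before adding (so the sum cannot wrap) and requires the whole access width to fit; the naive check beside it does neither. The `linear_memory` type, the function names and the 64 KiB sample memory are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical runtime's single linear memory: one contiguous byte array
 * whose current length the runtime tracks (constructed for this example). */
typedef struct {
    uint8_t *base;
    uint64_t length;
} linear_memory;

/* Naive check: effective address computed in 32 bits (addr + offset wraps
 * modulo 2^32) and only the first byte is tested, not the access width. */
bool naive_in_bounds(uint64_t mem_len, uint32_t addr, uint32_t offset) {
    uint32_t ea = addr + offset;
    return ea < mem_len;
}

/* Correct check: widen before adding (the sum is at most 2^33 - 2, so it
 * cannot wrap in 64 bits) and require the entire access to fit. */
bool safe_in_bounds(uint64_t mem_len, uint32_t addr, uint32_t offset, uint64_t width) {
    uint64_t ea = (uint64_t)addr + (uint64_t)offset;
    return ea + width <= mem_len;
}

linear_memory *memory_new(uint64_t length) {
    linear_memory *m = malloc(sizeof *m);
    if (!m) return NULL;
    m->base = calloc(length, 1);
    if (!m->base) { free(m); return NULL; }
    m->length = length;
    return m;
}

void memory_free(linear_memory *m) {
    if (!m) return;
    free(m->base);
    free(m);
}

/* i32.store with the safe check; false means the access would trap. */
bool store_i32(linear_memory *m, uint32_t addr, uint32_t offset, uint32_t value) {
    if (!safe_in_bounds(m->length, addr, offset, sizeof value)) return false;
    memcpy(m->base + (uint64_t)addr + offset, &value, sizeof value);
    return true;
}

/* i32.load with the safe check; *out is left untouched on a trap. */
bool load_i32(const linear_memory *m, uint32_t addr, uint32_t offset, uint32_t *out) {
    if (!safe_in_bounds(m->length, addr, offset, sizeof *out)) return false;
    memcpy(out, m->base + (uint64_t)addr + offset, sizeof *out);
    return true;
}

/* Round trip of the last aligned i32 in one 64 KiB page; 0 on any trap. */
uint32_t roundtrip_example(void) {
    linear_memory *m = memory_new(65536);
    uint32_t v = 0;
    if (m && store_i32(m, 65532, 0, 0xCAFEF00Du)) {
        if (!load_i32(m, 65532, 0, &v)) v = 0;
    }
    memory_free(m);
    return v;
}

int main(void) {
    const uint64_t page = 65536;
    printf("naive addr=0xFFFFFFFF off=1: %d (sum wraps to 0, accepted)\n",
           naive_in_bounds(page, 0xFFFFFFFFu, 1));
    printf("safe  addr=0xFFFFFFFF off=1: %d\n",
           safe_in_bounds(page, 0xFFFFFFFFu, 1, 4));
    printf("naive addr=65535 width=4: %d (only first byte checked)\n",
           naive_in_bounds(page, 65535, 0));
    printf("safe  addr=65535 width=4: %d\n",
           safe_in_bounds(page, 65535, 0, 4));
    printf("roundtrip value: 0x%08x\n", roundtrip_example());
    return 0;
}
```

The two naive failures are the ones that matter for a JIT as much as for an interpreter: if the generated code adds a 32-bit base and offset in 32-bit registers, or checks the start of an access but not its end, the "single bounded array" guarantee is gone even though the bytecode itself is fine.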
Dave Anderson replied to Brian Swetland
@swetland Yeah that's definitely reassuring! Perhaps a trait of what I was exposed to over the years, but when I think JIT I think Native Client, and how eye-wateringly tricky that was to make safe; and the browser JavaScript JITs, and similarly eye-watering amounts of effort poured into raising the bar up to requiring _two_ tricky 0days to pwn a machine. But both of those are trying to retrofit JIT onto a hostile universe, I can see how wasm would have a leg up.
-
@swetland (and yes, calling NaCl JIT is a bit of a misnomer, it was more AOT with bitcode verification, I tend to lump them together as "I'm going to let untrusted code have the CPU unsupervised, I'd better not get it wrong").