We're using it at RunReveal and I've got to say that we're extremely happy with it.
At Segment I always wanted a good sandbox environment for running customer code. This is the ideal solution, and the fact that it doesn't require CGo: :chefs_kiss:
Happy to answer any questions people considering using it might have!
Using WASM for things requiring low IO and high compute that are traditionally written in C/C++ makes a lot of sense to me. Image codecs are an example and native implementations for things like JPEG encoders are hard to come by. So, I used wazero to implement a few image codecs in Go^1. Codecs were compiled to WASM, and wazero works great for running them (albeit with overhead).
For this use case, wazero appears to be the cleanest solution as it's the only runtime that doesn't need CGo. The biggest appeal to me embedding WASM in Go is avoiding CGo to allow cross compilation. If my dependency is using CGo anyway, I might as well as link against a C library. I think native WASM runtimes like wazero are currently the best options for porting code language-agnostically.
I've used wazero for a pet project (raw wasm generation from simple query plans) and it was really nice to work with!
I also had to play around a bit with wasm relocations and the encoding/decoding libraries they've built are very readable, too, so I was able to hack together what I needed.
Fingers crossed for the optimizing compiler that's planned for some point!
what are you using for generating wasm? tinygo or new go runtime support of wasm? what are the sizes of wasm binaries? last i checked helloworld was in the order of few MB's.
The project was a custom compiler to turn a simple query plan (think select, where, group by) into wasm. So it was basically hand-written raw wasm generation.
I did compile some helper functions from Rust though, which also served as the "skeleton" of the wasm artifact I was later generating my wasm into, since wasm doesn't have any kind of proper dynamic linking right now.
tinygo still wins for size, and the reflection story got better (json works!). The traditional Go compiler produces larger binary but OTOH it's super-fast, as fast as native builds!
Can someone explain this to me like I’m 5? I thought web assembly was primarily run in a browser. Is this saying you can run a wasm binary in your go project (outside of the browser)?
That is correct. It is a webassembly runtime that you can embed in your go project. There are also other wasm runtimes that run outside the browser, this is one written in Go
Haven't looked at it, but I assume the use-case is opposite of your suggestion, i.e. CUE wants to offer some kind of plugin integration and embedding a WASM runtime is the safest way.
It's also to enable you to do non-CUE things in CUE or do things more efficiently (in the long run). Think of things like topological sort or processing a value recursively. Places where an imperative system is so much easier to do something.
as far as I know wazero is the only zero-dependency Wasm runtime written in Go.
This is not just one of those "written in $LANG" kinda deal: most other runtimes require linking against a native library; this in turn plays against a lot of the killer features of Go, such as good tooling, easy cross-compilation, goroutines [0]; so, not requiring Cgo means a team may bring wazero to their Go project without a second thought.
As for other features, we may not be as bleeding edge as other projects, but we are a rather tiny team. If you expect support for WASI (preview 1) we have it :) we try to concentrate our effort on high-quality support of stable specs.
EDIT: oh, and a huge shout-out to Stealthrocket, they are building a lot of cool stuff on top of wazero:
There are a few, but I suspect the most widely used would be wasmtime. It's written in Rust and can be used from Go [2] but requires CGo (as mentioned by GP).
I'm one of the Dapr (Distributed Application Runtime) maintainers which has a wazero based wasm integration. The wazero team contributed this integration.
I just wanted to say that the wazero team has done a great job keeping the integration up to date and have been very responsive. For example, our project also supports Linux Arm32 and wazero was initially not testing against that architecture which led to a compile issue for us. Once we pointed this out they fixed this and added this architecture to their CI tests as well.
EDIT: Also because our project can be compiled for any common O/S and architecture combination the pure Go implementation is critical. We do not accept use of CGO.
It depends on what you mean for JIT. wazero is load-time AoT; i.e. we compile the module in-memory on load, for efficient execution later, when you instantiate, it is not AoT in the sense that we produce a stand-alone executable, the runtime is always hosting that executable code that is generated, and we go back-and-forth between translated wasm and "Go space" at run-time in many cases. It is AoT in the sense that we do not tune the generated code depending on tracing or profiling information, because we don't track it for compilation.
The Wasm model itself gives a certain degree of safety: e.g. you do not have complete control over the host OS, because you have to explicitly expose functions to the gues module; we also provide a certain degree of control over e.g. execution time (you can instantiate a module in such a way that executions can be cancelled or set a timeout) and memory space.
We also provide an interpreter for all platforms where Go runs, and Takeshi (the founder of the project) is also working on bootstrapping an optimizing compiler that should soon land on main, and more work will happen in that space.
That’s a bug/oversight in a specific VM implementation. A JIT with a code cache (like V8) could have the same type of bug. It says nothing about about the inherent security of JIT vs AOT
wasmtime and wasmer are basically state-of-the-art. Our compilation backend is a fast, but straightforward translator from wasm to binary (think v8 liftoff vs turbofan), so it's faster than interpreting, but still slower than a well-crafted optimizing compiler. However depending on your use case, that kind of performance may not be everything: e.g. when I/O dominates .
The good news is an optimizing backend is being worked on as we speak and should be available very soon :)
I don't suppose you have any concrete benchmark numbers, e.g. coremark? (:
Also, how do you sandbox the guest program? Just bounds checks on memory accesses? Do you use the same trick as wasmtime does where they map a ton of inaccessible address space and depend on a SIGSEGV to catch violations? What about potential stack overflows - how do you protect against those?
Any plans to support the WebAssembly GC proposal? Binaryen supports GC structs and arrays now, but there aren’t a lot of runtimes that have it yet. It would be cool if Wazero could do it in a way where managed structs can be seamlessly shared across the Wasm/Go boundary using the native Go GC.
We are tracking the evolution of most proposals but we are a tiny team so we try to concentrate our efforts on those that have a higher degree of maturity, but I am sure we will at some point :)
Yeah, should have been more precise.
Code that can be loaded at runtime, does not need to be compiled together with the host application, can be loaded by just providing a path to a file/directory and can be executed in the host, ideally securely (not a strict requirement for my usage).
The plugin ideally runs with performance very close to host performance
go plugin package gets close, but the compile part is completely broken, where in reality the plugin has dependencies that can collide with the host. It would be fine if it was just the go runtime requirement that must match, but in reality it forces usage of cgo and a set of problems that make it really hard to use.
Plugins in wordpress are installed from the web UI and that's all, these just work with the same performance as the whole application (terrible native performance, but that's a PHP problem).
In go to achieve that I would need to compile the plugins on the fly, as well as recompile the whole application, instead of delivering an executable file and a bunch of dynamic libraries.
In .NET this was further used in large applications to reduce boot time, by loading code when it was first needed (DLLs)
I used this to run ML models I compiled down to WASM from Go. Really useful to put generic, high performance HTTP / JSON handling in front of some common interchangeable code.
I start out with a trained ML model, transform it into equivalent C code, then compile that C code targeting WASM.
Then I have a HTTP server in Go, which loads the wasm module on startup, just like dlopen but with a small ~10% performance overhead, rips the HTTP payload out, and calls the WASM function with the arguments filled in.
If you go that route (use wazero instead) and want to avoid cgo, you may be interested in my wazero based SQLite bindings:
https://github.com/ncruces/go-sqlite3
Also, the Go SDK. There is also the OS and the hardware.
I think what they mean to say is that their module has no additional dependencies on other modules. But, how much should users care? Go is pretty good at managing dependencies and they’re okay within reason.
It seems like an odd way to name your module? I guess it shows commitment. But if they later decide on adding a dependency, they could rename it.
By avoiding CGO, wazero avoids prerequisites such as shared libraries or libc, and lets you keep features like cross compilation. Being pure Go, wazero adds only a small amount of size to your binary. Meanwhile, wazero’s API gives features you expect in Go, such as safe concurrency and context propagation.”
Though that seems to be more about specifically C dependencies
At Segment I always wanted a good sandbox environment for running customer code. This is the ideal solution, and the fact that it doesn't require CGo: :chefs_kiss:
Happy to answer any questions people considering using it might have!