On Tue, Sep 17, 2024, at 14:57, Adam Zielinski wrote: > > To summarize, I think PHP would benefit from: > > > > 1. Adding WASM for simple low-level extensibility that could run on > > shared hosts for things that are just not possible in PHP as described a > > few paragraphs prior, and where we could enhance functionality over time, > > > > 2. Constantly improving PHP the language, which is what you are solely > > advocating for over extensibility, > Hi Mike, > > I’m Adam, I'm building WordPress Playground [1] – it's WordPress running in > the browser via a WebAssembly PHP build [2]. I'm excited to see this > discussion and wanted to offer my perspective. > > WebAssembly support in PHP core would be a huge security and productivity > improvement for the PHP and WordPress communities. > > > To summarize, I think PHP would benefit from: > > > > 1. Adding WASM for simple low-level extensibility that could run on > > shared hosts for things that are just not possible in PHP as described a > > few paragraphs prior, and where we could enhance functionality over time, > > Exactly this! With WASM, WordPress would get access to fast, safe, and > battle-tested libraries. > > Today, we're recreating a lot of existing libraries just to be able to use > them in PHP, e.g. parsers for HTML [3], XML [4], Zip [5], MySQL [6], or an > HTTP client [7]. There are just no viable alternatives. Viable, as in working > on all webhosts, having stellar compliance with each format's specification, > supporting stream parsing, and having low footprint. For example, the curl > PHP extensions is brilliant, but it's unavailable on many webhosts. > > With WebAssembly support, we could stop rewriting and start leaning on the > popular C, Rust, etc. libraries instead. Who knows, maybe we could even > polyfill the missing PHP extensions? > > > 2. Constantly improving PHP the language, which is what you are solely > > advocating for over extensibility, > > Just to add to that – I think WASM support is important for PHP to stay > relevant. There's an exponential advantage to building a library once and > reusing it across the language boundaries. A lot of companies is invested in > PHP and that won't change in a day. However, lacking access to the WASM > ecosystem, I can easily imagine the ecosystem slowly gravitating towards > JavaScript, Python, Go, Rust, and other WASM-enabled languages. > > Security-wise, WebAssembly is Sandboxed and would enable safe processing of > untrusted files. Vulnerabilities like Zip slip [8] wouldn't affect a > sandboxed filesystem. Perhaps we could even create a secure enclave for > running composer packages and WordPress plugins without having to fully trust > them. > > Another use-case is code reuse between JavaScript and PHP. I'm sceptical this > could work with reasonable speed and resource consumption, but let's assume > for a moment there is a ultra low overhead JavaScript runtime in WebAssembly. > WordPress could have a consistent templating language. PHP backend would > render the website markup using the same templates and libraries as the > JavaScript frontend. Half the code would achieve the same task. > > Also, here's a few interesting "WASM in PHP" projects I found – maybe they > would be helpful: > - WebAssembly runtime built in PHP (!) https://github.com/jasperweyne/unwasm > - WebAssembly runtime as a PHP language extension: > https://github.com/veewee/ext-wasm > - WebAssembly runtime as a PHP language extension: > https://github.com/extism/php-sdk > > [1] https://github.com/WordPress/wordpress-playground/ > [2] > https://github.com/WordPress/wordpress-playground/tree/trunk/packages/php-wasm/compile > [3] https://developer.wordpress.org/reference/classes/wp_html_processor/ > [4] https://github.com/WordPress/wordpress-develop/pull/6713 > [5] > https://github.com/WordPress/blueprints-library/blob/87afea1f9a244062a14aeff3949aae054bf74b70/src/WordPress/Zip/ZipStreamReader.php > [6] https://github.com/WordPress/sqlite-database-integration/pull/157 > [7] > https://github.com/WordPress/blueprints-library/blob/trunk/src/WordPress/AsyncHttp/Client.php > [8] https://security.snyk.io/research/zip-slip-vulnerability > > -Adam > >
Hey Adam, I actually went down something like this road for a bit when working at Automattic. My repo even probably still exists in the graveyard repository… but I had plugins running in C# and Java over a couple of weeks. This was long before wasm was a thing, and while cool, nobody really could think of a use for it. It seems like you have a use for it though, and I’m reasonably certain you could get it working over ffi in a few weeks; yet you mention hosts not even having the curl extension installed, so I doubt that even if wasm came to be, it would be available on those hosts. However, plugins basically work via hooks/filters. So as long as you register the right listeners and handle serialization properly, you can simply run a separate process for the plugin, or call a socket for “remote” plugins. I don’t see anything stopping anyone from implementing that today. — Rob
