Newsgroups: php.internals
From: mike@newclarity.net (Mike Schinkel)
To: Adam Zielinski
Cc: PHP internals
Subject: Re: [PHP-DEV] Zephir, and other tangents
Date: Tue, 17 Sep 2024 15:17:15 -0400
References: <8D420123-4ECF-48FD-A9C3-F80C60457A37@newclarity.net>

> On Sep 17, 2024, at 8:57 AM, Adam Zielinski <adam.zielinski@automattic.com> wrote:
>
> > To summarize, I think PHP would benefit from:
> >
> > 1. Adding WASM for simple low-level extensibility that could run on
> > shared hosts for things that are just not possible in PHP as described a
> > few paragraphs prior, and where we could enhance functionality over time,
> >
> > 2. Constantly improving PHP the language, which is what you are solely
> > advocating for over extensibility,
>
> Hi Mike,
>
> I’m Adam, I'm building WordPress Playground [1] – it's WordPress running
> in the browser via a WebAssembly PHP build [2]. I'm excited to see this
> discussion and wanted to offer my perspective.
>
> WebAssembly support in PHP core would be a huge security and productivity
> improvement for the PHP and WordPress communities.
>
> > To summarize, I think PHP would benefit from:
> >
> > 1. Adding WASM for simple low-level extensibility that could run on
> > shared hosts for things that are just not possible in PHP as described a
> > few paragraphs prior, and where we could enhance functionality over time,
>
> Exactly this! With WASM, WordPress would get access to fast, safe, and
> battle-tested libraries.
>
> Today, we're recreating a lot of existing libraries just to be able to use
> them in PHP, e.g. parsers for HTML [3], XML [4], Zip [5], MySQL [6], or an
> HTTP client [7]. There are just no viable alternatives. Viable, as in
> working on all webhosts, having stellar compliance with each format's
> specification, supporting stream parsing, and having low footprint. For
> example, the curl PHP extension is brilliant, but it's unavailable on many
> webhosts.
>
> With WebAssembly support, we could stop rewriting and start leaning on the
> popular C, Rust, etc. libraries instead. Who knows, maybe we could even
> polyfill the missing PHP extensions?
>
> > 2. Constantly improving PHP the language, which is what you are solely
> > advocating for over extensibility,
>
> Just to add to that – I think WASM support is important for PHP to stay
> relevant. There's an exponential advantage to building a library once and
> reusing it across the language boundaries. A lot of companies are invested
> in PHP and that won't change in a day. However, lacking access to the WASM
> ecosystem, I can easily imagine the ecosystem slowly gravitating towards
> JavaScript, Python, Go, Rust, and other WASM-enabled languages.
>
> Security-wise, WebAssembly is sandboxed and would enable safe processing
> of untrusted files. Vulnerabilities like Zip slip [8] wouldn't affect a
> sandboxed filesystem. Perhaps we could even create a secure enclave for
> running composer packages and WordPress plugins without having to fully
> trust them.
>
> Another use-case is code reuse between JavaScript and PHP. I'm sceptical
> this could work with reasonable speed and resource consumption, but let's
> assume for a moment there is an ultra low overhead JavaScript runtime in
> WebAssembly. WordPress could have a consistent templating language. PHP
> backend would render the website markup using the same templates and
> libraries as the JavaScript frontend. Half the code would achieve the same
> task.
>
> Also, here's a few interesting "WASM in PHP" projects I found – maybe they
> would be helpful:
> - WebAssembly runtime built in PHP (!) https://github.com/jasperweyne/unwasm
> - WebAssembly runtime as a PHP language extension: https://github.com/veewee/ext-wasm
> - WebAssembly runtime as a PHP language extension: https://github.com/extism/php-sdk
>
> [1] https://github.com/WordPress/wordpress-playground/
> [2] https://github.com/WordPress/wordpress-playground/tree/trunk/packages/php-wasm/compile
> [3] https://developer.wordpress.org/reference/classes/wp_html_processor/
> [4] https://github.com/WordPress/wordpress-develop/pull/6713
> [5] https://github.com/WordPress/blueprints-library/blob/87afea1f9a244062a14aeff3949aae054bf74b70/src/WordPress/Zip/ZipStreamReader.php
> [6] https://github.com/WordPress/sqlite-database-integration/pull/157
> [7] https://github.com/WordPress/blueprints-library/blob/trunk/src/WordPress/AsyncHttp/Client.php
> [8] https://security.snyk.io/research/zip-slip-vulnerability

Thanks for this. It is super great information.

Want to work on an RFC?

-Mike