Newsgroups: php.internals
Date: Tue, 17 Sep 2024 23:03:43 +0200
From: rob@bottled.codes ("Rob Landers")
To: "Adam Zielinski", "Mike Schinkel"
Cc: "Hammed Ajao", "PHP internals"
Subject: Re: [PHP-DEV] Zephir, and other tangents

On Tue, Sep 17, 2024, at 14:57, Adam Zielinski wrote:
> > To summarize, I think PHP would benefit from:
> >
> > 1. Adding WASM for simple low-level extensibility that could run on
> > shared hosts for things that are just not possible in PHP as described a
> > few paragraphs prior, and where we could enhance functionality over time,
> >
> > 2. Constantly improving PHP the language, which is what you are solely
> > advocating for over extensibility,
> Hi Mike,
>
> I’m Adam, I'm building WordPress Playground [1] – it's WordPress running in the browser via a WebAssembly PHP build [2]. I'm excited to see this discussion and wanted to offer my perspective.
>
> WebAssembly support in PHP core would be a huge security and productivity improvement for the PHP and WordPress communities.
>
> > To summarize, I think PHP would benefit from:
> >
> > 1. Adding WASM for simple low-level extensibility that could run on
> > shared hosts for things that are just not possible in PHP as described a
> > few paragraphs prior, and where we could enhance functionality over time,
>
> Exactly this! With WASM, WordPress would get access to fast, safe, and battle-tested libraries.
>
> Today, we're recreating a lot of existing libraries just to be able to use them in PHP, e.g. parsers for HTML [3], XML [4], Zip [5], MySQL [6], or an HTTP client [7]. There are just no viable alternatives. Viable, as in working on all webhosts, having stellar compliance with each format's specification, supporting stream parsing, and having low footprint. For example, the curl PHP extension is brilliant, but it's unavailable on many webhosts.
>
> With WebAssembly support, we could stop rewriting and start leaning on the popular C, Rust, etc. libraries instead. Who knows, maybe we could even polyfill the missing PHP extensions?
>
> > 2. Constantly improving PHP the language, which is what you are solely
> > advocating for over extensibility,
>
> Just to add to that – I think WASM support is important for PHP to stay relevant. There's an exponential advantage to building a library once and reusing it across the language boundaries. A lot of companies are invested in PHP and that won't change in a day. However, lacking access to the WASM ecosystem, I can easily imagine the ecosystem slowly gravitating towards JavaScript, Python, Go, Rust, and other WASM-enabled languages.
>
> Security-wise, WebAssembly is sandboxed and would enable safe processing of untrusted files. Vulnerabilities like Zip slip [8] wouldn't affect a sandboxed filesystem. Perhaps we could even create a secure enclave for running composer packages and WordPress plugins without having to fully trust them.
>
> Another use-case is code reuse between JavaScript and PHP. I'm sceptical this could work with reasonable speed and resource consumption, but let's assume for a moment there is an ultra low overhead JavaScript runtime in WebAssembly. WordPress could have a consistent templating language. PHP backend would render the website markup using the same templates and libraries as the JavaScript frontend. Half the code would achieve the same task.
>
> Also, here's a few interesting "WASM in PHP" projects I found – maybe they would be helpful:
> - WebAssembly runtime built in PHP (!) https://github.com/jasperweyne/unwasm
> - WebAssembly runtime as a PHP language extension: https://github.com/veewee/ext-wasm
> - WebAssembly runtime as a PHP language extension: https://github.com/extism/php-sdk
>
> [1] https://github.com/WordPress/wordpress-playground/
> [2] https://github.com/WordPress/wordpress-playground/tree/trunk/packages/php-wasm/compile
> [3] https://developer.wordpress.org/reference/classes/wp_html_processor/
> [4] https://github.com/WordPress/wordpress-develop/pull/6713
> [5] https://github.com/WordPress/blueprints-library/blob/87afea1f9a244062a14aeff3949aae054bf74b70/src/WordPress/Zip/ZipStreamReader.php
> [6] https://github.com/WordPress/sqlite-database-integration/pull/157
> [7] https://github.com/WordPress/blueprints-library/blob/trunk/src/WordPress/AsyncHttp/Client.php
> [8] https://security.snyk.io/research/zip-slip-vulnerability
>
> -Adam

Hey Adam,

I actually went down something like this road for a bit when working at Automattic. My repo even probably still exists in the graveyard repository… but I had plugins running in C# and Java over a couple of weeks. This was long before wasm was a thing, and while cool, nobody really could think of a use for it.

It seems like you have a use for it though, and I’m reasonably certain you could get it working over ffi in a few weeks; yet you mention hosts not even having the curl extension installed, so I doubt that even if wasm came to be, it would be available on those hosts.

However, plugins basically work via hooks/filters. So as long as you register the right listeners and handle serialization properly, you can simply run a separate process for the plugin, or call a socket for “remote” plugins.

I don’t see anything stopping anyone from implementing that today.

— Rob

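
The out-of-process plugin idea from the reply above (register a listener, serialize the arguments, run the plugin in a separate process), as an added example that is not code from this thread or from WordPress. The helper name, the JSON message shape and the inline demo plugin are assumptions; it targets PHP 7.4+ on a POSIX host.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for an untrusted plugin: one JSON request on stdin,
// one JSON reply on stdout. A real plugin would be its own program.
const DEMO_PLUGIN = '$r = json_decode(file_get_contents("php://stdin"), true);'
    . 'echo json_encode(["hook" => $r["hook"], "value" => strtoupper($r["value"])]);';

// Hypothetical helper (not a WordPress API): run one filter hook in a child process.
function apply_filter_out_of_process(array $cmd, string $hook, string $value, float $timeout = 2.0): string
{
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['file', '/dev/null', 'w']];
    // Array command: no shell parsing. Minimal env: host secrets stay out of the child.
    $proc = proc_open($cmd, $spec, $pipes, null, ['PATH' => '/usr/bin:/bin']);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start plugin process');
    }
    fwrite($pipes[0], json_encode(['hook' => $hook, 'value' => $value], JSON_THROW_ON_ERROR));
    fclose($pipes[0]);

    // Read with a deadline and a size cap so a hung or chatty plugin cannot stall the request.
    stream_set_blocking($pipes[1], false);
    $raw = '';
    $deadline = microtime(true) + $timeout;
    while (!feof($pipes[1]) && strlen($raw) <= 65536 && microtime(true) < $deadline) {
        $read = [$pipes[1]];
        $write = $except = null;
        if (stream_select($read, $write, $except, 0, 100000) > 0) {
            $raw .= (string) fread($pipes[1], 8192);
        }
    }
    $complete = feof($pipes[1]) && strlen($raw) <= 65536;
    fclose($pipes[1]);
    if (!$complete) {
        proc_terminate($proc, 9); // SIGKILL: the plugin is not trusted to exit politely
    }
    proc_close($proc);
    if (!$complete) {
        throw new RuntimeException('plugin timed out or sent an oversized reply');
    }
    // Decode with JSON, never unserialize(): the reply is untrusted input.
    $reply = json_decode($raw, true, 8, JSON_THROW_ON_ERROR);
    if (!is_array($reply) || ($reply['hook'] ?? null) !== $hook || !is_string($reply['value'] ?? null)) {
        throw new UnexpectedValueException('malformed plugin reply');
    }
    return $reply['value'];
}

echo apply_filter_out_of_process([PHP_BINARY, '-n', '-r', DEMO_PLUGIN], 'the_title', 'hello world'), PHP_EOL;
```

Process separation isolates only the plugin's PHP state and memory; the child still has the web user's filesystem and network access unless the host confines it at the OS level.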