[littlegreenb18]

This is not machine assembly. Its bytecode, everything still lives in the browser sandbox.

[hinkley]

There were bugs in the Java VM that were only surfaced by people writing tools that generated java assembly.

It's probably safest to assume that history will more or less repeat itself with web assembly.

[chillydawg]

Where the sandbox now has a much larger attack surface as it has to implement a whole new virtual machine to run the webasm.

[gsnedders]

Nobody's writing a whole new VM to run it; everyone is just treating it as another input format to their JS VM.

[icefox]

https://github.com/AndrewScheidecker/WAVM

[gsnedders]

Given the context, what browser is that going into? How is that relevant to browser sandboxing?

[icefox]

Ah yes within the browser space the various companies are just putting web assembly in/alongside the existing javascript engines. WAVM was just an example of a whole new vm that isn't for a browser, but does run webassembly.

[gsnedders]

Yeah; I probably should've been more explicit in my original comment: there's definitely new VMs being written for WASM, but none are currently expecting to go into browsers, hence concerns about sandbox escapes from browsers aren't affected by them.