Apart from the cooperative scheduling, I think Spectre probably kills the security model, and I can't understand how this could work efficiently without virtual memory. How do you implement `memory.grow`? Do you have to `memmove` an entire app's memory when it wants to grow by 10 kB and another app is in the way? Is that even possible?
Still, very impressive project!
Virtual memory serves two purposes:
1. To isolate processes - physical memory used by one process is only mapped into that process's virtual memory space. No other processes can read it. (Except for shared memory.). Using WASMs isolation instead means you don't need this so much (ignoring Spectre) but you still need...
2. To handle memory fragmentation - each process expects to see a contiguous block of memory available to it (more or less). Especially in WASM, you just get a big linear memory array that you can grow and shrink as you like.
If these blocks have to be physically contiguous blocks in memory it's going to be really hard to organise them, especially because you don't know how much memory they use in advance.
For example you run two apps and they initially say they need 100MB each. So you allocate app A at [0, 100MB) and app B at [100, 200MB). How app A says "I need 1 extra MB please!". Well since you don't have virtual memory that has to be at the physical address 100MB, which is already occupied by app B. So you have a few bad options:
* Leave space between apps in case they want to grow. But it's not obvious how much space, and also this would be extremely inefficient since you're literally wasting physical RAM.
* Don't allow apps to grow their memory. I think the very first versions of WASM didn't support this. Again this is obviously inefficient because apps have to allocate enough memory for their maximum memory usage even if they rarely use that.
* Shuffle apps around in physical memory when you need some space. I think this is possible but it would be really slow and lead to weird random pauses while GBs of memory is copied.
Virtual memory solves those issues. I think you could probably still build a system with these limitations for some use cases, e.g. kiosk/Point of Sale terminals. But for general purpose use it seems impossible unless I've missed some trick...
> I think Spectre probably kills the security model
What's the threat model exactly? As far as I can tell all the apps are compiled directly into the kernel, and the web browser doesn't run JavaScript. So I don't see any way to get untrusted code into the thing.