WAVM uses LLVM to compile WebAssembly code to machine code with close to native performance. It can even beat native performance in some cases, thanks to the ability to generate machine code tuned for the exact CPU that is running the code.
WAVM also leverages virtual memory and signal handlers to execute WebAssembly's bounds-checked memory accesses at the same cost as a native, unchecked memory access.
WAVM prevents WebAssembly code from accessing state outside of WebAssembly virtual machine*, or calling native code that you do not explicitly link with the WebAssembly module.
* WAVM is vulnerable to some side-channel attacks, such as Spectre variant 2. WAVM may add further mitigations for specific side-channel attacks, but it's impractical to guard against all such attacks. You should use another form of isolation, such as OS processes, to protect sensitive data from untrusted WebAssembly code.
WAVM fully supports WebAssembly 1.0, plus many proposed extensions to it:
WAVM is written in portable C/C++, with a small amount of architecture-specific assembly and LLVM IR generation code.
WAVM is tested on and fully supports X86-64 Windows, MacOS, and Linux. It is designed to run on any POSIX-compatible system, but is not routinely tested on other systems.
Support for AArch64 is a work-in-progress. WAVM mostly works on AArch64 Linux, but with some known bugs with handling WebAssembly stack overflow and partially out-of-bounds stores.
WAVM's runtime requires a 64-bit virtual address space, and so is not portable to 32-bit hosts. However, WAVM's assembler and disassembler work on 32-bit hosts.