WAVM uses LLVM to compile WebAssembly code to machine code with close to native performance. It can even beat native performance in some cases, thanks to the ability to generate machine code tuned for the exact CPU that is running the code.
WAVM also leverages virtual memory and signal handlers to execute WebAssembly's bounds-checked memory accesses at the same cost as a native, unchecked memory access.
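The following C program is an added illustration of that technique, not WAVM's own code: it reserves an inaccessible address range large enough for every 32-bit index, commits only the guest's pages, and turns the resulting hardware fault into a trap. The names `sandbox_init` and `guest_access`, the 4 GiB reservation and the byte-sized accesses are assumptions of this example, which targets a 64-bit POSIX system.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>

#define RESERVED (1ULL << 32)  /* covers every possible 32-bit guest index */
#define WASM_PAGE 65536u       /* WebAssembly page size */
static uint8_t *base;          /* start of the reserved range */
static sigjmp_buf trap_env;
static volatile sig_atomic_t in_guest;

/* A fault inside the reservation while guest code runs becomes a trap. */
static void on_fault(int sig, siginfo_t *si, void *ctx) {
    (void)ctx;
    uintptr_t a = (uintptr_t)si->si_addr, b = (uintptr_t)base;
    if (in_guest && a >= b && a - b < RESERVED) siglongjmp(trap_env, 1);
    signal(sig, SIG_DFL);      /* host bug, not a guest access: crash normally */
}

/* Reserve the range with no access, then commit the first `pages` pages. */
static int sandbox_init(unsigned pages) {
    struct sigaction sa = {0};
    sa.sa_sigaction = on_fault;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGSEGV, &sa, NULL) || sigaction(SIGBUS, &sa, NULL)) return -1;
    base = mmap(NULL, RESERVED, PROT_NONE,
                MAP_PRIVATE | MAP_ANONYMOUS | MAP_NORESERVE, -1, 0);
    if (base == MAP_FAILED) return -1;
    return mprotect(base, (size_t)pages * WASM_PAGE, PROT_READ | PROT_WRITE);
}

/* Guest access: base + index with no compare-and-branch. 0 = ok, -1 = trap. */
static int guest_access(uint32_t index, uint8_t *val, int is_store) {
    if (sigsetjmp(trap_env, 1)) { in_guest = 0; return -1; }
    in_guest = 1;
    volatile uint8_t *p = base + index;
    if (is_store) *p = *val; else *val = *p;
    in_guest = 0;
    return 0;
}

int main(void) {
    uint8_t v = 0x5a;
    if (sandbox_init(1)) return 1;
    printf("store@100=%d ", guest_access(100, &v, 1));
    printf("load@65536=%d\n", guest_access(65536, &v, 0));
    return 0;
}
```

The in-bounds path executes a plain load or store; the bounds check only costs anything when the MMU raises a fault on an uncommitted page.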
WAVM prevents WebAssembly code from accessing state outside of the WebAssembly virtual machine*, or calling native code that you do not explicitly link with the WebAssembly module.
* WAVM is vulnerable to some side-channel attacks, such as Spectre variant 2. WAVM may add further mitigations for specific side-channel attacks, but it's impractical to guard against all such attacks. You should use another form of isolation, such as OS processes, to protect sensitive data from untrusted WebAssembly code.
WAVM is tested on and fully supports X86-64 Windows, macOS, and Linux. It is designed to run on any POSIX-compatible system, but is not routinely tested on other systems.