►
From YouTube: SES Compartments at tc39
Description
No description was provided for this meeting.
If this is YOUR meeting, an easy way to fix this is to add a description to your video, wherever mtngs.io found it (probably YouTube).
A
Yesterday
you
altered
kurudi
referred
to
the
evaluator
or
the
compartment
abstraction
several
times
in
the
realm.
Talk
as
we're
a
lot
of
the
things
that
used
to
be
on
the
realm
side
have
moved
in
decoupling,
the
realms
and
sets
and
the
compartments.
So
today,
I'm
going
to
be
talking
about
that
compartment.
Abstraction
I'm
gonna
be
talking
about
it
in
the
context
of
cess.
A
Cess
serves
many
constituencies
that
use
JavaScript
in
very
different
ways.
Xs
is
the
JavaScript
for
use
in
embedded
done
by
model.
Tc
53
is
the
Ekman
Committee
for
standardizing
JavaScript
modules
for
use
in
embedded
and
their
target
is
assess
modules
for
use
on
assess
machine,
salesforce
and
meta
masks.
Both
use
sets
in
the
browser.
Node
is
adopting
elements
obsess
elements
that
supports
us
into
node,
and
that's,
of
course,
for
you
success
on
the
server
and
then
a
goreck
is
using
cess
both
on
the
blockchain
using
the
XS
engine
and
on
solo
machines
using
those.
A
We've
used
that
to
arrive
at
a
compartment
API
that
we
really
quite
love.
In
fact,
this
compartment
API
is
mostly
derived
from
what
moddable
has
already
implemented
and
with
model
initially
designed
with
Patrick's,
okay
and
model
and
many
refinements
by
a
jf,
Paradis
gorrik,
and
what
we
have
found
really
clarifying
is
the
view
of
these
needs
from
TC
53,
because
embedded
is
such
a
different
way
of
using
javascript
and
then
the
way
we
normally
think
to
use
javascript.
A
Quick
historic
recap:
javascript
started
off
as
a
really
really
messy
language
that
was
very,
very
hard
to
use
in
a
defensible
or
disciplined
manner.
It
had
tremendous
missed
features
and,
as
we
proceeded
forward,
the
what
we
started
with
was
not
so
much
trying
to
add
new
features
to
make
things
better,
but
adding
the
ability
to
do
an
enforced
removal
of
miss
features.
So
we
introduced
Eggman
script.
Strictmode
that
for
code
it
was
in
strict
mode,
did
not
have
access
to
some
of
the
worst
missed
features.
A
A
The
same
way
for
defense
of
programming
or
discipline,
programming,
etc,
but
Pechman
scripts,
strict,
still
has
miss
features
that
make
good
defensive,
disciplined
or
secure
programming
impossible,
which
led
to
the
was
the
motivation
for
cess,
where
the
main
differences
are
that,
whereas
in
strict
mode,
you
still
have
a
completely
beautiful
set
of
primordial
where
anybody
any
code
linked
into
that
realm
can
completely
corrupt
the
entire
realm
by
destroying
the
primordial
x'
and
where
all
code
in
the
realm
has
access
to
the
same
global
object.
So
with
both
of
those
there's.
A
This
total
mutual
vulnerability
of
every
module
inside
a
program
too
every
other
module
so
incest.
The
main
differences
are
that
the
primordial
are
transitively
frozen
and
made
harmless
and
that
we
create
separate
global
objects
per
compartment,
giving
us
a
a
featherweight
isolation
boundary
within
a
wrap.
A
But
despite
these
small
number
of
things
that
were
turned
off,
the
really
important
thing
about
the
cest
design
is
that
the
vast
majority
of
javascript
is
still
present
and
is
unchanged
in
its
semantics.
And
the
result
is
that
a
tremendous
amount
of
old
code
runs
unmodified
and
sess.
We've
verified
that
empirically
at
in
Google
at
the
caja
project,
where
sess
was
born
in
the
es5
era
and,
more
recently
to
be
verified
and
again
with
modern
cess
at
Salesforce,
a
meta
mass
categoric,
etcetera.
A
A
Minimizing
ROM
is
also
partnered
with
minimizing
Ram
is
much
more
important
and
that
all
of
the
code
that
runs
on
a
typical
embedded
device
is
determined
at
the
time
device.
Ships
is
there's
no
need
for
dynamic
evaluation
of
strings.
You
don't
have
to
have
the
embedded
device
support,
a
full
runtime
interpreter
and
that
all
of
the
modules,
the
embedded
device
has
really
has
known
you
for
evaluating
scripts
at
all.
So
all
code
is
and
modules,
but
furthermore,
in
an
embedded
device.
A
Typically,
all
of
the
modules
exist
upfront
at
Build
time,
where
the
manufacturer
wants
to
pre,
compile
all
those
modules
and
then
into
static
in
through
static
representation,
the
linkable
modules
and
then
only
it
runs
at
runtime.
The
security
policy
is
expressed
only
by
controlling
the
instantiation,
linking
and
initialization
of
these
modules
to
each
other,
how
they
are
wired
together
and
how
they
are
wired
to
various
sources
of
authority.
A
Again,
largely
because
of
the
memory
footprint
issue,
and
also
because
having
bought
into
frozen
primordial,
the
compartment
is
a
tremendously
lightweight
isolation
mechanism
that
is
suitable
for
the
needs
of
embedded.
So
the
result
is
that
the
pure
primordial
being
all
transitively
frozen,
can
be
placed
in
wrong.
The
static
precompiled
modules
ready
to
be
linked
together.
The
static
information
can
also
all
be
placed
and
wrong,
and
then
the
the
the
amount
of
bookkeeping.
You
then
need
in
RAM
to
do
flexible,
multi,
compartment
execution.
A
It's
really
surprisingly.
Small
I'll
leave
the
quoting
of
concrete
numbers
to
model,
but
they've
been
quoting
rather
amazing
numbers
and
how
little
RAM
they
need
to
do
this,
and
to
do
this
with
interesting
policies
enforced
by
one
piece
of
code
on
another
for
those
who
are
at
the
cess
meetup
on
Peter
was
showing
this
making
use
of
this
enforcement
mechanism
in
a
light
bulb
with
a
really
really
tiny
CPU
chip.
A
Some
of
these
restrictions
have
elements
in
common
with
other,
with
other
sub
setting
mechanisms,
other
enforced
subsetting
mechanisms
that
we're
used
to
from
browser
environment,
for
example
a
CSP
for
four
different
but
related
security
reasons.
Often
will
Turk
will
often
use
CSP
to
turn
off
the
script.
Evaluators.
A
And
people
often
build
web
applications
using
Packers,
where
the
Packer
will
take
all
of
the
modules
that
will
be
part
of
the
application
package
them
all
together
to
be
shipped
together
and
then
often
not
need
to
do
further
dynamic
loading
at
runtime
things
beyond
what's
in
the
pack.
So
these
all
sort
of
push
in
this
in
a
lot
of
the
same
directions
says,
of
course,
still
includes
the
larger
picture,
but
I'm
going
to
focus
here
on
what
is
in
the
the
intersection
of
all
these
needs.
A
To
understand
the
frozen
primordial,
let's,
let's
take
a
look
at
the
actual
prime
morning,
JavaScript
primordial
heat
and
what
it's?
What
its
configuration
is?
The
Prem
there's
I'm
using
primordial
x'
to
talk
about
all
of
the
objects
that
must
exist
before
code
starts
running.
There
is
some
people
use
the
term
intrinsic
to
mean
the
same
thing?
A
So
in
this
heap
of
objects
and
pointing
relationships,
this
just
intended
to
be
just
sort
of
a
representative
in
some
of
the
relationships
we
find
in
the
primordial
heat.
The
bi-directional
arrow
is
a
prototype
property
in
one
direction.
Constructor
property
in
the
other
direction
and
the
vertical
arrows
are
inherits
from
some
of
these
objects
are
undeniable,
meaning
that
they're
reachable
from
syntax,
as
we
saw
yesterday
with
Curry's
presentation
on
making
use
of
the
square
bracket
example
for
reaching
radon
prototype,
which
I
also
mentioned
in
my
Preserve
host.
A
A
And
there's
a
special
relationship
here
between
the
evaluators,
the
functional
constructor
and
the
eval
function
and
the
global
object,
which
is
the
eval
function
and
the
function
instructor
evaluate
code
in
the
scope
of
the
global
object.
However,
none
of
the
other
than
the
evaluators,
including
the
other
functional
constructors,
not
shown
none
of
other
than
the
evaluators.
A
Of
course,
the
global
object
has
mentioned
in
the
preserved
virtual
eyes.
Ability
talk
is
also
the
place
that
hosts
are
supposed
to
put
host
objects
that
give
code
JavaScript
code,
the
ability
to
talk
to
the
outside
world,
like
on
the
browser,
the
document
object,
and
some
of
these.
Some
of
this
initial
keep
is
is
powerful,
is
dangerous,
is
able
to
cause
side-effects
or
sensitive
eye
defects
to
the
outside
world.
The
document
enables
code
to
talk
to
the
user.
A
The
date
object
enables
code
to
find
out
what
the
current
time
is,
which
is
conceptually
Oh
should
be
thought
of
as
a
form
of
I/o
input,
and
because
these
things
are
reachable
from
the
global
object
of
the
global
object
itself
is
dangerous
and
because
the
eval
function
and
the
function
constructor
evaluate
code
in
the
scope
of
the
global
object,
they're
dangerous,
so
the
first
step
towards
the
what
it's.
What
a
cess
environment
is
like
is
that
we
pull
off
all
of
the
dangerous
things
into
a
starter
compartment
and
we
leave
behind
the
frozen
shared
intrinsics.
A
The
function
prototypes,
constructor
property
still
points
at
something,
that's
a
type
of
function,
but
it's
actually
just
a
function
that
always
throws
that's
why
the
function
instructor
is
crossed
off
the
date.
Constructor
is
still
has
almost
all
the
normal
functionality,
the
date
constructor
in
the
sense
of
creating
gain
objects
that
represent
the
abstraction
of
representing
a
point
in
time
and
all
the
methods
that
operate
on
data
objects,
but
it
omits
the
ability
to
sense
the
current
on.
A
The
global
object
on
the
start,
compartment
for
all
the
non
evaluator
primordial,
continues
to
point
at
them
as
part
of
the
frozen
intrinsic
State.
The
host
objects
are
not
part
of
the
president
transit
state
they're.
In
a
separate
category
of
powerful
things,
purposely
provided
by
the
host
the
function,
constructor,
its
dot,
prototype
property,
still
points
at
the
same
function.
Prototype
so
that's
shared,
but
it's
not
pointed
back
to
so.
The
result
is
that
the
start
compartment
seems
much
like
the
normal
global
object,
but
it's
only
pointing
into
the
shared
intrinsic
sense.
A
There's
no
pointers
back
and
the
result
is
that
the
start
compartment
can
easily
create
through
with
the
compartment
API.
A
new
compartment
which
is
completely
isolated,
is
completely
safe,
is
completely
controlled
by
the
by
the
means
by
which
it
was
created
by
the
parameters
provided
to
the
compartment
constructor.
When
it
was
asked
to
create
a
new.
A
A
When
one
compartment
creates
another,
it
can
also
provide
the
new
compartment
with
virtual
host
objects.
So,
for
example,
if
we're
on
a
browser
where
the
start
compartment
has
the
document
object,
then
it
can
create
another
compartment
that
has
a
process
object
in
order
to
arrange
an
emulation
of
the
node
environment
so
that
so
that
you
can
try
to
emulate
note
host
while
on
a
dock,
a
browser
house
or
vice
versa.
But
the
process
object
in
this
case
is
just
an
object
written
in
JavaScript,
created
by
the
controlling
department.
A
And
in
doing
all
this,
of
course,
we're
introducing
this
new
compartment
abstraction
itself,
so
it
has
to
go
somewhere
and
for
reasons
that
we'll
be
explaining
the
compartment
constructor
itself
like
the
function.
Constructor
has
to
be
per
compartment.
The
function
constructor
has
to
be
per
compartment
because
each
compartment
has
its
own
evaluators
that
evaluate
in
its
own
global
object
and
the
compartment
constructor.
Sorry,
the
compartment
has
to
have
its
own
compartment
constructor
because
of
a
mapping
relationship
in
the
import
namespace
among
compartments,
which
will
get
get
back
to
at
the
end
of
the
talk.
A
A
A
There
is
a
getter
forget
and,
as
jordan
pointed
out
in
an
issue
on
the
realm,
shim
I
said
last
night.
Perhaps
this
getter
should
be
relabeled
global
this,
but
in
any
case
it's
a
getter
for
obtaining
the
global
of
the
new
compartment.
Every
compartment
when
you
create
it
you're
creating
a
new,
global
and
evaluate
that
is
essentially
an
alias
for
the
eval
function
for
that
compartment
in
bed.
It's
doing
a
strict,
indirect
eval
evaluating
the
code
as
global
code.
A
However,
for
both
the
compartment
constructor
and
the
evaluate
operation,
we
also
add
an
optional
options.
Bag
and
the
important
one
is
on
the
compartment
constructor,
which
is
where
we
provide
the
host,
looks
I'm
sorry,
the
host
hooks
for
emulating
host
behavior
with
regard
to
the
code
running
in
that
compartment
and
then
finally,
there's
the
elements
of
the
compartment
constructor,
setting
up
the
import
namespace
for
the
modules
that
are
instantiated
in
that
compartment
or
even
for
the
scripts
that
are
evaluated
in
that
compartment.
A
Setting
up
the
import
namespace
seen
by
the
dynamic
import
expression
so
essentially,
what's
going
on
here.
Is
that
there's
three
namespaces,
then,
if
you
want
to
call
it
that
that
code
is
sensitive
to
that
in
the
nature
of
his
execution,
there
is
the
global
scope
in
which
it's
free
variables
are
dereferenced.
A
There
is
the
module
import,
namespace
used
for
resolving
its
imports
and
there's
the
host
hooks,
which
isn't
really
a
namespace,
but
is
a
another
means
by
which
how
code
executes
is
determined
by
the
environment
in
which
it
executes.
So
we
want
all
of
things
to
be
provided
on
a
per
compartment
basis.
So
the
interesting
one
is
the
issue
of
handling
the
import
map.
A
So,
in
order
to
explain
the
module,
linkage
and
important
semantics
associated
with
compartments,
we
first
need
to
explain
it
in
terms
of
the
semantics
of
modules
and,
unfortunately,
the
spec
language
for
explaining
modules
is
rather
confusing.
The
there's
three
abstractions
in
the
spec
module
record,
which
is
sort
of
an
abstract
superclass.
The
square
brackets
are
the
internal
slots,
which
are
the
states
associated
with
each
of
these
abstractions.
The
cyclic
module
record
is
essentially
a
subclass
that
extends
module
record
inherits
all
that
state
adds
those
new
state
variables
source
text.
A
Module
record
is
the
vast
majority
of
modules
that
we're
familiar
with,
and
it
turns
harrods
from
cyclic
module
record
and
therefore
it
has
all
of
the
state
together
the
state
variables
here,
I
colored
them
to
indicate
the
separate
concerns
that
they're
addressing
the
blue
state
variables
are
our
static
information.
There's
information
that
is
derive
about
just
from
the
source
text
in
isolation
by
static
analysis,
with
no
sensitivity
to
the
environment.
That's
going
to
run
in
and
with
no
intra
module
analysis.
A
A
And
there's
one
very
confusing
term
on
this
slide,
which
it's
net
it's
now
confusing
because
called
the
realm
record
and
as
we've
now
divided
up
the
concepts,
it's
not
per
realm
at
all,
it's
not
about
realms
is
really
about
compartments.
So
to
avoid
confusion,
I'm
going
to
temporarily
relabeling
our
record
before
again
relabeling
it
later.
A
And
these
elements
have
the
following
types
and
altogether
this
picks
this
picture
because
of
the
way
it
mixes
concerns
into
common
set
of
abstractions
is
messy.
It's
missing
a
way
that
impedes
explanation,
so
I'm
going
to
ask
us
to
imagine
that
we
refactor
this,
whether
we
actually
do
this
refactoring
or
not,
is
yet
to
be
determined.
But
what
we
want
to
specify
with
compartments
should
be
equivalent
to
what
I'll
be
explaining
in
terms
of
this
refactoring.
A
So
the
first
thing
is
to
divide
the
state
into
3x3,
separate
abstractions,
three
that
do
not
inherit
from
each
other,
but
rather
include
each
other
and
that
separate
the
concerns.
So
what
I'm?
Calling
the
static
module
record
contains?
Just
the
static
information.
The
module
instance
contains
a
pointer
to
a
static
module
record
and
in
addition,
the
state
that
is
per
instance.
A
A
A
A
So
so
far,
all
the
steps
are
just
pure
refactoring.
No
semantic
changes,
nothing
changes,
no
extra
State,
it's
exactly
the
same
state
variables,
they're
just
relocated,
but
having
done-
and
this
could
all
be
done
as
a
separate
PR
refactoring
that
has
that
does
not
that
I
would
say,
does
need
to
go
through
consensus
process,
but
not
through
the
staging
process.
However,
given
this,
we
now
set
the
stage
for
our
next
step,
which
is
that
the
our
record,
rather
that
goes
from
being
an
internal
spec
fiction.
That's
that's
simply
a
internal
data
type
for
explaining
semantics.
A
We
now
make
it
a
first-class
exposed
exotic
object.
The
compartment
instance
becomes
an
exotic
object
with
those
same
internal
slots,
the
intrinsic
slot
I'm
just
renaming
it
here
for
expository
purposes.
That's
where
the
realm
context,
that's
what
the
realm
concept
got
moved
to,
that
is
the
shared
intrinsics
that
is
per
realm.
A
It's
the
only
part
of
this
picture
that
is
the
per
realm
state
and
we
add
to
the
compartment
the
as
the
module
map,
which
is
all
about
mapping
from
specifier
strings
to
modules,
either
static
module
records
or
module
instances
why
it
mapping
to
one
or
the
other
out
coming
back
in
and
the
hooks.
So
the
code
executing
in
that,
where
the
execution
needs
some
behavior
provided
by
a
host
hub,
will
obtain
that
behavior
by
the
host
hooks
that
are
recorded
in
that
slot.
So.
A
A
The
elements
bold-faced
on
the
right
I
relate
to
the
elements
both
based
on
the
right
or
effect
the
elements
both
based
on
the
left.
The
endowments
are
copied
onto
the
global
object
after
copying,
the
normal
global
variables,
pointing
the
shared
intrinsics
and
then
after
copying,
the
evaluators
at
Al
function,
function,
constructor
and
Department
constructor
and
then,
of
course,
these
strings
are
evaluated
in
the
context
of
the
global
environment,
providing
a
lexical
environment
that
Ally
aliases
the
properties
of
the
global
object
on
to
global
variables.
A
The
options,
especially
the
constructor
option:
well,
the
constructor
options
specifically
provide
both
the
hooks
that
get
recorded
in
the
hug
slot
and
the
spec
provides
for
this
other
host
defined
field.
In
a
our
record,
which
we're
preserving
here
pending
further
investigation
to
actually
understand
what
hosts
used
that
for
whether
we
can
unbundle
some
of
that,
but
right
now
we're
just
saying
that
the
options
can
end
up
providing
information
that
goes
into
that
host,
define
salon
to
effect
those
elements
of
houses,
behavior.
A
So
there's
a
so
there's
virtual
addresses
that
go
through
the
MMU
to
turn
into
physical
addresses
and
then
for
some
of
those
physical
addresses,
there's
already
a
physical
memory
page,
so
it
proceeds
with
no
trapping
just
by
direct
trends
and
then
for
some
of
those
there
is
no
mapping
physical
page.
So
in
that
case
it
does
cause
a
crack
which
causes
a
page
to
be
loaded.
A
So
the
analogy
that
I
want
to
make
here
is
that,
when
one
module
controls
another
the
controlling
module
determines
the
import
namespace
of
the
controlled
module
by
providing
a
mapping
from
what
the
control
module
sees
to
the
namespace
of
the
controlling
module
and
in
a
embedded
situation
where
all
the
modules
are
pre-loaded,
then
the
mapping
can
all
just
be
an
immediate
synchronous
mapping
with
no
need
for
asynchronous
delays,
because
there's
nothing.
There's,
there's
no
static
module
information,
that's
not
already
loaded
and
that
in
the
larger
web
context,
we
obviously
we
still
need
to
deal
with.
A
A
And
we
want
to
do
this
mapping
an
arbitrary
number
of
levels
deep.
This
is
where
the
the
ancestry
relationship
among
compartments
comes
in,
which
is
what
led
us
to
have
the
compartment
constructor
itself
be
created
per
compartment,
so
that
when
the
the
parent
creates
a
child,
the
module
mapping,
it
provides
maps
to
trials
names
to
the
parents
names
when
the
child
creates
a
grandchild.
It
provides
a
mapping,
mapping
the
grants,
trials
names
to
the
trials
names.
A
A
So
the
analogy
of
making
with
the
ED
with
the
MMU
only
accounts
for
the
static
module
record
portion
of
that
and
likewise
on
the
module
amount
of
parameter
here,
it
only
accounts
for
the
named
name
portion
of
that
mapping
from
specifier
strengthe
specifier
strength
in
the
case,
where
you're
just
providing
name
name
mapping
in
the
api.
Turning
into
a
name,
static,
module
record
mapping
in
the
internal
state,
an
import
of
that
module
in
a
new
compartment
creates
a
new
instantiation
of
that
static.
A
A
It's
much
of
what
Bradley
has
been
engineering
for
and
what
node
will
be
doing
and
relates
strongly
to
what
sales
force
attacks
so
the
way
in
which
that
works
starts
with
the
observation
that
static,
logical
records
are
not
a
reified
concept.
Module
instances
are
not
a
refined
concept,
we're
not
proposing
to
reify
either
of
those
in
the
apartment
API.
However,
there
is
exactly
a
one
to
one
for
modules
that
have
been
stated.
A
There
is
a
one-to-one
correspondence
between
module
namespaces
and
the
modules
that
they're
instances
up
so
in
the
API
by
providing
the
module
name,
space
object
in
the
module
mapping,
you're
saying
in
the
compartment
being
made
when
it
imports
this
name.
What
it
should
get
is
the
monthly
a
connection
to
the
module
instance
providing
this
module
namespace
object
and
then
that
becomes
the
module
instance
in
the
internal
state
of
the
bottom.