►
From YouTube: Extremely Modular Distributed JavaScript
Description
Vision talk at July 2017 TC39 Meeting
Watch this or https://www.youtube.com/edit?o=U&video_id=YQFPAyCgOlI
In this one you can hear the questions and see the speaker. The other has sharper images and smoother animation.
B
And
the
goal
one
thing
working
on
I'm,
calling
here
extremely
modular,
distributed
JavaScript,
but
the
vision
that's
driving
me
towards
the
goal
is
the
vision
of
networks
of
cooperative
computation
that
span
the
world.
The
world
out
of
the
world
has
always
consisted
of
networks
of
interaction
among
potential
adversaries,
and
the
progress
of
civilization
is
largely
the
discovery
of
institutions.
B
So
what
about
cooperating
with
programs?
Well,
once
upon
a
time
when
users
wanted
to
run
programs
that
did
useful
work
for
the
users,
they
would
run
applications
on
traditional
operating
systems
and
those
applications
could
do
many,
many
good
things
for
them.
They
were
very
rich,
but
at
the
price
that
they
could
also
do
many.
Many
things
to
them
for
a
user
Rand
solitaire
solitaire
has
allowed
by
the
operating
system
to
delete
all
of
the
users.
B
B
We
also
compose
programs
together
so
that
they
can
cooperate
to
give
us
ever
greater
functionality,
but
as
we
compose
programs
together
rather
than
cooperate
or
in
addition
to
cooperating,
it
might
destructively,
interfere
with
each
other,
and
this
propensity
for
destructive
interference
limits
the
scale
at
which
we
can
successfully
compose
programs
and
derive
greater
benefit,
for
example,
in
shared
memory.
Multitrader
the
currency
realm.
B
If
the
individual
components
do
enough,
locking
that
they
can
be
confident
they're
maintaining
their
safety,
they
often
do
so
with
the
price
of
inducing
deadlock
under
composition.
If
they're
stingy
enough
of
walking
to
avoid
deadlocks
dangers
and
ensure
progress,
they
often
do
so
as
the
danger
of
their
consistency.
B
Yeah
software
engineering
studies,
accidental
interference,
bugs
and
tries
to
reduce
both
their
frequency
and
their
severity.
Computer
security
studies
again
Frank
reduce
both
their
frequency
and
severity.
But
why
should
we
care
whether
the
funds,
whether
the
interference,
is
accidental
or
intentional?
B
Progress
of
computer
science
has
not
removed
the
needs
to
create
off
functionality
and
safety,
but
it's
been
a
discovery
over
time
of
modularity
mechanisms,
abstraction
mechanisms,
arrangements
and
patterns
that
have
given
programs
more
more
opportunity
to
cooperate
safely
at
less
risk.
It
has
lifted
the
trade
off
the
curve
so
for
the
same
level
of
safety
to
get
more
functionality
for
the
same
level
of
functionality.
B
As
we've
done
that
on
this
committee,
every
step
that
we've
taken
in
that
direction
has
had
payoffs
I
started
in
the
days
of
Atma
script
3,
we
introduced
Atmos
script,
5
strictmode
as
a
major
cleanup
of
language
to
find
a
sub
language
and
enforceable
sub
language
in
which
much
of
the
old
crap
was
left
behind
we're
subtractive
the
step,
4
Standards
Committee
in
pursuit
of
truth
and
absolution.
We
first
prepared
the
lexical
scope
so
that
closures
could
be
genuinely
encapsulating
all
the
way
up
to
today.
B
B
Proxies
and
weak
maps
are
a
mechanism
to
virtual
other
objects
by
transparently
intermediating
between
them,
giving
us
a
whole
host
of
ways
to
emulate
variants
properties
have
template,
literals,
give
us
a
way
to
employment,
avoid
injection
hazards
and
the
promises
that
we
have
derived
very
correctly
from
the
promises
in
my
language,
which
were
designed
both
to
support
distributed
computation
as
well
as
manage
local
asynchronous.
So
far,
our
JavaScript
we've
used
them
very
very
effectively
for
local
asynchrony,
but
the
design
remains
one
that
accommodates
distributed
computation.
B
B
Urgent
engine
is
a
very
good
example
of
what
it's
good
for
earth
engine
Google
Earth
engine
is
an
application
framework
built
to
accept
third
party
plugins
that
add
value
such
as
geospatial
computations
Earth
engine
once
that
an
intimate
interaction
with
those
plugins,
so
it
opens
up
an
8,
an
object.
The
object
API
for
interacting
with
the
plugins,
but
the
pluggers
may
be
fallible.
They
might
be
buggy
in
my
own.
Durable
earth
danger
wants
to
protect
its
own
integrity
against
flaws
in
those
plugins.
B
B
B
B
So
how
do
these
systems
protect
against
destructive
interference?
What's
the
nature
of
the
destructive
interference,
we're
trying
to
protect
against
so
largely
it's
coupling
through
state
changes,
one
component
modifies
a
state
in
a
way
that
that
violates
the
assumptions.
This
leads,
confuses
and
other
components,
and
you
can
see
coupling
as
coming
as
degrees
of
coupling
is
being
on
a
spectrum
at
the
top.
We
have
systems
with
no
modularity
at
all,
in
which,
potentially,
everything
is
coupled
with
everything
else.
B
When
something
goes
wrong,
you
have
no
idea
why
it's
very
hard
to
crack
down,
so
we
can
take
those
off
the
table
at
the
bottom.
We
have
systems
that
have
no
coupling
because
they
have
no
state
or
or
in
general,
because
they're
solving
some
other
problem,
not
the
problem
that
requires
wrestling
with
stake
and
coupling.
B
So
you
take
those
up
on
the
second
line.
We
have
the
practice
of
modularity
that
teaches
us
how
to
create
loosely
coupled
systems
at
no
loss
of
functionality
and
what
I
mean
by
extreme
modularity
is
to
practice
the
principle
of
least
come
on,
which
I
mean
if
syste
least
coupling
is
the
least
coupling
needed
between
the
components
for
them
to
achieve
the
desired
functionality
and
no
more
coupling
in
that
that's
a
limit.
The
principle
of
these
coupling
is
to
try
to
approach
that
limit.
You'll,
never
reach
it
that
it's
trying
to
approach
that
limit.
B
So
in
the
spatial
realm
we
started
with
the
von
Neumann
machine.
Davon
Lymon
address
space
abstracted
so
to
speak
by
C,
MC
Plus+,
in
which
you
have
this.
You
have
this
undependable
nightmare,
where
everything
can
step
on
everything
and
when
something
goes
wrong.
Good
luck,
trying
to
figure
it
out,
so
we
can
take
that
off
the
table
at
the
bottom.
B
B
The
second
row
are
the
systems
that
point
the
way
forward:
the
memory
safe
languages
like
Java
and
JavaScript,
which
the
effective
distance
when
something
goes
wrong.
You
have
a
hope
of
figuring
out
when
to
the
debugger
and
object
capability
systems
like
SES
are
trying
to
take
that
principle
and
amplify
it
in
order
to
give
you
more
reliable,
local
reasoning,
so
that
things
are
much
less
able
to
interfere
with
each
other.
Essentially,
by
extending
the
pole,
the
memory
safety
part.
E
B
So
in
Haskell
there
are
ways
to
model
state
there's
a
lot
of
different
ways
to
model
state,
maybe
SDM
stuff
came
from
Haskell
hospital.
Of
course,
monads
is
the
way
to
model
state,
but
the
problem
is
once
you're
modeling
state
now
you've
got
you're,
essentially
defining
a
new
level
of
abstraction
and
all
these
issues
reappear
in
terms
of
what
is
the
logic
of
the
state
that
your
model,
what
is
the
logic,
you're
bringing
and
that's
essentially
doing
language
design
on
top
of
hassle
hospitals,
great
materials?
B
In
which
there
is
no
inter
leading
of
changes,
there's
no
concurrency
to
speak
out,
so
there's
no
possibility
of
destructive
interference
by
the
timing
of
it.
If
you
label
at
the
top,
we
have
shared
memory.
Monkey
threading
systems
like
Java
and
key
threads,
which
in
the
temporal
realm,
is
as
much
of
a
debugging
disaster
as
the
bomb
of
the
address
space
was
in
the
spatial
roll
you're
starting
off
with
maximum
possible
interleaving,
a
finer
grain
even
than
instructions,
and
then
you
introduce
this
locking
mechanisms
that
very
very
few
people
can
learn
how
to
use
effectively.
B
In
order
to
control
that
interlink.
We
can
take
that
up.
On
the
second
row.
We
have
systems
that
point
your
way
forward.
The
shared-nothing
systems
like
Erlang,
rust
and
honey,
to
give
us
the
ability
to
do
local
reasoning
in
the
communicating
event
in
systems
which
are
shared
nothing
systems.
But
in
addition,
the
atomicity
of
turn
enables
us
to
engage
in
a
form
of
transactional
reason
in
JavaScript
itself
has
always
been
a
communicating
event.
A
new
system.
B
A
B
B
We
have
the
assets
that
are
at
risk
to
exploitation
of
a
flaw
in
any
of
those
agents,
the
resources
that
can
be
damaged
and
well
integrating
over
the
probability
of
an
exploitable
flaw
together
with
the
damage
that
might
result
from
explaining.
It
gives
you
a
good
first
approximation
of
expected
risk.
B
So,
to
reduce
risk,
what
we
want
to
do
is
hollow
out
the
attack
surface,
so
some
of
the
early
operating
systems
like
IPS
at
MIT,
it
multiplex
the
computer
among
multiple
users,
but
had
absolutely
no
protection
whatsoever.
Everyone
could
mess
up
everything.
The
attack
service
was
complete
operating
systems
early
on
discovered.
The
idea
of
the
separate
user
accounts
with
inter
account,
protection
in
which
LMS
withheld
stuff
guard
could
mess
with
barbed
stuff,
Duncan
vessel
of
style
and
first
share
some
of
her
stuff
with
Ellen
and
everyone.
B
Stuff
was
vulnerable
to
a
bug
in
the
kernel
or
the
root
account
and
I'm
going
to
cause
that
call
that
component
of
systems
the
TC
beamed
across
the
computing
base,
which
is
the
component,
that's
responsible
for
doing
the
division
of
these
rights,
which
it
has
above
places
all
the
rights
that
it
is
supposed
to
divide
that
risk.
Now.
B
B
B
The
browser
enables
my
dog
to
run
different
pieces
of
code
on
his
behalf,
each
of
which
were
given
different
access
to
different
resources
and
Doug's
on
the
Android
and
iOS
purity
model
enables
gun
to
install
apps
and
given
their
purchase
rights
to
his
stuff,
but
those
but
the
component,
the
browser
or
the
desktop
that
multiplexes
them
all
of
that
stuff
is
still
vulnerable
to
that.
Can't
do
anything
about
that.
Let's,
let's
zoom
in
on
the
cat
mail,
app.
B
If
the
cat
mail
app
is
written
in
C
or
C++,
and
any
resource
given
to
the
cap,
mail
app
as
a
whole
is,
is
vulnerable
to
any
bug
anywhere
in
an
Academy
level.
But
if
kept
mail
is
written
in
a
memory,
safe
language
are
better
than
object
capability
languages.
Then
we
have
reduced
vulnerability.
That
there's
a
point.
B
We've
taken
a
stick
from
defensive
programming,
where
we
hollow
out
the
attack
surface
here
and
there
as
opportunity
presents
to
defense
in
depth
where
we
systematically
hollow
out
the
attack
surface
and
every
scale
of
composition,
and
by
doing
it
every
scale
of
conversation,
you
get
a
multiplicative
benefit.
If
at
each
scale
we
can
remove
half
of
the
attack
surface,
then
the
aggregate
attack
surface
is
1/2
times
1/2
times,
1/2.
B
Now,
given
these
overall
goals,
why
pursue
them
in
JavaScript?
Well,
the
obvious
answer:
there's
evic
wa
t,
but
what
will
surprise
many
computers
latest
is
that
javascript
is
actually
technically
superior
than
other
by
the
available
dimension
platforms
on
a
whole
variety
of
dimensions,
and
most
of
these
go
back
to
es
3.
We
move
to
focusing
on
to
javascript
ethics
as
a
separation.
That
is
almost
perfect
analogy
for
the
separation
between
user
mode,
computation
and
system
of
computation.
B
B
So
when
a
JavaScript
object
calls
a
host
object,
it's
effectively
doing
the
system,
law
and
authority,
reachable
only
by
scope.
The
only
way
JavaScript
object
gets
initial
access
to
a
host
object
is
by
looking
up
a
name
in
the
global
scope.
So
if
you
can
intervene
on
that,
namespace
lookup,
you
stand
in
a
perfect
position
to
censor
or
virtualize
all
accesses
to
the
outside
world.
Ok,
so
that's
why
javascript?
B
Why
distributing?
Let's
go
back
again
to
the
early
web
in
the
original
web,
the
browser
only
displayed
passive
HTML
pages
and
all
interaction.
The
user
is
when
the
user
would
click
on
a
link
or
a
button.
It
would
send
a
message
to
objects
on
the
server
we
calculate
a
new
HTML
page,
which
they
return
to
the
browser.
B
The
Ajax
revolution
was
the
revolution
of
mobile
code
has
protocol
where
the
servers
will
also
return,
coveted
to
the
browser
explaining
to
the
browser
how
to
interact
with
the
user
and
the
objects
of
the
browser
could
send
these
synchronous
messages
back
to
objects
on
the
server
through
xhr
and
servers.
Now
they
can
imitate
browsers
to
other
servers
bringing
about
the
world
of
web
services.
The
same
origin
policy
attempted
to
restrict
the
communication
pathways
to
the
one
show.
B
However,
programmers
have
so
much
need
to
communicate
on
the
other
pathways
that
they
found
various
browser
bugs
which
they
then
exploited
the
massive
numbers
such
that
those
browsers
and
bumps
became
entrenched
and
written
into
web
standards.
Those
have
since
been
replaced
with
better
web
standards
to
enable
communication
on
one
of
the
other
paths.
B
Is
simply
achieving
the
world
objects
and
event
loops,
sending
messages,
asynchronous
messages,
the
objects
and
other
event
loops.
So
if
we
abstract
over
the
differences
in
these
transports,
the
way
the
queue
connection
library
calls
where
to
you
connection,
let's
an
object.
In
one
event,
we
hold
a
remote
promise
to
an
object
in
another
event,
allowing
at
the
object
level
to
delivery
of
asynchronous
messages,
realizing
the
the
other
half
of
the
goals
of
the
promised
design
that
we
have
now.
B
These
objects
and
the
event
loops
that
they're
inside
of
themselves
run
in
various
hosts.
What
are
these
hosts
when
I
joined
the
committee?
There's
really
only
one
host?
That
was
a
central
concern
committee,
which
was
the
browser's
bean
app
also
have
had
servers
as
a
separate
concern
to
the
committee,
largely
through
largely
because
of
MAS.
B
First
of
all,
theorems
solidity
language
is
already
recognizes,
JavaScript
like
and
was
clearly
inspired
by
JavaScript,
but
all
the
rest
of
these
projects
that
I
list
here
our
systems
using
javascript
itself
in
this
world,
I'm
going
to
focus
on
them
to
my
own
doctor,
says
system
which
is
distributed.
The
zillionth,
secure,
Eggman
script,
adding
the
distribution
and
resilience
to
SDS
and
Jorge
is
gravity
project
which
built
on.
B
This
is
a
substantial
smart
contract.
Written
in
doctor
says
it
brings
about
an
escrow
exchange
between
neutrally
suspicious
parties.
It
deals
this
one
piece
of
code
really
just
this
one
piece
of
code
when
running
on
the
doctors,
s
platform
deals
with
mutual
suspicion
issues
among
objects,
a
mutual
suspicion
issues
among
communicating
machines
and
deals
with
the
distributed
systems,
failures
that
are
inherent
in
distributed
computation
and
the
reason
I
can
write
this
in
one
page
of
the
easily
explainable
code
is
by
leveraging.
B
The
extremely
modularity
of
the
doctor
says,
platform
doctor
says,
was
conceived
to
run
cut
the
contracts
on
the
box
from
is
the
contract
where
each
box
here
is
a
separate
physical
machine
and
the
contract
and
contracts
running
on
the
contract.
Those
bands
between
coordinating
physical
machine
since
I
originally
conceived
this
world
has
not
been
willing
to
accept
a
mutually
trusted
third-party
machine
as
a
currency.
A
short
so
today
the
currency
issuers
of
interest
are
things
like
Bitcoin
and
areum.
B
If
you're
in
case
on
the
right
miners,
the
etherium
miners
synthesize
through
virtual
ethereal
machine
like
consensus
among
them,
so
the
theory
machine
and
their
shared
ball
and
in
case
of
a
theory-
that's
a
general-purpose
virtual
machine
that
can
run
arbitrary
computation.
So
what
many
people
are
doing
is
move
treating
using
it.also
as
the
contract
cuts
moving
the
contracts
that
they
run
on
the
etherion
machine.
But
in
so
doing
they
sacrifice
privacy.
B
What
happens
on
the
experience
to
everyone
and
they
create
a
huge
scaling
problem,
because
the
whole
world
is
competing
to
be
the
next
instruction
of
the
sake
of
the
synthesizer
theory.
Machine
dead,
pork
is
doing
is
by
letting
Alison
Bob
run
appropriate
instrument
to
JavaScript
systems.
Is
they
can
synthesize
privately
between
them?
A
doctor
cess
machine
which
can
then
interact
cryptographically
with
the
rest
of
the
world.
B
B
One
of
the
one
of
the
problems
with
the
cue
connection
library
is
it
has
to
it-
has
a
distributed
storage
management
problem.
It
causes
the
lack
of
we've
references,
one
of
the
reasons
that
I'm
very
interested
in
moving
the
references,
so
I
mean
I,
can
go
on
and
on
about
the
various
different
proposals,
but
altogether
the
proposals
for
that
that
would
advance
us
along
this
trajectory
again.
Each
time
have
many
other
payoffs
and
the
argument
support
the
proposals
are
also
included.
Quite
the
motivations
from
many
of
the
other
payoffs,
as
well
as
advancing
this
agenda.
B
Each
kept
hidden
by
you
or
giving
beautiful
statement
primordial
becomes
a
security
night
for
this.
For
this
directions
and
in
general,
one
of
the
reasons
why
I've
been
so
religious
about
attending
virtually
every
meeting
of
this
group
over
the
last
ten
years
is
to
catch
situations
where,
as
where
some
proposal
would
accidentally
blow
one
of
the
security
properties
in
the
JavaScript.
Making
this
thing
harder.
B
One
of
the
things
that
we
desperately
do
need
to
do
and
I
have
done
way
too
little
about
how
to
repair
that
is
to,
instead
of
just
being
the
Guardian
with
with
the
invariance.
Only
in
my
head
is
to
do
what,
but
you
know,
Tom
Ben
cut
something
with
the
property
in
there
is
to
actually
state
what
the
invariants
are.
That
must
not
be
broken,
and
I
certainly
need
to
do
a
lot
more.
A
C
But
the
ecosystem
has
been
doing
some
of
that,
especially
with
iOS,
and
the
net
result
is
that
things
become
very
known
programmable.
So
you
can't
script
your
mail
application
anymore,
because
scripting
allowing
scripting
in
your
mail
application
would
expand
the
matrix
of
who
can
mess
with
what.
So
what
do
you
have
an
answer
to
that?
Yes,.
E
B
B
Yeah
this
is
this,
is
the
JavaScript
component
to
comm.
Scs
is
now
part
of
modern
kaha
college.
Basically,
the
JavaScript
component,
combined
with
D'amato
for
securing
the
browser,
API,
and
so
the
modern
browser
is
D'amato
plus
SDS.
On
older
browsers,
it
was
the
motto
plus
the
es,
5
BBS,
3
translator.
We
actually
had
this
very
expensive
translator
back
to
ps3,
then,
indeed,
the
es
5
semantics,
including
all
the
emulation
of
property,
descriptors
and
all
the
enforcement
mechanisms
of
property
descriptors
and
despite
the
expense
of
that
abstract,
used
it
for
years
than
the
reason.
B
The
motivation
was
exactly
to
enable
scripting
of
applications,
the
extending
of
their
functionality
by
scripting
that
still
be
able
to
control
what
authority
was
given
to
what
script.
The
reason
why
App
Engine
is
no
longer
using
it
is
because
the
es
3
es
5
es
3
translator
had
lots
of
costs,
especially
something
especially
startup
cost.
Then
they
have
to
do
this
rather
gargantuan
visualization
environment,
but
I
very
much
believe
in
principles
that
they
demonstrate
and
with
this
stuff
being
support
better,
we
can
regain
those
principles.
B
Once
again,
Earth
engine
is
being
extended
by
people
writing
scripts.
You
can
use
plugins
for
being
plugged
into
Earth
engine.
The
trip
engine
is
intimately
interacting,
while
still
protecting
itself
right.
Likewise
itself
course
Salesforce
courses.
They
can
get
another
demonstration
that
you
can
have
extensibility,
adding
value.
Pies
clerk
parties
writing
code.
Adding
value
to
the
framework
is
still
allows
human
interaction
to
gains
from
that
with
protection.