►
From YouTube: SES Compartments at TC53
Description
No description was provided for this meeting.
If this is YOUR meeting, an easy way to fix this is to add a description to your video, wherever mtngs.io found it (probably YouTube).
A
A
A
B
B
B
So
a
gorrik
is
using
SES
on
four
smart
contracts
and
you
run
it
on
WAP
train
we're
using
the
XS
machine.
We
run
it
on
solo
machines,
we're
using
node,
but
we're
waiting
roll
of
our
code
in
SES
and
making
securities
node
itself
has
been
adopting
elements
of
SDS
and
providing
that
more
direct
support
for
SES
keynote
and
it'll.
B
And
meta
mask:
there's
a
tremendous
amounts
of
money
at
stake
on
the
integrity
of
the
operation
of
the
meta
master
interface
and
then,
of
course,
there's
excess.
The
JavaScript
machine
constructed
by
model
for
for
purposes
of
embedded
and
there's
TC
53
this
organization
and
it's
the
view
from
TC
53.
That
was
really
the
clarifying
one.
With
regard
to
the
evolution
of
the
compartment
API
and
how
to
solve
the.
B
B
So
everybody
has
a
problem
that
this
slide
illustrates.
The
slide
is
automatically
generated
by
meta
mask,
and
this
is
the
package
dependency
relationship
among
the
JavaScript
packages
that
are
used
to
build
meta
mask
the
purple
dot
in
the
lower
right.
That
is
the
package
that
meta
maps
themselves
wrote
that
is
actual
meta,
mask
applications
and
all
of
the
rest
of
this
is
third-party
code.
That
is
linked
it.
But
this
is
not
unusual.
B
Npm,
where
the
upgrade
is
targeting
some
specific
victim
in
this
case
was
one
called
the
event
scream.
Instead,
we're
then
screaming
library
was
upgraded
in
order
to
attack
a
big
coin
wallet
and
steal
the
keys
in
order
to
steal
the
money
and
in
JavaScript
this
is
completely
open.
There's
there's
no,
no
realistic
ability
to
even
resist
that
form
of
attack.
B
B
Labeled
red
have
been
given
a
tremendous
amount
of
dangerous
access
enough
that,
if,
if
red
is
malicious,
you're
still
in
a
lot
of
trouble,
so
with
this,
what
the
result
of
operating
in
this
way
is
that
the
burden
of
reviewing
the
third
party
code
has
narrowed
tremendously,
and
you
start
with
the
red
dots,
and
this
is
again
metamath
interface
to
this.
When
you
mouse
over
the
adoptive
chosen
what
it
has
accessed
and
in
the
absence
obsess
in
normal
JavaScript,
you
basically
have
the
same
graph
of
all
of
these
dots,
colored
red.
B
When
we
started
in
2007
unless,
when
I
got
on
the
committee
in
2007,
the
current
JavaScript
was
atmosphere,
3
and
Agria
script.
3
was
a
tremendous
tremendously
messy
language
with
various
aspects
that
gave
kindly
non-local
scoping
that
gave
non-local
causality
traces.
It
was
just
a
complete
mess
with
regard
to
trying
to.
B
B
Eknath
script,
strict
still
has
miss
features
that
prevent
defensive
programming
that
still
don't
make
it
possible
to
narrow
your
effort
to
review
for
vulnerabilities,
in
particular
all
of
the
prime
mortals
or
the
intrinsic
options.
The
objects
that
exist
before
code
starts
running
like
object
and
Ray
and
Ray
dot
prototype.
All
of
those
objects
are.
B
Atmosphere,
including
strictly
and
everything,
shares
one
global
object
and
the
hostess
authority,
the
authority
to
affect
the
world
outside
the
house,
the
file
system
or
the
document
or
the
network
is
by
virtue
of
objects
put
on
the
global.
So
that's
that
means
that
it's
ambient
Authority
its
authority.
That
is
simply
implicitly
in
scope
to
all
code.
So
again,
any
piece
of
code
can
damage
everything
without
them.
B
And
the
important
thing
is
that,
after
all
of
these
subtractive
steps,
we
have
removed
very
very
little
of
the
JavaScript
language
standard,
the
vast
majority
of
the
JavaScript
languages,
unchanged
and
much
old
code,
much
existing
JavaScript
code
that
was
written
unaware
access
still
works.
Just
fine
under
zests
google
verified
that
in
the
Google
project
the
Salesforce
has
verified
it.
Supporting
a
five
million
developer
ecosystem
Couric's
verified
that
there's.
A
lot
of
experience
now
note
has
done
some
large-scale
experiments.
There's
a
lot
of
experience
now
that
says
that
a
lot
of
old
code
works.
B
Tc
53
brought
us
yet
another
perspective
about
drawing
these
subsets
of
relationships,
which
is,
when
you're
doing
software
for
an
embedded
device.
A
lot
of
the
things
you
want
in
the
language
during
development
time
are
not
things
that
you
need
in
the
shipping
ship
that
goes
out
with
the
device.
We
generally
try
to
remove
things
that
are
only
useful
during
development
and
only
what's
needed
to
run
in
the
in
the
shipping
product.
So
the
primary
one
is
the
ability
to
evaluate
JavaScript
strains
the
typical
embedded
device.
B
All
of
the
source
code
only
exists
up
front
during
development
time
and
once
a
ship
is
made
to
in
a
device.
It's
typically
in
the
case
that
the
that
new
source
code,
the
device
itself,
does
not
need
to
be
able
to
accept
new
strings
of
source
code
and
person
compiled
run.
So
you
save
a
lot
of
memory
by
simply
omitting
evaluators
from
the
what
I'm
calling
the
typical
TC
53
configuration.
B
Cess
as
a
whole,
like
JavaScript,
has
to
be
able
to
accept
new,
has
to
be
able
to
at
runtime
go
out
and
obtain
new
module
and
source
code
and
parsing,
compile
it
and
turn
it
into
a
module
that
it
links
together
with
other
modules
in
a
TC
typical
TC
53
configuration
all
of
your
module
source
code
again
exists,
all
built
one.
It
all
gets
precompiled
into
the
static
information,
that's
derived
by
pre,
compiling
the
model,
but
and
then
the
static
information
in
order
to
express
security
policy
or
to
create
these
protection
domains.
B
Shipping
product,
so
that's
sort
of
the
residual
functionality
that
leads
to
people
on
the
shipping
product.
It
was
very
clarifying
for
us
to
structure
those
additional
elements.
I
put
on
the
slide,
such
that
the
part
that's
in
the
TC
53
configuration
can
be
fully
functional
in
a
configuration
with
other
abilities,
have
been
omitted.
B
Full
javascript
has
a
notion
of
distinct
realms
in
the
browser
were
its
most
familiar.
Every
time
you
create
a
new
frame.
You've
got
a
brand
new
JavaScript
environment
in
these
environments
can
interact
with
each
there's
a
realms
puzzle
that
we've
been
collaborating
with
for
creating
these
things,
but
in
the
NSS
does
assume
the
realm
API
for
the
overall
SAS
use
cases,
but
again
for
the
device.
There's
really
no
reason
for
rounds
runs,
are
very
memory,
expensive
and
they're.
B
B
Many
applications
are
bundled
together
during
development
time,
bundled
together
into
one
big
file,
which
is
shipped
all
at
once,
and
then
no
further
code
does
get
loaded,
even
if
the
underlying
system
is
able
to
so
engineering
to
live
with
a
bundler
where
the
entire
bundle
gets
loaded
at
the
beginning.
The
world
again
has
a
lot
of
overlap
is,
is,
is
with
the
engineering
we're
doing
that
serves
the
typical
TC
53.
So.
B
Is
I
want
to
I
want
us
to
remember
that
there
will
be
embedded
configurations
that
do
want
to
accept
code
at
runtime,
and
that
will
be
helped,
therefore
exceed
the
green
box
and
include
some
of
the
elements
in
the
yellow
box.
But
it's,
but
it's
important
that
the
typical
one
continue
to
be
very
lightweight
and
with
very,
very
good
security.
A
A
A
B
Okay,
so
the
the
methodology
that
we've
been
engaged
in
of
omitting
things
in
order
to
get
a
more
disciplined
language,
a
more
well-behaved
language
to
better
support
security.
It's
also,
of
course,
linked
with
the
minimization
of
memory
and
the
mission
of
evaluation
in
the
TC
53
James
was
driven
by
the
need
to
minimize
memory,
but
security
and
minimizing
memory
again,
because
both
of
them
benefit.
B
B
The
thick
bi-directional
lines
are
a
constructor
and
the
Constructors
dot
prototype
pointing
at
each
other,
pointing
to
the
right,
with
the
dot
prototype
property,
pointing
to
the
left
of
the
dot
constructor
property.
The
upward
pointers
are
inherits
form,
so
function
inherits
from
functional
prototype.
B
The
global
scope,
when
code
being
evaluated,
uses
a
name
as
a
global
variable
that
global
variable
name
is,
is
aliased
to
a
property
of
the
global
object,
so
that
anything,
that's
a
property
of
the
global
object
can
be
accessed
in
that
manner
other
than
those
two,
the
other
than
that
relationship.
Nothing
else
in
this
heap
points
back
at
the
global
if
evaluation
has
turned
off,
for
example,
there's
no
way
from
the
rest
of
the
heap
to
navigate
back
to
the.
B
And
then
the
global
is
where
host
objects
appear.
Host
objects
are
the
additional
objects
that
are
not
part
of
JavaScript
they're
specific
to
a
given
host
that
are
placed
on
the
global
in
order
to
give
JavaScript
code.
In
that
context,
the
ability
to
ask
the
host
to
cause
effects
on
the
outside
wall,
in
this
case,
in
the
browser,
the
document
object
that
gives
the
JavaScript.
B
So
this
ability
can
talk
to
the
outside
world.
The
ability
to
cause
effects
on
the
outside
world
engaging
on
them
is
exactly
what
you
need
to
not
grant
by
default
in
order
to
be
able
to
get
control
over
what
powers
code
has
any
code
that
has
the
power
of
being
able
to
get
to
the
Jaime
Medoc
ument
object
can
corrupt
the
entirety
of
the
applications,
interaction
of
the
user,
which
is
pretty
bad.
B
That's
a
form:
that's
access
to
an
input
event,
so
for
both
input
and
output
for
any
direct
access
to
audio.
We
consider
that
to
be
in
special
dangerous
category,
because
the
global
object
refers
to
those
dangerous
objects,
it's
dangerous
and
because
the
eval
function
and
the
function
constructor
evaluate
code
in
the
context
of
that
global
object,
that's
dangerous!
So
what
we
do
determine
regular
JavaScript
into
Cesc.
B
Is
we
just
separate
the
heat
conceptually
into
these
two
portions
and
there's
the
shared
intrinsics,
which
we
make
completely
harmless
completely
transitively
mutable
free
of
io,
so
date
is
still
present
and
to
represent
date,
objects
to
rendering
dates
in
person,
dates
and
all
of
that
doing.
Data
arithmetic,
but.
A
B
B
Pointers
like
object
into
the
shared
intrinsics,
its
own
set
of
evaluators,
which
are
which
are
specific
to
this
start
compartment
and
the
initial
authority
that
comes
from
the
house
that
still
the
host
still
needs
to
provide
initial
authority
to
the
application.
So,
for
example,
in
the
browser,
it
might
still
provide
a
document
object
in
the
start,
but
in
this
case
we
can
say
very
strictly
that
there
really
are
no
back
pages
between
from
the
frozen
shared
and
straight
intrinsics
back
to
the
start.
Compiling
the
start,
compartment
is
in
no
way
special
and
therefore
running.
B
In
that
start,
compartment
can
start
a
new
compartment
where
the
new
compartment
has
its
own
global,
its
own
evaluators
and
otherwise
points
into
the
shared
intrinsics
in
the
same
way,
but
doesn't
have
anything
dangerous
long.
So
this
start
compartment
can
be
completely
isolated
and
you
can
create
multiple
of
these
things
that
are
completely
isolated
from
each
other.
B
But
the
the
starting
the
start
compartment
code,
the
starting
code-
can
also
granted
virtual
host
objects.
So,
for
example,
it
might
give
it
a
global
for
a
link
bulk
device,
even
if
it's
running
on
a
browser
could
still
use
this
architecture.
To
pretend
to
the
code
that
it
is
a
an
embedded
host
for
blinding
the
white
world
and
then
the
code
running
in
this
compartment
might
think
it's
running
in
a
start
Department.
They
can't
tell
it's
running
in
the
emulator
to
start
them
and
it
sees
labeled.
A
B
Constructor
has
a
dot
prototype
property
that
points
at
its
prototype
and
the
prototype
has
a
dot
constructor
for
property
that
points
back
in
its
constructor
function
over
here.
The
bi-directional
pointing
by
directional
arrow
is
between
the
function,
prototype
and
the
disabled
function
construct.
So
this
disabled
foudre
instructor
again
is
conforming.
The
language
was
linked
needles.
B
And
the
result
is
that
anybody
navigated
by
following
properties,
cannot
starting
from
frozen
intrinsic
by
the
navigation,
come
to
a
working
function.
That's
there's
no
back
pointers,
but
the
function
constructor
that
is
often
need
to
confront
the
per
department
function.
Constructor
that
works.
It
evaluates
coding
in
that
department,
but
it's
not
prototype
property,
still
points
at
the
shared
function.
A
B
B
So
we
also,
we
have
compartment
to
follow
the
same
pattern
that
we
saw
with
the
function
constructor
where
there
is
a
compartment
constructor,
her
compartment,
but
they
all
point
at
the
same:
shared
compartment,
dot,
predator
and
the
compartment.
Without
prototypes
the
constructor
property
points
that
are
disabled
compartment
construct.
B
B
It
deals
with
the
global
variable
names
being
able
to
give
different
code
different
namespaces
of
variables.
It
deals
with
the
module
importing
space.
So
when
the
code
in
one
compartment
says
import
foo,
it
can
be
given
a
different.
Then
code
in
another
compartment
is
given
it
says,
and
host
Fox,
which
is
the
thing
that
Peter
and
I
were
just
talking
about,
which
is
JavaScript
delegates
various
pieces
of
behavior
to
the
host
and
for
the
various
things
that
JavaScript
delegates
that
the
host
we
want
to
be
able.
B
A
B
This
is
the
part
of
the
API
that
gives
with
global
variables
when,
when
you
create
a
new
compartment
and
say
you
do
it
by
saying
new
compartment
that
invokes
the
compartment
constructor
with
a
set
and
the
arguments,
the
one
relative
relevant
to
the
global
object.
Is
this
first
argument
called
in
Dallas
and
that's
just
an
object
for
providing
extra
properties
like
vault.
So
then
the
start
compartment
might
created
that
new
compartment
can
dowling
it
with
the
emulated
length
it
could
have
done.
B
It
typically
would
have
done
it
by
simply
including
an
endowment
object
that
has
an
own
property
named
bold.
That
has
an
object
created
in
the
start
compartments
code,
which
is
the
simulated
like,
so
you
just
put
it
there
and
those
become
extra
global
to
become
virtual
postal
objects.
As
seen
by
the
compartment
being
constructed
from
a
compartment
instance.
B
You
can
directly
get
the
global
object
so
that,
if
your
account
so
that,
if
you're
trying
to
control
outside
you
don't
have
to
go
through
weird
machinations,
to
retain
the
wall
track
and
then,
if
evaluators
are
not
fully,
if
the
evaluators
that
are
per
compartment
are
enabled,
which
they
won't
be
in
a
typical
TC
53
configuration.
But
we're
trying
to
explain
also
how
this
fits
into
the
larger
language
is
that
you
also
have
an
evaluate
method
on
the
confirmed
instance,
which
is
much
like
the
eval
function
within
the
number.
B
But
what's
the
purpose?
Why
is
it
that
controlling
the
global
scope
is
so
powerful
and
the
way
I'd
like
to
explain
this
is
by
not
making
another
hard
work
on
the
left?
We
see.
A
relationship
are
very
used
to
in
conventional
hardware,
where
a
an
instruction
set
is
divided
between
user
mode
instructions
and
system
instructions
where
the
user
mode
instructions
are
purely
computation,
they
can't
engage
in
any
ayah.
B
They
can
do
data
arithmetic,
but
they
can't
find
out
with
the
current
data,
and
so
they
cannot
interact
with
any
devices
and
then
their
system
of
instructions
will
code
running
in
system
mode
able
to
execute
system.
Motors
functions
can
reach
those
devices,
and
there
is
a
trapping
mechanism
such
that
running
in
user
mode
when
it
when
it
does
something
that
exceeds
user
and
causes
a
trap
and
by
that
trap
enables
the
system
owner
to.
B
The
the
analog
with
JavaScript,
which
is
really
miraculous.
How
close
this
analog,
is
it's
very
rare
for
programming
language
to
have
this
pure
separation
between
the
language,
which
is
almost
completely
free
of
I/o,
and
the
host
providing
objects
that
provide
all
of
the
ayah.
The
JavaScript
has
that
separation
almost
perfectly
that's.
What
enabled
cess
to
be
such
a
pleasant
transition
in
process
can
run
so
much
existing
JavaScript.
B
So
the
analogy
is
that
the
JavaScript
language
is
like
the
user
mode
instructions.
The
the
hosts
internal
mechanisms,
including
the
devices,
are
the
I
hope
the
host
internals
itself
and
and
drop
the
JavaScript
language
provides
the
standard
means
by
which
JavaScript
code
gets.
That
gets
the
abilities
from
the
host,
which
is
lookup
a
global
object
like
document,
so
the
global
object
is
the
means
that
are
provided
for
and
on
top
of
this
architecture
on
the
Left
we
build
operating
systems.
We
have
read
operating
system
kernel
that
runs
in
system.
B
That's
written
to
use
the
system
of
instructions,
the
operating
system
kernel
each
each
operating
system.
The
operating
systems
running
on
the
same
hardware
can
differ
from
each
other.
Each
operating
system
has
own
system
call
interface,
that's
a
design
API
right
for
making
requests
in
that
operating
system
and
the
different
processes.
The
operating
system
also
separates
processing
is
to
measure
different
processes
by
using
that
system
call.
Api
are.
B
In
normal
JavaScript
there's
code,
the
code
running
in
a
row
is
just
local
code
running
an
execution
context,
but
it
only
means
the
ability
to
cause
effects
by
looking
up
host
objects
in
the
global
scope,
and
then
the
API
is
of
those
objects
or
the
API
is
designed
there
specific
to
that
host.
Like
the
browser
host
API
and
when
JavaScript
code
invokes
host
API,
it's
effectively
doing
the
system
and
by
doing
that
system
call
it
can
reach
the
external
devices
of
that
host,
like
in
the
case
of
browser.
A
A
B
B
At
the
with
regard
to
the
to
the
points
that
that
will
be
making
well
since
we're
going
to
move
towards
compartments,
the
ability
to
have
different
inquire
functions
exposed
to
different
pieces
of
code
would
actually
fit
better
with
the
the
compartment
API,
but
in
the
typical
TC
53
context.
We're
actually
not
going
to
why
I'm
Ginny.
B
And
only
do
things
with
modules,
but
you're,
but
your
point
is
still
also
valid
for
modules.
The
the
this
thing
about
the
global
object
that
was
pre
mr.
re,
but
now
that
modules
are
in
the
language
modules
themselves
that
are
important,
can
be
the
means
of
reaching
classes
and
and
will
be,
will
be
dealing
with
that
coming
up.
But
it's,
but
the
host
object
is
sort
of
the
right
conceptual
place
to
start
and
it's
historically,
what
we're
hosts
have
provided
powers.
B
B
Of
the
objects
that
are
global
to
the
realm
of
shared
intrinsics,
they're,
all
frozen
so
they're,
not
a
communications
channel
they're,
not
any
things
for
things
to
affect,
and
that
means
that
the
compartments
are
now
two
separate
units
of
isolation
and
through
the
compartment
API
we're
going
to
allow
one
compartment
the
one
on
the
top
to
instantiate
the
other
compartments
that
whenever
the
other
compartment
reaches
for
a
global,
the
global
that
it
gets
is
the
one
that's.
According.
B
And
the
result
of
this
Creek
is
the
process
on
the
bottom
is
seeing
the
illusion
created
for
it
by
the
process
on
the
top.
It
might
be
thinking
it's
running
on
a
completely
different
host
with
different
devices
that
it's
that
it
thinks
it's
control.
All
the
footage
is
just
emulated
by
the
process
on
the
top
and
likewise
compartment
to
compartment
on
the
right.
B
Showed
another
configuration
where
the
exam,
but
it
doesn't,
is
not
given
direct
access
to
the
one.
Rather
another
compartment
is
created
first,
which
is
a
light
bulb
attenuator.
That
creates
a
virtual
light,
but
that
out
of
the
physical
level
that
the
physical
light
bulb
might
blink
so
fast
that
it
causes
seizures
and
the
the
app
sometimes
let's
say
accidentally
or
on
purpose.
Does
that
or
they
happen
more?
B
Interestingly,
the
app
has
a
vulnerability
such
that
a
third
party
can
corrupt
it.
So
so
that
would
do
that
or
whatever,
for
whatever
reason
you
cap
is
using
the
light
bulb,
you
know
in
a
fully-featured
way
and
you'd
like
to
restrict
it.
So
we
can
impose
this
attenuator
that
creates
a
virtual
and
passes
through
a
subset
of
the
requests
or
some
limitation
requests.
B
B
A
B
A
A
B
The
part
of
it
is
this
other
argument
to
the
constructor,
which
is
called
a
module
map
that
maps
from
names
names
of
modules,
as
might
be
mentioned,
in
an
import
statement
in
the
code
being
controlled,
which,
let's
call
it
the
trial
compartment
mapping
that
into
a
name
of
the
parent
Department.
So
right
now,
I'm
only
going
to
talk
about
the
name
to
name
the
mapping
and
I'm
going
to
leave
aside
be
named
to
module
space.
B
Now,
if
the
German
focus
is
it
maps
from
name
either
to
name
recognizer,
go
to
the
string
virtual
module
namespace,
whose
significance
on
describe
river
and
there's
a
to
get
this
code
running
in
the
compartment?
You
have
to
start
the
code.
Somehow
so
there's
a
import
now
and
an
asynchronous
import
both
it
would
conceptually
do
the
same
thing
just
they
differ
in
terms
of
when,
when
it
happens,
I'm
only
going
to
talk
about
the
synchronous
import
now.
A
B
You
give
it
a
module
name,
it
needs
to
be
a
modern
name.
That's
in
the
important
aim,
space
of
that
compartment
and
it
actually
you
initialism,
instantiates
and
initializes.
That
involves
also
creating
the
full
instantiate
initialize
for
everything
that
it's
synchronous,
imports
and
then
returns
theme.
What's
called
a
module
name,
space
object
as
a
result.
B
B
So
operating
systems
enabling
one
process
to
control
another
process
doesn't
just
do
it
through
a
trapping
mechanism.
The
MMU
mapping
virtual
addresses
to
physical
addresses.
Well,
when
there
is
a
physical
page
in
there,
when
the
page
already
a
physical
page
of
rennes
there's
it
doesn't
track
through
the
adjust
the
MMU
just
translates
address
to
address
and
the
and
the
memory
lookup
proceeds
at
full
speed,
and
then
it's
only
for
for
the
addresses
that
don't
correspond
to
pages
that
are
currently
loaded.
B
B
Is
that
the
child
specifier
specifiers
just
expect
her
for
a
module
name
as
blake
initiated
an
important
state.
I'm
purposely
skipping
some
details
here,
I'm
clear
on
much
later,
but
the
specifier
isn't
the
name
of
a
module
in
an
import
statement.
If
it's
running
in
the
context
of
the
child
compartment.
B
A
B
A
A
B
A
A
B
So
to
explain
the
actual
semantics
of
all
of
this
module
mechanism
I'm
going
to
do
it
in
terms
of
the
state
of
that
that
is
in
the
atmosphere
spec,
they
had
the
various
state
variables,
but
I'm
not
going
to
do
it
as
organized
by
the
current
atmosphere
spec,
because
the
current
organization
of
those
state
variables
in
two
different
record
types
in
order
to
explain
the
semantics.
These
are
purely
internal
record
types,
just
explanatory
I'm
not
exposed
in
the
API.
B
So
we
can
refactor
this
to
move
things
around
into
a
different
internal
explanation
without
affecting
the
semantics
of
all.
This
sets
us
up
to
explain
better
the
semantics
that
we
want.
The
other
thing
is,
and
this
is
I
want
feedback.
Computer
Patrick
is
that
the
new
factor,
I
believe
also
explains
what
implementations
actually.
B
That's
the
module
static
record,
and
that
would
be
the
thing
that
you
put
in
ROM
that
results
from
having
that
source
code
analyzed
at
Delta,
then
there's
the
module
instance
where
you're
going
to
multiple
instances
of
the
same
static
record,
and
that's
like
you-
have
multiple
closures
or
function:
objects
per
function,
expression,
source
code
for
multiple
instances
of
the
class,
same
kind
of
relationship
for
a
given
module
static
record.
You
can
have
multiple
instances,
and
so
the
green
fields
are
the
ways
in
which
one
instance
can
differ
from
another.
B
And
then
the
module
instantiation,
which
are
the
red
fields,
gather
those
together
into
the
separate
module
instantiation.
That
police
act,
the
module,
doesn't
start
that
his
purpose
model
initialization.
Those
fields
are
only
relevant
during
the
process
in
which
a
module
or
graph
is
being
instantiated
linked
together
and
initialized,
and
once
you
have
a
fully
initialized
graph
of
modules.
None
of
that
red
information
is
relevant
anymore,
so
you
can
drop
it.
And
that
means
when
you're
reasoning,
about
a
instantiated
set
of
modules.
You
can
you
can
simply
not
reason
about
the
red
field.
B
A
A
B
B
And
JavaScript
has
two
kinds
of
code
that
evaluate
so
the
column
on
the
Left
explains
how
modules
evaluate
how
modules
execute
and
the
abstraction
on
the
right
is
just
a
renaming
of
the
existing
JavaScript
abstraction
which
for
parallelism
calling
the
script
instance.
But
this
explains
how
non
module
code
evaluates,
and
the
important
thing
is
that
the
analogy
between
these
two
things
to
explain
evaluations
quite
strong,
so
that
all
the
mechanisms
that
that
that
that
help
us
explain
and
refactor
evaluation
on
the
Left
the
result
applies.
A
B
B
A
B
So
we're
going
to
take
this
explanatory
abstraction
of
the
realm
record
and
turn
it
into
the
reified
abstraction
of
the
compartment.
So
a
compartment
instance
is,
is
now
an
object
exposed
to
JavaScript
created
by
the
implementation
that
has
these
internal
fields,
the
internal
fields,
the
double
square
bracket.
That
means
these
are
not
properties
exposed
to
JavaScript.
These
are
internal
things
that
the
built
in
methods
of
compartment
can
operate
on.
So
it's
how
you
explain
the
behavior
of
the
built
in
methods,
but
then
other
JavaScript
code
can
only
invoke
those
built-in
methods
to
cause
it
cause.
B
So
so
these
are
the
the
fields.
Here
are
the
same
fields
shown
in
Rome
record,
but
I
added
two
more
there's
I
added
at
the
module
map,
which
is
the
thief,
the
thing
that
enables
us
to
have
a
per
compartment
import
namespace,
so
the
global
object
and
the
global
end
of
the
global
environment.
As
the
thing
that
gives
us
a
per
compartment
global
namespace,
the
module
map
gives
us
a
per
compartment
import,
namespace
and
then
the
host
field
gives
us
per
compartment
host
books.
B
B
Now
that
we've
got
the
internal
state
of
the
actual
compartment
object,
let's
now
see
how
it
corresponds
to
our
API
that
those
elements
of
the
API
and
bold
on
the
right
are
are
about
the
build
faced
internal
variables
on
the
left.
The
global
end
of
global
environment
is
the
means
by
which
global
variable
references
has
become
alias
to
properties
on
global
object,
and
the
global
object
is
the
value
of
the
global
theft's.
The
endowment
gets
copied
on
through
the
global
one
in
the
transition
and
evaluation
runs
in
scope.
B
B
And
the
options
objects
we
added
to
the
we
had
to
both
the
evaluate
and
the
compartment
constructor
an
options
bag.
We
did
it
to
the
evaluate
sorta
vising,
just
in
case
there's
options
there.
We
want
her
evaluation,
we
currently
don't
have
any,
but
well,
you
can't
add
an
options
bag
to
the
existing
evaluators.
So
this
seemed
like
a
good
opportunity
to
reserve
space
for
that,
but
the
important
one
is
the
options
bag
on
the
compartment
constructor,
because
it's
options
in
that
options,
bag.
That
is
how
the
creating.
B
B
A
B
So
when
code
within
a
directory
says
import,
dot,
dot,
slash
food
and
it's
climbing
out
of
the
directory,
you
need
some
way
to
handle
sort
of
the
the
algebra
of
the
slash
one.
But
you
don't
want
to
build
that
in
to
the
angel.
It's
not
built
into
the
spec.
So
this
is
the
general
hook
that
gives
you
the
ability
to
handle
that,
and
it
gives
you
and
the
same
book
gives
the
ability
to
load
code
dynamically.
B
B
B
What
I've
explained
is
the
mapping
from
name
static
module
worker
where
the
static
module
record
gets
separately
instantiated
inside
each
module
that
addresses
I
realized
in
that
explaining
the
next
step.
The
module
instance
is
I
think
best
put
aside
to
later
talk
unless
you
know
Patrick
Mills
to
explain
it,
which
would
be
wonderful,
but
I
decided
that
at
this
point,
having
explained
this
much
and
pointed
at
the
part
that
remains
to
be
explained
now
take
questions
and
I
can
turn
off
recording
first,
if
you'd
prefer
I'll.
B
The
refer
is
the
name
of
the
module
doing
the
important.
So
if
let's
say
that
you
have
a
module,
foo,
that's
nested
inside
a
subdirectory
and
then
the
module
food
says
import,
dot,
dot,
slash
bar
so
now
in
order
to
know
how
to
interpret
the
dot
dot.
Slash
bar.
You
have
to
know
that
it
was
foo
importing
it
because
if
nowhere
in
the
directories,
if
it
was
something
that
was
hired
up
in
the
directory
tree-
and
it
said
the
same
name,
you
would
interpret
dot
dot
slash
two
differently.
B
B
You
don't
need
for
any
other
reason
to
there's,
there's
no
dynamic
or
if
there's
no
dynamic
loading,
then
something
that
goes
from
specifier
and
referred
to
specify
would
be
perfectly
adequate
and
in
fact
we
went
through
that
as
a
step
towards
getting
so
you
could
do
the
same
kind
of
thing,
we're
doing
up
here
or
the
kind
of
thing
we
doing
over
here,
which
is
you
could
say
this
is
mapping
to
the
name.
Worse,
I,
don't
know,
that's
a
good
idea
latest
invention,
still
persists,
least
least.
A
A
B
B
A
A
A
B
Api
that
provides
such
things
necessarily
will
not
fully
impact.
In
order
to
accomplish
the
uses
needs
to
accommodate
is,
and
the
API
tells
you
what
are
the
names
it
imports
and
what
are
the
names
of
excellence
so
that
you
can
write
an
algorithm
that
processing
only
static
module
records
that
follows
the
important
names
to
figure
out
what
other
account
alone
to
create
other
static
model
records,
so
they
can
create
the
entire
sequence,
dependency
cream
of
static
model
records,
or
do
that
it
has
to
know.
A
B
A
B
B
B
What
we've
been
calling
pure
and
then
do
a
lot
of
our
wiring
among
instances
through
progenitor,
genuine
parameter
as
well.
The
reason
why
this
is
all
needed
is
that,
with
business,
we
still
get
to
run
a
tremendous
amount
of
existing
JavaScript
code.
If,
if
we
did
not
have
been
going
to
provide
Authority
for
initialized
time
in
a
way
that
we
can
isolate
and
separate
and
multiple
instantiating,
we
didn't
have
that
ability.
If
we
can
only
run
pure
executor
modules,
then
there
would
be
essentially
no
pre-existing
JavaScript.
A
A
B
So
that's
what
I
would
recommend,
but
I'm
not
an
embedded
device.
So
let's
just
take
that
as
a
naive
recommendation
to
then
get
feedback
from
all
the
rest
of
you
at
TC
53.
If
there
are
embedded
credits
that
argue
against
that,
for
example,
if
it
creates,
for
some
reason,
more
memory
pressure
than
doing
it.
This
way,
which
doesn't
seem
likely
but
does
seem
possible.