From YouTube: SES-mtg: Out of memory attacks against membranes and SES
B
This way in the project that we're working on, we receive something very similar from one of the researchers and, basically, what they do here is they have this piece of code that is supposed to run inside the sandbox, and what they do is the creative recursive function that determines the amount of functions you can stack at the end of the invocation of this function. You get a number.
B
If the thing that you are trying to call is going to be allocated in the stack, the error that you're going to get may or might not be an error that belongs to your realm that in this particular case they are overflowing with the console law, which is in this particular project, something that is a proxy of the console block from the other realm. And what this causes is that it throws an error.
B
They arrange a range error in this case telling the stack that your memory to the stack, overflow and you're going to get a reference error, or they are wrong now the attack that they were using here, but the methodology the same you over for the stack you know when this is going to happen, then you count the steps to do the overflow and then you attempt to do the overflowed on a particular operation that you know it's going to give you the error from the other realm. That makes sense of art, yeah, Curtis, okay.
B
So if this function happens to be a proxy of a function from the other realm, this function, if this function is the cleric here in this scope, nothing will happen, because the error that you're going to get is an error associated to the realm that is associated to the function that is overflowing the stack or the function that is trying to allocate the new function into the stack, either of those two. Those are the two options at this point and different browsers.
B
Additionally, if the function that you are invoking happens to be a proxy, then there are even more problems because less that the proxy identity belongs to the sandbox realm, and the target of the proxy belongs to the prom and the traps that are being invoked. In this case, the apply trap or the construct trap are also or belong to the sandbox realm. If some of these conditions happens to be false, then you might get an error that belongs to the air around.
B
The target belongs to the sandbox, and the traps belong to the sandbox and even in those situations, you have to also guarantee that if the trap is using and is doing any interaction with other realm, you have to protect against that interaction. Those are the conditions that we found are reliable so effectively.
B
If this is a proxy of a function, the shadow target of the proxy must be a function that is declared inside the sandbox and the traps of the handler for that proxy also belong to the sandbox and that's how we are able to control the stack overflow. At this point so far, so good can't excrete I, don't know if we have solved these in the past, but we have been able to successfully get away with a membrane implementation that is completely separate.
B
It seems that it's hard to do, but it's do I feel that this is the important bit it's doable, so you can create a membrane that has these characteristics and our memory are never going to affect you if the membrane is accounted for, that what we did in this project was simply saying. The thing that really relate between the two sides of the membrane is sort of a rare in history, and this register is almost no code.
B
Those are pretty much every history of WeakMaps and then the operations that you do on those WeakMaps will not overflow the stack, because the neural caddy needing function and therefore any communication with this registry is safe. But the minute you have to go and evaluate something from the other realm, you have to put a try-catch, but those are in a couple of places on it.
B
Yeah I saw that because at least the product that we were, you know the product that we are working on: a lot of people, teachers or a repertory libraries and scripts in general. No, no, no, solid module. It's going to be really hard to just go with anything that just automatically fills in that process. Is it going to be too much too aggressive effectively? What happened when that, when this fails, then you're going to throw away all the memory allocation and now the crushing day at the top, or something like that for the app.
A
Yeah yeah, it looks like for SES at least we may be looking more at metering options so that, even if the proposal made by Mark and yourself Jeff about the out of memory doesn't go through yet or isn't supported on a given platform, we may be able to do things like instrument how much stack depth is used and thereby reserve some stack for primitives to run under right. Yeah, that's your right and that we need to either protect how proxies interact or else reserve some stack written yeah.
B
Yeah, it's going to be tricky. I feel that if the membrane is well constructed and you put certain measurements there, it might be sufficient to control this problem through a membrane, but at the same time it's not trivial. It's not trivial. We spend many many weeks trying to figure out what to do here and because it's underspecified it's just a guessing game.
B
Well, at least the proxy got allocated drop in the stack, and so is the allocator. The one defines identity, and that seems to be safer in all cases that I looked at, that's my opinion, but krump seems to go with the other one like it's always about the thing that you're trying to allocate was the identity of it, and then you throw from I.
D
For the typical use cases, so we yeah what we do, which is void. We revoke to proxy when we detect that type of year, but at least it was not like we're in control and if we have been mechanism for that we're talking about for termination in overthrow them, it's inside our should covertly so it's controllable. So that's working! The other thing is we're moving away from realm to realm. So we give up evaluating everything inside a single realm, so we not gonna. Have we don't have any code down?
B
But at the same time this is very challenging because there are many cases in which you do want to get the realm ready and do operations that are host specific, like importing a marshal and such, and for that you have to either provide a set of APIs that allows you to control those operations and do fulfill them in the context of the realm known as a solid, so you're playing they as a creator of the realm, you are playing the role of the host and you are responsible for fulfilling those connections.
B
While we have another comp, a TC39 I believe that the realm should respect the host behavior and the realm is not a thing that is isolated and it's portable from one engine to another one. It's just something that is very close to specific, and we have been sort of a going back and forward about these two concepts and then these two models per se.
B
In the last conversation that we have, we have a tentative agreement on allowing both modes of operations allowing the creation of a realm that is associated to the host and then also allowing the creation of a realm that is running in isolation. It doesn't have any I/O operations that go through the host and I believe Mark was ok with this as well, and he was supportive of this.
B
Therefore, they don't have any IO, they don't have modules, they don't have anything, they are running in isolation, but you also have the ability to initialize them when they are still connected to the host, and this is the same model that the iframe uses. So when you create an iframe that you pinned it to the DOM you're basically providing host details that allow you to do I/O, like you have access to the network.
B
You have access to evaluating code inside that you're allowed to evaluate modules and such because you are, you have a host that will back it up and once you want to detach that he just removed for the dominie dogmatically gets detached from the host and therefore these iframes hanging in memory. They still can do operations, but no no. These operations can me talk to the outside world. So the model that I'm proposing is a single creation process for the realm. So you do the creation of the new realm.
B
I would get today no detached holds or something that might be. Okay, the oh, there is one more thing which is obviously, if this is true now they have to be some sort of connection between Nesta products. So is it wrong if a realm creates on our own and a pattern around, this is attached what happened bracket attached as well? Oh there! It is that's a that's!
B
This new mechanism comes with some flavors there, so we're going to figure out what the semantics is, but it seems like it's easy to implement. Why just having a way to say if you want to detach if I find all the children's or iframes, other children's are around for automatically all the other realms created out of their own automatically get at the attached as well. Right.
D
Yeah this touches something that we've noticed over the password till the specification, which is the concept of it's really underspecified, especially the realm to realm relationship you're the context. There are very very few cases where more than one realm is affecting operations as specified in the code. I can think of Reflect.construct, probably as one of the only one that I've done, where of that kind of leads to an attraction between multiple ground but other than that, there's very nothing respects father, so that exploration or that discussion. You talk about what nesting ground.
B
So it's becoming more like a watered. What are the hooks that we need for the realm itself and up to this point, I don't, I don't, I don't have any good for the realm which, if that's true, then it simplifies a few things to have to determine what the hook w14 for the realm, knowing that the run comes with a DA meaning not don't but I know.
D
Yeah that accepts what thing that we will be looking at is this concept of realm record, which can be very different forward. Plat 40 another its activity, but let's say it's a collection of slots that travel together. That happened to be created together with equator realm and not all platforms on all of the slots. Access, for example, doesn't have an intrinsic slot with their realm.
D
So when we're looking at the compartment everything that's currently, the route needs to be at a compartment level, except for differences and that's another way to say well. All of the hooks we had to look at are dealing with everything else, but the intrinsics, so maybe the only hook or the only method that you will get on the other realm will be getting physics.
C
What I'm saying is it might be useful to extract the membrane-specific parts of those or write adaptations that were that could be compared against existing membrane implementations for or let me restate that written in these other membrane implementations, so the membrane part could be abstracted out as an example. Now, if you don't want to do that, that's fine! It's just a suggestion. Yeah.
D
What all of the operations it says that are related to memory is only to isolate an execution context from the globalization context. So if we go back to the specs is to say that we're trying to emulate a global environment record within another public record, we don't use membrane for or the concept of anything similar to remember and other things.
D
So you might have, for example, mean it might not be implemented with a proxy, but you might want to inject in a new compartment and even a console that hides the real console. It can be limited with it and the expensive object that you create on the fly as you need it, you can be, it can be a proxy. It definitely ways to get there, but other than that.
D
That is not you know something, as defined in the language said. We have a deep inspector for that which will where we whitelist the properties in here we deem acceptable so they're there sno-med, brain and I believe that Jessie and I could please complete Jessie's, mostly limited by further movie and/or transpiling.
A
As far as I understand it, it's like what you're describing Vincent or Alex is a. We need to create another evaluation context that limits what globals are accessible, and this is not needed all the time, because proper Jessie code should be able to run just under SES without or with those additional globals. It just doesn't reference them, so is that kind of what you were getting at I was like as far as restricting the language subset.
A
So there's that line, there's the globals and then there's another thing I've been finding when implementing portable metering. So I want to be able to intercept calls to global endowments like that, essentially the intrinsics, with the primordial and cause them to bill against the metering when they get called. So that's the third kind of membrane that I've had a desire to make all right. So my understanding is those are the kinds of things that we would be candidates for reference implementations if they are useful in other contexts for sure.
A
I started with a read-only proxy, but the thing that discouraged me from it was when Mark analyzed it and said the problem is that the other side of the read-only proxy can mutate the objects at will. So it makes it hard to reason about things so, instead I transitioned into proxy that, instead of providing a read-only view, actually does the hardening, but it does it transitively against function return values and throwing values. Well.
A
And this capture needs the in the same way it needs the definition of a membrane which is the inside and outside or wet and dry or whatever you have, and this capture around the membrane around the protected objects and then on the outside of a protected object is a suspected object, was how I have it so forever and when, when a protected, when a protective function or within a protected object, is calling a suspected object. If it passes a protected this, then it gets intercepted and blocked.
A
So, oh crap, yes, dot net. What is it org, dot, org, Co, captious org is the discussion forum that we've been talking about various JavaScript things in relation to accounts and it might be nice to make an organization for them and how like this innit, but yeah I'll put it forward to the other folks at work and we'll see if we can make something like that. That might be good to gather up all these different projects and at least forks of them from GitHub right.