►
Description
This week, Alex discussed his idea to add Promise.allProperties to the language, concluding that a Promise.allEntries might be a suitably general foundation for shallow object and Map resolution. We discussed invariants that the language must or should preserve to avoid introducing zero-day exploits to lockdown shims in the wild.
A
All
right
welcome
to
the
assess
meeting
today's
agenda
is
that
we're
going
to
briefly
discuss
whether
this
this
group
has
anything
to
say
about
promise.all
properties,
we've
scheduled
where
we
will
schedule
a
conversation
about
realm
revocable
for
a
future
meeting.
You.
A
Yes,
all
properties
is
what
what
what
alex
has
put
on
the
agenda
so
so
we'll
we'll
start
off
with
clarifying
what
that
is,
and
next
week
we
have
a
packed
agenda.
The
first
half
of
our
meeting
is
we
have
invited
guests,
the
proponents
of
module
assertions
to
discuss
the
enforceability
of
module
assertions
and,
and
then
the
second
half
we're
meeting
with
jordan,
and
hopefully
we
can
send
a
reminder
so
that
all
of
that
stays
on
the
rails.
A
So
today,
let's
start
with
discussing
alex's
topic
of
promise.all
properties
alex.
Can
you
start
with
recapping
what
the
pro,
what
the
proposal
is.
C
I
certainly
can
so,
basically,
I'm
sharing
an
email
thread
that
I
started
a
couple
months
ago
in
the
ses
strategy-
email
list.
C
Basically,
when
I
was
looking
at,
I
saw
some
code
that
came
across
my
screen,
where
we
would,
we
would
be
defining
an
object
in
an
asynchronous
function,
but
we
would
have
to
await
individual
properties
and
that
bothered
me
it's
not
how
promises
are
should
be
used,
it's
legal,
but
it's
not
the
way
that
asynchronous
operations
should
happen.
What
would
happen
is
you'd
have
to
wait
for
the
shape
property
in
this
example,
and
then
the
color
property
and
then
the
mass
property.
C
So
I
I
got
to
thinking
it'd,
be
a
really
good
idea
to
add
a
promise.all
properties
function,
a
a
static
function
to
the
language,
wherein,
if
you
wanted
to
await
all
of
those
in
a
promise
to
all
like
context,.
C
Having
that
built
into
the
language
would
probably
be
a
good
idea,
the
one
thing
that
stopped
me
from
running
a
straw
man
is
that
this
really
isn't
a
security
kind
of
thing.
That's
why
I
was
wondering:
is
this
even
relevant
for
ses
and
in
the
email
thread
later
on?
C
C
A
does
ses
even
care,
or
should
it
be
proposed
to
tc39
outside
ses,
which
is
perfectly
fair
and
b.
Is
this
something
that
people
are
interested
in
exploring
and
in
terms
of
adding
it
to
the
language,
or
should
this
just
be
dropped
as
hey
there's
an
easy
workaround.
E
Go
ahead,
we
do
have
a
fairly
sizable
kind
of
proxy
that
we're
using
to
do
something
similar,
actually
because
the
developer
vigilance
in
order
to
await
everything
properly
is
difficult
to
maintain
in
a
larger
code
base.
E
So
basically,
what
our
proxy
does
is
something
similar
to
explain
it.
Instead
of
doing
it
as
this
does
where
it
does
a
shallow
traversal,
we
actually
do
a
very
deep
synchronous,
traversal
and
then
coalesce
into
kind
of
a
mirrored
object.
After
that.
A
In
the
queue
ecosystem,
I
did
implement
both
shallow
and
deep
versions
of
this
as
analogs
for
promised
at
all
or
q.all,
and-
and
I
put
I
put
something
like
all-
your
all
properties
in
a
utility
library
until
I
could
figure
out
whether
it
was
useful
enough
to
integrate
into
q
proper,
it
turned
out
to
not
be
it
turned
out
to
not
be
popular
enough
to
put
inside
of
the
payload
of
queue,
but
it
certainly
is
popular
enough
that
I
think
that
it
would
be
beneficial
for
it
to
be
part
of
the
language.
A
I
don't
think
that
this
is
a
secure.
It's
not
a
security
related
thing,
but
it
is
promises
and
promises
were
brought
in
for
security-related
reasons
so
it'd
be
this.
Is
this
is
a
right
audience
to
talk
about
promises?
I
think
very
much.
I
don't
think
that
it
needs
any.
It
certainly
doesn't
need
to
be
blessed
by
this
group
to
be
proposed.
D
I
agree
with
that
last
point,
but
I
disagree
actually
that
it
belongs
in
the
language
and
it's
for
a
practical
reason
that
this
is
so
analogous
to
the
object
copy
problem.
There
are
numerous
dimensions
that
are
going
to
be
flexed
in
different
ways
for
different
use
cases.
Things
like
deep
versus
shallow,
eager
versus
lazy,
innumerable
versus
all
owned,
let's
symbol,
properties
versus
string
value
only
like
there's,
there's
so
many
things
that
that
this
kind
of
thing
basically
becomes
use
case
specific
and
it's
practical.
D
B
Yeah,
I'm
I'm
I'm
very
much
with
richard
on
on
this
point.
The
in
endo
we're
you
know
where
endo
is
ces,
plus
our
distributed
object
semantics.
We
take
a
very,
very
specific
stance
on
what
a
passable
value
is
and
within
that
very
specific
stance.
B
We
have,
we
do
have
an
abstraction
called
all
comparable
that
takes
a
a
promise
for
a
passable.
I'm
sorry
takes
it.
Passable,
which
includes
promise
for
past,
takes
passable,
which
may
have
promises
at
the
leaves
and
returns
a
promise
for
a
comparable
where
a
comparable
in
the
distributed
object.
Semantics
is
something
whose
pass
by
copy
superstructure
terminates
only
in
in
atomically
comparable
leads,
which
is
primitive
values,
and
I
I
and
remotable
objects
which
are
objects
with
unforgivable
identity.
B
So
the
all
comparable
is
the
deep
generalization
but
the
deep
generalization
there
is
well
defined
for
exactly
the
reasons
that
richer
grazes,
which
is
it's
within
a
whole
set
of
decisions
that
characterize
what's
effectively
a
new
language,
semantics
embedded
in
the
javascript
semantics
that
have
made
very
particular
choices.
C
May
I
respond
sure,
first
and
foremost,
I'm
not
familiar
with
the
object
copy
problem
as
you've
described
it.
Maybe
I
am,
but
not
as
that
under
that
name,
I
am
familiar
with
the
with
the
fact
that
recursively
diving
in
is
a
complicated
problem
that
is
generally
left
out
of
the
language,
and
I'm
fine
with
that.
C
Where
was
that
going?
I.
A
Think
I
think
that
I
can
finish,
for
you
is
that
it
is
a
much
much
lower
burden
to
introduce
all
properties
as
a
shallow.
A
shallow
copy
of
this
of
of
innumerable
promises
on
an
object.
C
Thank
you
for
that.
I
would
love
to
see
even
a
shallow
capability
for
that.
Now
again,
I'm
just
throwing
the
idea
out
there.
B
Question
already,
maybe
this
is
direct
more
chris,
since
he
just
said
innumerable.
Why
innumerable.
A
Because
the
common
pattern,
the
pattern
that
this
is
for
is,
is,
or
is
likely
to
be
most
useful
for
is
an
object.
Literal
I
say
innumerable
is
perhaps
too
strong.
Certainly
own.
A
B
So
the
the
thing
that
there's
two
analogies
that
that
I
would
make
for
this-
that
pull
and
opposite
that
that
make
that
pull
in
opposite
directions
with
regard
to
yet
another
distinction.
B
The
thing
that
this
seems
to
me
to
be
most
like
is
an
eventual
form
of
object.keys
or
object.entries
and
object.keys
and
object.entries
believe
it
or
not,
are
specific
to
innumerable
own
string,
valued
and
the
other
thing
that's
analogous
to
is
triple
dot,
which
is
specific
to
innumerable
own,
not
restricted
to
string
value.
B
And
the
fact
that
those
are
different
is
something
that
is,
you
know
incredibly
unfortunate.
C
F
In
a
word
image,
I
wanted
to
basically
say
the
same
thing
as
mark.
There
is
two
precedents:
the
object,
construction
and
object
that
entries
or
object.keys,
which
behave
only
on
and
variable,
but
there
yeah
anyway,
that
was
already
yeah.
B
I
was
very
surprised
recently
by
the
way
and
had
a
bug
in
my
code
due
to
not
realizing
that
object.entries
did
not
include
symbol
named
properties.
That
was,
I
actually
had
a
security
hole
in
my
code
as
a
result
of
that.
A
Alex,
I
think,
in
summary,
that
you
can
antici
that
if
you
were
to
bring
this
forth
to
tc39,
that
it
would,
the
the
shallow
with
the
narrowest
profile
would
be
a
shallow
version
of
this,
and
I
think
that
you
that
we've
visited
some
of
the
arguments
it'll
immediately
run
up
against.
I
got
a
choice
about
what
what
kind
of
all
properties
it'll
be
and
yeah
I'd.
Welcome
the
conversation.
C
Personally,
okay
yeah:
I
can
try
to
draw
something
up,
but
then
I've
promised
to
draw
things
up
in
the
past
and
I
never
got
around
to
it.
But
this
is
relatively
simple.
I
think
compared
to
my
other
ideas.
A
Okay,
so
so
you'll
be
looking
for
a
volunteer.
C
That
would
be
much
appreciated
before
we
close
this
topic
out.
I
do
want
to
raise
another
part
that
I
thought
about
when
I
took
this
a
step
further.
C
C
We
would
want
to
leave
out
maps
but
call
it
out
as
a
danger
will
robinson
moment,
so
to
speak,
just
as
an
initial
stage:
zero,
hey
here's,
an
idea
just.
B
B
So
what
with
regard
to
so
that
I
think
maps
is
actually
a
a
good
way
to
understand
better
what
stance
you
have
in
mind.
In
what
way
would
the
idea
you're
talking
about?
Do
you
think
it
would
generalize
to
maps.
C
I
haven't
thought
of
through
fully
yet
I've
got
my
am
I
still
sharing
my
screen
here.
Yeah.
F
C
E
And
you
can
keep
sharing
it,
I'm
not
going
to
show
code
because
it's
just
gobbledygook,
basically
in
node's
module
loader,
we
have
the
concept
of
a
module
map
that
we've
discussed
multiple
times
at
tc39,
and
the
module
map
is
actually
represented
by
a
javascript
map
structure
and
that
map
structure
does
a
few
things,
but
in
particular
it
can
have
pending
resolutions
and
it
can
have
pending
jobs.
E
So
for
any
given
module
loaded
and
each
of
its
dependencies
in
particular,
you
try
to
resolve
it
asynchronously
and
then
you
populate
a
job.
The
job
is:
what's
going
to
be
used
to
store
things
like
the
source
text
that
it
loads
and
hold
on
to
the
module.
Namespace
object
for
some
other
operations
going
on.
E
When
you
do
this
and
a
module
has
dependencies,
we
actually
have
to
wait
on
all
those
dependencies
to
get
their
module
job
finished
before
we
link
or
evaluate-
and
so
it's
this
kind
of
big
for
loops
everywhere,
where
we
do
essentially
a
big
loop
over
everything.
That
is
basically
just
an
object.
E
E
It
looks
like
our
original
intent
was
to
allow
for
this
module
map
to
have
direct
first
class
values
as
the
keys,
rather
than
a
string
or
a
url,
but
that's
likely
never
gonna
come
to
fruition,
but
right
now
we
do
essentially
this
on
a
map
object
where
both
the
left
and
right
hand,
the
key
and
the
value
are
both
promises.
Essentially,
usually
the
right
hand
is
not
a
promise
it's
already
resolved,
but
we
keep
it
wrapped.
E
C
E
This
video
afterward
one
thing
that
might
be
constructive
is
we
have
a
lot
of
different
entry
methods
they're
on
sets
they're
on
arrays
maps
everything
it
might
also
make
sense
to,
instead
of
work
directly
on
an
object
to
just
accept
an
array
of
pairs
since
that's
what
they
always
return
for
entries
even
sets,
which
we
have.
A
Yeah,
it
could
be
promise
that
all
entries
could
be
the
core
primitive
that
would
unite
unite
each
of
these
concepts.
F
So
that
there
would
just
be
a
shorthand
for
an
awaits
object
from
entries,
promised.all.
A
Not
exactly
it's
a
it's,
it's
you,
it's
yeah,
it's
similar
there.
They
would
be
waiting
for
the
resolution
of
the
of
all
of
the
values
of
the
underlying
array.
F
Oh,
you
mean
if
there
is
a
promise
in
either
of
the
key
or
value
of
the
entries.
Wait
wait
on
that.
I
see
yeah
yeah.
That
would
make
it
a
lot
easier.
Then.
C
All
right,
yeah.
A
Alex,
let's,
let's
make
a
note
that
you're
looking
for
a
volunteer
to
co-champion
this
idea
with
you
and
and
if
you
find
time
for
it,
take
it
from
there.
The
the
next
topic
on
our
agenda
is:
what
constraints
should
we,
as
as
champions
of
cess,
impose
upon
other
proposals
to
tc39?
A
We
by
we
I
mean
mark
blocked
a
proposal.
I
don't
recall
which
one
at
the
last
tc39
plenary
since
it
was
going
to
introduce
a
new
hidden,
intrinsic
iterator,
prototype.
B
B
They
were
and
the
the
reason
why
they
were
introducing
it
revealed
that
there
were
previous
proposals
that
I
should
have
blocked
on
these
grounds
that
I
didn't
because
of
inattention
every
time.
I
think
that
there's
some
big
area,
like
dates
or
regex
breakx,
was
a
specific
one
in
this
case
or
internationalization
that
well
surely.
This
is
just
about
this
specialized
area
that
doesn't
have
any
security
implications.
Every
time
I
I
drop
my
guard
on
that
something
that's
fatal
to
security
slips
in
that
we
then
have
to
clean
up
later.
B
So
this
is
one
of
the
reasons
why
it
would
be
very
good
to
have
to
try
to
start
writing
down
more
of
these
invariants
so
that
we
don't
have
to
to
be
so
on
guard
and
other
people
can
start
to
notice
when
they're
about
to
break
some
security
property.
B
The
the
problem
is
not
that
there
was
new
api
that
returned
an
iterator
or
an
iterable.
The
problem
was
that
the
way
in
which
the
api
was
introduced
purely
based
on
preserving
tradition
from
from
what
was
seen
as
the
tradition
of
previous
apis,
was
to
introduce
essentially
a
new
iterator
class
with
its
own
primordials.
Its
own
prototype
object
in
particular
to
represent
the
new
iter,
iterable
or
iterator
class,
which
was
cut,
which
is
completely
unnecessary,
and
the
intel
thing
is
not
blocked.
B
A
Let's
I
I
want
to
I've
been
thinking
about
this,
and
I've
been
thinking
about
what
is
the?
What
is
the
hard
security
invariant
this?
This
has
been
a
concern
of
a
concern
of
mine
from
a
future
future
compatible
or
ensuring
the
future
security
of
the
lockdown
shim
that
new
language
syntax
would
introduce
the
new
language
syntax
like,
for
example,
if
we
were
to
add
observable
functions
to
the
languages
has
been
proposed
in
the
past
as
a
as
a
dual
to
iterator
functions.
A
That
would
introduce
syntax
from
which
you
could
obtain
a
reference
to
a
prototype
that
did
not
previously
exist
in
the
language
and
and
existing
code.
That
is
trusting
a
lockdown
shim
to
ensure
that
there's
no
mutable
state
accessible
from
to
client
code
that
could
be
used
as
a
side
channel
or
a.
A
Beachhead
for
interfering
with
with
code
in
the
same
compartment
could
be
would
be
unpreventable
it
would.
It
would
basically
be
assuming
that
that
the
lockdown
was
not
maintained.
It
would
be
a
zero
day,
exploit
upon
release
in
a
particular
engine
and
and
invalidate
the
lockdown
shim.
B
Yeah
and
we've
we've
had
that
situation
before
with
the
old
kaha
scs,
that
was
when
engines
started
rolling
out,
implementations
of
async
function.
Async
function
made
new
primordials,
reachable
only
by
syntax.
Our
white
listing
mechanism
was
therefore
not
able
to
detect
or
remove
them,
and
we
had
a
zero
day.
A
Yeah,
so
I
think
that
the
strong
language
invariant
that
we
need
to
propose
to
tc39
at
some
future
meeting
is
the
invariant
that
the
language,
if
it
does
add
additional
syntax
that
reveals
intrinsics,
that
those
intrinsics
also
be
accessible
by
property
access,
discoverable
from
by
discoverable
by
walking
properties
starting
at
global.
This
and
then
mark-
and
I
were
bantering
yesterday
about
what
the
shape
of
that
would
look
like.
A
Would
it
be
something
like
like,
for
example,
to
backfill
the
principle
onto
proposals
that
have
already
violated
this
in
order
to
establish
a
pattern
for
future
fixes?
Would
we
introduce
something
like
realm.async
iterator
prototype,
not
realm,
but
something
with
something
something
done.
You
think
iterator
prototype
accessible
from
global
and
then
suggest
or
mandate
that
any
future
proposal
that
adds
syntax
also
provide
it,
provide
access
to
that
prototype
in
that
location.
B
Yeah
I
like
that,
for
one
thing,
I've
seen
a
number
of
libraries
independently
try
to
just
try
to
enumerate
all
of
the
anonymous
intrinsics.
Jordan
wrote
one
that's
independent
obsessed.
B
I
have
not
compared
these
to
each
other
for
coverage,
but
it's
unfortunate
that
people
keep
need
needing
to
try
to
do
this
and
that
it's
accident-prone-
and
there
was
even
one
case
for
which
there
was
a
primordial
enumerated
by
the
language
that
nobody
could
figure
out
how
to
reify
using
code
in
the
language,
and
it
was
a
big
mystery
for
a
while.
It
was
a
security.
You
know
it
was
potential
security
vulnerability.
It
was
the
sink
to
async,
iterable,
adapter
or
something
the.
B
So.
I
think
that
not
just
making
new
primordials
findable
by
name-based
traversal,
starting
from
the
global
but
taking
all
of
the
old
ones
that
were
not
discoverable
in
this
way
and
making
them
discoverable
naming
all
of
them,
I
think,
would
be
good
starting
from
the
one
that
was
introduced
in
es5,
which
is
the
the
type
throw
type
type
thrower.
I
forget
what
it's
called
the
thing
that
was
representing
the
poisoning
of
function.caller
and
function.arguments.
B
A
So
if
I,
if
I
may,
the
in
summary
the
low
bar
is
that
the
language
must
not
introduce
new
language
that
the
language
in
when
adding
any
any
any
syntax
added
to
the
language
must
reveal
any
of
the
hidden
hidden
hidden
objects
that
it
would
would
make
reachable
by
syntax,
so
that
they
can
also
be
reached
by
a
name.
A
D
Think
we
want
to
rely
upon
alias
in
that
way
or
so
broadly.
B
B
B
Cat,
so
I
would
say:
that's
it's
that
it's
not
just
syntax.
It's
all
new
primordials
should
be
discoverable
by
name-based
traversal.
So.
A
A
The
the
the
next
step
above
that
would
be
obviously
to
satisfy
the
desire
for
the
the
the
language
as
it
stands,
to
establish
a
firm
precedent
for
for
future
editions
by
backfilling
that
principle
to
other
things
that
have
been
added
in
the
past,
like
async,
iterator
and
then
the
next
more
firm
above
that
would
be
I
which
is
like
I.
I
do
not
think
that
I
do
not
think
that
the
intel
proposal
actually
violated
either
of
those
two
invariants
it
it
it
it.
A
It's
it's
violating
a
softer
invariant
that
any
api
added
to
the
language
must
also
reveal
any
of
the
prototypes
or
constructors
of
the
things
that
it's
going
to
return
from
functions.
B
Well,
it's
it's.
When
you
say
return
from
functions,
it's
any
any
refinable
primordial
the
you
know.
Any
new
reifiable
primordial
should
be
discoverable
by
property.
Traversal
and
refillable
means
it's
not
necessarily
just
that
it
returns.
It
might
pass
it
as
an
argument
to
a
callback
function
or
a
zillion
ways
in
which
something
might
be
reified.
I
don't
think
we
need
to
to
distinguish
return
values.
A
Yes,
I
agree
the
any
any
any
object
that
is
revealed
by
a
new
api
to
to
client
code
should
be
discoverable
now
any
any.
A
I
think
we
need
to
frame
the
argument
in
terms
of
what
we
need,
what
we
would
like
and
what
would
be
nice
and
the
last
one
would
be
nice
and
we're
blocking
a
proposal
based
on
a
would
be
nice
at
the
moment,
and-
and
we
should
make
that
clear
in
order
to
not
only.
A
Well,
at
the
moment,
lockdown,
it
does
nothing
to
invalidate
lockdown,
because
intel
itself
isn't
exposed
and
also
it
also
does
not
provide
any,
and
even
if
it
were
exposed,
we
would
be
in
a
position
that
any
new
api,
they
add,
would
not
be
automatically
revealed
to
client
code
via
lockdown,
because
it's
not
in
the
white
list,
and
so
therefore,
there's
no
zero
day
exploit
that
is
created
by
this
behavior
either.
B
A
A
Yes,
non-fatal
is
good.
I
I
can
go
with
that.
Yeah
all
right
I'll,
make
a
note
in
a
minute
so
that
there's
an
action
item
to.
B
Okay,
so
some
other,
so
some
other
things
along
these
lines
is
that
no
introduction
of
hidden
of
primordial
hidden
state
or
primordial.
I
o
abilities.
B
And
I
think
that
we
can
bundle
this
name
based
enumeration
with
another
issue
that
that
that
we've
been
facing,
that
the
that
the
controversies
over
their
own
proposal
makes
yet
more
urgent,
which
is
a
we've.
We've
talked
about
the
need
to
have
some
kind
of
platform
provided
enumeration
of
the
safe
standard,
globals
the
safe
standard,
javascript
globals,
I.e,
omitting
the
hosts
but
including
safe
globals,
introduced
as
the
language
evolves,
so
that
old
lockdowns
can
potentially
honor
new,
safe
globals.
A
For
sure
yeah,
I
I
think
that
we
have
taken
this
topic
to
a
satisfying
conclusion,
the
and
and
the
and
the
queue
is
empty
for
so
I
think
that
we
can
reclaim
some
time.