►
From YouTube: SES Meeting: Review SES core evaluator upgrade
Description
In this session, we review a change proposed by Aaron Davis that replaces the scope proxy leak in SES with a sloppy mode leak that affects functions declared in the global scope of a strict script evaluated by the SES shim.
A
Well,
the
CES
meeting
didn't
happen
so
we're
doing
this
instead,
which
is
actually
kind
of
appropriate
since
we're
actually
looking
at
sets
today,
Aaron
Davis
of
mask
has
produced
for
us
a
pull
request
that
would
re
replace
the
eight
magic
lines
with
four
wrist
blocks,
which
we're
currently
calling
the
four.
What.
B
A
Quadruple
backflip
or
the
four
backflips
of
the
apotheosis
I
Aaron
keeps
changing
The
Branding
for
this,
but
the
point
of
it
is
that
this
would
allow
us
to
eliminate
the
possibility
of
leaking
the.
What
we
currently
have
is
called
the
scope
proxy
and
thank
you
Matthew
for
showing
this.
This
is
the
heart
of
it.
We're
changing
the
eight
magic
lines
into,
however
many
Magic
lines.
This
is.
C
A
The
idea
is
that
by
taking
what
was
just
the
scope
proxy
and
then
creating
four
layers
out
of
it,
we
create
for
one
a
more
auditable
artifact,
where
each
of
these
individual
layers
can
be
evaluated
for
their
they're
they're,
isolated
purpose,
but
also,
most
importantly,
when
you
access
a
name,
a
free
variable
from
with
an
assess
program.
It
will
the
apartment,
when
you
access
a
free
name,
corresponding
to
a
function
and
then
call
that
function.
A
The
in
sloppy
mode,
which
we're
well
pardon
in
in
the
mode
of
execution
that
we
are
in
if
under
says
by
whatever
name.
It
is
that
the
the
rule
is
that
this
object
will
be
bound
to
whatever
object.
It
was
extracted
from
on
the
with
block.
Currently,
that's
the
scope
proxy.
So
we
leak
the
scope
proxy
with
this
change.
A
If
you
re,
if
you
get
a
free
variable
and
it
corresponds
to
a
property
of
the
global
object,
your
that
your
receiver
will
be
bound
to
the
global
object,
which
is
also
incorrect
in
terms
of
what
we
want,
which
would
be
a
high
fidelity
emulation
of
what
happens
inside
of
a
JavaScript
module.
That
is
to
say
undefined,
but
leaking.
The
global
object
is
less
risky,
albeit
not
less
insecure,
because
what
we
have
is
secure.
We
just
would
reveal
the
global
object
instead,
that
is
so
so.
A
So
the
way
that
it's
peeled
off
in
this
is
eval
scope
is
an
object
that
is
solely
responsible
for
allowing
the
unsafe
eval
to
pop
out
once
on
line
70
and
then
deny
it
thereafter,
and
then
the
global
lexicals
serve
as
either
the
lexical
environment
of
a
module
or
the
lexical
environment.
The
that
was
passed
into
the
the
compartment
Constructor
or
a
combination
of
the
two.
B
Scope,
let
me
let
me
interrupt
you.
The
global
obstacles
include
for
our
module
translation.
It
includes
the
the
assignment
Interceptor
for
propagating
live
bindings.
Yes,.
C
A
Yeah
Global
lexicals
is
doing
double
duty:
okay
and
the
scope.
Terminator
is
actually
one
of
two
different
things.
Now
this
is
the
only
proxy
and
it
is
the
proxy
that
will
only
be
reached
if
you
have
a
free
variable
that
isn't
doesn't
correspond
to
a
global
or
a
lexical
or
that
eval
once,
and
that
means
that,
in
this
implementation,
the
scope
Terminator
can
either
be
an
opaque
object.
A
That
just
refuses
to
give
you
anything
and
claims
to
have
anything
which,
basically,
which
which
effectively
masks
the
scope
from
anything
in
the
real
Global
this
and
can
be
shared
across
compartments
safely,
because
it
has
absolutely
no
State
whatsoever.
It's
just
a
it's
just
a
closed
door
or
if
you're
in
sloppy
globals
mode.
A
B
So
the
so
the
scope
Terminator
in
the
not
in
the
sloppy
globals
mode,
presumably
it
always
says,
has
true.
D
Currently,
no,
it's
not
changing
the
behavior
but
or
I,
don't
know
actually
I
guess.
A
Yeah,
we
will
see
that
in
this
review,
but
what
I'm
expecting
to
find
when
looking
at
this
is
that
Aaron
has
not
changed
the
behavior
from
what
we
currently
have.
The
behavior
we
currently
have
is
that
it
returns
true
only
if
the,
if
the
the
the
realms
the
the
Realms
Global
this
has
the
property.
A
So
if
the,
if
the,
if
the
Realms
Global
this
does
not
have
the
property
on
it
directly
or
on
its
prototype
chain,
it'll
it'll
return
false,
which
is
presumably
safe,
because
that
should
always
turn
into
a
reference
error
just
farther
up.
A
B
It
still
doesn't
make
the
UN
unreferenced
variable
versus
type
of
be
spec
compliant,
because
there's
nothing
we
can
do
could
make
a
spec
compliance.
I
actually
don't
understand
what
the
purpose
is
of.
C
D
That
actually
do
get
a
reference
error.
B
D
C
B
C
A
Yeah,
so
that
is,
there
are
two
things
on
that,
but
the
probably
the
most
important
one
is
that
that
is
a
separable
concern
from
this
PR
and
Aaron
experimented
with
doing
both
fixes
at
the
same
time
and
ran
into
complications
which
I'm
sure
we'll
get
to
hear
about
when
we
talk
okay.
So
he
chose
not
to
address
that
in
this
PR
and
we'll
see.
If
we,
if
we'll
see
if
the
text
is,
is
consistent
with
that.
C
D
All
right
so
well,
the
first
piece
of
code
I
ended
up
looking
at
is
the
eval
scope,
which
is
this
and
when
reading
this,
my
concern
was
that
the
one-time,
evil
properties
is
in
charge
of
deleting
from
eval
scope,
but
we
really
trust
the
color
of
creative
on
scope
to
add
the
one-time
properties
to
evil
scope.
Mm-Hmm.
D
So
there's
a
bit
of
a
split
brain
here
that
if
the
caller
ends
up
putting
these
on
something
else,
we
won't
be
deleting
on
access.
Would.
D
A
Think
that
that
was
in
a
prior
design
and
the
reason
that
we
went
in
this
direction
was
to
avoid
bumping
the
stack
because
we
don't
want
well,
that's
they're.
C
A
A
C
A
Yeah,
that
is
good,
also
will
never
happen
if
this
by
design.
That
should
never
be
possible
right,
because
the
first
thing
that
happens
is
that
you
access
you
access,
eval
and
then
it
deletes
the
property.
And
then,
if
you
were
to
set
eval,
then
it
will
go
higher
up
the
chain.
The
and
I
believe
that
Aaron
was
kind
enough
to
add
tests
to
that
effect.
To
make
sure.
C
B
And
the
reason
why
we're
concerned
about,
as
you
you
said,
bumping
the
stack
meaning
having
a
procedure
call
a
function
call.
Is
that
we're
worried
about
what
happens
if
you're,
on
the
edge
of
running
out
of
Stack
memory,
correct.
D
And
to
be
honest,
I'm
I'm
concerned
anyway
of
I
mean
calling
a
getter
is
technically
it
is
bumping
the
stack
so
now,
technically
we're
bumping
this
type
in
the
getter,
but
not
that
being
the
Stacked
before
so
we're
actually
we're
actually,
in
this
case
already
so.
C
A
Do
we
if
we
went
with
unscopables
if
we
went
with
instead
of
having
eval
scope,
do
this
instead
had
an
eval
scope
that
had
an
unscopables
property,
a
symbol,
unscoopables
property
that
we
added
and
removed
eval
from?
Would
we
be
able
to
avoid
bumping
the
stack
with
that
technique?
I.
D
Believe
so
because
the
unscopables
is,
it
could
just
be
a
plain
property
that.
A
A
Yeah,
okay,
I'm
in
favor
of
that
I,
don't
particularly
care
whether
it
happens
in
this
PR
or
not.
B
I
understand,
logically,
what
why
that's
preferable.
It
terrifies
me
to
leave
the
dangerous
of
owl
in
place
and
depend
only
on
unscopables
to
hide
it.
B
C
A
D
B
B
The
the
federal
vowel
Is
Still
Remains,
reachable
you're
just
you're,
depending
you're,
depending
only
on
unscopables,
to
knock
the
reference
it,
but
it
remains
reachable.
D
B
B
D
C
D
Could
you
could
try
more
in
and
if
you
succeed
at
more,
you
know
the
the
subsequent
one
will
succeed
so.
A
B
For
a
naive
interpreter,
I
I
believe
that
for
a
jit
system,
where
we
just
don't
know
what
weird
optimizations
it
might
be
doing
on
One
path
and
not
the
other,
it's
hard
to
know
that
we've
actually
allocated
enough
stack
in
the
one
case
to
cover
the
allocation
that
happens.
In
the
other
case,
it
might
be
that
they
optimize
the
first
one
away.
A
So
the
reason
why
I'm
content
with
what
Aaron
has
has
implemented
is
that
deleting
eval
off
of
the
eval
scope
is
probably
as
close
to
zero
function,
calls
as
we
can
get,
and
that
is
reliably
on
the
correct
side
of
this
balance.
B
Yeah
over
there
so.
A
D
B
Well,
what
I'm
thinking?
What
I'm
thinking
is
that,
if
error,
if
Commodities
get
her
blows,
the
stack,
it
will
be
the
inner
width
that
throws.
B
B
C
D
There's
already
a
try
cash
around
wherever
this
is
called.
D
D
Wherever
make
evaluate
factories
codes
right,
so
we
get
the
evaluate
here
yeah,
so
you
can
evaluate
and
whenever
we
call
evaluate.
D
Yeah,
but
no
matter
what
even
including
the
the
the
this
kind
of
stack
and
that's
the
first
thing
we
we
do
here,
it
triggers.
A
B
There
actually
is
a
that
delete
right.
There,
that's
script
code,
correct.
D
Yeah
I
believe
so.
But
what
is.
B
B
A
B
Okay,
that's
what
I
was
worried
about.
Is
it
whether
whether
it
can
drop
it
does
not?
Okay,
good,
okay,
okay,
I'm,
satisfied,
I
think
with
this
I
think
with
this
delete,
we're
safe
against
the
out
of
Stack.
So
let's
do
this.
D
Yeah
I
I,
don't
really
see
a
win
in
how,
in
out
of
stack
on
the
getter,
can
can
result
in
anything.
B
D
Oh
in
case
we
are
already
out
well,
it
does
here.
103
could
trigger
the
same
stipend,
actually.
C
D
B
It'll
cause
a
proxy
trap
if
it's
a
proxy,
but
but
it's
not
going
to
invoke
the
getter
on
an
access
yeah.
This
check
actually
doesn't.
D
Mean
anything
and
say
if
you've
always
feel
exposed
that
oh,
oh,
an
evil
scope.
If
we
deleted
it:
okay,
yeah
yeah.
A
Well,
well,
one
thing
is
certain
that
if
we
oh
no,
we
cannot
reverse
the
order
of
these
lines.
Obviously,
but
we
might
be
able
to
collapse
them,
as
you
suggest,.
A
D
B
B
So
in
strict
this
is
this:
it
actually
does.
What
I
was
was
I
was
worried
that
my
memory
was
was
fallible
here,
because
it's
been
many
years,
but
in
strict
code
delete
only
ever
either
returns
true
or
throws
it
never
strictly
delete
can
never
return
false.
B
It
throws
if
it
fails
if
the
property
itself
continues
to
exist,
so
so
the
delete
succeeds
if,
following
the
delete,
the
properties,
whether
it's
absent,
because
it
was
deleted
or
it's
absent
because
it
wasn't
there
in
the
first
place,
the
elite
doesn't
care.
In
both
cases.
It's
a
success
and
if
the
property
is
Not
absent,
then
the
delete
has
failed
and
in
strict
strictly
will
then
throw
in
a
non-script
and
a
sloppy
delete
will
return
false
I.
D
Blame
maps
for
twisting
my
views
all
right.
Okay,
so
we
can't
quell
as
this,
but
this
is
safe
because
yeah.
B
So
so
I
like
I,
like
marvelous
version,
because
of
the
lesson
now
that
we've
know
that
that
we're
safe
against
the
stack
attack
stack
attack.
Now
that
we
know
we're
safe
against
the
stack
attack.
The
commodity
version
allows
us
to
reason
about
safety
from
reachability,
which
is
great.
D
Be
nice
to
have
a
test
for
this,
but
somehow
you
got
to
build
a
stack
that
is
up
to
the
bumping
limit
and
then
backtrack
and
then
yeah
and
Trigger.
This
yeah.
A
C
C
A
C
D
D
I,
don't
think
we
can
ask
for
a
new
test
just
for
this
in
this
BR.
In
this
code,
we.
B
C
A
D
D
Yeah
I
am
concerned
about
inlining
the
getter
and
stuff
and
capturing
things
in
the
scope.
Here.
The
advantage
is
the
only
thing
in
in
scope
is
eval
scope,
so
we're
not
going
to
be
leaking.
Whatever
else
is,
I
mean
the.
B
The
phrase
stack
bumping
on
the
first
page
of
answers
gets
me
nothing.
C
A
All
right
yeah,
so
there's
yeah
money
lines
on
39
to
41..
This
is
where
we
get.
D
Scope
Terminator,
so
here
is
the
first
change
like
notice
cup
Terminator
is
Christmas
mentioning
earlier.
It
can
be
either
a
shared
scope
Terminator
if
you're
in
strict
mode,
because
the
only
purpose
of
that
thing
is
to
just
deny
all
or
a
pair
compartments
scope.
Terminator
that
is
linked
to
the
global
object
of
the
compartment,
and
most
code
is
going
to
be
in
strict
globals
mode,
which
means
we
can
just
have
a
single
shared
scope,
Terminator
proxy.
That
denies
all
and
doesn't
leak
nothing.
B
So
does
it
has
return
false
even
for
things
that
are
on
the
J
on
the
realm
global.
D
No,
as
as
we
said
it,
I
mean
we
can
go
find
it,
but
this
doesn't
change
the
current
behavior,
which
only
returns
false
or
for
things
that
are
not
on
the
global
that
are
on
the
globals
that
are
not
like
go
wrong.
Global,
okay,.
B
I
do
I
mean,
if
we're
doing
this,
this
much
of
an
invasive
change,
I
think
I
would
like
to
either
understand
why
we
can't
have
what
you
know
what
the
trouble
was
that
kamavis
got
into
by
having
that
one
have
has
always
returned
further.
Well.
B
D
There
are
some
behavioral
changes,
but
they're
either
bug
fixes
or.
D
Or
things
that
I
I,
we
will
we'll
look
we'll
look
in
the
tests,
but
things
that
couldn't
be
dealt
with.
Another
way.
A
A
My
yeah,
my
as
a
rule,
we
should
not
have
the
master
branch
in
an
unreleasable
state
for
any
amount
of
time.
Yeah.
D
Foreign,
so
there
were
questions
about
the
optimizer
object
and
how
currently
I
believe
commemos
is
creating
an
Optimizer
objects
which
combines
the
properties
of
the
global
object
and
Global
lexical,
which
feels
inefficient.
Okay,.
B
So
so
the
key
thing
about
the
a
sign,
although
I,
don't
I,
don't
understand
the
code
I'm
looking
at
I.
D
If
there
is
so,
if
we
look,
if
we
look
here
at,
we
have
a
single
Optimizer
block,
I
guess
the
point
is
to
go
through
the
optimizer
before
evil
scope.
A
So
so
it
would
a
valid
a
valid
alternative
to
this
would,
in
fact,
as
you
say,
Matthew
for
the
optimizer
to
have
two
I
either
have
two
optimizers
or
two
or
have
the
optimizer
have
two
Clauses
with
it,
one
for
extracting
properties
from
Global,
lexicals
and
one
for
extracting
properties
of
global
object.
The
difference
in
code
would
be
that
the
optimizer
generator
would
have
to
be
careful
to
make
sure
that
the
Lexile
lexicals
overshadow
the
global
object,
so
the
global
object
Optimizer
would
have
to
omit
any
that's
already
in
the
lexicals.
D
Like
right
now,
there's
already
a
logic
in
figuring
out
which
optimizer,
which
symbols
are
optimizable.
It's
again
it's
this
feels
like
a
bit
of
a
split
brain
thing
where
pieces
of
it
are
and
I
don't
remember
where
this
was.
A
When
you
were
scrolling
up,
I
saw
this
dot,
Optimizer
properties,
which
I
think
illuminates.
What's
going
on
here,.
B
Let
me
just
double
check
that,
besides
the
shadowing
calculation,
which
is,
of
course
very
important,
there's
also
it's
all
so
some
things
only
optimizable
if
the
property
itself
is
non-right,
is
a
non-writable
non-configurable
data
property.
A
D
All
right
so
I
mean
the
optimizer
right
now
is
pretty
dumb.
It
just
takes
a
list
of
constants,
which
are
the
names.
It
could
very
well
take
two
lists
of
consent,
which
are
the
lexical
constant
and
Global
constants.
A
A
B
D
I
would
just
change
the
logic
of
wherever
the
constants
are
generated
to
generate
two
lists
of
consents,
one
for
the,
because
that
already
is
aware
of
where.
Where
is
this
so.
A
B
D
C
C
B
A
B
A
Matthew
changed
this
last.
The
I
believe
that
the
answer
is
that
we
reuse
the
evaluator
if
we
can
and
we
and
that
basically
depends
on
whether
the
global
lexicals.
B
D
Yes,
so
the
constants
or
the
evaluator
is
generated
lazily
the
first
time.
Any
evaluation
is
done
in
the
compartment
for
function
and
eval
and
then
I
guess
for
evaluation.
When
there
are
new
Global
lexicals
for
some
modules,
the
evaluator
is
rebuilt
because
it's
a
different
set
of
global
lexicals
and
then
after
first
time,
it's
built
with
the
same
sets
of
basically
have
constant
the
same.
D
The
same
Global,
lexical
subjects,
I
think
it
is
never
rebuilt,
so
it's
cached.
So
the
idea
is,
you
can
build
your
compartments.
You
can
go
in
and
set
up
the
global
this
and
the
compartment
and
freeze
them
and
and
do
everything
there,
and
then
you
eval,
and
at
that
point
this
is
when
the
optimizer
is
built.
So
you
have
an
opportunity
to
have
an
Optimizer.
That
does
something,
but
if
you
go
in
and
modify
your
Global
after
that,
it
won't
take
advantage
of
the
optimizer
anymore.
Okay,.
B
D
Hold
on
one
sec,
I
think
that
we're
just
in
practice
the
evaluator
is
just
thrown
away
right
because
we,
it
just
end
up
calling
compartment
evaluated
with
a
new
thing,
but
then
it
will
never
call
that
again.
I,
don't
remember
what
I'm
caching
here
I
think
the
cash
is
based.
D
C
C
A
We're
coming
up
on
time,
would
you
mind
wrapping
up
this
comment
and
and
submitting
a
partial
review
so
that
we
can
have
this
as
the
input
for
our
next
meeting?
Yes,
we'll
be
there
and
I
think
I
think
that
the
next
step
for
us
in
this
review
would
be
to
look
at
how
the
tests
have
changed
and
I.
Don't
recall
whether
Aaron
has
already
rebased
this
on
top
of
the
other
pull
requests
that
simply
adds
more
tests
that
pass.
D
Yeah,
it
would
be
nice
to
start
a
next
meeting,
looking
at
or
index
being
looking
at
the
test,
differences.
B
Why
is
the
optimizer
outside
the
can?
We
move
the
optimizer
interpolation
into
the
strict
code
right
now?
It's
in
the
sloppy
Richard.
A
D
What
is
the
concern
with
it
not
being
in
the
with
not
with
it
being
so.
B
You
know
it
would,
it
would
actually
still
shatter,
because
that's
a
strict
directive
out,
which
has
which,
which
which
has
a
it's
it
it's
as
if
it's
surrounded
by
open,
curly
clothes,
Curly,
it's
its
own
nested
block
scope,
so
I
think
I.
Think
yeah
I
think
we
could
move
line
67
down
below
line
69.
C
D
B
C
B
This
case
it's
pretty
safe,
it's
just
if,
if
everything
else
were
equal,
I
would
prefer
it
to
be
strict,
but
as
as
you
point
out,
everything
else
is
not
equal.
We
want
to
do
the
optimization
once
not
once
per
invocation.
Okay,.
D
A
Yeah
we
could
achieved
that
with
another
iffy
yeah
double
yeah,
in
any
case,
we're
at
we're
at
time
and
have
another
great
meeting,
look
to
look
forward
to
all
we'll
see
on
the
other
side
right.