►
Description
In this call, MarkM and Mathieu deliver a new understanding about how Records and Tuples should be new language primitives, how this will interact with the evolution of SES to accommodate them, and the constraints on the design that are sufficient to preserve confinement invariants.
A
All
right
welcome
to
the
cess
meeting,
we're
resuming
our
conversation
on
records
and
tuples
and
we've
had
since
our.
Since
we
last
spoke.
We
we
were
stuck
on
the
matter
of
which
of
the
bad
options
we
were
on
the
table
and
on
the
work
side.
Mark
and
matthew
have
been
working
hard
to
figure
out
a
way
to
to
move
forward
so
mark.
Let's
take
it
away
so.
B
Okay,
so
I'll
get
I'll
I'll
actually
do
it
sort
of
from
my
subjective
point
of
view
on
the
record
now
and
then
and
then
we
can
proceed
from
there.
So
I
was
objecting
to
records
and
tuples
as
primitives
because
of
old
code
that
would
check
for
for
primitive
and
then
say.
Well,
if
it's
a
primitive,
it's
it's
fine.
There
can't
be
any
hidden
authority
here.
Let
it
through
and
matthew,
had
previously
raised
the
thing
about.
B
Cess
project
that
people
keep
using
and
that
we
keep
maintaining
as
the
spec
evolves,
and
once
you
do
the
case
splitting
the
dilemma
I
was
worried
about
goes
away
and
the
reason
it
goes
away
is
that
old
says
because
of
the
white
listing
mechanism
and
because
box
is
already
not
on
the
white
list
will
remove
box
and
therefore
the
security
dangers
for
old
says
does
not
arise
because
bach
the
whole
box
constructor,
is
simply
censored
now.
B
We
simply
stop
testing
for
deep
primitiveness
in
the
old
ways.
Part
of
the
records
and
tuples
proposal
is
to
provide
a
new
predicate,
which
is
needed
anyway,
for
is
this
deeply
primitive,
which
you
can't
tell
by
just
type
of
or
using
the
object,
constructor
so
every
place
that
that's
that
maintains
ses
needs
to
know.
If
something
is
primitive,
it
would
switch
to
the
new
primitive
and
only
after
it
successfully
switches
everything
over
to
the
new
primitive.
B
Would
we
stop
censoring
the
box
constructor,
and
at
that
point
we
can
accept
the
new
language
with
records
and
tuples
and
with
box
and
without
the
security
danger
so,
and
I
think
that
case
splitting
not
only
applied
one
of
the
things
I
was
very
worried
about
is
we
know
that
cess
essentially
has
been.
You
know.
The
core
assess
has
been
reinvented
several
times,
so
we
should
presume
today
that
it's
also
still
reinvented
several
times
by
people
out
there
in
the
wild
that
we
don't
know
about.
B
I
keep
coming
across
academic
papers
that
try
to
secure
javascript
and
that
rediscover
elements
of
sas
on
their
own
or
or
partially
cite
us
and
then
rediscover
other
things.
I
know
that
the
history
of
salesforce
was
caridi,
was
kind
of
reinventing
cess
just
from
the
enablers
in
javascript,
without
knowing
about
ocap
theory
just
from
from
what
it's,
what
it
seemed
like
was
possible.
B
So
the
reason
I'm
still
okay
under
that
scenario
is
anything
that
is
successfully
securing
javascript
in
assess
like
way,
must
already
have
a
white
listing
mechanism
like
this,
because
there's
enough
dangerous
other
things
that
come
in
that
need
to
be
removed
because
they're
not
on
the
white
list,
so
anything,
that's
that's
successfully.
Securing
javascript
in
a
cess-like
way
must
already
have
a
white
listing
mechanism
like
this.
So
I
think
the
same
case
splitting
applies.
C
C
My
understanding
of
those
use
cases
is
there
isn't
really
a
whitelisting
mechanism
like
that,
which
means
a
box
might
be
mined
up
getting
constructed.
C
C
D
And
this
is
just
to
try
to
understand
what
you're
saying
you're
talking
about
saying
the
main
iframe
kind
of.
C
Yeah
so
same
domain
iframe,
I'm
assuming
that
when
you
create
a
realm
in
same
domain
iframe,
I
don't
know
if
you're
censoring
all
the
apis,
all
the
globals
of
that
iframe
and
if
you
would
be
removing
the
box
constructor
in
them.
I
don't
know
if
you
ever
have
a
case
where
you
need
to
put
a
membrane
between
the
incubator,
realm
and
a
created
realm,
and
in
that
case,
is
it
possible
for
the
incubator
realm
to
create
boxes
and
pass
them
to
a
created
realm.
B
B
C
Right
and
so,
if
that's
the
only
case
we
actually
care
about
and
if
those
created
realms
do
clean
up
their
global
and
sensor
the
box
constructor
the
same.
C
The
same
reason
sets
would
be
safe.
Membranes
like
this
or
systems
build
on
top
of
real
membranes
would
be
safe
as
well.
I
it's
it
just
feels.
I
don't
know
enough
if,
if
that's
actually
the
case
in.
D
This
is
exactly
what
we
what
we
use,
so
I
believe
that's
not
a
problem
and
the
reason
why
that
should
not
be
a
problem
if
we
get
to
implement
the
checks
in
the
in
the
unboxing
method,
to
only
unbox,
if
you,
if
the
rom
associated
to
the
to
the
box,
is
the
round
that
is
trying
to
unboxing,
it
is
because
imagine
that
the
the
incubator
realm
creates
that
record
and
has
a
box
on
it
and
give
it
to
to
the
to
the
creator
on
what
we
call
blue
and
red
yeah.
D
Give
it
from
blue
to
red
red
will
not
be
able
to
open
that
up,
because
it
will
fail
by
unboxing
it
that
that
that
case
is
okay.
D
The
the
case
that
is
a
a
a
little
more
tricky
is
that,
assuming
that
you
could
access
the
box
prototype
method
from
the
other
rom
to
try
to
unbox
the
thing
on
the
other
end.
That
case
is
impossible,
because
when
you
create
a
membrane
and
you
try
to
access
the
box
in
one
side,
it
will
map
that
box
to
the
other
side.
So.
C
I
think
I
was
not
clear
enough
on
the
context
here.
I
I
entirely
agree.
So
this
is
what
this
is.
The
reason
I
I
said
to
be
entirely
safe.
Having
unbox
check
the
realm,
where
the
box
was
created
would
guarantee
that
the
multi-realm
use
case
like
that
would
never
be.
There
would
never
be
a
problem.
However,
this
is
a
contentious
point.
This
is
something
jordan
is
pushing
back
against
and
he
would
like
the
unbox
to
behave
to
not
do
a
realm
check.
C
Basically,
you
would
be
able
to
like
pluck
the
unbox
from
another
element
apply
into
a
box
created
locally
without
it
throwing
and
that's
what
I'm
wondering.
Is
it
something
we
can
actually
accommodate
or
is
it?
I.
D
Don't
think
so?
Okay,
I
don't
think
so
push
back
on
that
to
two
main
reasons:
the
the
one
what
you
mentioned
before,
like
we
are
in
that
scenario.
We
have
that
scenario
where,
if
the
thing
is
a
primitive,
we
don't
know
we
just
blindly
give
it
to
the
other
guy
and
the
other
guy
might
try
to
access
the
box
to
fail.
But
the
secondary
reason,
I
think,
is
more
important
is
to
have
some
coherence
with
the
shadow
realm.
D
Where,
in
the
shadow
realm
scenario,
you
will
never
be
able
to
unbox
because
you're
going
to
get
an
error,
because
you
cannot
get
access
to
an
object
from
from
another
realm,
and
I
believe
google
will
probably
have
the
same
stand
that
they
have
for
the
realms
when
it
comes
to
mixing
the
the
the
object
graph
from
different
realms
yeah
in
an
iframe,
you
will
be
able
to
do
that
if
you
have
access
to
the
iframes
prototypes
to
ask
to
try
to
unbox
with
the
with
the
foreign
prototype,
and
that
should
be
fine
and
there's
some
precedent
in
the
web
idl
for
that
most
likely.
D
I
remember
some
of
the
web
components.
Apis
registry
of
web
components-
stuff,
like
that,
that
you
must
have
access
to
the
other,
the
other
realm
api
in
order
to
try
to
access
or
do
something
that
is
meaningful.
B
In
any
way,
that
case
is
that's
that
case
still
same
origin,
or
is
the
web
component
case
where
they're
concerned
only
about
cross
origin.
D
Yeah
same
same
origin,
yeah,
okay,
yeah!
It's
just
that
you,
you
might
register
like
the
case
of
web
components
like
you
might
register
components
in
different
documents
and
you
might
be
able
to
instantiate
it
and
move
them
around.
But
when
you
move
them
around,
like
you
create
an
element
from
an
iframe
and
then
you
move
it
to
the
main
window,
and
this
element
now
will
do
some.
Creation
of
other
elements
is
no
longer
tied
to
the
old
iframe
anymore.
D
It's
remapped
to
the
iphone
that
received
the
thing.
So
there's
some
some
precedent
there
in
terms
of
oh,
you
must
have
the
thing
on
the
other
side
in
order
to
do
something
with
it,
which
I
think
is
fine,
but
the
the
fatal
one
is
like.
If
we
allow
that,
then
it's
just
simply
going
to
be
brock
and
foreshadow
shadow
realm,
because
in
the
shadow
round
you
never
will
be
able
to
do
that,
and
you
will
be
like
what's
going
on
here,
like
there's
a
reason
to
have
that.
C
Yeah,
that
means
shadow
realm
would
have
to
prevent
any
box
from
being
passed
across
the
boundary,
which
is.
D
D
B
B
So
if,
if
the
ability
to
unbox
is
local
to
a
protection
domain,
something
that's
seen
as
useful
that
you
can't
unbox
after
it's
passed
through
another
protection
domain,
then
if
we
put
the
unboxing
operation
on
the
constructor,
then
cess
can
treat
the
box
constructor
the
way
it
treats
the
date
constructor
or
the
function
constructor
as
local
to
a
compartment.
I
already
saw
on
the
thread
that
people
seem
to
that.
Mostly
people
seem
okay
with
box
dot
d
ref,
rather
than
putting
it
on
the
prototype.
People
seem
okay
with
that.
D
Yeah,
I
think
I'm
okay
with
that.
I
I
I
don't
see
the
I
when
it
comes
to
primitive.
We
already
have
the
present
and
for
the
dot,
something
that
the
done
notation
on
a
primitive
that
is
tied
to
the
local
prototype,
not
to
the
remote
prototype.
So
I'm
finding
the
way,
but
certainly.
B
B
Within
one
realm,
but
between
different
compartments,
let's
take
the
the
date.
Constructor
is
the
the
simplest
clearest
example,
which
is
in
the
start.
Compartment
you've
got
a
fully
powerful
date,
constructor
that
still
has
date.now
on
it
as
a
static
in
other
compartments.
You
have
a
safe
date,
constructor
that
you
from
which
you
cannot
find
the
current
time.
However,
both
of
them
point
to
the
same
date,
dot
prototype
instance.
Instances
created
by
any
of
them
are
instances
that
inherit
from
the
same
date.prototype.
B
Furthermore,
the
construct,
the
the
the
inert
constructor
pattern
or
the
safe
constructor
pattern,
as
is
that
from
any
of
these
constructors,
if
you
say
date,
dot
prototype,
dot,
constructor,
the
shared
prototypes
dot,
constructor
property
only
points
back
at
the
safe
date,
so
I
so
the
the
and
and
and
for
some
things
like
function
where
there
is
no
safe
one
to
be
generally
shared,
because
the
entire
concept
of
function
is
specific
to
a
global.
Because
of
scoping,
we
put
a
inert.
B
That's
the
inert
constructor
pattern
where,
if
you
say
function,
dot,
prototype
dot,
constructor,
you
get
a
function
that
only
that
looks
like
a
function
constructor,
but
only
throws.
B
B
They
can
have
different
dref
behaviors
as
statics
on
the
box
constructor,
but
box
dot.
Prototype
leads
to
the
same
shared
prototype
where
the
prototype
itself
has
no
draft
behavior.
So
it
should
have
no
draft
method
and
the
prototypes
dot.
Constructor
property
points
back
at
a
box,
constructor
that
is
safely
shared
and
the
only
way
to
make
it
safely
shared
across.
All
these
compartments
is
to
is,
for
its
dref
to
never
deref
anything,
because
it
has
to
be
shared
between
different
protection
domains.
D
B
But
if
you're
going
to
have
the
primitives
behavior
differ
between
realms,
then
it
then
people
will
come
to
expect
that
that
and
and
if
you're
doing
that,
in
a
way
that
people
can
use
that
to
treat
realms
as
a
protection
domain.
So
they
can
count
on
the
box
being
underefficable
from
within
a
non-origin
protection
domain.
B
C
I
mean
you
could
make
both
work,
but
conceptually
so
I
I
want
to
say
quickly,
I
I
agree
and
mark.
Actually
we
don't
you
don't
contradict
something
you
don't
reconstruct
something
we
agreed
upon
earlier
because
earlier,
when
we
discussed
this,
the
original
idea
was
to
have
books
being
equal
and
not
realm
specific
here
at
this
point,
since
they
would
only
be
able
to
contain
objects
they
to
do
to
perform
this
check.
C
They
would
also
be
realm
specific,
so
making
the
constructor
and
the
unboxing
mechanism
compartment
specific,
makes
sense.
So
we're
we're
good
yeah,
actually.
B
That's
right,
but
that
would
be
something
that
cess
does
as
part
of
as
as
part
of
part
of
how
cess
changes
javascript
during
lockdown,
just
as
it
does
for
date
right
in
normal
javascript
date.prototype
points
back
at
the
dangerous
date
object
after
cess
does
lockdown
after
you
do
lockdown
in
your
assess
environment,
date.prototype.constructor.
B
Points
back
at
a
safe
date
that
everyone
shares
likewise
function.prototype.constructor
points
back
at
a
safe,
shareable
function,
constructor
and
the
function
constructor
is
in
order
to
be
safe
and
shareable.
That
one
has
to
only
throw
so
you
have
to
so.
The
constraint
is:
what
is
it
that
is
safe
and
compartment
independent
and
it's
okay?
If
it's
not
very
useful,
because
nobody
looks
up
the
useful
one
by
following
the
dot
constructor
property,
making
the
dot
constructor
property
lead
to
something
that's
much
less
useful.
B
We
have
found
essentially
breaks
no
code,
so
the
the
proposal
is
that
for
cess,
the
from
any
box
constructor
box.prototype.constructor.
B
B
Refuses
to
dereference
any
box,
and
as
I'm
saying
this,
I
realized
it
could
actually
be
more
permissive
than
that.
It
could
just
be
that
every
box
constructor
only
derefs
boxes,
that
it
constructs,
which
you
could
keep
track
of
with
a
weak
map
and
then
even
the
shared
one,
so
that
that's
a
possibility
for
making
it
more
permissive,
as
I'm
saying
this
out
loud,
I'm
uncomfortable
with
it,
but
even
if
it
can't
de-ref
anything,
nobody
will
care
because
nobody
finds
these
things
by
following
the
dot
constructor
property.
F
Okay
thanks
so
yes
like
having
a
prototype,
is
really
nice
for
us,
because
this
means
that
we
can
have
the
value
of
method
that
jordan
wants,
because
for
records
you
can
unwrap
a
wrapped
record
without
value
off,
but
for
box
value
off
is
the
only
way
to
to
get
back
the
primitive.
B
Oh,
the
object
wrapper.
That's
fine!
That's
fine,
leaving
leaving
the
the
value
of
on
the
prototype,
because
that
will
be
the
case
across.
Let's
bring
it
back
to
what
we're
generalizing
from.
If
you
create
an
object,
wrapper
on
a
primitive
in
one
realm,
including
an
object
wrapper
of
a
record
or
a
box,
and
you
pass
that
to
another
realm
and
in
the
other
realm
you,
you
do
a
box.prototype.valueof.call.
B
D
Yeah
nikola,
that's
what
what
I
was
saying
before,
like
in
a
real
case,
there's
another
way.
You
have
a
membrane
that
brings
some
guarantees
there.
You
will
never
be
able
to
get
your
hands
on
that
other
box,
prototype
or
box
method
from
the
other
from
the
other
name
in
space,
because
it
will
be
remapped
to
your
local
one
and
it
will
continue
to
throw.
E
What's
what
are
the
possibilities
of
iframe
based
systems,
not
sanitizing
the
global
as
well,
because
I
understand
you
know
the
separation
of
object
graph.
Does
that
pretty
much
always
go
hand
in
hand
with
reducing
access
to
powerful
things
like
date
and
fetch,
or
could
there
be
quite
legitimately,
people
that
are
purely
doing
object,
graph
separation,
but
no
other
security.
C
I'm
not
a
specialist
here,
but
my
understanding
is,
since
there
is
a
membrane.
Anything
that
looks
like
an
object
would
be
wrapped
anyway.
So
it's
not
as
risky
to
not
sanitize,
but
I
will
let
kary
d
talk
about
membranes
and
realms
yeah.
D
No,
I
I
think
I
would
say
that
keeping
the
separation
between
a
same
domain,
iframe
and
then
main
window
or
multiple
saying
the
mining
frame
is
very
very
hard.
We
haven't
found
very,
very
little
code
that
can
actually
keep
that
separation
very
clean,
and
the
objective
here
is
that
the
box
doesn't
introduce
a
new
thing
that
might
hinder
that.
D
But
again
it's
just
really
really
difficult
to
have
that
that
separation,
when
it
comes
to
errors
and
throws,
and
things
like
that,
like
people
do
crazy
things.
So
I
think
the
answer
to
that
is
we
don't
know
if
there
is
anything
out
there
in
the
world.
I
doubt
it
that
there
is
something
out
there
in
the
world
that
is
very
well
though,
and
implement,
and
then
that
has
a
clear
separation
and
it
never
leaks
anything,
and
it's
just
very
hard
to
think
about
something
like
that
in
a
same
domain
scenario,.
C
However,
I
think
kerali
had
a
great
point
earlier
is
that
if
you
do
not
throw
on
unboxing
for
a
box
that
was
created
in
different
realm,
the
shadow
box,
the
shadow
realm
semantics
have
to
change,
and
instead
of
allowing
a
box
through
the
collarbone
boundary,
you
now
have
to
decline
it,
and
that
makes
a
membrane
building
on
top
of
shadow
realms,
either
impossible
or
extremely
difficult
and
inefficient.
B
B
You
have
to
reconstruct
the
box
around
the
proxy
anyway,
and
so
for
the
case
where
you
construct
a
membrane
on
top
of
the
callable
boundary,
because
not
passing
the
box
makes
you're
already
not
passing
other
things
through
the
call
of
the
boundary
you're,
not
passing
objects,
and
then
you
have
to
reconstruct
proxies
without
having
passed
the
object.
C
So,
first
passing
a
box
that
you
cannot
unbox
makes
the
box
nothing
more
powerful
than
a
unique
symbol.
So
I
don't
believe
that
creates
any
hazard.
C
So
as
for
basically,
it
allows
you
to
pass
a
record
through
and
rely
on,
the
identity
of
the
of
the
record
through
basically
create
the
proxies
on
the
other
side
for
the
content
of
the
box
and
and
replace
them.
So
so
I
I
did
a
mental
exercise
like
few
days
ago,
and
I
looked
at
how
kerdi
and
implemented
ireland
I
it's
it's
beautiful
engineering,
it's
really
hard
to
understand
and
and
that
one
is
not.
C
I
I
looked
at
how
box
and
how
box
and
records
could
be
supported
through
that,
if
you
assume
identity
being
able
to
put
in
weak
map
and
assume
that
you
can
pass
them
through
and
and
it's
actually
fairly
easy
to
add
support
without
too
much
performance
impact.
You
can
just
pass
the
record
through
and
pass
instruction
on
on
on
for
each
content
of
the
box.
Basically,
a
deep.
C
How
do
you
say
a
deep
spread
of
the
the
boxes
and
and
passing
the
record
and
then
just
recreating
a
record
on
the
other
side
once
where,
if
you
don't
have
that
capability,
you
need
to
re,
take
a
record
if
it
has
boxes,
remove
all
the
boxes
so
you're
you
have
to
clone
a
record
that
way
which
would
not
have
the
same
structure
because,
instead
of
boxes
now
you
have
to
put-
I
don't
know
undefined
or
symbol
instead
or
something
like
that,
pass
it
through
somehow
reconstruct
a
record
showing
everywhere
where
there
were
boxes
that
were
removed.
C
But
since
you
don't
have
an
identity
to
do
that
again,
I'm
not
sure
what
you
can
do.
You
can't
put
those
symbols
in
in
there,
so
I'm
not
sure
how
you
can
easily
identify
where
the
holes
were
and
to
reconstruct
the
record.
On
the
other
side,
it
makes
it
really
much
harder
to
reason
about
for
the
memory.
D
I
I
I
thought
I
was
I
was
I
was
reading
your
comment.
I
was
trying
to
reason
about
this
clearly
more
advanced
mechanics
that
we
could
do
and
I
want
to
specify.
There
are
two
ways
in
which
I
see
using
records
in
a
in
a
membrane
on
top
of
of
a
shadow
realm.
The
first
one
is
to
use
it
as
an
internal
artifact
to
communicate
between
the
two
sides
of
the
membrane,
because
you
can
give
them
something
and
then
they
can
send
back
that
thing.
D
D
So
that's
just
a
very
clear
to
me
at
this
point
that
it
will
help
a
lot
right
now
we're
using
the
the
tracks
with
the
functions
and
the
callable
functions
that
put
something
in
memory
in
one
side
of
the
mem
and
the
membrane
and
on
the
other
side.
So
you
can
recollect
what
the
other
side
is
saying
about
the
objects
that
you
that
you
control,
so
we
could
do
a
lot
easier
with
boxes
through
records
on
on
the
internal
mechanics
of
the
membrane.
D
The
second
one
is:
how
can
we
efficiently
create
a
record
on
the
other
side
that
has
the
proper
boxes
and
where
those
boxes
will
have
a
proxy
of
the
value
on
the
other
side,
on
the
box
on
the
other
side,
and-
and
it
seems
that
the
the
ideas
that
you
brought
up
made
me
think
a
little
bit
more
and
the
way
we
do
it
for
objects.
Today
is
all
lazy.
D
So
I'm
just
going
to
give
you
I'm
going
to
give
the
other
side
a
reference
to
an
object,
I'm
giving
you
the
metadata
of
that
object
and
on
the
other
side,
you
create
a
proxy
and
if
the
other
side
ever
interact
with
that
proxy,
then
you
go
through
the
membrane
again
and
you
ask
what
exactly
is
the
other
side
trying
to
do
so
you
ask
for
that
particular
piece,
and
then
you
reconstruct
the
object
from
that
point
of
view.
In
the
case
of
the
record
we
could
we
could.
D
We
could
do
a
lot
better
by
saying
I'm
going
to
give
you
a
record,
you
must
do
something
on
the
other
side
to
reconstruct
the
record
on
the
other
side,
and
I
don't
have
to
do
any
ahead
of
time
processing
here.
I'm
just
going
to
give
you
the
record
on
the
other
side
will
say:
okay,
I
got
the
record.
Let
me
see
there
are
boxes
on
it.
Let
me
loop
through
those
boxes.
Let
me
ask
for
each
of
these
individual
boxes.
D
Can
you
give
me
a
proxy
of
what
is
inside
the
box
on
the
other
side,
and
is
it
single
pass?
If
we
have
the
mechanic,
the
mechanics
for
that,
it
would
be
a
single
pass
just
to
reconstruct
a
new
record
by
replacing
the
boxes
on
it,
and
if
we
can
optimize
that
in
the
engine
that
would
be
pretty
cool
because
you
just
simply
look
through
it
change
it
produce
a
new
record
with
the
new
boxes,
you're
done
and-
and
that
seems
very
elegant
to
me.
I
hope
I
hope
that
we
can
get
to
that
point.
B
So
after
this
conversation,
the
assumption
that
I'm
inclined
towards
is
that
until
we
tried
someone
should
try,
the
experiment
be
wonderful.
If
somebody
would
try
the
experiment,
but
I'm
not
volunteering,
to
write
a
a
membrane
on
top
of
a
callable
boundary
under
each
of
these
engineering
assumptions
and
seeing
how
much
pain
there
actually
is.
If
we
don't
allow
boxes
to
pass
through
the
caldwell
boundary,
but
so
first
of
all,
that
would
be
wonderful.
Somebody
did
that,
but
I'm
not
volunteering.
B
In
the
absence
of
anybody
trying
the
experiment,
I'm
not
inclined
to
introduce
a
hazard.
Even
if
I
agree
it's
not
a
vulnerability,
I'm
not
inclined
to
make
boxes
pass
through.
The
call
will
boundary
in
the
absence
of
an
experiment
showing
that
it's
substantially
more
painful,
to
construct
a
membrane.
D
So
I
pasted
it
in
the
link
there.
This
is,
in
my
opinion.
Obviously
I
have
worked
on
it.
In
my
opinion,
this
is
the
most
advanced
neo-membrane
implementation
that
we
have
done.
What
material?
What
you
we
saw
in
in
the
iran
is
kind
of
a
dummy
version
of
these,
and
if
you
spend
time
on
it-
and
we
have
a
few
folks,
rick
and
jd
and
myself
mostly
working
on
this
particular
file
this.
D
If
it
feels
to
me
that
with
the
identity
issue-
and
I
know
it
is
an
issue
because
daniel
raised
that
issue-
these
are
incoherence
between
what
the
requirement
tuple
will
will
do.
If
we
allow
boxes
to
be
passed
through
the
callable
membrane,
the
callable
boundary
versus
what
happened
with
the
functions
today
that
are
wrapped
and
then
when
they
come
back,
they
are
wrap
again.
So
they
don't
preserve
the
identity.
D
B
C
F
Sorry
go
ahead:
okay!
Okay,
thanks
does
really
a
function,
keep
identity.
If
you
pass
from
one
side
to
the
other
one
and
then
back.
Doesn't
it.
D
F
Identity
and
the
inconsistency
that
daniel
pointed
out
was
that
if
you
have
a
function
inside
of
a
box,
you
pass
it
to
one
side,
and
then
you
pass
it
back.
B
D
D
F
D
Four
four,
four
four,
so
so
I
I
think
I
understand
what
you're
saying
mark
yes,
so
if,
if
you
give
a
record
with
a
box
to
the
other
side
on
a
membrane
on
top
of
a
call
of
a
boundary
and
they
eventually
send
back
the
record,
you're
gonna
get
a
the
the
orino
record
with
the
arena
boxes
on
it
good.
D
All
right,
well,
you
in
in
this
particular
case,
because
the
boxes
the
the
boxes
are
are
going
to
have
a
a
type
of
that
is
not
object
right
right.
The
membrane
the
initial
implementation
membranes
are
out
there
in
the
wild
will
will
not
support
that.
They
will
not
be
able
to
unbox
right
until.
B
D
Introduce
the
capacity
or
the
capability
to
do
the
the
the
proper
process
to
preserve
that
identity
in
the
first
place.
No.
B
D
Which
is
using
the
the
new
predicate
to
check
if
the
thing
has
the
boxes
and
then
do
the
extra
exercise
of
reconstructing
a
record
that
has
different
boxes
on
it
and
having
the
proper
mapping
between
the
two
sides
of
the
membrane.
So
if
it
comes
back,
it
comes
back
at
the
arena
record,
not
as
the
record
on
the
other
side.
C
D
Yeah,
I
think
it's
going
to
just
be
a
problem
for
for
for
adoption
and
record
tuples.
If
you
just
simply
block
that,
I
I
don't
see
any
problem
with
letting
them
pass
through
the
callable
boundary,
and
I
see
some
benefits
that,
from
my
point
of
view,
are
important
for
implementation
of
membrane,
but
also
for
the
you
to
speed
up
the
process
of
of
of
communicating
between
the
two
sides
of
the
membrane
for
users.
C
There
are
use
cases
for
shadow
realms
that
don't
involve
a
full
membrane
and
it
like
isolation
of
code
executed
and
if
that
code
just
wants
to
go
and
and
operate
on
on
the
record,
whether
it
has
boxes
in
it
or
not
and
and
transform
it
without
touching
the
boxes,
it
should
be
able
to
do
that.
Yeah.
D
And,
and
and
and
and
again
it's
you
you're,
so
it's
right,
it's
not
really
about
membranes,
it's
just
any
kind
of
protocol
that
you
want
to
implement
and
that's
why
I
was
talking
about
the
using
this
mechanism
as
an
artifact
to
do
the
communication
between
the
two
sides.
So
if
you
had
to
build
your
own,
let's
say
you,
you
have
a
plugin
system.
D
You
want
to
evaluate
plugins
there
and
the
plugin
has
to
communicate
back
to
through
the
callable
boundary,
with
the
incubator
and
share
some
data,
some
metadata,
some
objects
or
whatever
some
identities
that
you
use
just
to
control
the
communication.
D
C
Yeah
and
I
think
in
general,
this
the
difference
be.
Actually,
there
is
a
difference
between
a
box
that
you
cannot
unbox
and
a
symbol
is
that
you
can
actually
put
it
in
a
in
a
weak
map
and
and
that's
very
powerful.
C
It
actually
does
solve
the
it
does
solve
the
problem
of
of
symbols
that
we
cannot
use
as
weak
map
keys
currently
and
and
use
an
identity.
That's
shareable
directly
across
the
shadow
realm
callable
boundary.
B
Let's
say
that
we
do
pass
boxes
through
the
callable
boundary
and
that
you
know
we're
all
agreed
that
they're
not
unboxable
on
the
other
side
that
they're
just
opaque,
but
they,
but
they
come
back
and
they
preserve
identity.
B
So,
let's
now
not
worry
about
building
a
membrane
that
passes
records
and
tuples
and
boxes
through.
Let's
say
that
we
that
that
that
boxes
pass
through
the
coral
boundary,
as
we
stated
and
now
we're
just
interested
in
building
a
normal
membrane.
B
D
Sorry,
instead
of
that
thing
that
that
you
mentioned,
which
is
I
I
give
you
this
box
to
the
other
side,
you
send
me
back
whenever
you
want
to
do
an
operation.
On
top
of
that
update
you,
don't
you
don't
have
access
to
the
object?
You
only
have
access
to
the
record.
That
represents
the
object
internally
and,
and
so
you
do
operations
on
the
other
side
and
anytime
that
you
have
to
do
an
operation.
On
top
of
that
object,
you
send
me
that
object
back
and
I
unbox
it
and
use
it.
D
Do
the
operation,
whether
that's
a
get
or
a
set
or
where
it
has
or
a
defined
property
or
whatever
it
is,
and
I
return
the
result
back
that
that
simplifies
the
thing
right
now.
What
we
do
is
different.
We
give
you
a
function,
you
give
me
a
function
back.
That
function
has
no
identity.
I
need
to
call
it.
It
set
something
globally.
Yeah
on
the
scope.
I
take
that
thing
that
I
have
in
the
scope
and
I
use
it
as
the
mapping
between
the
function
and
the
identity
wrapping
that
function.
B
Okay,
so
let
me
just
make
sure
I'm
getting
the
punch
line
here
accurately
if
we
introduce
boxes
and
have
them
pass
through
the
cauldron
boundary,
as
we
talked
about
that
building
a
membrane
using
the
box
encoding
just
for
normal
objects
in
order
to
get
a
membrane
across
the
coral
boundary.
Using
this
as
the
encoding
for
communicating
across
the
coral
boundary
means
that,
for
normal
purposes,
membranes
become
much
cheaper
and
more
straightforward.
Even
when
there's
no
records
and
tuples
and
boxes
involved
in
what
we're
sending
across.
B
E
E
If
I
get
two
records
passed
across
a
callable
boundary,
they
have
boxes
in
them,
and
I
now
want
to
compare
if
they're
equal
engines
going
to
have
any
issues
with
the
fact
that
we're
trying
to
compare
things
as
in
like
could
either
side
of
this
different
realm,
be
in
a
different
address,
space
or
anything
and
they're,
going
to
be
confused.
Trying
to
compare
these
things
or
not,.
B
Yeah
the
place
where
people
create
separate
garbage
collectors
in
separate
address
spaces
is
either
between
different
origin,
iframes
or
between
different
agents.
E
C
In
a
scary
dimension
like
we're
not
introducing
anything
new,
the
the
object.
Graphs
like
themselves
are
isolated
for
shadow
realm,
but
the
linkage
between
the
two
is
not
you
can
already
reference
indirectly,
through
a
wrapped
function,
an
object
from
one
side
to
another.
It's
just
you
have
that
you
have
that,
like
boundary
of
the
wrap
function
here,
the
boundary
would
be
different.
It
would
be
the
box.
E
D
D
Yeah
and
one
one
question
that
I
have
is
that
with
these
new
or
another
new
by
the,
they
seems
that
the
clear
path
forward
is
to
have
them
as
primitive.
C
And
this
is
why
I'm
still
also
saying
like
only
being
able
to
put
an
object
or
function
inside
a
box
makes
this
a
lot
more
easy
to
reason
about,
and
I
know
there
are
use
cases
for
putting
primitives
in
boxes,
but
I
still
don't
fully
grasp
them
and
how
how
prevalent
they
are.
E
If
boxes
can
go
across
a
callable
boundary
that
strengthens
the
argument
about
weak
maps,
because
one
objection
to
putting
them
in
a
weak
map
is
you
can
just
emulate
that,
because
you
can
unbox
the
box
use
a
like
a
finalization
registry
and
kind
of
emulate
weak
behavior.
But
if
the
other
side
can't
unbox
a
box,
the
only
way
they
can
hold
it
weekly
is
if
it's
natively
supported
directly.
E
So
that's
those
two
things
kind
of
go
hand
in
hand,
passing
it
across
a
realm
not
being
able
to
unbox
and
whether
they
can
be
weak
map
keys.
I
think
they're
tied
together.
A
So
we
are
auspiciously
close
to
converging
on
into
concluding
on
the
hour
on
a
high
note,
so
I
I'd
like
I'd
like
nicolo,
has
volunteered
to
summarize
what
what
we've
converged
on
since
we
last
spoke,
so
that
we
can
start
from
there
when
we,
when
we
resume
a
conversation
on
records
and
tuples.
F
Okay,
so
I
think
we
now
all
agree
that
record
support
doubles
and
boxes
can
be
primitives
and
the.
So
this
is
good.
We
didn't
really
talk
about
the
ability
of
putting
primitives
instead
of
boxes.
I
think
we
mostly
all
agree
that
we
can
disallow
primitives,
but
we
can
talk
about
this
again
if
needed,
we
are
still
discussing
about
what
to
do
with
boxes
that
cross
crosstalk
that
go
from
one
run
to
the
other
they
shouldn't
be
allowed
to
be.
F
Yeah
so,
and
it's
important
that
we
move
the
unbox
function
from
the
prototype
to
the
to
the
box
constructor
so
that
it
it
can
be
replaced
in
compartments
to
have
a
like
a
same
compartment
check.
A
That
sounds
that
sounds
like
what
I've
heard
does
is:
does
that
match
everybody's
understanding.
B
Yeah
I
I
would
go
a
little
further
on
on,
I
think,
with
regard
to
boxes
across
the
column
boundary
I
was
the
only
one
who
expressed
that
I'm
uncomfortable
with
it
and
then
after
coridi's
punchline
about
regular
membranes,
become
much
easier
and
probably
more
efficient.
B
I'm
now
fully
on
board,
with
with
boxes,
go
through
the
callable
boundary
opaquely,
but
identity.
Preserving.
I
think,
that's
now
very
powerful.
F
C
Yeah
one
thing
that
wasn't
mentioned,
but
it
is
very
important-
is
that
there
is
no
way
to
syntactically
create
a
box.
Yes,.
D
I
think
the
going
in
in
the
opposite
direction
and
letting
records
to
be
unboxed
from
another
realm
will
again
just
get
a
different
set
of
people,
a
different
group
to
object
to
I'm
talking
specifically
about
google
positions
and
I'm
not
introducing
any
new
api
that
allow
this
kind
of
intertwined
object.
Graph
between
roms.
E
B
E
D
Yeah
to
use
jordan's
punchline
like
this
is
not
a
very
common
use
case.
Anyways,
like
you,
normally
don't
do
those
things
across
iframe
and
using
things
from
the
iframe
and
that.
B
C
Exactly
yeah
and
that
that's
kind
of
was,
I
was
like
if
we
could
make
this
check
instead
of
being
from
where
the
box
functions
and
constructors
were
constructed.
But
if
we
could
make
those
sensitive
to
where
they're
called
from,
I
think
it
would
alleviate
all
the
problems,
but
that
would
be
probably
very
bad
in
a
lot
of
other
yeah.
That's.
E
B
A
Yeah
all
right.
Well,
I
think
that
that's
that's
that's
good
for
this
week.
I
think
this
is
excellent
progress
this
week
and
and
we
have
a
pretty
clear
idea
of
what
the
what
the,
what
the
next
actions
are
for
this
topic.
So
thank
you,
everyone
for
joining
us
for
this
meeting
this
week,
I'm
going
to
pause
about
stop,
recording.