►
From YouTube: SES-mtg: purity-checker, realm-optimize, JSFoundation
Description
No description was provided for this meeting.
If this is YOUR meeting, an easy way to fix this is to add a description to your video, wherever mtngs.io found it (probably YouTube).
B
B
A
B
B
Right
cool,
so
a
little
bit
of
a
beggar
initially
I
started
writing
a
engine.
Now.
Could
you
run
with
a
yes,
prima
coach
and
a
bunch
of
other
things
and
try
to
write
the
rule
there
and
particle
there,
but
then
I
realize
it's
a
bit
too
much
to
crunch
at
first.
So
now
what
you're
looking
at
is
basically
a
set
of
tests
that
I
wrote
on
an
es
length.
B
A
Okay,
let
me
just
answer:
Alex
just
asked
I
thought
we
were
starting
in
one
we're
jet,
where
we're
getting
started
with
day
on
showing
us
his
implementation
of
the
purity
checking
rules,
we're
starting.
We
started
early
because
Dan
has
to
leave
soon
while
we
are
recording.
So
you
know
anybody
joining
on
time
or
later
will
at
least
be
able
to
refer
to
the
recorded
beginning.
B
Okay,
yes,
Wow
cool,
so
I
want
a
little
bit
of
an
explanation.
I
wrote
three
rules
which
are
all
packed
in
a
plugin
there's
room
for
more
I
am
wrote
tests.
Luckily,
yes
length
as
you
begin
writing
an
enhancement
plugin.
It
gives
you
the
infrastructure
to
run
tests
and
write
to
move
pretty
easy,
so
I've
defined
some
tests
here
and
when
you
see
in
god
console
is
the
execution
of
that
conceivable
now
for
each
room
there
is
a
valid
and
an
invalid
case.
Okay,
see
there's.
C
B
A
B
Okay,
so
I
started
with
some
basic
some
basic
stuff
at
first.
It
was
also
my
first
time
riding
any
asking
for
them,
so
I
had,
in
the
background
a
little
little
bit
of
research
duty,
but
no
undeclared
exports
means
that
whenever
you
are
trying
to
export
something
that
is
not
defined
in
the
current
module,
such
as
you're
trying
to
reference,
you
look
at
it
invalid
you're,
trying
to
reference
the
window
which
may,
which
is
the
global
in
in
the
browser.
For
example,
you
try
to
export
that,
but
also
trying
to
export
a
property.
B
B
C
B
When
is
my
talk,
you
know
export
imported.
It's.
There
is
a
pattern
that
I've
seen
in
the
world
where
people
gather
something
like
this.
They
have
a
folder
and
then
they
have
a
bunch
of
GS
files
and
then
in
an
index
file,
and
then
they
group
all
the
files
as
an
exports
of
of
this
index
in
this
index
file
and
then
technically,
what
that
allows
you
to
do
is
say:
import
module
from
my
package
more
than
one
for
my
package
doesn't
make
sense.
What
I'm
saying
I.
A
D
A
But
but
but
the
rules
the
rules
were
trying
to
enforce
is
that,
under
the
assumption
that
everything
you're
importing
has
everything
that
you're
importing
is
pure
and
everything
that
you're
exporting
will
be
hardened,
where
networking
that
everything
you're
exporting
is
therefore
pure,
but
you're
allowed
to
assume
that
everything
your
imported,
it's
clear
because
that's
supposed
to
be
enforced
by
the
loader
in
terms
of
loading,
an
allegedly
pure
module,
it
should
only
be
able
to
import
from
from
from
allegedly
pure
modules.
So.
B
A
B
A
Would
the
rules
I
have
in
mind,
don't
involve
any
multi
file
checking
it
is
checking
each
file
by
itself,
but
it's
assuming
a
loader
behavior
such
that
everything
exported
gets
hardened
before
it's
provided
to
anything
else
as
an
import,
and
only
things
that
satisfy
our
check
are
static.
Checking
rules
are
candidates
to
be
named
as
something
to
import
from
by
anything
else.
That's
allegedly
pure
right.
B
So
then
would
be
able
to
check,
for
whatever
is
not
harden,
didn't
keep
the
keyword,
functional
or
whatever
you
desire.
If
the
lintel
detects
that
in
the
static
analysis,
then
the
rules
will
ask
yeah,
yes,
yes,
but
I,
didn't
you
find
that
that
keyword,
and
so
this
would
be
knee
as
if
somebody
would
deliberately
skip
the
key
will
speak
the
final
something
has
been
hardened.
A
A
If
we
such
that,
since
we
could
import
from
something
named
foo,
what
we're
importing
from
is
pure.
So
the
foo
variable
that
we're
getting
is
pure
and
then
the
export
is
the
export
is,
is
exporting
to
a
loader
which
will
harden
the
result
and
now
we're
reasoning
statically
about
whether
curly
braket
foo
would
be
pure
if
hardened,
if
foo
were
pure
and
the
answer
should
be.
Yes,
yes,.
B
B
A
Let
me
interrupt
your
moment
because
a
bunch
of
new
people
have
just
joined
we
started
early.
Cuz
Dejan
has
a
lot
to
talk
about
with
his
static
checking
rules
for
purity,
and
he
has
very
limited
time
we
are
recording,
so
everybody
should
be
aware
that
we
recording
recorded
from
the
beginning
so
everything
that
Dejan
explained
before
the
meeting
officially
started
will
at
least
be
visible.
In
retrospect,.
A
B
B
E
B
Touched
on
you
can
there
are
our
considerations
about
what
happens
within
the
function
body
right
now.
I
am
able
to
check
whether-
and
this
was
a
little
bit
of
a
more
extreme
things,
so
we're
defining
a
bar
constitutes
an
object.
This
object
is
being
assigned
to
see
and
then
it
is
returned
to
see
basically
I'm
trying
to
somehow
lose
the
track
of
bar
prod
and
through
static
analysis.
I
am
able
to
find
out
that
bar
that
actually
see
points
to
bar
now
the
same
pattern
can
be
applied
to
parameters
function
parameters.
B
D
A
D
B
C
A
If
we
use,
if
we
we
like
to
say
that
private
state
is
we're
using
the
weak
map
model
of
private
state,
but
if
we
actually
write
it
using
a
weak
map,
we
would
have
to
do
much
stranger
analysis
to
make
a
purity
judgment.
The
purity
judgment
would
still
be
valid
if
we
did
the
much
more
complicated
analysis,
but
I'm
not
recommending
it.
Since
we
are
moving
forward
with
the
private
state
syntax,
let's
go
ahead
and
comment
out
line,
one
and
online
for
say:
pound
state.
B
B
A
So
that
is
the
private
state
syntax
that
the
committee
is
moving
forward
with.
It
is
defined,
purposely
to
be
equivalent
to
the
week
map
model
of
private
state
well,
but
if
written
this
way,
we
should
be
able
to
have
static,
checking
rules.
That
say
this
is
valid.
If
written
in
terms
of
how
this
would
expand
to
a
week,
map
I
do
I
would
I
would
not
expect
our
rules
to
be
sophisticated
enough
to
look
at
how
the
week
map
is
used
and
judge
it
to
still
be
pure.
D
D
D
A
So
this
so
so,
we
need
to
be
careful
about
what
we
mean
by
pure
we're,
using
the
definition
from
Dario's
thesis,
which
is
somewhat
different
than
the
definition
you'll
see
in
some
other
programming
language
work,
the
quiet,
I
would
say
this
class
is
still
pure
pure
does
not
mean
that
it
can't
create
mutable
objects.
Pure
does
not
mean
that
it
cannot
cause
effects.
It's
pure
means
that
the
object
itself
from
the
object
itself.
There
is
no
mutable
state.
That's
from
the
exported
objects.
There
is
no
mutable
state
that
is
reachable.
A
D
D
D
A
You're
accessing,
if
you're
accessing
a
free,
a
just
in
terms
of
speaking
in
terms
of
static
analysis,
if
you're
accessing
a
free
variable,
then
you're
not
pure
I'm.
Sorry,
if
you're
accessing
a
free
variable,
that's
not
on
the
white
list
of
safe
Global's
and
window
is
definitely
not
on
that
white
list.
A
If
you
say
HTML,
if
you're,
if
you're
say
HTML
element
as
a
free
variable,
you're,
not
pure,
the
only
things
that
are
on
the
white
list
of
free
variables,
you
can
use,
are
the
the
the
safe
Global's
from
ECMO
script
itself
like
object,
array,
math,
Jason
and
even
math
is
only
me.
The
math
and
date
are
only
pure
if
you
get
rid
of
the
ability
to
read
the
current
time
or
or
ask
math
dot
random.
That.
B
A
F
However,
when
you
transfer
a
web
component
from
one
frame
to
another
through
an
adoption,
this,
this
reference,
HTML
element,
is
handled
in
a
special
way
because
it
does
not
does
not
fade
a
problem
where
your
element
is
referencing,
a
different
HTML
element
than
the
one.
It
is
in
right
now.
So
so
there's
a
very
special
case
in
terms
of
HTML
element.
I
haven't
read
the
specifics
of
it,
but
but
it
really
is
a
very
special
case
that
you
should
be
aware
of
for
some.
A
Would
be
ok,
so
I
so
I'm
open
to
investigating
that
I.
The
this
whole
web
components
thing
is
not
something
I've
paid
enough
attention
to,
but
I
would
be
very
surprised
if
you
could
both
reference
HTML
element
and
be
pure
just
from
everything
that
I've
ever
experienced
in
the
browser
and
Dom
API.
That
would
be
very
surprising.
D
A
So
this
I
mean
this
is
a
great
example
of
something
where,
because
it's
impure,
you
can
write
a
resource
module
and
then
the
resource
module
will
be
loaded
by
a
per
compartment
loader
rather
than
a
per
route
realm
loader
and
then
different
compartments
can
have
different
views
into
an
underlying
Dom
tree.
So
there,
when
they
say
HTML
element,
they
can
mean
somewhat
different
things.
I
think.
D
G
A
So
Dan
I
just
saw
your
comment
that
okay,
thank
you
Dan.
He
just
dropped
off.
I
got
a
lot
out
of
that.
So
to
recap,
what
all
of
that
was
about
is
Kate
and
I
tried
to
write
down
some
static,
checking
rules
for
checking
that
a
module
could
be
judged
pure
such
that
a
module
loader
that
wanted
to
only
load
pure
modules
could
load
modules
that
passed
the
check,
and
the
rules
is
that,
if
you're
being
loaded
by
that
loader,
then
you
can
count
on
that
loader.
A
Okay,
there
is
this
new.
There
is
this
wonderful
right
up
from
the
model,
guys
the
guys
doing,
embedded
JavaScript,
where
they've
done
this
thing
called
preload
that,
where
they're
explicitly
making
comparisons
between
what
they're
doing
and
what
we're
doing
and
I
think
there's
and
the
basic
idea
here
is
that
if
you
can
do
some
initialization
of
an
application
in
a
way
that
does
not
depend
on
any
outside
state
and
then
once
initialized
freeze
everything
so
that
there's
no
longer
any
mutable
state.
E
Variables
so
you
could,
you
could
say,
I
want
to
run
the
meta
programming
in
the
host.
Sorry
in
the
compiler
versus
some
staged
object
functions
in
the
target,
so
you
could
refer
to
compiler
functions
and
you
could
refer
to
compiler
metas
inside
metas,
or
you
could
not
refer
to
the
target
functions
from
inside
those
matters.
Then
we
just
froze
them
exactly
the
same
way.
E
We
basically
said
all
of
our
all
of
our
meta
programming
was
out
the
window
when
it
comes
to
the
actual
runtime,
unless
you've
created
a
matter
that
can
run
it
out,
and
then
we
freeze
the
binary
that
way.
We
the
functions
we
created
with
the
meadow
programs
can
be
written
directly
into
the
text
section
as
opposed
to
data
mm-hmm.
D
A
D
A
That
kind
of
stage
separation
is,
is
very
nice,
the
additional
thing
with
the
moddable.
That's
that's
different.
If
I
understand
things
from
this
other
stage,
separation
systems
is
that
is
the
desire
to
take
the
preloaded
state
and
put
it
into
ROM,
therefore,
requiring
that
the
pre-loaded
state
be
made
pure
before
it
becomes
available
at
runtime.
E
E
E
A
E
That's
right:
I
made
some
progress
with
the
PEG
tag,
so
I
finally
have
extensible
grammars
working
on
my
side.
The
one
thing
that
I'm
missing
that
I
think
quasi
parts
are
generator
did
better.
It
is
the
error,
reporting
and
I
intend
to
do
that
with
commits
or
cuts
in
the
grammar
to
say
when
we
actually
have
a
grammar
item
that
we
don't
want
to
backtrack
over
mm-hmm.
E
So
the
other
thing
I'm
working
on
is
I'm
using
the
typescript
compiler
to
generate
the
actual
library
files
for
Jesse
for
Jessica
I'm
I'm,
actually
using
the
compiler
API
to
detect
the
static
analysis
that
we
need
to
make
and
also
I
can
provide
type
files
that
are
only
for
the
Jessa
just
a
subset.
So
when
you
compile
it
will
give
you
type
information
and
stuff
for
the
Jessa
subset
you're
easy.
But
if
you
go
outside
that
subset,
they
were
complaining
about.
That
attacks
is.
A
A
F
From
personal
experience,
I
used
to
write
a
lot
of
fights
for
it
and
when
I
discovered
how
much
my
code
is
different
than
what
I
thought
I
stopped
really
like
I
didn't
want
to
stop
because
it's
very
convenient
but
but
I
didn't
stop
and
because
typescript
is
not
useful.
I'm
script
is
very
useful,
but
at
that
time
they
were
also
introducing
the
idea
of
jeaious
dog
adaptation
based
type
checking,
and
that
is
really
heat
evolved.
That
then
I
don't
need
type
spread,
except
if
I
really
want
to
use
some
of
the
non
conforming
features.
F
I
find
that
I
definition
files.
How,
but
all
you
need
is
really
jazz
doc
for
most
of
your
route
type
checking.
Okay,
you
know
it's
like
an
interface
that
you
want
to
define
yeah.
You
can
do
that
and
you
know
secondary
high
definition
file,
but
as
a
from
fiber
it
does
change
you're
awesome,
but
obviously
you
can
set
the
correct
settings
to
prevent
that
from
happening.
Jesse
doesn't
have.
E
F
C
D
E
A
A
A
C
A
E
A
A
You
know
seven
or
so
lines
of
code
looks
like
my
lines
of
code,
but
our
magic
lines
of
code
that
are
the
core
of
the
realms
shin,
and
you
know
it's
really.
You
know
rather
extraordinary
how
how
well
this
works,
except
that
the
way
in
which
we
were
invoking
it,
we
were
invoking
it
so,
okay,
I'm,
sorry,
I
should
I
should
stop
and
say:
I
gave
a
presentation
on
this
has
does
it?
A
Okay,
well
so
wine
60
is
actually
the
topic.
I
wanted
to
talk
about
so
very
good,
so
so
what
this
is
about,
if
we
ignore
line
60,
if
we
ignore
line
60,
then
the
rest
of
this
is
just
let
there's
no
substitution
hole,
so
the
unsafe
function
here
we
just
replace
all
of
this-
is
just
the
body
of
an
anonymous
function.
A
F
G
A
A
D
D
A
D
A
A
G
A
I
think
that's
correct.
We
also
do
not
cover
the
optimizer,
which
is
actually
the
thing
I
wanted
to
discuss,
because
we
had
a
very
bad,
an
extremely
bad
performance
bug
that
I
think
you
guys
don't
have,
but
you
guys
don't
have
you
know
in
the
Salesforce
version
of
this,
but
I
think
the
reason
you
don't
have.
It
is
because
you
hard-coded
a
special
case
yeah.
G
G
A
G
G
A
A
Force
for
must
replace
the
global
error
error
constructor,
with
a
wrapper
because
of
the
way
the
v8
stack
capture
works
and
it
must
replace
the
global
reg
X
constructor,
with
a
wrapper
because
of
on
one
of
the
browser's
I.
Think
it's
Firefox
the
special
static,
mutable
global
communications
channel
things
like
dollar
one
are
not
deletable,
even
though
the
the
tc39
spec
says
that
they
must
be
deletable.
So
the
only
way
to
hide
them
is
to
hide
the
constructor
a
whole.
A
G
A
G
Where
we
made
a,
we
made
a
decision
to
have
the
tc39
specs.
Basically,
the
base
JavaScript
language,
as
all
identifiers
are
immutable,
hold
all
the
window
object
and
the
dummy
API.
They
are
beautiful
because
we
don't
optimize
them
except
for
we're
doing
and
doctor
so
it
gives
it
gives
some
flexibility
to
people
to
load,
say
a
old
version
of
file,
API
or
whatnot
and
override
the
one
we
provide.
G
C
A
G
G
A
G
C
G
So
maybe
I
can
rephrase
or
characterize
a
problem
that
you
correct
me.
If
my
simplification
is,
is
isn't
correct
in
your
case,
which
is
different
than
ours,
you
won't
have
the
capacity
to
execute
code
in
become
in
the
compartment
before
freezing.
It
then
invoke
freezing
and
then
continue
correct.
So.
A
It's
sort
of,
but
the
thing
that's
impossible
with
the
technology
that
we're
looking
at
impossible
with
any
technology
that
I
know
how
to.
How
do
you
know
pervert
JavaScript
into
is
to
have
something
code
that
is
already
evaluated,
continue
execution
now
with
new
optimizations
I.
Don't
think
I,
don't
think
that's
going
to
be
possible,
but
that
doesn't
correspond
to
what
we
actually
need
for
SES.
What
we
actually
need
for
SES
is
that
we
create
a
compartment.
We
create.
You
know
the
the
compartment.
A
You
know
the
compartment
in
which
you,
basically
we
create
the
root
realm,
which
which
has
all
the
compartment
logic
in
it
as
well.
We
evaluate
the
shims
in
there.
We
do
that.
While
everything
is
mutable,
then,
once
all
the
shims
are
evaluated,
then
we
freeze
all
the
Global's,
all
the
primordial
x'
and
then
once
we
only
once
we
do
that.
Do
we
then
evaluate
untrusted
code
now,
when
the
untrusted
code
invokes
functions
that
were
installed
by
the
shims,
those
functions
were
the
result
of
evaluation
prior
to
optimize
ability
and
therefore
they
will.
A
Those
functions
internally
will
still
pay
the
performance
cost,
but
that's
a
that
that
I
do
not
expect
to
be
a
significant
issue.
All
of
the
untrusted
code,
that's
loaded
after
freezing
it's
loaded
by
an
eval
that
happens
after
the
freezing
and
therefore
that
eval
can
benefit
by
optimizing
all
the
frozen
global
variables.
D
A
A
A
C
A
A
Reflect
dot,
define
property
of
of
this
comma
quote:
object,
comma,
writable,
writable,
colored,
frawls,
configurable
call
of
FOSS;
in
other
words,
I
freeze
the
property
and
then,
after
having
evaluated
the
string
that
causes
the
proper
to
be
frozen.
I
then
do
another
fresh
eval
by
calling
the
eval
function
on
on
that.
Just
the
string
object
now.
A
The
the
what
I
claim
we
want
to
happen
is
what
would
happen
according
to
the
ACMA
script.
Spec,
which
is
the
assignment
to
the
global
variable
object,
succeeds
changing
the
value
of
object.
The
defined
property
then
takes
the
property
named
object
on
the
global.
This
object
and
turns
it
into
a
non
writable
non
configurable
data
property,
which
is
now
guaranteed
to
have
a
static
value,
and
then
we
do
a
fresh
eval
of
the
string
object
which
now,
rather
than
faulting
through
the
proxy
mechanism
to
look
up
the
binding
of
object
ends
up.
A
Obtaining
the
value
of
object
from
the
lexical
variable
binding
created
by
the
optimizer,
so
so
let
me
explain
for
everybody
the
optimizer
course
we
didn't
actually
walk
through.
What
build
optimizer
does
so
build.
Optimizer
has
given
this
list
of
constants,
which,
in
the
scenario
I'm
talking
about,
would
include
the
the
name
object.
So
it's
a
list
of
constant
names.
A
A
If
there
are
constants
here,
such
as
the
name
object
and,
let's
also
say
the
other
things
that
will
typically
be
there.
You
know
when,
when
emulating
the
JavaScript
standard
would
be
Man,
undefined
and
infinity,
because
in
the
JavaScript
standard
those
are
also
defined
as
non
configurable
non.
Those
are
the
only
things
defined
as
non
configurable,
non
writable
data
properties
on
the
initial
state
of
the
global
object.
So
let's
say
the
constants
includes
those
four
values.
A
A
What
gets
plugged
in
on
line
61
is
referring
to
this.
So
I
didn't
I.
Didn't
explain
this
previously,
though
this
the
outer
function
is
invoked
essentially
with
two
arguments:
it's
invoked
with
a
this
binding
and
it's
invoked
with
an
argument
sub-zero.
The
arguments
sub-zero
is
the
proxy
we've
already
discussed.
A
The
this
binding
is
the
safe
global
from
which
the
constant
bindings
should
be
extracted
by
that
optimizer
string
and
they're
extracted
purely
by
the
optimizer
string,
is
using
the
new
JavaScript
pattern
matching
syntax
to
extract
all
those
from
the
safe
global
buy
pattern
matching
the
inner
function.
The
argument
is
also
invoked
with
effectively
two
arguments.
The
arguments
of
zero
is
the
spring,
and
the
this
finding
of
the
inner
function
is
the
the
global.
A
This
object
is
the
object
that
the
evaluated
code
should
perceive
to
be
the
global
object
and
those
are
not
necessarily
the
same,
but
it's,
but
for
the
purposes
right
now
we
don't
need
to
worry
about
the
difference.
We're
just
did
it
this
way,
so
that
we
have
the
flexibility
of
those
two
things
being
different.
D
I
think
or
things
that
we
talked
about
in
the
past
were
well.
Can
we
create
one?
There
is
a
mutation
that
is
affecting
the
optimizer
and
we
just
simply
regenerate
the
function.
I
were
saying
no,
because
whatever
you
already
have
a
way,
it's
pointing
to
the
rules,
that's
right,
all
the
things
that
are
that
were
optimizing
previous
incarnations,
all
right,
I,
remember
these
I.
D
D
A
A
Then
we
do
a
fresh
eval
of
something
else,
but
in
that
new
eval
we
take
the
function
we've
already
created
from
the
old
eval
and
the
new
eval
valuates
code
that
call
that
calls
the
old
function.
The
old
function
is
not
optimizable
because
it
was
created
by
evaluating
with
this
direct
eval
inside
a
constructed
function
whose
optimizer
did
not
include
object.
So
even
after
object
gets
locked
down,
functions
created
by
old
evaluations
remain
slow,
which
I
think
practically
does
not
matter,
but
anything.
A
A
Whose
optimizer
failed
to
optimize
for
us,
and
the
reason
is
that
we
create
the
this.
This
function
on
line
70
create
safe,
evaluator
Factory
is
given
a
safe
global
and
then
on
line
74.
It
figures
out.
It
looks
at
the
safe
global
to
figure
out
what
the
constants
are
uses
that
to
make
a
scoped
evaluator
Factory,
which
it
uses
to
make
scoped
evaluator,
which
finally
down
below
here,
is
used
inside
the
eval
function,
the
valve
on
the
safe
eval
function,
which
actually
gets
bound
to
eval
in
the
user's
namespace.
A
A
So
the
reason
why
we
were
failing
to
evaluators
were
making
this
evaluator
factory
thing
early
before
anything
was
locked
down
and
then
we
kept
using
it
after
things
were
locked
down.
So
even
new
evaluations
that
happened
after
things
were
locked
down,
were
using
an
evaluator
factory
that
had
been
created
before
things
will
lock
down
and
therefore
we
were
not
benefiting
from
the
optimization
at
all
and
in
particular
one
of
our
most
important
current
customers,
which
is
met
and
mask
who's.
A
Doing
Sesa
fide
that
by
the
way
I'm
going
to
ask
him
to
come
to
one
of
these
meetings
and
prevents
at
present
Sesa
Phi,
which
is
a
cess
Sesa.
Fide
version
of
browserify
Mehta
mask,
is
a
browser
interface
to
aetherium,
that's
currently
using
browserify
to
handle
modules
and
he's
turning
that
into
Sesa
phi
and
it's
working,
but
because
of
exactly
this
issue,
he's
experiencing
a
massive
slowdown.
A
And
then,
if
the,
if
the
scope
I'm
sorry
if
the
scoped
evaluator
is
not
empty,
then
I
simply
then
this
scoped
evaluator.
Then
you
know
that
I,
basically
over
here
on
line
84
I,
read
the
memo
on
line
86
I
check.
If
I
found
a
scoped
evaluator
that
was
memorized
and
if
so,
then
we
fall
down
below
the
entire
green
box
and
then
just
use
this
scoped
evaluator
here
on
line
113.
A
A
We
do
essentially
what
we
were
doing
in
the
red
lines
of
code
on
the
left,
but
we're
just
postponing
it
till
then,
then.
What
we
do
is
because
of
the
way
the
internal
initialization
logic
of
the
realm
shim
works
is
we
actually
do
some
evaluations
before
we
populate
the
safe
global
at
all,
just
internally
as
part
of
our
own
initialization
logic,
in
order
to
create
some
of
the
things
that
we
use
to
populate
for
the
initial
populating
of
the
safe
Global's?
A
So
if
so,
in
that
case,
for
those
internal
early
evaluations,
there
will
be
no
constants.
So
for
that
one
we
don't
we
don't
memorize,
so
we
don't
memorize
it
all.
Until
we
have
some
constants
once
we
have
constant
once
once,
we
have
some
constants
we'll
go
ahead
and
memorize,
but
notice
that
we're
asking
the
scope
handler
to
do
the
memorizing.
What
is
the
scope
handler?
A
The
scope
handler
is
created
all
the
way
out
here
on
line
73,
which
is
unmodified,
so
there's
one
handler
created
for
the
entire
scope
to
safe
evaluator
factory
that
gets
reused
on
every
evaluation
as
long
as
it's
for
the
same
safe,
global,
so
we're
stored.
So
for
each
handler
we're
going
to
store
the
memo.
The
handler
is
used
down
here
on
line
99
to
create
a
scope,
proxy
/.
A
Basically,
for
at
four
different
endowments,
we
need
different
scope
targets,
which
means
we
need
different
scope
proxies,
but
we're
reusing
the
handler
and
therefore
we're
reusing
the
the
memo,
the
the
memo
on
a
per
handler
basis
and
that
so
that
gives
us
some
hope
of
not
having
to
regenerate
it
more
often
than
we
need
to
now.
Let's
go
to
scope,
Handler.
A
So,
in
scope
handler
we
add
this
new
state,
variable,
scoped,
evaluator
memo
and
a
new
getter
function
and
setter
function
and
in
retrospect,
I
have
to
say
that
I
made
this
more
complicated
than
I
needed
to
I
might
as
well
just
expose
this
as
a
public
property.
Having
it
be
a
lexical
variable,
that's
exposed
with
the
getter
and
setter
is
not
doing
anyone
any
good,
but
that's
the
way
it's
coded
right
now.
A
Here's
the
key
thing,
which
is
the
get
trap
of
the
handler,
is
invoked
when
a
property
lookup
a
very
sorry
when
a
when
a
free
variable
lookup
has
bypassed
the
optimizer
is
looking
up
a
variable,
that's
not
defined
by
the
optimizer
and
and
therefore
faults
on
to
the
proxy.
So
prop
is
the
name
of
that
variable.
If
prop
is
in
the
target,
then
line
88,
which
is
which
is
the
same
as
it
used
to
be
it's
neither
green
nor
red.
Then
we
just
return
targets
of
prop
so
that
so
that
code
is
unchanged.
A
The
additional
code
here
is
well
since
we're
on
the
slow
path.
Anyway,
let's
go
ahead
and
check
whether
this
property
or
the
safe
global
is
now
a
non
writable
non
configurable
data
property,
and
if
so,
we
just
do
a
cache
invalidation
and,
having
done
the
cache
of
that
invalidation,
the
next
time
we
invalid,
we
vow
to
do
an
evaluation,
will
regenerate
the
scoped
evaluator
with
a
fresh
optimizer
that
will
include
at
least
this
new
non
writable
mod
configurable
data
property,
as
well
as
anything
else
that
has
gotten
locked
down.
In
the
meantime,.
D
You
guys
make
sure
it
feels
to
me
that
it
would
be
a
slower,
so
there
are
many
things
that
will
not
be
taxable
and
you
have
to
pay
on
your
hand.
We
will
think
about
what
I
know
operations
you
need
to
do,
or
you
can
do
make
one
of
these
things,
no
writable,
not
computable
and
then
tap
into
those
to
invalidate
the
cash
flow
in
that
operation
happen
yeah.
We
know
you
need
the
main
of
things.
D
A
So
I
agree,
so
I
have
puzzle
to
make,
which
is
part
of
the
reason
we
did
it.
This
way
is
to
avoid
changing
the
realm
shim
API,
because
the
realm
shrim
api
is
supposed
to
be
a
shim
of
what
we
want
to
propose
and
right
now,
where
we
sort
of
have
this
sense
of
where
the
boundary
is
between
realm
and
cess.
A
D
C
D
A
C
A
That
is,
that
is
currently
incorrect,
and
but
so
we
definitely
need
to
address
that.
But
but
let
me
returning
to
her
eighties
point
about
adding
adding
an
expensive
test
in
the
get
trap.
All
we
need
is
some
kind
of
signal
to
tell
the
realm
shrim
now's
a
good
time
to
evaluate
to
to
invalidate
those
caches,
and
as
long
as
we
have
some
signal,
then
we
can
invalidate
the
cache
and
then
recreate
them
on
demand
and
everything's.
Happy.
G
A
G
A
A
matter
of
fact,
the
example
you
were
just
saying
done
in
proper
SES
is
a
perfect
perfect
example,
which
is,
let's
say,
you're
using
SES
in
order
to
create
a
something
like
a
confined
browser
frame,
I
like
kaha
and
like
what's
what
what
you
guys
describe
where
you,
where
each
compartment
after
initialization
is
also
the
global
of
the
you
create
a
new
compartment.
You
populate
its
global
with
a
window
and
a
document
that
was
created
to
be
safe.
A
You
populated
after
the
compartment
was
created,
and
then
let's
say
that,
because,
as
you
found
you'd
like
to
optimize
them,
you
go
ahead
in
your
SES
initialization
code
of
going
of
locking
them
down
you're,
locking
them
down
after
the
initial
signal
and
you'd
still
like
them
to
be
optimized,
so
that
that's
that's
a
very
good
example.
Now.
G
A
A
G
D
D
A
Reason
so
this
there's
actually
a
comment
elsewhere
in
the
code
that
applies
there,
and
here,
which
is
the
target,
is
a
inherits
from
the
safe
global.
The
target
is
the
thing
that
the
proxy
uses
as
the
proxy
target,
so
its
purpose
is
to
hold
the
endowments,
which
are
the
emulation
of
the
global
lexical
scope,
the
global
contour
it
inherits
from
the
safe
global
over
here
we
want
to
look
only
at
the
safe
global.
The
safe
global
is
her
handle.
You
know,
okay,
this
table
anyway.
A
A
And
then
there's
a
necessary
implementation
limitation,
which
we
there's
a
to
do
in
the
code
to
check
for
which
is,
if
an
endowment
shadows,
a
global,
this
code
will
go
crazy
or
code
will
do.
The
wrong
thing
is
the
anything
that
gets
optimized
will
shadow
the
endowments
because
it
shadows
the
proc
city
and
but
the
things
which
are
optimized
come
through
the
safe
global,
which
should
be
shadow.
A
bold
by
the
endowments,
so
I
think
the
right
thing
for
the
shim
to
do
is
a
a
shim.
A
It's
I
think
it's
valid
for
the
purpose
of
the
Shin
to
say
this
particular
part
of
the
specified
behavior
I
just
can't
implement.
You
know,
throw
an
error
that
says
this
is
an
implementation
limitation
of
the
shin,
and
we
do
that
elsewhere
and
so
I
think
that
the
endowments
we
simply
have
to
enforce
the
rule
that
they
cannot
conflict
with
any
of
the
global
variables.
The.
C
I
think
I
think
we're
not
actually
scanning
the
endowments
right
now
so
that
a
bug
in
our
current
shim
is
that
if
the
optimizer
were
working,
if
it
was
actually
optimizing,
the
Global's,
then
we
would
have
the
shadowing
problem
because
line
88
is
checking
to
see
if
property
is
in
the
target,
that's
either
going
to
be
in
the
endowments
or
in
the
globe.
In
the
rules.
A
D
A
D
A
C
A
Know
and
let
him
likewise
that
will
lock
down
an
individual
property
turn
a
property
that
did
not
used
to
be
a
non
writable
non
configurable
data
property
and
turn
it
into
a
non
writable,
not
a
figural
data
property
and
even
as
I'm
saying
this,
the
idea
that
that
might
happen,
internal
to
the
spec
seems
incredibly
unlikely.
Yeah.
C
A
A
Those
would
now
all
become
proxy
traps
rather
than
direct
property
accesses.
So
now
the
question
is
I
mean
you
know
that
can
still
all
be
correct,
but
are
you
willing
to
move
the
performance
burden
over
there?
I
have
every
property
access
on
the
global
object.
That's
explicitly
a
property
access,
not
a
variable
lookup
fault
on
the
proxy.
G
The
issue
is
that
for
the
WPI
freezing
the
Dom
API
is
is,
is
a
much
larger,
larger
undertaking
and
just
the
based
about
you,
PPI
I,
think
we
talking
about
it.
If
five
milliseconds
versus
twenty
milliseconds
five
milliseconds
people
don't
notice,
it'll
start
up
twenty,
they
start
noticing
at
least
the
developer
said
because
there's
a
lot
think
I
doing
these.
G
D
G
Exactly
so,
but
it
was
really
still
need
to
wrap
the
global
versus
with
a
some
type
of
something
that
will
be
that
will
decay
access
so
yeah,
if
not
all
access
of
made
through
the
way
statement,
there's
the
distance
and
what
the
director
we
know.
That's
something
that
we
need
that
global
object,
a
wrapper,
I
think
so.
A
That
would
work
on
and
I
I
do
not
have
a
sense
of
the
performance
cost
part
of
the
reason
that
I
don't
have
a
sense
of
the
performance
cost
and
why
I
would,
for
my
purposes,
be
perfectly
fine
doing
it.
This
way
is
I.
Try
to
stay
clear
of
using
the
global
object
as
an
object
whenever
possible.
Anyway,
exactly.
G
C
A
D
A
G
A
Let
me
try
out
an
attack
and
see
if
either
of
your
schemes
are
vulnerable
to
it.
Let's
say
that
the
the
untrusted
code
being
evaluated
gets
its
global.
This
object
and
then
does
a
object.
Dot
define
property
of
some
property
on
this
object
because
they're
doing
a
defined
property
and
the
the
the
object
itself
is
a
plane
object
that
just
inherits
from
the
proxy.
F
So
it's
one
of
those
yeah,
so
I'll
just
run
through
the
code.
It
basically
takes
us
code,
which
is
one
level
removed
from
no
actually
scope.
Here
is
an
object
that
has
overloads
for
the
Global's
that
it
wants
to
overload
and
if
it's
part
of
the
Global's
it
just
returns
that,
like
the
overloading
Global's,
the
scope,
ones
and
yeah,
my
code
is
actually
like
halfway
edited,
so
there
are
bugs
here.
F
But
if
it's
a
function
from
the
actual
global
scope,
it
keeps
in
the
locals
a
record
like
a
cache
of
the
proxies
created
for
those
functions
here.
The
naive
assumption
is
that,
like
you're,
basically
all
your
functions
are
like
global
functions
like
part
of
the
built-ins
that
are
put
on
window,
for
instance.
F
So
it's
not
really
meant
to
be
like
a
robust
and
proxying
mechanism
at
this
point,
okay,
but
it
creates
that
proxy
for
for
that
property
that
was
called
on
the
getter
and
then
you
know
the
center
basically
says
reference
errors
in
module
namespaces,
if
you're
deferring
to
the
proxy
of
the
global.
That
means
it's
outside
the
scope
of
the
module
namespace.
So
it
should
be
a
reference
there.
F
C
F
It
basically
behaves
that
if
you
call
something
that's
undefined,
it
hits
that
foxy,
it's
undefined.
If
you
call
object
here
that
proxy,
which
which
proxies
object,
can
can
do
whatever
you
know,
behaviors.
You
want
to
tribute
to
that
like
the
emulation
of
the
fries
here
Wow,
but
here
it
says
you
can't
really
assigned
to
object
because
it's
not
defined,
but
you
could
create
a
new
object
and
that's
the
behavior
of
a
module
namespace
I.
A
F
Yeah,
well,
it's
50%
of
me
right
because
I
I
hardly
put
things
in
a
very
observable.
You
know,
okay,
so
so,
when
I
have
a
module
being
simulated,
I
have
a
similar
like
like
a
like
an
eval
with
function.
Wrapping
and
the
width
takes
modules
code.
Okay,
module
scope
is
a
proxy
made
on
on
an
object
with
some
overloads
of
of
the
global
window.
F
In
this
case,
so
I
want
to
overload
one
or
two
other
properties
with
with
you
know,
actual
things,
but
I
also
want
to
make
sure
that
every
time
I
call
a
function
against
this
proxy,
like
if
I'm
calling
the
property
like
object,
then
I
want
to
also
make
sure
that
I
always
return
a
proxy
of
object.
That
gives
me
a
different
behavior
then
calling
object
outside
of
a
module
name
space
like
a
simulated
model
namespace.
F
C
F
F
F
F
So
so
here
I
have
some
just
a
bunch
of
tests
that
I
execute
within
this
within
a
module
namespace
to
simulate
with
modern
namespace
and
an
undefined
variable
which
really
isn't
the
point
in
this
scope
returns
the
correct
air
trying
to
set
it
right
and
if
you
try
to
do
to
set
object,
you
get
the
same
error,
but
still
you
could
refer
to
object
and
construct
an
object,
but
you
know
all
of
which
go
through
that
proxy.
That
can
be
tailored
to
modify
the
behavior
of
object
within
that
namespace
encapsulation.
A
You
know
the
consistent
answer
would
be
that
you
evaluate
an
undefined
variable,
which
is
the
operand
that
throws
a
reference
error
and
then
you
never
type
of
because
reference
error
was
thrown.
Instead,
it's
not
what
JavaScript
does
type
of
an
undefined
variable
returns
returns
the
string
undefined
and
we
found
no
way
when
we
were
constructing
the
realm,
show
when
j'f
and
Brian
and
Dean
and
I
all
spent
a
week
together
in
a
room,
doing
the
security
review
and
experimenting.
A
We
found
just
no
way
for
the
proxy
to
distinguish
a
variable
lookup
that
was
inside
a
type
of
from
a
variable
lookup
that
was
not
inside
a
type
of
so
so.
Therefore,
you
either
had
to
have
the
lookup
of
the
variable,
sometimes
return
undefined
or
we
had
to
have
type
of
undefined
variable
through
a
reference
it
was
just
was.
There
was
no
way
to
be
correct
on
that
yeah.
F
C
C
F
Only
thing
that
came
to
mind
is
at
some
point:
I
wanted
to
look
at
module
name
space
where
particular
binding
is
uninitialized
and
I
just
got
that
by
making
sure
that
the
lookup
object
does
not
have
that
field
until
the
first
initial
lives.
That's
the
only
way.
I
could
really
preserve
that
behavior,
but
here
reference
error
only
simulates
when
you
set
right
so
so
I
avoid
touching
errors
as
much
as
I
can
with
any
proxy.
F
So
so,
but
but
that's
the
only
error
that
you
cannot
really
you
know
have
occur
in
some
fashion
without
you
know,
instrument
and
code
to
actually
do
it
so,
but
but
but
that's
a
very,
very
interesting.
Okay,
now
I'm
gonna
waste
moral
trying
to
debate
trying
to
get
that
behavior
if
I
find
a
good
scenario
for
it.
I
thought
this.
F
F
Okay,
actually,
no
like
III
eval,
the
evaluator
under
the
spread
fold
or
by
you
know
just
using
the
argumented
about
like
one
comment
about
and
I
create
one
evaluator
and
but
I
actually
bundled
it
like
I
write
this
as
modules
like
well,
all
these
fonts
are
written
as
modules
and
I
bundle
them
as
both
ESM
and
just
icky.
I
guess
is
the
other
format
they
use
there.
So.
C
F
F
F
F
A
C
C
The
takeaway
was,
it
sounds
like
we
can
go
ahead
and
start
applying.
We
just
need
to
show
that
we're
seriously
working
on
things
like
having
governance
documents,
contribution
documents,
things
like
that
and
so
I
guess.
The
question
is
of
the
people
who
are
major
stakeholders
and
sets,
and
you
don't
have
an
interest
in
it.
Are
we
interested
in
moving
forward
and
then,
if
so,
how
do
we
want
to
define
our
governance?
It
sounds
like
we
need
at
least
three
companies.
C
C
C
C
G
G
C
C
A
A
Let's
see,
one
final
topic
is
Peter:
Hadi
of
moddable
is
going
to
be
attending,
TC
53
I
think
is
the
if
I'm,
remembering
name
correctly,
which
is
the
new
ECMO
technical
group
for
IOT,
and
he
asked
me
to
present
on
JavaScript
subsets,
while
with
an
eye
towards
the
alignment
between
the
kinds
of
reduction
in
runtime
burden
that
helps
security
and
the
alignment
on
one-time
burden
that
helps
I.
Okay.
A
A
A
A
A
So
when
it
pinches,
let
me
know-
and
you
know,
moderate
extensions
of
it.
The
main
criteria
is
that
anything
that's
hard
to
implement
if
you're
implementing
a
simple
eval
apply
interpreter
in
some
foreign
language,
if
we
can
avoid
adding
it
to
the
whitelist
I
want
to
avoid
adding
to
the
whitelist.
That's
all
that's
also
by
the
way
why
I've
left
out
generators
and
async
functions
is
that
if
you're
implementing
a
simple
eval
apply
interpreter
in
a
completely
foreign
language,
you
have
a
much
higher
burden
to
implement
generators
or
async
functions
correctly.
F
A
C
A
Fine
that
should
all
just
work,
all
it
means
is
to
harden
the
promise
is
that
the
promise
does
not
have
any
meaningful
instance
properties
anyway,
but
what
with
with
promises-
and
they
come
naturally
one
could,
for
you
know
if
I
give
a
promise
out
to
both
Bob
and
Carol
Bob
could
install
a
this
function
as
an
own
property
on
the
promise,
which
then
confuses
Carol.
If
the
prime
Orioles
are
frozen
and
the
promise
instances
are
frozen,
then
that
kind
of
shadowing
attack
becomes
impossible,
but
all
of
all
the
normal
functionality
of
promises
should
remain.
A
C
A
F
A
So
so
one
possibility
is
to
just
omit
all
settled.
Well:
I
I've
I
only
find
myself
on
even
an
E,
where
I
did
have
the
equivalent,
both
promised
on
all
and
promise
that
all
settled
under
completely
different
names,
of
course,
but
even
when
I
had
both
of
them
available
I
only
ever
found
myself
using
the
equivalent
of
promise
got
all
I
just
never
needed
promise,
not
all
set.
F
A
So
let
me
explain
the
the
the
settled
terminology,
because
it
was
actually
a
subtle
matter
that
we
got
we're
in
in
the
as
I
brought
it
over
from
II.
I
was
missing,
a
distinction
and
I
was
missing
a
distinction
in
a
way
that
made
it
easy
to
make
simple
statements
that
that
seemed
intuitive
that
were
actually
wrong
and
that's
the
difference
between
what
we're
now
calling
resolved
versus
what
we're
now
calling
settled.
A
So
if
you,
if
you,
if
you
take
the
resolver
for
a
promise-
and
you
say,
resolve
to
three,
then
the
promise
is
resolved
and
the
promise
is
also
settled.
Well,
if
you
you
take
the
resolver
and
you
resolve
it
to
a
rejected
promise,
then
the
prop
they
reject.
Then
you
make
the
promise
itself
rejected,
in
which
case
again,
the
promise
is
both
resolved
and
settled.
A
Resolved
once
you've
invoked
the
resolver
on
it
or
done
something
equivalent
to
invoking
the
resolver
on
it,
and
a
promise
is
settled
when
it
is
either
fulfilled
or
rejected.
So
the
case
that
makes
these
two
things
different
is
when
we
have
unresolved
promises,
P
and
Q,
and
then
we
resolve
P
to
be
Q.
F
A
If
you
have,
if
it's
fulfilled,
then
if
you
do
then
on
it,
the
first
call
back
of
the
then
gets
invoked.
If
the
promise
is
rejected-
and
you
do
it
in
on
it,
then
the
second
call
back
of
the
then
will
be
invoked.
So
if
a
promise
is
settled,
then,
since
it's
either
fulfilled
or
rejected,
one
of
those
two
will
be
invoked
now.
If
a
promise
P
is
resolved
to
promise
Q,
where
promise
q
is
unresolved,
then
promise
P
is
resolved
in
that
its
resolver
is
used
up.
A
So
the
key
thing
about
the
terminology
is
we
talked
about
the
result,
whether
it's
resolved
or
not,
from
the
point
of
view
of
someone
holding
the
resolver
someone
who's
just
holding
the
promise
cannot
observe
whether
a
promise
is
resolved
or
not.
All
they
can
observe
is
the
transition
from
unsettled
to
either
a
fulfilled
or
reject
it.
A
It's
so.
If,
if
you
resolve
p
to
be
the
same
as
q,
you
use
up
to
the
p
resolver
so
the
so,
you
have
to
have
find
a
way
to
describe
that
stateful
nature
over
the
p
resolver
and
that's
what
we
use
the
term
resolve
for
which
fits
calling
the
object
that
resolver
but
a.
But
if
you
do
that
and
then
you
do
a
dot,
then,
on
p,
neither
callback
will
be
called
until
you
become
so
I.
F
A
One
thing
that
I
really
reject
one
thing
that
I
really
regret
is
the
original
eater
mammalogy
is
that
they
promise
becomes
either
fulfilled
or
broken,
and
that
fits
with
natural
language
usage
of
the
term
promise
really
well
is
the
final
state
of
a
promises.
Well,
the
promise
God
fulfilled
or
the
promise
got
broken.
Well
then,
when
Tyler
closed,
we
did
a
lot
of
the
e
and
promise
concepts
in
water
kin.