►
Description
No description was provided for this meeting.
If this is YOUR meeting, an easy way to fix this is to add a description to your video, wherever mtngs.io found it (probably YouTube).
A
A
B
I,
don't
have
anything
that
is
material
difference.
They
have
been
a
couple
of
issues
with
the
data
I
friends,
but
those
are
follow
up
with
vendors
that
we
can
also
provide
something
back
here
are
sort
of
affecting
a
little
bit
the
neon
system
that
we
use
for
membranes
in
the
cha-cha
friends.
But
we
can
talk
about
okay,.
A
So,
first
of
all,
I'm
really
really
glad
that
you've
been
really
stressing
the
membrane
mechanism
under
out
of
memory,
attacks
and
I'm.
Very
glad
that
it
looks
like
we're
in
current
JavaScript.
You
can
actually
protect
membrane
separation
in
one
direction
and
what
I
say
in
one
direction
as
I
understand
it.
All
of
your
attacks
is
to
try
to
prevent
the
outer
realm
leaking
into
the
inner
realm
you're
not
trying
to
so
it's
it's
basically.
So
it's
a
one-way
attack
you're
not
trying
to
prevent
the
outer
membrane.
The
outer
realm
from
attacking
the
inner
realm
on.
A
And
trying
to
get
the
objects
from
the
inner
realm
to
leak
into
the
outer
realm,
and
so
I
wanted
to
start
out
with
two
points.
One
is
that
this
doesn't
reduce.
This
doesn't
significantly
reduce
our
need
for
a
preemptive
termination
of
a
some
large
grained
computational
unit,
one
out
of
memory,
because
the
need
we
have
for
that
is
not
it's
not
at
all
specific
to
membranes.
Membranes
are
certainly
a
very,
very
important
special
case,
but
anytime
object.
A
calls
object.
B,
where
object.
B
is
going
to
do
something
with
encapsulated
Authority
that
object.
A
A
is
not
supposed
to
have
an
object.
B
needs
to
maintain
invariant.
The
example
I
gave
in
the
out
of
memory.
Talk
was
just
splicing
into
a
doubly
linked
list.
If
object,
a
calls
object,
B
object.
B
has
an
internal
data
structure
that
it's
maintaining.
That
needs
integrity.
That
conduct
has
a
doubly
linked
list
in
it
that
object.
A
is
not
supposed
to
be
able
to
see
or
manipulate
object.
A
could
strategically
bring
the
system
to
an
almost
out
of
memory.
A
Condition
then
call
be
causing
B
to
fail
to
splice
the
doubly
linked
list,
leaving
it
an
ill-formed
state
and
for
that
there's
no
reasonable,
try-catch
or
pry
finally,
strategy.
That's
going
to
rescue
B
because
you
can
fail
and
those
things
can
fail
at
any
time
and
if
you
try
to
so
you
don't
even
know
what
failed.
If
you
failed,
and
even
if
you
did
know
when
you're
trying
to
repair
it,
you
could
fail
again.
So
in
general,
out
of
memory
has
to
be.
A
You
know
you
have
to
be
able
to
opt
into
a
situation
where
out
of
memory
causes,
preemptive
termination
of
of
whatever
computational
unit
is
necessary
to
contain
all
potential
corruption.
So
perhaps
the
agent,
perhaps
something
smaller.
If
we
can
figure
out
something
smaller,
perhaps
the
agent
cluster,
even
if
we
can't
contain
it
and
show
the
ray
buffers.
A
And
the
Peter
form
audible,
which,
which
only
has
one
membrane
so
the
cross
I'm
sorry
only
has
one
realm
only
has
one
realm
in
the
model
machine.
So
in
the
model
machine
there
is
no
issue
of
inter
realm
leakage.
Nevertheless,
when
he
saw
the
out
of
memory
stuff,
he
reacted
that
this
is
crucial
for
what
they're
doing,
because.
A
B
A
Okay,
I
think
we're
I
think
we're
aligned
also
wanted
to
mention
that
see
Michael
if
I,
if
I
understood
correctly
you're
proposing
that
a
deep
rewrite,
that's
counting
stack
depth,
might
provide
some
help,
and
so
the
thing
I
wanted
to
point
out
is
that
it's
not
just
a
outer
stack
it.
It's
also
an
out
of
heat
issue.
B
Yes
and
I
feel
that
I
don't
have
enough
information
or
examples
where
we
can
exercise
that
and
see
how
it
goes.
Yeah,
if
you
have
any
concrete
example
that
we
can
use
I'll
be
great,
because
then
we
can
try
to
figure
out
if
there's
anything
missing
what
we
have
most
likely
there.
A
it's,
because
you're
not
crossing
a
membrane,
you're
I
mean
the
overflow
in
that
case
is
just
like
a
overflow
of
the
stack
in
obtained
all
the
functions
that
you
own.
B
A
That
is
going
to
allocate
memory
as
part
of
that
operation,
so
the
inner
realm
allocates
heap
until
it's
almost
exhausted
and
Yemen
and
how
it
knows
how
much
heap
to
allocate
is,
of
course
sufficiently
tricky
that
it's
that
it's
almost
it's
really
hard
to
write.
Anything
like
a
reliable
test
for
this,
but
remember
that
a
test
has
to
be
reliable.
An
attack
only
has
to
work
occasionally
so
anything
so
the
inner
realm
allocates
until
it's
almost
out
of
heat.
It
comes
to
the
outer
realm.
A
You
know
the
outer
realm
manipulates
its
own
internal
data
structures,
but
where
a
out
of
heap
error
during
a
crucial
part
of
the
outer
realms
internal
algorithms
causes
it
to
lose
integrity
in
a
way
that
the
attack
code
anticipated
suspect
that
the
attack
code
can
now
exploit
the
particular
form
of
integrity
loss
that
it
induced
in
the
outer
realm.
I.
Think
that
there's
no
way
to
protect
against
that
other
than
to
really
create
a
reliable.
B
A
B
A
C
C
A
Okay,
so
Dan
have
used
I'm,
responding
to
the
conversation
from
last
week,
which
I
was
not
there
last
week,
but
I
just
watched
the
video
and
the
particular
part
that
we're
discussing
right
now
is
the
attacks
due
to
various
out
of
memory
conditions
being
able
to
be
induced
by
allocating
almost
static
memory,
and
then
the
fact
that
a
out
of
memory
error
is
not
necessarily
fatal
means
that
things
can
continue
to
exercise
to
execute.
After
some
algorithm
has
lost
integrity
because
it
ran
at
it.
A
So
accrue
T
last
week
was
explained
the
work
they've
been
doing
on
trying
to
create
a
membrane
such
that's
first
specifically
for
the
membrane
separation
between
an
outer
trusted
realm
and
an
inner
untrusted
realm.
So
just
one
way
suspicion
not
mutual
suspicion.
They
were
able
to
enhance
the
membrane
mechanism
so
that
the
inner
realm
could
not
compromise.
A
Membrane
separation
through
out
of
memory
through
all
specifically
through
out
of
stack,
could
not
compromise
the
membrane
separation
in
order
for
the
inner
realm
to
obtain
direct
access
to
an
object
from
the
outer
realm
and
I
think
what
they
were
explaining
would
probably
work
for
out
of
heap
as
well,
but
I
was
explaining,
but
yeah
it's
wonderful
to
be
able
to
solve
it
for
membranes,
and
it's
wonderful
if
the
membranes
special
case
can
be
solved
on
current
JavaScript,
but
all
together,
we
have.
The
membranes
are
only
one
special
case:
the
ability
to
corrupt.
A
C
B
C
So
in
that
second,
where
there's
no
audio,
could
I
II
urge
everyone
to
try
to
find
a
good
visual
bit
to
have
a
screen
shared
when
they're
talking
I
think
it
does
help
to
keep
people
on
track?
Sometimes,
hopefully
I
don't
know
if
I'm
disconnected
or
kur
it
just
has
his
all
you
that
I
think
it
is
yeah
yeah.
B
Now
yeah
I'm,
weird
I'm
waiting
for
you
to
finish
I,
don't
have
anything
good,
shared
or
an
example.
We
a
little
bit
more
tricky,
but
the
the
point
is
the
point
I'm
trying
to
make
is
that
heat,
overflowed
and
stackoverflow
are
pretty
much
the
same
from
the
membrane
point
of
view.
You
are
doing
operations
in
the
medina
realm,
then
you
call
something
on
the
other
round
that
costs
the
overflow
to
happen,
and
you
are
protecting
the
game's
licking
the
object
reference
from
the
other
round.
B
That's
a
protection
that
we
have
in
place
right
now,
which
means
that
the
minute
you
cross
the
membrane
there
is
protection
there,
if
I
catch
by
she
basically
and
the
proper
protection
in
terms
of
identity.
So
if
there
occurred
on
the
outer
round
you're
going
to
get
an
error
that
belongs
to
the
iron
around
and
it's
not
going
to
be
leaking
the
identity
that
give
you
access
to
things
that
you
should
not
have
access
to.
B
A
B
Construct
it
out
of
the
membrane
inside
a
in
our
own
department
that
creates
the
proxies
that
represent
things
from
the
outside
world.
Well,
the
other
part
that
represents
the
proxies
from
the
iron
around
for
the
outer
realm
that
one
still
in
the
in
the
outer
realm
itself,
Oh
having
a
broker
in
between
which
is
just
a
registry
of
we
maps.
Okay,.
A
Great
great
I
was
about
to
suggest
exactly
that
because
they
didn't
gather
that
from
last
week.
So
so,
basically
there's
a
let's
call
the
two
sides.
So
in
a
system
where
you
have
mutual
mistrust,
you
know
where
alice
is
creating
a
membrane
between
Bob
and
Carol,
so
neither
Bob
nor
Carol
trust
each
other,
but
Alice's
membrane
should
protect
both
of
them
from
each
other.
A
The
thing
that
you've
done
is
a
mechanism
in
that
the
bob
side
of
the
membrane
would
actually
be
created
out
of
proxies
and
target
and
shadow
target
objects
for
Bob's
around
and
the
side
of
the
membrane
exposed
to
Carol's
realm
would
actually
be
constructed
out
of
proxy
and
shadow
target
objects
from
Carol's
realms
are
correct.
Yes,
excellent.
B
Excellent
and
the
communication
between
these
two
pieces
that
is
also
created
by
Alice,
is
just
a
record
of
Wieck
maps.
I
think
ensure
between
the
two
of
them,
so
they
can
do
lookups
and
identity
preserving
operations
by
Joe's,
a
registry
there's
no
code
running
on
Alice,
and
so
Alice
is
just
creating
that
that
record.
A
A
And
it's
the
handler
that
it's
the
it's
the
handler
code
that
that
has
captured
the
pointer
to
the
object
from
the
other
realm,
because
it
it
then
has
to
do
the
the
reflect
operations
in
order
to
turn
these
into
optically
the
cross
realm
operations
right,
it's
it's
it's
the
handler
that
has
has
to
actually
operate
on
the
foreign
object.
Is
that
correct?
Yes,.
B
Let
me
share
the
make
sure
I
think.
Let
me
show
you
here
quickly:
the
operations
that
are
really
important
to
understand
here,
just
for
the
sake
of
everyone
sundae's
this
is
on
this
is
this:
is
the
code
that
runs
besides
a
cure
value?
Is
the
coal
creates
the
proxies
inside
the
eye
neuro
and
when
you
are
about
to
call
something
from
the
outside?
B
This
is
the
applied
trap
on
the
proxy,
so
you
get
it.
You
create
a
proxy
of
a
function
that
is
in
the
outer
wrong
and
you're,
going
to
call
it
right
now,
when
you're
going
to
call
it
you're,
going
to
call
it
using
the
reflect
or
apply
from
the
outer
round
with
the
target
that
belongs
to
the
other
round,
with
the
argument
list
and
this
value
from
the
art
from
the
outer
around
so
the
operation
itself-
and
this
is
the
one
that
protects
against
over
okay.
B
A
B
A
B
A
B
B
A
A
B
A
B
With
each
line
actually
detach
I
frame
in
a
detached
iframe
in
chrome,
when
you
are
well
some
code
there,
they
do
some
extra
checks
to
see
if
the
callback
that
you're
calling
is
for
an
attached,
I
friend,
and
they
throw
some
error.
So
the
solution
that
we
found
was
well
not
even
the
execution
of
they
reflect
that
applied
or
reflect
our
construction
Eve
from
the
ina
ROM.
Instead,
they
should
be
from
the
other
around,
because
we're
calling
things
from
the
other
round.
A
B
Okay,
so
in
this
code,
every
time
that
we
interact
with
raw,
we
have
to
do
a
try-catch,
because
we
know
what's
going
to
happen
there
on
the
other
room
might
be
stack,
overflow
might
be
heap
overflow.
You
could
be
just
an
throwing
error
and
we
need
to
protect
against
that.
So
we
can
recreate
error
when
needed
for
day
I
go
wrong.
B
B
A
B
A
Okay,
good,
so
that
was
everything
I
had
to
say
about
the
membrane
out
of
memory
topic,
the
other.
So
so,
if
there's,
if
there's
more,
you
want
to
say
on
this
topic,
let's
do
that
before
I
change
topics,
no
okay,
so
the
other
one
was
the
issue
of
whether
the
realm
API
should
create
an
isolated
realm
or
a
a
realm.
That's
attached
to
all
of
the
host
specific
behavior
and
and
also
the
question
of
what
the
hooks
should
be
and
the
I
think
there
is
an
implicit
understanding
of
a
particular
constraint
on
the
design.
A
It's
that
we
want
to
create
an
arbitrarily
different
virtual
host
and
have
the
code
in
the
new
realm
see
the
virtual
host
that
we've
created
using
the
hooks
and
using
JavaScript
code
to
just
see
that,
as
the
host
suggested
very
great,
if
I'm
using
the
wrong
API
I
want
to
be
able
to,
let's
say
on
node,
create
an
elated
browser
host
and
then
load
code
into
the
emulated
browser
such
that
the
code
load
it
into
the
emulated.
Browser
can't
tell
that
it's
not
when
a
genuine
browser.
A
A
So
with
that,
as
the
goal
there's
a
particular
question
that
came
up,
that
has
a
interesting
answer
in
terms
of
that
goal,
which
is
if,
whatever
way
there
is
a
spawning
or
realm
such
that
the
new
realm
is
implicitly
tied
to
to
its
host.
If
within
such
a
realm,
you
know
with
let's
say
within
the
virtual
browser
realm-
that's
created
through
the
round
api
on
node.
If
within
that,
it
does
a
new
realm
construction
where
it's
using
whatever
the
the
parameters
are
or
whatever
the
everything
way
of
creating.
A
It
is
such
that
the
new
realm
is
supposed
to
be
connected
to
the
same
host
as
the
creating
realm.
In
this
case,
it
would
be
the
emulated
host,
so
the
the
the
emulation,
the
the
having
the
realm,
having
let's
say
the
round,
constructor
be
able
to
create
a
new
realm
that
reuses
the
host
of
the
that
round.
Constructor
object
itself
that
has
to
preserve
the
virtualization.
B
B
B
A
Normal
realm,
a
running
on
node,
so
so
realm
a
that
is
that
sees
as
its
host
node
with
no
illusion
creates
realm,
D
and
detaches.
It
there's
also
by
the
way,
the
fact
that
it
creates
it
first
and
then
detaches.
It
creates
some
temporal
issues
that
I'm
very
confused
about
that.
We
need
to
come
back
to,
but
let
but
to
avoid
the
temporal
issues.
Let's
say
that
we
just
have
two
operations,
create
attack
realm
and
create
detached
so
round
a
does
a
create
detached
realm
which
creates
realm
B
and
create
detached
round.
A
It
provides
all
of
the
hooks
to
the
create
Beach
detached
realm
operation,
so
that
code
provided
by
realm
a
can
act
as
a
virtual
browser
to
code
running
in
realm
B,
so
code
run.
So
the
realm
B
code
is
what
you
refer
to
as
detached
it's
completely
isolated
from
the
from
node
host,
but
its
host
operations
are
being
intercepted
and
act
according
to
the
hooks
provided
by
the
code
running
in
realm.
A
okay
now
realm
B
now
creates
an
attached
realm
C.
A
B
So
it
was
my
assumption
and
it
might
be
wrong.
It
was
my
assumption
that
the
evaluator
was
going
to
provide
the
proper
hooks
for
all
these
operations
that
you
want
to
control,
saying
that
if
you
create
it
round
and
inside
that
round,
you
create
an
evaluator
and
when
you
are
evaluating
code
inside
are
ever
will.
If
the
code
attempts
to
create
another
round,
the
the
host
operations
are
going
to
be
the
HOS
operations
provided
by
the
evaluator
okay.
B
A
B
A
So
so
I'm
hopeful
that
that
might
turn
out
to
be
the
case
and
I
don't
have
off
the
top
of
my
head
any
host
hooks
that
have
to
be
at
the
realm
level
rather
than
the
value
of
the
level.
So
if
that
turns
out
to
be
the
case,
then
the
simple
story
works,
and
that's
great
just
just,
but
in
order
to
just
make
my
point
in
case
it
doesn't
work.
A
A
It's
provided
by
a
primordial,
a
primordial
deal,
evaluator
it's
per
realm,
so
there.
So
obviously
you
can
create
a
realm
and
then
go
ahead
and
monkey
patch.
Your
date
thought
now
and
the
date
constructor
could
be
whatever
the
hell
you
want,
which
is
why
it's
not
a
compelling
example,
but
let's
say
that,
rather
than
creating
the
primordial
x'
and
then
monkey
patching
before
you
allow
it
to
be
used
that
you
simply
wanted
to
provide
a
current
time
hook,
because
you
know
the
semantics
of
date.
A
Thought
now
is
that
it
calls
a
host
function
to
to
obtain
the
current
time.
So
that's
an
example
of
something
where,
if
you
d,
if
you
created
attached
realm,
the
detached
round
should
not
have
access
to
the
current
time
according
to
the
real
host,
so
the
the
code
in
a
that's
creating
detached
realm
B
might
use
the
realm
API
to
provide
a
current
time.
That,
let's
say
that
says
date
thought
now
is
always
five.
A
If
so,
then
the
the
new
set
of
primordial
for
round
B
would
have
you
know
it's
date,
constructor
and
it's
date,
dot
now
function
would
always
say.
The
current
time
is
thought
if
inside
realm
be
it
creates
an
attached
realm,
see
so
that
so
that
C
inherits
all
of
these
host
behavior
B's
current
time.
Host
behavior
is
five,
so
C
would
implicitly
get
five
as
the
whenever
code
inside
C
asks.
What
the
current
time
is.
It
would
get
five
because
realm
C
being
attached
has
inherited
host
behavior
from
B.
B
Okay,
I
think
I
get
all
that
OneNote
is
about
data.
Now
is
that
2d
data
now
is
not
a
it's
not
going
through
a
whole
specific
poop.
B
B
Right
because
I
feel
that
the
spec
is
not
taking
into
consideration
that
those
operations
should
be
are
in
fact,
IO
and
therefore,
therefore,
unless
you
go
through
the
host
right
right
now,
the
only
one
that
might
be
a
lot
a
lot
more,
even
in
fourth,
four
or
two,
we
say
well
when
you're
trying
to
get
the
default
locale
or
something
like
that.
Exactly
so,
I
haven't
tested
the
default
locale,
but
I
tested
what
happened
with
the
detach
iframe.
But
you
will
be
interesting,
yeah
certain
what
happen
there.
Yeah.
A
I'm
not
claiming
that
any
of
this
corresponds
to
current
detached
iframe,
behavior
I'm
concerned
with
what
it
is
that
we
specify,
and
then
you
know
the
a
shim
can
shim
implementable
today
can
can
deviate
from
what
we
specify
in
ways
that
we
document
that's
always
been
the
case
with
shims,
it's
okay,
to
specify
something
that
doesn't
precisely
correspond
to
what
we
can
show
today.
A
A
But
one
of
the
me
so
one
of
the
things
that
we
really
do
need
to
do
as
part
of
getting
all
this
right
is
to
identify
all
of
the
host
hooks
and
make
an
explicit
that
these
are
host
hooks
and
then
to
make
sure
that
anything,
that's
a
host
hook
can
be
trapped
somewhere
and
trapping
it.
You
know
to
the
degree
to
which
we
can
trap
it
in
the
evaluator
rather
than
trapping
it
in
the
realm.
That's
great.
B
Or
all
the
things
that
our
host
driven,
that
the
detached
action
should
in
fact
put
in
place
or
guarantee,
because
if
we
go
and
say
let's
do
the
round
first,
we
get
this
working.
We
get
a
detach,
and
at
that
point,
after
the
touching
they
are
they
wrong.
You
still
can
do
they
don't
now
it's
going
to
be
a
little
bit
weird
and
and
in
order
for
you
to
really
do
something
about
it
via
their
valor
door,
you
have
to
know
the
state
or
the
current
state
of
that
round.
You
know
yeah.
A
B
Right
what
I'm
trying
to
say
is
that
at
least
that's
what
I
understanding
what
you're
saying
they
said.
We
want
to
make
sure
that
the
detach
action
on
a
realm
has
the
right
consequences.
Mm-Hmm,
because
eventually,
once
they
evaluate
overcome
the
evaluator
will
not
have
to
do
gymnastics
to
guarantee
that
a
detach
iframe
does
not
have
access
to
data
now
or
something
that
yes
do
it.
You
know.
So,
when
they're
older
it'll
come
it's
easier
for
the
evaluator
to
be
introduced.
Yes,.
B
A
Its
case,
so
that's
the
temporal.
Oh,
that's
why
I
said
I
want
to
put
the
temporal
issue
aside
at
first
by
imagining
that
we
just
had
two
atomic
operations
as
alternatives
create,
attach
drum
and
create
detach
drum.
If
you,
if
creating
a
new
realm,
always
creates
it
creates
it
attached
and
then
you
detach
it.
Then
you
have
all
sorts.
B
A
B
If
you,
if
you
attempt
to
call
any
API
that
needs
to
have
a
they
hook
from
the
host,
and
it
will
just
simply
throw
in
our
so
that's
the
initial
step,
the
if
you
want
to
take
control
of
the
hooks
for
a
new
newly
created
ROM,
you
will
have
to
compose
the
evaluator
and
during
the
execution
inside
the
evaluator
you
create
around
and
that's
where
the
new
round
that
you're
creating
is
going
to
be
bound
to
the
post
operations
virtualized
by
the
ever
later.
So
this
is
a
composition
API.
A
The
I
think
we're
still
working
on
two
different
conceptual
models:
I
think
you're,
you're,
saying
that
you
want
to
move
all
the
hooks
in
all
the
ability
to
hook
into
the
evaluator
API.
Even
it's
the
functionality
that
you're
hooking
is
not
about
evaluation,
but
its
functionality
like
they
thought
now.
That
was
round
wide.
B
B
You
have
the
level
of
control
there
that
allow
you
to
visualize
that
operation
and
they
turn
now.
For
me,
it's
just
an
I/o
operation
and
I,
don't
see
a
different
between
data
now
or
any
other
thing
that
we
feel
that
it
belongs
to
the
evaluator
today
and
you
love
very
more
on.
Why
do
you
think
that
this
is.
A
C
A
A
A
A
A
A
A
A
A
Great
so,
sir,
the
the
core
idea
here
is
that
of
the
we
started
off
with
a
large
proposal
called
cess
that
included
the
realms
proposal
and
was
leveraging
the
roms
proposal
to
build
a
cess
system.
Then
we
separated
realms
and
cess
such
that
cess
was
no
longer
layered
on
top
of
realms,
but
they
were
side-by-side
and
that's
that
has
to
do
with.
You
know
the
the
separation
we
were
just
hearing
between
realm
and
evaluator,
so
that
everything
that
cess
is
concerned
with
does
not
assume
that
there
are
multiple
realms.
A
And
and
now
we're
making
a
we're
proposing
to
make
a
further
separation
of
that
into
two
proposals,
because
we
noticed
a
very
clear
separation.
That's
very
much
thanks
to
the
work
of
Mata
ball
and
TC
53,
which
is
what
moddable
has
built.
As
you
know,
one
of
their
configuration
options,
but
the
important
configuration
option
from
our
perspective
and
the
one
that
corresponds
to
the
base
machine
for
the
TC
53
standards.
Work
is
a
single
realm
cess
environment.
A
That
by
default
has
no
runtime
evaluators
that
that
is
consistent
with
all
JavaScript
code,
only
say
all
JavaScript
module
code
getting
compiled
and
loaded
ahead
of
time
at
initialization
telling
such
that
the
thing
that's
running
on
the
device
does
not
necessarily
have
the
ability
to
accept
new
JavaScript
module
source
code
at
runtime.
That
was
not
already
known
about
at
start
time.
A
C
C
C
A
A
A
The
draft
spec
for
stand-alone
cess,
which
I've
also
now
switched
put
into
a
new
tab
and
switched
the
window.
So
does
everybody
see
the
draft
spec
for
standalone,
says
yeah
yeah,
okay,
so
I'm
I'm
going
to
switch
back
to
the
first
tab
to
talk
about
the
new
work,
the
dot
the
standalone
cess
document
is
really.
A
Really
quite
orthogonal
to
the
new
work
that
we've
done
in
in
this
new
document
and
the
standalone
suspect
has
been
stable
for
a
long
time.
So
what
it's?
What
it's
really
about,
is
sort
of?
What
is
the
you
know
the
safe,
the
you
know,
the
Oh
caps
safe
JavaScript
in
terms
of
the
the
reduced
behavior
of
the
primordial,
so
all
the
primordial
all
the
shared
prime
Oriels
of
frozen
the.
A
Function,
prototype
dot,
constructor
points
at
a
function
that
always
throws,
and
likewise
for
all
the
other
function,
constructors
that
are
reachable
by
navigation.
So
things
like
that
date
thought
now.
Acts
like
the
date
is
always
man
just
all
of
those
kinds
of
things.
So
just
but
then,
on
top
of
that,
we've
been
trying
to
figure
out.
A
That's
those
multiple
needs,
that's
what
we
need
and,
and
certainly
everybody
building
on
assessed
within
a
full
JavaScript
like
meta
mask
in
the
browser
and
like
node
with
what
they
need
as
well.
So
we
realized
that
we
can
really
divide
it
all
into
two
phases,
which
is
how
do
you
build
assess
system
out
of
the
JavaScript
system
versus
what
does
assess
the
system?
A
It's
a
source
code
of
course
doesn't
have
any
authority
we
want
to
do
at
runtime
is
controlled.
The
initiative,
the
instantiation
of
those
loaded
of
those
static
modules,
control
their
control,
their
instantiation
control,
the
scope
that
they're
in
control,
how
they're
wired
together
and
control
how,
whatever
the
initial
authorities
are
from
the
host,
allow
the
startup
code
to
also
subdivide
attenuate
and
hand
out.
Those
initial
authorities
see
a
question
from
Dan
Connolly
initial
module
source
code
source
code
is
invisible
in
this
API.
Is
it
that's
correct?
A
B
A
B
So
you
have
the
out-of-band
configuration
is
something
that
is
seems
to
be
important
here
does
die
out
of
Bangkok
operation
is
extracted
from
the
source
code.
During
that
process
of
extracting
that
information
to
you
apply,
do
you
foresee
people
applying
some
sort
of
validation
in
a
way
that
linkage
aspect
of
it
doesn't
have
to
be
validated
at
the
wrong
time?
B
A
Think
the
answer
needs
to
be
no,
but
obviously
people
can
provide
their
own
separate
validation.
But
the
reason
I
think
the
answer
needs
to
be
know
is
that
if
module
foo
has
in
it
the
declaration
import
bar
that
there's
no
necessary
static
knowledge
of
what
what
module
that's
actually
supposed
to
be
important,
because
that's
a.
B
A
Up
to
so
the
compartment
API,
the
API
about
to
explain,
is
intended
to
give
the
code
the
runtime
code,
within
this
proposal,
yeah
the
runtime
code
running
on
the
sass
machine,
complete
control
over
the
input,
the
import
namespaces
and
the
wiring
together
of
modules
through
import
namespaces.
So
if
foo
says
it
imports
bar,
it
should
be
up
to
code
using
this
API
to
determine
at
runtime
what
it
actually
imports.
A
A
The
new
global
object
is
populated
with
exactly
three
per
compartment
initial
objects,
which
we
can
refer
to
as
evaluators
and
which
is
the
eval
function,
the
function
constructor
and
a
new
compartment
constructor.
So
this
was
the
the
you
know
the
big
AHA
from
models
previous
work.
Is
that
saying
new
compartment?
Is
your
you're
always
providing
there's
a
pair
child
relationship
between
the
compartment?
A
That's
you
know
the
creating
compartment
and
the
created
compartment,
and
we
don't
want
to
do
that
according
to
who
called
new
constructor.
Rather
we
do
it
by
which
compartment
constructor
they
did
new
on.
So
every
time
you
create
a
new
compartment,
it
gets
its
own
compartment,
constructor
and
then
nukem
partner
compartment,
using
that
compartment
constructor
creates
a
compartment.
That's
a
child
of
the
compartment
that
the
compartment
constructor
came
from.
A
A
Right
so
so
we
have
not
I
think
that
that's
an
important
question,
because
this
all
needs
to
be
consistent
with
the
multi
realm
world.
So
we
have
to
have
an
answer
to
that
question
and
the
reason
that
I
hadn't
thought
about
that
question
previously.
Is
that
we're
now
focusing
on
the
TC
53
scenario
and
the
moddable
scenario,
where
they're,
where
there's
only
one
realm,
let
me
think
it
through
right.
Let
me
think
it's
right
now,
because
it
should
be
the
case
that
the
constraints
give
us
exactly.
A
In
a
multi
realm
world
that
we
add
a
realm
constructor
to
each
compartment
global
engine
in
the
same
way
that
we
add
a
compartment
constructor,
so
there's
always
so
that
run
construction
is
always
relative
to
a
parent
compartment.
That's
one
choice.
The
other
choice
which
is
jet,
which
is
what
I
kind
of
been
assuming,
is
that
the
realm
constructor
is
part
of
the
shared
primordial
set
so
that
the
realm
constructor
is
created
as
part
of
creating
a
realm.
A
So
the
child,
the
parent
child
relationship,
would
be
from
realm
from
a
child
realm
to
a
parent
realm,
but
not
from
a
child
realm
to
a
parent
apartment
and
I.
Think
that
the
thing
that
will
determine
which
answer
is
right
is
exactly
the
issue
we
were
just
wrestling
with,
which
is
inheritance
of
host
hook.
Behavior
yeah.
B
That's
why
I
was
asking
this
question,
because
I
I
believe
the
compartment
relationship
should
be
cross
around
you
create
around
you.
Try
to
create
a
compartment,
we
need
to
figure
out
what
is
there?
Well,
what
is
the
thing
that
provides
the
current
operations,
and
that
would
be
the
compartment
that
is
trapping
the
wrong.
C
A
So,
okay,
so
so
what
so?
So
so
I
think
that's
a
great
open
issue.
Let's
let's
table
that,
but
but
remembering
that
we
need
to
address
it.
The
other
thing
that
the
previous
discussion
points
out
that
is
lacking
in
the
API
that
I'm
showing
you
is
the
compartment
constructor
here
only
has
two
parameters
and
the
compartment
constructor
subsumes,
the
evaluator,
it's
basically
the
evaluator,
plus
module
handling
and
and,
as
we
just
discussed,
probably
a
lot
of
the
hooks
that
need
to
be
provided
to
emulate
a
host.
A
B
A
A
A
But
since
neither
one
is
shown
here,
let
me
talk
about
what
is
shown,
so
the
Global's
is
a
object
in
which
the
own
properties
of
that
object
get
copied
on
to
the
newly
constructed
global.
So
when
you
say
new
compartment,
you
get
a
new
global
object
that
is
in
which
the
global
variables
are
of
that
new
global
object
are,
first
of
all
populated
by
the
normal,
powerless
global
variables,
which
correspond
to
the
nor
the
specified,
Global's,
object,
array,
etc.
A
In
this
specific
int,
so
in
this
specification
with
regard
to
the
behavior
specified
behavior
of
assess
machine,
the
I
don't
think
there
can
be
distinct
concepts
of
global
object
and
global
this.
But
if
there,
but
but
if
you
have,
if
there's
a
scenario
that
would
still
cause
us
to
distinguish
them,
then
we
need
to
face
that
issue.
But
I've
been
assuming
that
the
that
the
global
variable
global
variable
lookup
that
gets
beyond
the
global,
okay
I
should
also
say.
This
proposal
does
not
yet
say
anything
whatsoever
about
the
global,
lexical,
scope
and
I.
A
Think
it
does
not
need
to,
and
the
reason
it
does
not
need
to
is
that
there
is
only
two
things
in
the
atmosphere:
spec
that
can
cause
variables
to
appear
in
the
global
lexical
scope,
and
that
is
a
top-level,
let
Const
or
class
declaration
in
sloppy
code,
whether
evaluated
as
script
code
or
as
eval
covered
or
a
pop
level.
Let
Const
or
class
declaration
in
strict
code
evaluated
as
script
code
and
none
of
those
cases
are
possible
on
an
SES
machine,
an
SES
machine.
A
The
thing
that
we're
specifying
here
only
supports
code
running
as
module
code
or
code
running
as
strict
eval
code
and
for
both
of
those
top-level
let
Const
or
class,
are
contained
to
that
on
source
unit
contained
to
that
evaluation.
They
do
not
leak
into
anything
global,
so
this
thing
does
not
need
a
global
lexical
environment.
We
can
completely
dispense
with
that
concept,
which
is
great
and
then
the
other
thing
that,
on
the
only
other
case
that
I
know
of
that
causes
a
need
to
distinguish.
Yes,.
C
C
C
A
So
the
browser,
because
a
frame
navigation
has
to
deal
with
the
distinction
between
the
you
know.
What
in
the
brown,
whether
in
the
browser
is
called
the
window
versus
the
window
proxy
in
I?
Think
in
the
in
the
TC
53
as
the
first
concern
for
this
API.
We
can
for
the
moment,
put
that
aside,
but
obviously
like
with
Curry's
question
about
creating
new
realms,
since
the
purpose
of
this
is
also
to
be
part
of
a
larger
system
that
includes
creating
this
within
a
JavaScript
system
and
concerns
about
host
virtualization.
We
have
to
face
those
issues.
A
Okay,
so
so
the
global
of
this
object,
you
would
get
copied
onto
it.
First,
the
shirt
the
standard
homeless
shared
frozen
primordial.
Then
you
would
get
added
to
the
global.
This
object,
the
Val
function,
function,
constructor
and
country,
yeah,
Val
function,
function
to
sort
through
and
compartment
constructor,
and
then
you
would
get
the
own
properties
of
this
global
parameter
and
that's
obviously
just
a
convenience,
because
you
could
just
add
them
yourself
to
the
global
after
you
create
the
compartment
and
so
whether
it's
compelling
to
make
it
a
parameter
or
not
can
be
revisited.
A
But
right
now
we
go
ahead
and
make
it
a
parameter
because
I
think
it'll.
It
makes
it
sort
of
very
clear.
What's
going
on
it
does
raise
an
issue,
though,
which
is:
are
we
copying
the
values
using
get
and
set,
or
are
we
copying
the
descriptors
using
get
on
property
descriptors
and
define
properties?
I
can.
C
C
Properties
get
really
wrong
when
you
copy
them
over
I
could
probably
dig
them
up.
Jess
Dom,
in
particular,
has
had
many
attempts
to
try
to
fix
that
behavior
and
node,
and
eventually
they
just
stopped
using
that
copy
over
behavior
it
is.
You
should
not
do
that.
Copying
over
value
seems
fine
copying
over
descriptors
or
trying
to
create
a
two-way
bridge.
A
Okay,
very
interesting
one
of
the
advantages
to
simply
omitting
this
as
a
parameter
and
just
saying
if
you
want
to
pre
initialize
the
global
object
before
you
run
code
in
this
compartment,
you
can
just
do
that
manually.
Is
it
that
would
leave
it
up
to
the
user
code
and
wouldn't
require
the
API
to
make
a
decision
on
the
Global's
by
the
way
is
inspired
by
the
endowments
parameter
on
the
existing
on
moddable
api
and
dan
you're.
The
one
who's
done,
the
most
experimentation
with
moddable.
C
C
C
C
A
Okay,
so
in
any
case,
so
I
think
I
think
the
global
object
itself
that
we're
creating
there
we're
not
freezing
it.
All
the
shared
primordial
czar,
all
transitively
frozen
or
harmless
as
you'd
expect,
but
the
the
new
global
object
is
is
not
frozen
by
this
API
and
obviously
the
code
constructing
the
compartment
can
go
ahead
and
freeze
it
after
construction
before
it
runs
code
there.
The
interesting
parameter
here
is
the
modulus
parameter
and
the
module's
parameter
is
the
the
analog
of
the
existing
excess
module,
mapped
parameter.
A
A
A
A
Confusion
that
that
I
have
or
there's
there's
something
I'm
confused
about
when
we
put
in
subjective
terms,
I,
don't
know
exactly
what
semantics
moddable
intended,
but
when
I
try
to
figure
it
out,
I
get
confused.
If
this
child
parent
mapping
is
intended
to
give
the
child
access
to
the
same
code.
To
be,
you
know
the
same
static
module
to
be
reinstated
within
the
child's
compartment
or
give
the
child
access
to
the
module
instance,
as
seen
by
the
parent.
A
Are
you
referring
to
the
to
the
MA
all
code
in
the
parents
namespace
by
this
name,
in
which
case
the
code
gets
reinstated
or
gets
instantiated
in
the
child
compartment,
whether
or
not
it
had
ever
been
instantiated
in
the
parent?
Or
are
you
referring
to
the
would
every
instance
the
parent
sees?
So
it's
not
necessarily
instantiated
in
the
part,
but
it's
whatever
instance.
The
parents
is
because
the
parent
itself
may
have
been
granted
that
as
wired
to
some
other
instance,.
A
The
Michael
mentioned
that
at
the
last
TC
53
meeting
that
he
attended
that
I
did
not
attend
that
he
and
Peter
discussed
having
the
instance
passing
B
by
by
having
the
target
of
the
mapping
rather
than
being
named
in
the
parent
B,
the
module
name,
space,
object
and,
and
that
would
create
I
think
a
very,
very
natural
way
to
express
this,
which
is
the
module
name.
Space
object
obviously
is
specific
to
some
instance
and
then
distinguishing
a
string
from
the
module
name.
Space
object
is
is
an
easy
way
to
signal.
Are
you
passing
acts?
A
C
Well,
is
there
any
discussion
about
lazy
instantiation
there,
where
a
compartment
may
be
given
access
to
a
shared
instance?
So
if
I
make
two
compartments,
for
example,
and
I
want
them
to
refer
to
the
same
eventual
module
namespace,
but
the
parent
realm
has
no
intention
of
instantiate
in
that
module
itself.
I
think
it
would
be
difficult
for
us
to
achieve
that
if
we
use
this
API
as
discussed.
Okay,.
A
So
so,
I'm
very
glad
you
brought
that
up,
because
the
question
that
I'm
most
urgently
want
to
ask
Peter
and
Patrick
is:
is
there
any
reason
for
this
modules
parameter
for
the
XS
uses
for
the
XS
implementation?
Is
there
any
reason
to
provide
that
as
an
object
rather
than
as
a
function,
because
the
more
I
think
of
it,
the
more
I
the
more
I,
don't
see
why
they
would
prefer
an
object
to
a
function?
A
And
if
it's
an
object,
it's
still
procedurally
huggable,
because
you
can
provide
a
proxy
so
and
if
it's
and
in
both
cases
for
any
mapping,
it
should
only
be
consulted
once
it
should
never
be.
So
if
you
provide
a
function
that
should
never
be
asked
the
same
question
twice,
because
the
mechanism,
the
platform,
should
memorize
the
answer.
As
long
as
the
question
might
be
needed
again,
in
which
case
the
behavior
of
the
function
unambiguously
encodes
the
same
graph,
the
same
mappings
that
an
object
was
encoded.
A
C
If
it
is
done
as
needed,
yes,
I'd
like
to
be
on
my
call,
if
possible,
if
not
that's
fine,
there
are
some
potential
things
you
can't
do.
Statically
I,
don't
know
if
they're
trying
to
do
some
stuff
ahead
of
time
with
their
preload
feature,
because
I
know
if
we
do
it
at
runtime
on
demand
with
a
function
that
may
cause
problems
with
their
preload
feature.
So
that
seems
like
something
we
should
discuss
so.
A
So
so,
then
there's
the
limits.
Let
me
mention
the
the
missing
method
that
we
talked
about
in
an
internal
conversation
at
Agora
yesterday,
which
is
evaluate
which,
in
the
absence
of
a
an
options,
argument,
would
have
exactly
the
same
behavior
as
the
behavior
of
you
know,
a
compare
comb
or
compartment
instance.
A
A
So
I
think
what
that
has
to
mean
is
it's
the
same
behavior
as
the
dynamic
import
expression
in
the
absence
of
a
specifier
I'm?
Sorry,
in
the
absence
of
a
referral
in
the
absence
they
refer,
so
this
isn't
adequate
as
a
hook
for
determining
alright
right.
It's
not
intended
to
be
a
hawk.
It's
just
intended
to
start
module
execution
within
the
compartment
and
then
the
behavior
of
dynamic
import
expressions
within
code
executing
the
compartment
is
not
hooked
by
this
method.
It's
simply
done.
A
According
to
the
module
map
and
the
specifier
provided
as
argument
here
is
looked
up
in
the
trials
module
map.
So
so
in
that
sense,
it's
that
that's
the
sense
in
which
this
it's
the
same
as
the
import
expression,
it's
the
same
as
the
import
expression
for
an
import
expression
evaluated
in
a
way
that's
not
sensitive
to
who
the
refer
is.
A
And
the
import
expression
returns,
a
promise
for
a
module
instance
object.
This
one
in
States
returns
a
promise
for
a
module
instance
object
and
in
the
PC
53
every
all
code
is
pre-loaded
use
case
I'm,
actually
not
sure.
If
that
should
be
the
only
form
of
this
asynchronous
form.
Would
she
seem
possible
under
that
assumption?
A
C
C
A
When
you
provide
the
module
map
in
excess
as
I
understand
it,
the
normal
interpretation
of
the
module
map
is
it's
giving
access
to
instances,
but
when
you
provide
a
name
as
the
start,
module
that
that
start
module
name
is
still
dereferenced
using
the
module
map,
but
but
being
the
start
module.
It's
not
the
instance
that
of
that
module
inherited
from
the
parent
that
is
used.
It's
the
code,
it's
the
static
module
which
is
reinstated
in
the
new
compartment.
A
C
A
A
C
A
A
So
it
might
be
that,
if
that,
if
the
preload
distinction
there's
an
adequate
way
of
dealing
with
the
distinction,
I
have
in
mind
and
I,
don't
know
that
it
is.
But
if
it
is,
then
it
might
be
that
jf
shim
by
inheriting
that
answer
has
provided
an
adequate
answer.
That
needs
to
be
investigated
very
good
and.
A
So
what
he
provides
in
this
file
is
both
the
shun
of
the
new
API
in
terms
of
the
current
behavior
modulo,
the
refer
and
modulo
this
issue,
and
then
what
he
does
is
he
takes
some
of
the
excess
examples
that
use
the
current
excess
API
and
rewrite
them
in
terms
of
this
API.
To
show
that
this
API
is
at
least
expressive
enough
to
express
their
current
examples
and
then
and
that's
pretty
much.
It.