Mutation Observer Callback can crash browser

[karlseguin]

It's possible for a MuttitonObserver callback to mutate the DOM in a way that invalidates the code trying to do the original mutation.

This can be seen by running zig build wpt -- tests/wpt/dom/nodes/MutationObserver-document.html

Or, using the following unit test:

try runner.testCases(&.{
    .{
        \\ var node = document.getElementById("para");
        \\ new MutationObserver(() => {
        \\     node.innerText = 'a';
        \\ }).observe(document, { subtree:true,childList:true });
        \\ node.innerText = "2";
        ,
        "undefined",
    },
}, .{});

Similar code actually causes Firefox and Chrome to go into an endless loop. In practice, that's probably worse, but it does seem more correct to me. It's unclear how it should be handled.

The issue happens here: https://github.com/lightpanda-io/libdom/blob/master/src/core/node.c#L988
The dispatched event, causes the MO's callback to execute, which invalidates old_child, causing _dom_node_detach(old_child); to crash (a few lines down).