Mutation Observer Callback can crash browser #550

Open
karlseguin opened this issue Apr 20, 2025 · 0 comments
Collaborator

karlseguin commented Apr 20, 2025

It's possible for a MutationObserver callback to mutate the DOM in a way that invalidates the code trying to do the original mutation.

This can be seen by running zig build wpt -- tests/wpt/dom/nodes/MutationObserver-document.html

Or, using the following unit test:

try runner.testCases(&.{
    .{
        \\ var node = document.getElementById("para");
        \\ new MutationObserver(() => {
        \\     node.innerText = 'a';
        \\ }).observe(document, { subtree:true,childList:true });
        \\ node.innerText = "2";
        ,
        "undefined",
    },
}, .{});

Similar code actually causes Firefox and Chrome to go into an endless loop. In practice, that's probably worse, but it does seem more correct to me. It's unclear how it should be handled.

The issue happens here: https://github.com/lightpanda-io/libdom/blob/master/src/core/node.c#L988
The dispatched event causes the MO's callback to execute, which invalidates old_child, causing _dom_node_detach(old_child); to crash (a few lines down).
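A minimal C model of the re-entrancy hazard described in the comment above, added here as an illustration and not taken from libdom or Lightpanda. All type and function names are hypothetical, and "invalidates old_child" is modelled, as an assumption, by the callback detaching the node; the guard shown is re-validating the tree state after the observer returns and before unlinking.

```c
#include <stddef.h>

/* Toy DOM node; every name here is hypothetical, not libdom's API. */
typedef struct node {
    struct node *parent, *first_child, *next;
} node;

typedef void (*observer_fn)(void *ctx);

/* Address of the pointer that links to child. Requires child->parent != NULL. */
static node **link_to(node *child) {
    node **link = &child->parent->first_child;
    while (*link != child) link = &(*link)->next;
    return link;
}

/* Unlink child from its parent. Dereferences child->parent unconditionally,
 * which is the step that fails when the caller's view of the tree is stale. */
void detach(node *child) {
    *link_to(child) = child->next;
    child->parent = NULL;
    child->next = NULL;
}

/* Replace old_child with new_child in place, notifying an observer first.
 * Returns 0 on success, -1 if preconditions fail before or after notify. */
int replace_child(node *parent, node *new_child, node *old_child,
                  observer_fn notify, void *ctx) {
    if (old_child->parent != parent || new_child->parent != NULL) return -1;
    if (notify) notify(ctx);   /* re-entrant: callback may mutate the tree */
    /* Re-validate: pointers checked before the callback may no longer hold. */
    if (old_child->parent != parent || new_child->parent != NULL) return -1;
    node **link = link_to(old_child);
    new_child->parent = parent;
    new_child->next = old_child->next;
    *link = new_child;
    old_child->parent = NULL;
    old_child->next = NULL;
    return 0;
}

/* Constructed observer: removes the very node that is being replaced. */
void hostile_observer(void *ctx) {
    node *victim = ctx;
    if (victim->parent) detach(victim);
}
```

If the callback can also free nodes, the re-check alone is not enough: the caller would additionally need to hold a reference on old_child across the dispatch.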
