script: Empty pending mutation observers when notifying mutation observers (#39456)

Empty the surrounding agent’s pending mutation observers when notifying mutation observers according to the spec. Also, the code in the method MutationObserver::queue_a_mutation_record and the corresponding specification have diverged over the years. These changes bring the code into conformity with the specification. Testing: Added a new crash test Fixes: #39434 #39531 --------- Signed-off-by: Rodion Borovyk <rodion.borovyk@gmail.com>
2025-10-02 09:39:14 +01:00 · 2025-09-29 16:15:07 +02:00 · 2025-09-29 16:15:07 +02:00 · 5b1fe60277
commit 5b1fe60277
parent e64f021550
4 changed files with 74 additions and 42 deletions
--- a/tests/wpt/meta/MANIFEST.json
+++ b/tests/wpt/meta/MANIFEST.json
@ -6984,6 +6984,13 @@
       {}
      ]
     ],
+     "MutationObserver-nested-crash.html": [
+      "0648c2037c8b2602ac77abde62f60793f0855a45",
+      [
+       null,
+       {}
+      ]
+     ],
     "Node-cloneNode-on-inactive-document-crash.html": [
      "cbd7a1e6a500e5671c1e0a71c5dcb963cab727ba",
      [
--- a/tests/wpt/tests/dom/nodes/MutationObserver-nested-crash.html
+++ b/tests/wpt/tests/dom/nodes/MutationObserver-nested-crash.html
@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<meta charset=utf-8>
+<title>MutationObservers: observer inside another observer's callback</title>
+
+<div id="target"></div>
+<script>
+  var observer = new MutationObserver(_ => {
+    var otherObserver = new MutationObserver(_ => {});
+    otherObserver.observe(target, {characterData: true});
+  });
+  observer.observe(target, {subtree: true, attributeOldValue: true});
+  target.setAttribute("foo", "bar");
+</script>