fix(runtime): replace silent catches in overlay with console.warn#61

Merged
hqhq1025 merged 2 commits into main from wt/loop-fix-overlay-no-silent-catch
Apr 19, 2026

@hqhq1025
Collaborator

Summary

  • The 8 catch (_) {} blocks in packages/runtime/src/overlay.ts swallowed every error from postMessage, listener attach/detach, and setInterval calls — making sandbox iframe issues invisible.
  • Replaced each with catch (err) { console.warn('[overlay] <context>:', err); } so failures surface in the iframe DevTools console without changing overlay behaviour.
  • console.warn is the proper diagnostic channel inside the sandboxed renderer iframe (no IPC needed, doesn't escalate to IFRAME_ERROR loop).

Locations covered (line numbers in original):

  • L60: postMessage ELEMENT_SELECTED failed
  • L75: postMessage IFRAME_ERROR (error) failed
  • L89: postMessage IFRAME_ERROR (unhandledrejection) failed
  • L103: removeEventListener failed for <evt>
  • L104: addEventListener failed for <evt>
  • L107: attach window error listener failed
  • L110: attach unhandledrejection listener failed
  • L114: setInterval reattach failed

Compatibility / Upgradeability / No bloat / Elegance

  • Compatibility: green — no API or behaviour change; identical control flow.
  • Upgradeability: green — easier to diagnose iframe issues going forward.
  • No bloat: green — zero new deps; +0 net lines (8 catches reshaped in place).
  • Elegance: green — replaces silent failure with contextual diagnostics.

Test plan

  • pnpm typecheck
  • pnpm lint (exit 0; pre-existing warnings unrelated)
  • pnpm --filter @open-codesign/runtime test — 3/3 passed
  • Pre-commit hook ran full repo test suite — all green

Contributor

@github-actions github-actions Bot left a comment

Findings

  • [Major] Unbounded warning spam in 200ms reattach loop can become a log-amplification DoS in hostile iframe content — console.warn(...) now runs on every failed listener operation inside reattach(), which executes every 200ms, so malicious/generated code that breaks addEventListener/removeEventListener can flood logs and degrade runtime responsiveness, evidence packages/runtime/src/overlay.ts:103.
    Suggested fix:
    var warned = Object.create(null);
    function warnOnce(key, err) {
      if (warned[key]) return;
      warned[key] = true;
      console.warn('[overlay] ' + key, err);
    }
    
    // in reattach loop
    try { document.removeEventListener(spec.evt, spec.fn, true); }
    catch (err) { warnOnce('removeEventListener failed for ' + spec.evt + ':', err); }
    try { document.addEventListener(spec.evt, spec.fn, true); }
    catch (err) { warnOnce('addEventListener failed for ' + spec.evt + ':', err); }

Summary

  • Review mode: initial
  • 1 issue found in modified lines.
  • docs/VISION.md and docs/PRINCIPLES.md: Not found in repo/docs.

Testing

  • Not run (automation). Missing coverage for repeated listener-failure path to verify logging is rate-limited.

open-codesign Bot

Comment thread packages/runtime/src/overlay.ts Outdated
var spec = installs[i];
try { document.removeEventListener(spec.evt, spec.fn, true); } catch (_) {}
try { document.addEventListener(spec.evt, spec.fn, true); } catch (_) {}
try { document.removeEventListener(spec.evt, spec.fn, true); } catch (err) { console.warn('[overlay] removeEventListener failed for ' + spec.evt + ':', err); }
Contributor

[Major] This catch now warns inside a function that runs every 200ms; if sandbox content breaks listener APIs, this can emit warnings continuously and degrade runtime (log-amplification DoS). Please gate this with warn-once or rate-limiting.

Suggested fix:

var warned = Object.create(null);
function warnOnce(key, err) {
  if (warned[key]) return;
  warned[key] = true;
  console.warn('[overlay] ' + key, err);
}

try { document.removeEventListener(spec.evt, spec.fn, true); }
catch (err) { warnOnce('removeEventListener failed for ' + spec.evt + ':', err); }

…gnostics

The 8 catch blocks in the overlay script silently swallowed errors,
making it hard to diagnose iframe sandbox issues (postMessage failures,
listener attach failures, setInterval failures). Replaced each with
console.warn emitting a contextual tag so problems surface in the
sandbox iframe DevTools console without affecting overlay behaviour.

Signed-off-by: hqhq1025 <1506751656@qq.com>
The overlay's 200ms setInterval reattach loop could flood the console
when iframe content breaks add/removeEventListener (Codex Major on #61).
Introduce a warnOnce helper keyed by error message so each unique failure
warns at most once over the loop's lifetime. One-shot catches outside
the loop keep their direct console.warn.

Adds vitest coverage simulating 25 reattach ticks with throwing listeners
and asserts warn count stays bounded by unique-key count, not tick count.

Signed-off-by: hqhq1025 <1506751656@qq.com>
@hqhq1025 hqhq1025 force-pushed the wt/loop-fix-overlay-no-silent-catch branch from dbd3af6 to d05f001 Compare April 18, 2026 21:12
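
The commit message above describes a warnOnce helper that keeps the 200ms reattach loop from flooding the console, tested over 25 ticks. As an added example (not the project's code), the sketch below replays that loop against listener APIs that always throw, and also caps the number of distinct keys so output stays bounded even when the key includes text taken from the thrown error. The names `createWarnLimiter`, `reattach`, `simulate`, `byContext`, `byMessage`, the event names and the cap of 16 are assumptions.

```javascript
// Added example, not the project's code. createWarnLimiter, reattach and
// simulate are hypothetical names; the throwing target is constructed.
function createWarnLimiter(sink, maxKeys) {
  var warned = Object.create(null); // null prototype: keys are plain own entries
  var distinct = 0;
  var capReported = false;
  return function warnOnce(key, err) {
    if (warned[key]) return;
    if (distinct >= maxKeys) {
      // Cap reached: say so once, then drop further distinct keys.
      if (!capReported) {
        capReported = true;
        sink('[overlay] warn limit reached; suppressing new warnings');
      }
      return;
    }
    warned[key] = true;
    distinct += 1;
    sink('[overlay] ' + key, err);
  };
}

// Same shape as the reattach loop quoted in the review; keyFor picks the dedupe key.
function reattach(target, installs, warnOnce, keyFor) {
  for (var i = 0; i < installs.length; i++) {
    var spec = installs[i];
    try { target.removeEventListener(spec.evt, spec.fn, true); }
    catch (err) { warnOnce(keyFor('removeEventListener failed for ' + spec.evt + ':', err), err); }
    try { target.addEventListener(spec.evt, spec.fn, true); }
    catch (err) { warnOnce(keyFor('addEventListener failed for ' + spec.evt + ':', err), err); }
  }
}

// Runs `ticks` reattach passes against listener APIs that always throw a
// fresh message, and returns how many lines reached the sink.
function simulate(ticks, keyFor, maxKeys) {
  var lines = [];
  var seq = 0;
  var boom = function () { throw new Error('blocked #' + (seq++)); };
  var target = { addEventListener: boom, removeEventListener: boom };
  var installs = [{ evt: 'mouseover', fn: function () {} }, { evt: 'click', fn: function () {} }];
  var warnOnce = createWarnLimiter(function (msg) { lines.push(msg); }, maxKeys);
  for (var t = 0; t < ticks; t++) reattach(target, installs, warnOnce, keyFor);
  return lines.length;
}

var byContext = function (context) { return context; };
var byMessage = function (context, err) { return context + ' ' + err.message; };
console.log(simulate(25, byContext, 16), simulate(25, byMessage, 16));
```

Keyed by context alone, the 100 failing calls produce one line per operation and event; keyed by context plus error message, they produce the 16 allowed lines and a single suppression notice.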
Contributor

@github-actions github-actions Bot left a comment

Findings

  • [Minor] Silent fallback reintroduced in warnOnce: console.warn failures are swallowed with catch (_) { /* noop */ }, which conflicts with the repo rule that errors must surface (UI or throw with context); this can hide diagnostics when console APIs are patched/broken, evidence packages/runtime/src/overlay.ts:26.
    Suggested fix:
    function warnOnce(key, err) {
      if (warned[key]) return;
      warned[key] = true;
      console.warn('[overlay] ' + key, err);
    }

Summary

  • Review mode: follow-up after new commits
  • 1 issue found in modified lines.
  • docs/VISION.md and docs/PRINCIPLES.md: Not found in repo/docs.

Testing

  • Not run (automation)

open-codesign Bot

function warnOnce(key, err) {
if (warned[key]) return;
warned[key] = true;
try { console.warn('[overlay] ' + key, err); } catch (_) { /* noop */ }
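Review bot: warned[key] = true is set before the console.warn call on the last line, so when that call throws the key is already marked and the same failure is never reported on a later tick; together with the empty catch, the failure leaves no trace at all. Set the flag only after console.warn returns, or remove the try/catch so the error propagates with its context.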
Contributor

[Minor] warnOnce currently swallows console.warn errors (catch (_) { /* noop */ }), reintroducing a silent fallback. Please let this throw (or surface via existing iframe error channel) so failures are observable with context.

Suggested fix:

function warnOnce(key, err) {
  if (warned[key]) return;
  warned[key] = true;
  console.warn('[overlay] ' + key, err);
}

@hqhq1025 hqhq1025 merged commit f812415 into main Apr 19, 2026
6 checks passed
@hqhq1025 hqhq1025 deleted the wt/loop-fix-overlay-no-silent-catch branch April 19, 2026 04:31