random.uuidv4: OperationError from crypto.getRandomValues in Firefox

[themiguelamador]

Problem

random.uuidv4() (and random.uint32()) can throw an unhandled OperationError (DOMException, code 0) when crypto.getRandomValues() fails transiently in Firefox.

We observed this in production on Firefox 148.0 / Ubuntu during Yjs Doc construction, which calls uuidv4() to generate the document GUID. The error is unrecoverable and crashes the application.

Stack trace (minified, from Yjs bundle)

OperationError: The operation failed for an operation-specific reason

Df  → crypto.getRandomValues.bind(crypto)   // lib0/webcrypto.js
Kb  → uuidv4()                              // lib0/random.js
t   → new Doc({ guid: uuidv4() })           // yjs

Reproduction

This is a transient failure — Firefox's Web Crypto implementation can occasionally throw OperationError from getRandomValues() due to process isolation or entropy pool issues. It's rare but not recoverable without a try/catch.

Suggested fix

Two complementary improvements:

1. Prefer crypto.randomUUID() for uuidv4()

All modern browsers (Firefox 95+, Chrome 92+, Safari 15.4+) support crypto.randomUUID(), which returns a UUID v4 string directly without going through getRandomValues. This avoids the failure entirely for the most common use case.

const uuidv4 = typeof crypto !== 'undefined' && typeof crypto.randomUUID === 'function'
  ? () => crypto.randomUUID()
  : () => uuidv4Template.replace(/[018]/g, c => (c ^ uint32() & 15 >> c / 4).toString(16))

2. Add a try/catch fallback in uint32()

The module comment already says "falls back to Math.random if the browser does not support crypto", but this fallback isn't actually implemented for uint32(). A defensive fallback would protect all callers:

const uint32 = () => {
  try {
    return webcrypto.getRandomValues(new Uint32Array(1))[0]
  } catch {
    return (Math.random() * 2 ** 32) >>> 0
  }
}

Workaround

We're currently wrapping new Doc() in a retry loop on our side, which works since the failure is transient. But the fix belongs in lib0 since every Yjs consumer is affected.

Environment

• lib0: 0.2.117
• yjs: 13.6.14
• Browser: Firefox 148.0 on Ubuntu
• Error: OperationError (DOMException, code 0) from crypto.getRandomValues

[dmonad]

As this behavior is not is the spec, it would be good to report this error to Firefox directly.

I don't like quick-fixes. They hide issues, rather than actually finding the root-cause.

• I will likely switch to crypto.randomUUID in the next 1.0 release of lib0 (the 0.2.* branch - which is used by yjs v13 - is in maintenance mode only). Moving to native crypto.randomUUID might not fix the issue anyway, as you might get "OperationError" anyway.
• try-catch: I won't wrap every crypto call in a try-catch block to hide some Firefox bug. Could you please investigate how they expect us to handle such an error message? I assume they don't expect us to try-catch all crypto calls so we can simply try again. That is something that they could already do internally to hide the error. How should we react?
• Math.random fallback: that note was created a long time ago. I'd like to enforce stricter rules, now that crypto is generally available (but apparently still buggy in some browsers).

I would appreciate it if you would report the issue with as much information as possible to Mozilla. This error is unexpected and - I hope - they will fix it if you report it.