Harden Blazor WebView disposal races for JSRuntime and IPC

[lewing]

• You've read the Contributor Guide and Code of Conduct.
• You've included unit or integration tests for your change, where applicable.
• You've included inline docs for your change, where applicable.
• There's an open issue for the PR that you are making. If you'd like to propose a new feature or change, please open an issue to discuss the change or find an existing issue.

Improve Blazor WebView disconnect/disposal behavior and race safety

Description

This updates Blazor WebView teardown behavior so JS interop and IPC paths handle page reload and WebView shutdown safely, including follow-up race-condition fixes from review feedback.

• Marks WebViewJSRuntime as disconnected during PageContext.DisposeAsync so BeginInvokeJS fails with JSDisconnectedException, while EndInvokeDotNet/SendByteArray no-op after disposal.
• Disposes IpcSender at the start of WebViewManager.DisposeAsyncCore and adds execution-time disposal checks in queued dispatcher delegates to prevent TOCTOU races for outbound messages and unhandled-exception dispatch.
• Refines IpcReceiver disposal handling to drop only disposed-scope user-invocation messages, while still allowing framework completion/event messages (EndInvokeJS, render/location completion paths).
• Captures page context at message receipt time to avoid stale messages being routed to a newly attached page after reload.
• Prevents manager resurrection after disposal by guarding AttachToPageAsync (including post-await race window), and guards TryDispatchAsync against running work on disposed state.
• Makes disposal flags used across dispatcher/non-dispatcher paths volatile to ensure cross-thread visibility.
• Adds/updates WebViewManager tests for disposal ordering, stale IPC drops, sender-dispose behavior, and post-disposal attach/dispatch behavior.

[Copilot]

Pull request overview

This PR extends Blazor Server’s “disconnected JS runtime” pattern to Blazor WebView so that JS interop during teardown (page reload/WebView shutdown) fails predictably with JSDisconnectedException, and stale inbound/outbound IPC is dropped instead of reaching disposed WebView controls.

Changes:

• Mark WebViewJSRuntime as disconnected at the start of PageContext.DisposeAsync() so BeginInvokeJS throws JSDisconnectedException and EndInvokeDotNet/SendByteArray no-op after disposal.
• Dispose IpcSender at the start of WebViewManager.DisposeAsyncCore() and drop messages/exception notifications after disposal.
• Drop incoming IPC messages in IpcReceiver when the target page’s JS runtime is disposed; add unit tests covering the new teardown behaviors.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
src/Components/WebView/WebView/test/WebViewManagerTests.cs	Adds tests for JS interop/IPC behavior during page reload and WebView disposal.
src/Components/WebView/WebView/src/WebViewManager.cs	Disposes the IPC sender before disposing the current page context to stop outbound traffic during shutdown.
src/Components/WebView/WebView/src/Services/WebViewJSRuntime.cs	Introduces a disconnected/disposed flag that throws JSDisconnectedException and drops late replies/transfers.
src/Components/WebView/WebView/src/PageContext.cs	Marks the JS runtime disconnected before renderer disposal to protect IAsyncDisposable component teardown.
src/Components/WebView/WebView/src/IpcSender.cs	Adds a disposed flag and guards to drop outbound dispatches and unhandled-exception notifications after disposal.
src/Components/WebView/WebView/src/IpcReceiver.cs	Drops incoming messages for disposed page contexts to avoid routing stale calls into torn-down scopes.

[lewing]

Round 2: addressed reviewer + rubber-duck feedback

@copilot-pull-request-reviewer flagged two real TOCTOU races in IpcSender. An independent rubber-duck pass on top found four more disposal-race holes that this PR's guards fundamentally couldn't fix without companion changes. All are addressed in 637a7c5:

Reviewer feedback addressed

Reviewer comment	Resolution
IpcSender.NotifyUnhandledException checks _disposed before queuing — dispose race after the check still reaches _messageDispatcher and ExceptionDispatchInfo.Throw()	Re-check _disposed inside both queued dispatcher delegates
IpcSender.DispatchMessageWithErrorHandling has the same TOCTOU pattern	Re-check _disposed inside the queued delegate
(False positive) missing using Microsoft.AspNetCore.Components	Global usings cover it (build is clean)
(False positive) Assembly.GetName().Name nullable warning	Test project doesn't have nullable enabled; build is clean

Additional rubber-duck findings addressed

1. MessageReceived didn't capture _currentPageContext before queuing — a message that should target the old page would hit the new one after reload, and my new IpcReceiver.IsDisposed check then evaluated the wrong (new) context. Now captures at receipt time so stale messages target the original (now-disposed) runtime where the guard actually fires.

2. Late AttachPage after WebViewManager.DisposeAsync could resurrect the manager — AttachToPageAsync had no _disposed check and would happily create a new PageContext / scope / renderer / JS runtime against an already-disposed IpcSender. Guarded at both entry and after awaiting the previous context's disposal (the await is itself a race window).

3. TryDispatchAsync could run workItem against a disposed scope — _currentPageContext is not nulled by disposal, so the existing null + identity check both passed after DisposeAsync. Added _disposed guard at entry and inside the dispatcher delegate.

4. _disposed flags weren't volatile — written from disposal paths that may run off the dispatcher thread, read from every IPC path. Plain bool is atomic but lacks acquire/release semantics; a cross-thread Dispose write may not be visible to a dispatcher-thread read. Now volatile bool for both WebViewJSRuntime._isDisposed and IpcSender._disposed.

5. Broad IpcReceiver IsDisposed guard would drop EndInvokeJS — leaving pending InvokeAsync<T> tasks hanging forever. Refined to only drop messages that invoke user code on the disposed scope: BeginInvokeDotNet, ReceiveByteArrayFromJS, OnLocationChanging. EndInvokeJS / OnRenderCompleted / OnLocationChanged pass through — they only complete pending TCSes or fire benign framework events.

Tests

• 2 new tests added (AttachToPageAsync_AfterWebViewManagerDispose_DoesNotResurrectManager, TryDispatchAsync_AfterWebViewManagerDispose_ReturnsFalse)
• All 15 tests pass (8 pre-existing + 7 from round 1 + 2 from round 2)
• Library and Photino consumer build clean with 0 warnings

Known limitation (out of scope for this PR)

In-flight InvokeAsync<T> calls that JS will never reply to (because the JS context is gone) still hang. Fully fixing this requires the runtime to fail-fast all pending tracker entries on MarkAsDisconnected — needs JSRuntime base-class cooperation. Worth tracking as a follow-up issue.

[lewing]

Round 3: second rubber-duck pass

A second independent rubber-duck pass on top of 637a7c5 found 4 more blocking issues that round 2 either introduced or failed to fully close. All addressed in 8cc0204:

Issue	Resolution
WebViewManager._disposed was still a plain bool — round-2 guards in MessageReceived / AttachToPageAsync / TryDispatchAsync depend on cross-thread visibility that plain bool doesn't guarantee	volatile bool, matching the round-2 treatment of IpcSender._disposed and WebViewJSRuntime._isDisposed
AttachToPageAsync vs DisposeAsyncCore could both observe the same _currentPageContext and double-dispose it (PageContext.DisposeAsync is not idempotent)	Atomic detach in both paths — capture local + null the field before awaiting disposal, so a racing path observes null instead of the same reference
Refined IpcReceiver guard was too optimistic: OnLocationChanged fires user subscribers on disposed scopes (exactly what the guard exists to prevent); OnRenderCompleted can throw from Dequeue on stale duplicate/error/out-of-order acks	Tighten the guard: drop EVERYTHING when JSRuntime.IsDisposed EXCEPT EndInvokeJS (the only message that just completes a pending TCS)
IpcSender.NotifyUnhandledException made two separate InvokeAsync calls — a disposal racing between them produced inconsistent partial state	Combine into one dispatcher delegate with a single _disposed re-check, making the decision atomic
TryDispatchAsync read _currentPageContext.ServiceProvider after the identity check passed instead of using the captured local — functionally equivalent today but fragile against future refactor	Use captured local

New test

IpcReceiver_AllowsEndInvokeJSThroughAfterRuntimeDisposed_CompletesPendingInvocation — the rubber-duck-flagged most-important-to-not-skip test. Starts a real InvokeAsync<T> to register a pending tracker, extracts the asyncHandle from the outbound BeginInvokeJS IPC, calls MarkAsDisconnected, delivers the JS-side EndInvokeJS reply with the captured handle, and asserts the original Task completes with the supplied result.

Proves end-to-end that the EndInvokeJS pass-through actually works under the tightened guard — without it, the rationale for keeping EndInvokeJS as the lone exception is only code-comment-deep.

Final state

• 16 tests, all pass (8 pre-existing + 7 round-1/2 + 1 round-3)
• Library + Photino consumer build clean with 0 warnings
• All guard flags are volatile
• Lifecycle race between attach and dispose closed by atomic context detach
• TOCTOU race in IpcSender closed by re-check inside dispatcher delegates
• IpcReceiver guard tightened to only allow the lone safe pass-through (EndInvokeJS)

[Copilot]

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.

[lewing]

Round 5: third rubber-duck pass

The third rubber-duck pass found that round 3's "atomic detach" wasn't actually atomic — two participants could both read the same non-null _currentPageContext before either nulled it, then both await DisposeAsync on the same context (PageContext.DisposeAsync is not idempotent). Round 4's volatile made the read atomic-visible but didn't sequence the read-modify-write. There was also a publish-after-dispose race that would leak the new scope.

Round 5 (422a4fa):

Issue	Resolution
Lifecycle race between AttachToPageAsync and DisposeAsyncCore (RD #1)	Added SemaphoreSlim _lifecycleLock and wrapped both methods in WaitAsync() + finally Release(). Eliminates the entire race class.
Test fragility with SentIpcMessages.Last() (RD #4)	Changed both pass-through tests to find the outgoing BeginInvokeJS message by type rather than positional .Last().
Renderer pending-render-batch TCS hang (RD #10, originally raised in round 2)	Added WebViewManagerDispose_DoesNotHangWhenPendingRenderBatchAckNeverArrives test. Passes immediately — confirming that the renderer's pending render-batch TCSs are not awaited by its disposal path. The hang is theoretical, documented via test.

What changed semantically

A DisposeAsync() call that arrives while an AttachToPageAsync is in flight now waits for the attach to complete before proceeding (previously they raced). Safer semantics: ensures the attach's scope + renderer are fully constructed before they get torn down, and no scope is leaked.

Final state

• 18 tests, all pass (8 pre-existing + 10 new across 5 rounds)
• Library + Photino consumer build clean
• All disposal-race surfaces I'm aware of are closed
• Three rubber-duck passes + two Copilot reviewer passes all addressed
• Zero unresolved review threads

Known limitations (out of scope for this PR)

1. In-flight InvokeAsync<T> with no JS reply still hangs. If JS never sends an EndInvokeJS (because the JS context was destroyed mid-call before the reply was sent), the pending Task hangs forever. Fully fixing this requires JSRuntime base-class cooperation to fail-fast all pending tracker entries on MarkAsDisconnected. Worth tracking as a follow-up. Callers can mitigate with cancellation tokens / timeouts today.

2. AddRootComponentAsync / RemoveRootComponentAsync races with disposal. These public methods read _currentPageContext outside the lifecycle lock. With volatile they get atomic visibility but no ordering guarantee against concurrent disposal. Not amplified by this PR (the pre-existing behavior was the same), but worth a follow-up audit.