Fix ce_reactions audit gaps and iterator-invalidation UAF

popAndInvoke captured the reactions queue as a slice at loop entry. If
firing a reaction triggered a nested scope whose enqueue grew the
underlying ArrayList, the captured slice became dangling and the next
iteration read freed memory. Switch to indexed iteration so the queue
pointer is re-read each step. Repros via wpt/custom-elements/
enqueue-custom-element-callback-reactions-inside-another-callback.html.

The rest of the diff adds .ce_reactions = true to bridge declarations
that were missing it per WebIDL [CEReactions] *and* whose Zig impl
actually performs a DOM/attribute mutation (verified by reading each
setter). Without the flag, the algorithm's enqueue path hits
assertScopeActive and panics. Runtime-state-only setters (Input.value,
Input.checked, Select.value, Option.selected, Media.muted/volume, etc.)
are deliberately left untagged.

Covered:
- CustomElementRegistry.define, .upgrade
- HTMLDocument: body, title, dir
- Document: open, close
- HTMLElement base: insertAdjacentHTML, dir, hidden, lang, tabIndex,
  title, innerText
- Range: insertNode, deleteContents, extractContents,
  surroundContents, createContextualFragment
- Selection: deleteFromDocument
- HTMLOptionsCollection: add, remove
- DOMStringMap (dataset): namedIndexed setter/deleter — required adding
  .ce_reactions to NamedIndexed.Opts in bridge.zig
- ~28 HTMLxxxElement files: every settable attribute that resolves to
  setAttributeSafe/removeAttribute (Anchor, Button, Canvas, Data,
  Details, Dialog, FieldSet, Form, IFrame, Image, Input, Label, Link,
  LI, Media, Meta, OL, OptGroup, Option, Quote, Script, Select, Slot,
  Style, TableCell, Template, TextArea, Time, Track, Video)

Author: karlseguin

src/browser/CustomElementReactions.zig

@@ -59,8 +59,12 @@ pub fn push(self: *Self) usize {
 /// enqueued within a nested scope drain at that scope's pop, before this loop
 /// sees them.
 pub fn popAndInvoke(self: *Self, checkpoint: usize, frame: *Frame) void {
-    for (self.queue.items[checkpoint..]) |reaction| {
-        Custom.fireReaction(reaction, frame);
+    // Index, not slice: firing a reaction can recursively enqueue (via JS
+    // callbacks doing DOM mutations), which may realloc queue.items and
+    // invalidate any captured slice.
+    var i = checkpoint;
+    while (i < self.queue.items.len) : (i += 1) {
+        Custom.fireReaction(self.queue.items[i], frame);
     }
     self.queue.items.len = checkpoint;
     self.active_scopes -= 1;

src/browser/js/bridge.zig

@@ -304,6 +304,10 @@ pub const NamedIndexed = struct {
     const Opts = struct {
         as_typed_array: bool = false,
         null_as_undefined: bool = false,
+        // Mirrors [CEReactions] on a named-property setter/deleter (e.g.,
+        // HTMLElement.dataset, which proxies setAttribute/removeAttribute).
+        // Only applies to setter and deleter; getters don't mutate.
+        ce_reactions: bool = false,
     };
 
     fn init(comptime T: type, comptime getter: anytype, setter: anytype, deleter: anytype, comptime opts: Opts) NamedIndexed {
@@ -332,6 +336,18 @@ pub const NamedIndexed = struct {
                 }
                 defer caller.deinit();
 
+                const ce_frame: ?*Frame = if (comptime opts.ce_reactions) switch (caller.local.ctx.global) {
+                    .frame => |frame| frame,
+                    .worker => null,
+                } else null;
+                var ce_checkpoint: usize = undefined;
+                if (comptime opts.ce_reactions) {
+                    if (ce_frame) |frame| ce_checkpoint = frame._ce_reactions.push();
+                }
+                defer if (comptime opts.ce_reactions) {
+                    if (ce_frame) |frame| frame._ce_reactions.popAndInvoke(ce_checkpoint, frame);
+                };
+
                 return caller.setNamedIndex(T, setter, c_name.?, c_value.?, handle.?, .{
                     .as_typed_array = opts.as_typed_array,
                     .null_as_undefined = opts.null_as_undefined,
@@ -348,6 +364,18 @@ pub const NamedIndexed = struct {
                 }
                 defer caller.deinit();
 
+                const ce_frame: ?*Frame = if (comptime opts.ce_reactions) switch (caller.local.ctx.global) {
+                    .frame => |frame| frame,
+                    .worker => null,
+                } else null;
+                var ce_checkpoint: usize = undefined;
+                if (comptime opts.ce_reactions) {
+                    if (ce_frame) |frame| ce_checkpoint = frame._ce_reactions.push();
+                }
+                defer if (comptime opts.ce_reactions) {
+                    if (ce_frame) |frame| frame._ce_reactions.popAndInvoke(ce_checkpoint, frame);
+                };
+
                 return caller.deleteNamedIndex(T, deleter, c_name.?, handle.?, .{
                     .as_typed_array = opts.as_typed_array,
                     .null_as_undefined = opts.null_as_undefined,

src/browser/webapi/CustomElementRegistry.zig

@@ -260,9 +260,9 @@ pub const JsApi = struct {
         pub const prototype_chain = bridge.prototypeChain();
     };
 
-    pub const define = bridge.function(CustomElementRegistry.define, .{ .dom_exception = true });
+    pub const define = bridge.function(CustomElementRegistry.define, .{ .dom_exception = true, .ce_reactions = true });
     pub const get = bridge.function(CustomElementRegistry.get, .{ .null_as_undefined = true });
-    pub const upgrade = bridge.function(CustomElementRegistry.upgrade, .{});
+    pub const upgrade = bridge.function(CustomElementRegistry.upgrade, .{ .ce_reactions = true });
     pub const whenDefined = bridge.function(CustomElementRegistry.whenDefined, .{ .dom_exception = true });
 };
 

src/browser/webapi/Document.zig

@@ -1171,8 +1171,8 @@ pub const JsApi = struct {
     pub const elementsFromPoint = bridge.function(Document.elementsFromPoint, .{});
     pub const write = bridge.function(Document.write, .{ .dom_exception = true, .ce_reactions = true });
     pub const writeln = bridge.function(Document.writeln, .{ .dom_exception = true, .ce_reactions = true });
-    pub const open = bridge.function(Document.open, .{ .dom_exception = true });
-    pub const close = bridge.function(Document.close, .{ .dom_exception = true });
+    pub const open = bridge.function(Document.open, .{ .dom_exception = true, .ce_reactions = true });
+    pub const close = bridge.function(Document.close, .{ .dom_exception = true, .ce_reactions = true });
     pub const doctype = bridge.accessor(Document.getDocType, null, .{});
     pub const firstElementChild = bridge.accessor(Document.getFirstElementChild, null, .{});
     pub const lastElementChild = bridge.accessor(Document.getLastElementChild, null, .{});

src/browser/webapi/HTMLDocument.zig

@@ -288,11 +288,11 @@ pub const JsApi = struct {
         });
     }
 
-    pub const dir = bridge.accessor(HTMLDocument.getDir, HTMLDocument.setDir, .{});
+    pub const dir = bridge.accessor(HTMLDocument.getDir, HTMLDocument.setDir, .{ .ce_reactions = true });
     pub const head = bridge.accessor(HTMLDocument.getHead, null, .{});
-    pub const body = bridge.accessor(HTMLDocument.getBody, HTMLDocument.setBody, .{ .dom_exception = true });
+    pub const body = bridge.accessor(HTMLDocument.getBody, HTMLDocument.setBody, .{ .dom_exception = true, .ce_reactions = true });
     pub const lang = bridge.accessor(HTMLDocument.getLang, HTMLDocument.setLang, .{});
-    pub const title = bridge.accessor(HTMLDocument.getTitle, HTMLDocument.setTitle, .{});
+    pub const title = bridge.accessor(HTMLDocument.getTitle, HTMLDocument.setTitle, .{ .ce_reactions = true });
     pub const images = bridge.accessor(HTMLDocument.getImages, null, .{});
     pub const scripts = bridge.accessor(HTMLDocument.getScripts, null, .{});
     pub const links = bridge.accessor(HTMLDocument.getLinks, null, .{});

src/browser/webapi/Range.zig

@@ -718,12 +718,12 @@ pub const JsApi = struct {
     pub const isPointInRange = bridge.function(Range.isPointInRange, .{ .dom_exception = true });
     pub const intersectsNode = bridge.function(Range.intersectsNode, .{});
     pub const cloneRange = bridge.function(Range.cloneRange, .{ .dom_exception = true });
-    pub const insertNode = bridge.function(Range.insertNode, .{ .dom_exception = true });
-    pub const deleteContents = bridge.function(Range.deleteContents, .{ .dom_exception = true });
+    pub const insertNode = bridge.function(Range.insertNode, .{ .dom_exception = true, .ce_reactions = true });
+    pub const deleteContents = bridge.function(Range.deleteContents, .{ .dom_exception = true, .ce_reactions = true });
     pub const cloneContents = bridge.function(Range.cloneContents, .{ .dom_exception = true });
-    pub const extractContents = bridge.function(Range.extractContents, .{ .dom_exception = true });
-    pub const surroundContents = bridge.function(Range.surroundContents, .{ .dom_exception = true });
-    pub const createContextualFragment = bridge.function(Range.createContextualFragment, .{ .dom_exception = true });
+    pub const extractContents = bridge.function(Range.extractContents, .{ .dom_exception = true, .ce_reactions = true });
+    pub const surroundContents = bridge.function(Range.surroundContents, .{ .dom_exception = true, .ce_reactions = true });
+    pub const createContextualFragment = bridge.function(Range.createContextualFragment, .{ .dom_exception = true, .ce_reactions = true });
     pub const toString = bridge.function(Range.toString, .{ .dom_exception = true });
     pub const getBoundingClientRect = bridge.function(Range.getBoundingClientRect, .{});
     pub const getClientRects = bridge.function(Range.getClientRects, .{});

src/browser/webapi/Selection.zig

@@ -734,7 +734,7 @@ pub const JsApi = struct {
     pub const collapseToEnd = bridge.function(Selection.collapseToEnd, .{});
     pub const collapseToStart = bridge.function(Selection.collapseToStart, .{ .dom_exception = true });
     pub const containsNode = bridge.function(Selection.containsNode, .{});
-    pub const deleteFromDocument = bridge.function(Selection.deleteFromDocument, .{});
+    pub const deleteFromDocument = bridge.function(Selection.deleteFromDocument, .{ .ce_reactions = true });
     pub const empty = bridge.function(Selection.removeAllRanges, .{});
     pub const extend = bridge.function(Selection.extend, .{ .dom_exception = true });
     // unimplemented: getComposedRanges

src/browser/webapi/collections/HTMLOptionsCollection.zig

@@ -106,6 +106,6 @@ pub const JsApi = struct {
     pub const @"[str]" = bridge.namedIndexed(HTMLOptionsCollection.getByName, null, null, .{ .null_as_undefined = true });
 
     pub const selectedIndex = bridge.accessor(HTMLOptionsCollection.getSelectedIndex, HTMLOptionsCollection.setSelectedIndex, .{});
-    pub const add = bridge.function(HTMLOptionsCollection.add, .{});
-    pub const remove = bridge.function(HTMLOptionsCollection.remove, .{});
+    pub const add = bridge.function(HTMLOptionsCollection.add, .{ .ce_reactions = true });
+    pub const remove = bridge.function(HTMLOptionsCollection.remove, .{ .ce_reactions = true });
 };

src/browser/webapi/element/DOMStringMap.zig

@@ -136,5 +136,5 @@ pub const JsApi = struct {
         pub var class_id: bridge.ClassId = undefined;
     };
 
-    pub const @"[]" = bridge.namedIndexed(getProperty, setProperty, deleteProperty, .{ .null_as_undefined = true });
+    pub const @"[]" = bridge.namedIndexed(getProperty, setProperty, deleteProperty, .{ .null_as_undefined = true, .ce_reactions = true });
 };

src/browser/webapi/element/Html.zig

@@ -1234,21 +1234,21 @@ pub const JsApi = struct {
 
     pub const constructor = bridge.constructor(HtmlElement.construct, .{ .new_target = true });
 
-    pub const innerText = bridge.accessor(_innerText, HtmlElement.setInnerText, .{});
+    pub const innerText = bridge.accessor(_innerText, HtmlElement.setInnerText, .{ .ce_reactions = true });
     fn _innerText(self: *HtmlElement, frame: *const Frame) ![]const u8 {
         var buf = std.Io.Writer.Allocating.init(frame.call_arena);
         try self.getInnerText(&buf.writer);
         return buf.written();
     }
-    pub const insertAdjacentHTML = bridge.function(HtmlElement.insertAdjacentHTML, .{ .dom_exception = true });
+    pub const insertAdjacentHTML = bridge.function(HtmlElement.insertAdjacentHTML, .{ .dom_exception = true, .ce_reactions = true });
     pub const click = bridge.function(HtmlElement.click, .{});
 
-    pub const dir = bridge.accessor(HtmlElement.getDir, HtmlElement.setDir, .{});
-    pub const hidden = bridge.accessor(HtmlElement.getHidden, HtmlElement.setHidden, .{});
+    pub const dir = bridge.accessor(HtmlElement.getDir, HtmlElement.setDir, .{ .ce_reactions = true });
+    pub const hidden = bridge.accessor(HtmlElement.getHidden, HtmlElement.setHidden, .{ .ce_reactions = true });
     pub const isContentEditable = bridge.accessor(HtmlElement.getIsContentEditable, null, .{});
-    pub const lang = bridge.accessor(HtmlElement.getLang, HtmlElement.setLang, .{});
-    pub const tabIndex = bridge.accessor(HtmlElement.getTabIndex, HtmlElement.setTabIndex, .{});
-    pub const title = bridge.accessor(HtmlElement.getTitle, HtmlElement.setTitle, .{});
+    pub const lang = bridge.accessor(HtmlElement.getLang, HtmlElement.setLang, .{ .ce_reactions = true });
+    pub const tabIndex = bridge.accessor(HtmlElement.getTabIndex, HtmlElement.setTabIndex, .{ .ce_reactions = true });
+    pub const title = bridge.accessor(HtmlElement.getTitle, HtmlElement.setTitle, .{ .ce_reactions = true });
 
     pub const onabort = bridge.accessor(HtmlElement.getOnAbort, HtmlElement.setOnAbort, .{});
     pub const onanimationcancel = bridge.accessor(HtmlElement.getOnAnimationCancel, HtmlElement.setOnAnimationCancel, .{});