fix: harden FFI lifetime safety

Author: DjDeveloperr

NativeScript/ffi/hermes/NativeApiJsi.mm

@@ -305,6 +305,7 @@ Function CreateNativeApiSelectorGroupFunctionImpl(
        cachedDispatchClass = Class(Nil)](
           Runtime& runtime, const Value& thisValue, const Value* args,
           size_t count) mutable -> Value {
+        NativeApiRoundTripCacheFrameGuard roundTripFrame(bridge);
         if (count >= selectors->size() ||
             (*selectors)[count].selectorName.empty()) {
           throw JSError(runtime,

NativeScript/ffi/jsc/NativeApiJSC.mm

@@ -1065,6 +1065,7 @@ JSValueRef NativeApiSelectorGroupCall(
 
   Runtime& runtime = data->runtime;
   try {
+    NativeApiRoundTripCacheFrameGuard roundTripFrame(data->bridge);
     if (argumentCount >= data->selectors->size() ||
         (*data->selectors)[argumentCount].selectorName.empty()) {
       throw JSError(runtime,

NativeScript/ffi/quickjs/NativeApiQuickJS.mm

@@ -1171,6 +1171,7 @@ JSValue NativeApiSelectorGroupCall(JSContext* context, JSValue thisValue,
 
   Runtime& runtime = data->runtime;
   try {
+    NativeApiRoundTripCacheFrameGuard roundTripFrame(data->bridge);
     size_t count = argc > 0 ? static_cast<size_t>(argc) : 0;
     if (count >= data->selectors->size() ||
         (*data->selectors)[count].selectorName.empty()) {

NativeScript/ffi/shared/NativeApiBackendConfig.h

@@ -21,6 +21,7 @@ struct NativeApiBackendConfig {
   std::function<void(std::function<void()>)> nativeInvocationInvoker = nullptr;
   std::function<void(std::function<void()>)> nativeCallbackInvoker = nullptr;
   std::function<void(std::function<void()>)> jsThreadCallbackInvoker = nullptr;
+  std::function<void(std::function<void()>)> jsThreadAsyncCallbackInvoker = nullptr;
   bool invokeCallbacksOnNativeCallerThread = false;
   bool installGlobalSymbols = false;
 };

NativeScript/ffi/shared/bridge/Callbacks.mm

@@ -555,13 +555,17 @@ bool releaseBlockCopy(const void* blockPointer) {
       }
     };
 
-    if (bridge == nullptr ||
-        std::this_thread::get_id() == bridge->jsThreadId()) {
+    if (bridge == nullptr) {
       releaseOnJS();
-    } else if (const auto& invoker = bridge->jsThreadCallbackInvoker()) {
-      invoker(std::move(releaseOnJS));
+    } else if (const auto& asyncInvoker =
+                   bridge->jsThreadAsyncCallbackInvoker()) {
+      asyncInvoker(std::move(releaseOnJS));
     } else if (auto scheduler = bridge->scheduler()) {
       scheduler->invokeOnJS(std::move(releaseOnJS));
+    } else if (std::this_thread::get_id() == bridge->jsThreadId()) {
+      releaseOnJS();
+    } else if (const auto& invoker = bridge->jsThreadCallbackInvoker()) {
+      invoker(std::move(releaseOnJS));
     } else {
       releaseOnJS();
     }
@@ -660,6 +664,43 @@ void invoke(void* ret, void* args[]) {
     bool waitForNativeThreadCallback =
         currentThreadIsJs && nativeCallbackInvoker &&
         gActiveNativeThreadEngineCallbacks.load(std::memory_order_acquire) > 0;
+    auto dispatchZeroArgVoidBlockAsync = [&]() -> bool {
+      if (currentThreadIsJs || !returnsVoid || !block_ ||
+          !signature_->argumentTypes.empty()) {
+        return false;
+      }
+
+      std::shared_ptr<NativeApiCallback> keepAlive;
+      try {
+        keepAlive = shared_from_this();
+      } catch (const std::bad_weak_ptr&) {
+        return false;
+      }
+
+      auto asyncCall = [keepAlive = std::move(keepAlive)]() mutable {
+        std::string asyncError;
+        keepAlive->invokeOnCurrentThread(nullptr, nullptr, &asyncError);
+        if (!asyncError.empty()) {
+          recordNativeCallbackException(asyncError);
+        }
+      };
+
+      const auto& asyncInvoker = bridge_->jsThreadAsyncCallbackInvoker();
+      if (asyncInvoker) {
+        asyncInvoker(std::move(asyncCall));
+        return true;
+      }
+      if (auto scheduler = bridge_->scheduler()) {
+        scheduler->invokeOnJS(std::move(asyncCall));
+        return true;
+      }
+      return false;
+    };
+
+    if (dispatchZeroArgVoidBlockAsync()) {
+      return;
+    }
+
     if (direct && !waitForNativeThreadCallback) {
       if (nativeCallerThreadCallback) {
         callOnNativeCallerThread();
@@ -745,7 +786,8 @@ void invokeOnCurrentThread(void* ret, void* args[], std::string* error) {
                                   static_cast<size_t>(jsArgs.size()));
       }
       storeReturnValue(result, ret);
-      if (std::this_thread::get_id() == bridge_->jsThreadId()) {
+      if (std::this_thread::get_id() == bridge_->jsThreadId() &&
+          gSynchronousNativeInvocationDepth == 0) {
         runtime_->drainMicrotasks();
       }
     } catch (const std::exception& exception) {

NativeScript/ffi/shared/bridge/HostObject.mm

@@ -433,8 +433,9 @@ throw JSError(runtime,
                                            "CC_SHA256 is not available.");
             }
             NativeApiArgumentFrame frame(3);
-            void* data = pointerFromEngineValue(runtime, args[0], frame);
-            void* output = pointerFromEngineValue(runtime, args[2], frame);
+            void* data = pointerFromEngineValue(runtime, bridge, args[0], frame);
+            void* output =
+                pointerFromEngineValue(runtime, bridge, args[2], frame);
             using CC_SHA256_Fn = unsigned char* (*)(const void*, unsigned long,
                                                     unsigned char*);
             auto fn = reinterpret_cast<CC_SHA256_Fn>(symbol);

NativeScript/ffi/shared/bridge/HostObjects.mm

@@ -49,11 +49,13 @@ void setObject(id object) {
  public:
   NativeApiPointerHostObject(std::shared_ptr<NativeApiBridge> bridge,
                              void* pointer, std::string kind = "pointer",
-                             bool adopted = false)
+                             bool adopted = false,
+                             std::shared_ptr<Value> backingValue = nullptr)
       : bridge_(std::move(bridge)),
         pointer_(pointer),
         kind_(std::move(kind)),
-        adopted_(adopted) {}
+        adopted_(adopted),
+        backingValue_(std::move(backingValue)) {}
 
   ~NativeApiPointerHostObject() override {
     if (adopted_ && pointer_ != nullptr) {
@@ -66,6 +68,10 @@ void setObject(id object) {
   }
 
   void* pointer() const { return pointer_; }
+  std::shared_ptr<Value> backingValue() const { return backingValue_; }
+  void setBackingValue(Runtime& runtime, const Value& value) {
+    backingValue_ = std::make_shared<Value>(runtime, value);
+  }
   bool adopted() const { return adopted_; }
   void adopt() { adopted_ = true; }
   void clearWithoutFree() {
@@ -74,6 +80,7 @@ void clearWithoutFree() {
     }
     pointer_ = nullptr;
     adopted_ = false;
+    backingValue_.reset();
   }
 
   Value get(Runtime& runtime, const PropNameID& name) override {
@@ -102,6 +109,7 @@ Value get(Runtime& runtime, const PropNameID& name) override {
             self->consumed_ = true;
             self->pointer_ = nullptr;
             self->adopted_ = false;
+            self->backingValue_.reset();
             return makeNativeObjectValue(runtime, self->bridge_, object, retained);
           });
     }
@@ -204,6 +212,7 @@ Value get(Runtime& runtime, const PropNameID& name) override {
   std::string kind_;
   bool adopted_ = false;
   bool consumed_ = false;
+  std::shared_ptr<Value> backingValue_;
 };
 
 class NativeApiReferenceHostObject final : public HostObject {
@@ -230,6 +239,7 @@ Value get(Runtime& runtime, const PropNameID& name) override {
 
   void* data() const { return data_; }
   const NativeApiType& type() const { return type_; }
+  std::shared_ptr<Value> backingValue() const { return backingValue_; }
   void ensureStorage(Runtime& runtime, NativeApiType type,
                      NativeApiArgumentFrame& frame, size_t elements = 1);
 
@@ -640,6 +650,10 @@ Array runtimeMembersArray(Runtime& runtime, Class cls, bool staticMembers) {
   }
 
   ~NativeApiObjectHostObject() override {
+    if (bridge_ != nullptr && object_ != nil) {
+      bridge_->forgetRoundTripValue(object_);
+      bridge_->forgetObjectExpandos(object_);
+    }
     if (lifetimeState_ != nullptr) {
       lifetimeState_->clear();
     }
@@ -666,6 +680,10 @@ void storeOwnExpando(Runtime& runtime, const std::string& property,
 
   void disownObject(id expected) {
     if (object_ == expected) {
+      if (bridge_ != nullptr && expected != nil) {
+        bridge_->forgetRoundTripValue(expected);
+        bridge_->forgetObjectExpandos(expected);
+      }
       ownsObject_ = false;
       object_ = nil;
       if (lifetimeState_ != nullptr) {
@@ -906,7 +924,8 @@ Value resolveEnginePrototypeGetter(Runtime& runtime,
         Value getterValue = descriptor.getProperty(runtime, "get");
         if (getterValue.isObject() &&
             getterValue.asObject(runtime).isFunction(runtime)) {
-          Value thisValue = bridge_->findRoundTripValue(runtime, object_);
+          Value thisValue = bridge_->findRoundTripValue(runtime, object_,
+                                                        nullptr, true);
           if (thisValue.isObject()) {
             *found = true;
             return getterValue.asObject(runtime).asFunction(runtime).callWithThis(
@@ -964,7 +983,8 @@ bool invokeEnginePrototypeSetter(Runtime& runtime, const std::string& property,
             descriptorValue.asObject(runtime).getProperty(runtime, "set");
         if (setterValue.isObject() &&
             setterValue.asObject(runtime).isFunction(runtime)) {
-          Value thisValue = bridge_->findRoundTripValue(runtime, object_);
+          Value thisValue = bridge_->findRoundTripValue(runtime, object_,
+                                                        nullptr, true);
           if (thisValue.isObject()) {
             Value args[] = {Value(runtime, value)};
             setterValue.asObject(runtime).asFunction(runtime).callWithThis(
@@ -1145,7 +1165,7 @@ Value get(Runtime& runtime, const PropNameID& name) override {
               return self->callObjectSelector(runtime, selectorName, nullptr,
                                               args + 1, count - 1);
             }
-              return callObjCSelector(runtime, bridge, object, false, selectorName,
+            return callObjCSelector(runtime, bridge, object, false, selectorName,
                                     nullptr, args + 1, count - 1);
           });
     }
@@ -1162,19 +1182,30 @@ Value get(Runtime& runtime, const PropNameID& name) override {
             }
 
             id object = self->object_;
+            bool ownsObject = self->ownsObject_;
             if (self->bridge_ != nullptr) {
               self->bridge_->forgetRoundTripValue(runtime, object);
-            }
-            if (self->ownsObject_) {
-              [object release];
+              self->bridge_->forgetObjectExpandos(object);
             }
             self->object_ = nil;
             self->ownsObject_ = false;
             if (self->lifetimeState_ != nullptr) {
               self->lifetimeState_->clear();
             }
             self->consumed_ = true;
-            return makeNativeObjectValue(runtime, self->bridge_, object, retained);
+            try {
+              Value result =
+                  makeNativeObjectValue(runtime, self->bridge_, object, retained);
+              if (!retained && ownsObject) {
+                [object release];
+              }
+              return result;
+            } catch (...) {
+              if (!retained && ownsObject) {
+                [object release];
+              }
+              throw;
+            }
           });
     }
     if (property == "toString") {
@@ -1183,7 +1214,7 @@ Value get(Runtime& runtime, const PropNameID& name) override {
           runtime, PropNameID::forAscii(runtime, "toString"), 0,
           [object](Runtime& runtime, const Value&, const Value*, size_t) -> Value {
             return NativeApiObjectHostObject::descriptionString(runtime, object);
-              });
+          });
     }
     if (property == "description") {
       return descriptionString(runtime, object_);
@@ -1611,16 +1642,38 @@ throw JSError(
               } else if (args[0].isObject()) {
                 Object object = args[0].asObject(runtime);
                 if (object.isHostObject<NativeApiPointerHostObject>(runtime)) {
-                  pointer = object
-                                .getHostObject<NativeApiPointerHostObject>(
-                                    runtime)
-                                ->pointer();
+                  auto pointerHost =
+                      object.getHostObject<NativeApiPointerHostObject>(
+                          runtime);
+                  pointer = pointerHost->pointer();
+                  if (pointerHost->backingValue() != nullptr) {
+                    Value backingValue(runtime, *pointerHost->backingValue());
+                    id backingObject =
+                        NativeApiObjectHostObject::nativeObjectFromValue(
+                            runtime, backingValue);
+                    if (backingObject == static_cast<id>(pointer) &&
+                        backingObject != nil &&
+                        [backingObject isKindOfClass:cls]) {
+                      return backingValue;
+                    }
+                  }
                 } else if (object.isHostObject<NativeApiReferenceHostObject>(
                                runtime)) {
-                  pointer = object
-                                .getHostObject<NativeApiReferenceHostObject>(
-                                    runtime)
-                                ->data();
+                  auto referenceHost =
+                      object.getHostObject<NativeApiReferenceHostObject>(
+                          runtime);
+                  pointer = referenceHost->data();
+                  if (referenceHost->backingValue() != nullptr) {
+                    Value backingValue(runtime, *referenceHost->backingValue());
+                    id backingObject =
+                        NativeApiObjectHostObject::nativeObjectFromValue(
+                            runtime, backingValue);
+                    if (backingObject == static_cast<id>(pointer) &&
+                        backingObject != nil &&
+                        [backingObject isKindOfClass:cls]) {
+                      return backingValue;
+                    }
+                  }
                 } else if (object.isHostObject<NativeApiObjectHostObject>(
                                runtime)) {
                   pointer = object
@@ -1782,15 +1835,15 @@ Value makeNativeObjectValue(Runtime& runtime,
     return Value::null();
   }
 
-  Value cached = bridge->findRoundTripValue(runtime, object);
+  Value cached = bridge->findRoundTripValue(runtime, object, nullptr, true);
   if (!cached.isUndefined()) {
     // A consumed wrapper (e.g. an alloc'd placeholder singleton already passed
     // to an initializer) must not be reused: drop the stale entry and re-wrap.
     auto cachedHost =
         cached.isObject()
             ? cached.asObject(runtime).getHostObject<NativeApiObjectHostObject>(runtime)
             : nullptr;
-    if (cachedHost == nullptr || cachedHost->object() != nil) {
+    if (cachedHost != nullptr && cachedHost->object() != nil) {
       if (ownsObject) {
         [object release];
       }
@@ -1816,7 +1869,7 @@ Value makeNativeObjectValue(Runtime& runtime,
     Object prototype = prototypeValue.asObject(runtime);
     SetNativeApiObjectPrototype(runtime, result, prototype);
   }
-  bridge->rememberRoundTripValue(
+  bridge->rememberScopedRoundTripValue(
       runtime, object, Value(runtime, result),
       nativeObjectIsStringLike(object));
   return result;

NativeScript/ffi/shared/bridge/Invocation.mm

@@ -404,6 +404,7 @@ Value callCFunction(Runtime& runtime,
   if (prepared == nullptr) {
     throw JSError(runtime, "Native function state is unavailable.");
   }
+  NativeApiRoundTripCacheFrameGuard roundTripFrame(bridge);
 
   MDMetadataReader* metadata = bridge->metadata();
   if (metadata == nullptr) {
@@ -1535,6 +1536,7 @@ Value callPreparedObjCSelector(
     throw JSError(runtime,
                   "Cannot send Objective-C selector to nil.");
   }
+  NativeApiRoundTripCacheFrameGuard roundTripFrame(bridge);
 
   const NativeApiSignature& signature = prepared.signature;
   Value fastResult;
@@ -1661,6 +1663,7 @@ Value callObjCSelector(Runtime& runtime,
     throw JSError(runtime,
                                  "Cannot send Objective-C selector to nil.");
   }
+  NativeApiRoundTripCacheFrameGuard roundTripFrame(bridge);
 
   SEL selector = sel_registerName(selectorName.c_str());
   Class receiverClass =