Fix unsafe JSI access in UIManagerBinding::startViewTransition onReadyCallback

Summary:
onReadyCallback captured jsi::Runtime& by reference but could be called from a non-JS thread by the view transition delegate. Route it through runtimeExecutor_ (matching the existing onCompleteCallback pattern). Document the threading contract on UIManagerViewTransitionDelegate::startViewTransition.

Changelog: [Internal]

Differential Revision: D98717252

Author: javache

packages/react-native/ReactCommon/react/renderer/uimanager/UIManagerBinding.cpp

@@ -1064,10 +1064,8 @@ jsi::Value UIManagerBinding::get(
           auto promiseConstructor =
               runtime.global().getPropertyAsFunction(runtime, "Promise");
 
-          auto readyResolveFunc =
-              std::make_shared<std::shared_ptr<jsi::Function>>();
-          auto finishedResolveFunc =
-              std::make_shared<std::shared_ptr<jsi::Function>>();
+          std::shared_ptr<jsi::Function> readyResolveFunc;
+          std::shared_ptr<jsi::Function> finishedResolveFunc;
 
           auto mutationFunc = std::make_shared<jsi::Function>(
               arguments[0].asObject(runtime).asFunction(runtime));
@@ -1078,14 +1076,13 @@ jsi::Value UIManagerBinding::get(
                   runtime,
                   jsi::PropNameID::forAscii(runtime, "readyExecutor"),
                   2,
-                  [readyResolveFunc](
+                  [&readyResolveFunc](
                       jsi::Runtime& runtime,
                       const jsi::Value& /*thisValue*/,
                       const jsi::Value* args,
                       size_t /*count*/) -> jsi::Value {
-                    auto onReadyFunc = std::make_shared<jsi::Function>(
+                    readyResolveFunc = std::make_shared<jsi::Function>(
                         args[0].asObject(runtime).asFunction(runtime));
-                    *readyResolveFunc = onReadyFunc;
                     return jsi::Value::undefined();
                   }));
 
@@ -1095,19 +1092,21 @@ jsi::Value UIManagerBinding::get(
                   runtime,
                   jsi::PropNameID::forAscii(runtime, "finishedExecutor"),
                   2,
-                  [finishedResolveFunc, viewTransitionDelegate](
+                  [&finishedResolveFunc, viewTransitionDelegate](
                       jsi::Runtime& rt,
                       const jsi::Value& /*thisValue*/,
                       const jsi::Value* args,
-                      size_t /*count*/) -> jsi::Value {
+                      size_t /*count*/) mutable -> jsi::Value {
                     auto onCompleteFunc = std::make_shared<jsi::Function>(
                         args[0].asObject(rt).asFunction(rt));
-                    *finishedResolveFunc = std::make_shared<jsi::Function>(
+                    finishedResolveFunc = std::make_shared<jsi::Function>(
                         jsi::Function::createFromHostFunction(
                             rt,
                             jsi::PropNameID::forAscii(rt, "finishedResolve"),
                             0,
-                            [onCompleteFunc, viewTransitionDelegate](
+                            [onCompleteFunc = std::move(onCompleteFunc),
+                             viewTransitionDelegate =
+                                 std::move(viewTransitionDelegate)](
                                 jsi::Runtime& runtime,
                                 const jsi::Value& /*thisValue*/,
                                 const jsi::Value* /*args*/,
@@ -1125,20 +1124,28 @@ jsi::Value UIManagerBinding::get(
 
           viewTransitionDelegate->startViewTransition(
               [&runtime, mutationFunc = std::move(mutationFunc)]() {
+                // mutationCallback is called synchronously by the
+                // delegate during startViewTransition, so &runtime is
+                // valid (it comes from the enclosing host function).
                 mutationFunc->call(runtime);
               },
-              [readyResolveFunc = std::move(readyResolveFunc), &runtime]() {
-                if (*readyResolveFunc) {
-                  (*readyResolveFunc)->call(runtime);
-                }
+              [readyResolveFunc = std::move(readyResolveFunc),
+               runtimeExecutor = uiManager->runtimeExecutor_]() mutable {
+                runtimeExecutor(
+                    [readyResolveFunc = std::move(readyResolveFunc)](
+                        jsi::Runtime& rt) mutable {
+                      if (readyResolveFunc) {
+                        readyResolveFunc->call(rt);
+                      }
+                    });
               },
               [finishedResolveFunc = std::move(finishedResolveFunc),
-               uiManager]() {
-                uiManager->runtimeExecutor_(
+               runtimeExecutor = uiManager->runtimeExecutor_]() {
+                runtimeExecutor(
                     [finishedResolveFunc = std::move(finishedResolveFunc)](
                         jsi::Runtime& rt) mutable {
-                      if (*finishedResolveFunc) {
-                        (*finishedResolveFunc)->call(rt);
+                      if (finishedResolveFunc) {
+                        finishedResolveFunc->call(rt);
                       }
                     });
               });

packages/react-native/ReactCommon/react/renderer/uimanager/UIManagerViewTransitionDelegate.h

@@ -27,6 +27,11 @@ class UIManagerViewTransitionDelegate {
 
   virtual void restoreViewTransitionName(const ShadowNode &shadowNode) {}
 
+  /*
+   * Start a view transition. mutationCallback MUST be called synchronously
+   * on the JS thread before this method returns. onReadyCallback and
+   * onCompleteCallback may be called from any thread.
+   */
   virtual void startViewTransition(
       std::function<void()> mutationCallback,
       std::function<void()> onReadyCallback,