Add unstable_recreateSchedulerDelegate hook for lifecycle tests

fkgozali · facebook-github-bot · commit 74981345f673 · 2026-05-04T19:36:22.000-07:00
Summary:
Adds a Fantom-only escape hatch that mirrors the iOS RCTScheduler dealloc lifecycle: detach the host's current SchedulerDelegate from the Scheduler and destroy it, then install a fresh one — all while the RuntimeScheduler (and any queued rendering-update lambdas) remains alive. This is exactly the production sequence in `RCTScheduler.mm` (`setDelegate(nullptr)` followed by destruction of the previous SchedulerDelegateProxy) that the host-level Scheduler in Fantom does not otherwise reproduce — surfaces come and go, but the SchedulerDelegate normally lives for the entire test process.

Without this hook, Fantom tests cannot exercise SchedulerDelegate-lifecycle bugs (e.g. queued lambdas that captured a raw delegate pointer by value). With it, a test can:

```js
dispatchCommand(element, 'someCommand', []);
Fantom.unstable_recreateSchedulerDelegate();
Fantom.runWorkLoop();
```

and observe a SIGSEGV when the queued lambda dereferences the previous delegate's freed storage.

Implementation notes:
- `ReactHost::unstable_recreateSchedulerDelegateForTesting()` allocates the replacement delegate **before** destroying the old one, to ensure the new SchedulerDelegate lands at a distinct heap address. Without this, malloc tends to reuse the just-freed slot, masking the use-after-free behind a same-address re-allocation.
- Surface area is hidden behind the `unstable_` prefix and an explicit ForTesting suffix on the underlying ReactHost method to discourage product use.

Changelog:
[Internal]

Reviewed By: mdvacca

Differential Revision: D103744935
diff --git a/packages/react-native/ReactCxxPlatform/react/runtime/ReactHost.cpp b/packages/react-native/ReactCxxPlatform/react/runtime/ReactHost.cpp
@@ -320,6 +320,26 @@ void ReactHost::destroyReactInstance() {
   reactInstanceData_->messageQueueThread = nullptr;
 }
 
+void ReactHost::unstable_recreateSchedulerDelegateForTesting() {
+  // Mirrors iOS RCTScheduler dealloc ordering (RCTScheduler.mm: setDelegate
+  // (nullptr) followed by destruction of the previous SchedulerDelegateProxy,
+  // while the RuntimeScheduler outlives both). The RuntimeScheduler may still
+  // hold queued rendering-update lambdas that captured the previous
+  // delegate's raw pointer by value.
+  //
+  // Allocate the replacement BEFORE destroying the previous one so the new
+  // SchedulerDelegate lands at a distinct address. Otherwise the allocator
+  // tends to reuse the just-freed slot, masking the use-after-free in
+  // queued lambdas behind a same-address re-allocation.
+  auto fresh = std::make_unique<SchedulerDelegateImpl>(
+      reactInstanceData_->mountingManager);
+  fresh->setUIManager(scheduler_->getUIManager());
+  scheduler_->setDelegate(nullptr);
+  schedulerDelegate_ = nullptr;
+  scheduler_->setDelegate(fresh.get());
+  schedulerDelegate_ = std::move(fresh);
+}
+
 void ReactHost::reloadReactInstance() {
   if (isReloadingReactInstance_.exchange(true)) {
     return;
diff --git a/packages/react-native/ReactCxxPlatform/react/runtime/ReactHost.h b/packages/react-native/ReactCxxPlatform/react/runtime/ReactHost.h
@@ -92,6 +92,16 @@ class ReactHost {
 
   void emitDeviceEvent(folly::dynamic &&args);
 
+  /*
+   * Test-only. Mirrors the iOS RCTScheduler dealloc lifecycle: detach the
+   * SchedulerDelegate from the Scheduler and destroy it, then install a
+   * fresh one — all while the RuntimeScheduler (and any queued rendering
+   * update lambdas) remains alive. This lets Fantom tests reproduce
+   * lifecycle bugs where a queued lambda outlived its captured raw
+   * SchedulerDelegate pointer.
+   */
+  void unstable_recreateSchedulerDelegateForTesting();
+
  private:
   void createReactInstance();
   void destroyReactInstance();
diff --git a/packages/react-native/src/private/testing/fantom/specs/NativeFantom.js b/packages/react-native/src/private/testing/fantom/specs/NativeFantom.js
@@ -110,6 +110,13 @@ interface Spec extends TurboModule {
   flushMessageQueue: () => void;
   flushEventQueue: () => void;
   produceFramesForDuration: (miliseconds: number) => void;
+  /**
+   * Test-only. Mirrors the iOS RCTScheduler dealloc lifecycle by tearing
+   * down the host's current SchedulerDelegate and installing a fresh one,
+   * while leaving the RuntimeScheduler (and any queued rendering-update
+   * lambdas) alive. Used to reproduce SchedulerDelegate-lifecycle UAFs.
+   */
+  unstable_recreateSchedulerDelegate: () => void;
   validateEmptyMessageQueue: () => void;
   getRenderedOutput: (
     surfaceId: RootTag,
diff --git a/private/react-native-fantom/src/index.js b/private/react-native-fantom/src/index.js
@@ -379,6 +379,27 @@ export function runWorkLoop(): void {
   }
 }
 
+/**
+ * Test-only. Mirrors the iOS RCTScheduler dealloc lifecycle: detach the
+ * host's current SchedulerDelegate from the Scheduler and destroy it, then
+ * install a fresh one — all while the RuntimeScheduler (and any queued
+ * rendering-update lambdas) remains alive. Used to reproduce
+ * SchedulerDelegate-lifecycle bugs (e.g. queued lambdas that captured a
+ * raw delegate pointer by value).
+ *
+ * @example
+ * ```
+ * dispatchCommand(element, 'someCommand', []);
+ * Fantom.unstable_recreateSchedulerDelegate();
+ * Fantom.runWorkLoop(); // pending lambda drains against the now-recreated
+ *                      // delegate; if it dereferences the previous one,
+ *                      // the test process crashes.
+ * ```
+ */
+export function unstable_recreateSchedulerDelegate(): void {
+  NativeFantom.unstable_recreateSchedulerDelegate();
+}
+
 /**
  * Set this flag to `false` to let Fantom run tasks with LogBox installed
  * (necessary only if you are testing LogBox specifically).
diff --git a/private/react-native-fantom/tester/src/NativeFantom.cpp b/private/react-native-fantom/tester/src/NativeFantom.cpp
@@ -14,6 +14,7 @@
 #include <react/renderer/components/modal/ModalHostViewShadowNode.h>
 #include <react/renderer/components/scrollview/ScrollViewShadowNode.h>
 #include <react/renderer/uimanager/UIManagerBinding.h>
+#include <react/runtime/ReactHost.h>
 #include <fstream>
 #include <iostream>
 
@@ -75,6 +76,11 @@ void NativeFantom::validateEmptyMessageQueue(jsi::Runtime& /*runtime*/) {
   }
 }
 
+void NativeFantom::unstable_recreateSchedulerDelegate(
+    jsi::Runtime& /*runtime*/) {
+  appDelegate_.reactHost_->unstable_recreateSchedulerDelegateForTesting();
+}
+
 std::vector<std::string> NativeFantom::takeMountingManagerLogs(
     jsi::Runtime& /*runtime*/,
     SurfaceId surfaceId) {
diff --git a/private/react-native-fantom/tester/src/NativeFantom.h b/private/react-native-fantom/tester/src/NativeFantom.h
@@ -93,6 +93,8 @@ class NativeFantom : public NativeFantomCxxSpec<NativeFantom> {
   void flushEventQueue(jsi::Runtime &runtime);
   void validateEmptyMessageQueue(jsi::Runtime &runtime);
 
+  void unstable_recreateSchedulerDelegate(jsi::Runtime &runtime);
+
   std::vector<std::string> takeMountingManagerLogs(jsi::Runtime &runtime, SurfaceId surfaceId);
 
   std::string getRenderedOutput(
