Add unit test for RuntimeExecutor post-shutdown safety (#56995)

Summary:
Pull Request resolved: #56995

The `RuntimeExecutor` returned by `ReactInstance::getBufferedRuntimeExecutor()` is designed to be safe to hold past the lifetime of the `ReactInstance` itself — callers may schedule work on it after shutdown without crashing, and any pending callbacks must be dropped rather than surfaced on the JS queue.

This contract relies on `weak_ptr` captures inside the executor closure and inside the base closure in the `ReactInstance` constructor. Today nothing tests it directly — coverage is incidental through `ReactInstanceTest` happy-path cases — so a future refactor that swaps a `weak_ptr` capture for a `shared_ptr` (keeping the runtime alive) or a raw pointer (introducing UAF) could silently regress.

Adds three focused regression tests covering:

- Calling the held executor after `ReactInstance` destruction drops the callback (no queuing, no execution).
- Repeated post-shutdown invocations remain memory-safe.
- Work buffered in `BufferedRuntimeExecutor` before shutdown is dropped, never surfaced on the JS queue.

The new test file lands under the existing `tests` target's `glob(["tests/**/*.cpp"])`, so no BUCK changes are needed.

Note: this test deliberately targets the buffered API only. `getUnbufferedRuntimeExecutor()` captures `runtimeScheduler_.get()` as a raw pointer and is not safe to hold past shutdown by design — a separate concern, out of scope here.

Changelog:
[Internal]

___

Differential Revision: D106783789

fbshipit-source-id: d28f07d9c79daf8596415686f17e6352c34dfb29

Author: javache

packages/react-native/ReactCommon/react/runtime/tests/cxx/ReactInstanceTest.cpp

@@ -26,9 +26,9 @@ namespace facebook::react {
 
 class MockTimerRegistry : public PlatformTimerRegistry {
  public:
-  MOCK_METHOD2(createTimer, void(uint32_t, double));
-  MOCK_METHOD2(createRecurringTimer, void(uint32_t, double));
-  MOCK_METHOD1(deleteTimer, void(uint32_t));
+  MOCK_METHOD(void, createTimer, (uint32_t, double), (override));
+  MOCK_METHOD(void, createRecurringTimer, (uint32_t, double), (override));
+  MOCK_METHOD(void, deleteTimer, (uint32_t), (override));
 };
 
 class MockMessageQueueThread : public MessageQueueThread {

packages/react-native/ReactCommon/react/runtime/tests/cxx/RuntimeExecutorShutdownTest.cpp

@@ -0,0 +1,149 @@
+/*
+ * Copyright (c) Meta Platforms, Inc. and affiliates.
+ *
+ * This source code is licensed under the MIT license found in the
+ * LICENSE file in the root directory of this source tree.
+ */
+
+#include <memory>
+#include <queue>
+#include <utility>
+
+#include <gmock/gmock.h>
+#include <gtest/gtest.h>
+
+#include <ReactCommon/RuntimeExecutor.h>
+#include <hermes/hermes.h>
+#include <jserrorhandler/JsErrorHandler.h>
+#include <jsi/jsi.h>
+#include <react/runtime/ReactInstance.h>
+
+namespace facebook::react {
+
+namespace {
+
+class MockTimerRegistry : public PlatformTimerRegistry {
+ public:
+  MOCK_METHOD(void, createTimer, (uint32_t, double), (override));
+  MOCK_METHOD(void, createRecurringTimer, (uint32_t, double), (override));
+  MOCK_METHOD(void, deleteTimer, (uint32_t), (override));
+};
+
+class MockMessageQueueThread : public MessageQueueThread {
+ public:
+  void runOnQueue(std::function<void()>&& func) override {
+    callbackQueue_.push(std::move(func));
+  }
+
+  void runOnQueueSync(std::function<void()>&& /*unused*/) override {}
+  void quitSynchronous() override {}
+
+  void tick() {
+    while (!callbackQueue_.empty()) {
+      auto callback = std::move(callbackQueue_.front());
+      callbackQueue_.pop();
+      callback();
+    }
+  }
+
+  size_t size() const {
+    return callbackQueue_.size();
+  }
+
+ private:
+  std::queue<std::function<void()>> callbackQueue_;
+};
+
+} // namespace
+
+class RuntimeExecutorShutdownTest : public ::testing::Test {
+ protected:
+  void SetUp() override {
+    auto runtime =
+        std::make_unique<JSIRuntimeHolder>(hermes::makeHermesRuntime());
+    messageQueueThread_ = std::make_shared<MockMessageQueueThread>();
+    auto mockRegistry = std::make_unique<MockTimerRegistry>();
+    auto timerManager = std::make_shared<TimerManager>(std::move(mockRegistry));
+    auto onJsError =
+        [](jsi::Runtime& /*runtime*/,
+           const JsErrorHandler::ProcessedError& /*error*/) noexcept {};
+
+    instance_ = std::make_unique<ReactInstance>(
+        std::move(runtime),
+        messageQueueThread_,
+        timerManager,
+        std::move(onJsError));
+  }
+
+  std::shared_ptr<MockMessageQueueThread> messageQueueThread_;
+  std::unique_ptr<ReactInstance> instance_;
+};
+
+// Calling a held RuntimeExecutor after ReactInstance has been destroyed
+// must silently drop the callback. Use a shared_ptr captured into the
+// callback to also prove the callback itself is destroyed (not retained
+// somewhere indefinitely).
+TEST_F(
+    RuntimeExecutorShutdownTest,
+    heldExecutorCallAfterShutdownDropsCallback) {
+  RuntimeExecutor executor = instance_->getBufferedRuntimeExecutor();
+
+  instance_.reset();
+
+  auto tracker = std::make_shared<int>(0);
+  std::weak_ptr<int> weakTracker = tracker;
+  executor([tracker = std::move(tracker)](jsi::Runtime& /*runtime*/) {
+    FAIL() << "Callback should never run after shutdown";
+  });
+
+  EXPECT_EQ(messageQueueThread_->size(), 0u);
+  EXPECT_TRUE(weakTracker.expired())
+      << "Rejected callback (and its captures) should be destroyed";
+  messageQueueThread_->tick();
+}
+
+// Repeated post-shutdown invocations must remain memory-safe. This guards
+// against future refactors that swap the weak_ptr capture for a raw pointer
+// or shared_ptr.
+TEST_F(RuntimeExecutorShutdownTest, heldExecutorCallAfterShutdownDoesNotCrash) {
+  RuntimeExecutor executor = instance_->getBufferedRuntimeExecutor();
+
+  instance_.reset();
+
+  for (int i = 0; i < 100; ++i) {
+    executor([](jsi::Runtime& /*runtime*/) {
+      FAIL() << "Callback should never run after shutdown";
+    });
+  }
+  messageQueueThread_->tick();
+}
+
+// Work scheduled through the buffered executor sits in the internal buffer
+// until flush() (which only happens via loadScript). If the ReactInstance
+// is destroyed before flush, the buffered work must be dropped — never
+// surfaced on the JS queue and never retained past instance destruction.
+// A shared_ptr captured into the callback, watched via weak_ptr from
+// outside, proves the buffered queue actually releases its contents.
+TEST_F(
+    RuntimeExecutorShutdownTest,
+    pendingCallbackShutdownBeforeTickDropsCallback) {
+  RuntimeExecutor executor = instance_->getBufferedRuntimeExecutor();
+
+  auto tracker = std::make_shared<int>(0);
+  std::weak_ptr<int> weakTracker = tracker;
+  executor([tracker = std::move(tracker)](jsi::Runtime& /*runtime*/) {
+    FAIL() << "Buffered callback should never run after shutdown";
+  });
+
+  EXPECT_EQ(messageQueueThread_->size(), 0u);
+  EXPECT_FALSE(weakTracker.expired())
+      << "Callback should still be alive in BufferedRuntimeExecutor's queue";
+
+  instance_.reset();
+
+  EXPECT_TRUE(weakTracker.expired())
+      << "Buffered callback should be destroyed when ReactInstance is";
+  messageQueueThread_->tick();
+}
+
+} // namespace facebook::react