From 00725fadff28bb3c7fed65f208e647f0dab69e75 Mon Sep 17 00:00:00 2001
From: Tomislav Novak
Date: Mon, 25 Mar 2024 17:07:53 -0700
Subject: [PATCH] Fix use-after-free in AsyncEventBeat (#43618)
Summary:
Pull Request resolved: https://github.com/facebook/react-native/pull/43618
Both common and Android implementations of AsyncEventBeat use weak_ptrs to determine if the object is still valid before invoking the callback. Move the write to `isBeatCallbackScheduled_` down so it's protected by that same check.
Changelog: [Internal]
Reviewed By: javache, NickGerleman
Differential Revision: D55226529
fbshipit-source-id: 9e2a34369346d11dcea69d120dfa5935320f9ba1
---
 .../ReactAndroid/src/main/jni/react/fabric/AsyncEventBeat.cpp | 2 +-
 .../react/renderer/scheduler/AsynchronousEventBeat.cpp | 3 +--
 2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/packages/react-native/ReactAndroid/src/main/jni/react/fabric/AsyncEventBeat.cpp b/packages/react-native/ReactAndroid/src/main/jni/react/fabric/AsyncEventBeat.cpp
index 62eab4858fb..4160e35da17 100644
--- a/packages/react-native/ReactAndroid/src/main/jni/react/fabric/AsyncEventBeat.cpp
+++ b/packages/react-native/ReactAndroid/src/main/jni/react/fabric/AsyncEventBeat.cpp
@@ -38,12 +38,12 @@ void AsyncEventBeat::tick() const {
 isBeatCallbackScheduled_ = true;
 runtimeExecutor_([this, ownerBox = ownerBox_](jsi::Runtime& runtime) {
- isBeatCallbackScheduled_ = false;
 auto owner = ownerBox->owner.lock();
 if (!owner) {
 return;
 }
+ isBeatCallbackScheduled_ = false;
 if (beatCallback_) {
 beatCallback_(runtime);
 }
diff --git a/packages/react-native/ReactCommon/react/renderer/scheduler/AsynchronousEventBeat.cpp b/packages/react-native/ReactCommon/react/renderer/scheduler/AsynchronousEventBeat.cpp
index 692aaa867d2..30ab47eea42 100644
--- a/packages/react-native/ReactCommon/react/renderer/scheduler/AsynchronousEventBeat.cpp
+++ b/packages/react-native/ReactCommon/react/renderer/scheduler/AsynchronousEventBeat.cpp
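Review bot: The lambda in `AsyncEventBeat::tick()` still captures raw `this`, so every member access in it (`isBeatCallbackScheduled_`, `beatCallback_`) is safe only while the locked `owner` is held, and nothing in the code states that. That the owner's lifetime covers this object is inferred from the commit message; it is not visible in the hunk. I would add a comment directly above the lock, for example `// Do not touch members of *this until owner is locked: the beat may already be destroyed.`, so a later edit does not move a member access back above the check. The same comment belongs in the callback of `AsynchronousEventBeat::induce()` in the second file. The body of `tick()` starts and ends outside the hunk.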
@@ -43,13 +43,12 @@ void AsynchronousEventBeat::induce() const {
 isBeatCallbackScheduled_ = true;
 runtimeExecutor_([this, weakOwner](jsi::Runtime& runtime) {
- isBeatCallbackScheduled_ = false;
-
 auto owner = weakOwner.lock();
 if (!owner) {
 return;
 }
+ isBeatCallbackScheduled_ = false;
 if (beatCallback_) {
 beatCallback_(runtime);
 }
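Review bot: `isBeatCallbackScheduled_` is set to `true` in `induce()` and cleared inside the `runtimeExecutor_` callback, which presumably runs on a different thread than the caller of `induce()`; the member's declaration is not part of this diff. If it is a plain `bool`, the two writes are a data race wherever the reset sits, so please confirm it is declared as `std::atomic<bool>` or add a comment naming the thread that owns it. The same question applies to `AsyncEventBeat::tick()` in the first file. The body of `induce()` starts before and continues past the hunk.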