Fix callback vtable lifetime

arg0d · Jauler · commit f37fc2a8f9ba · 2025-09-09T10:39:06.000+03:00
Passing vtable struct via 'ref' may cause invalid memory accesses
when GC defragments the heap and may move the vtable struct address.
To prevent GC from moving vtable struct, pin vtable struct using GCHandle.

To make the change work, update 'Reference' FFI type to use 'IntPtr'
instead of 'ref'. Add some necessary casts from 'IntPtr' in callback
implementation to make the code compile (the code previously used ref
with concrete types).

Signed-off-by: Kristupas Antanavičius &lt;antanaviciuskristupas@gmail.com&gt;
diff --git a/.github/workflows/cs.yml b/.github/workflows/cs.yml
@@ -2,9 +2,9 @@ name: C#
 
 on:
   push:
-    branches: [ "main" ]
+    branches: [ "main", "main-v0.28.3" ]
   pull_request:
-    branches: [ "main" ]
+    branches: [ "main", "main-v0.28.3" ]
 
 env:
   CARGO_TERM_COLOR: always
diff --git a/bindgen/Cargo.toml b/bindgen/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "uniffi-bindgen-cs"
-version = "0.9.0+v0.28.3"
+version = "0.9.2+v0.28.3"
 edition = "2021"
 
 [lib]
@@ -28,4 +28,4 @@ toml = "0.5"
 
 uniffi_bindgen.workspace = true
 uniffi_meta.workspace = true
-uniffi_udl.workspace = true
+uniffi_udl.workspace = true
diff --git a/bindgen/src/gen_cs/mod.rs b/bindgen/src/gen_cs/mod.rs
@@ -398,7 +398,7 @@ impl CsCodeOracle {
             FfiType::RustBuffer(_) => "RustBuffer".to_string(),
             FfiType::ForeignBytes => "ForeignBytes".to_string(),
             FfiType::Callback(_) => "IntPtr".to_string(),
-            FfiType::Reference(typ) => format!("ref {}", self.ffi_type_label(typ, prefix_struct)),
+            FfiType::Reference(typ) => format!("IntPtr /*{}*/", self.ffi_type_label(typ, prefix_struct)),
             FfiType::RustCallStatus => "UniffiRustCallStatus".to_string(),
             FfiType::Struct(name) => {
                 if prefix_struct {
@@ -410,4 +410,4 @@ impl CsCodeOracle {
             FfiType::VoidPointer => "IntPtr".to_string(),
         }
     }
-}
+}
diff --git a/bindgen/templates/CallbackInterfaceImpl.cs b/bindgen/templates/CallbackInterfaceImpl.cs
@@ -22,7 +22,10 @@ class {{ callback_impl_name }} {
 
             {%- match meth.return_type() %}
             {%- when Some with (return_type) %}
-            @uniffiOutReturn = {{ return_type|ffi_converter_name }}.INSTANCE.Lower(result);
+            unsafe {
+                {%- let return_ffi_type = return_type|ffi_type %}
+                *({{ return_ffi_type|ffi_type_name }}*)uniffiOutReturn = {{ return_type|ffi_converter_name }}.INSTANCE.Lower(result);
+            }
             {%- when None %}
             {%- endmatch %}
 
@@ -109,8 +112,10 @@ class {{ callback_impl_name }} {
             }, cts.Token);
 
             var foreignHandle = _UniFFIAsync._foreign_futures_map.Insert(cts);
-            @uniffiOutReturn.@handle = foreignHandle;
-            @uniffiOutReturn.@free = Marshal.GetFunctionPointerForDelegate(_UniFFIAsync.UniffiForeignFutureFreeCallback.callback);
+            unsafe {
+                (*(_UniFFILib.UniffiForeignFuture*)uniffiOutReturn).handle = foreignHandle;
+                (*(_UniFFILib.UniffiForeignFuture*)uniffiOutReturn).free = Marshal.GetFunctionPointerForDelegate(_UniFFIAsync.UniffiForeignFutureFreeCallback.callback);;
+            }
             {%- endif %}
         } else {
             throw new InternalException($"No callback in handlemap '{handle}'");
@@ -128,16 +133,17 @@ static void UniffiFree(ulong @handle) {
     {%- endfor %}
     static _UniFFILib.UniffiCallbackInterfaceFree _callback_interface_free = new _UniFFILib.UniffiCallbackInterfaceFree(UniffiFree);
 
-    public static _UniFFILib.{{ vtable|ffi_type_name }} _vtable = new _UniFFILib.{{ vtable|ffi_type_name }} {
-        {%- for (ffi_callback, meth) in vtable_methods.iter() %}
-        {%- let fn_type = format!("_UniFFILib.{}Method", callback_impl_name) %}
-        {{ meth.name()|var_name() }} = Marshal.GetFunctionPointerForDelegate(_m{{ loop.index0 }}),
-        {%- endfor %}
-        @uniffiFree = Marshal.GetFunctionPointerForDelegate(_callback_interface_free)
-    };
-
     public static void Register() {
-        _UniFFILib.{{ ffi_init_callback.name() }}(ref {{ callback_impl_name }}._vtable);
+        _UniFFILib.{{ vtable|ffi_type_name }} _vtable = new _UniFFILib.{{ vtable|ffi_type_name }} {
+            {%- for (ffi_callback, meth) in vtable_methods.iter() %}
+            {%- let fn_type = format!("_UniFFILib.{}Method", callback_impl_name) %}
+            {{ meth.name()|var_name() }} = Marshal.GetFunctionPointerForDelegate(_m{{ loop.index0 }}),
+            {%- endfor %}
+            @uniffiFree = Marshal.GetFunctionPointerForDelegate(_callback_interface_free)
+        };
+
+        // Pin vtable to ensure GC does not move the vtable across the heap
+        _UniFFILib.{{ ffi_init_callback.name() }}(GCHandle.Alloc(_vtable, GCHandleType.Pinned).AddrOfPinnedObject());
     }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -398,7 +398,7 @@ impl CsCodeOracle {`
`398`	`398`	`FfiType::RustBuffer(_) => "RustBuffer".to_string(),`
`399`	`399`	`FfiType::ForeignBytes => "ForeignBytes".to_string(),`
`400`	`400`	`FfiType::Callback(_) => "IntPtr".to_string(),`
`401`		`- FfiType::Reference(typ) => format!("ref {}", self.ffi_type_label(typ, prefix_struct)),`
	`401`	`+ FfiType::Reference(typ) => format!("IntPtr /{}/", self.ffi_type_label(typ, prefix_struct)),`
`402`	`402`	`FfiType::RustCallStatus => "UniffiRustCallStatus".to_string(),`
`403`	`403`	`FfiType::Struct(name) => {`
`404`	`404`	`if prefix_struct {`
`@@ -410,4 +410,4 @@ impl CsCodeOracle {`
`410`	`410`	`FfiType::VoidPointer => "IntPtr".to_string(),`
`411`	`411`	`}`
`412`	`412`	`}`
`413`		`-}`
	`413`	`+}`