fix: use shared_ptr for resolution callback lifetime in WasmModuleCompilation

Replace RustCallable class with shared_ptr<void> to properly handle
std::function copy semantics in V8's Finish method. The previous approach
caused heap-use-after-free because V8 copies the std::function internally,
and the RustCallable copy/destroy semantics couldn't coordinate ownership
of the raw pointer across copies.

Now the Rust closure data is reference-counted through shared_ptr copies,
and the Rust side uses Option<Box<dyn FnOnce>> so the trampoline can
.take() the closure without freeing the outer allocation.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: bartlomieju

src/binding.cc

@@ -3809,69 +3809,31 @@ void v8__WasmModuleCompilation__OnBytesReceived(v8::WasmModuleCompilation* self,
   self->OnBytesReceived(bytes, size);
 }
 
-// A callable wrapper that properly tracks a Rust Box pointer lifetime through
-// std::function's copy/move/destroy operations (rule of five). This ensures
-// the boxed Rust closure is freed when the std::function is destroyed, even
-// if the callback is never invoked.
-class RustCallable {
- public:
-  using Callback = void (*)(void* data, const v8::WasmModuleObject* module,
-                            const v8::Value* error);
-
-  RustCallable(Callback callback, void* data, void (*drop)(void*))
-      : callback_(callback), data_(data), drop_(drop), alive_(true) {}
-
-  ~RustCallable() {
-    if (alive_) drop_(data_);
-  }
-
-  RustCallable(const RustCallable& other)
-      : callback_(other.callback_),
-        data_(other.data_),
-        drop_(other.drop_),
-        alive_(false) {}
-
-  RustCallable(RustCallable&& other)
-      : callback_(other.callback_),
-        data_(other.data_),
-        drop_(other.drop_),
-        alive_(other.alive_) {
-    other.alive_ = false;
-  }
-
-  RustCallable& operator=(const RustCallable&) = delete;
-  RustCallable& operator=(RustCallable&&) = delete;
-
-  void operator()(
-      std::variant<v8::Local<v8::WasmModuleObject>, v8::Local<v8::Value>>
-          result) {
-    if (auto* module = std::get_if<v8::Local<v8::WasmModuleObject>>(&result)) {
-      callback_(data_, local_to_ptr(*module), nullptr);
-    } else {
-      callback_(data_, nullptr,
-                local_to_ptr(std::get<v8::Local<v8::Value>>(result)));
-    }
-    // After invoking a FnOnce, the drop is handled by Rust inside the
-    // callback. Prevent double-free when the std::function is destroyed.
-    alive_ = false;
-  }
-
- private:
-  Callback callback_;
-  void* data_;
-  void (*drop_)(void*);
-  bool alive_;
-};
-
 void v8__WasmModuleCompilation__Finish(
     v8::WasmModuleCompilation* self, v8::Isolate* isolate,
     void (*caching_callback)(v8::WasmStreaming::ModuleCachingInterface&),
     void (*resolution_callback)(void* data, const v8::WasmModuleObject* module,
                                 const v8::Value* error),
     void* resolution_data, void (*drop_resolution_data)(void* data)) {
+  // Use shared_ptr to reference-count the Rust closure data through
+  // std::function's copy semantics. The custom deleter calls back into Rust
+  // to drop the boxed closure when the last copy is destroyed.
+  auto shared_data = std::shared_ptr<void>(
+      resolution_data,
+      [drop_resolution_data](void* p) { drop_resolution_data(p); });
   self->Finish(
       isolate, caching_callback,
-      RustCallable(resolution_callback, resolution_data, drop_resolution_data));
+      [resolution_callback, shared_data](auto result) {
+        if (auto* module =
+                std::get_if<v8::Local<v8::WasmModuleObject>>(&result)) {
+          resolution_callback(shared_data.get(), local_to_ptr(*module),
+                              nullptr);
+        } else {
+          resolution_callback(
+              shared_data.get(), nullptr,
+              local_to_ptr(std::get<v8::Local<v8::Value>>(result)));
+        }
+      });
 }
 
 void v8__WasmModuleCompilation__Abort(v8::WasmModuleCompilation* self) {

src/wasm.rs

@@ -352,9 +352,13 @@ impl WasmModuleCompilation {
       }
     };
 
-    // Double-box: the outer Box gives us a thin pointer suitable for void*.
-    let boxed: Box<Box<dyn FnOnce(*const WasmModuleObject, *const Value)>> =
-      Box::new(Box::new(wrapped));
+    // Double-box with Option: the outer Box gives us a thin pointer suitable
+    // for void*. The Option allows the trampoline to .take() the closure
+    // (FnOnce semantics) without freeing the outer allocation, which is
+    // ref-counted by shared_ptr on the C++ side.
+    let boxed: Box<
+      Option<Box<dyn FnOnce(*const WasmModuleObject, *const Value)>>,
+    > = Box::new(Some(Box::new(wrapped)));
     let data = Box::into_raw(boxed) as *mut c_void;
 
     unsafe {
@@ -441,15 +445,24 @@ unsafe extern "C" fn resolution_trampoline(
   module: *const WasmModuleObject,
   error: *const Value,
 ) {
-  let callback: Box<Box<dyn FnOnce(*const WasmModuleObject, *const Value)>> =
-    unsafe { Box::from_raw(data as *mut _) };
+  // Take the closure out of the Option without freeing the outer Box.
+  // The outer Box is ref-counted by shared_ptr on the C++ side and will
+  // be freed via drop_resolution_data when the last copy is destroyed.
+  let slot = unsafe {
+    &mut *(data
+      as *mut Option<Box<dyn FnOnce(*const WasmModuleObject, *const Value)>>)
+  };
+  let callback = slot.take().unwrap();
   callback(module, error);
 }
 
 unsafe extern "C" fn drop_resolution_data(data: *mut c_void) {
   let _ = unsafe {
     Box::from_raw(
-      data as *mut Box<dyn FnOnce(*const WasmModuleObject, *const Value)>,
+      data
+        as *mut Option<
+          Box<dyn FnOnce(*const WasmModuleObject, *const Value)>,
+        >,
     )
   };
 }