fix: own native blocks with Block_copy/Block_release

A block returned from a native method is +0 and may still be a stack
block. Interop::GetResult retained it with CFRetain and
ObjectManager::DisposeValue released it with CFRelease, but CFRetain does
not promote a stack block to the heap. By the time the JS wrapper was
finalized during GC the CFRelease ran against a freed stack frame and
crashed in objc_release (EXC_BAD_ACCESS).

Use Block_copy when taking ownership of the returned block (which moves a
stack block to the heap, or bumps the refcount of a heap/global block) and
Block_release as the matching counterpart on disposal.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Author: NathanWalker

NativeScript/runtime/Interop.mm

@@ -1055,12 +1055,18 @@ inline bool isBool() {
       return callback;
     }
 
-    BlockWrapper* blockWrapper = new BlockWrapper(block, typeEncoding, true);
+    // Take ownership of the returned block. Block_copy (not CFRetain) is the
+    // correct primitive here: a block returned by a native method is +0 and may
+    // still be a stack block. CFRetain does not promote a stack block to the
+    // heap, so releasing it later (during GC, on a different stack) would touch a
+    // dead frame and crash in objc_release. Block_copy moves it to the heap (or
+    // just bumps the refcount when it is already a heap/global block); the
+    // matching Block_release runs in ObjectManager::DisposeValue.
+    JSBlock* ownedBlock = reinterpret_cast<JSBlock*>(Block_copy(block));
+    BlockWrapper* blockWrapper = new BlockWrapper(ownedBlock, typeEncoding, true);
     Local<External> ext = External::New(isolate, blockWrapper);
     Local<v8::Function> callback;
 
-    CFRetain(block);
-
     bool success =
         v8::Function::New(
             context,

NativeScript/runtime/ObjectManager.mm

@@ -1,4 +1,5 @@
 #include "ObjectManager.h"
+#include <Block.h>
 #include <CoreFoundation/CoreFoundation.h>
 #include <sstream>
 #include "Caches.h"
@@ -108,10 +109,12 @@
     case WrapperType::Block: {
       BlockWrapper* blockWrapper = static_cast<BlockWrapper*>(wrapper);
       if (blockWrapper->OwnsBlock()) {
-        // Balance the CFRetain taken when a native block was wrapped for JS
-        // (see Interop::GetResult). This runs the block's dispose helper if
-        // we held the last reference.
-        CFRelease(blockWrapper->Block());
+        // Balance the Block_copy taken when a native block was wrapped for JS
+        // (see Interop::GetResult). Block_release is the correct counterpart to
+        // Block_copy and runs the block's dispose helper once we drop the last
+        // reference. (Using CFRelease here over-released stack blocks that were
+        // never promoted to the heap, crashing in objc_release during GC.)
+        Block_release(blockWrapper->Block());
       }
       // Blocks created from JS callbacks (OwnsBlock() == false) are owned by
       // the native code they were handed to (e.g. NSNotificationCenter);