Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/npm_trusted_release.yml:
- Around line 123-126: The workflow is unsafe because it interpolates
workflow_dispatch inputs directly into the run script (e.g., release_type='${{
inputs.release-type }}', preid='${{ inputs.preid }}', target='${{ matrix.target
}}'), allowing shell injection; change the step to pass these values via env:
(e.g., set environment variables like RELEASE_TYPE, PREID, TARGET) and then
reference them inside the run body as quoted shell variables ("$RELEASE_TYPE",
"$PREID", "$TARGET"); apply the same env + "$VAR" quoting pattern to every run
step that currently splices `${{ inputs.* }}` (including the summary step) and
update references to the functions/variables release_type, preid, and target
accordingly.
- Around line 57-84: Add explicit least-privilege GITHUB_TOKEN permissions for
the affected jobs by declaring permissions: contents: read (and id-token: write
only where needed) at the job-level for the matrix, build, and summary jobs
(instead of relying on repo defaults) so each job's token scope is minimal; also
fix the command-injection risk in the build job where inputs.preid is inlined by
moving inputs.preid into the job environment (e.g., env: PREID: ${{ inputs.preid
}}) and reference that env var inside the bash step (or otherwise properly
escape it) rather than embedding ${{ inputs.preid }} into the shell script body.

In `@benchmarks/objc-dispatch/run.js`:
- Around line 611-622: When the child process exits without emitting the
benchmark marker the code currently just waits for the timeout; update the
child.on("exit", ...) handler to fail fast: if !settled and output does NOT
include marker, create a failure report that includes the exit code and the
child's stderr (use the same captured stderr buffer/variable you already
collect) and immediately call the settling path (e.g. settleWithReport or the
equivalent settle/error function) instead of doing nothing; reference the
symbols child.on("exit", settled, output, marker, settleWithReport,
parseBenchmarkOutput) so you locate and replace the current no-op branch with an
immediate failure/settle containing the stderr and exit code.
- Around line 460-462: Replace the ad-hoc file URL constructor in pathToFileUrl
with Node's pathToFileURL: import and return pathToFileURL(filePath).href inside
the existing pathToFileUrl function so dynamic import works for paths with #,
spaces, etc.; and update launchAndCollect's simctl launch exit handler to fail
fast by rejecting when the child process exits with a non-zero code (include
stderr/stdout or the exit code in the rejection), and ensure you remove
listeners/kill or cleanup the child process and resolve/reject only once to
avoid waiting for the marker after a launch failure.

In `@examples/react-native-demo/App.tsx`:
- Around line 47-50: Replace the direct use of
UIApplication.sharedApplication.keyWindow with a scene-aware lookup: when
obtaining the window (currently using UIApplication.sharedApplication and
keyWindow), enumerate UIApplication.sharedApplication.connectedScenes, find the
UIWindowScene whose activationState is .foregroundActive (or
.foregroundForegroundActive equivalent) and then pick its windows array entry
with isKeyWindow == true; if none found, fall back to the existing keyWindow
(for iOS 12 and earlier). Update the code that throws "No key UIWindow is
available yet" to use this scene-aware window variable (referencing
UIApplication.sharedApplication, connectedScenes, UIWindowScene.activationState,
windows, and isKeyWindow) so it only throws when no window can be resolved after
the scene-aware fallback.

In `@NativeScript/ffi/HermesFastNativeApi.mm`:
- Around line 2352-2380: The C-function invocation writes into the cached
Cif->rvalue while the runtime is unlocked, risking clobbering across
concurrent/recursive calls; allocate a per-call return buffer (local stack or
heap) and pass its pointer instead of cif->rvalue into
ensureHermesCFunctionEngineDirectInvoker/InvokeCFunctionEngineDirectDynamic (use
a local variable like perCallRValue), then after the invocation (while still in
this function, before returning) convert that per-call buffer by calling
makeHermesCFunctionReturnValue or copying it into the cif if needed; update the
call sites that currently pass cif->rvalue to pass perCallRValue and ensure
makeHermesCFunctionReturnValue(env, function, cif, perCallRValue) or equivalent
is used so the cached Cif->rvalue is no longer written while runtime is
unlocked.
- Around line 1639-1650: The branch that boxes Hermes booleans/numbers for every
non-class object kind incorrectly creates NSNumbers for NSString fast args;
modify the condition inside the non-mdTypeClass branch so it first checks
whether kind is mdTypeNSStringObject or mdTypeNSMutableStringObject and, if so,
performs the normal string conversion (instead of boxing) into
*reinterpret_cast<id*>(result); otherwise continue to handle isHermesBool and
isHermesNumber as before. Update the logic near hermesRawValueBits(value),
isHermesBool, isHermesNumber and the assignment to
*reinterpret_cast<id*>(result) to skip NSNumber boxing for the two NSString
kinds.
- Around line 202-233: The mutableString branch currently allocates an
NSMutableString via initWithCharacters: and returns a retained object (leak);
change it to return an autoreleased instance so callers don’t leak: after
creating the string with [[NSMutableString alloc] initWithCharacters:...
length:utf16Length] call autorelease (or replace with a convenience constructor
such as +stringWithCharacters:length:), assign that autoreleased object to
*result and return true; update the allocation site in HermesFastNativeApi.mm
(the mutableString branch and the expression using initWithCharacters)
accordingly.
- Around line 1596-1625: Both TryFastConvertHermesInt64Argument and
TryFastConvertHermesUInt64Argument accept BigInts even when
napi_get_value_bigint_int64/_uint64 returns lossless==false, which can truncate
values; update each function to call napi_get_value_bigint_int64 /
napi_get_value_bigint_uint64 into the existing result and lossless variables and
only return true if the call returns napi_ok AND lossless is true (otherwise
return false) so oversized BigInt arguments are rejected on the Hermes fast
path.

In `@NativeScript/ffi/JSCFastNativeApi.mm`:
- Around line 184-186: The mdTypeVoid branch currently returns
JSValueMakeNull(ctx) which yields null; change both occurrences of the
mdTypeVoid case in JSCFastNativeApi.mm (the fast-path switch handling return
types — see the case mdTypeVoid near the top and the duplicate at ~1776-1778) to
return JSValueMakeUndefined(ctx) and return true so void native calls produce
undefined, matching other backends.
- Around line 879-920: The code can set env->last_exception during a speculative
direct call even when that call returns false, which leaks that exception into
the subsequent slow-path; after each direct attempt (the calls to
tryCallJSCObjCEngineDirect and tryCallJSCCFunctionEngineDirect) ensure you only
preserve env->last_exception when didUseDirectResult is true—if
didUseDirectResult is false, clear env->last_exception (set to nullptr)
immediately so the slow-path isn't given a spurious pending exception; update
the blocks around the tryCallJSCObjCEngineDirect and
tryCallJSCCFunctionEngineDirect invocations to reset env->last_exception when
the direct path wasn't used.

In `@NativeScript/ffi/ObjCBridge.h`:
- Around line 215-233: In cacheHandleObjectRef, the call
deleteOwnedHandleObjectRef(env, it->second) uses an undefined env; change the
call to the existing overload that doesn't require env by calling
deleteOwnedHandleObjectRef(it->second) (or update cacheHandleObjectRef signature
to accept an env if that overload is required), and keep the rest of the logic
around handleObjectRefs, bumpHandleObjectRefsGeneration(), and HandleObjectRef
unchanged.

In `@NativeScript/ffi/QuickJSFastNativeApi.mm`:
- Around line 275-277: The fast-path currently maps mdTypeVoid to JS_NULL (see
mdTypeVoid case in QuickJSFastNativeApi.mm) causing void-return natives to
surface as null; update the case handling to return JS_UNDEFINED instead of
JS_NULL and ensure the same replacement is applied to the other identical
mdTypeVoid branch later in the file (the second occurrence around the longer
native-call handling) so both fast-paths consistently produce undefined for void
results.
- Around line 992-1094: A pending QuickJS exception from
tryCallQuickJS*EngineDirect can remain and be rethrown after the slow path;
before entering the slow path (i.e., after the didUseDirectReturn branch and
before QuickJSFastStackHandleScope) clear any pending exception by calling
JS_GetException(context) and JS_FreeValue(context, <that exception>) (or
equivalent QuickJS APIs) so the slow-path result isn't shadowed by a stale
exception; reference tryCallQuickJSObjCEngineDirect,
tryCallQuickJSCFunctionEngineDirect, QuickJSFastStackHandleScope,
JS_HasException, JS_GetException, and JS_FreeValue to locate the correct place
to insert the clear.

In `@NativeScript/ffi/SignatureDispatch.h`:
- Around line 139-163: The helpers readHermesDispatchFiniteNumber and
readHermesDispatchFiniteNumberRaw must reject non-finite Hermes numbers instead
of coercing to 0.0: change the logic so that after confirming
isHermesDispatchNumber(raw) you check hermesDispatchRawDoubleIsFinite(raw) and
return false if it's not finite; only call hermesDispatchRawToDouble(raw) and
store into *result when the value is finite, and ensure you still return true on
success and false on any null-pointer or non-finite condition.

In `@NativeScript/ffi/TypeConv.mm`:
- Around line 2200-2213: The direct-lookup fallback is gated by "if
(objNormalized != objPtr)" so it only runs when the incoming pointer has extra
bits; instead remove that gate and always iterate
bridgeState->mdProtocolsByPointer when the direct lookup misses: compute objPtr
and objNormalized as before, then unconditionally loop over
bridgeState->mdProtocolsByPointer, compare normalizePtr((void*)entry.first) to
objNormalized, call bridgeState->getProtocol(env, entry.second) and if proto !=
nullptr return get_ref_value(env, proto->constructor); this ensures
metadata-side keys with tag/auth bits are matched even when the incoming pointer
was already normalized.

In `@packages/react-native/ios/Fabric/NativeScriptUIViewComponentView.mm`:
- Around line 15-17: The +load override in NativeScriptUIViewComponentView (the
+load method in NativeScriptUIViewComponentView.mm) should not call [super load]
manually; remove the explicit [super load] call (or remove the entire +load
override if it does nothing) so the Objective-C runtime handles superclass +load
invocation and avoids double-invoking superclass load-time side effects.

---

Outside diff comments:
In `@NativeScript/ffi/CFunction.mm`:
- Around line 342-349: The code currently marshals arguments/results through the
shared Cif scratch buffers (cif->avalues / cif->rvalue) while executing the
native call under NativeCallRuntimeUnlockScope, which allows a nested re-entry
to clobber those buffers; change the call sites that use CFunction::cif (and
functions like ensureCFunctionDispatchLookup, preparedInvoker, napiInvoker,
engineDirectInvoker) to copy needed avalues and rvalue into per-invocation
scratch storage before unlocking the runtime (e.g., allocate small stack/local
arrays or a temporary vector for the arg/value pointers), then pass those
per-call buffers to the invoker and restore any needed state after the call —
ensure every path that currently references cif->avalues or cif->rvalue
(including the other noted blocks) is updated to use these per-invocation copies
so the shared cif buffers are never used while the runtime is unlocked.

In `@NativeScript/ffi/Class.mm`:
- Around line 602-610: The loop currently uses NSUInteger and implicitly narrows
to uint32_t when calling napi_set_element and napi_create_int32, causing
warnings; change the loop index to uint32_t (e.g., for (uint32_t index = 0;
index < (uint32_t)count; ++index) ), keep using self->state.itemsPtr[index] and
bridgeState->getObject(env, obj) as before, use napi_set_element(env,
stackArray, index, jsObj) with the uint32_t index, and replace
napi_create_int32(env, count, &result) with napi_create_uint32(env,
(uint32_t)count, &result) to avoid narrowing conversions.

---

Nitpick comments:
In `@metadata-generator/src/SignatureDispatchEmitter.cpp`:
- Around line 654-729: The function writeHermesDirectReturnValue currently emits
an open "if" block that callers must close, but this contract is undocumented;
add a short comment above the writeHermesDirectReturnValue declaration stating
that the function writes the opening of an if(...) { block and that the caller
is responsible for emitting the corresponding cleanup logic, the "return false;"
(on failure), and the closing brace '}' so callers like whoever invokes
writeHermesDirectReturnValue know to finish the block correctly; reference the
symbol writeHermesDirectReturnValue and mention the related concepts "open if
block", "cleanup logic", "return false", and "closing brace" in the comment.

In `@NativeScript/ffi/HermesFastCallbackInfo.h`:
- Around line 54-57: HermesFastThisArg currently dereferences info and
info->frame without checks and can crash if a caller bypasses
TryGetHermesFastCallbackInfo; add the same defensive null-checks used elsewhere:
verify info is non-null and info->frame is non-null before accessing
info->frame->thisArgAndArgsBase, and return nullptr (or the function's
appropriate null napi_value) when the checks fail; update HermesFastThisArg to
mirror the validation pattern of the other accessor functions and keep the
return type/behavior consistent with callers that expect a null napi_value.

In `@NativeScript/ffi/JSCFastNativeApi.h`:
- Around line 6-16: Wrap the namespace block with `#ifdef` __cplusplus / `#endif` so
the identifier namespace nativescript { ... } (containing
JSCTryDefineFastNativeProperty) is only emitted for C++/ObjC++ compiles; i.e.,
surround the opening "namespace nativescript {" and the corresponding closing "
}  // namespace nativescript" with `#ifdef` __cplusplus and `#endif` to prevent a C
translation unit from seeing an unguarded C++ namespace.

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@NativeScript/ffi/CFunction.mm`:
- Around line 436-451: The code eagerly allocates a
shared_ptr<CFunctionInvocationFrame> (invocationFrame) and its heap per-argument
storage even on the fast direct-invoker path; move to lazy allocation by keeping
a cheap inline/stack return buffer (rvalue or small local storage) and only
construct CFunctionInvocationFrame (and call make_shared) when falling back to
the slow path (when engineDirectInvoker==nullptr && (napiInvoker==nullptr ||
cif->skipGeneratedNapiDispatch) OR when preparedInvoker/ffi_call or
isMainEntrypoint scheduling is required). Update the call site in the function
that currently creates invocationFrame (the jsCallDirect / CFunction invocation
logic) to use the inline rvalue for direct dispatch and only allocate
invocationFrame before calling preparedInvoker/ffi_call or before entering the
try block when the path requires full frame semantics.

---

Outside diff comments:
In `@metadata-generator/src/SignatureDispatchEmitter.cpp`:
- Around line 53-65: The dispatch identity currently collapses concrete object
MDTypeKind values which causes distinct concrete kinds (e.g.,
mdTypeNSStringObject, mdTypeNSMutableStringObject) to map to the same dispatchId
while wrappers/fast-paths still depend on the concrete kind; fix this by
preserving the concrete MDTypeKind when computing signatureHash/dispatchId
instead of canonicalizing them to mdTypeAnyObject — update
canonicalizeSignatureTypeKind (or the place that calls it for signature hash
creation) to return the original kind for object kinds, ensure
dispatchId/signatureHash generation uses that concrete kind, and re-run tests to
confirm emplace/select behavior now distinguishes NSString/NSMutableString/id
slots (or alternatively make the emitted wrapper conversions fully kind-agnostic
if you prefer that approach).
- Around line 894-926: The BigInt-fast-paths call napi_get_value_bigint_int64 /
napi_get_value_bigint_uint64 but ignore the out-parameter lossless{index},
allowing truncated values; update the branches that call
napi_get_value_bigint_int64 and napi_get_value_bigint_uint64 to check
lossless{index} after a successful return and treat lossless==false as an error:
if lossless{index} is false then call cleanupManagedArgs() when hasCleanupArgs
is true and return false to force the fallback; ensure the same check is applied
for both signed (napi_get_value_bigint_int64) and unsigned
(napi_get_value_bigint_uint64) paths referencing arg{index}, lossless{index},
and cleanupManagedArgs().

In `@NativeScript/ffi/ObjCBridge.mm`:
- Around line 978-997: The fast-array decision wrongly treats
nativeIsMutableArray as sufficient to choose the fast path; change the condition
that computes shouldUseFastArray to require both that the array is mutable and
that its count is <= kHermesFastArrayIndexPropertyLimit (i.e. replace the `||`
with `&&` in the expression that sets shouldUseFastArray). This ensures
shouldProxyArray is true for large NSMutableArray instances and prevents calling
createNativeFastArrayIndexes/factory with a 1024 cap when the array exceeds
kHermesFastArrayIndexPropertyLimit.

In `@NativeScript/ffi/TypeConv.mm`:
- Around line 2823-2839: The toJS override currently returns nullptr when
ObjCBridgeState::InstanceData(env) is missing, which yields an invalid
napi_value; instead, keep the pointer fallback for non-null Class values: in
toJS (the function containing Class cls, the findRegisteredClassConstructor
call, and the ObjCBridgeState::InstanceData(env) lookup), if bridgeState is null
call the same pointer-to-JS fallback used elsewhere in this file (i.e.,
construct a valid napi_value representing the raw Class pointer or external
handle) and return that rather than nullptr so callers receive a valid JS handle
when getObject cannot be used.

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@NativeScript/ffi/CFunction.mm`:
- Around line 517-523: The CFunctionInvocationFrame currently allocates rvalue_
using cif->rvalueLength > 0 ? cif->rvalueLength : 1 which can under-allocate
when cif->rvalueLength is zero; update the allocation logic in
CFunctionInvocationFrame (the rvalue_ allocation and any related sizing logic
used before calling preparedInvoker/ffi_call) to mirror CFunctionReturnStorage's
behavior by using cif->rvalueLength if > 0 otherwise falling back to
cif->cif.rtype->size so the return buffer is correctly sized for the slow path.

---

Outside diff comments:
In `@NativeScript/ffi/QuickJSFastNativeApi.mm`:
- Around line 1567-1596: The fast-path string branch in
TryFastConvertQuickJSUInt16Argument wrongly treats the JS string as a UTF-8 byte
buffer; instead convert the JSValue to a QuickJS JSString and read the first
UTF-16 code unit (i.e. first JS character/code unit), not the first UTF-8 byte.
Replace the JS_ToCStringLen/length check with a JS_ToString (or
JS_DupValue/JS_VALUE_GET_STRING) + JS_GetStringLen to ensure there is exactly
one code unit, then extract that code unit (via the QuickJS string char accessor
such as JS_GetStringChar/appropriate API) and store it into *result; keep the
existing error handling (napi_throw_type_error) when it isn’t a single code
unit.

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@NativeScript/ffi/hermes/HermesFastNativeApi.mm`:
- Around line 707-745: The code marks the Hermes fast path handled (writes to
*handled) before the final dispatch, causing a hard failure on a fast-path miss;
change the logic so *handled is only set after the dispatch succeeds (i.e.,
after didInvoke is true). Specifically, in the block that uses
EngineDirectRoundTripCacheFrameGuard, invoker
(ensureHermesObjCEngineDirectInvoker) and the fallback
InvokeObjCMemberEngineDirectDynamic, move the "*handled = true" assignment so it
executes only when didInvoke is true (after the `@try/`@catch and the if
(!didInvoke) check), and apply the same change to the other analogous block that
uses the same symbols (invoker, didInvoke, InvokeObjCMemberEngineDirectDynamic)
later in the file.

In `@NativeScript/ffi/hermes/HermesFastNativeApiPrivate.h`:
- Around line 78-89: The current makeHermesRawValue writes into
cif->hermesRawReturnSlot which can be clobbered by reentrant calls; instead, do
not store raw bits in the shared Cif. Change makeHermesRawValue so it never
writes to cif->hermesRawReturnSlot: always allocate a per-call/thread-local slot
(like the existing static thread_local slots/nextSlot) and return a pointer to
that slot; keep the same slot rotation logic and reinterpret_cast to napi_value,
and remove the branch that assigns to cif->hermesRawReturnSlot so Cif is not
used to hold return bits.

In `@NativeScript/ffi/jsc/JSCFastNativeApi.mm`:
- Around line 47-57: The fallback that returns member->cls->nativeClass when
member->classMethod or when jsThis is a function is too broad and causes
inherited constructor calls to resolve to the superclass; update the logic in
the block checking member, member->cls, and member->cls->nativeClass to also
perform the same constructor-identity check used in the N-API/Hermes path: when
jsThis is a function (napi_typeof(...)=napi_function) confirm that jsThis's JS
constructor identity equals member->cls->nativeClass before returning
static_cast<id>(member->cls->nativeClass); if the identity does not match, do
not fall back to member->cls->nativeClass and allow dispatch to use the actual
jsThis/receiver instead.

In `@NativeScript/ffi/quickjs/QuickJSFastNativeApi.mm`:
- Around line 36-42: The fast-path in QuickJSFastNativeApi.mm returns the raw
wrapped pointer from TryUnwrapQuickJSNativeObjectFast (called with env,
ToJSValue(jsThis)), which may be an ObjCClass/ObjCProtocol wrapper rather than
the real Objective‑C receiver; update the code so that after obtaining non-null
wrapped you perform the same class/protocol normalization used by the slow
conversion path (i.e. transform bridge wrappers into the actual Class/id
receiver) before returning it — reuse the existing normalization helper used
elsewhere (the same logic the slower conversion path uses) so objc_msgSend
always receives the normalized native receiver.

In `@NativeScript/ffi/v8/V8FastConversion.mm`:
- Around line 270-276: In TryFastConvertV8Argument's string branch (the
value->IsString() block using v8::String::Value chars), remove the call to
throwV8Error so the fast-path probe does not create a pending V8 exception;
instead, on chars.length() != 1 set *result = 0 and return false to signal the
caller to run the generic converter. Do not introduce any other throws or V8
exception APIs in this probe so callers can safely interpret false as “fallback
only.”
- Around line 337-350: The fast-path currently unconditionally narrows BigInt
via Int64Value()/Uint64Value(), which can truncate; modify the BigInt handling
in V8FastConversion.mm so that after calling
value.As<v8::BigInt>()->Int64Value(&lossless) or ->Uint64Value(&lossless) you
check the lossless flag and only write to *reinterpret_cast<int64_t*>(result) or
*reinterpret_cast<uint64_t*>(result) and return true if lossless is true; if
lossless is false, do not assign and return false (so the caller falls back to
the slower, safe conversion path) — apply this change for both the signed
(Int64Value) and unsigned (Uint64Value) branches.

In `@NativeScript/ffi/v8/V8FastNativeWrapper.mm`:
- Around line 87-89: The named-setter path calls definePlainValueProperty (which
calls CreateDataProperty) but always returns NS_V8_RETURN_YES; change it to
check the boolean result of definePlainValueProperty (or the underlying
CreateDataProperty) when setting holder/property/value and if it returns false
return NS_V8_RETURN_NO instead of unconditionally NS_V8_RETURN_YES so failed
writes (e.g., on non-extensible/frozen wrappers) propagate failure to JS; update
the code around definePlainValueProperty(..., holder, property, value) to
capture its return and conditionally use NS_V8_RETURN_YES or NS_V8_RETURN_NO.

---

Outside diff comments:
In `@NativeScript/ffi/hermes/HermesFastConversion.mm`:
- Around line 1017-1025: In TryFastConvertHermesPointerArgument (case
napi_bigint) handle the napi_get_value_bigint_uint64 lossless out parameter:
after calling napi_get_value_bigint_uint64, verify the bool lossless is true and
if not return false so the fast path rejects lossy BigInt conversions; only when
napi_get_value_bigint_uint64 succeeds and lossless == true assign *result =
reinterpret_cast<void*>(raw) and return true.

In `@NativeScript/ffi/jsc/JSCFastConversion.mm`:
- Around line 707-709: The current BigInt→64-bit conversion calls
(napi_get_value_bigint_int64 and napi_get_value_bigint_uint64) ignore the
lossless out-parameter and only check for napi_ok; update each call (the
occurrences around the earlier return, and the blocks at the other two ranges)
to treat lossless==false as a conversion failure: after calling
napi_get_value_bigint_int64/uint64, return false (or take the non‑truncating
fallback) if the call succeeded but lossless is false. Concretely, keep the
existing napi_ok check but also ensure the function returns false when lossless
is false (or proceeds to the safe fallback path) for the calls to
napi_get_value_bigint_int64 and napi_get_value_bigint_uint64 using the lossless
variable and the result out-parameter.

In `@NativeScript/ffi/napi/CFunction.mm`:
- Around line 493-501: The current early return when engineDirectInvoker or
napiInvoker returns false prevents falling back to the existing libffi slow
path; instead of returning nullptr when invoked is false, remove the early
return and allow execution to continue to the slow/libffi path so signatures the
generated C-function path can't handle still work; update the block around the
invoked check in CFunction.mm (where returnStorage.rvalue(),
engineDirectInvoker, napiInvoker and the invoked boolean are used) to skip the
early return and proceed to the code that performs the libffi fallback.

In `@NativeScript/ffi/napi/ClassMember.mm`:
- Around line 2050-2051: The setter conversion uses a single bool shouldFree for
both per-argument and aggregate out-parameters, which can cause incorrect frees;
change this to two separate flags (e.g., bool argShouldFree = false; bool
aggShouldFree = false) and pass them respectively to
cif->argTypes[0]->toNative(env, value, avalues[2], &argShouldFree,
&aggShouldFree) so the per-argument free state is not aliased with the aggregate
flag used elsewhere (locate the call site that currently uses shouldFree and
update it to the two-variable pattern).
- Around line 385-391: The generated ObjC dispatch currently returns false on a
failed invoker; instead, when invoked == false you should call the libffi
fallback objcNativeCall so the fast-path miss falls through. Modify the block in
ClassMember.mm where engineInvoker/invoker are called: if (!invoked) invoke
objcNativeCall(env, cif, (void*)objc_msgSend, self, selector, argv, rvalue) and
return its result rather than returning false. Keep existing scope handling
(NativeCallRuntimeUnlockScope) and use the same parameters as the original call
so callers receive the fallback behavior.
- Around line 582-599: The code incorrectly marks JS arrays as compatible with
mdTypeNSStringObject/mdTypeNSMutableStringObject during type scoring; change the
napi_is_array branch so arrays are not treated as valid NSString candidates (do
not return true for isArray). In the switch handling
mdTypeNSStringObject/mdTypeNSMutableStringObject (the block referencing jsType,
napi_is_array, napi_unwrap), if napi_is_array reports true, skip returning true
and proceed to the wrapped-object check (only return true when napi_unwrap
succeeds); ensure no early true is returned for arrays so scoring won't prefer
string-taking overloads for array inputs.

In `@NativeScript/ffi/napi/TypeConv.mm`:
- Around line 1321-1334: The fast-path currently only handles Pointer-shaped
objects and ignores raw externals stored under "__ns_native_ptr", so restore the
fallback: after retrieving nativePointerValue (using napi_get_named_property)
and if Pointer::isInstance(env, nativePointerValue) check unwrap as before
(Pointer::unwrap) but otherwise detect a raw external (use
napi_get_value_external / napi_typeof or equivalent N-API check) and extract the
void* from that external into *out and return true; keep existing
napi_has_named_property / napi_get_named_property and the Pointer::isInstance /
Pointer::unwrap flow intact so both Pointer instances and raw externals are
supported.

In `@NativeScript/ffi/shared/EngineDirectCall.mm`:
- Around line 1000-1002: The code currently calls
ObjCBridgeState::InstanceData(env) before verifying env is non-null; change the
order to first guard against a null env (e.g., if (env == nullptr) return
nullptr;) and only then call ObjCBridgeState::InstanceData(env), then check the
returned bridgeState for null before proceeding; update the block around
ObjCBridgeState::InstanceData and the existing env/bridgeState null checks to
reflect this reordering.
- Around line 793-815: The current loop writes converted args into the shared
cached buffer cif->avalues, causing races; allocate and use per-invocation
storage (e.g., use stackAvalues/heapAvalues via the local pointer avalues) and
never write back into cif->avalues; copy cif->avalues into avalues initially,
run TryFastConvertEngineArgument and call cif->argTypes[i]->toNative to place
results into avalues[i], and maintain per-call shouldFree storage
(stackShouldFree/heapShouldFree via a similar pointer) and update shouldFreeAny
accordingly so frees happen only for this invocation; keep references to
TryFastConvertEngineArgument, cif->avalues, avalues, stackAvalues, heapAvalues,
stackShouldFree, heapShouldFree, and cif->argTypes[i]->toNative to locate and
apply the change.

In `@NativeScript/ffi/shared/SignatureDispatch.h`:
- Around line 420-439: The functions SetHermesGeneratedInt8Return and
SetHermesGeneratedUInt8Return are special-casing 0/1 to produce Hermes
boolean-tagged values, which makes numeric signatures return booleans; change
both to always produce numeric returns: remove the if (value == 0 || value == 1)
branches and call makeHermesDispatchRawNumberValue(cif,
static_cast<double>(value)) unconditionally for both int8_t and uint8_t, leaving
the function signatures and return true; this ensures int8_t/uint8_t results are
always numeric in JS.
- Around line 250-407: Fast-path Hermes numeric converters (e.g.,
TryFastConvertHermesGeneratedInt8Argument,
TryFastConvertHermesGeneratedUInt32RawArgument,
TryFastConvertHermesGeneratedInt64RawArgument, etc.) only check finiteness and
then static_cast, which allows out-of-range or fractional JS numbers to silently
wrap/truncate; update each TryFastConvertHermesGenerated*Argument and
*RawArgument to validate the converted double before narrowing by (1) ensuring
the value is within the target type range using
std::numeric_limits<T>::min()/max(), (2) for integer types rejecting fractional
values (e.g., via std::trunc/ std::floor or checking converted ==
std::trunc(converted)), and (3) for unsigned types also enforcing >= 0; if any
check fails, return false so the caller falls back to the regular converter;
apply the same validation to raw variants after calling
readHermesDispatchFiniteNumberRaw.
- Around line 832-839: The isGeneratedDispatchEnabled() predicate treats only
the exact string "0" as disabling GSD, so NS_DISABLE_GSD=1 still enables it;
update the function (isGeneratedDispatchEnabled) to parse common truthy disable
values instead: if NS_DISABLE_GSD is unset or empty return true, but if it is
set to "1" or any case-insensitive "true" (or other common truthy indicators)
return false; implement this by normalizing the value from
std::getenv("NS_DISABLE_GSD") and checking for '1' or a case-insensitive match
to "true" (and keep the existing check for exact "0" as disabling if you prefer)
so that setting NS_DISABLE_GSD=1 properly disables generated dispatch.

In `@NativeScript/napi/quickjs/quickjs-api.c`:
- Around line 3414-3425: The code caches externalInfo into the object opaque
slot via JS_SetOpaque(jsValue, externalInfo) after defining the napi_external
property (JS_DefinePropertyValue), but that property is writable/configurable so
it can be deleted/replaced and free externalInfo while the opaque slot still
points to it; fix by removing this unsafe fast path or making the backing
property truly immutable/hidden before caching (e.g., define napi_external as
non-writable, non-configurable, and non-enumerable) or, if you must keep a
writable property, avoid trusting the opaque cache and instead revalidate the
napi_external property (read and compare its current value) each time before
returning the cached pointer (symbols: JS_DefinePropertyValue, napi_external,
JS_SetOpaque, externalInfo, napi_unwrap).

---

Duplicate comments:
In `@NativeScript/ffi/v8/V8FastConversion.mm`:
- Around line 360-381: The generated-path conversion handlers mdTypeFloat and
mdTypeDouble currently coerce NaN/±Inf to 0.0; remove the std::isnan/std::isinf
checks and the converted = 0.0 assignments so the code simply calls
value->NumberValue(env->context()).To(&converted) and then writes converted
(cast for float) into result, allowing NaN/Infinity to propagate the same way as
the regular conversion/error path.