vm module regression
tsctx opened this issue · 4 comments
tsctx commented
Version
v23.0.0-nightly20240605b26a260ce5
Platform
windows
Subsystem
vm
What steps will reproduce the bug?
```js
// vm.js
"use strict";
const vm = require("node:vm");

var ctx;

const getterObject = {
  get key() {
    return "value";
  },
};
const setterObject = {
  set key(value) {},
};
const plainObject = {
  key: "value",
};

class GetterObject {
  get key() {
    return "value";
  }
}
class SetterObject {
  set key(value) {
    // noop
  }
}

ctx = vm.createContext(new GetterObject()); // <- OK
ctx = vm.createContext(new SetterObject()); // <- OK
ctx = vm.createContext({}); // <- OK
ctx = vm.createContext([]); // <- OK
ctx = vm.createContext(new Array(1)); // <- OK
ctx = vm.createContext([["key", "value"]]); // <- Fail
ctx = vm.createContext(plainObject); // <- Fail
ctx = vm.createContext({ __proto__: plainObject }); // <- Fail
ctx = vm.createContext(getterObject); // <- Fail
ctx = vm.createContext(setterObject); // <- Fail

console.log(vm.runInContext(`this`, ctx));
```
How often does it reproduce? Is there a required condition?
No response
What is the expected behavior? Why is that the expected behavior?
No response
What do you see instead?
```text
> $ ./node ./vm.js
#
# Fatal error in , line 0
# Check failed: Object::ToUint32(*element, &number).
#
#
#
#FailureMessage Object: 000000B0F2FFB3B0
----- Native stack trace -----
1: 00007FF67B678B4B node::SetCppgcReference+16011
2: 00007FF67B56424F node::TriggerNodeReport+73343
3: 00007FF67C706065 V8_Fatal+197
4: 00007FF67BE83214 v8::MemorySpan<std::basic_string_view<char,std::char_traits<char> > const >::end+375236
5: 00007FF67BE814CE v8::MemorySpan<std::basic_string_view<char,std::char_traits<char> > const >::end+367742
6: 00007FF67BE81395 v8::MemorySpan<std::basic_string_view<char,std::char_traits<char> > const >::end+367429
7: 00007FF67BE82539 v8::MemorySpan<std::basic_string_view<char,std::char_traits<char> > const >::end+371945
8: 00007FF67BE81674 v8::MemorySpan<std::basic_string_view<char,std::char_traits<char> > const >::end+368164
9: 00007FF67BE83C88 v8::MemorySpan<std::basic_string_view<char,std::char_traits<char> > const >::end+377912
10: 00007FF67BE83A57 v8::MemorySpan<std::basic_string_view<char,std::char_traits<char> > const >::end+377351
11: 00007FF67BD639DE v8::internal::Version::GetString+409934
12: 00007FF67C30B46E v8::PropertyDescriptor::writable+726222
13: 00007FF67C2E4F4D v8::PropertyDescriptor::writable+569261
14: 00007FF67C26BBD2 v8::PropertyDescriptor::writable+72754
15: 00007FF67C26BBD2 v8::PropertyDescriptor::writable+72754
16: 00007FF67C26BBD2 v8::PropertyDescriptor::writable+72754
17: 00007FF67C26BBD2 v8::PropertyDescriptor::writable+72754
18: 00007FF67C26BBD2 v8::PropertyDescriptor::writable+72754
19: 00007FF67C26BBD2 v8::PropertyDescriptor::writable+72754
20: 00007FF67C26BBD2 v8::PropertyDescriptor::writable+72754
21: 00007FF67C26BBD2 v8::PropertyDescriptor::writable+72754
22: 00007FF67C2697D0 v8::PropertyDescriptor::writable+63536
23: 00007FF67C2693CB v8::PropertyDescriptor::writable+62507
24: 00007FF67C110954 v8::Isolate::NumberOfHeapSpaces+2564
25: 00007FF67C1102A3 v8::Isolate::NumberOfHeapSpaces+851
26: 00007FF67C235724 v8::Function::Call+308
27: 00007FF67B469664 uv_loop_size+101860
28: 00007FF67C26DA18 v8::PropertyDescriptor::writable+80504
29: 00007FF67C26BBD2 v8::PropertyDescriptor::writable+72754
30: 00007FF67C26BBD2 v8::PropertyDescriptor::writable+72754
31: 00007FF67C26BBD2 v8::PropertyDescriptor::writable+72754
32: 00007FF67C26BBD2 v8::PropertyDescriptor::writable+72754
33: 00007FF67C26BBD2 v8::PropertyDescriptor::writable+72754
34: 00007FF67C26BBD2 v8::PropertyDescriptor::writable+72754
35: 00007FF67C26BBD2 v8::PropertyDescriptor::writable+72754
36: 00007FF67C26BBD2 v8::PropertyDescriptor::writable+72754
37: 00007FF67C2697D0 v8::PropertyDescriptor::writable+63536
38: 00007FF67C2693CB v8::PropertyDescriptor::writable+62507
39: 00007FF67C110954 v8::Isolate::NumberOfHeapSpaces+2564
40: 00007FF67C1102A3 v8::Isolate::NumberOfHeapSpaces+851
41: 00007FF67C235724 v8::Function::Call+308
42: 00007FF67B6077EA node::OnFatalError+138330
43: 00007FF67B557E76 node::TriggerNodeReport+23206
44: 00007FF67B62A5E2 node::Start+114
45: 00007FF67B62B05A node::Start+2794
46: 00007FF67B6B5E16 node::LoadEnvironment+310
47: 00007FF67B5922C6 DH_get0_priv_key+179190
48: 00007FF67B62B80B node::Start+4763
49: 00007FF67B62A597 node::Start+39
50: 00007FF67B36DD9C AES_cbc_encrypt+152524
51: 00007FF67CD39128 inflateValidate+20696
52: 00007FF8CDD6257D BaseThreadInitThunk+29
53: 00007FF8CE40AA48 RtlUserThreadStart+40
```
Additional information
I believe #53172 is the cause.
tsctx commented
Sorry, wrong PR to link
targos commented
Thanks for the report. I don't have the capacity to investigate and fix this, so I opened a revert PR.
joyeecheung commented
On a side note the stack trace looks a bit weird and I think this is similar to the incorrect backtrace I saw in #50849 (comment) cc @legendecas
legendecas commented
@joyeecheung thanks for the ping. I can reproduce the stack trace with the nightly build on Windows but can not reproduce the stack trace with a local build. I'll take a look at it.