src: fix crash when lazy getter is invoked in a vm context

V8 should invoke native functions in their creation context,
preventing dynamic context by the caller. However, the lazy getter is
not invoked in the creation context and leads to a null realm. Before
V8 fixes this issue, retrieve the creation context via `this`
argument.

Author: legendecas

src/node_errors.h

@@ -84,6 +84,7 @@ void OOMErrorHandler(const char* location, const v8::OOMDetails& details);
   V(ERR_INVALID_ARG_TYPE, TypeError)                                           \
   V(ERR_INVALID_FILE_URL_HOST, TypeError)                                      \
   V(ERR_INVALID_FILE_URL_PATH, TypeError)                                      \
+  V(ERR_INVALID_INVOCATION, TypeError)                                         \
   V(ERR_INVALID_PACKAGE_CONFIG, Error)                                         \
   V(ERR_INVALID_OBJECT_DEFINE_PROPERTY, TypeError)                             \
   V(ERR_INVALID_MODULE, Error)                                                 \
@@ -201,6 +202,7 @@ ERRORS_WITH_CODE(V)
     "Context not associated with Node.js environment")                         \
   V(ERR_ILLEGAL_CONSTRUCTOR, "Illegal constructor")                            \
   V(ERR_INVALID_ADDRESS, "Invalid socket address")                             \
+  V(ERR_INVALID_INVOCATION, "Invalid invocation")                              \
   V(ERR_INVALID_MODULE, "No such module")                                      \
   V(ERR_INVALID_STATE, "Invalid state")                                        \
   V(ERR_INVALID_THIS, "Value of \"this\" is the wrong type")                   \

src/node_util.cc

@@ -350,9 +350,24 @@ static void IsInsideNodeModules(const FunctionCallbackInfo<Value>& args) {
 
 static void DefineLazyPropertiesGetter(
     Local<v8::Name> name, const v8::PropertyCallbackInfo<Value>& info) {
-  Realm* realm = Realm::GetCurrent(info);
-  Isolate* isolate = realm->isolate();
-  auto context = isolate->GetCurrentContext();
+  Isolate* isolate = info.GetIsolate();
+  // This getter is not invoked in the creation context. When this getter
+  // is invoked in a vm context, the `Realm::GetCurrent(info)` returns a
+  // nullptr and. Retrieve the creation context via `this` object and
+  // get the creation Realm.
+  Local<Value> receiver_val = info.This();
+  if (!receiver_val->IsObject()) {
+    THROW_ERR_INVALID_INVOCATION(isolate);
+    return;
+  }
+  Local<Object> receiver = receiver_val.As<Object>();
+  Local<Context> context;
+  if (!receiver->GetCreationContext().ToLocal(&context)) {
+    THROW_ERR_INVALID_INVOCATION(isolate);
+    return;
+  }
+
+  Realm* realm = Realm::GetCurrent(context);
   Local<Value> arg = info.Data();
   Local<Value> require_result;
   if (!realm->builtin_module_require()
@@ -368,6 +383,7 @@ static void DefineLazyPropertiesGetter(
   }
   info.GetReturnValue().Set(ret);
 }
+
 static void DefineLazyProperties(const FunctionCallbackInfo<Value>& args) {
   // target: object, id: string, keys: string[][, enumerable = true]
   CHECK_GE(args.Length(), 3);

test/parallel/test-vm-util-lazy-properties.js

@@ -0,0 +1,31 @@
+'use strict';
+require('../common');
+
+const vm = require('node:vm');
+const util = require('node:util');
+const assert = require('node:assert');
+
+// This verifies that invoking property getters defined with
+// `require('internal/util').defineLazyProperties` does not crash
+// the process.
+// V8 should invoke native functions in their creation context,
+// preventing dynamic context by the caller. However, the lazy getter is
+// not invoked in the creation context and leads to a null realm. Before
+// V8 fixes this issue, retrieve the creation context via `this`
+// argument.
+
+const ctx = vm.createContext();
+const getter = vm.runInContext(`
+  function getter(object, property) {
+    return object[property];
+  }
+  getter;
+`, ctx);
+
+// `util.parseArgs` is a lazy property.
+const parseArgs = getter(util, 'parseArgs');
+assert.strictEqual(parseArgs, util.parseArgs);
+
+// `globalThis.TextEncoder` is a lazy property.
+const TextEncoder = getter(globalThis, 'TextEncoder');
+assert.strictEqual(TextEncoder, globalThis.TextEncoder);