Overriding Object.prototype.get in a vm context causes a crash.

[JoelEinbinder]

What steps will reproduce the bug?

const vm = require('vm');
const ctx = vm.createContext({});
vm.runInContext(`Object.prototype.get = 4; x = 3;`, ctx);

How often does it reproduce? Is there a required condition?

Every time

What is the expected behavior? Why is that the expected behavior?

Not a crash

What do you see instead?

FATAL ERROR: v8::NamedPropertyDescriptorCallback Invalid property descriptor.
----- Native stack trace -----

 1: 0x104aab650 node::OnFatalError(char const*, char const*)
 2: 0x104ca9508 v8::Utils::ReportApiFailure(char const*, char const*)
 3: 0x1051ab3e0 v8::internal::JSReceiver::GetOwnPropertyDescriptor(v8::internal::LookupIterator*, v8::internal::PropertyDescriptor*)
 4: 0x10523d4c4 v8::internal::Object::SetSuperProperty(v8::internal::LookupIterator*, v8::internal::DirectHandle<v8::internal::Object>, v8::internal::StoreOrigin, v8::Maybe<v8::internal::ShouldThrow>)
 5: 0x10523ca40 v8::internal::Object::SetProperty(v8::internal::LookupIterator*, v8::internal::DirectHandle<v8::internal::Object>, v8::internal::StoreOrigin, v8::Maybe<v8::internal::ShouldThrow>)
 6: 0x104fbb028 v8::internal::StoreIC::Store(v8::internal::Handle<v8::internal::Union<v8::internal::Smi, v8::internal::HeapNumber, v8::internal::BigInt, v8::internal::String, v8::internal::Symbol, v8::internal::Boolean, v8::internal::Null, v8::internal::Undefined, v8::internal::JSReceiver>>, v8::internal::Handle<v8::internal::Name>, v8::internal::DirectHandle<v8::internal::Object>, v8::internal::StoreOrigin)
 7: 0x104fba650 v8::internal::StoreGlobalIC::Store(v8::internal::Handle<v8::internal::Name>, v8::internal::DirectHandle<v8::internal::Object>)
 8: 0x104fbea64 v8::internal::Runtime_StoreGlobalICNoFeedback_Miss(int, unsigned long*, v8::internal::Isolate*)
 9: 0x1059c1f74 Builtins_CEntry_Return1_ArgvOnStack_NoBuiltinExit
10: 0x105aa313c Builtins_StaGlobalHandler
11: 0x105924bec Builtins_InterpreterEntryTrampoline
12: 0x1059228cc Builtins_JSEntryTrampoline
13: 0x105922570 Builtins_JSEntry
14: 0x104e4bb1c v8::internal::(anonymous namespace)::Invoke(v8::internal::Isolate*, v8::internal::(anonymous namespace)::InvokeParams const&)
15: 0x104e4c0e0 v8::internal::Execution::CallScript(v8::internal::Isolate*, v8::internal::DirectHandle<v8::internal::JSFunction>, v8::internal::DirectHandle<v8::internal::Object>, v8::internal::DirectHandle<v8::internal::Object>)
16: 0x104caf7b8 v8::Script::Run(v8::Local<v8::Context>, v8::Local<v8::Data>)
17: 0x104a97e28 node::contextify::ContextifyScript::EvalMachine(v8::Local<v8::Context>, node::Environment*, long long, bool, bool, bool, v8::MicrotaskQueue*, v8::FunctionCallbackInfo<v8::Value> const&)
18: 0x104a977cc node::contextify::ContextifyScript::RunInContext(v8::FunctionCallbackInfo<v8::Value> const&)
19: 0x105926818 Builtins_CallApiCallbackGeneric
20: 0x105924bec Builtins_InterpreterEntryTrampoline
21: 0x105924bec Builtins_InterpreterEntryTrampoline
22: 0x105924bec Builtins_InterpreterEntryTrampoline
23: 0x105924bec Builtins_InterpreterEntryTrampoline
24: 0x105924bec Builtins_InterpreterEntryTrampoline
25: 0x105924bec Builtins_InterpreterEntryTrampoline
26: 0x105924bec Builtins_InterpreterEntryTrampoline
27: 0x105924bec Builtins_InterpreterEntryTrampoline
28: 0x105924bec Builtins_InterpreterEntryTrampoline
29: 0x105924bec Builtins_InterpreterEntryTrampoline
30: 0x105924bec Builtins_InterpreterEntryTrampoline
31: 0x1059228cc Builtins_JSEntryTrampoline
32: 0x105922570 Builtins_JSEntry
33: 0x104e4bb1c v8::internal::(anonymous namespace)::Invoke(v8::internal::Isolate*, v8::internal::(anonymous namespace)::InvokeParams const&)
34: 0x104e4b480 v8::internal::Execution::Call(v8::internal::Isolate*, v8::internal::DirectHandle<v8::internal::Object>, v8::internal::DirectHandle<v8::internal::Object>, v8::base::Vector<v8::internal::DirectHandle<v8::internal::Object> const>)
35: 0x104cc1330 v8::Function::Call(v8::Isolate*, v8::Local<v8::Context>, v8::Local<v8::Value>, int, v8::Local<v8::Value>*)
36: 0x104a84c58 node::builtins::BuiltinLoader::CompileAndCall(v8::Local<v8::Context>, char const*, node::Realm*)
37: 0x104b4b448 node::Realm::ExecuteBootstrapper(char const*)
38: 0x104a62204 node::StartExecution(node::Environment*, char const*)
39: 0x104a62158 node::StartExecution(node::Environment*, std::__1::function<v8::MaybeLocal<v8::Value> (node::StartExecutionCallbackInfo const&)>)
40: 0x1049b1750 node::LoadEnvironment(node::Environment*, std::__1::function<v8::MaybeLocal<v8::Value> (node::StartExecutionCallbackInfo const&)>, std::__1::function<void (node::Environment*, v8::Local<v8::Value>, v8::Local<v8::Value>)>)
41: 0x104aff124 node::NodeMainInstance::Run()
42: 0x104a65934 node::Start(int, char**)
43: 0x19ef52b98 start

Additional information

Happens on all versions of nodejs I tested (22.15.1, 24.10.0, 25.0.0).

[ChALkeR]

node -e "require('vm').runInNewContext('Object.prototype.get = 4; x = 3;')"

Since 18.0.0
Does not happen on 16.x or 17.x

[theanarkh]

The value of getter in descriptor object(return by ContextifyContext::PropertyDescriptorCallback) is not a function.

If get is a function V8 will throw another error which causes crash.