Import of data url leads to crash

[jleedev]

Version

v19.0.1

Platform

Linux instance-1 5.19.0-0.deb11.2-cloud-arm64 #1 SMP Debian 5.19.11-1~bpo11+1 (2022-10-03) aarch64 GNU/Linux

Subsystem

No response

What steps will reproduce the bug?

> m=()=>import(`data:text/javascript,`)
[Function: m]
> await m()
Segmentation fault (core dumped)

How often does it reproduce? Is there a required condition?

Sometimes happens on the first call, sometimes takes a few repeated calls of the statement above.

What is the expected behavior?

No response

What do you see instead?

Crashes here:

Thread 1 "node" received signal SIGSEGV, Segmentation fault.
0x0000000000b6da2c in node::loader::ImportModuleDynamically(v8::Local<v8::Context>, v8::Local<v8::Data>, v8::Local<v8::Value>, v8::Local<v8::String>, v8::Local<v8::FixedArray>) ()
(gdb) where

Specifically on this line where the value is not found in the map:

node/src/module_wrap.cc

Line 594 in 6ac3a22

contextify::ContextifyScript* wrap = env->id_to_script_map.find(id)->second;

Additional information

No response

[aduh95]

I'm not able to reproduce on macOS:

$ node
Welcome to Node.js v19.0.1.
Type ".help" for more information.
>  m=()=>import(`data:text/javascript,`)
[Function: m]
> await m()
[Module: null prototype] {  }
> .exit

[aduh95]

Oh wait, I'm actially able to reproduce when I remove the space at the start of the line that assigns m:

$ node
Welcome to Node.js v19.0.1.
Type ".help" for more information.
> m=()=>import(`data:text/javascript,`)
[Function: m]
> await m()
[1]    11470 segmentation fault  node

Also, FWIW it reproduces without the await:

$ node --no-experimental-repl-await
Welcome to Node.js v19.0.1.
Type ".help" for more information.
> m=()=>import(`data:text/javascript,`)
[Function: m]
> m()
[1]    29893 segmentation fault  node --no-experimental-repl-await

[targos]

gdb doesn't show much info (debug build)

> m=()=>import(`data:text/javascript,`)
[New Thread 0x7fffe5ffb700 (LWP 2723058)]
[Thread 0x7fffe5ffb700 (LWP 2723058) exited]
[Function: m]
> await m()
[New Thread 0x7fffe5ffb700 (LWP 2724111)]

Thread 1 "node" received signal SIGSEGV, Segmentation fault.
node::loader::ImportModuleDynamically (context=..., host_defined_options=..., resource_name=..., specifier=...,
    import_assertions=...) at ../../src/module_wrap.cc:594
594         contextify::ContextifyScript* wrap = env->id_to_script_map.find(id)->second;
Missing separate debuginfos, use: yum debuginfo-install glibc-2.28-189.5.el8_6.x86_64 libgcc-8.5.0-10.1.el8_6.x86_64 libstdc++-8.5.0-10.1.el8_6.x86_64
(gdb) bt
#0  node::loader::ImportModuleDynamically (context=..., host_defined_options=..., resource_name=..., specifier=..., import_assertions=...) at ../../src/module_wrap.cc:594
#1  0x00000000017f3637 in v8::internal::Isolate::RunHostImportModuleDynamicallyCallback (this=this@entry=0x6a4abd0, maybe_referrer=..., specifier=..., specifier@entry=...,
    maybe_import_assertions_argument=..., maybe_import_assertions_argument@entry=...) at ../../deps/v8/include/v8-local-handle.h:180
#2  0x0000000001ea894d in v8::internal::__RT_impl_Runtime_DynamicImportCall (isolate=0x6a4abd0, args=...) at ../../deps/v8/src/handles/maybe-handles.h:38
#3  v8::internal::Runtime_DynamicImportCall (args_length=<optimized out>, args_object=<optimized out>, isolate=0x6a4abd0) at ../../deps/v8/src/runtime/runtime-module.cc:24
#4  0x0000000002437034 in Builtins_CEntry_Return1_DontSaveFPRegs_ArgvInRegister_NoBuiltinExit () at ../../deps/v8/src/builtins/torque-internal.tq:101
#5  0x000000000250ef51 in Builtins_CallRuntimeHandler () at ../../deps/v8/src/builtins/torque-internal.tq:101
#6  0x00000000023a52dc in Builtins_InterpreterEntryTrampoline () at ../../deps/v8/src/builtins/torque-internal.tq:236
#7  0x000009fe435c4699 in ?? ()
#8  0x000007a74c9c1e49 in ?? ()
#9  0x0000003b00000000 in ?? ()
#10 0x000009fe435f2f69 in ?? ()
#11 0x0000000000000001 in ?? ()
#12 0x000007a74c9c1e49 in ?? ()
#13 0x00001d250a2c1141 in ?? ()
#14 0x00007fffffff80d8 in ?? ()
#15 0x00000000023a52dc in Builtins_InterpreterEntryTrampoline () at ../../deps/v8/src/builtins/torque-internal.tq:236
#16 0x00001d250a2c1121 in ?? ()
#17 0x00002d70b8d015a9 in ?? ()
#18 0x000007a74c9c1e49 in ?? ()
#19 0x000015588bd5e039 in ?? ()
#20 0x00001d250a2c1141 in ?? ()
#21 0x000015588bd5dfe1 in ?? ()
#22 0x0000005000000000 in ?? ()
#23 0x000009fe435f2d31 in ?? ()
#24 0x0000000000000001 in ?? ()
#25 0x000015588bd5dce9 in ?? ()
#26 0x00001d250a2c1141 in ?? ()
#27 0x00007fffffff8128 in ?? ()
#28 0x00000000023a52dc in Builtins_InterpreterEntryTrampoline () at ../../deps/v8/src/builtins/torque-internal.tq:236
#29 0x00001d250a2c1121 in ?? ()
#30 0x000015588bd5dce9 in ?? ()
#31 0x00002d70b8d015a9 in ?? ()
#32 0x0000003a00000000 in ?? ()
#33 0x000009fe435f2c39 in ?? ()
#34 0x0000000000000002 in ?? ()
#35 0x000009fe435f2e41 in ?? ()
#36 0x00001d250a2c1141 in ?? ()
#37 0x00007fffffff8158 in ?? ()
#38 0x00000000023a34dc in Builtins_JSEntryTrampoline () at ../../deps/v8/src/objects/contexts.tq:201
#39 0x00001d250a2c1121 in ?? ()
#40 0x000015588bd5d981 in ?? ()
#41 0x000009fe435f2e41 in ?? ()
#42 0x000000000000002c in ?? ()
#43 0x00007fffffff81c0 in ?? ()
#44 0x00000000023a3203 in Builtins_JSEntry () at ../../deps/v8/src/objects/contexts.tq:201
Backtrace stopped: previous frame inner to this frame (corrupt stack?)

[jleedev]

I was able to add a CHECK fail similar to the one a few lines below:

auto it = env->id_to_function_map.find(id);
CHECK_NE(it, env->id_to_function_map.end());

I don't know enough to say but I guess that the script is being garbage collected and the caller held a weak reference and passed the stale id.

[dnalborczyk]

Looks like a duplicate of multiple issues which have been filed over time.

#44438
#43205
#43681

possibly be fixed with: #44923 @legendecas

[jleedev]

Appears to be fixed in v21.0.0-nightly202309156a489df73b

[legendecas]

This should be able to be fixed by #48510.