244196 2022-08-22 04:27:04 -0700 String.prototype.includes incorrectly returns false when string is empty and position is past end of string 2022-09-09 12:47:02 -0700 1 1 1 Unclassified WebKit JavaScriptCore WebKit Local Build All All RESOLVED FIXED https://bugs.webkit.org/show_bug.cgi?id=144314 InRadar P2 Normal --- 1 entryhii darin darin mark.lam saam webkit-bug-importer ysuzuki oldest_to_newest 1892934 0 entryhii 2022-08-22 04:27:04 -0700 function foo(n) { return ("aaa").includes("", n) } noInline(foo); for (var m = 0; m < 200; ++m) { print(foo(m)); } With the above script as input to JSC, run JSC with the following parameters: ./jsc test.js --useConcurrentJIT=0 --jitPolicyScale=1 According to ECMAScript Language Specification, when the first parameter of String.prototype.includes is empty, the result should be true regardless of whether the second parameter is greater than length. However, JSC prints false when n exceeds length. The problem is in StringPrototype.cpp stringIncluesImpl. When positionArg is Int32, it should be clamped. Otherwise, the function findCommon will return notFound and the final result will be false. 1892971 1 ap 2022-08-22 08:48:07 -0700 On macOS, this prints 4x "true" and 196x "false". 1892979 2 darin 2022-08-22 09:03:59 -0700 The suggested change sounds OK. There are other ways to fix it as well. Makes sense that JavaScript calls for this behavior, since it's consistent with indexOf. I am surprised this is not covered by Test262. Maybe this function is too new? It looks like the startsWith and endsWith implementations may have a similar bug. 1894482 3 webkit-bug-importer 2022-08-29 04:28:16 -0700 <rdar://problem/99271518> 1897326 4 darin 2022-09-09 11:40:11 -0700 Pull request: https://github.com/WebKit/WebKit/pull/4180 1897363 5 ews-feeder 2022-09-09 12:46:59 -0700 Committed 254319@main (ebf196ed5724): <https://commits.webkit.org/254319@main> Reviewed commits have been landed. Closing PR #4180 and removing active labels.