Bug 14244

Summary: Data corruption when using a replace() callback function with data containing "$"
Product: WebKit
Reporter: Steven Levithan <steves_list>
Component: JavaScriptCore
Assignee: Nobody <webkit-unassigned>
Severity: Normal
CC: mrowe
Priority: P2
Version: 523.x (Safari 3)
Hardware: PC
OS: Windows XP
URL: http://blog.stevenlevithan.com/javascript/commafy-numbers/
Description Flags
Test case
Patch mitz: review+

Description Steven Levithan 2007-06-20 13:42:40 PDT
When using a function for the replacement argument with the String.replace() method, the returned data is somehow returned incorrectly if it contains a dollar sign ("$") followed by a number for which there is a corresponding capturing group in the regular expression pattern being searched for. This corruption does not directly result from the regular expression or any other JavaScript code being run over the data.

Here's reduced code to reproduce the bug:

var str = '$1';
alert(str.replace(/(\D)(\d)/g, function($0){return $0;}));

Values to set for str, and the results:

- '$1' (as shown above) incorrectly returns just $.
- '$2' incorrectly returns just 2.
- Other values correctly result in the entire, original test string being returned.
Comment 1 Mark Rowe (bdash) 2007-06-20 14:18:56 PDT
Created attachment 15146 [details]
Test case
Comment 2 Mark Rowe (bdash) 2007-06-20 14:19:35 PDT
Confirmed.  I can reproduce this on Safari 2.0.r and 3 beta on Mac.
Comment 3 Mark Rowe (bdash) 2007-06-20 14:21:24 PDT
I have a fix for this in my tree, I just need to write up some test cases to better cover the expected behaviours.
Comment 4 Mark Rowe (bdash) 2007-06-20 16:23:14 PDT
Created attachment 15149 [details]
Comment 5 mitz 2007-06-20 16:43:47 PDT
Comment on attachment 15149 [details]

Comment 6 Mark Rowe (bdash) 2007-06-20 17:00:36 PDT
Landed in r23675.  Thanks for the bug report!
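
A conformance check built from the reduced case in the description, as an added example that is not part of the original report or of WebKit's own tests. It contrasts the callback form, whose return value must be inserted verbatim, with the string form, where `$1` and `$2` are expanded. The inputs beyond `'$1'` and `'$2'` and the helper `replaceLiteral` are assumptions made for illustration.

```javascript
// Added example (not WebKit code). Replacement patterns such as $1, $2, $&
// are expanded only when the replacement argument is a string; a callback's
// return value must be inserted verbatim.

const PATTERN = /(\D)(\d)/g; // regex from the report: two capturing groups

// The report's reduced case: identity callback, output must equal input.
function identityReplace(input) {
  return input.replace(PATTERN, function ($0) { return $0; });
}

// The same text passed as a *string* replacement, where $n is expanded.
function stringReplace(input, replacement) {
  return input.replace(PATTERN, replacement);
}

// Constructed inputs; '$1' and '$2' are the two failing values in the report.
const CASES = ['$1', '$2', '$3', 'a1$2', '$$1', 'x9'];

// Returns the inputs that the identity callback fails to round-trip.
function findCorruptedCases() {
  return CASES.filter(function (s) { return identityReplace(s) !== s; });
}

// Hypothetical helper: insert untrusted text literally by routing it through
// a callback, so "$1" or "$&" inside it is never treated as a pattern.
function replaceLiteral(text, regex, untrusted) {
  return text.replace(regex, function () { return String(untrusted); });
}

console.log('corrupted inputs:', findCorruptedCases());
console.log(JSON.stringify(stringReplace('$1', '$1')));
console.log(JSON.stringify(stringReplace('$2', '$2')));
console.log(replaceLiteral('price: X', /X/, '$& and $1'));
```

On a conforming engine `findCorruptedCases()` is empty. The string-form results for `'$1'` and `'$2'` are `$` and `2`, the same values the report lists as the incorrect callback output.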