RESOLVED FIXED 173867
RegExp.prototype[@@replace] relies on globals and doesn't perform ToLength 
https://bugs.webkit.org/show_bug.cgi?id=173867
Summary RegExp.prototype[@@replace] relies on globals and doesn't perform ToLength
Saam Barati
Reported 2017-06-26 23:38:25 PDT
...
Attachments
Patch (20.93 KB, patch)
2020-03-25 13:07 PDT, Alexey Shvayka 		no flags
DetailsFormatted DiffDiff
Patch (20.96 KB, patch)
2020-03-25 13:21 PDT, Alexey Shvayka 		no flags
DetailsFormatted DiffDiff
Patch (20.96 KB, patch)
2020-03-25 13:38 PDT, Alexey Shvayka 		no flags
DetailsFormatted DiffDiff
Patch (20.97 KB, patch)
2020-03-25 16:28 PDT, Alexey Shvayka 		no flags
DetailsFormatted DiffDiff
Show Obsolete (3) View All Add attachment proposed patch, testcase, etc.
Saam Barati
Comment 1 2017-06-27 14:23:15 PDT
I think this is observable.
Alexey Shvayka
Comment 2 2020-03-25 13:07:39 PDT
Created attachment 394532 [details] Patch
Alexey Shvayka
Comment 3 2020-03-25 13:21:53 PDT
Created attachment 394535 [details] Patch Add a few UNUSED_PARAM, drop extra JSC_HOST_CALL. I wonder if we need to ALWAYS_INLINE string*Impl()?
Ross Kirsling
Comment 4 2020-03-25 13:27:45 PDT
Comment on attachment 394535 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=394535&action=review > Source/JavaScriptCore/ChangeLog:14 > + b) Removes `lastPosition` checks/updates, as there are none in the spec, and it was > + equivalent to checking `nextSourcePosition`. Nice catch. I wondered about this in my earlier patch but evidently didn't think about it long enough to realize it wasn't helping at all.
Alexey Shvayka
Comment 5 2020-03-25 13:38:08 PDT
Created attachment 394541 [details] Patch Set correct 'length' of builtinStringSubstringInternal's JSFunction.
Ross Kirsling
Comment 6 2020-03-25 13:54:45 PDT
Comment on attachment 394541 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=394541&action=review > Source/JavaScriptCore/runtime/StringPrototype.cpp:1136 > + JSValue position = callFrame->argument(1); > + UNUSED_PARAM(position); > + ASSERT(position.isUndefined() || position.isNumber()); Here and below, if this is just for a non-release ASSERT, I suppose it'd be okay get the argument twice instead?
Alexey Shvayka
Comment 7 2020-03-25 16:28:54 PDT
Created attachment 394561 [details] Patch Drop UNUSED_PARAM.
EWS
Comment 8 2020-03-25 19:24:34 PDT
Committed r259029: <https://trac.webkit.org/changeset/259029> All reviewed patches have been landed. Closing bug and clearing flags on attachment 394561 [details].
Radar WebKit Bug Importer
Comment 9 2020-03-25 19:25:12 PDT
<rdar://problem/60900492>
Note You need to log in before you can comment on or make changes to this bug.