RESOLVED FIXED 209323
RegExp.prototype[@@replace] doesn't coerce result index to integer 
https://bugs.webkit.org/show_bug.cgi?id=209323
Summary RegExp.prototype[@@replace] doesn't coerce result index to integer
Ross Kirsling
Reported 2020-03-19 18:13:11 PDT
RegExp.prototype[@@replace] doesn't coerce result index to integer
Attachments
Patch (3.92 KB, patch)
2020-03-19 18:21 PDT, Ross Kirsling 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Ross Kirsling
Comment 1 2020-03-19 18:21:14 PDT
Created attachment 394052 [details] Patch
Yusuke Suzuki
Comment 2 2020-03-19 20:23:10 PDT
Comment on attachment 394052 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=394052&action=review r=me > Source/JavaScriptCore/ChangeLog:14 > + From https://tc39.es/ecma262/#sec-regexp.prototype-@@replace: > + 21.2.5.10 RegExp.prototype [ @@replace ] ( string, replaceValue ) > + ... > + 14. For each result in results, do > + ... > + e. Let position be ? ToInteger(? Get(result, "index")). > + f. Set position to max(min(position, lengthS), 0). Can you ensure that we do not need to change DFG / FTL too?
Ross Kirsling
Comment 3 2020-03-20 12:39:16 PDT
(In reply to Yusuke Suzuki from comment #2) > Can you ensure that we do not need to change DFG / FTL too? Confirmed that this issue is limited to the @@replace built-in.
EWS
Comment 4 2020-03-20 13:20:03 PDT
Committed r258783: <https://trac.webkit.org/changeset/258783> All reviewed patches have been landed. Closing bug and clearing flags on attachment 394052 [details].
Radar WebKit Bug Importer
Comment 5 2020-03-20 13:21:16 PDT
<rdar://problem/60701752>
Note You need to log in before you can comment on or make changes to this bug.