According to ES10.0, "String.prototype.replace(searchValue,replaceValue)" will return a new string in which matches of "searchValue" are replaced by "replaceValue". But when "replaceValue" is a string with "$<" and "searchValue" is "/a/", the result is wrong. This is an issue of "String.prototype.replace".

#### version
d940b47

#### command
webkit/WebKitBuild/Release/bin/jsc testcase.js

#### testcase
var NISLFuzzingFunc = function(){
    var result = "a".replace(/a/,"AAAA$<AAAA");
    print(result);
};
NISLFuzzingFunc();

#### output
$<AAAA

#### expected output
AAAA$<AAAA

Contributor: Yuan Wang
<rdar://problem/64278675>
(In reply to NWU_NISL from comment #0)
> #### version
> d940b47

This appears to be a GitHub WebKit mirror commit hash (rather than git-svn): https://github.com/WebKit/webkit/commit/d940b477848884f63752d25491d9dd0b9d3ccb2d, which points to r246052 (Jun 3, 2019).

> #### expected output
> AAAA$<AAAA

The issue was fixed in r254088 (Jan 6, 2020): I've confirmed that JSC outputs the expected "AAAA$<AAAA" since this revision, yet "$<AAAA" before it.

*** This bug has been marked as a duplicate of bug 205785 ***
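A differential check for the behaviour reported in this bug, added here as an example and not taken from the report or from WebKit: it compares the engine's native `replace` against a small reference expansion of the replacement template, and goes beyond the single testcase to cover the other `$<` cases. The names `expandTemplate`, `referenceReplace`, `checkEngine` and `CASES` are hypothetical, and `console.log` is assumed to be available (Node.js or a similar shell).

```javascript
// Added example: reference expansion of a replacement template per the ECMAScript
// GetSubstitution rules for $$, $&, $`, $' and $<name>; $1..$99 are not handled.
function expandTemplate(template, matched, str, position, namedCaptures) {
  let out = "";
  for (let i = 0; i < template.length; i++) {
    const next = template[i + 1];
    if (template[i] !== "$" || next === undefined) { out += template[i]; continue; }
    if (next === "$") { out += "$"; i++; }
    else if (next === "&") { out += matched; i++; }
    else if (next === "`") { out += str.slice(0, position); i++; }
    else if (next === "'") { out += str.slice(position + matched.length); i++; }
    else if (next === "<") {
      // Without named groups, or without a closing ">", "$<" is literal text.
      const close = namedCaptures === undefined ? -1 : template.indexOf(">", i + 2);
      if (close === -1) { out += "$<"; i++; continue; }
      const value = namedCaptures[template.slice(i + 2, close)];
      out += value === undefined ? "" : String(value); // unknown name -> ""
      i = close;
    } else { out += "$"; }
  }
  return out;
}

// First-match replacement built on the reference expansion (non-global regex).
function referenceReplace(str, regex, template) {
  const m = regex.exec(str);
  if (m === null) return str;
  return str.slice(0, m.index) + expandTemplate(template, m[0], str, m.index, m.groups) +
    str.slice(m.index + m[0].length);
}

// Constructed cases; the first is the testcase from the report.
const CASES = [
  ["a", /a/, "AAAA$<AAAA"],      // no named groups: "$<" stays literal
  ["a", /a/, "$<x>"],            // no named groups: "$<x>" stays literal
  ["a", /(?<x>a)/, "[$<x>]"],    // named group substituted
  ["a", /(?<x>a)/, "[$<y>]"],    // unknown group name expands to ""
  ["a", /(?<x>a)/, "[$<x]"],     // no closing ">": literal
  ["xay", /a/, "$`$&$'$$"],      // the other non-numeric patterns
];

// Returns the cases where the engine's native replace differs from the reference.
function checkEngine(cases) {
  return cases.map(([str, regex, template]) => ({ template,
    expected: referenceReplace(str, regex, template), actual: str.replace(regex, template),
  })).filter((r) => r.expected !== r.actual);
}

console.log(checkEngine(CASES));
```

An empty array means the engine agrees with the reference on every case; on a build with the behaviour reported above, the first case would be listed with `actual` set to "$<AAAA".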