Bug 213023 - An issue about String.prototype.replace
Summary: An issue about String.prototype.replace
Status: RESOLVED DUPLICATE of bug 205785
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: WebKit Local Build
Hardware: PC Linux
: P2 Normal
Assignee: Yusuke Suzuki
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2020-06-10 07:07 PDT by NWU_NISL
Modified: 2020-06-12 02:10 PDT (History)
4 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description NWU_NISL 2020-06-10 07:07:02 PDT 
According to ES10.0, "String.prototype.replace(searchValue,replaceValue)" will return a new string which matches of "searchValue" is replaced by "replaceValue". But when "relpaceValue" is a string with "$<" and "searchValue" is "/a/", the result is wrong. This is an issue of "String.prototype.replace".

#### version
d940b47


#### command
webkit/WebKitBuild/Release/bin/jsc testcase.js


#### testcase
var NISLFuzzingFunc = function(){
    var result = "a".replace(/a/,"AAAA$<AAAA");
    print(result);
};
NISLFuzzingFunc();


#### output
$<AAAA


#### expected output
AAAA$<AAAA


Contributor:Yuan Wang
Comment 1 Radar WebKit Bug Importer 2020-06-11 18:07:00 PDT 
<rdar://problem/64278675>
Comment 2 Alexey Shvayka 2020-06-12 02:10:54 PDT 
(In reply to NWU_NISL from comment #0)
> #### version
> d940b47

This appears to be GitHub WebKit mirror commit hash (rather than git-svn): https://github.com/WebKit/webkit/commit/d940b477848884f63752d25491d9dd0b9d3ccb2d, which points to r246052 (Jun 3, 2019).

> #### expected output
> AAAA$<AAAA

The issue was fixed in r254088 (Jan 6, 2020): I've confirmed that JSC outputs expected "AAAA$<AAAA" since this revision, yet "$<AAAA" before it.

*** This bug has been marked as a duplicate of bug 205785 ***