RESOLVED WONTFIX213371
A possible bug of String.prototype.replace 
https://bugs.webkit.org/show_bug.cgi?id=213371
Summary A possible bug of String.prototype.replace
NWU_NISL
Reported 2020-06-19 04:24:28 PDT
### Version: d940b47 ### Testcase: var NISLFuzzingFunc = function () { var a = function (r) { return this[r]; }; print(a()); var b = 'A@B#C$D.E'.replace(/([^A-Z])/g, a); print(b); }; NISLFuzzingFunc(); ### Command: ./webkit/WebKitBuild/Release/bin/jsc testcase.js ### Output: undefined AundefinedBundefinedC[object Object]DundefinedE ### Expected output: undefined AundefinedBundefinedCundefinedDundefinedE ### Description: For String.prototype.replace (searchValue, replaceValue ), if the second parameter is a function, the matched string should be replaced with the return value of this function. When executing this test case, "$" should also be replaced with the return value of the function(undefined), but javascriptCore replaced it with [object Object]. I think this may be a bug of javascriptCore. Contributor:Wen Yi
Attachments
Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2020-06-19 17:21:55 PDT
<rdar://problem/64550276>
Alexey Shvayka
Comment 2 2020-06-30 09:03:22 PDT
(In reply to NWU_NISL from comment #0) > ### Description: > For String.prototype.replace (searchValue, replaceValue ), if the second > parameter is a function, the matched string should be replaced with the > return value of this function. When executing this test case, "$" should > also be replaced with the return value of the function(undefined), but > javascriptCore replaced it with [object Object]. I think this may be a bug > of javascriptCore. "$" is substituted with the value of `globalThis.$`, which is exposed to JSC shell (we use it in JSTests/stress), but not to the web. If provided test case is executed in Chrome DevTools, "$" is also substituted with `document.querySelector` helper.
Note You need to log in before you can comment on or make changes to this bug.