RESOLVED FIXED 246274
String.prototype.replace should not take fast path if the pattern is RegExp Object and the lastIndex is not numeric
https://bugs.webkit.org/show_bug.cgi?id=246274
EntryHi
Reported 2022-10-10 04:52:57 PDT
```
for (let i = 0; i < 3000; ++i) {
    let r = /abcd/;
    regexLastIndex = {};
    regexLastIndex.toString = function () {
        print(i)
        return "1";
    };
    r.lastIndex = regexLastIndex;
    "test".replace(r, "cons")
}
```

With the above script as input to JSC, run JSC with the following parameters:

./jsc test.js --useConcurrentJIT=0

This bug is similar to 191731, but they are different. The above js scripts should print 0-2999, but jsc only prints 0-2209.

In DFGBytecodeParser, replace is inlined into StringReplace node. In DFGStrengthReduction, StringReplace is converted to Identity. So after DFG, lastIndex is no longer read and updated. Therefore, regexLastIndex.toString is no longer invoked.
Karl Dubost
Comment 1 2022-10-13 03:07:42 PDT
Modified to run in the browser console.

```
for (let i = 0; i < 3000; ++i) {
    let r = /abcd/;
    regexLastIndex = {};
    regexLastIndex.toString = function () {
        console.log(i)
        return "1";
    };
    r.lastIndex = regexLastIndex;
    "test".replace(r, "cons")
}
```

Safari result is random.
Both Firefox and Chrome print until 2999.

Tested on macOS 13.0
---
Safari Technology Preview 155 18615.1.7.1
Firefox Nightly 107.0a1 10722.10.4
Google Chrome Canary 108.0.5355.0 5355.0
Radar WebKit Bug Importer
Comment 2 2022-10-13 05:28:55 PDT
Sosuke Suzuki
Comment 3 2024-02-22 10:51:10 PST
EWS
Comment 4 2024-02-23 13:29:32 PST
Committed 275255@main (3790f1e3cc0a): <https://commits.webkit.org/275255@main> Reviewed commits have been landed. Closing PR #24959 and removing active labels.
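
The following is an added example, not code from this bug report or from WebKit: a self-checking version of the reproduction that counts how often the `lastIndex` coercion runs instead of printing, so a JIT tier that drops the read shows up as a count mismatch. The helper names `countLastIndexCoercions` and `checkReplaceConformance` are hypothetical, and the example goes beyond the report's case by also checking a pattern that matches.

```javascript
// ECMAScript's RegExpBuiltinExec performs ToLength(Get(R, "lastIndex")) on every
// exec, even when the regex has neither the g nor the y flag. With an object as
// lastIndex, that coercion calls its toString, which makes the read observable.

function countLastIndexCoercions(iterations, makeRegExp) {
  let calls = 0;
  const results = new Set();
  for (let i = 0; i < iterations; ++i) {
    const r = makeRegExp();           // fresh RegExp each time, as in the report
    r.lastIndex = {
      toString() { calls++; return "1"; }
    };
    results.add("test".replace(r, "cons"));
  }
  return { calls, results: [...results] };
}

// Runs the non-matching case from the report and a matching case, and returns
// a list of human-readable failures (empty when the engine behaves per spec).
function checkReplaceConformance(iterations) {
  const cases = [
    { name: "no match (/abcd/)", make: () => /abcd/, expected: "test" },
    { name: "match (/es/)",      make: () => /es/,   expected: "tconst" },
  ];
  const failures = [];
  for (const c of cases) {
    const { calls, results } = countLastIndexCoercions(iterations, c.make);
    if (calls !== iterations) {
      failures.push(`${c.name}: toString ran ${calls} times, expected ${iterations}`);
    }
    if (results.length !== 1 || results[0] !== c.expected) {
      failures.push(`${c.name}: unexpected replace result ${JSON.stringify(results)}`);
    }
  }
  return failures;
}

// 3000 iterations matches the report; enough for the loop to reach optimizing tiers.
const failures = checkReplaceConformance(3000);
const log = typeof console !== "undefined" ? console.log : print; // jsc shell has print
log(failures.length === 0 ? "PASS" : failures.join("\n"));
```
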