| Summary: | RegExp.prototype[@@replace] doesn't coerce result index to integer | ||||||
|---|---|---|---|---|---|---|---|
| Product: | WebKit | Reporter: | Ross Kirsling <ross.kirsling> | ||||
| Component: | JavaScriptCore | Assignee: | Ross Kirsling <ross.kirsling> | ||||
| Status: | RESOLVED FIXED | ||||||
| Severity: | Normal | CC: | ews-watchlist, joepeck, keith_miller, mark.lam, msaboff, saam, tzagallo, webkit-bug-importer, ysuzuki | ||||
| Priority: | P2 | Keywords: | InRadar | ||||
| Version: | WebKit Nightly Build | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| See Also: | https://bugs.webkit.org/show_bug.cgi?id=173867 | ||||||
| Attachments: |
|
||||||
|
Description
Ross Kirsling
2020-03-19 18:13:11 PDT
Created attachment 394052 [details]
Patch
Comment on attachment 394052 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=394052&action=review r=me > Source/JavaScriptCore/ChangeLog:14 > + From https://tc39.es/ecma262/#sec-regexp.prototype-@@replace: > + 21.2.5.10 RegExp.prototype [ @@replace ] ( string, replaceValue ) > + ... > + 14. For each result in results, do > + ... > + e. Let position be ? ToInteger(? Get(result, "index")). > + f. Set position to max(min(position, lengthS), 0). Can you ensure that we do not need to change DFG / FTL too? (In reply to Yusuke Suzuki from comment #2) > Can you ensure that we do not need to change DFG / FTL too? Confirmed that this issue is limited to the @@replace built-in. Committed r258783: <https://trac.webkit.org/changeset/258783> All reviewed patches have been landed. Closing bug and clearing flags on attachment 394052 [details]. |