Bug 213023

Summary: An issue about String.prototype.replace
Product: WebKit Reporter: NWU_NISL <nisl_grammarly1>
Component: JavaScriptCoreAssignee: Yusuke Suzuki <ysuzuki>
Status: RESOLVED DUPLICATE    
Severity: Normal CC: ashvayka, fpizlo, webkit-bug-importer, ysuzuki
Priority: P2 Keywords: InRadar
Version: WebKit Local Build   
Hardware: PC   
OS: Linux   

Description NWU_NISL 2020-06-10 07:07:02 PDT 
According to ES10.0, "String.prototype.replace(searchValue,replaceValue)" will return a new string which matches of "searchValue" is replaced by "replaceValue". But when "relpaceValue" is a string with "$<" and "searchValue" is "/a/", the result is wrong. This is an issue of "String.prototype.replace".

#### version
d940b47


#### command
webkit/WebKitBuild/Release/bin/jsc testcase.js


#### testcase
var NISLFuzzingFunc = function(){
    var result = "a".replace(/a/,"AAAA$<AAAA");
    print(result);
};
NISLFuzzingFunc();


#### output
$<AAAA


#### expected output
AAAA$<AAAA


Contributor:Yuan Wang
Comment 1 Radar WebKit Bug Importer 2020-06-11 18:07:00 PDT 
<rdar://problem/64278675>
Comment 2 Alexey Shvayka 2020-06-12 02:10:54 PDT 
(In reply to NWU_NISL from comment #0)
> #### version
> d940b47

This appears to be GitHub WebKit mirror commit hash (rather than git-svn): https://github.com/WebKit/webkit/commit/d940b477848884f63752d25491d9dd0b9d3ccb2d, which points to r246052 (Jun 3, 2019).

> #### expected output
> AAAA$<AAAA

The issue was fixed in r254088 (Jan 6, 2020): I've confirmed that JSC outputs expected "AAAA$<AAAA" since this revision, yet "$<AAAA" before it.

*** This bug has been marked as a duplicate of bug 205785 ***