| Summary: | A possible bug of String.prototype.replace | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | NWU_NISL <nisl_grammarly1> |
| Component: | JavaScriptCore | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED WONTFIX | ||
| Severity: | Normal | CC: | ashvayka, fpizlo, keith_miller, msaboff, saam, webkit-bug-importer, ysuzuki |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | ||
| Hardware: | PC | ||
| OS: | Linux | ||
(In reply to NWU_NISL from comment #0) > ### Description: > For String.prototype.replace (searchValue, replaceValue ), if the second > parameter is a function, the matched string should be replaced with the > return value of this function. When executing this test case, "$" should > also be replaced with the return value of the function(undefined), but > javascriptCore replaced it with [object Object]. I think this may be a bug > of javascriptCore. "$" is substituted with the value of `globalThis.$`, which is exposed to JSC shell (we use it in JSTests/stress), but not to the web. If provided test case is executed in Chrome DevTools, "$" is also substituted with `document.querySelector` helper. |
### Version: d940b47 ### Testcase: var NISLFuzzingFunc = function () { var a = function (r) { return this[r]; }; print(a()); var b = 'A@B#C$D.E'.replace(/([^A-Z])/g, a); print(b); }; NISLFuzzingFunc(); ### Command: ./webkit/WebKitBuild/Release/bin/jsc testcase.js ### Output: undefined AundefinedBundefinedC[object Object]DundefinedE ### Expected output: undefined AundefinedBundefinedCundefinedDundefinedE ### Description: For String.prototype.replace (searchValue, replaceValue ), if the second parameter is a function, the matched string should be replaced with the return value of this function. When executing this test case, "$" should also be replaced with the return value of the function(undefined), but javascriptCore replaced it with [object Object]. I think this may be a bug of javascriptCore. Contributor:Wen Yi