### Version: d940b47 ### Testcase: var NISLFuzzingFunc = function () { var a = function (r) { return this[r]; }; print(a()); var b = 'A@B#C$D.E'.replace(/([^A-Z])/g, a); print(b); }; NISLFuzzingFunc(); ### Command: ./webkit/WebKitBuild/Release/bin/jsc testcase.js ### Output: undefined AundefinedBundefinedC[object Object]DundefinedE ### Expected output: undefined AundefinedBundefinedCundefinedDundefinedE ### Description: For String.prototype.replace (searchValue, replaceValue ), if the second parameter is a function, the matched string should be replaced with the return value of this function. When executing this test case, "$" should also be replaced with the return value of the function(undefined), but javascriptCore replaced it with [object Object]. I think this may be a bug of javascriptCore. Contributor:Wen Yi
<rdar://problem/64550276>
(In reply to NWU_NISL from comment #0) > ### Description: > For String.prototype.replace (searchValue, replaceValue ), if the second > parameter is a function, the matched string should be replaced with the > return value of this function. When executing this test case, "$" should > also be replaced with the return value of the function(undefined), but > javascriptCore replaced it with [object Object]. I think this may be a bug > of javascriptCore. "$" is substituted with the value of `globalThis.$`, which is exposed to JSC shell (we use it in JSTests/stress), but not to the web. If provided test case is executed in Chrome DevTools, "$" is also substituted with `document.querySelector` helper.