[Webkit-unassigned] [Bug 213371] New: A possible bug of String.prototype.replace

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Jun 19 04:24:28 PDT 2020


https://bugs.webkit.org/show_bug.cgi?id=213371

            Bug ID: 213371
           Summary: A possible bug of String.prototype.replace
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: nisl_grammarly1 at 163.com

### Version: d940b47

### Testcase:
var NISLFuzzingFunc = function () {
    var a =  function (r) {
        return this[r];
    };
    print(a());
    var b = 'A@B#C$D.E'.replace(/([^A-Z])/g, a);
    print(b);
};
NISLFuzzingFunc();

### Command:
./webkit/WebKitBuild/Release/bin/jsc testcase.js

### Output:
undefined
AundefinedBundefinedC[object Object]DundefinedE

### Expected output:
undefined
AundefinedBundefinedCundefinedDundefinedE

### Description:
For String.prototype.replace(searchValue, replaceValue), if the second parameter is a function, the matched string should be replaced with the return value of this function. When executing this test case, "$" should also be replaced with the return value of the function (undefined), but JavaScriptCore replaced it with [object Object]. I think this may be a bug in JavaScriptCore.


Contributor: Wen Yi

-- 
You are receiving this mail because:
You are the assignee for the bug.
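
The callback in the testcase is a sloppy-mode function, so `replace` calls it with `this` bound to the global object and `this[r]` becomes a global-property lookup keyed by each matched character. The following is an added example, not code from the report or from WebKit: it reproduces both outputs listed above under the assumption that the host may define a global named `$` (a constructed stand-in object here). The names `sloppyLookup`, `strictThisType`, `withDollarGlobal`, `runTestcase` and `matchesNamingGlobals` are hypothetical.

```javascript
// Added example, not code from the bug report or from WebKit.
// Sloppy-mode callback equivalent to `a` in the testcase. It is built with
// the Function constructor so it stays sloppy even if this file is loaded as
// an ES module (module code is always strict).
const sloppyLookup = new Function('r', 'return this[r];');

// Strict variant: `this` is not coerced to the global object.
const strictThisType = new Function('r', '"use strict"; return typeof this;');

const INPUT = 'A@B#C$D.E';
const PATTERN = /([^A-Z])/g;

// Run `fn` with (or without) a global property named "$", then restore state.
// `hostValue` is a constructed stand-in for an object a shell might install.
function withDollarGlobal(defineDollar, fn, hostValue = {}) {
  const had = Object.prototype.hasOwnProperty.call(globalThis, '$');
  const saved = globalThis.$;
  if (defineDollar) globalThis.$ = hostValue; else delete globalThis.$;
  try {
    return fn();
  } finally {
    if (had) globalThis.$ = saved; else delete globalThis.$;
  }
}

// The testcase's replace call, with the "$" global present or absent.
function runTestcase(defineDollar) {
  return withDollarGlobal(defineDollar, () => INPUT.replace(PATTERN, sloppyLookup));
}

// Triage helper: which matched substrings name a property on the global object?
function matchesNamingGlobals(defineDollar) {
  return withDollarGlobal(defineDollar, () =>
    [...new Set(INPUT.match(PATTERN))].filter((m) => m in globalThis));
}

console.log(runTestcase(true));          // global "$" present
console.log(runTestcase(false));         // global "$" absent
console.log(matchesNamingGlobals(true)); // matches that collide with globals
console.log(INPUT.replace(PATTERN, strictThisType));
```

When triaging differential-fuzzing output like this, listing the matched substrings that resolve on the engine shell's global object separates host-environment differences from engine defects.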