[Webkit-unassigned] [Bug 213371] New: A possible bug of String.prototype.replace
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Fri Jun 19 04:24:28 PDT 2020
https://bugs.webkit.org/show_bug.cgi?id=213371
Bug ID: 213371
Summary: A possible bug of String.prototype.replace
Product: WebKit
Version: WebKit Nightly Build
Hardware: PC
OS: Linux
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: nisl_grammarly1 at 163.com
### Version: d940b47
### Testcase:
var NISLFuzzingFunc = function () {
var a = function (r) {
return this[r];
};
print(a());
var b = 'A at B#C$D.E'.replace(/([^A-Z])/g, a);
print(b);
};
NISLFuzzingFunc();
### Command:
./webkit/WebKitBuild/Release/bin/jsc testcase.js
### Output:
undefined
AundefinedBundefinedC[object Object]DundefinedE
### Expected output:
undefined
AundefinedBundefinedCundefinedDundefinedE
### Description:
For String.prototype.replace (searchValue, replaceValue ), if the second parameter is a function, the matched string should be replaced with the return value of this function. When executing this test case, "$" should also be replaced with the return value of the function(undefined), but javascriptCore replaced it with [object Object]. I think this may be a bug of javascriptCore.
Contributor:Wen Yi
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20200619/b7c4774e/attachment-0001.htm>
More information about the webkit-unassigned
mailing list