[webkit-changes] [258783] trunk

[ross . kirsling]

Title: [258783] trunk

Revision

258783

Author

ross.kirsl...@sony.com

Date

2020-03-20 13:19:56 -0700 (Fri, 20 Mar 2020)

Log Message

RegExp.prototype[@@replace] doesn't coerce result index to integer
https://bugs.webkit.org/show_bug.cgi?id=209323

Reviewed by Yusuke Suzuki.

JSTests:

* test262/expectations.yaml:
Mark six test cases as passing.

Source/_javascript_Core:

>From https://tc39.es/ecma262/#sec-regexp.prototype-@@replace:
  21.2.5.10 RegExp.prototype [ @@replace ] ( string, replaceValue )
    ...
    14. For each result in results, do
      ...
      e. Let position be ? ToInteger(? Get(result, "index")).
      f. Set position to max(min(position, lengthS), 0).

result.index may be undefined, so it doesn't suffice to coerce it with comparison operators.

* builtins/RegExpPrototype.js:

Modified Paths

• trunk/JSTests/ChangeLog
• trunk/JSTests/test262/expectations.yaml
• trunk/Source/_javascript_Core/ChangeLog
• trunk/Source/_javascript_Core/builtins/RegExpPrototype.js

Diff

Modified: trunk/JSTests/ChangeLog (258782 => 258783)

--- trunk/JSTests/ChangeLog	2020-03-20 20:16:38 UTC (rev 258782)
+++ trunk/JSTests/ChangeLog	2020-03-20 20:19:56 UTC (rev 258783)
@@ -1,3 +1,13 @@
+2020-03-20  Ross Kirsling  <ross.kirsl...@sony.com>
+
+        RegExp.prototype[@@replace] doesn't coerce result index to integer
+        https://bugs.webkit.org/show_bug.cgi?id=209323
+
+        Reviewed by Yusuke Suzuki.
+
+        * test262/expectations.yaml:
+        Mark six test cases as passing.
+
 2020-03-19  Tomas Popela  <tpop...@redhat.com>
 
         [JSC][BigEndians] Several JSC stress tests failing

Modified: trunk/JSTests/test262/expectations.yaml (258782 => 258783)

--- trunk/JSTests/test262/expectations.yaml	2020-03-20 20:16:38 UTC (rev 258782)
+++ trunk/JSTests/test262/expectations.yaml	2020-03-20 20:19:56 UTC (rev 258783)
@@ -1486,15 +1486,6 @@
 test/built-ins/RegExp/prototype/Symbol.match/builtin-infer-unicode.js:
   default: 'Test262Error: Expected SameValue(«�», «null») to be true'
   strict mode: 'Test262Error: Expected SameValue(«�», «null») to be true'
-test/built-ins/RegExp/prototype/Symbol.replace/result-coerce-capture.js:
-  default: 'Test262Error: Expected SameValue(«», «foo[toString value]bar») to be true'
-  strict mode: 'Test262Error: Expected SameValue(«», «foo[toString value]bar») to be true'
-test/built-ins/RegExp/prototype/Symbol.replace/result-coerce-length.js:
-  default: 'Test262Error: Expected SameValue(«», «foobar$3») to be true'
-  strict mode: 'Test262Error: Expected SameValue(«», «foobar$3») to be true'
-test/built-ins/RegExp/prototype/Symbol.replace/result-coerce-matched.js:
-  default: 'Test262Error: Expected SameValue(«», «foo[toString value]bar») to be true'
-  strict mode: 'Test262Error: Expected SameValue(«», «foo[toString value]bar») to be true'
 test/built-ins/RegExp/prototype/Symbol.search/u-lastindex-advance.js:
   default: 'Test262Error: Expected SameValue(«1», «-1») to be true'
   strict mode: 'Test262Error: Expected SameValue(«1», «-1») to be true'

Modified: trunk/Source/_javascript_Core/ChangeLog (258782 => 258783)

--- trunk/Source/_javascript_Core/ChangeLog	2020-03-20 20:16:38 UTC (rev 258782)
+++ trunk/Source/_javascript_Core/ChangeLog	2020-03-20 20:19:56 UTC (rev 258783)
@@ -1,3 +1,22 @@
+2020-03-20  Ross Kirsling  <ross.kirsl...@sony.com>
+
+        RegExp.prototype[@@replace] doesn't coerce result index to integer
+        https://bugs.webkit.org/show_bug.cgi?id=209323
+
+        Reviewed by Yusuke Suzuki.
+
+        From https://tc39.es/ecma262/#sec-regexp.prototype-@@replace:
+          21.2.5.10 RegExp.prototype [ @@replace ] ( string, replaceValue )
+            ...
+            14. For each result in results, do
+              ...
+              e. Let position be ? ToInteger(? Get(result, "index")).
+              f. Set position to max(min(position, lengthS), 0).
+
+        result.index may be undefined, so it doesn't suffice to coerce it with comparison operators.
+
+        * builtins/RegExpPrototype.js:
+
 2020-03-20  Justin Michaud  <jus...@justinmichaud.com>
 
         Fix JSCOnly build without unified sources

Modified: trunk/Source/_javascript_Core/builtins/RegExpPrototype.js (258782 => 258783)

--- trunk/Source/_javascript_Core/builtins/RegExpPrototype.js	2020-03-20 20:16:38 UTC (rev 258782)
+++ trunk/Source/_javascript_Core/builtins/RegExpPrototype.js	2020-03-20 20:19:56 UTC (rev 258783)
@@ -330,7 +330,7 @@
             nCaptures = 0;
         var matched = @toString(result[0]);
         var matchLength = matched.length;
-        var position = result.index;
+        var position = @toInteger(result.index);
         position = (position > stringLength) ? stringLength : position;
         position = (position < 0) ? 0 : position;
 

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes