Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: eff90f74db57d243c062b7ced375361f06da78c0
https://github.com/WebKit/WebKit/commit/eff90f74db57d243c062b7ced375361f06da78c0
Author: Sosuke Suzuki <[email protected]>
Date: 2026-06-13 (Sat, 13 Jun 2026)
Changed paths:
A JSTests/stress/dfg-string-split-regexp-no-split-fallback-evaluation-order.js
A JSTests/stress/string-replace-regexp-fast-path-tostring-side-effects.js
A JSTests/stress/string-replaceall-regexp-fast-path-tostring-side-effects.js
M Source/JavaScriptCore/dfg/DFGOperations.cpp
M Source/JavaScriptCore/runtime/RegExpPrototype.cpp
M Source/JavaScriptCore/runtime/RegExpPrototype.h
M Source/JavaScriptCore/runtime/StringPrototype.cpp
Log Message:
-----------
[JSC] `String#replace`, `String#replaceAll` and `String#split` RegExp paths miss observable side effects
https://bugs.webkit.org/show_bug.cgi?id=316627
Reviewed by Yusuke Suzuki.
This fixes three problems:
1. stringProtoFuncReplace never rechecked isSymbolReplaceFastAndNonObservable()
after ToString(this), so its side effects (e.g. overriding
RegExp.prototype.exec) were ignored. Recheck, the same way String#search
does, via regExpReplaceGeneric extracted from regExpProtoFuncReplace.
2. stringProtoFuncReplaceAll had the same problem. Apply the same fix.
3. The no-@@split fallback in operationStringSplitRegExp evaluated
ToString(separator) before ToUint32(limit). The spec evaluates the limit
first.
Tests:
JSTests/stress/dfg-string-split-regexp-no-split-fallback-evaluation-order.js
JSTests/stress/string-replace-regexp-fast-path-tostring-side-effects.js
JSTests/stress/string-replaceall-regexp-fast-path-tostring-side-effects.js
* JSTests/stress/dfg-string-split-regexp-no-split-fallback-evaluation-order.js:
Added.
(shouldBe):
(valueOf):
(re.toString):
(let.limit.valueOf):
* JSTests/stress/string-replace-regexp-fast-path-tostring-side-effects.js:
Added.
(shouldBe):
(throw.new.Error.let.obj.toString.RegExp.prototype.exec):
(throw.new.Error):
(shouldBe.RegExp.prototype.exec):
* JSTests/stress/string-replaceall-regexp-fast-path-tostring-side-effects.js:
Added.
(shouldBe):
(throw.new.Error):
(shouldBe.let.obj.toString.RegExp.prototype.exec):
* Source/JavaScriptCore/dfg/DFGOperations.cpp:
(JSC::DFG::JSC_DEFINE_JIT_OPERATION):
* Source/JavaScriptCore/runtime/StringPrototype.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
Canonical link: https://commits.webkit.org/315169@main
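The three orderings the commit message describes are observable from plain script, so they can be checked in any spec-conforming engine without touching JSC. The block below is an added example written for this page; it is not the commit's code nor its JSTests, and it runs under Node.js. Its function names, the `calls`/`order` logs, the sample strings and the choice to shadow `@@split` on a single RegExp instance (rather than deleting `RegExp.prototype[Symbol.split]`, which the commit's test may well do) are this example's own assumptions.

```javascript
'use strict';

// Added example, not part of the WebKit commit or its JSTests.
//
// Case 1 and 2 (String#replace / String#replaceAll with a RegExp searchValue):
// RegExp.prototype[@@replace] performs ToString(string) in its step 3 and only
// afterwards looks up `exec` (RegExpExec, step 11 onward). A `toString` that
// reassigns RegExp.prototype.exec therefore must be honoured by the match.
// An engine fast path that checked "exec is unmodified" *before* ToString and
// never rechecked would use the built-in exec and return 'Xbcabc' / 'XbcXbc'.
function replaceObservesToStringSideEffect(method) {
  const originalExec = RegExp.prototype.exec;
  const calls = [];
  const thisValue = {
    toString() {
      calls.push('toString');
      // Observable side effect: swap in an exec that logs and never matches.
      RegExp.prototype.exec = function (s) {
        calls.push('exec:' + s);
        return null;
      };
      return 'abcabc'; // constructed sample input
    },
  };
  try {
    const re = method === 'replaceAll' ? /a/g : /a/;
    const result = String.prototype[method].call(thisValue, re, 'X');
    // exec returned null, so no match: the spec returns S unchanged.
    return { result, calls };
  } finally {
    RegExp.prototype.exec = originalExec;
  }
}

// Case 3 (String#split when the RegExp separator has no @@split):
// String.prototype.split step 4 computes lim = ToUint32(limit) before step 5
// computes R = ToString(separator). The two logs record which ran first.
function splitFallbackEvaluationOrder() {
  const order = [];
  const re = /a/;
  // Shadow @@split on this instance so GetMethod(re, @@split) yields undefined
  // and String#split takes its no-@@split fallback (assumption: the commit's
  // test may delete the prototype method instead; the effect on the spec
  // steps is the same).
  Object.defineProperty(re, Symbol.split, { value: undefined });
  re.toString = function () {
    order.push('ToString(separator)');
    return 'a';
  };
  const limit = {
    valueOf() {
      order.push('ToUint32(limit)');
      return 2;
    },
  };
  const result = 'banana'.split(re, limit); // constructed sample input
  return { result, order };
}

// Stand-alone run: prints the observable results for the three cases.
for (const m of ['replace', 'replaceAll']) {
  console.log(m, JSON.stringify(replaceObservesToStringSideEffect(m)));
}
console.log('split', JSON.stringify(splitFallbackEvaluationOrder()));
```

The `replace` and `replaceAll` cases return the untouched `'abcabc'` with `calls` equal to `['toString', 'exec:abcabc']`; the `split` case returns `['b', 'n']` with `order` equal to `['ToUint32(limit)', 'ToString(separator)']`. Any deviation in the result string or in the log order is exactly the class of fast-path bug the commit addresses.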