Strange behavior with replace, unshift

RESOLVED FIXED

Status

()

Core
JavaScript Engine
--
enhancement
RESOLVED FIXED
9 years ago
6 years ago

People

(Reporter: Jesse Ruderman, Unassigned)

Tracking

(Blocks: 1 bug, {testcase})

Trunk
x86
Mac OS X
testcase
Points:
---
Bug Flags:
wanted-next +
blocking1.9.2 -

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

9 years ago
./js

print("fa".replace(/f/g, [].unshift));
for (var i = 0; [][i] != undefined; ++i)
  print(uneval([][i]));

Prints
3a
"f"
0
"fa"

Seems like the first line causes [].unshift to be called with |this| not the global, but instead Object.prototype??  If I replace [].unshift with a user-defined function, its |this| is the global...
(Reporter)

Comment 1

9 years ago
Igor explains in bug 452913 comment 9:

> string.replace(regex, f) will use the parent of f as its "this" to call the
> function f. In SpiderMonkey Array's natives have Array.prototype as their
> parent. The latter is not specified in EcmaScript and implementations are
> free to do what ever suits them since.

Updated

9 years ago
Severity: normal → enhancement
I'm nominating this early on for blocking1.9.2, this is common in jsfunfuzz by producing false-positive hangs involving .replace and .unshift behaviour. Reducing hangs take much longer than crashes or assertions so when I painfully reduce a hang testcase only to find it's this bug, it's much time wasted.
Flags: blocking1.9.2?

Updated

8 years ago
Flags: wanted-next+
Flags: blocking1.9.2?
Flags: blocking1.9.2-
With a current js shell, I get "TypeError: can't convert undefined to object" when I try the testcase in comment 0 now.
Bug 514570 changed behavior to not pass the parent but rather to pass |undefined| as this, which -- while not as explicitly specified by ES5 as I would desire -- is the right thing to pass.  And when that flows into a builtin function, it causes a TypeError to be thrown.  These are the right semantics; if fuzzers still have problems with this, they're going to have to cope.
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.