Bug 273066

###### Webkit 9e5519436f6b4b766fe205d2adacf6668033e9bb ###### Build platform Ubuntu 22.04.3 ###### Build steps ```sh ./Tools/Scripts/build-jsc --jsc-only --debug --build-dir="0422_debug" --cmakeargs="-DENABLE_STATIC_JSC=ON -DCMAKE_C_COMPILER='/usr/bin/clang' -DCMAKE_CXX_COMPILER='/usr/bin/clang++' -DCMAKE_CXX_FLAGS='-fsanitize-coverage=trace-pc-guard -O3 -lrt'" ``` ###### Test case ```sh ("py").search(("-256")[0]); ``` ###### Execution steps ```sh ./jsc poc.js ``` ###### Output ```sh ASSERTION FAILED: v <= 0 WTF/Headers/wtf/MathExtras.h(787) : typename std::enable_if_t<std::is_integral_v<T> && std::is_signed_v<T>, std::make_unsigned_t<T>> WTF::negate(T) [T = int] Thread 1 "jsc" received signal SIGABRT, Aborted. __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50 50 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory. pwndbg> bt #0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50 #1 0x00007ffff5aa3859 in __GI_abort () at abort.c:79 #2 0x00000000004277ca in WTFCrashWithInfo () at WTF/Headers/wtf/Assertions.h:862 #3 0x0000000002415c18 in WTF::negate<int> (v=<optimized out>) at WTF/Headers/wtf/MathExtras.h:787 #4 JSC::MacroAssemblerX86Common::sub32 (this=<optimized out>, this@entry=0xc0, src=JSC::X86Registers::esi, imm=..., imm@entry=..., dest=JSC::X86Registers::eax) at ../../../Source/JavaScriptCore/assembler/MacroAssemblerX86Common.h:908 #5 0x0000000002404d65 in JSC::MacroAssembler::sub32 (this=<optimized out>, src=<optimized out>, src@entry=JSC::X86Registers::esi, imm=..., imm@entry=..., dest=<optimized out>, dest@entry=JSC::X86Registers::eax) at ../../../Source/JavaScriptCore/assembler/MacroAssembler.h:2167 #6 0x00000000023f57da in JSC::Yarr::YarrGenerator<JSC::Yarr::YarrJITDefaultRegisters>::generate (this=<optimized out>, this@entry=0x7fffffff9b88) at ../../../Source/JavaScriptCore/yarr/YarrJIT.cpp:2752 #7 0x00000000023d3196 in JSC::Yarr::YarrGenerator<JSC::Yarr::YarrJITDefaultRegisters>::compile (this=<optimized out>, this@entry=0x7fffffff9b88, codeBlock=...) at ../../../Source/JavaScriptCore/yarr/YarrJIT.cpp:4786 #8 0x00000000023d22c2 in JSC::Yarr::jitCompile (pattern=..., patternString=..., charSize=<optimized out>, charSize@entry=JSC::Yarr::CharSize::Char8, sampleString=..., vm=<optimized out>, vm@entry=0x7fffa9000000, codeBlock=..., mode=<optimized out>) at ../../../Source/JavaScriptCore/yarr/YarrJIT.cpp:5351 #9 0x0000000001e25c9f in JSC::RegExp::compileMatchOnly (this=this@entry=0x7fffeb0575d8, vm=vm@entry=0x7fffa9000000, charSize=JSC::Yarr::CharSize::Char8, sampleString=std::optional<WTF::StringView> = {...}) at ../../../Source/JavaScriptCore/runtime/RegExp.cpp:323 #10 0x0000000001e35ab3 in JSC::RegExp::compileIfNecessaryMatchOnly (this=this@entry=0x7fffeb0575d8, vm=..., charSize=JSC::Yarr::CharSize::Char8, sampleString=std::optional<WTF::StringView> = {...}) at ../../../Source/JavaScriptCore/runtime/RegExpInlines.h:242 #11 0x0000000001e2602b in JSC::RegExp::matchInline<(JSC::Yarr::MatchFrom)0> (this=0x7fffeb0575d8, nullOrGlobalObject=0x7fffa941a088, vm=..., s=..., startOffset=0) at ../../../Source/JavaScriptCore/runtime/RegExpInlines.h:253 #12 0x0000000000c8caff in JSC::RegExpGlobalData::performMatch (this=this@entry=0x7fffa941a888, owner=owner@entry=0x7fffa941a088, regExp=regExp@entry=0x7fffeb0575d8, string=string@entry=0x7fffa9462240, input=..., startOffset=startOffset@entry=0) at ../../../Source/JavaScriptCore/runtime/RegExpGlobalDataInlines.h:80 #13 0x0000000001e42a6a in JSC::regExpProtoFuncSearchFast (globalObject=0x7fffa941a088, callFrame=<optimized out>) at ../../../Source/JavaScriptCore/runtime/RegExpPrototype.cpp:394 #14 0x00007fffaabf0038 in ?? () #15 0x00007fffffffd370 in ?? () #16 0x00000000025240fa in llint_op_call () #17 0x0000000000000000 in ?? () ```