Both the YARR interpreter and the JIT use a mixture of unsigned and int offsets when referencing or generating code to reference subject strings. Usually this works out due to 2's complement math, however there have been bugs reported where we underflow / overflow counts, reference out of bounds memory, or trying to generate code to do the same. Instead we should make the YARR code "unsigned" clean for all references to subject strings. This bug is in response to two radars: <rdar://problem/27084358> ASSERTION FAILED: (&term - term.atom.parenthesesWidth)->inputPosition == term.inputPosition <rdar://problem/27171689> REGRESSION (r197869): CrashOnOverflow in JSC::Yarr::YarrGenerator<(JSC::Yarr::YarrJITCompileMode)1>::generateCharacterClassFixed The first is an issue in the YARR interpreter and the second in the YARR JIT.