Bug 273426 - RESOLVED FIXED
[JSC] ASSERTION FAILED: pos >= negativePositionOffest in char32_t JSC::Yarr::Interpreter<unsigned char>::InputStream::readChecked(unsigned int)
https://bugs.webkit.org/show_bug.cgi?id=273426
Michael Saboff
Reported 2024-04-29 12:44:09 PDT
The following regex causes a crash: /(?<!(ab*?))c/i.

DYLD_FRAMEWORK_PATH=./ ./jsC ~/Development/LASER/bugshelf/main-687cffbf9f06590db52690f62dd4b64ac43de4f42bb1b29a34de9d2948683497.js
ASSERTION FAILED: pos >= negativePositionOffest
./yarr/YarrInterpreter.cpp(279) : char32_t JSC::Yarr::Interpreter<unsigned char>::InputStream::readChecked(unsigned int) [CharType = unsigned char]
1   0x11c8b0778 WTFCrash
2   0x11eef82a8 WTFCrashWithInfo(int, char const*, char const*, int)
3   0x124b9916c JSC::Yarr::Interpreter<unsigned char>::InputStream::readChecked(unsigned int)
4   0x124b8c8d0 JSC::Yarr::Interpreter<unsigned char>::checkCasedCharacter(JSC::Yarr::ByteTerm&, unsigned int)
5   0x124b84fec JSC::Yarr::Interpreter<unsigned char>::matchDisjunction(JSC::Yarr::ByteDisjunction*, JSC::Yarr::Interpreter<unsigned char>::DisjunctionContext*, bool)
6   0x124b4c70c JSC::Yarr::Interpreter<unsigned char>::interpret()
7   0x124b4231c JSC::Yarr::interpret(JSC::Yarr::BytecodePattern*, WTF::StringView, unsigned int, unsigned int*)
8   0x1215d79f4 int JSC::RegExp::matchInline<WTF::Vector<int, 32ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, (JSC::Yarr::MatchFrom)0>(JSC::JSGlobalObject*, JSC::VM&, WTF::String const&, unsigned int, WTF::Vector<int, 32ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&)
9   0x12152b25c JSC::createRegExpMatchesArray(JSC::VM&, JSC::JSGlobalObject*, JSC::JSString*, WTF::String const&, JSC::RegExp*, unsigned int, JSC::MatchResult&)
10  0x121528bc8 JSC::RegExpObject::execInline(JSC::JSGlobalObject*, JSC::JSString*)
11  0x123985884 JSC::RegExpObject::exec(JSC::JSGlobalObject*, JSC::JSString*)

The problem is that the function backtrackPatternCasedCharacter() doesn't have the string position checks that backtrackPatternCharacter() has.
Michael Saboff
Comment 1 2024-04-29 12:44:43 PDT
Michael Saboff
Comment 2 2024-04-30 14:05:58 PDT
EWS
Comment 3 2024-04-30 22:27:46 PDT
Committed 278204@main (a330a52f59a8): <https://commits.webkit.org/278204@main>

Reviewed commits have been landed. Closing PR #27951 and removing active labels.