ASSERTION FAILED: to.m_offset != -1
(/Volumes/Data/CopperHead/JavaScriptCore/assembler/X86Assembler.h:1535 void JSC::X86Assembler::linkJump(JSC::X86Assembler::JmpSrc, JSC::X86Assembler::JmpDst))
Segmentation fault: 11

The problem is hit when there are multiple alternatives in the top level disjunction, the last disjunction is longer than the first, and all are BOL predicated, e.g.:

/^a|^bc/

Two optimizations are coming into conflict here. Due to the BOL unrolling there is no need to ever loop, so no head of loop label has been set; however, the optimized code path that loops without checking length (available since we have already checked N+1 characters for the last alternative before looping) doesn't check the flag indicating whether a label has been set.
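A regression check for the pattern shape described above, as an added example that is not part of the original report or of WebKit's own test suite: it compiles and runs BOL-predicated literal alternations and compares each result with a simple reference matcher. The function names, pattern lists and inputs are constructed for illustration.

```javascript
// Added example: differential check for patterns of the form /^alt1|^alt2|.../.
// All names, pattern lists and inputs below are constructed for illustration.

// Reference semantics without the m flag: every alternative is anchored at
// offset 0, and the first alternative in source order that prefixes the input wins.
function referenceMatch(alternatives, input) {
  for (const alt of alternatives) {
    if (input.startsWith(alt)) return alt;
  }
  return null;
}

// Build the regex from literal alternatives, each one predicated on BOL.
function buildRegex(alternatives) {
  const escaped = alternatives.map(a => a.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'));
  return new RegExp(escaped.map(a => '^' + a).join('|'));
}

// Compile one pattern, run it over every input, and collect disagreements
// with the reference matcher. Compilation itself is part of what is exercised.
function checkPattern(alternatives, inputs) {
  const re = buildRegex(alternatives);
  const failures = [];
  for (const input of inputs) {
    const m = re.exec(input);
    const got = m === null ? null : m[0];
    const want = referenceMatch(alternatives, input);
    if (got !== want || (m !== null && m.index !== 0)) {
      failures.push({ pattern: re.source, input, got, want });
    }
  }
  return failures;
}

const CASES = [
  ['a', 'bc'],          // the shape from the report: last alternative longer than first
  ['a', 'bcd', 'ef'],   // three alternatives, last longer than first
  ['a', 'b', 'cde'],    // only the last alternative is longer
  ['ab', 'c'],          // control: last alternative shorter than first
  ['ab', 'cd'],         // control: equal lengths
];
const INPUTS = ['', 'a', 'b', 'bc', 'abc', 'xbc', 'xa', 'bcd', 'ef', 'c', 'cde', 'cd', 'b\nbc'];

function runAll() {
  return CASES.flatMap(alts => checkPattern(alts, INPUTS));
}

console.log(runAll().length === 0 ? 'all patterns agree with reference' : runAll());
```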
Created attachment 68056
The patch
Comment on attachment 68056
The patch

Clearing flags on attachment: 68056

Committed r67867: <http://trac.webkit.org/changeset/67867>
All reviewed patches have been landed. Closing bug.
*** Bug 46075 has been marked as a duplicate of this bug. ***
*** Bug 46102 has been marked as a duplicate of this bug. ***