Closed Bug 576836 Opened 14 years ago Closed 14 years ago

YARR: "Assertion failure: buf[idx + 1] >= buf[idx]"

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
critical

RESOLVED WORKSFORME

People

(Reporter: jruderman, Assigned: cdleary)

Details

(Keywords: assertion, testcase)

The input has to be in the form of a .js file rather than shell input.

"AAB".split(/A|B(((?=)){1,2})/);
Assertion failure: get(0, 1) <= int(input->length()), at ../jscntxt.h:1699

"AAB".split(/B(((?=)){1,2})/);
Assertion failure: buf[idx + 1] >= buf[idx], at ../jsregexp.cpp:225

This bug also causes Valgrind warnings. Since the Valgrind warnings happen more reliably than the assertions, they're probably the best place to start.

> ==1479== Conditional jump or move depends on uninitialised value(s)
> ==1479==    at 0x11291E: js::RegExp::execute(JSContext*, JSString*, unsigned long*, bool, long*) (jsregexp.cpp:225)
> ==1479==    by 0x129D25: find_split(JSContext*, JSString*, js::RegExp*, int*, JSSubString*) (jsstr.cpp:2076)
> ==1479==    by 0x12BEF3: str_split(JSContext*, unsigned int, long*) (jsstr.cpp:2190)
> ==1479==    by 0x9C2E2: js_Interpret (jsops.cpp:2145)
> ==1479==    by 0xAE052: js_Execute (jsinterp.cpp:891)
> ==1479==    by 0x158EA: JS_ExecuteScript (jsapi.cpp:4759)
> ==1479==    by 0x9354: Process(JSContext*, JSObject*, char*, int) (shell/js.cpp:522)
> ==1479==    by 0x9D18: ProcessArgs(JSContext*, JSObject*, char**, int) (shell/js.cpp:843)
> ==1479==    by 0x9E32: shell(JSContext*, int, char**, char**) (shell/js.cpp:5025)
> ==1479==    by 0x9F57: main (shell/js.cpp:5112)
> ==1479==  Uninitialised value was created by a stack allocation
> ==1479==    at 0x1F31B5: jsRegExpExecute(JSContext*, JSRegExp const*, unsigned short const*, int, int, int*, int) (pcre_exec.cpp:2018)

Repros on 32b.
Assignee: general → cdleary
Status: NEW → ASSIGNED
WFM as tested on TM changeset 284811f39ca6 on a 32-bit shell on Linux; it has also been tested on the WebKit side.
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → WORKSFORME
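
Added example, not code from this bug or from the JavaScript engine: a defensive check on a regex matcher's capture-offset buffer that enforces the two invariants named in the assertion messages above (end >= start, and end within the input length). The names `ovec_init`, `ovec_check`, `demo` and the use of -1 for an unset group are assumptions of this sketch, and the sample offsets are constructed.

```c
#include <stddef.h>

/* Result codes for the hypothetical validator below. */
enum ovec_status { OVEC_OK = 0, OVEC_HALF_SET, OVEC_REVERSED, OVEC_OUT_OF_RANGE };

/* Pre-fill every slot with -1 (assumed "group did not participate" marker)
 * so a matcher that writes only some slots never leaves stack garbage. */
static void ovec_init(int *buf, size_t pairs)
{
    for (size_t i = 0; i < 2 * pairs; i++)
        buf[i] = -1;
}

/* Validate (start, end) pairs before they are used to slice the input.
 * Mirrors the two invariants quoted in the report:
 *   buf[idx + 1] >= buf[idx]   and   end offset <= input length. */
static enum ovec_status ovec_check(const int *buf, size_t pairs, int input_len)
{
    for (size_t i = 0; i < pairs; i++) {
        int start = buf[2 * i], end = buf[2 * i + 1];
        if (start == -1 && end == -1)
            continue;                       /* unset group: nothing to check */
        if (start == -1 || end == -1)
            return OVEC_HALF_SET;           /* only one side was written */
        if (start < 0 || end < 0 || end > input_len)
            return OVEC_OUT_OF_RANGE;
        if (end < start)
            return OVEC_REVERSED;
    }
    return OVEC_OK;
}

/* Constructed sample: 4 offset pairs for a 3-character input such as "AAB". */
static enum ovec_status demo(int case_no)
{
    int buf[8];
    ovec_init(buf, 4);
    buf[0] = 2; buf[1] = 3;                         /* whole match "B" */
    if (case_no == 1) { buf[2] = 3; buf[3] = 3; }   /* empty capture at end */
    if (case_no == 2) { buf[4] = 3; buf[5] = 1; }   /* end before start */
    if (case_no == 3) { buf[6] = 3; }               /* half-written pair */
    if (case_no == 4) { buf[1] = 9; }               /* end past the input */
    return ovec_check(buf, 4, 3);
}
```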