* SUMMARY CRASH running inspector-protocol/debugger/breakpoint-action-detach.html with guard malloc. * STEPS TO REPRODUCE: 1. shell> run-webkit-tests inspector-protocol/debugger/breakpoint-action-detach.html --repeat-each 2 -v --no-retry -g => CRASH * CRASH Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.JavaScriptCore 0x000000010310bffc WTF::Vector<Inspector::ScriptBreakpointAction, 0ul, WTF::CrashOnOverflow>::size() const + 12 1 com.apple.JavaScriptCore 0x000000010347732c Inspector::ScriptDebugServer::handleBreakpointHit(JSC::Breakpoint const&) + 204 2 com.apple.JavaScriptCore 0x0000000102d18a96 JSC::Debugger::pauseIfNeeded(JSC::ExecState*) + 422 3 com.apple.JavaScriptCore 0x0000000102d18d6c JSC::Debugger::updateCallFrameAndPauseIfNeeded(JSC::ExecState*) + 60 4 com.apple.JavaScriptCore 0x0000000102d18f8c JSC::Debugger::returnEvent(JSC::ExecState*) + 76 5 com.apple.JavaScriptCore 0x0000000103177069 JSC::Interpreter::debug(JSC::ExecState*, JSC::DebugHookID) + 265 * NOTES - The test itself is closing the page in the 1st breakpoint action, and assumes the 2nd breakpoint action never fires: actions: [ {type: "evaluate", data: "disconnect()"}, {type: "evaluate", data: "log('FAIL: This action should not be executed.')"} ] - Iterating breakpoint actions we actually use a reference to a list in a hash, unfortunately that hash entry can go away. This is enough to fix the crash: BreakpointIDToActionsMap::iterator it = m_breakpointIDToActions.find(breakpoint.id); if (it != m_breakpointIDToActions.end()) { - BreakpointActions& actions = it->value; + BreakpointActions actions = it->value; for (size_t i = 0; i < actions.size(); ++i) { if (!evaluateBreakpointAction(actions[i])) return; } } but we need to do a bit more to ensure that later breakpoint actions don't still fire if the debugger was detached.