Bug triggered after enabling the WordPress Jetpack comment module on a specific WordPress theme. Accessing the page from an iPhone or iPad (and, I'm told but haven't verified, from Android) causes an immediate hard browser crash, dumping back to the device home screen. Accessing the same page from the desktop, or from emulation in Chrome Canary, doesn't crash. Remote debugging in Safari exits at the point of the crash, giving no useful data. The production version of the same page (Jetpack comments disabled) works fine: http://p.tt/2014/04/things-i-learned-at-burning-man-treat-your-staff-as-if-they-are-volunteers/ Sorry I can't be more specific, but on the basis that any crash is a potential security hole, I'm logging this as a security bug until proven otherwise.
I don't see any crash on an iPhone 5 running iOS 7.1.1. Can you please provide more details about your configuration?
Oh wait, I tried the wrong URL. I am now able to repro.
The difference between the two URLs is that the one that crashes has Jetpack comments enabled and the other doesn't.
Multiple repro instances on iOS show that this always triggers the same non-exploitable null-deref crash. In addition, we tested with an instrumented WebKit build on OS X and saw no evidence of memory corruption or pointer shenanigans. This doesn't look like a security bug.
Cool, thanks. Do I need to re-file as non-security, or will this bug ID suffice?
I just removed the security bits, so this bug should suffice.
Could someone attach a crash log please?
Created attachment 230399: crashlog

Thread 2 name: WebThread
Thread 2 Crashed:
0 WebCore 0x35964f82 WebCore::LayoutState::LayoutState(WebCore::LayoutState*, WebCore::RenderBox*, WebCore::LayoutSize const&, WebCore::LayoutUnit, bool, WebCore::ColumnInfo*) + 282 (LayoutSize.h:50)
1 WebCore 0x35964e5a WebCore::LayoutState::LayoutState(WebCore::LayoutState*, WebCore::RenderBox*, WebCore::LayoutSize const&, WebCore::LayoutUnit, bool, WebCore::ColumnInfo*) + 26 (LayoutState.cpp:138)
2 WebCore 0x35964e04 WebCore::RenderView::pushLayoutState(WebCore::RenderBox*, WebCore::LayoutSize const&, WebCore::LayoutUnit, bool, WebCore::ColumnInfo*) + 164 (RenderView.h:262)
3 WebCore 0x35961206 WebCore::RenderBlock::layoutBlock(bool, WebCore::LayoutUnit) + 438 (RenderView.h:406)
4 WebCore 0x35968a4c WebCore::RenderLayer::updateScrollbarsAfterLayout() + 720 (RenderLayer.cpp:3331)
5 WebCore 0x35968276 WebCore::RenderLayer::updateScrollInfoAfterLayout() + 210 (RenderLayer.cpp:3384)
iOS crashes should be reported via bugreporter.apple.com.
Thanks. Bug opened with Apple - ref 16760154.