Bug 421917 - crashes on the 1st frame render.
Status: RESOLVED DOWNSTREAM
Product: kamoso
Classification: Applications
Component: general
Version: 3.2
Platform: Kubuntu Linux
Importance: NOR normal
Assignee: Aleix Pol
Reported: 2020-05-22 13:58 UTC by Maxim Egorushkin
Modified: 2020-06-22 14:30 UTC

Description Maxim Egorushkin 2020-05-22 13:58:46 UTC
SUMMARY
kamoso crashes on the first frame render.

STEPS TO REPRODUCE
Plug in a Logitech Brio camera. Start kamoso.

OBSERVED RESULT
kamoso crashes when trying to display the first frame, judging from the stacktrace.

EXPECTED RESULT
kamoso doesn't crash.

SOFTWARE/OS VERSIONS
Linux/KDE Plasma: Kubuntu 18.04.4 LTS, kernel 4.15.0-101-generic.
KDE Plasma Version: 5.12.9.
KDE Frameworks Version: 5.44.0.
Qt Version: 5.9.5.

ADDITIONAL INFORMATION
nvidia-driver-440, version 440.59-0ubuntu0.18.04.1.
cheese version 3.28.0-1ubuntu1 works with no issues.
obs-studio version 25.0.8-0obsproject1~bion works with no issues.
kamoso crashes.

gdb backtrace:

Starting program: /usr/bin/kamoso 
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7fffe4f49700 (LWP 19268)]
[New Thread 0x7fffdac06700 (LWP 19273)]
[New Thread 0x7fffda3b4700 (LWP 19274)]
[New Thread 0x7fffd228d700 (LWP 19275)]
[New Thread 0x7fffbc776700 (LWP 19276)]
[New Thread 0x7fffbbf24700 (LWP 19277)]
[New Thread 0x7fffbb6d2700 (LWP 19278)]
[New Thread 0x7fffbae80700 (LWP 19279)]
[New Thread 0x7fffba62e700 (LWP 19280)]
[New Thread 0x7fffb9ddc700 (LWP 19281)]
[New Thread 0x7fffb958a700 (LWP 19282)]
[New Thread 0x7fffb8d38700 (LWP 19283)]
[New Thread 0x7fff97fff700 (LWP 19284)]
[New Thread 0x7fff9759b700 (LWP 19285)]
[New Thread 0x7fff969b2700 (LWP 19293)]

Thread 15 "QSGRenderThread" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fff9759b700 (LWP 19285)]
0x00000000400b0e71 in ?? ()
(gdb) bt
#0  0x00000000400b0e71 in  ()
#1  0x00007fffa0e56593 in  ()
#2  0x00007fff883c1c20 in  ()
#3  0x00007fff9759a030 in  ()
#4  0x0000000000000001 in  ()
#5  0x00007fffd2cbe706 in  () at /usr/lib/x86_64-linux-gnu/libnvidia-glcore.so.440.59
#6  0x00007fffd2cc92ea in  () at /usr/lib/x86_64-linux-gnu/libnvidia-glcore.so.440.59
#7  0x00007fffd2e384f3 in  () at /usr/lib/x86_64-linux-gnu/libnvidia-glcore.so.440.59
#8  0x00007fffd2e031e0 in  () at /usr/lib/x86_64-linux-gnu/libnvidia-glcore.so.440.59
#9  0x00007fffd2e0d445 in  () at /usr/lib/x86_64-linux-gnu/libnvidia-glcore.so.440.59
#10 0x00007fffd2e10f89 in  () at /usr/lib/x86_64-linux-gnu/libnvidia-glcore.so.440.59
#11 0x00007fffd2e28027 in  () at /usr/lib/x86_64-linux-gnu/libnvidia-glcore.so.440.59
#12 0x00007fffc1d184ac in VideoMaterial::bindTexture(int, unsigned char const*) () at /usr/lib/x86_64-linux-gnu/gstreamer-1.0/libgstqt5videosink.so
#13 0x00007fffc1d1862c in VideoMaterial::bind() () at /usr/lib/x86_64-linux-gnu/gstreamer-1.0/libgstqt5videosink.so
#14 0x00007fffc1d18bcd in VideoMaterialShader::updateState(QSGMaterialShader::RenderState const&, QSGMaterial*, QSGMaterial*) () at /usr/lib/x86_64-linux-gnu/gstreamer-1.0/libgstqt5videosink.so
#15 0x00007ffff5a5bdc7 in QSGBatchRenderer::Renderer::renderMergedBatch(QSGBatchRenderer::Batch const*) () at /usr/lib/x86_64-linux-gnu/libQt5Quick.so.5
#16 0x00007ffff5a5d00d in QSGBatchRenderer::Renderer::renderBatches() () at /usr/lib/x86_64-linux-gnu/libQt5Quick.so.5
#17 0x00007ffff5a6285e in QSGBatchRenderer::Renderer::render() () at /usr/lib/x86_64-linux-gnu/libQt5Quick.so.5
#18 0x00007ffff5a532a0 in QSGRenderer::renderScene(QSGBindable const&) () at /usr/lib/x86_64-linux-gnu/libQt5Quick.so.5
#19 0x00007ffff5a5375b in QSGRenderer::renderScene(unsigned int) () at /usr/lib/x86_64-linux-gnu/libQt5Quick.so.5
#20 0x00007ffff5a8daf0 in QSGDefaultRenderContext::renderNextFrame(QSGRenderer*, unsigned int) () at /usr/lib/x86_64-linux-gnu/libQt5Quick.so.5
#21 0x00007ffff5aebb68 in QQuickWindowPrivate::renderSceneGraph(QSize const&) () at /usr/lib/x86_64-linux-gnu/libQt5Quick.so.5
#22 0x00007ffff5a96bbc in  () at /usr/lib/x86_64-linux-gnu/libQt5Quick.so.5
#23 0x00007ffff5a9bac8 in  () at /usr/lib/x86_64-linux-gnu/libQt5Quick.so.5
#24 0x00007ffff407817d in  () at /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#25 0x00007ffff13036db in start_thread (arg=0x7fff9759b700) at pthread_create.c:463
#26 0x00007ffff375b88f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
(gdb) info threads
  Id   Target Id         Frame 
  1    Thread 0x7ffff7fa4800 (LWP 19264) "kamoso" 0x00007ffff374ebf9 in __GI___poll (fds=0x5555565572d0, nfds=6, timeout=12) at ../sysdeps/unix/sysv/linux/poll.c:29
  2    Thread 0x7fffe4f49700 (LWP 19268) "QXcbEventReader" 0x00007ffff374ebf9 in __GI___poll (fds=0x7fffe4f48ca8, nfds=1, timeout=-1) at ../sysdeps/unix/sysv/linux/poll.c:29
  3    Thread 0x7fffdac06700 (LWP 19273) "QDBusConnection" 0x00007ffff374ebf9 in __GI___poll (fds=0x7fffd4004db0, nfds=3, timeout=-1) at ../sysdeps/unix/sysv/linux/poll.c:29
  4    Thread 0x7fffda3b4700 (LWP 19274) "QQmlThread" 0x00007ffff374ebf9 in __GI___poll (fds=0x7fffcc004660, nfds=1, timeout=-1) at ../sysdeps/unix/sysv/linux/poll.c:29
  5    Thread 0x7fffd228d700 (LWP 19275) "QQmlThread" 0x00007ffff374ebf9 in __GI___poll (fds=0x7fffc8003ce0, nfds=1, timeout=-1) at ../sysdeps/unix/sysv/linux/poll.c:29
  6    Thread 0x7fffbc776700 (LWP 19276) "queue5:src" syscall () at ../sysdeps/unix/sysv/linux/x86_64/syscall.S:38
  7    Thread 0x7fffbbf24700 (LWP 19277) "queue4:src" syscall () at ../sysdeps/unix/sysv/linux/x86_64/syscall.S:38
  8    Thread 0x7fffbb6d2700 (LWP 19278) "queue0:src" syscall () at ../sysdeps/unix/sysv/linux/x86_64/syscall.S:38
  9    Thread 0x7fffbae80700 (LWP 19279) "queue2:src" syscall () at ../sysdeps/unix/sysv/linux/x86_64/syscall.S:38
  10   Thread 0x7fffba62e700 (LWP 19280) "viewfinderbin-q" syscall () at ../sysdeps/unix/sysv/linux/x86_64/syscall.S:38
  11   Thread 0x7fffb9ddc700 (LWP 19281) "queue1:src" syscall () at ../sysdeps/unix/sysv/linux/x86_64/syscall.S:38
  12   Thread 0x7fffb958a700 (LWP 19282) "preview-appsrc:" syscall () at ../sysdeps/unix/sysv/linux/x86_64/syscall.S:38
  13   Thread 0x7fffb8d38700 (LWP 19283) "queue3:src" syscall () at ../sysdeps/unix/sysv/linux/x86_64/syscall.S:38
  14   Thread 0x7fff97fff700 (LWP 19284) "v4l2src0:src" 0x00007ffff374ecf6 in __GI_ppoll (fds=0x7fff900151a0, nfds=2, timeout=<optimised out>, sigmask=0x0) at ../sysdeps/unix/sysv/linux/ppoll.c:39
* 15   Thread 0x7fff9759b700 (LWP 19285) "QSGRenderThread" 0x00000000400b0e71 in ?? ()
  16   Thread 0x7fff969b2700 (LWP 19293) "pool" syscall () at ../sysdeps/unix/sysv/linux/x86_64/syscall.S:38
(gdb) q
Comment 1 Christoph Feck 2020-06-19 20:27:30 UTC
Crash is in the NVIDIA binary OpenGL drivers. If this is reproducible, please report this issue directly to NVIDIA developers via https://forums.developer.nvidia.com/t/if-you-have-a-problem-please-read-this-first/27131
Comment 2 Maxim Egorushkin 2020-06-22 12:27:05 UTC
(In reply to Christoph Feck from comment #1)
> Crash is in the NVIDIA binary OpenGL drivers. If this is reproducible,
> please report this issue directly to NVIDIA developers via
> https://forums.developer.nvidia.com/t/if-you-have-a-problem-please-read-this-first/27131

No other video application crashes in NVidia drivers, apart from kamoso.

Given that, it is much more likely the bug is in kamoso, not NVidia drivers.

But I know some developers refuse to investigate and fix their bugs when they see the nvidia binary driver in the stack trace.
Comment 3 Christoph Feck 2020-06-22 13:55:06 UTC
If we had the sources of the driver we could investigate. The backtrace doesn't even have symbol information for the driver to check which function was being called.
Comment 4 Maxim Egorushkin 2020-06-22 14:30:53 UTC
(In reply to Christoph Feck from comment #3)
> If we had the sources of the driver we could investigate. The backtrace
> doesn't even have symbol information for the driver to check which function
> was being called.

Some more info:

VideoMaterial::bindTexture calls glTexImage2D and this call crashes:

#12 0x00007fffc1e5c4ac in VideoMaterial::bindTexture(int, unsigned char const*) () from /usr/lib/x86_64-linux-gnu/gstreamer-1.0/libgstqt5videosink.so
(gdb) disassemble
Dump of assembler code for function _ZN13VideoMaterial11bindTextureEiPKh:
   0x00007fffc1e5c460 <+0>:     movsxd rsi,esi
   0x00007fffc1e5c463 <+3>:     push   r12
   0x00007fffc1e5c465 <+5>:     push   rbp
   0x00007fffc1e5c466 <+6>:     push   rbx
   0x00007fffc1e5c467 <+7>:     lea    rbx,[rdi+rsi*4]
   0x00007fffc1e5c46b <+11>:    mov    rbp,rdi
   0x00007fffc1e5c46e <+14>:    mov    edi,0xde1
   0x00007fffc1e5c473 <+19>:    mov    r12,rdx
   0x00007fffc1e5c476 <+22>:    mov    esi,DWORD PTR [rbx+0x2c]
   0x00007fffc1e5c479 <+25>:    call   0x7fffc1e56b40 <glBindTexture@plt>
   0x00007fffc1e5c47e <+30>:    movsxd rax,DWORD PTR [rbx+0x50]
   0x00007fffc1e5c482 <+34>:    sub    rsp,0x8
   0x00007fffc1e5c486 <+38>:    mov    ecx,DWORD PTR [rbx+0x38]
   0x00007fffc1e5c489 <+41>:    mov    edx,DWORD PTR [rbp+0x6c]
   0x00007fffc1e5c48c <+44>:    xor    r9d,r9d
   0x00007fffc1e5c48f <+47>:    xor    esi,esi
   0x00007fffc1e5c491 <+49>:    mov    edi,0xde1
   0x00007fffc1e5c496 <+54>:    add    r12,rax
   0x00007fffc1e5c499 <+57>:    push   r12
   0x00007fffc1e5c49b <+59>:    mov    eax,DWORD PTR [rbp+0x70]
   0x00007fffc1e5c49e <+62>:    push   rax
   0x00007fffc1e5c49f <+63>:    mov    eax,DWORD PTR [rbp+0x68]
   0x00007fffc1e5c4a2 <+66>:    push   rax
   0x00007fffc1e5c4a3 <+67>:    mov    r8d,DWORD PTR [rbx+0x44]
   0x00007fffc1e5c4a7 <+71>:    call   0x7fffc1e56ad0 <glTexImage2D@plt>
=> 0x00007fffc1e5c4ac <+76>:    add    rsp,0x20
   0x00007fffc1e5c4b0 <+80>:    mov    edx,0x2601
   0x00007fffc1e5c4b5 <+85>:    mov    esi,0x2800
   0x00007fffc1e5c4ba <+90>:    mov    edi,0xde1
   0x00007fffc1e5c4bf <+95>:    call   0x7fffc1e56340 <glTexParameteri@plt>
   0x00007fffc1e5c4c4 <+100>:   mov    edx,0x2601
   0x00007fffc1e5c4c9 <+105>:   mov    esi,0x2801
   0x00007fffc1e5c4ce <+110>:   mov    edi,0xde1
   0x00007fffc1e5c4d3 <+115>:   call   0x7fffc1e56340 <glTexParameteri@plt>
   0x00007fffc1e5c4d8 <+120>:   mov    edx,0x812f
   0x00007fffc1e5c4dd <+125>:   mov    esi,0x2802
   0x00007fffc1e5c4e2 <+130>:   mov    edi,0xde1
   0x00007fffc1e5c4e7 <+135>:   call   0x7fffc1e56340 <glTexParameteri@plt>
   0x00007fffc1e5c4ec <+140>:   pop    rbx
   0x00007fffc1e5c4ed <+141>:   pop    rbp
   0x00007fffc1e5c4ee <+142>:   pop    r12
   0x00007fffc1e5c4f0 <+144>:   mov    edx,0x812f
   0x00007fffc1e5c4f5 <+149>:   mov    esi,0x2803
   0x00007fffc1e5c4fa <+154>:   mov    edi,0xde1
   0x00007fffc1e5c4ff <+159>:   jmp    0x7fffc1e56340 <glTexParameteri@plt>

Registers in glTexImage2D just before the crash:

Thread 15 "QSGRenderThread" hit Breakpoint 1, 0x00007ffff0866700 in glTexImage2D () from /usr/lib/x86_64-linux-gnu/libGL.so.1
(gdb) info registers 
rax            0x1907   6407
rbx            0x7fff881b5da4   140735476882852
rcx            0x7f     127
rdx            0x8051   32849
rsi            0x0      0
rdi            0xde1    3553
rbp            0x7fff881b5da0   0x7fff881b5da0
rsp            0x7fff9f7fd678   0x7fff9f7fd678
r8             0x7f     127
r9             0x0      0
r10            0x1      1
r11            0x3f800000       1065353216
r12            0x7fff98e56593   140735758558611
r13            0x7fff940266b0   140735676573360
r14            0x7fff9f7fd760   140735869343584
r15            0x7fff8816a140   140735476572480
rip            0x7ffff0866700   0x7ffff0866700 <glTexImage2D>
eflags         0x206    [ PF IF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0

(gdb) x/4xa $rsp
0x7fff9f7fd678: 0x7fffc1e5c4ac <_ZN13VideoMaterial11bindTextureEiPKh+76>        0x1907
0x7fff9f7fd688: 0x1401  0x7fff98e56593

The first 6 args of glTexImage2D are in the registers above; the other 3 args are on the stack.
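
Added example, not part of the original comment and not kamoso or qt-gstreamer code: it maps the register and stack dump from comment 4 onto the nine glTexImage2D parameters using the System V AMD64 calling convention, then computes how many bytes the driver reads from pixels for a given GL_UNPACK_ALIGNMENT. The alignment in effect at the crash is not shown on this page; the function names and the trimmed sample strings are constructed for illustration.

```python
import re

# Constructed sample: the argument-carrying lines from the gdb output in comment 4.
GDB_REGS = """\
rax            0x1907   6407
rcx            0x7f     127
rdx            0x8051   32849
rsi            0x0      0
rdi            0xde1    3553
r8             0x7f     127
r9             0x0      0
"""
GDB_STACK = """\
0x7fff9f7fd678: 0x7fffc1e5c4ac <_ZN13VideoMaterial11bindTextureEiPKh+76>        0x1907
0x7fff9f7fd688: 0x1401  0x7fff98e56593
"""

# Standard OpenGL enum values for the constants seen in the dump.
GL_NAMES = {0x0DE1: "GL_TEXTURE_2D", 0x8051: "GL_RGB8",
            0x1907: "GL_RGB", 0x1401: "GL_UNSIGNED_BYTE"}
PARAMS = ["target", "level", "internalformat", "width", "height",
          "border", "format", "type", "pixels"]
INT_ARG_REGS = ["rdi", "rsi", "rdx", "rcx", "r8", "r9"]  # System V AMD64 order


def decode_call(regs_text, stack_text):
    """Return the glTexImage2D arguments as seen at function entry."""
    regs = {m[1]: int(m[2], 16)
            for m in re.finditer(r"^(\w+)\s+(0x[0-9a-f]+)", regs_text, re.M)}
    words = []
    for line in stack_text.splitlines():
        # Drop the "address:" prefix and gdb's <symbol+off> annotations.
        body = re.sub(r"<[^>]*>", "", line.split(":", 1)[1])
        words += [int(w, 16) for w in body.split()]
    # words[0] is the return address; arguments 7..9 follow it on the stack.
    values = [regs[r] for r in INT_ARG_REGS] + words[1:4]
    return dict(zip(PARAMS, values))


def upload_size(width, height, bytes_per_pixel, unpack_alignment):
    """Bytes read from pixels: each row is padded up to the unpack alignment."""
    stride = width * bytes_per_pixel
    padded = (stride + unpack_alignment - 1) // unpack_alignment * unpack_alignment
    return padded * height


if __name__ == "__main__":
    args = decode_call(GDB_REGS, GDB_STACK)
    for name in PARAMS:
        print(f"{name:15}{GL_NAMES.get(args[name], hex(args[name]))}")
    for align in (1, 4):  # 4 is the OpenGL default for GL_UNPACK_ALIGNMENT
        print("alignment", align, "->", upload_size(args["width"], args["height"], 3, align), "bytes")
```

The decoded call is a 127x127 GL_RGB / GL_UNSIGNED_BYTE upload, so a row is 381 bytes and the read size depends on the unpack alignment. Comparing that size with the length of the buffer behind pixels is the check to make on the application side.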