Camera crashes when taking pictures with qt5.1.1

Bug #1223042 reported by Ricardo Salveti
Affects                          Status         Importance   Assigned to      Milestone
camera-app (Ubuntu)              Fix Released   High         Günter Schwann
qtbase-opensource-src (Ubuntu)   Fix Released   Undecided    Unassigned

Bug Description

Using the following Qt5.1.1 packages from https://launchpad.net/~canonical-qt5-edgers/+archive/qt5-beta-proper:

libqt5core5:armhf 5.1.1+dfsg-2ubuntu1~saucy1~test5
libqt5opengl5:armhf 5.1.1+dfsg-2ubuntu1~saucy1~test5

Steps to reproduce:
1 - Open the camera-app
2 - Take a picture

Can't reproduce all the time, but it's quite easy to reproduce the issue.

Backtrace:
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x49aa8460 (LWP 5262)]
0x00000000 in ?? ()
(gdb) bt full
#0 0x00000000 in ?? ()
No symbol table info available.
#1 0x403dceaa in QSGOpaqueTextureMaterialShader::updateState (this=0x279c30, state=..., newEffect=0x386fd4, oldEffect=0x0) at scenegraph/util/qsgtexturematerial.cpp:107
        tx = 0x386fd4
        oldTx = 0x0
        npotSupported = true
        size = {wd = 1235909436, ht = 1077792673}
        isNpot = <optimized out>
#2 0x403d6700 in QSGDefaultRenderer::renderNodes (this=this@entry=0x322f18, nodes=<optimized out>, count=count@entry=12) at scenegraph/coreapi/qsgdefaultrenderer.cpp:528
        geomNode = 0x386f30
        changeMatrix = <optimized out>
        updates = <optimized out>
        changeClip = <optimized out>
        changeProgram = <optimized out>
        changeRenderOrder = <optimized out>
        changeOpacity = <optimized out>
        material = 0x386fd4
        program = 0x279c30
        i = 0
        scale = <optimized out>
        currentRenderOrder = <optimized out>
        currentClipType = {i = 0}
        projection = {m = {{0.00260416674, 0, 0, 0}, {0, -0.00163666124, 0, 0}, {0, 0, 1, 0}, {-1, 1, 0, 1}}, flagBits = 3}
#3 0x403d6a32 in QSGDefaultRenderer::render (this=0x322f18) at scenegraph/coreapi/qsgdefaultrenderer.cpp:281
        opaqueEnd = 3
        transparentEnd = 12
        i = 0
        r = <optimized out>
        sortNodes = <optimized out>
        opaqueStart = <optimized out>
        transparentStart = 0
#4 0x403da1de in QSGRenderer::renderScene (this=this@entry=0x322f18, bindable=...) at scenegraph/coreapi/qsgrenderer.cpp:274
        profileFrames = false
        bindTime = 0
        renderTime = 0
#5 0x403da2e8 in QSGRenderer::renderScene (this=this@entry=0x322f18) at scenegraph/coreapi/qsgrenderer.cpp:231
        b = warning: RTTI symbol not found for class 'QSGRenderer::renderScene()::B'
{<QSGBindable> = {_vptr.QSGBindable = 0x40503ad8 <vtable for QSGRenderer::renderScene()::B+8>}, <No data fields>}
#6 0x403e0e56 in QSGContext::renderNextFrame (this=<optimized out>, renderer=0x322f18, fboId=<optimized out>) at scenegraph/qsgcontext.cpp:313
No locals.
#7 0x4040452e in QQuickWindowPrivate::renderSceneGraph (this=this@entry=0x40c50, size=...) at items/qquickwindow.cpp:336
        _qml_memory_scope = {pushed = false}
        fboId = <optimized out>
        devicePixelRatio = <optimized out>
#8 0x403f1ace in QSGRenderThread::syncAndRender (this=this@entry=0x40330) at scenegraph/qsgthreadedrenderloop.cpp:595
        i = 0
        profileFrames = <optimized out>
        syncRequested = <optimized out>
        __PRETTY_FUNCTION__ = "void QSGRenderThread::syncAndRender()"
        waitTimer = {t1 = 725, t2 = 845641251}
        repaintRequested = <optimized out>
#9 0x403f2996 in QSGRenderThread::run (this=0x40330) at scenegraph/qsgthreadedrenderloop.cpp:666
No locals.
#10 0x4009a86c in QThreadPrivate::start (arg=0x40330) at thread/qthread_unix.cpp:345
        __clframe = {__cancel_routine = 0x40099ff1 <QThreadPrivate::finish(void*)>, __cancel_arg = 0x40330, __do_it = 1, __cancel_type = <optimized out>}
        thr = 0x40330
        data = <optimized out>
        objectName = {static null = {<No data fields>}, d = 0x4020ce94 <QArrayData::shared_null>}
#11 0x40ad1e64 in start_thread (arg=0x49aa8460) at pthread_create.c:313
        pd = 0x49aa8460
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {1235912312, 1235911776, 1, 1235910120, -1090523272, -1090523272, 1235911776, 1112166720, 1235910120, 1085087299, 0 <repeats 16 times>,
                536870931, 0 <repeats 37 times>}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
        not_first_call = <optimized out>
        pagesize_m1 = <optimized out>
        sp = <optimized out>
        freesize = <optimized out>
        __PRETTY_FUNCTION__ = "start_thread"
#12 0x40a79758 in ?? () at ../ports/sysdeps/unix/sysv/linux/arm/nptl/../clone.S:96 from /lib/arm-linux-gnueabihf/libc.so.6
No locals.
#13 0x40a79758 in ?? () at ../ports/sysdeps/unix/sysv/linux/arm/nptl/../clone.S:96 from /lib/arm-linux-gnueabihf/libc.so.6

Tags: qt5.1

tags: added: qt5.1
Bill Filler (bfiller)
Changed in camera-app (Ubuntu):
importance: Undecided → High
assignee: nobody → Günter Schwann (schwann)
Günter Schwann (schwann) wrote :

The crash is caused by the preview sliding down after the capture.
Actually it's after the animation: the image is reset by setting its source to "", and that triggers the crash.
This does not happen when an image is loaded from disk as the preview.

Günter Schwann (schwann) wrote :

Loading an image from disk in AalVideoRendererControl::onSnapshotTaken() instead of passing the preview stops the camera from crashing.

Loading an image from disk in ShaderVideoNode::onTakeSnapshot() and passing it as the preview keeps the camera crashing.

All that happens is that the QImage is passed from ShaderVideoNode::onTakeSnapshot() via signal/slot to AalVideoRendererControl::onSnapshotTaken() (maybe crossing thread boundaries).
No idea why that causes the crash...

grizzancs (grizzancs) wrote :

We have the same backtrace and crash, without using any camera functionality (though we do set the source for an image to "" at one point.) We'll test whether skipping the empty string fixes it.

The image is loaded through an ImageProvider from C++ and is changed dynamically without depending on the ID; the empty string is used to trigger a refresh of the Image, as it requests the image from the provider only if the URI has changed.

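The refresh pattern described in the comment above, written out as an added example (this is not code from the thread or from either application): an Image backed by a C++ image provider, with one function that bounces source through "" to force a new request, and one that bumps a revision in the URI so the source changes without ever becoming empty. The provider name "preview", the id "frame" and the property names are assumptions; the revision-based refresh is a standard Qt pattern, not something the thread verified as a fix.

```qml
import QtQuick 2.0

Item {
    // Assumption: a QQuickImageProvider was registered from C++ as "preview"
    // (engine->addImageProvider("preview", provider)) and returns the latest
    // frame regardless of the id it is asked for, as the comment describes.
    property int revision: 0

    Image {
        id: preview
        anchors.fill: parent
        cache: false                  // do not serve a stale frame from the pixmap cache
        source: "image://preview/frame"
    }

    // Pattern from the comment: Image only re-requests from the provider when
    // the URI changes, so source is set to "" and then back to force a refresh.
    // Going through "" is the step that precedes the crash reported above on Qt 5.1.1.
    function refreshViaEmptySource() {
        preview.source = ""
        preview.source = "image://preview/frame"
    }

    // Alternative (assumption): change the URI itself by appending a revision,
    // so the provider is asked again while source never becomes empty.
    // The provider receives the id "frame?rev=N" and is expected to ignore it.
    function refreshViaRevision() {
        revision += 1
        preview.source = "image://preview/frame?rev=" + revision
    }
}
```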
grizzancs (grizzancs) wrote :

I forgot to mention we're developing a completely different application, with the Qt 5.1.1 release (from their homepage), though on Kubuntu.

Ricardo Salveti (rsalveti) wrote :

Interesting, this is probably an upstream regression in Qt.

Adam, do you know if we have a bug in upstream already? Would be nice if you could also show how you are reproducing the issue in Kubuntu.

David Faure (faure) wrote :

This looks like https://bugreports.qt-project.org/browse/QTBUG-34944, which is fixed in Qt 5.2.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package qtbase-opensource-src - 5.2.1+dfsg-1ubuntu7

---------------
qtbase-opensource-src (5.2.1+dfsg-1ubuntu7) trusty; urgency=medium

  [ Colin Watson ]
  * Add arm64 to archs that don't use -m64

qtbase-opensource-src (5.2.1+dfsg-1ubuntu6) trusty; urgency=medium

  * Add Use-None-instead-of-GLX_NONE.patch:
    - Cherry-pick upstream patch (LP: #1288278)

qtbase-opensource-src (5.2.1+dfsg-1ubuntu5) trusty; urgency=medium

  * Only run tests on armhf, amd64 and i386.

qtbase-opensource-src (5.2.1+dfsg-1ubuntu4) trusty; urgency=medium

  [ Chris Gagnon ]
  * Enable unit tests

qtbase-opensource-src (5.2.1+dfsg-1ubuntu3) trusty; urgency=medium

  * Revert the transitional package change final landing.

qtbase-opensource-src (5.2.1+dfsg-1ubuntu2) trusty; urgency=medium

  * libqt5core5 transitional package to be able to run ABI related tests

qtbase-opensource-src (5.2.1+dfsg-1ubuntu1) trusty; urgency=low

  [ Dmitry Shachnev ]
  * Update watch file (taken from Debian).
  * Fix generating documentation by building qdoc before using it.
  * Remove qtcreator.qdoc from qtbase5-doc.install, as it is already in
    qtbase5-dev.install.
  * Merge with Debian up to 5.2.0~beta1+dfsg-3.
    - Fixes build failures on powerpc and armel.
  * Add debian/patches/fix_cppcodemarker_crash.patch to fix qdoc
    crash that caused ubuntu-ui-toolkit to FTBFS (LP: #1217331).

  [ Łukasz 'sil2100' Zemczak ]
  * Cherry-pick two submitted patches to support appmenu-qt: (LP: #1157213)
    - make_qkdetheme_constructor_public.diff
    - platformtheme_env.diff

  [ Timo Jyrinki ]
  * New upstream release 5.2.1 (LP: #1256341) (LP: #1223032) (LP: #1222988)
    (LP: #1223042) (LP: #1253120) (LP: #1251262)
  * Sync with Debian 5.2.0+dfsg-7, remaining changes:
    - Remove firebird and ibase dependencies
    - Maintainer fields and Vcs-Bzr
    - No gdb required on ppc64el
    - Provides: qt-default to qt5-default
    - Define explicit list on which archs openvg required
    - Additional patches:
      + disable_overlay_scrollbars.diff
      + load_testability_from_env_var.patch
      + make_qkdetheme_constructor_public.diff
      + platformtheme_env.diff
      + qdoc-Fix-crash-in-Generator-generateInnerNode.patch
      + 0001-Do-not-overwrite-basePixmap-of-QIconLoader-PixmapEnt.patch
    - Use our symbols files
    - Additional multi-arch packages (not correct policy-wise)
  * Drop upstream patches:
    - add_since_52_to_new_QColor_features.patch
    - fix_cppcodemarker_crash.patch
    - fix_usr-move_workaround_in_the_presence_of_multi-arch.patch
    - make_QColor_understand_AARRGGBB.patch
    - Add-workaround-for-GL-on-Android-emulator.patch
    - 0001-Do-not-overwrite-basePixmap-of-QIconLoader-PixmapEnt.patch
    - fix_destroy_qapp_segfault.diff
  * Remove Ubuntu patches:
    - enable_appmenu_support.diff (obsolete)
    - 0001-Implement-XEmbed-protocol.patch (submitted and merged upstream)
    - fix_maliit_activation.patch (not used anymore)
    - inputmethod_fix_focusout.patch (not used anymore)
    - fix_number_precision_qjsondocument.patch_8e8becdc.patch (upstream)
    - bug1227629.patch (merged upstream)
    - fix_rowinserted.patch (LP: #1242630...

Changed in qtbase-opensource-src (Ubuntu):
status: New → Fix Released
Changed in camera-app (Ubuntu):
status: New → Fix Released