camera v6.2.2 crashes on launch on Fedora

[decathorpe]

I got a crash report that Camera crashes on start on Fedora 38 (GNOME/Wayland), and I was able to reproduce the same issue on Fedora 39 (both GNOME/Wayland and GNOME/Xorg) - I don't have a fully functional Pantheon session yet where I can test this, but I don't think Pantheon and GNOME/Xorg should be different here.

On Wayland, there are some Gdk-WARNING log messages, and on Xorg, there are GStreamer-CRITICAL log messages, but the crash that immediately follows those looks similar (null pointer dereference?).

I ran valgrind io.elementary.camera on both GNOME/Wayland and GNOME/Xorg on Fedora 39 and these are the logs that also includes the backtraces for the invalid reads / writes (there seem to be both use-after-free issues and null-pointer dereferences).

log: valgrind io.elementary.camera on Wayland

==715736== Memcheck, a memory error detector
==715736== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al.
==715736== Using Valgrind-3.22.0 and LibVEX; rerun with -h for copyright info
==715736== Command: io.elementary.camera
==715736== 
==715736== Invalid write of size 8
==715736==    at 0x1A1DF7D8: UnknownInlinedFun (list.h:61)
==715736==    by 0x1A1DF7D8: destroy_port (gstpipewiredeviceprovider.c:489)
==715736==    by 0x1A27BB87: pw_proxy_destroy (proxy.c:230)
==715736==    by 0x1A27BDB7: pw_proxy_remove (proxy.c:254)
==715736==    by 0x1A246D08: UnknownInlinedFun (core.c:166)
==715736==    by 0x1A246D08: UnknownInlinedFun (map.h:218)
==715736==    by 0x1A246D08: UnknownInlinedFun (core.c:205)
==715736==    by 0x1A246D08: proxy_core_removed (core.c:186)
==715736==    by 0x1A27BDB7: pw_proxy_remove (proxy.c:254)
==715736==    by 0x1A247177: pw_core_disconnect (core.c:487)
==715736==    by 0x1A1DC777: gst_pipewire_core_release (gstpipewirecore.c:174)
==715736==    by 0x1A1DF3B6: gst_pipewire_device_provider_probe (gstpipewiredeviceprovider.c:624)
==715736==    by 0x48D5C8F: gst_device_provider_get_devices (gstdeviceprovider.c:424)
==715736==    by 0x48EAC79: gst_device_monitor_get_devices (gstdevicemonitor.c:447)
==715736==    by 0x1158CD: UnknownInlinedFun (CameraView.vala:162)
==715736==    by 0x1158CD: camera_main_window_constructor (MainWindow.vala:113)
==715736==    by 0x49DEA4B: g_object_new_with_custom_constructor (gobject.c:2163)
==715736==  Address 0x17f293c0 is 288 bytes inside a block of size 304 free'd
==715736==    at 0x4845B2C: free (vg_replace_malloc.c:985)
==715736==    by 0x1A246D08: UnknownInlinedFun (core.c:166)
==715736==    by 0x1A246D08: UnknownInlinedFun (map.h:218)
==715736==    by 0x1A246D08: UnknownInlinedFun (core.c:205)
==715736==    by 0x1A246D08: proxy_core_removed (core.c:186)
==715736==    by 0x1A27BDB7: pw_proxy_remove (proxy.c:254)
==715736==    by 0x1A247177: pw_core_disconnect (core.c:487)
==715736==    by 0x1A1DC777: gst_pipewire_core_release (gstpipewirecore.c:174)
==715736==    by 0x1A1DF3B6: gst_pipewire_device_provider_probe (gstpipewiredeviceprovider.c:624)
==715736==    by 0x48D5C8F: gst_device_provider_get_devices (gstdeviceprovider.c:424)
==715736==    by 0x48EAC79: gst_device_monitor_get_devices (gstdevicemonitor.c:447)
==715736==    by 0x1158CD: UnknownInlinedFun (CameraView.vala:162)
==715736==    by 0x1158CD: camera_main_window_constructor (MainWindow.vala:113)
==715736==    by 0x49DEA4B: g_object_new_with_custom_constructor (gobject.c:2163)
==715736==    by 0x49E0D29: UnknownInlinedFun (gobject.c:2243)
==715736==    by 0x49E0D29: g_object_new_valist (gobject.c:2584)
==715736==    by 0x49E155E: g_object_new (gobject.c:2057)
==715736==  Block was alloc'd at
==715736==    at 0x4849E60: calloc (vg_replace_malloc.c:1595)
==715736==    by 0x1A27B75E: pw_proxy_new (proxy.c:80)
==715736==    by 0x1A45E46D: registry_marshal_bind.lto_priv.0 (protocol-native.c:1852)
==715736==    by 0x1A1E07D7: UnknownInlinedFun (core.h:517)
==715736==    by 0x1A1E07D7: registry_event_global (gstpipewiredeviceprovider.c:510)
==715736==    by 0x1A45BBD1: registry_demarshal_global.lto_priv.0 (protocol-native.c:1826)
==715736==    by 0x1A449020: process_remote (module-protocol-native.c:1037)
==715736==    by 0x1A449807: on_remote_data (module-protocol-native.c:1071)
==715736==    by 0x1A2EEF15: loop_iterate (loop.c:496)
==715736==    by 0x1A290E16: do_loop (thread-loop.c:295)
==715736==    by 0x58F9896: start_thread (pthread_create.c:444)
==715736==    by 0x5980563: clone (clone.S:100)
==715736== 
==715736== Invalid write of size 8
==715736==    at 0x1A1DF7DF: UnknownInlinedFun (list.h:62)
==715736==    by 0x1A1DF7DF: destroy_port (gstpipewiredeviceprovider.c:489)
==715736==    by 0x1A27BB87: pw_proxy_destroy (proxy.c:230)
==715736==    by 0x1A27BDB7: pw_proxy_remove (proxy.c:254)
==715736==    by 0x1A246D08: UnknownInlinedFun (core.c:166)
==715736==    by 0x1A246D08: UnknownInlinedFun (map.h:218)
==715736==    by 0x1A246D08: UnknownInlinedFun (core.c:205)
==715736==    by 0x1A246D08: proxy_core_removed (core.c:186)
==715736==    by 0x1A27BDB7: pw_proxy_remove (proxy.c:254)
==715736==    by 0x1A247177: pw_core_disconnect (core.c:487)
==715736==    by 0x1A1DC777: gst_pipewire_core_release (gstpipewirecore.c:174)
==715736==    by 0x1A1DF3B6: gst_pipewire_device_provider_probe (gstpipewiredeviceprovider.c:624)
==715736==    by 0x48D5C8F: gst_device_provider_get_devices (gstdeviceprovider.c:424)
==715736==    by 0x48EAC79: gst_device_monitor_get_devices (gstdevicemonitor.c:447)
==715736==    by 0x1158CD: UnknownInlinedFun (CameraView.vala:162)
==715736==    by 0x1158CD: camera_main_window_constructor (MainWindow.vala:113)
==715736==    by 0x49DEA4B: g_object_new_with_custom_constructor (gobject.c:2163)
==715736==  Address 0x17f293c8 is 296 bytes inside a block of size 304 free'd
==715736==    at 0x4845B2C: free (vg_replace_malloc.c:985)
==715736==    by 0x1A246D08: UnknownInlinedFun (core.c:166)
==715736==    by 0x1A246D08: UnknownInlinedFun (map.h:218)
==715736==    by 0x1A246D08: UnknownInlinedFun (core.c:205)
==715736==    by 0x1A246D08: proxy_core_removed (core.c:186)
==715736==    by 0x1A27BDB7: pw_proxy_remove (proxy.c:254)
==715736==    by 0x1A247177: pw_core_disconnect (core.c:487)
==715736==    by 0x1A1DC777: gst_pipewire_core_release (gstpipewirecore.c:174)
==715736==    by 0x1A1DF3B6: gst_pipewire_device_provider_probe (gstpipewiredeviceprovider.c:624)
==715736==    by 0x48D5C8F: gst_device_provider_get_devices (gstdeviceprovider.c:424)
==715736==    by 0x48EAC79: gst_device_monitor_get_devices (gstdevicemonitor.c:447)
==715736==    by 0x1158CD: UnknownInlinedFun (CameraView.vala:162)
==715736==    by 0x1158CD: camera_main_window_constructor (MainWindow.vala:113)
==715736==    by 0x49DEA4B: g_object_new_with_custom_constructor (gobject.c:2163)
==715736==    by 0x49E0D29: UnknownInlinedFun (gobject.c:2243)
==715736==    by 0x49E0D29: g_object_new_valist (gobject.c:2584)
==715736==    by 0x49E155E: g_object_new (gobject.c:2057)
==715736==  Block was alloc'd at
==715736==    at 0x4849E60: calloc (vg_replace_malloc.c:1595)
==715736==    by 0x1A27B75E: pw_proxy_new (proxy.c:80)
==715736==    by 0x1A45E46D: registry_marshal_bind.lto_priv.0 (protocol-native.c:1852)
==715736==    by 0x1A1E07D7: UnknownInlinedFun (core.h:517)
==715736==    by 0x1A1E07D7: registry_event_global (gstpipewiredeviceprovider.c:510)
==715736==    by 0x1A45BBD1: registry_demarshal_global.lto_priv.0 (protocol-native.c:1826)
==715736==    by 0x1A449020: process_remote (module-protocol-native.c:1037)
==715736==    by 0x1A449807: on_remote_data (module-protocol-native.c:1071)
==715736==    by 0x1A2EEF15: loop_iterate (loop.c:496)
==715736==    by 0x1A290E16: do_loop (thread-loop.c:295)
==715736==    by 0x58F9896: start_thread (pthread_create.c:444)
==715736==    by 0x5980563: clone (clone.S:100)
==715736== 

(io.elementary.camera:715736): Gdk-WARNING **: 01:25:22.780: eglMakeCurrent failed

(io.elementary.camera:715736): Gdk-WARNING **: 01:25:22.801: eglMakeCurrent failed

(io.elementary.camera:715736): Gdk-WARNING **: 01:25:23.156: eglMakeCurrent failed
==715736== Invalid read of size 1
==715736==    at 0x56F74D4: UnknownInlinedFun (gdkglcontext.c:420)
==715736==    by 0x56F74D4: gdk_gl_texture_from_surface (gdkgl.c:734)
==715736==    by 0x5700CBF: gdk_window_end_paint_internal (gdkwindow.c:3060)
==715736==    by 0x5700DDA: UnknownInlinedFun (gdkwindow.c:3311)
==715736==    by 0x5700DDA: gdk_window_end_draw_frame (gdkwindow.c:3294)
==715736==    by 0x52503B9: gtk_widget_render (gtkwidget.c:17613)
==715736==    by 0x50ED7FF: UnknownInlinedFun (gtkmain.c:1844)
==715736==    by 0x50ED7FF: gtk_main_do_event (gtkmain.c:1691)
==715736==    by 0x56EB416: UnknownInlinedFun (gdkevents.c:73)
==715736==    by 0x56EB416: _gdk_event_emit (gdkevents.c:67)
==715736==    by 0x56FD7B8: _gdk_window_process_updates_recurse_helper.lto_priv.0 (gdkwindow.c:3874)
==715736==    by 0x5701E84: gdk_window_process_updates_internal (gdkwindow.c:4020)
==715736==    by 0x5702090: UnknownInlinedFun (gdkwindow.c:4215)
==715736==    by 0x5702090: gdk_window_process_updates_with_mode.lto_priv.0 (gdkwindow.c:4186)
==715736==    by 0x49EDE84: UnknownInlinedFun (gclosure.c:895)
==715736==    by 0x49EDE84: signal_emit_valist_unlocked (gsignal.c:3516)
==715736==    by 0x49EDF90: g_signal_emit_valist (gsignal.c:3355)
==715736==    by 0x49EE052: g_signal_emit (gsignal.c:3675)
==715736==  Address 0xffffffffffffffe4 is not stack'd, malloc'd or (recently) free'd
==715736== 
==715736== 
==715736== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==715736==  Access not within mapped region at address 0xFFFFFFFFFFFFFFE4
==715736==    at 0x56F74D4: UnknownInlinedFun (gdkglcontext.c:420)
==715736==    by 0x56F74D4: gdk_gl_texture_from_surface (gdkgl.c:734)
==715736==    by 0x5700CBF: gdk_window_end_paint_internal (gdkwindow.c:3060)
==715736==    by 0x5700DDA: UnknownInlinedFun (gdkwindow.c:3311)
==715736==    by 0x5700DDA: gdk_window_end_draw_frame (gdkwindow.c:3294)
==715736==    by 0x52503B9: gtk_widget_render (gtkwidget.c:17613)
==715736==    by 0x50ED7FF: UnknownInlinedFun (gtkmain.c:1844)
==715736==    by 0x50ED7FF: gtk_main_do_event (gtkmain.c:1691)
==715736==    by 0x56EB416: UnknownInlinedFun (gdkevents.c:73)
==715736==    by 0x56EB416: _gdk_event_emit (gdkevents.c:67)
==715736==    by 0x56FD7B8: _gdk_window_process_updates_recurse_helper.lto_priv.0 (gdkwindow.c:3874)
==715736==    by 0x5701E84: gdk_window_process_updates_internal (gdkwindow.c:4020)
==715736==    by 0x5702090: UnknownInlinedFun (gdkwindow.c:4215)
==715736==    by 0x5702090: gdk_window_process_updates_with_mode.lto_priv.0 (gdkwindow.c:4186)
==715736==    by 0x49EDE84: UnknownInlinedFun (gclosure.c:895)
==715736==    by 0x49EDE84: signal_emit_valist_unlocked (gsignal.c:3516)
==715736==    by 0x49EDF90: g_signal_emit_valist (gsignal.c:3355)
==715736==    by 0x49EE052: g_signal_emit (gsignal.c:3675)
==715736==  If you believe this happened as a result of a stack
==715736==  overflow in your program's main thread (unlikely but
==715736==  possible), you can try to increase the size of the
==715736==  main thread stack using the --main-stacksize= flag.
==715736==  The main thread stack size used in this run was 8388608.
==715736== 
==715736== HEAP SUMMARY:
==715736==     in use at exit: 20,608,344 bytes in 83,818 blocks
==715736==   total heap usage: 845,848 allocs, 762,030 frees, 98,532,554 bytes allocated
==715736== 
==715736== LEAK SUMMARY:
==715736==    definitely lost: 52,528 bytes in 9 blocks
==715736==    indirectly lost: 22,976 bytes in 962 blocks
==715736==      possibly lost: 114,723 bytes in 1,510 blocks
==715736==    still reachable: 19,956,565 bytes in 78,289 blocks
==715736==         suppressed: 0 bytes in 0 blocks
==715736== Rerun with --leak-check=full to see details of leaked memory
==715736== 
==715736== For lists of detected and suppressed errors, rerun with: -s
==715736== ERROR SUMMARY: 35 errors from 3 contexts (suppressed: 0 from 0)

log: valgrind io.elementary.camera on Xorg

==6350== Memcheck, a memory error detector
==6350== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al.
==6350== Using Valgrind-3.22.0 and LibVEX; rerun with -h for copyright info
==6350== Command: io.elementary.camera
==6350== 
==6350== Invalid write of size 8
==6350==    at 0x1649F7D8: UnknownInlinedFun (list.h:61)
==6350==    by 0x1649F7D8: destroy_port (gstpipewiredeviceprovider.c:489)
==6350==    by 0x19975B87: pw_proxy_destroy (proxy.c:230)
==6350==    by 0x19975DB7: pw_proxy_remove (proxy.c:254)
==6350==    by 0x19940D08: UnknownInlinedFun (core.c:166)
==6350==    by 0x19940D08: UnknownInlinedFun (map.h:218)
==6350==    by 0x19940D08: UnknownInlinedFun (core.c:205)
==6350==    by 0x19940D08: proxy_core_removed (core.c:186)
==6350==    by 0x19975DB7: pw_proxy_remove (proxy.c:254)
==6350==    by 0x19941177: pw_core_disconnect (core.c:487)
==6350==    by 0x1649C777: gst_pipewire_core_release (gstpipewirecore.c:174)
==6350==    by 0x1649F3B6: gst_pipewire_device_provider_probe (gstpipewiredeviceprovider.c:624)
==6350==    by 0x48D1C8F: gst_device_provider_get_devices (gstdeviceprovider.c:424)
==6350==    by 0x48E6C79: gst_device_monitor_get_devices (gstdevicemonitor.c:447)
==6350==    by 0x1158CD: UnknownInlinedFun (CameraView.vala:162)
==6350==    by 0x1158CD: camera_main_window_constructor (MainWindow.vala:113)
==6350==    by 0x49DAA4B: g_object_new_with_custom_constructor (gobject.c:2163)
==6350==  Address 0x1974b400 is 288 bytes inside a block of size 304 free'd
==6350==    at 0x4845B2C: free (vg_replace_malloc.c:985)
==6350==    by 0x19940D08: UnknownInlinedFun (core.c:166)
==6350==    by 0x19940D08: UnknownInlinedFun (map.h:218)
==6350==    by 0x19940D08: UnknownInlinedFun (core.c:205)
==6350==    by 0x19940D08: proxy_core_removed (core.c:186)
==6350==    by 0x19975DB7: pw_proxy_remove (proxy.c:254)
==6350==    by 0x19941177: pw_core_disconnect (core.c:487)
==6350==    by 0x1649C777: gst_pipewire_core_release (gstpipewirecore.c:174)
==6350==    by 0x1649F3B6: gst_pipewire_device_provider_probe (gstpipewiredeviceprovider.c:624)
==6350==    by 0x48D1C8F: gst_device_provider_get_devices (gstdeviceprovider.c:424)
==6350==    by 0x48E6C79: gst_device_monitor_get_devices (gstdevicemonitor.c:447)
==6350==    by 0x1158CD: UnknownInlinedFun (CameraView.vala:162)
==6350==    by 0x1158CD: camera_main_window_constructor (MainWindow.vala:113)
==6350==    by 0x49DAA4B: g_object_new_with_custom_constructor (gobject.c:2163)
==6350==    by 0x49DCD29: UnknownInlinedFun (gobject.c:2243)
==6350==    by 0x49DCD29: g_object_new_valist (gobject.c:2584)
==6350==    by 0x49DD55E: g_object_new (gobject.c:2057)
==6350==  Block was alloc'd at
==6350==    at 0x4849E60: calloc (vg_replace_malloc.c:1595)
==6350==    by 0x1997575E: pw_proxy_new (proxy.c:80)
==6350==    by 0x19B1C46D: registry_marshal_bind.lto_priv.0 (protocol-native.c:1852)
==6350==    by 0x164A07D7: UnknownInlinedFun (core.h:517)
==6350==    by 0x164A07D7: registry_event_global (gstpipewiredeviceprovider.c:510)
==6350==    by 0x19B19BD1: registry_demarshal_global.lto_priv.0 (protocol-native.c:1826)
==6350==    by 0x19B07020: process_remote (module-protocol-native.c:1037)
==6350==    by 0x19B07807: on_remote_data (module-protocol-native.c:1071)
==6350==    by 0x164B0F15: loop_iterate (loop.c:496)
==6350==    by 0x1998AE16: do_loop (thread-loop.c:295)
==6350==    by 0x58F5896: start_thread (pthread_create.c:444)
==6350==    by 0x597C563: clone (clone.S:100)
==6350== 
==6350== Invalid write of size 8
==6350==    at 0x1649F7DF: UnknownInlinedFun (list.h:62)
==6350==    by 0x1649F7DF: destroy_port (gstpipewiredeviceprovider.c:489)
==6350==    by 0x19975B87: pw_proxy_destroy (proxy.c:230)
==6350==    by 0x19975DB7: pw_proxy_remove (proxy.c:254)
==6350==    by 0x19940D08: UnknownInlinedFun (core.c:166)
==6350==    by 0x19940D08: UnknownInlinedFun (map.h:218)
==6350==    by 0x19940D08: UnknownInlinedFun (core.c:205)
==6350==    by 0x19940D08: proxy_core_removed (core.c:186)
==6350==    by 0x19975DB7: pw_proxy_remove (proxy.c:254)
==6350==    by 0x19941177: pw_core_disconnect (core.c:487)
==6350==    by 0x1649C777: gst_pipewire_core_release (gstpipewirecore.c:174)
==6350==    by 0x1649F3B6: gst_pipewire_device_provider_probe (gstpipewiredeviceprovider.c:624)
==6350==    by 0x48D1C8F: gst_device_provider_get_devices (gstdeviceprovider.c:424)
==6350==    by 0x48E6C79: gst_device_monitor_get_devices (gstdevicemonitor.c:447)
==6350==    by 0x1158CD: UnknownInlinedFun (CameraView.vala:162)
==6350==    by 0x1158CD: camera_main_window_constructor (MainWindow.vala:113)
==6350==    by 0x49DAA4B: g_object_new_with_custom_constructor (gobject.c:2163)
==6350==  Address 0x1974b408 is 296 bytes inside a block of size 304 free'd
==6350==    at 0x4845B2C: free (vg_replace_malloc.c:985)
==6350==    by 0x19940D08: UnknownInlinedFun (core.c:166)
==6350==    by 0x19940D08: UnknownInlinedFun (map.h:218)
==6350==    by 0x19940D08: UnknownInlinedFun (core.c:205)
==6350==    by 0x19940D08: proxy_core_removed (core.c:186)
==6350==    by 0x19975DB7: pw_proxy_remove (proxy.c:254)
==6350==    by 0x19941177: pw_core_disconnect (core.c:487)
==6350==    by 0x1649C777: gst_pipewire_core_release (gstpipewirecore.c:174)
==6350==    by 0x1649F3B6: gst_pipewire_device_provider_probe (gstpipewiredeviceprovider.c:624)
==6350==    by 0x48D1C8F: gst_device_provider_get_devices (gstdeviceprovider.c:424)
==6350==    by 0x48E6C79: gst_device_monitor_get_devices (gstdevicemonitor.c:447)
==6350==    by 0x1158CD: UnknownInlinedFun (CameraView.vala:162)
==6350==    by 0x1158CD: camera_main_window_constructor (MainWindow.vala:113)
==6350==    by 0x49DAA4B: g_object_new_with_custom_constructor (gobject.c:2163)
==6350==    by 0x49DCD29: UnknownInlinedFun (gobject.c:2243)
==6350==    by 0x49DCD29: g_object_new_valist (gobject.c:2584)
==6350==    by 0x49DD55E: g_object_new (gobject.c:2057)
==6350==  Block was alloc'd at
==6350==    at 0x4849E60: calloc (vg_replace_malloc.c:1595)
==6350==    by 0x1997575E: pw_proxy_new (proxy.c:80)
==6350==    by 0x19B1C46D: registry_marshal_bind.lto_priv.0 (protocol-native.c:1852)
==6350==    by 0x164A07D7: UnknownInlinedFun (core.h:517)
==6350==    by 0x164A07D7: registry_event_global (gstpipewiredeviceprovider.c:510)
==6350==    by 0x19B19BD1: registry_demarshal_global.lto_priv.0 (protocol-native.c:1826)
==6350==    by 0x19B07020: process_remote (module-protocol-native.c:1037)
==6350==    by 0x19B07807: on_remote_data (module-protocol-native.c:1071)
==6350==    by 0x164B0F15: loop_iterate (loop.c:496)
==6350==    by 0x1998AE16: do_loop (thread-loop.c:295)
==6350==    by 0x58F5896: start_thread (pthread_create.c:444)
==6350==    by 0x597C563: clone (clone.S:100)
==6350== 

(io.elementary.camera:6350): GStreamer-CRITICAL **: 01:25:12.142: gst_bin_add: assertion 'GST_IS_ELEMENT (element)' failed

(io.elementary.camera:6350): GStreamer-CRITICAL **: 01:25:12.168: gst_element_link_pads_full: assertion 'GST_IS_ELEMENT (dest)' failed

(io.elementary.camera:6350): GLib-GObject-CRITICAL **: 01:25:12.169: g_object_get: assertion 'G_IS_OBJECT (object)' failed
==6350== Use of uninitialised value of size 8
==6350==    at 0x4FFCDF4: UnknownInlinedFun (gtkcontainer.c:1862)
==6350==    by 0x4FFCDF4: gtk_container_add (gtkcontainer.c:1856)
==6350==    by 0x112E05: camera_widgets_camera_view_create_pipeline (CameraView.vala:259)
==6350==    by 0x113FDD: camera_widgets_camera_view_change_camera (CameraView.vala:189)
==6350==    by 0x4A6C80F: g_list_foreach (glist.c:1092)
==6350==    by 0x1158E2: UnknownInlinedFun (CameraView.vala:162)
==6350==    by 0x1158E2: camera_main_window_constructor (MainWindow.vala:113)
==6350==    by 0x49DAA4B: g_object_new_with_custom_constructor (gobject.c:2163)
==6350==    by 0x49DCD29: UnknownInlinedFun (gobject.c:2243)
==6350==    by 0x49DCD29: g_object_new_valist (gobject.c:2584)
==6350==    by 0x49DD55E: g_object_new (gobject.c:2057)
==6350==    by 0x110B1C: UnknownInlinedFun (MainWindow.vala:58)
==6350==    by 0x110B1C: UnknownInlinedFun (MainWindow.vala:57)
==6350==    by 0x110B1C: camera_application_real_activate (Application.vala:61)
==6350==    by 0x49E9E84: UnknownInlinedFun (gclosure.c:895)
==6350==    by 0x49E9E84: signal_emit_valist_unlocked (gsignal.c:3516)
==6350==    by 0x49E9F90: g_signal_emit_valist (gsignal.c:3355)
==6350==    by 0x49EA052: g_signal_emit (gsignal.c:3675)
==6350== 
==6350== Invalid read of size 8
==6350==    at 0x4FFCDF4: UnknownInlinedFun (gtkcontainer.c:1862)
==6350==    by 0x4FFCDF4: gtk_container_add (gtkcontainer.c:1856)
==6350==    by 0x112E05: camera_widgets_camera_view_create_pipeline (CameraView.vala:259)
==6350==    by 0x113FDD: camera_widgets_camera_view_change_camera (CameraView.vala:189)
==6350==    by 0x4A6C80F: g_list_foreach (glist.c:1092)
==6350==    by 0x1158E2: UnknownInlinedFun (CameraView.vala:162)
==6350==    by 0x1158E2: camera_main_window_constructor (MainWindow.vala:113)
==6350==    by 0x49DAA4B: g_object_new_with_custom_constructor (gobject.c:2163)
==6350==    by 0x49DCD29: UnknownInlinedFun (gobject.c:2243)
==6350==    by 0x49DCD29: g_object_new_valist (gobject.c:2584)
==6350==    by 0x49DD55E: g_object_new (gobject.c:2057)
==6350==    by 0x110B1C: UnknownInlinedFun (MainWindow.vala:58)
==6350==    by 0x110B1C: UnknownInlinedFun (MainWindow.vala:57)
==6350==    by 0x110B1C: camera_application_real_activate (Application.vala:61)
==6350==    by 0x49E9E84: UnknownInlinedFun (gclosure.c:895)
==6350==    by 0x49E9E84: signal_emit_valist_unlocked (gsignal.c:3516)
==6350==    by 0x49E9F90: g_signal_emit_valist (gsignal.c:3355)
==6350==    by 0x49EA052: g_signal_emit (gsignal.c:3675)
==6350==  Address 0x500 is not stack'd, malloc'd or (recently) free'd
==6350== 
==6350== 
==6350== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==6350==  Access not within mapped region at address 0x500
==6350==    at 0x4FFCDF4: UnknownInlinedFun (gtkcontainer.c:1862)
==6350==    by 0x4FFCDF4: gtk_container_add (gtkcontainer.c:1856)
==6350==    by 0x112E05: camera_widgets_camera_view_create_pipeline (CameraView.vala:259)
==6350==    by 0x113FDD: camera_widgets_camera_view_change_camera (CameraView.vala:189)
==6350==    by 0x4A6C80F: g_list_foreach (glist.c:1092)
==6350==    by 0x1158E2: UnknownInlinedFun (CameraView.vala:162)
==6350==    by 0x1158E2: camera_main_window_constructor (MainWindow.vala:113)
==6350==    by 0x49DAA4B: g_object_new_with_custom_constructor (gobject.c:2163)
==6350==    by 0x49DCD29: UnknownInlinedFun (gobject.c:2243)
==6350==    by 0x49DCD29: g_object_new_valist (gobject.c:2584)
==6350==    by 0x49DD55E: g_object_new (gobject.c:2057)
==6350==    by 0x110B1C: UnknownInlinedFun (MainWindow.vala:58)
==6350==    by 0x110B1C: UnknownInlinedFun (MainWindow.vala:57)
==6350==    by 0x110B1C: camera_application_real_activate (Application.vala:61)
==6350==    by 0x49E9E84: UnknownInlinedFun (gclosure.c:895)
==6350==    by 0x49E9E84: signal_emit_valist_unlocked (gsignal.c:3516)
==6350==    by 0x49E9F90: g_signal_emit_valist (gsignal.c:3355)
==6350==    by 0x49EA052: g_signal_emit (gsignal.c:3675)
==6350==  If you believe this happened as a result of a stack
==6350==  overflow in your program's main thread (unlikely but
==6350==  possible), you can try to increase the size of the
==6350==  main thread stack using the --main-stacksize= flag.
==6350==  The main thread stack size used in this run was 8388608.
==6350== 
==6350== HEAP SUMMARY:
==6350==     in use at exit: 4,900,736 bytes in 51,336 blocks
==6350==   total heap usage: 403,787 allocs, 352,451 frees, 32,704,825 bytes allocated
==6350== 
==6350== LEAK SUMMARY:
==6350==    definitely lost: 49,176 bytes in 3 blocks
==6350==    indirectly lost: 72 bytes in 3 blocks
==6350==      possibly lost: 22,873 bytes in 288 blocks
==6350==    still reachable: 4,433,207 bytes in 48,414 blocks
==6350==         suppressed: 0 bytes in 0 blocks
==6350== Rerun with --leak-check=full to see details of leaked memory
==6350== 
==6350== Use --track-origins=yes to see where uninitialised values come from
==6350== For lists of detected and suppressed errors, rerun with: -s
==6350== ERROR SUMMARY: 17 errors from 4 contexts (suppressed: 0 from 0)

[tintou]

Camera hard depends on "gstreamer1-plugins-good-gtk" in Fedora, this should fix the issue

[decathorpe]

Nope - that package is already installed.

[danirabbit]

I can confirm Camera crashes on OS 8 under Wayland as well, in Flatpak. It works fine in X11

[bmr-cymru]

I believe the initial report of a crash on startup is resolved in (at least) 8.0.0 - I'm running elementary-camera-8.0.0-2.fc42.x86_64 with Wayland/Gnome on F42 and the application starts up fine and works correctly (it selects the V4L2 sources by default, which do not seem to work, but that may be a system issue. Selecting the underlying devices from the camera menu works perfectly). Video and still capture works as expected.

While trying to understand the video source issue I tried running io.elementary.camera --gst-debug-level=9 which (after generating a huge amount of log messages) segfaults before initialising the window:

$ io.elementary.camera --gst-debug-level=9
...
0:00:00.531803432 626777 0x5584392659b0 TRACE        GST_REFCOUNTING gstobject.c:425:gst_object_finalize:<pipewiredevice7> 0x7f9474021870 finalize
0:00:00.531812152 626777 0x5584392659b0 TRACE        GST_REFCOUNTING gstminiobject.c:660:gst_mini_object_unref: 0x7f947400d790 unref 1->0
0:00:00.531818604 626777 0x5584392659b0 TRACE              structure gststructure.c:771:gst_structure_free: free structure 0x7f9474016690
0:00:00.531824939 626777 0x5584392659b0 TRACE               GST_CAPS gstcaps.c:219:_gst_caps_free: freeing caps 0x7f947400d790
Segmentation fault (core dumped)

Cycling through the debug levels this occurs with any --gst-debug-level value >= 5:

$ io.elementary.camera --gst-debug-level=5
...
9.999999999, seq-num 7, element 'pipewiredeviceprovider0', GstMessageDeviceRemoved, device=(GstDevice)"\(GstPipeWireDevice\)\ pipewiredevice6";
0:00:00.370640606 627074 0x559c5f1589b0 DEBUG                GST_BUS gstbus.c:452:gst_bus_post:<bus1> bus is flushing
0:00:00.370655877 627074 0x559c5f1589b0 DEBUG                GST_BUS gstbus.c:339:gst_bus_post:<bus1> [msg 0x7f999000b3f0] posting on bus device-removed message: 0x7f999000b3f0, time 99:99:99.999999999, seq-num 8, element 'pipewiredeviceprovider0', GstMessageDeviceRemoved, device=(GstDevice)"\(GstPipeWireDevice\)\ pipewiredevice7";
0:00:00.370661762 627074 0x559c5f1589b0 DEBUG                GST_BUS gstbus.c:452:gst_bus_post:<bus1> bus is flushing
Segmentation fault (core dumped)

@decathorpe pointed me at this issue (which I'd read previously), but I think this may be a different problem than the original report. It's obviously a minor issue since it only affects high GST debug levels when run from the terminal. Starting the app from the desktop menu runs without issue.

I'm unable to reproduce the segfault with other GST apps when using --gst-debug-level=9 (totem, rhythmbox).

I'll try to test today with the current main via flatpak-builder.

I'm happy to file a separate issue if it's useful, and I can provide stack traces from the core dumps, run under valgrind etc.

[bmr-cymru]

Update: I don't see the segfault building current main (e7be0f5) on Fedora with Flatpak using --gst-debug-level= values from 5..9. Everything starts up and logs as expected. The app also selects a working video source on startup. I'll try to test the same approach with the version currently packaged in Fedora to see if it's either fixed in main or particular to the Fedora build (libs presumably?).