NetBSD system crash when testing camera in chromium

[Robert Bagdan <kikadf.01%gmail.com@localhost>]

Hi,
I’m porting chromium to NetBSD, but I got a random system crash when
testing camera support.

My NetBSD is (uname -a): NetBSD test 10.0_STABLE NetBSD 10.0_STABLE
(GENERIC) #0: Fri Dec  6 20:38:43 UTC 2024  mkrepro%mkrepro.NetBSD.org@localhost
 :/usr/src/sys/arch/amd64/compile/GENERIC amd64

To reproduce the system crash:
1) Build chromium from pkgsrc-wip/chromium (many hours as it is a kaiju..)
2) Open in chromium the https://webcamtests.com/ page, and run the testing
3) Not always but often I got a system crash while the test is running

I try to found the problem:
1) cd /var/crash && sudo gunzip -d *gz
2) sudo dmesg -M netbsd.4.core -N netbsd.4
[   429.761546] video_enum_framesizes: type mismatch 56595559 47504a4d
… (919 messages from video_enum_framesizes)
[   512.133230] video_enum_framesizes: type mismatch 47504a4d 56595559
[   512.917593] fatal protection fault in supervisor mode
[   512.917593] trap type 4 code 0 rip 0xffffffff80db14f4 cs 0x8
rflags 0x10206 cr2  0x7dbd48c2e600 ilevel 0 rsp 0xffff c18242975d40
[   512.917593] curlwp 0xffffe53d60a3ca00 pid 3297.3302 lowest kstack
0xffffc182429712c0
[   512.917593] panic: trap
[   512.917593] cpu2: Begin traceback...
[   512.918047] vpanic() at netbsd:vpanic+0x183
[   512.919505] panic() at netbsd:panic+0x3c
[   512.920481] trap() at netbsd:trap+0xbaf
[   512.920481] --- trap (number 4) ---
[   512.920969] videoclose() at netbsd:videoclose+0xbb
[   512.921941] cdev_close() at netbsd:cdev_close+0x92
[   512.922414] spec_close() at netbsd:spec_close+0x188
[   512.923403] VOP_CLOSE() at netbsd:VOP_CLOSE+0x44
[   512.924378] vn_close() at netbsd:vn_close+0x51
[   512.924873] closef() at netbsd:closef+0x58
[   512.925838] fd_close() at netbsd:fd_close+0x140
[   512.926349] sys_close() at netbsd:sys_close+0x22
[   512.927307] syscall() at netbsd:syscall+0x1fc
[   512.927770] --- syscall (number 6) ---
[   512.927770] netbsd:syscall+0x1fc:
[   512.927770] cpu2: End traceback...
[   512.928265] dumping to dev 168,1 (offset=8, size=2097039):
[   512.928265] dump

3) sudo gdb /netbsd --eval-command="target kvm netbsd.1.core"
GNU gdb (GDB) 11.0.50.20200914-git
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64--netbsd".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
   <http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /netbsd...
Reading symbols from /usr/libdata/debug//netbsd-GENERIC.debug...
0xffffffff80239985 in cpu_reboot (howto=260, bootstr=<optimized out>)
at /usr/src/sys/arch/amd64/amd64/machdep.c:717
warning: Source file is more recent than executable.
717                     dumpsys();
(gdb) bt
#0  0xffffffff80239985 in cpu_reboot (howto=260, bootstr=<optimized
out>) at /usr/src/sys/arch/amd64/amd64/machdep.c:717
#1  0xffffffff80ce5a9b in debugged_child_exists (parent=0x104,
si=0xffffd2fccac4d400,  options=260, id=0, idtype=1112612864) at
/usr/src/sys/kern/kern_exit.c:986
#2  find_stopped_child (si=0xffffd2fccac4d400, wru=0x0,
child_p=<synthetic pointer>, options=260, id=0, idtype=1112612864,
parent=0x104) at /usr/src/sys/kern/kern_exit.c:1124
#3  do_sys_waitid (idtype=<optimized out>, id=<optimized out>,
pid=<optimized out>, status=<optimized out>, options=260, wru=0x0,
si=<optimized out>) at  /usr/src/sys/kern/kern_exit.c:673
#4  0xffffffff80d1be6f in device_pmf_driver_deregister
(dev=<unavailable>) at  /usr/src/sys/kern/subr_autoconf.c:3182
#5  0xffffffff80d1bf44 in device_pmf_lock1 (dev=0xffffd2fceb993b00) at
./machine/cpu.h:72
#6  device_pmf_lock (dev=0xffffd2fceb993b00) at
/usr/src/sys/kern/subr_autoconf.c:3269
#7  0xffffffff8023c155 in trap (frame=0x0) at
/usr/src/sys/arch/amd64/amd64/trap.c:326
#8  0xffffffff80234a7b in alltraps ()
#9  0xffffd2fca47ec3c8 in ?? ()
#10 0xffffd2fca455c080 in ?? ()
#11 0xffffd2fca47ec3a0 in ?? ()
#12 0x0000000000000000 in ?? ()

(gdb) list *0xffffffff80db14f4
0xffffffff80db14f4 is in videoclose (/usr/src/sys/dev/video.c:2481).
warning: Source file is more recent than executable.
2476                             "tearing down bufs while streaming\n"));
2477            }
2478
2479            /* dequeue all buffers */
2480            while (SIMPLEQ_FIRST(&vs->vs_ingress) != NULL)
2481                    SIMPLEQ_REMOVE_HEAD(&vs->vs_ingress, entries);
2482            while (SIMPLEQ_FIRST(&vs->vs_egress) != NULL)
2483                    SIMPLEQ_REMOVE_HEAD(&vs->vs_egress, entries);
2484
2485            err = video_stream_free_bufs(vs);
(gdb)

I got this system crash only on chromium, firefox with the same steps
did not cause system crash. I checked the differences in the
codebases, I found chromium uses VIDIOC_ENUM_FRAMEINTERVALS and
VIDIOC_ENUM_FRAMESIZES, while firefox does not. I don’t know is it
relevant, but my dmesg output has many “video_enum_framesizes: type
mismatch 47504a4d 56595559” lines, what is come from
video_enum_framesizes():https://github.com/NetBSD/src/blob/52fe981959bae952bc9fc0d6e7829963ece5abbc/sys/dev/video.c#L830.

I need help to resolve this problem, I don’t know if this is a problem
in NetBSD or if I made a mistake in the chromium codebase.

Thanks,
kikadf