Closed Bug 1105988 Opened 10 years ago Closed 10 years ago

[Telephony] Should initialize call->timer for inbound call

Categories

(Firefox OS Graveyard :: Emulator, defect)

Product:
Firefox OS Graveyard
Component:
Emulator
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED
Milestone:
2.2 S2 (19dec)

People

(Reporter: aknow, Assigned: aknow)

References

Details

Attachments

(2 files)

[platform_external_qemu] PR 121
62 bytes, text/x-github-pull-request
edgar
: review+
Details | Review
(kk) [platform_external_qemu] PR 125
62 bytes, text/x-github-pull-request
aknow
: review+
Details | Review 
I spent whole day debugging this problem ...

It might causes emulator crash in some cases.

Think about:

1. Have 1 incoming call
2. Have 1 outgoing call.

Then, in emulator
- modem->calls[0]: incoming call
- modem->calls[1]: outgoing call, call->timer is set

3. disconnect incoming call.

In amodem_free_call, we perform the memmove() that lead to the following changes
- modem->calls[0]: outgoing call, call->timer is set
- modem->calls[1]: outgoing call, call->timer is set
- modem->call_count = 1

4. have another incoming call
- modem->calls[0]: outgoing call, call->timer is set
- modem->calls[1]: incoming call, call->timer is set because it contains the previous value!!

Note that modem->calls[0]->timer == modem->calls[1]->timer

5. disconnect calls[1] and calls[0]

sys_timer_destroy() will be called for same timer address twice!!

Timer resource is implemented by a linked list of free timer. When we free the timer, it is prepend to the list. 

timer->next    = _s_free_timers;

So, if timer and _s_free_timers is point to the same position, it introduces a self loop.

Next time, when we allocate the timer.

sys_timer_alloc( void )              
{                                    
    SysTimer  timer = _s_free_timers;
                                     
    if (timer != NULL) {             
        _s_free_timers = timer->next;
        timer->next    = NULL;       
        timer->timer   = NULL;       
    }                                
    return timer;                    
}                                                                  

timer->next will set the remaining list to empty.

In the end, we lack enough timer resource next time and it cause the crash.

        Attachment #8530206 -
        Flags: review?(echen)

    
  
Blocks: 1093014

    
    

    
  
Comment on attachment 8530206 [details] [review]
[platform_external_qemu] PR 121

Thank you for spending time on debugging this. :)

        Attachment #8530206 -
        Flags: review?(echen) → review+

    
  
Keywords: checkin-needed

    
    

    
  
https://github.com/mozilla-b2g/platform_external_qemu/commit/6fa7a4936414ceb4055fd27f7a30e76790f834fb
Status: NEW → RESOLVED
Closed: 10 years ago
Keywords: checkin-needed
Resolution: --- → FIXED
Target Milestone: --- → 2.2 S2 (19dec)

    
  
Blocks: emulator-kk

    
    

    
  
check-in needed for kk branch
=> (kk) [platform_external_qemu] PR 125
Keywords: checkin-needed

    
  
No longer blocks: emulator-l_taskcluster

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: