fixeria has uploaded this change for review.


msc: add TC_lu_and_ussd_notify_during_mt_call

This is a more realistic scenario (race condition) that reproduces
an assertion failure in osmo-msc (OS#6756). We already have
TC_mo_ussd_evil_ms reproducing the problem, but that scenario is
unrealistic when using a "normal" (not "evil") MS/UE.

Change-Id: I6935ad96aef7747c576505ae52f8b5d3e0611882
Related: osmo-msc.git I724f0f0c9ef8611d3c3653e9370361b252127f72
Related: OS#6756
---
M msc/MSC_Tests.ttcn
M msc/expected-results.xml
2 files changed, 64 insertions(+), 1 deletion(-)

git pull ssh://gerrit.osmocom.org:29418/osmo-ttcn3-hacks refs/changes/10/40410/1
diff --git a/msc/MSC_Tests.ttcn b/msc/MSC_Tests.ttcn
index 2f8df4d..22b6608 100644
--- a/msc/MSC_Tests.ttcn
+++ b/msc/MSC_Tests.ttcn
@@ -3972,6 +3972,66 @@
vc_conn.done;
}

+friend function f_TC_lu_and_ussd_notify_during_mt_call(charstring id, BSC_ConnHdlrPars pars)
+runs on BSC_ConnHdlr {
+ var CallParameters cpars := valueof(t_CallParams);
+
+ f_init_handler(pars);
+
+ /* Perform location update */
+ f_perform_lu();
+ /* Initiate a MT call */
+ f_mt_call_establish(cpars);
+
+ /* Facility IE with network-originated USSD notification */
+ var OCTN facility_req := f_USSD_FACILITY_IE_INVOKE(op_code := SS_OP_CODE_USS_NOTIFY,
+ ussd_string := "Knock knock");
+ /* Facility IE with acknowledgment to the USSD notification */
+ var OCTN facility_rsp := enc_SS_FacilityInformation(
+ valueof(ts_SS_USSD_FACILITY_RETURN_RESULT_EMPTY())
+ );
+
+ /* HLR sends a USSD notification */
+ GSUP.send(ts_GSUP_PROC_SS_REQ(imsi := g_pars.imsi,
+ sid := g_pars.gsup_sid,
+ state := OSMO_GSUP_SESSION_STATE_BEGIN,
+ ss := facility_req));
+ /* ... and immediately terminates the session */
+ GSUP.send(ts_GSUP_PROC_SS_REQ(imsi := g_pars.imsi,
+ sid := g_pars.gsup_sid,
+ state := OSMO_GSUP_SESSION_STATE_END));
+
+ /* MSC forwards USSD notification to the MS */
+ f_expect_mt_dtap_msg(tr_ML3_MT_SS_REGISTER(tid := 0,
+ ti_flag := c_TIF_ORIG,
+ facility := facility_req));
+ /* ... immediately followed by the RELEASE COMPLETE message */
+ f_expect_mt_dtap_msg(tr_ML3_MT_SS_RELEASE_COMPLETE(tid := 0,
+ ti_flag := c_TIF_ORIG,
+ facility := omit));
+
+ /* MS didn't receive the RELEASE COMPLETE yet, so it responds */
+ BSSAP.send(ts_PDU_DTAP_MO(ts_ML3_MO_SS_FACILITY(tid := 0,
+ ti_flag := c_TIF_REPL,
+ facility := facility_rsp)));
+ /* this response is rejected because the SS transaction is gone */
+ f_expect_mt_dtap_msg(tr_ML3_MT_SS_RELEASE_COMPLETE(tid := 0,
+ ti_flag := c_TIF_ORIG,
+ facility := omit));
+
+ /* ... old osmo-msc crashes here (OS#6756) ...
+ * fixed in osmo-msc.git I724f0f0c9ef8611d3c3653e9370361b252127f72 */
+
+ /* Release the call (does Clear Complete itself) */
+ f_call_hangup(cpars, true);
+}
+testcase TC_lu_and_ussd_notify_during_mt_call() runs on MTC_CT {
+ var BSC_ConnHdlr vc_conn;
+ f_init();
+ vc_conn := f_start_handler(refers(f_TC_lu_and_ussd_notify_during_mt_call), 111);
+ vc_conn.done;
+}
+

/* LU followed by MO USSD request and MO Release during transaction */
friend function f_tc_lu_and_mo_ussd_mo_release(charstring id, BSC_ConnHdlrPars pars)
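Review bot: The new handler f_TC_lu_and_ussd_notify_during_mt_call has no header comment, unlike the neighbouring f_tc_lu_and_mo_ussd_mo_release, so the race it exercises is only explained in the commit message. I would add something like `/* LU + MT call; HLR sends USSD Notify (BEGIN) immediately followed by END, MS replies with FACILITY after the SS transaction is gone (OS#6756) */` above the `friend function` line. The `/* ... old osmo-msc crashes here (OS#6756) ...` comment sits after the final f_expect_mt_dtap_msg. If the assertion fires while the MSC handles the MO FACILITY (I cannot tell from the hunk), that expect never completes on an unfixed MSC and the comment belongs before it. A blank line between the closing `}` of the handler and `testcase TC_lu_and_ussd_notify_during_mt_call()` would match the spacing of the surrounding definitions.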
@@ -4395,7 +4455,8 @@

/* MO (mobile-originated) SS/USSD FACILITY for an unknown transaction,
* and CM SERVICE REQUEST with wrong establishment cause prior to that.
- * This is an "evil MS" scenario that can be used to reproduce OS#6756. */
+ * This is an "evil MS" scenario that can be used to reproduce OS#6756.
+ * More realistic scenario for this bug: TC_lu_and_ussd_notify_during_mt_call. */
friend function f_TC_mo_ussd_evil_ms(charstring id, BSC_ConnHdlrPars pars)
runs on BSC_ConnHdlr {
f_init_handler(pars);
@@ -7613,6 +7674,7 @@
execute( TC_proc_ss_abort() );

if (Misc_Helpers.f_osmo_repo_is("nightly")) {
+ execute( TC_lu_and_ussd_notify_during_mt_call() ); /* XXX: crashes osmo-msc */
execute( TC_mo_ussd_evil_ms() ); /* XXX: crashes osmo-msc */
}

diff --git a/msc/expected-results.xml b/msc/expected-results.xml
index dacb840..9d7e315 100644
--- a/msc/expected-results.xml
+++ b/msc/expected-results.xml
@@ -94,6 +94,7 @@
<testcase classname='MSC_Tests' name='TC_proc_ss_for_unknown_session' time='MASKED'/>
<testcase classname='MSC_Tests' name='TC_proc_ss_paging_fail' time='MASKED'/>
<testcase classname='MSC_Tests' name='TC_proc_ss_abort' time='MASKED'/>
+ <testcase classname='MSC_Tests' name='TC_lu_and_ussd_notify_during_mt_call' time='MASKED'/>
<testcase classname='MSC_Tests' name='TC_mo_ussd_evil_ms' time='MASKED'/>
<testcase classname='MSC_Tests' name='TC_multi_lu_and_mo_ussd' time='MASKED'/>
<testcase classname='MSC_Tests' name='TC_multi_lu_and_mt_ussd' time='MASKED'/>


Gerrit-MessageType: newchange
Gerrit-Project: osmo-ttcn3-hacks
Gerrit-Branch: master
Gerrit-Change-Id: I6935ad96aef7747c576505ae52f8b5d3e0611882
Gerrit-Change-Number: 40410
Gerrit-PatchSet: 1
Gerrit-Owner: fixeria <vyanitskiy@sysmocom.de>