Opened 6 years ago
Closed 6 years ago
#2172 closed defect (fixed)
Crash due to double reference decrements in timer
| Reported by: | nanang | Owned by: | bennylp |
|---|---|---|---|
| Priority: | normal | Milestone: | release-2.9 |
| Component: | pjlib | Version: | trunk |
| Keywords: | | Cc: | |
| Backport to 1.x milestone: | | Backported: | no |
Description
The cancel() inside cancel_timer() returns zero when a timer entry is invalid or its expiration callback is being invoked (as the entry is removed already). Unfortunately cancel_timer() does not check the count returned by cancel() and always proceeds with pj_grp_lock_dec_ref().
This is bad news if at the same time the entry callback is being invoked by pj_timer_heap_poll(), as pj_grp_lock_dec_ref() will be called after the callback returns. Note that pj_grp_lock_dec_ref() may cause the group lock ref count to reach zero, where all member objects of the group lock invoke their destructors (usually freeing up any memory allocations), so the next pj_grp_lock_dec_ref() will access an invalid/freed memory address.
Thanks Keerthi Kumar Thovi for the report and the analysis.
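The double-decrement sequence described in this ticket, reduced to a small reference-counting model. This is an added illustration, not pjlib's code: the `grp_lock`, `timer_entry`, `heap_cancel()`, `heap_poll()` and `cancel_timer_*()` names are hypothetical stand-ins for the real pj_grp_lock / pj_timer_heap API, and instead of freeing memory the model records any decrement that lands on an already-destroyed lock (which in the real code would be a use-after-free). The scenario assumed is the one in the description: the entry is popped and its callback is running, the owner cancels the timer from inside that callback and then drops its own reference, and the poll loop drops the heap's reference after the callback returns.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model of a reference-counted group lock (not pjlib's struct). */
typedef struct grp_lock {
    int ref;          /* outstanding references */
    int destroyed;    /* set once ref hits zero: members have run their destructors */
    int bad_access;   /* decrements attempted after destruction (a UAF in real code) */
} grp_lock;

/* Hypothetical model of a timer entry bound to a group lock. */
typedef struct timer_entry {
    int scheduled;                     /* 1 while the entry sits in the heap */
    grp_lock *lock;
    void (*cb)(struct timer_entry *e); /* expiration callback */
} timer_entry;

static void grp_lock_add_ref(grp_lock *l) { l->ref++; }

static int grp_lock_dec_ref(grp_lock *l)
{
    if (l->destroyed) {      /* the real implementation would touch freed memory here */
        l->bad_access++;
        return -1;
    }
    if (--l->ref == 0)
        l->destroyed = 1;    /* stand-in for running the members' destructors */
    return 0;
}

/* Scheduling takes a reference on behalf of the heap. */
static void schedule_w_grp_lock(timer_entry *e, grp_lock *l)
{
    e->lock = l;
    e->scheduled = 1;
    grp_lock_add_ref(l);
}

/* cancel(): returns the number of entries removed; 0 if the entry is not in the heap
 * (invalid, or already popped because its callback is being invoked). */
static int heap_cancel(timer_entry *e)
{
    if (!e->scheduled)
        return 0;
    e->scheduled = 0;
    return 1;
}

/* Buggy pattern from the ticket: dec_ref regardless of what cancel() returned. */
static int cancel_timer_buggy(timer_entry *e)
{
    int count = heap_cancel(e);
    grp_lock_dec_ref(e->lock);
    return count;
}

/* Fixed pattern: drop the heap's reference only if we actually removed the entry. */
static int cancel_timer_fixed(timer_entry *e)
{
    int count = heap_cancel(e);
    if (count > 0)
        grp_lock_dec_ref(e->lock);
    return count;
}

/* poll(): pops the due entry, runs its callback, then drops the heap's reference. */
static void heap_poll(timer_entry *e)
{
    e->scheduled = 0;
    e->cb(e);
    grp_lock_dec_ref(e->lock);
}

static int g_use_fix; /* selects which cancel_timer variant the callback uses */

/* The owner shuts itself down from inside its own timer callback. */
static void on_timer(timer_entry *e)
{
    if (g_use_fix)
        cancel_timer_fixed(e);
    else
        cancel_timer_buggy(e);
    grp_lock_dec_ref(e->lock);   /* owner releases its own reference */
}

/* Runs the scenario and returns how many decrements hit a destroyed lock:
 * 0 means the teardown was clean, anything else is the double decrement. */
int simulate_cancel_during_callback(int use_fix)
{
    grp_lock lock = {0, 0, 0};
    timer_entry e;
    memset(&e, 0, sizeof e);
    e.cb = on_timer;
    g_use_fix = use_fix;
    grp_lock_add_ref(&lock);         /* owner's reference: ref = 1 */
    schedule_w_grp_lock(&e, &lock);  /* heap's reference:  ref = 2 */
    heap_poll(&e);                   /* callback cancels + owner releases, then poll releases */
    return lock.bad_access;
}

int main(void)
{
    printf("buggy cancel_timer: %d decrement(s) on destroyed lock\n",
           simulate_cancel_during_callback(0));
    printf("fixed cancel_timer: %d decrement(s) on destroyed lock\n",
           simulate_cancel_during_callback(1));
    return 0;
}
```

With the buggy variant the callback's cancel_timer() finds nothing to cancel yet still decrements (2 to 1), the owner's own release takes the count to zero and destroys the lock, and the decrement that poll() performs after the callback returns lands on the destroyed lock. With the fixed variant the heap's reference survives cancel_timer(), so the owner's release and poll()'s release account for exactly the two outstanding references.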
Change History (1)
comment:1 Changed 6 years ago by nanang
- Resolution set to fixed
- Status changed from new to closed
In 5927: