Race-condition in SoundPool during release

There is race between SoundPoolThread and SoundPool / AudioManager
threads during releasing SoundPool.
AudioManager deletes a global reference before setting SoundPool
callback to NULL. If, at that time, a call to the SoundPool::notify
fuction happens then mCallback is valid but mUserData is not.

The following log will show up to indicate the problem:
  JNI ERROR (app bug): accessed deleted global reference 0xXXXXXXXX

This fix is to clear the SoundPool's callback before releasing global
reference.

Change-Id: I5e6d647edc0444340db879428048e2c0a068a8b4

1 files changed, 3 insertions, 3 deletions

diff --git a/media/jni/soundpool/android_media_SoundPool_SoundPoolImpl.cpp b/media/jni/soundpool/android_media_SoundPool_SoundPoolImpl.cpp
index ce20e52..baf61d5 100644
--- a/media/jni/soundpool/android_media_SoundPool_SoundPoolImpl.cpp
+++ b/media/jni/soundpool/android_media_SoundPool_SoundPoolImpl.cpp
@@ -231,14 +231,14 @@ android_media_SoundPool_SoundPoolImpl_release(JNIEnv *env, jobject thiz)
     SoundPool *ap = MusterSoundPool(env, thiz);
     if (ap != NULL) {
 
-        // release weak reference
+        // release weak reference and clear callback
         jobject weakRef = (jobject) ap->getUserData();
+        ap->setCallback(NULL, NULL);
         if (weakRef != NULL) {
             env->DeleteGlobalRef(weakRef);
         }
 
-        // clear callback and native context
-        ap->setCallback(NULL, NULL);
+        // clear native context
         env->SetLongField(thiz, fields.mNativeContext, 0);
         delete ap;
     }