Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 7430f66a authored by Dariusz Iwanoczko's avatar Dariusz Iwanoczko Committed by Danny Baumann
Browse files

Race-condition in SoundPool during release 

There is race between SoundPoolThread and SoundPool / AudioManager
threads during releasing SoundPool.
AudioManager deletes a global reference before setting SoundPool
callback to NULL. If, at that time, a call to the SoundPool::notify
fuction happens then mCallback is valid but mUserData is not.

The following log will show up to indicate the problem:
  JNI ERROR (app bug): accessed deleted global reference 0xXXXXXXXX

This fix is to clear the SoundPool's callback before releasing global
reference.

Change-Id: I5e6d647edc0444340db879428048e2c0a068a8b4
parent 916eae67

media/jni/soundpool/android_media_SoundPool_SoundPoolImpl.cpp

+3 −3
Original line number Diff line number Diff line
@@ -231,14 +231,14 @@ android_media_SoundPool_SoundPoolImpl_release(JNIEnv *env, jobject thiz) 
    SoundPool *ap = MusterSoundPool(env, thiz);

    if (ap != NULL) {



        // release weak reference

        // release weak reference and clear callback

        jobject weakRef = (jobject) ap->getUserData();

        ap->setCallback(NULL, NULL);

        if (weakRef != NULL) {

            env->DeleteGlobalRef(weakRef);

        }



        // clear callback and native context

        ap->setCallback(NULL, NULL);

        // clear native context

        env->SetLongField(thiz, fields.mNativeContext, 0);

        delete ap;

    }