Stop dangling pointer from being assigned to AudioOutputDevice::callback_

When we use BackupRefPtr for AudioOutputDevice::callback_, it detects a dangling pointer being assigned to it.
This is because, RenderCallback can be destroyed by the time InitializeOnIOThread gets called on the io thread.
This CL adds a check for stopping_hack_ so we won't assign, when Stop() has already been called.

Bug: 1154812, 1080832
Change-Id: Icb02ed9661ebcd2c0ee8c81888bc68c3d1af83a6
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2575481
Commit-Queue: Keishi Hattori <keishi@chromium.org>
Reviewed-by: Olga Sharonova <olka@chromium.org>
Reviewed-by: Dale Curtis <dalecurtis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#843465}

media/audio/audio_output_device.cc

@@ -63,6 +63,11 @@ void AudioOutputDevice::InitializeOnIOThread(const AudioParameters& params,
   DCHECK(params.IsValid());
   DVLOG(1) << __func__ << ": " << params.AsHumanReadableString();
   audio_parameters_ = params;
+
+  base::AutoLock auto_lock(audio_thread_lock_);
+  // If Stop() has already been called, RenderCallback has already been
+  // destroyed. So |callback| would be a dangling pointer.
+  if (!stopping_hack_)
     callback_ = callback;
 }
 
@@ -206,7 +211,13 @@ void AudioOutputDevice::RequestDeviceAuthorizationOnIOThread() {
 void AudioOutputDevice::CreateStreamOnIOThread() {
   TRACE_EVENT0("audio", "AudioOutputDevice::Create");
   DCHECK(io_task_runner_->BelongsToCurrentThread());
+#if DCHECK_IS_ON()
+  {
+    base::AutoLock auto_lock(audio_thread_lock_);
+    if (!stopping_hack_)
       DCHECK(callback_) << "Initialize hasn't been called";
+  }
+#endif
   DCHECK_NE(state_, STREAM_CREATION_REQUESTED);
 
   if (!ipc_) {