starboard: Enforce thread safety invariants in release builds (#7112)

The AudioRendererPcm/MediaDecoder and their underlying sink components
are designed with a critical invariant: they are not thread-safe and
their methods must be called from a single, consistent thread.

Previously, this invariant was only verified by SB_DCHECK, which is
compiled out of release builds. Because this check is compiled out of
release builds, it was unable to detect race conditions occurring in the
production environment. It make debugging from prod crash report very
difficult.

This change promotes these thread-safety checks to SB_CHECK. Now, if any
method is called from an incorrect thread, the application will crash
immediately with a clear stack trace at the site of the violation. This
prevents the system from entering a corrupt state and makes diagnosing
the root cause of such threading bugs significantly more
straightforward.

#vibe-coded

Bug: 443334872
Bug: 435425692

Author: kjyoun

starboard/android/shared/media_decoder.cc

@@ -149,7 +149,7 @@ MediaDecoder::MediaDecoder(
 }
 
 MediaDecoder::~MediaDecoder() {
-  SB_DCHECK(thread_checker_.CalledOnValidThread());
+  SB_CHECK(thread_checker_.CalledOnValidThread());
 
   TerminateDecoderThread();
 
@@ -170,7 +170,7 @@ MediaDecoder::~MediaDecoder() {
 }
 
 void MediaDecoder::Initialize(const ErrorCB& error_cb) {
-  SB_DCHECK(thread_checker_.CalledOnValidThread());
+  SB_CHECK(thread_checker_.CalledOnValidThread());
   SB_DCHECK(error_cb);
   SB_DCHECK(!error_cb_);
 
@@ -182,7 +182,7 @@ void MediaDecoder::Initialize(const ErrorCB& error_cb) {
 }
 
 void MediaDecoder::WriteInputBuffers(const InputBuffers& input_buffers) {
-  SB_DCHECK(thread_checker_.CalledOnValidThread());
+  SB_CHECK(thread_checker_.CalledOnValidThread());
   if (stream_ended_.load()) {
     SB_LOG(ERROR) << "Decode() is called after WriteEndOfStream() is called.";
     return;
@@ -213,7 +213,7 @@ void MediaDecoder::WriteInputBuffers(const InputBuffers& input_buffers) {
 }
 
 void MediaDecoder::WriteEndOfStream() {
-  SB_DCHECK(thread_checker_.CalledOnValidThread());
+  SB_CHECK(thread_checker_.CalledOnValidThread());
 
   stream_ended_.store(true);
   std::lock_guard lock(mutex_);
@@ -388,7 +388,7 @@ void MediaDecoder::DecoderThreadFunc() {
 }
 
 void MediaDecoder::TerminateDecoderThread() {
-  SB_DCHECK(thread_checker_.CalledOnValidThread());
+  SB_CHECK(thread_checker_.CalledOnValidThread());
 
   destroying_.store(true);
 
@@ -705,7 +705,7 @@ void MediaDecoder::OnMediaCodecFirstTunnelFrameReady() {
 }
 
 bool MediaDecoder::Flush() {
-  SB_DCHECK(thread_checker_.CalledOnValidThread());
+  SB_CHECK(thread_checker_.CalledOnValidThread());
 
   // Try to flush if we can, otherwise return |false| to recreate the codec
   // completely. Flush() is called by `player_worker` thread,

starboard/android/shared/video_decoder.cc

@@ -458,7 +458,7 @@ VideoDecoder::GetRenderAlgorithm() {
 
 void VideoDecoder::Initialize(const DecoderStatusCB& decoder_status_cb,
                               const ErrorCB& error_cb) {
-  SB_DCHECK(BelongsToCurrentThread());
+  SB_CHECK(BelongsToCurrentThread());
   SB_DCHECK(decoder_status_cb);
   SB_DCHECK(!decoder_status_cb_);
   SB_DCHECK(error_cb);
@@ -497,7 +497,7 @@ int64_t VideoDecoder::GetPrerollTimeout() const {
 }
 
 void VideoDecoder::WriteInputBuffers(const InputBuffers& input_buffers) {
-  SB_DCHECK(BelongsToCurrentThread());
+  SB_CHECK(BelongsToCurrentThread());
   SB_DCHECK(!input_buffers.empty());
   SB_DCHECK_EQ(input_buffers.front()->sample_type(), kSbMediaTypeVideo);
   SB_DCHECK(decoder_status_cb_);
@@ -567,7 +567,7 @@ void VideoDecoder::WriteInputBuffers(const InputBuffers& input_buffers) {
 }
 
 void VideoDecoder::WriteEndOfStream() {
-  SB_DCHECK(BelongsToCurrentThread());
+  SB_CHECK(BelongsToCurrentThread());
   SB_DCHECK(decoder_status_cb_);
 
   if (end_of_stream_written_) {
@@ -616,7 +616,7 @@ void VideoDecoder::WriteEndOfStream() {
 }
 
 void VideoDecoder::Reset() {
-  SB_DCHECK(BelongsToCurrentThread());
+  SB_CHECK(BelongsToCurrentThread());
 
   // If fail to flush |media_decoder_| or |media_decoder_| is null, then
   // re-create |media_decoder_|. If the codec is kSbMediaVideoCodecAv1,
@@ -653,7 +653,7 @@ void VideoDecoder::Reset() {
 
 bool VideoDecoder::InitializeCodec(const VideoStreamInfo& video_stream_info,
                                    std::string* error_message) {
-  SB_DCHECK(BelongsToCurrentThread());
+  SB_CHECK(BelongsToCurrentThread());
   SB_CHECK(error_message);
 
   if (video_stream_info.codec == kSbMediaVideoCodecAv1) {
@@ -776,7 +776,7 @@ bool VideoDecoder::InitializeCodec(const VideoStreamInfo& video_stream_info,
 }
 
 void VideoDecoder::TeardownCodec() {
-  SB_DCHECK(BelongsToCurrentThread());
+  SB_CHECK(BelongsToCurrentThread());
   if (owns_video_surface_) {
     ReleaseVideoSurface();
     owns_video_surface_ = false;
@@ -1211,14 +1211,14 @@ void VideoDecoder::OnFirstTunnelFrameReady() {
 }
 
 void VideoDecoder::OnTunnelModePrerollTimeout() {
-  SB_DCHECK(BelongsToCurrentThread());
+  SB_CHECK(BelongsToCurrentThread());
   SB_DCHECK_NE(tunnel_mode_audio_session_id_, -1);
 
   TryToSignalPrerollForTunnelMode();
 }
 
 void VideoDecoder::OnTunnelModeCheckForNeedMoreInput() {
-  SB_DCHECK(BelongsToCurrentThread());
+  SB_CHECK(BelongsToCurrentThread());
   SB_DCHECK_NE(tunnel_mode_audio_session_id_, -1);
 
   // There's a race condition when suspending the app. If surface view is

starboard/shared/starboard/player/filter/audio_renderer_internal_pcm.cc

@@ -102,7 +102,7 @@ AudioRendererPcm::~AudioRendererPcm() {
                 << " channels, " << bytes_per_frame_ << " bytes per frame, "
                 << max_cached_frames_ << " max cached frames, and "
                 << min_frames_per_append_ << " min frames per append.";
-  SB_DCHECK(BelongsToCurrentThread());
+  SB_CHECK(BelongsToCurrentThread());
 }
 
 void AudioRendererPcm::Initialize(const ErrorCB& error_cb,
@@ -124,7 +124,7 @@ void AudioRendererPcm::Initialize(const ErrorCB& error_cb,
 }
 
 void AudioRendererPcm::WriteSamples(const InputBuffers& input_buffers) {
-  SB_DCHECK(BelongsToCurrentThread());
+  SB_CHECK(BelongsToCurrentThread());
   SB_DCHECK(!input_buffers.empty());
   SB_DCHECK(can_accept_more_data_);
 
@@ -142,7 +142,7 @@ void AudioRendererPcm::WriteSamples(const InputBuffers& input_buffers) {
 }
 
 void AudioRendererPcm::WriteEndOfStream() {
-  SB_DCHECK(BelongsToCurrentThread());
+  SB_CHECK(BelongsToCurrentThread());
   // TODO: Check |can_accept_more_data_| and make WriteEndOfStream() depend on
   // CanAcceptMoreData() or callback.
   // SB_DCHECK(can_accept_more_data_);
@@ -161,12 +161,12 @@ void AudioRendererPcm::WriteEndOfStream() {
 }
 
 void AudioRendererPcm::SetVolume(double volume) {
-  SB_DCHECK(BelongsToCurrentThread());
+  SB_CHECK(BelongsToCurrentThread());
   audio_renderer_sink_->SetVolume(volume);
 }
 
 bool AudioRendererPcm::IsEndOfStreamWritten() const {
-  SB_DCHECK(BelongsToCurrentThread());
+  SB_CHECK(BelongsToCurrentThread());
   return eos_state_ >= kEOSWrittenToDecoder;
 }
 
@@ -176,28 +176,28 @@ bool AudioRendererPcm::IsEndOfStreamPlayed() const {
 }
 
 bool AudioRendererPcm::CanAcceptMoreData() const {
-  SB_DCHECK(BelongsToCurrentThread());
+  SB_CHECK(BelongsToCurrentThread());
   return eos_state_ == kEOSNotReceived && can_accept_more_data_ &&
          (!decoder_sample_rate_ || !time_stretcher_.IsQueueFull());
 }
 
 void AudioRendererPcm::Play() {
-  SB_DCHECK(BelongsToCurrentThread());
+  SB_CHECK(BelongsToCurrentThread());
 
   std::lock_guard lock(mutex_);
   paused_ = false;
   consume_frames_called_ = false;
 }
 
 void AudioRendererPcm::Pause() {
-  SB_DCHECK(BelongsToCurrentThread());
+  SB_CHECK(BelongsToCurrentThread());
 
   std::lock_guard lock(mutex_);
   paused_ = true;
 }
 
 void AudioRendererPcm::SetPlaybackRate(double playback_rate) {
-  SB_DCHECK(BelongsToCurrentThread());
+  SB_CHECK(BelongsToCurrentThread());
 
   std::lock_guard lock(mutex_);
 
@@ -222,7 +222,7 @@ void AudioRendererPcm::SetPlaybackRate(double playback_rate) {
 }
 
 void AudioRendererPcm::Seek(int64_t seek_to_time) {
-  SB_DCHECK(BelongsToCurrentThread());
+  SB_CHECK(BelongsToCurrentThread());
   SB_DCHECK_GE(seek_to_time, 0);
 
   audio_renderer_sink_->Stop();
@@ -499,7 +499,7 @@ void AudioRendererPcm::OnFirstOutput(
     const SbMediaAudioSampleType decoded_sample_type,
     const SbMediaAudioFrameStorageType decoded_storage_type,
     const int decoded_sample_rate) {
-  SB_DCHECK(BelongsToCurrentThread());
+  SB_CHECK(BelongsToCurrentThread());
   SB_DCHECK(!decoder_sample_rate_);
   decoder_sample_rate_ = decoded_sample_rate;
   int destination_sample_rate =
@@ -541,7 +541,7 @@ bool AudioRendererPcm::IsEndOfStreamPlayed_Locked() const {
 }
 
 void AudioRendererPcm::OnDecoderConsumed() {
-  SB_DCHECK(BelongsToCurrentThread());
+  SB_CHECK(BelongsToCurrentThread());
 
   // TODO: Unify EOS and non EOS request once WriteEndOfStream() depends on
   // CanAcceptMoreData().
@@ -553,7 +553,7 @@ void AudioRendererPcm::OnDecoderConsumed() {
 }
 
 void AudioRendererPcm::OnDecoderOutput() {
-  SB_DCHECK(BelongsToCurrentThread());
+  SB_CHECK(BelongsToCurrentThread());
 
   ++pending_decoder_outputs_;
 
@@ -566,7 +566,7 @@ void AudioRendererPcm::OnDecoderOutput() {
 }
 
 void AudioRendererPcm::ProcessAudioData() {
-  SB_DCHECK(BelongsToCurrentThread());
+  SB_CHECK(BelongsToCurrentThread());
 
   process_audio_data_job_token_.ResetToInvalid();
 
@@ -668,7 +668,7 @@ void AudioRendererPcm::ProcessAudioData() {
 }
 
 bool AudioRendererPcm::AppendAudioToFrameBuffer(bool* is_frame_buffer_full) {
-  SB_DCHECK(BelongsToCurrentThread());
+  SB_CHECK(BelongsToCurrentThread());
   SB_DCHECK(is_frame_buffer_full);
 
   *is_frame_buffer_full = false;
@@ -738,7 +738,7 @@ bool AudioRendererPcm::AppendAudioToFrameBuffer(bool* is_frame_buffer_full) {
 
 #if SB_PLAYER_FILTER_ENABLE_STATE_CHECK
 void AudioRendererPcm::CheckAudioSinkStatus() {
-  SB_DCHECK(BelongsToCurrentThread());
+  SB_CHECK(BelongsToCurrentThread());
 
   // Check if sink callbacks are called too frequently.
   if (sink_callbacks_since_last_check_.load() > kMaxSinkCallbacksBetweenCheck) {

starboard/shared/starboard/player/filter/audio_renderer_sink_impl.cc

@@ -50,7 +50,7 @@ AudioRendererSinkImpl::AudioRendererSinkImpl(
 }
 
 AudioRendererSinkImpl::~AudioRendererSinkImpl() {
-  SB_DCHECK(thread_checker_.CalledOnValidThread());
+  SB_CHECK(thread_checker_.CalledOnValidThread());
 
   Stop();
 }
@@ -83,7 +83,7 @@ void AudioRendererSinkImpl::Start(
     SbAudioSinkFrameBuffers frame_buffers,
     int frames_per_channel,
     RenderCallback* render_callback) {
-  SB_DCHECK(thread_checker_.CalledOnValidThread());
+  SB_CHECK(thread_checker_.CalledOnValidThread());
   SB_DCHECK(!HasStarted());
   SB_DCHECK(channels > 0 && channels <= SbAudioSinkGetMaxChannels());
   SB_DCHECK_GT(sampling_frequency_hz, 0);
@@ -111,7 +111,7 @@ void AudioRendererSinkImpl::Start(
 }
 
 void AudioRendererSinkImpl::Stop() {
-  SB_DCHECK(thread_checker_.CalledOnValidThread());
+  SB_CHECK(thread_checker_.CalledOnValidThread());
 
   if (HasStarted()) {
     SbAudioSinkDestroy(audio_sink_);
@@ -121,7 +121,7 @@ void AudioRendererSinkImpl::Stop() {
 }
 
 void AudioRendererSinkImpl::SetVolume(double volume) {
-  SB_DCHECK(thread_checker_.CalledOnValidThread());
+  SB_CHECK(thread_checker_.CalledOnValidThread());
 
   volume_ = volume;
   if (HasStarted()) {
@@ -130,7 +130,7 @@ void AudioRendererSinkImpl::SetVolume(double volume) {
 }
 
 void AudioRendererSinkImpl::SetPlaybackRate(double playback_rate) {
-  SB_DCHECK(thread_checker_.CalledOnValidThread());
+  SB_CHECK(thread_checker_.CalledOnValidThread());
   SB_DCHECK(playback_rate == 0.0 || playback_rate == 1.0)
       << "Playback rate on audio sink can only be set to 0 or 1, "
       << "but is now set to " << playback_rate;