fix: guard OnStateChange against null _jingleDataChannel

OnPeerConnectionClosed() dispatches a kClosed event and calls Stop(),
but the network thread can still fire OnStateChange() concurrently.
If OnStateChange runs after OnPeerConnectionClosed has already called
CleanupInternals (which sets _jingleDataChannel to nullptr), accessing
_jingleDataChannel->state() crashes with a null pointer dereference.

Remove the redundant CleanupInternals() call from OnPeerConnectionClosed
(added in 33ceabf) — its purpose was to dispatch close events before
PeerConnection::Close() cancels SafeTask callbacks, but HandleStateChange
already does that. CleanupInternals will still run when OnStateChange
receives kClosed from the network thread.

Add a null guard in OnStateChange for the case where it races with
OnPeerConnectionClosed during shutdown.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: 2 people

src/interfaces/rtc_data_channel.cc

@@ -119,13 +119,15 @@ void RTCDataChannel::CleanupInternals() {
 
 void RTCDataChannel::OnPeerConnectionClosed() {
   if (_jingleDataChannel != nullptr) {
-    CleanupInternals();
     HandleStateChange(*this, webrtc::DataChannelInterface::kClosed);
     Stop();
   }
 }
 
 void RTCDataChannel::OnStateChange() {
+  if (_jingleDataChannel == nullptr) {
+    return;
+  }
   auto state = _jingleDataChannel->state();
   if (state == webrtc::DataChannelInterface::kClosed) {
     CleanupInternals();