Fix using clear_table() within an &expire_func

This previously crashed since clear_table()/TableVal::RemoveAll() left
behind a stale iterator to the old table causing a heap-use-after-free
when resuming table expiry iteration in TableVal::DoExpire().

src/Val.cc

@@ -1459,6 +1459,8 @@ TableVal::~TableVal()
 
 void TableVal::RemoveAll()
 	{
+	delete expire_iterator;
+	expire_iterator = nullptr;
 	// Here we take the brute force approach.
 	delete table_val;
 	table_val = new PDict<TableEntryVal>;
@@ -2575,6 +2577,10 @@ void TableVal::DoExpire(double t)
 
 				if ( ! v )
 					{ // user-provided function deleted it
+					if ( ! expire_iterator )
+						// Entire table got dropped (e.g. clear_table() / RemoveAll())
+						break;
+
 					continue;
 					}
 
@@ -2613,7 +2619,7 @@ void TableVal::DoExpire(double t)
 	if ( modified )
 		Modified();
 
-	if ( (*expire_iterator) == table_val->end_robust() )
+	if ( ! expire_iterator || (*expire_iterator) == table_val->end_robust() )
 		{
 		delete expire_iterator;
 		expire_iterator = nullptr;

testing/btest/Baseline/bifs.clear_table_expire_func/out

@@ -0,0 +1,2 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+expire

testing/btest/bifs/clear_table_expire_func.zeek

@@ -0,0 +1,26 @@
+# @TEST-EXEC: zeek -b %INPUT > out
+# @TEST-EXEC: btest-diff out
+# @TEST-DOC: Checks use of clear_table() within an &expire_func works.
+
+redef exit_only_after_terminate=T;
+redef table_expire_interval = 1msec;
+
+global myexpire: function(t: table[count] of count, i: count): interval;
+
+global mt: table[count] of count &create_expire=1msec &expire_func=myexpire;
+
+function myexpire(t: table[count] of count, i: count): interval
+	{
+	print "expire";
+	clear_table(mt);
+	terminate();
+	return 0secs;
+	}
+
+event zeek_init()
+	{
+	mt[0] = 0;
+	mt[1] = 1;
+	mt[2] = 2;
+	}
+