Fail operations when adapter is in destroy process

[xiazhvera]

Issue #, if available:

Description of changes:

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[codecov-commenter]

Codecov Report

Attention: 6 lines in your changes are missing coverage. Please review.

Comparison is base (c475ef1) 82.41% compared to head (ed5a700) 82.34%.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #331      +/-   ##
==========================================
- Coverage   82.41%   82.34%   -0.07%     
==========================================
  Files          20       20              
  Lines        8722     8759      +37     
==========================================
+ Hits         7188     7213      +25     
- Misses       1534     1546      +12     

Files	Coverage Δ
source/v5/mqtt5_to_mqtt3_adapter.c	76.79% <83.78%> (+0.21%)	⬆️

... and 1 file with indirect coverage changes

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[xiazhvera]

Judgement call: Instead of creating a new member here, we can use adapter_state to track the destroy processing. When we start the destroy process (internal ref -> 0), the adapter would not receive any lifecycle events anymore.

[sfod]

This check is missing for s_aws_mqtt_5_resubscribe_existing_topics, s_aws_mqtt_client_connection_5_acquire and s_aws_mqtt_client_connection_5_release. I think that's all, but I could miss something

[xiazhvera]

Updated s_aws_mqtt_5_resubscribe_existing_topics.

Debatable: I feel we should directly fail the acquire/release if the adapter is in destroying process... the ASSERT instead of a validation check might be a better option here.

[sfod]

Yeah, this situation (trying to do something meaningful with connection in callback while it's being destroyed in another thread) should be pretty rare and most probably will indicate that something's wrong with user code. So, ASSERT could actually help to find a possible issue in the code.

[sfod]

Debatable: I feel slightly uneasy because of passing a "half-dead" connection object into callbacks. But this approach seems safe with the current implementation, so I don't have strong opinion about it.

[bretambrose]

Usage after ref-count goes to zero is not something we need to worry about.

[xiazhvera]

Talked to Bret about the issue. The caller should be responsible to track the connection reference. If the caller have released the connection reference, the caller should never use connection even if the connection is from the callback.

As Igor mentioned, passing a "half-dead" connection object into callbacks is hard to handle. However, if we pass a null here, it has a risk to crash the user. (If the caller forget to handle NULL here).
Besides, it also breaks the contract that the user “should never use the connection if they have release it.” if they have to do a NULL check here.

We should make a rule to avoid expose the object in callbacks in the future implementation.