I’m not sure, but this looks like a bug to me (resulting in a crash):
in CCScheduler::unscheduleAllSelectors, unscheduleAllSelectorsForTarget is called and in the next line pElement is accessed:
pElement = (tHashSelectorEntry *)pElement->hh.next;
in unscheduleAllSelectorsForTarget, the same pElement seems to be resolved from target:
tHashSelectorEntry *pElement = NULL;
HASH_FIND_INT(m_pHashForSelectors, &pTarget, pElement);
and later removed and freed:
removeHashElement(pElement); // <-- this method frees pElement!
now pElement~~>hh.next in unscheduleAllSelectors breaks.
My simple suggestion would be to assign pElement~~>hh.next to a temporary before calling unscheduleAllSelectorsForTarget.
I’m not sure if this is really a bug, or if this results from a wrong API usage in our code.