Safely reassign array in usort()

Make sure to destroy the old value only after assigning the new
one. Otherwise we may try to double free, e.g. if GC runs during
this dtor.

This caused an assertion failure in phpro/grumphp and is likely
the cause for bug #81603 as well.

(cherry picked from commit 6f38acf)

(I applied this to the wrong base branch at first...)

Author: nikic

ext/standard/array.c

@@ -1037,8 +1037,10 @@ static void php_usort(INTERNAL_FUNCTION_PARAMETERS, compare_func_t compare_func,
 
 	retval = zend_hash_sort(arr, compare_func, renumber) != FAILURE;
 
-	zval_ptr_dtor(array);
+	zval garbage;
+	ZVAL_COPY_VALUE(&garbage, array);
 	ZVAL_ARR(array, arr);
+	zval_ptr_dtor(&garbage);
 
 	PHP_ARRAY_CMP_FUNC_RESTORE();
 	RETURN_BOOL(retval);