Safely reassign array in usort()

Make sure to destroy the old value only after assigning the new
one. Otherwise we may try to double free, e.g. if GC runs during
this dtor.

This caused an assertion failure in phpro/grumphp and is likely
the cause for bug #81603 as well.

Author: nikic

ext/standard/array.c

@@ -988,8 +988,10 @@ static void php_usort(INTERNAL_FUNCTION_PARAMETERS, bucket_compare_func_t compar
 
 	zend_hash_sort(arr, compare_func, renumber);
 
-	zval_ptr_dtor(array);
+	zval garbage;
+	ZVAL_COPY_VALUE(&garbage, array);
 	ZVAL_ARR(array, arr);
+	zval_ptr_dtor(&garbage);
 
 	PHP_ARRAY_CMP_FUNC_RESTORE();
 	RETURN_TRUE;