Fix early free of assign_obj op_data

We need to make sure that op_data is only freed after populating
result, as op_data may be the only thing holding the value in the
case of an overloaded assignment.

This reverts the code to how it looked like in 7.3.

Author: nikic

Zend/tests/overloaded_assign_prop_return_value.phpt

@@ -0,0 +1,14 @@
+--TEST--
+Make sure the return value of a property assignment is not freed to early
+--FILE--
+<?php
+class Overloaded {
+    function __set($r, $a) {}
+}
+$obj = new Overloaded;
+$x = $obj->prop = new stdClass;
+var_dump($x);
+?>
+--EXPECT--
+object(stdClass)#2 (0) {
+}

Zend/zend_vm_def.h

@@ -2495,6 +2495,9 @@ ZEND_VM_C_LABEL(assign_object):
 				} else {
 ZEND_VM_C_LABEL(fast_assign_obj):
 					value = zend_assign_to_variable(property_val, value, OP_DATA_TYPE, EX_USES_STRICT_TYPES());
+					if (UNEXPECTED(RETURN_VALUE_USED(opline))) {
+						ZVAL_COPY(EX_VAR(opline->result.var), value);
+					}
 					ZEND_VM_C_GOTO(exit_assign_obj);
 				}
 			}
@@ -2542,6 +2545,9 @@ ZEND_VM_C_LABEL(fast_assign_obj):
 					}
 				}
 				zend_hash_add_new(zobj->properties, Z_STR_P(property), value);
+				if (UNEXPECTED(RETURN_VALUE_USED(opline))) {
+					ZVAL_COPY(EX_VAR(opline->result.var), value);
+				}
 				ZEND_VM_C_GOTO(exit_assign_obj);
 			}
 		}
@@ -2554,11 +2560,11 @@ ZEND_VM_C_LABEL(fast_assign_obj):
 	value = Z_OBJ_HT_P(object)->write_property(object, property, value, (OP2_TYPE == IS_CONST) ? CACHE_ADDR(opline->extended_value) : NULL);
 
 ZEND_VM_C_LABEL(free_and_exit_assign_obj):
-	FREE_OP_DATA();
-ZEND_VM_C_LABEL(exit_assign_obj):
 	if (UNEXPECTED(RETURN_VALUE_USED(opline))) {
 		ZVAL_COPY(EX_VAR(opline->result.var), value);
 	}
+	FREE_OP_DATA();
+ZEND_VM_C_LABEL(exit_assign_obj):
 	FREE_OP2();
 	FREE_OP1_VAR_PTR();
 	/* assign_obj has two opcodes! */