Fix leak on foreach by ref assign to property

In this case we ended up creating an ASSIGN_OBJ_REF with VAR
result operand, which was not freed.

Fix this by implementing assign_ref_znode the same was as
assign_znode, i.e. performing an assignment with result and
then freeing the result, which will result mark the result as
UNUSED. This is more robust than the special handling for
result == NULL that was used before.

This fixes one of the issues reported in bug #81190.

Author: nikic

Zend/tests/foreach_by_ref_to_property.phpt

@@ -0,0 +1,11 @@
+--TEST--
+Foreach by ref assignment to property
+--FILE--
+<?php
+$obj = new stdClass;
+foreach ([0] as &$obj->prop) {
+    var_dump($obj->prop);
+}
+?>
+--EXPECT--
+int(0)

Zend/zend_compile.c

@@ -2888,17 +2888,13 @@ void zend_compile_assign_ref(znode *result, zend_ast *ast) /* {{{ */
 		opline->extended_value &= ~ZEND_FETCH_REF;
 		opline->extended_value |= flags;
 		zend_emit_op_data(&source_node);
-		if (result != NULL) {
-			*result = target_node;
-		}
+		*result = target_node;
 	} else if (opline && opline->opcode == ZEND_FETCH_STATIC_PROP_W) {
 		opline->opcode = ZEND_ASSIGN_STATIC_PROP_REF;
 		opline->extended_value &= ~ZEND_FETCH_REF;
 		opline->extended_value |= flags;
 		zend_emit_op_data(&source_node);
-		if (result != NULL) {
-			*result = target_node;
-		}
+		*result = target_node;
 	} else {
 		opline = zend_emit_op(result, ZEND_ASSIGN_REF, &target_node, &source_node);
 		opline->extended_value = flags;
@@ -2908,9 +2904,11 @@ void zend_compile_assign_ref(znode *result, zend_ast *ast) /* {{{ */
 
 static inline void zend_emit_assign_ref_znode(zend_ast *var_ast, znode *value_node) /* {{{ */
 {
+	znode dummy_node;
 	zend_ast *assign_ast = zend_ast_create(ZEND_AST_ASSIGN_REF, var_ast,
 		zend_ast_create_znode(value_node));
-	zend_compile_assign_ref(NULL, assign_ast);
+	zend_compile_assign_ref(&dummy_node, assign_ast);
+	zend_do_free(&dummy_node);
 }
 /* }}} */