Zend/zend_execute: clear reference before calling dtor

If we don't do this, then `zend_objects_store_del()` will call the PHP
destructor, which may then recurse into `zend_objects_store_del()`,
leading to a use-after-free / double-free bug.

Fixes failures of `Zend/tests/gh10168_3.phpt` (added recently by
71ddede) which, depending on the timing, can trigger the recursive
zend_objects_store_del() call.

This is similar to commit a057f06

Author: MaxKellermann

Zend/zend_execute.c

@@ -3553,6 +3553,13 @@ ZEND_API bool ZEND_FASTCALL zend_verify_ref_assignable_zval(zend_reference *ref,
 static zend_always_inline void i_zval_ptr_dtor_noref(zval *zval_ptr) {
 	if (Z_REFCOUNTED_P(zval_ptr)) {
 		zend_refcounted *ref = Z_COUNTED_P(zval_ptr);
+
+		/* clear reference before invoking the destructor, or
+		   else something inside the destructor may assign the
+		   reference again, triggering another recursive
+		   destructor call */
+		ZVAL_UNDEF(zval_ptr);
+
 		ZEND_ASSERT(Z_TYPE_P(zval_ptr) != IS_REFERENCE);
 		if (!GC_DELREF(ref)) {
 			rc_dtor_func(ref);