Fix use-after-free when ArrayObject sort comparator replaces backing store

[iliaal]

spl_array_method() caches the backing HashTable pointer across the user-supplied sort comparator. A comparator that re-enters __construct() (or __unserialize()) routes through spl_array_set_array(), which unlike the other ArrayObject mutators had no nApplyCount guard, so it swaps intern->array out from under the cached pointer and the post-sort cleanup releases then dereferences freed memory. Reachable from pure userland; valgrind reports an invalid read and the process segfaults. Add the nApplyCount guard the dimension writers and exchangeArray() already use.

$ao = new ArrayObject([3, 1, 2]);
$o = new ArrayObject([9, 8, 7]);
$ao->uasort(function ($a, $b) use ($ao, $o) {
    static $n = 0;
    if ($n++ === 0) { $ao->__construct($o); }
    return $a <=> $b;
});
var_dump($ao->getArrayCopy()); // segfaults before the patch

[iliaal]

Submitted upstream as php#22310.