
expression: use indirection to safely finalize object expression

Christian Hergert requested to merge wip/chergert/fix-expression-weak-ref-uaf into main

The data parameter that was passed to g_object_weak_ref() is the expression itself. However, we cannot actually call g_object_weak_unref() safely in some cases which means the callback will continue to be called with the expression pointer after the expression has been finalized.

This counteracts that with an extra layer of indirection. A new handle structure is allocated which is reference counted by both the expression and for the weak ref callback data. Upon first unref, the data pointing back to the expression is cleared to prevent use-after-free.

Since g_object_weak_ref() does not have a destroy notify associated with it we must handle clearing that extra reference ourselves in the case we know it has not been called.
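The ownership scheme described above, modelled as an added example that is not the merge request's own code: the handle is refcounted by both the expression and the weak-ref callback data, the back pointer is cleared on the expression's final unref, and the callback's reference is released by whichever side can safely do so. GLib is not used; the `Object`, `Handle` and `Expression` types and the `dispatching` flag (standing in for the unspecified cases where g_object_weak_unref() cannot be called) are assumptions of this model.

```c
#include <stdlib.h>
#include <stdbool.h>
/* Stand-ins for GObject weak refs (assumption: no GLib); `dispatching` models when g_object_weak_unref() is unsafe. */
typedef void (*WeakNotify)(void *data, void *where_the_object_was);
typedef struct { int refs, n; bool dispatching; WeakNotify cb[4]; void *data[4]; } Object;
typedef struct Expression Expression;
typedef struct { int refs; Expression *expr; } Handle;  /* the indirection: refs held by expression + callback data */
struct Expression { int refs; Object *target; Handle *handle; };
static int handles_freed, stale_callbacks;  /* stale = notify arrived after the expression died */
static void handle_unref(Handle *h) { if (--h->refs == 0) { free(h); handles_freed++; } }
static void object_weak_ref(Object *o, WeakNotify cb, void *d) { o->cb[o->n] = cb; o->data[o->n++] = d; }
static bool object_weak_unref(Object *o, WeakNotify cb, void *d) {
  if (o->dispatching) return false;  /* unlinking while the list is iterated is not safe */
  for (int i = 0; i < o->n; i++)
    if (o->cb[i] == cb && o->data[i] == d) { o->n--; o->cb[i] = o->cb[o->n]; o->data[i] = o->data[o->n]; return true; }
  return false;
}
static void object_unref(Object *o) {
  if (--o->refs) return;
  o->dispatching = true;
  for (int i = 0; i < o->n; i++) o->cb[i](o->data[i], o);
  free(o);
}
static void on_target_finalized(void *data, void *where_the_object_was) {
  Handle *h = data; (void)where_the_object_was;  /* data is the handle, never the expression itself */
  if (h->expr) h->expr->target = NULL;  /* expression alive: forget the dead target */
  else stale_callbacks++;               /* expression gone: nothing to dereference, no UAF */
  handle_unref(h);                      /* release the callback data's reference */
}
static Expression *expression_new(Object *target) {
  Expression *e = calloc(1, sizeof *e); Handle *h = calloc(1, sizeof *h);
  e->refs = 1; e->target = target; e->handle = h; h->refs = 2; h->expr = e;
  object_weak_ref(target, on_target_finalized, h);
  return e;
}
static void expression_unref(Expression *e) {
  Handle *h = e->handle;
  if (--e->refs) return;
  h->expr = NULL;  /* clear the back pointer first: a late notify must find nothing to touch */
  /* Weak refs carry no destroy notify: we own the callback's handle ref only if we unlinked it ourselves. */
  if (e->target && object_weak_unref(e->target, on_target_finalized, h)) handle_unref(h);
  handle_unref(h);
  free(e);
}
/* Worst case: a notify registered earlier drops the last expression ref while notifies are being delivered. */
static void drop_expression(void *data, void *obj) { (void)obj; expression_unref(*(Expression **)data); }
static int run_unref_during_dispatch(void) {
  Object *o = calloc(1, sizeof *o); Expression *e; o->refs = 1;
  object_weak_ref(o, drop_expression, &e); e = expression_new(o);
  handles_freed = stale_callbacks = 0;
  object_unref(o);  /* drop_expression runs first, then on_target_finalized with a cleared handle */
  return handles_freed == 1 && stale_callbacks == 1;
}
```

In the modelled worst case the expression is finalized while its weak notify is still queued; the notify then runs against the handle, finds the back pointer cleared, and only drops its own reference.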
