From 23abbd9ef344289d1dae6d8fcf9d3c0ab8e1e6e1 Mon Sep 17 00:00:00 2001
From: Mike Pall <mike>
Date: Sun, 29 Jul 2012 21:37:45 +0200
Subject: [PATCH] Only replay sunk stores up to the snapshot reference.

---
 src/lj_snap.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/src/lj_snap.c b/src/lj_snap.c
index 0cf12243..dd123692 100644
--- a/src/lj_snap.c
+++ b/src/lj_snap.c
@@ -464,8 +464,7 @@ void lj_snap_replay(jit_State *J, GCtrace *T)
       J->baseslot = s+1;
   }
   if (pass23) {
-    IRIns *irlast = &T->ir[(snap+1)->ref];
-    lua_assert(J->exitno+1 < T->nsnap);
+    IRIns *irlast = &T->ir[snap->ref];
     pass23 = 0;
     /* Emit dependent PVALs. */
     for (n = 0; n < nent; n++) {