From 416abff90dae9c66e17efe9d6a01efce63eefba8 Mon Sep 17 00:00:00 2001
From: Mike Pall
Date: Thu, 6 Mar 2014 00:39:37 +0100
Subject: [PATCH] Don't access dangling reference to reallocated IR.

---
 src/lj_asm.c | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/src/lj_asm.c b/src/lj_asm.c
index 3f472d28..264649ae 100644
--- a/src/lj_asm.c
+++ b/src/lj_asm.c
@@ -1246,16 +1246,18 @@ static void asm_phi_fixup(ASMState *as)
 Reg r = rset_picktop(work);
 IRRef lref = as->phireg[r];
 IRIns *ir = IR(lref);
-/* Left PHI gained a spill slot before the loop? */
-if (irt_ismarked(ir->t) && ra_hasspill(ir->s)) {
-IRRef ren;
-lj_ir_set(as->J, IRT(IR_RENAME, IRT_NIL), lref, as->loopsnapno);
-ren = tref_ref(lj_ir_emit(as->J));
-as->ir = as->T->ir; /* The IR may have been reallocated. */
-IR(ren)->r = (uint8_t)r;
-IR(ren)->s = SPS_NONE;
+if (irt_ismarked(ir->t)) {
+irt_clearmark(ir->t);
+/* Left PHI gained a spill slot before the loop? */
+if (ra_hasspill(ir->s)) {
+IRRef ren;
+lj_ir_set(as->J, IRT(IR_RENAME, IRT_NIL), lref, as->loopsnapno);
+ren = tref_ref(lj_ir_emit(as->J));
+as->ir = as->T->ir; /* The IR may have been reallocated. */
+IR(ren)->r = (uint8_t)r;
+IR(ren)->s = SPS_NONE;
+}
 }
-irt_clearmark(ir->t); /* Always clear marker. */
 rset_clear(work, r);
 }
 }
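Review bot: The new code is correct only because `irt_clearmark(ir->t)` and `ra_hasspill(ir->s)` both run before `lj_ir_emit(as->J)`, which may reallocate the IR array and leave the local `ir` pointer dangling; nothing in the hunk states that ordering constraint, so a later edit that touches `ir` after the emit would quietly reintroduce the use-after-free this commit removes. I would add a comment on the added `irt_clearmark(ir->t);` line, e.g. `/* Clear the mark now: lj_ir_emit() below may reallocate the IR and leave ir dangling. */`. Consider also re-deriving `ir = IR(lref);` right after `as->ir = as->T->ir;` so the pointer is never stale while in scope, though with the current body it is not read again. The enclosing loop and asm_phi_fixup itself begin outside the hunk.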