Fix spilling bug

If we spilled a FuncCtx (pretty unlikely), we treated the class/this
portion as a type, and only spilled/restored the low 32 bits:

   0xb23ad54:    mov    %r13,0x10(%rsp)
   0xb23ad59:    mov    %edx,0x1c(%rsp) # rdx contained a $this pointer
   0xb23ad5d:    mov    %r14,-0x10(%rbx)
   0xb23ad61:    mov    %r15d,-0x4(%rbx)
   0xb23ad65:    add    $0xfffffffffffffff0,%rbx
   0xb23ad69:    lea    (%rbx),%rdi
   0xb23ad6c:    callq  0x33f68f1 <HPHP::assertTv(HPHP::TypedValue const*)>
   0xb23ad71:    mov    0x10(%rsp),%rdx
   0xb23ad76:    mov    0x1c(%rsp),%ecx # restored here
   0xb23ad7a:    movq   $0x0,-0x8(%rbx)
   0xb23ad82:    mov    %rdx,-0x20(%rbx)
   0xb23ad86:    mov    %rcx,-0x10(%rbx) # and written to the new actrec here
   0xb23ad8a:    mov    %rbp,-0x30(%rbx)
   0xb23ad8e:    movl   $0x0,-0x14(%rbx)
   0xb23ad95:    add    $0xffffffffffffffd0,%rbx

hphp/runtime/vm/jit/codegen.cpp

@@ -2557,7 +2557,7 @@ void CodeGenerator::cgSpill(IRInstruction* inst) {
       m_as.movdqa(srcReg, reg::rsp[sinfo.offset()]);
     } else {
       int offset = sinfo.offset();
-      if (locIndex == 0 || packed_tv) {
+      if (locIndex == 0 || packed_tv || src->type().subtypeOf(Type::FuncCtx)) {
         emitStoreReg(m_as, srcReg, reg::rsp[offset]);
       } else {
         // Note that type field is shifted in memory
@@ -2583,7 +2583,7 @@ void CodeGenerator::cgReload(IRInstruction* inst) {
       m_as.movdqa(reg::rsp[sinfo.offset()], dstReg);
     } else {
       int offset = sinfo.offset();
-      if (locIndex == 0 || packed_tv) {
+      if (locIndex == 0 || packed_tv || src->type().subtypeOf(Type::FuncCtx)) {
         emitLoadReg(m_as, reg::rsp[offset], dstReg);
       } else {
         // Note that type field is shifted in memory