Simon Marlow authored
Here's a bit of erroneous code:

    00000c5c <s1ad_info>:
         c5c:  8b 45 08                mov    0x8(%ebp),%eax
         c5f:  d9 46 03                flds   0x3(%esi)
         c62:  dd d9                   fstp   %st(1)
         c64:  d9 55 08                fsts   0x8(%ebp)
         c67:  89 c6                   mov    %eax,%esi
         c69:  c7 45 00 24 0c 00 00    movl   $0xc24,0x0(%ebp)
         c70:  f7 c6 03 00 00 00       test   $0x3,%esi
         c76:  75 ac                   jne    c24 <s1ac_info>

So we should be doing some ffrees before the jne. The code that inserts the ffrees wasn't expecting to do it for a conditional jump, because they are usually local, but we have a late optimisation that shortcuts jumps-to-jumps, and that can result in a non-local conditional jump.

This at least fixes an instance of the bug that I was able to reproduce; let's hope there aren't any more.
9c583846