Fix a NULL pointer deref in LRU.

Spotted by: c0004x.vtc on slow machines.

bin/varnishd/cache/cache_expire.c

@@ -331,6 +331,8 @@ EXP_NukeOne(struct busyobj *bo, struct lru *lru)
 
 	VSLb(bo->vsl, SLT_ExpKill, "LRU x=%u",
 	    oc_getxid(bo->stats, oc) & VSL_IDENTMASK);
+	AN(bo->stats);
+	AN(oc);
 	(void)HSH_DerefObjCore(bo->stats, &oc);
 	return (1);
 }

bin/varnishd/cache/cache_fetch.c

@@ -384,8 +384,8 @@ vbf_stp_fetch(struct worker *wrk, struct busyobj *bo)
 		bo->exp.keep = 0.0;
 		obj = STV_NewObject(bo, TRANSIENT_STORAGE, l, nhttp);
 	}
-	bo->stats = NULL;
 	if (obj == NULL) {
+		bo->stats = NULL;
 		(void)VFP_Error(bo, "Could not get storage");
 		VDI_CloseFd(&bo->vbc);
 		return (F_STP_DONE);
@@ -459,6 +459,8 @@ vbf_stp_fetch(struct worker *wrk, struct busyobj *bo)
 		break;
 	}
 
+	bo->stats = NULL;
+
 	bo->t_body = VTIM_mono();
 
 	if (bo->vbc != NULL) {

bin/varnishd/cache/cache_fetch_proc.c

@@ -178,6 +178,7 @@ VFP_GetStorage(struct busyobj *bo, ssize_t sz)
 	if (st != NULL && st->len < st->space)
 		return (st);
 
+	AN(bo->stats);
 	l = fetchfrag;
 	if (l == 0)
 		l = sz;

bin/varnishd/storage/stevedore.c

@@ -202,6 +202,7 @@ stv_alloc_obj(struct busyobj *bo, size_t size)
 	 * Always use the stevedore which allocated the object in order to
 	 * keep an object inside the same stevedore.
 	 */
+	AN(bo->stats);
 	CHECK_OBJ_NOTNULL(bo, BUSYOBJ_MAGIC);
 	obj = bo->fetch_obj;
 	CHECK_OBJ_NOTNULL(obj, OBJECT_MAGIC);