[SCCPSolver] Fix use-after-free in markArgInFuncSpecialization

In SCCPSolver::markArgInFuncSpecialization, the ValueState map may be
reallocated *after* the initial ValueLatticeElement reference is grabbed, but
*before* its use in copy initialization. This causes a use-after-free.  To fix
this, this commit changes the behavior to create the new ValueLatticeElement
before assigning the old one to it.

Patch by: https://github.com/duck-37/

Differential Revision: https://reviews.llvm.org/D111112