diff --git a/lib/Sema/TreeTransform.h b/lib/Sema/TreeTransform.h
index 5d761d382a77f8e7b711f19fec19053aec615455..240445190b865d25a914842418bb68458ce3c6e4 100644
--- a/lib/Sema/TreeTransform.h
+++ b/lib/Sema/TreeTransform.h
@@ -8325,9 +8325,12 @@ TreeTransform<Derived>::RebuildArrayType(QualType ElementType,
       break;
     }
 
-  IntegerLiteral ArraySize(SemaRef.Context, *Size, SizeType,
-                           /*FIXME*/BracketsRange.getBegin());
-  return SemaRef.BuildArrayType(ElementType, SizeMod, &ArraySize,
+  // Note that we can return a VariableArrayType here in the case where
+  // the element type was a dependent VariableArrayType.
+  IntegerLiteral *ArraySize
+      = IntegerLiteral::Create(SemaRef.Context, *Size, SizeType,
+                               /*FIXME*/BracketsRange.getBegin());
+  return SemaRef.BuildArrayType(ElementType, SizeMod, ArraySize,
                                 IndexTypeQuals, BracketsRange,
                                 getDerived().getBaseEntity());
 }
diff --git a/test/CodeGenCXX/c99-variable-length-array.cpp b/test/CodeGenCXX/c99-variable-length-array.cpp
index 76f99c7b4137db87ffa7b1fa0c4391cb7e3cf67d..d486f9b018260342e117dd0aeebcde203a6bc631 100644
--- a/test/CodeGenCXX/c99-variable-length-array.cpp
+++ b/test/CodeGenCXX/c99-variable-length-array.cpp
@@ -25,3 +25,13 @@ void f(int argc, const char* argv[]) {
   // CHECK: call void @_ZN1XD1Ev
   // CHECK: ret void
 }
+
+namespace PR11744 {
+  // Make sure this doesn't crash; there was a use-after-free issue
+  // for this testcase.
+  template<typename T> int f(int n) {
+    T arr[3][n];
+    return 3;
+  }
+  int test = f<int>(0);
+}