Incorrect write barrier elimination #40780
Description
Using verification code added in https://dart-review.googlesource.com/c/sdk/+/137240, I see that https://dart-review.googlesource.com/c/sdk/+/136221 causes incorrect write barrier elimination in Splay.
$ ./out/ReleaseX64/dart --verify-store-buffer ~/benchmarks/Splay/dart/Splay.dart
./../runtime/vm/heap/scavenger.cc: 512: error: Old object 0x7feaf6403091 references new object 0x7feaf8c79cb9, but it is not in any store buffer. Consider using rr to watch the slot 0x7feaf64030b0 to reverse-continue to find the store with a missing barrier.
rr reveals that last write to 0x7feaf64030b0 was
StoreInstanceField(v213 . right = v245, NoStoreBarrier)
StoreInstanceField(v213 . right = v245, NoStoreBarrier)
v209 <- AllocateObject(Node) T{Node}
v213 <- phi(v209, v255) alive T{Node}
v217 <- phi(v316 T{Node}, v259) alive T{Node?}
v245 <- phi(v237 T{Node}, v217 T{Node}) alive T{Node}
v255 <- phi(v213, v245) alive T{Node}
v255 <- phi(v213, v245) alive T{Node}
v259 <- phi(v271, v247) alive T{Node?}
v237 <- LoadField(v217 T{Node} . right) T{Node?}
v247 <- LoadField(v245 . right) T{Node?}
v271 <- LoadField(v269 . left) T{Node?}
v316 <- LoadField(v8 T{SplayTree} . root) T{Node?}
v213 can come from a field load, so it is not safe to remove the barrier.