[SimplifyCFG] Speculated load accesses a dead object

[dtcxzyw]

Reproducer: https://alive2.llvm.org/ce/z/F8zhNx

define i32 @src() {
entry:
  %l_297 = alloca i32, align 4
  call void @llvm.lifetime.start.p0(i64 4, ptr %l_297)
  %tobool842.not.not = icmp eq i32 0, 0
  call void @llvm.lifetime.end.p0(i64 4, ptr %l_297)
  br i1 %tobool842.not.not, label %cleanup860, label %for.end856

for.end856:
  %0 = load i32, ptr %l_297, align 4
  br label %cleanup860

cleanup860:
  %cleanup.dest.slot.5 = phi i32 [ 0, %entry ], [ %0, %for.end856 ]
  ret i32 %cleanup.dest.slot.5
}

define i32 @tgt() {
entry:
  %l_297 = alloca i32, align 4
  call void @llvm.lifetime.start.p0(i64 4, ptr %l_297)
  %tobool842.not.not = icmp eq i32 0, 0
  call void @llvm.lifetime.end.p0(i64 4, ptr %l_297)
  %0 = load i32, ptr %l_297, align 4
  %spec.select = select i1 %tobool842.not.not, i32 0, i32 %0
  ret i32 %spec.select
}

Transformation doesn't verify!

ERROR: Source is more defined than target

Example:

Source:
ptr %l_297 = pointer(local, block_id=0, offset=0) / Address=#x100
i1 %tobool842.not.not = #x1 (1)
  >> Jump to %cleanup860
i32 %cleanup.dest.slot.5 = #x00000000 (0)

SOURCE MEMORY STATE
===================
NON-LOCAL BLOCKS:
Block 0 >	alive: true

LOCAL BLOCKS:
Block 2 >	size: 4	align: 4	alloc type: 1	alive: false	address: 256

Target:
ptr %l_297 = pointer(local, block_id=0, offset=0) / Address=#x100
i1 %tobool842.not.not = #x1 (1)
i32 %#0 = UB triggered!

TARGET MEMORY STATE
===================
LOCAL BLOCKS:
Block 2 >	size: 4	align: 4	alloc type: 1	alive: false	address: 256

llvm version: 5859863

[dtcxzyw]

It seems a long-standing issue: #51838