Bug
Resolution: Fixed
High
Code Generation Tools
CODEGEN-7956
default
The optimizer incorrectly optimized an expression by moving a sub-expression that invokes undefined behavior to a point before the test that would have prevented it from being executed. Specifically, the optimizer hoisted a null pointer dereference above the test that guarded the pointer. The optimization in question is essentially as follows. Given
if (X) Y = Z; else Y = W;
or
Y = (X ? Z : W)
where all of X, Y, Z, and W are bool or single-bit bit-fields, and one of Z or W is the constant 0, the optimizer would produce
Y = (X&Z) | ((!X)&W)
(The user's code might not look exactly like the above, because the optimizer can arrive at this form by rearranging logically equivalent code sequences.) The problem is that in the original expression W could be a null pointer dereference guarded by X. Both if/else and the conditional operator evaluate only the selected operand, so in the original code W is not executed when X is true; in the rewritten code the operands of & and | are evaluated unconditionally, so both Z and W are always executed. The rewrite is therefore only valid when the operand that the original would have skipped is free of side effects and undefined behavior, which the optimizer did not check. The fix is to make the optimizer produce
Y = (X&&Z)||((!X)&&W)
The short-circuit operators preserve the original evaluation order, so W stays behind its guard. If Z and/or W later turn out to be safe to execute speculatively, subsequent optimization passes can turn the && operators into & operators.
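The following added example is not part of the original report or the compiler's code; it spells out the three forms above in plain C with X = (p == NULL), Z = 0 and W = p->flag, a single-bit bit-field. The struct, the function names and the instrumented load are assumptions made for the demonstration. Since an actual NULL dereference would crash the program before anything could be observed, the load of W goes through a stand-in that records an attempted NULL dereference and returns 0 instead; everything else evaluates exactly as the three expressions in the report would.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed record with a single-bit bit-field, matching the operand
 * kinds in the report (bool or single-bit bit-field). */
struct node {
    unsigned flag : 1;
};

/* Stand-in for the guarded load "p->flag" (the W operand). A real NULL
 * dereference would terminate the process, so the stand-in records the
 * attempt and returns 0; for a non-NULL pointer it performs the load. */
static int null_deref_attempts;

static bool load_w(const struct node *p)
{
    if (p == NULL) {
        null_deref_attempts++;
        return false;
    }
    return p->flag;
}

/* Source form: Y = (X ? Z : W). W is evaluated only when X is false. */
bool select_original(const struct node *p)
{
    bool x = (p == NULL);
    return x ? 0 : load_w(p);
}

/* What the buggy optimizer produced: Y = (X & Z) | (!X & W).
 * Both operands of | are always evaluated, so W runs even when X is true
 * and the pointer is NULL. */
bool select_buggy(const struct node *p)
{
    bool x = (p == NULL);
    return (x & 0) | ((!x) & load_w(p));
}

/* The fix: Y = (X && Z) || (!X && W). Short-circuit evaluation keeps W
 * behind its guard; a later pass may still replace && by & once it has
 * proven W safe to evaluate speculatively. */
bool select_fixed(const struct node *p)
{
    bool x = (p == NULL);
    return (x && 0) || ((!x) && load_w(p));
}

/* Runs one form against a NULL pointer and returns how many times the
 * guarded load was attempted (0 = guard respected, 1 = hoisted). */
int null_deref_count(bool (*select)(const struct node *))
{
    null_deref_attempts = 0;
    (void)select(NULL);
    return null_deref_attempts;
}

/* Runs one form against a real record whose flag is set to `flag`
 * (0 or 1), to confirm all three forms agree on valid input. */
bool select_on_record(bool (*select)(const struct node *), unsigned flag)
{
    struct node n = { .flag = flag };
    return select(&n);
}

int main(void)
{
    printf("flag=1: original=%d buggy=%d fixed=%d\n",
           select_on_record(select_original, 1),
           select_on_record(select_buggy, 1),
           select_on_record(select_fixed, 1));
    printf("NULL deref attempts: original=%d buggy=%d fixed=%d\n",
           null_deref_count(select_original),
           null_deref_count(select_buggy),
           null_deref_count(select_fixed));
    return 0;
}
```

On a valid pointer all three forms return the same value, which is why the bug is easy to miss in testing; only the NULL case separates them, and there the & form reaches the load while the original and the && form do not.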