https://gcc.gnu.org/bugzilla/show_bug.cgi?id=79265
--- Comment #1 from Jakub Jelinek <jakub at gcc dot gnu.org> --- That is because -fsanitize=nonnull (very much intentionally) turns off -fdelete-null-pointer-checks, because the intent of the instrumentation is to diagnose when gcc would think it must be non-NULL when it actually is NULL. We don't have fine grained switches that would distinguish various sub-cases of flag_delete_null_pointer_checks guarded code and adding them would be non-trivial. Generally, -fno-delete-null-pointer-checks allows e.g. global vars to reside at address 0, in the testcase you are mentioning it is actually an automatic variable, so it is arguably harder for those to be at address 0 (the stack would need to be there), but not impossible.
