Fish-shell: Fish segfaults on launch (parsing builtin config.fish) when built from HEAD with homebrew

I've updated my local install of fish using homebrew to 020fe5ccdfbbc147977ae11803816475e9fef763, and it segfaults at launch, while reading config.fish.

Here's what I see when running it in lldb and when running it with a high --debug-level: https://gist.github.com/thomcc/4bda5472facccd4c93884df3e3e50044 (actually, it now includes function disassemblies too).

From the disassemblies, it looks like the compiler is dropping the test for child here: https://github.com/fish-shell/fish-shell/blob/master/src/tnode.h#L147, since it's assuming a that a reference can never be nullptr, since that's UB (note that it rewrites the function a bit so that it skips to the end when nodeptr is nullptr, so it knows child couldn't be null for that reason).

There could be other issues as well, of course, especially if other code has the same problem (e.g. assumes a reference could be nullptr).

Unfortunately, this sort of issue is very tricky to repro, and I can't actually get it to happen on a build outside of installing from homebrew, even though everything else should be the same (I guess it's possible that it has a different path and is finding a different clang? I don't know).

It's reliable for me inside homebrew, though.