========================================
I have searched http://www.open-std.org/jtc1/sc22/wg14/ , and https://groups.google.com/forum/m/#!topic/comp.std.c/yIpg6gtdOoU . But I am still not sure how it's better to start DR submission procedure (I do not want fuss, I know members of committee already have a lot of work, but obscurity is confusing).

========================================
We know at least one existing compiler, where undefined behavior have visible impact on code execution. Not "possible possibilities" and "we can imagine", but right now, here, real, target of any portable code.
It has been already mentioned, gcc 4.9
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61236

This demonstration how NULL restriction can be exploited by compiler is real demonstration of how really this can be exploited by compiler.

gcc 4.9 uses this restriction not for memcpy optimization itself (and other string.h routines), but couple it with reasoning about pointer value (even for zero array size).

========================================
My thoughts about 'Pro' and 'Cons' about prohibition to pass NULL to string.h functions with zero n (array size) argument:

Pro:
1) Vague "optimization opportunity" of memcpy itself, and more (false?) compiler reasoning about program logic.
2) Do not render existing gcc 4.9.0 implementation as invalid.

Cons:
1) This is also anti-optimization - we add additional check to algorithm which is already works fine with NULL. Compiler can remove such 'if', but it's strange to force programmer to write meaningless 'if's, and such optimization is not portable to other compilers. Hardcore code optimization persons are not happy.

2) Security: this optimization can be used by hackers on existing soft compiled in new way, to send empty input converted to {ptr=NULL, size=0} dynamic array and bypass some code validation.

3) This NULLeness pointer deduction is coupled with copying algorithm. It's important for library to be orthogonal, and do not couple two possible independent wishes (optimization hint, and byte copying).
If programmer can ensure that pointer is not null, he can write explicit hint. Standardization of such a hint, like the __assume/__expect is much orthogonal and gives programmer a lot more of possibilities.
It is better to state, that memcpy is equivalent of
{while(n--)dst[n]=src[n];},
not equivalent of something like
{ if(n || src==NULL/*why?..*/) { *src; } while(n--){dst[i]=src[i]}; }.

Hardcore code optimization person still can hint compiler, even inside MACRO-generated code.

4) If compiler can deduce that n>0 in the memcpy(dst,src,n) call, there are still reasonable hint that dst and src pointers are not NULL.

if (src) { i += 1; }
/* previous 'if'-check can be dropped, if compiler is sure
that strlen() can't return (size_t(0)-1) on target platform. */
memcpy(dst, src, strlen(src) + 1)

6) If memory allocation library makes one-element-past-end of array memory unreadable, it's unlikely that memcpy implementation tries to read/write any pointer when n=0.

(less technical reasoning, but still have large impact on the world):
5) Make gcc(6+N).0 ... more robust. May be, even gcc 4.9.* and 5.1.* next minor update.
7) Make the world better place
8) less if's and branches - better and faster software.

===================================
There is important typo in my test code:
- TEST(dst == memset(dst, 0, 0));
+ TEST(dst == memset(dst, 0, n));

Full code: https://gist.github.com/dobrokot/61959f21609abdea0960

And for future readers of mail archive, copy:
===================================
#include <string.h>
#include <stdio.h>

typedef char *p;

volatile p src = NULL;
volatile p dst = NULL;
volatile size_t n = 0;

#define TEST(x) if (x) ; else { printf("error, %s\n", #x); }

int main() {
TEST(dst == memcpy(dst, src, n));
TEST(dst == memmove(dst, src, n));
TEST(dst == strncpy(dst, src, n));
TEST(dst == memset(dst, 0, n));
TEST(0 == strncmp(src, dst, n));
TEST(0 == memcmp(src, dst, n));


/* Observable effect after observable reads from 'volatile n'.
OS are not always give explicit message
about segmentation fault/invalid read at process termination. */
printf("Still alive. Still alive.\n");
return 0;
}

===================================

I very much agree.
Yes.

Of course it isn't a bug by the standard, as the warning "Condition is
always false" isn't a requirement by the standard.

But, once the implementation generates such a warning, it is a clear
inconsistency to on one hand use the fact that you conclude that the
expression must be false (or undefined behavior has occurred) to omit
the code generation, but not consider it suitable for the warning
(assuming that warning is enabled).

This is the fundamental problem behind most of the "surprising
mis-compliation" conditions. You have a compiler that historically has
been very good at pointing out questionable situations that might be
program errors, you then add an aggressive optimizer that detects these
sorts of conditions, and "improves" the code, but then doesn't generate
a warning that if it had been a more obvious condition it would have.

The compiler has thus created a bug of being inconsistent and failed to
report a condition that it is documented as reporting, even though it
HAS detected that condition. It isn't non-conformance to the "standard",
just deviation from its documented operation.

I can see no way to justify that the optimization without warning is
something that would be desired, in fact, the detection is likely to
indicate a latent problem with the code, which is what warnings are
designed to show.

I think you are missing my point. The purpose of generating warnings is
to point out potentially bad code. While we can't demand that a compiler
find every thing that could be bad code, if the compiler does determine
that a piece of code meets one of the defined criteria for a warning, to
not generate that warning (if it is enabled) is a bug, and a very user
hostile type of action (I could have helped you, but I decided not to).

It has been decided previously, that condition testing in an expression,
that we can determine from program analysis to always be false (or true)
is possibly a programming error (likely either there is a problem in the
path coming to here is wrong (we shouldn't have been able to do the
simplification), the test is wrong (we are testing for the wrong
condition).

Here we have a case that we have detected that the program thinks that
the pointer might have been null, so is testing for it, but the compiler
has determined that the only way to get here is through paths that the
pointer being null would have invoked undefined behavior, so it will
assume it isn't null. From the previous statements, it should be clear
that the compiler is being deliberately unhelpful, and based on the
documentation, it is reasonable to expect that the compiler would issue
a warning here. It then compounds the unhelpfulness by generating code
that bypasses the case that might have detected the problem in the code
(abet, after the fact). This seems to indicate a compiler writer that
has lost part of the goal of the compiler, to help the programmer create
a working program.