Subclause 7.6.10 [expr.eq] bullet 3.1 specifies:

• If one pointer represents the address of a complete object, and another pointer represents the address one past the last element of a different complete object, [ Footnote: ... ] the result of the comparison is unspecified.
• ...

This phrasing does not properly handle the case where addresses of subobjects are compared, yet those subobjects happen to have the same address as their respective complete objects.

The rule in question was introduced by issue 1652 for purposes of constant evaluation: comparing a pointer to an object X with a pointer past the end of another object Y ought not to be possible during contant evaluation. However, that issue resolution also caused a change to runtime behavior, departing from the prior "address comparison" model. It turns out that implementations nowadays rely on that rule for optimization purposes (see the reflector discussion).

Possible resolution:

Change in 7.6.10 [expr.eq] bullet 3.1 as follows:

• If one pointer points to an object and represents the address of the first byte in memory occupied by that object's a complete object, and another pointer points past the end of an object whose complete object is different and represents the address of the first byte in memory after the end of the storage occupied by that object's one past the last element of a different complete object, the result of the comparison is unspecified.
• ...