Check that offset is not too big, check projection offset to be inbounds

[RalfJung]

According to rust-lang/rust#53676, there is an upper bound to what you can do with offset. miri should check that.

Related question: Shouldn't the place_field method in the miri engine check pointer_offset_inbounds? That will be a heavy perf hit, but I think we might currently be missing out on some UB.

[RalfJung]

Or maybe projections can never leave the bounds... I have not been able to exploit this.

We currently miss the UB in

use std::mem;

fn main() {
    let slice: &[u8; 5] = &[0; 5];
    let slice: &[u8; 10] = unsafe { mem::transmute(slice) };
    let _x = &slice[7];
}

but IMHO this is a case for validating values during computation, not for adding bounds checks to projections.

[RalfJung]

Also see #437

[RalfJung]

See the discussion at rust-lang/nomicon#149 (comment) and rust-lang/nomicon#149 (comment): for now we probably don't actually need to do any checks on the offsets here if we instead check that when we dereference (*ptr), the pointer is not dangling. That's more UB and so a good conservative start.

It will be interesting to see if there is code in our test suite / libstd violating this.

Also, here's another example:

fn main() {
    let local = 5u8;
    let ptr = (&local as *const u8).wrapping_sub(1) as *const (u8, u8);
    let _ref = unsafe { &(*ptr).1 };
}

And with rust-lang/rfcs#2582, here's another one:

fn main() {
    let ptr: *const (u8, u8) = 16usize as *const _;
    let ptr2 = &raw const (*ptr).1;
}