Refactor bounds checks to avoid ever creating out-of-bounds pointer values, which is technically UB even if not dereferenced.

Details: https://github.com/sandstorm-io/capnproto/blob/master/security-advisories/2017-04-17-0-apple-32bit-elides-bounds-check.md

This eliminates a TODO(soon).

The previous approach worked only for ekam builds, where fuzz-test was its own binary.

I changed it to use TestAllTypes instead of a trivial struct, which will probably get more coverage quicker.

This includes making builders a little more tolerant of corrupt data. Note that our threat model generally does not expect this tolerance -- we expect that builders always contain either structures created locally or copied in from a reader, which does a certain amount of validation in itself.

Since this header is included by everyone, and units.h has lots of templates, this seems like it could significantly improve build times.

TODO:
- Rename Guarded to Bounded?
- Consider bounded array (where size and indexes are bounded quantities).
- Implement non-CAPNP_DEBUG_TYPES fallback.
  - Don't allow casting kj::maxValue to bounded type, this won't work right when not using debug types!
- Verify that this change doesn't hurt performance.

See: https://capnproto.org/news/2015-03-02-security-advisory-and-integer-overflow-protection.html

This commit as-is is the result of wading through two years of merge conflicts. It does not build as-is because new code added in that time hasn't been converted over.