It is invalid to pass null as a pointer argument to memcpy/memcmp/memset, even if the count argument is zero:

> Where an argument declared as size_t n specifies the length of the array for a
function, n can have the value zero on a call to that function. Unless explicitly stated
otherwise in the description of a particular function in this subclause, pointer arguments
on such a call shall still have valid values [...]

Detected by -fsanitize=nonnull-attribute.

[ 66%] Linking CXX executable capnpc-c++
cd /home/edward.catmur/build/capnproto@master/c++/src/capnp && /usr/local/bin/cmake -E cmake_link_script CMakeFiles/capnpc_cpp.dir/link.txt --verbose=1
/usr/lib64/icecc/bin/c++   -fsanitize=vptr   CMakeFiles/capnpc_cpp.dir/compiler/capnpc-c++.c++.o  -o capnpc-c++ -rdynamic libcapnp.a ../kj/libkj.a -lpthread
libcapnp.a(layout.c++.o):(.data+0x38): undefined reference to `typeinfo for capnp::ClientHook'
libcapnp.a(layout.c++.o):(.data+0x3b8): undefined reference to `typeinfo for capnp::ClientHook'
collect2: error: ld returned 1 exit status

$ g++ --version
g++ (GCC) 5.4.0
Copyright (C) 2015 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Refactor bounds checks to avoid ever creating out-of-bounds pointer values, which is technically UB even if not dereferenced.

This eliminates a TODO(soon).

This includes making builders a little more tolerant of corrupt data. Note that our threat model generally does not expect this tolerance -- we expect that builders always contain either structures created locally or copied in from a reader, which does a certain amount of validation in itself.

TODO:
- Rename Guarded to Bounded?
- Consider bounded array (where size and indexes are bounded quantities).
- Implement non-CAPNP_DEBUG_TYPES fallback.
  - Don't allow casting kj::maxValue to bounded type, this won't work right when not using debug types!
- Verify that this change doesn't hurt performance.

See: https://capnproto.org/news/2015-03-02-security-advisory-and-integer-overflow-protection.html

This commit as-is is the result of wading through two years of merge conflicts. It does not build as-is because new code added in that time hasn't been converted over.

The existing error message suggests this case can only arise if there is a
a bug in the library. However, malformed input can trigger the error too.
In particular, the error gets thrown when a non-double far pointer resolves
to another far pointer.