
Abide by strict provenance #181

Closed
3 tasks
joshlf opened this issue May 24, 2023 · 1 comment
Labels
compatibility-nonbreaking Changes that are (likely to be) non-breaking

Comments

@joshlf
Member

joshlf commented May 24, 2023

There's a chance that Rust will eventually adopt a "strict provenance" model for determining which operations on pointers are sound. Consistent with the guarantees we aim to make as part of #61, we should restrict ourselves to operations which are sound under this model. The sptr crate provides a polyfill that would allow us to make use of an API that is currently unstable in Rust itself.

Note that we are likely already compliant with strict provenance, as we test using strict provenance in our Miri tests.

This issue tracks the following tasks:

  • Ensure that zerocopy abides by strict provenance, for example by using the sptr crate*
  • Update our docs to describe our adherence to strict provenance
    • This is not quite as strong as a full forwards-compatible soundness guarantee, but it is still very strong
  • Work with Rust to promise that Rust will never adopt a model which is more strict than strict provenance
    • This will allow us to use our compliance with strict provenance as a proof of forwards-compatible soundness for #61

* Another option - since folks prefer crates without many dependencies - is to only use sptr as a dev-dependency which is exercised in CI. We could even define a polyfill shim inside of zerocopy which is just a thin wrapper around sptr so that we prevent ourselves from ever "slipping" from its usage (and to make conditional compilation less viral).
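As an added illustration of the polyfill-shim idea above (example code, not zerocopy's or sptr's own), a thin wrapper in the style of sptr's stable fallback: `ptr_with_addr` derives the new pointer from the old one with wrapping byte arithmetic rather than an int-to-ptr cast, which is what Miri's strict-provenance mode rejects. The trait, function and `Aligned` type names are assumptions.

```rust
// Polyfill shim in the style of sptr's stable fallback (added example, not
// zerocopy's or sptr's own code); no int-to-ptr cast is performed anywhere.
pub trait StrictProvenanceShim<T>: Sized {
    fn ptr_addr(self) -> usize;
    fn ptr_with_addr(self, addr: usize) -> Self;
    fn ptr_map_addr(self, f: impl FnOnce(usize) -> usize) -> Self;
}

impl<T> StrictProvenanceShim<T> for *const T {
    fn ptr_addr(self) -> usize {
        // Pointer-to-integer casts only expose the address; they are allowed
        // under strict provenance.
        self as usize
    }
    fn ptr_with_addr(self, addr: usize) -> Self {
        // Keep `self`'s provenance: move by (addr - self_addr) bytes instead of
        // casting the integer back into a pointer.
        let offset = (addr as isize).wrapping_sub(self.ptr_addr() as isize);
        self.cast::<u8>().wrapping_offset(offset).cast::<T>()
    }
    fn ptr_map_addr(self, f: impl FnOnce(usize) -> usize) -> Self {
        self.ptr_with_addr(f(self.ptr_addr()))
    }
}

/// Round `ptr` up to `align` (a power of two) without losing provenance.
pub fn align_up<T>(ptr: *const T, align: usize) -> *const T {
    assert!(align.is_power_of_two());
    ptr.ptr_map_addr(|a| a.wrapping_add(align - 1) & !(align - 1))
}

/// Read the first 4-byte-aligned `u32` in `buf`, returning the number of
/// leading bytes skipped and the value; `None` if no aligned `u32` fits.
pub fn first_aligned_u32(buf: &[u8]) -> Option<(usize, u32)> {
    let start = buf.as_ptr();
    let aligned = align_up(start, core::mem::align_of::<u32>());
    let skipped = aligned.ptr_addr() - start.ptr_addr();
    if skipped.checked_add(4)? > buf.len() {
        return None;
    }
    // SAFETY: `aligned` was derived from `start` (same provenance), lies within
    // `buf` with 4 bytes to spare (checked above), and is 4-byte aligned.
    Some((skipped, unsafe { core::ptr::read(aligned.cast::<u32>()) }))
}

/// 4-byte-aligned backing store for a constructed test input.
#[repr(C, align(4))]
pub struct Aligned(pub [u8; 12]);
```

Running the test under `cargo miri test` with `MIRIFLAGS=-Zmiri-strict-provenance` is the check that the shim never manufactures a pointer from a bare integer.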

@joshlf joshlf added the compatibility-nonbreaking Changes that are (likely to be) non-breaking label Aug 12, 2023
@joshlf joshlf changed the title Consider abiding by strict provenance Abide by strict provenance Sep 27, 2023
@joshlf
Member Author

joshlf commented Oct 6, 2024

Strict provenance has made a lot of progress since this issue was opened, and may land soon: rust-lang/rust#130350

@joshlf joshlf closed this as completed Oct 6, 2024