Check that non-overwrite accesses to downcast projections are dominated by variant checks.

[eddyb]

Pattern-matching in Rust, e.g.:

fn f<T>(_: T) {}
fn g<T>(_: T) {}

// T and E have Copy bounds to reduce MIR verbosity. 
pub fn foo<T: Copy, E: Copy>(r: Result<T, E>) {
    match r {
        Ok(x) => f(x),
        Err(e) => g(e),
    }
}

turns into this MIR (slightly cleaned up):

fn foo(_1: std::result::Result<T, E>) -> () {
    let mut _0: ();                      // return place
    let mut _2: isize;
    let mut _3: T;
    let mut _4: E;

    bb0: {
        _2 = discriminant(_1);
        switchInt(move _2) -> [0isize: bb2, 1isize: bb3, otherwise: bb1];
    }

    bb1: {
        unreachable;
    }

    bb2: {
        _3 = ((_1 as Ok).0: T);
        _0 = const f(move _3) -> bb4;
    }

    bb3: {
        _4 = ((_1 as Err).0: E);
        _0 = const g(move _4) -> bb4;
    }

    bb4: {
        return;
    }
}

We already have a dominator tree for MIR, so we can build on top of that and compute the known variants for places (in this case, Ok and Err for _1).

Then we can just check that any read/borrow/etc. access (any access with does not fully overwrite the previous value, really) within a downcast (e.g. (_1 as Ok).0) is dominated by a variant check for that variant (i.e. _1 being Ok, via _2 being discriminant(_1)).

That said, the kind of dataflow borrowck already needs to do might easily include this too (e.g. treating (_1 as Ok) as initialized iff _1 is initialized and discriminant(_1) == 0 was checked).

(Also tempting: moving Discriminant into Operand to be able to get rid of the _2 and have switchInt(discriminant(_1)) directly)

cc @rust-lang/wg-compiler-nll @oli