`IndirectlyMutableLocals` analysis is unsound in the presence of unsafe code

[ecstatic-morse]

#64470 added an IndirectlyMutableLocals analysis to track whether a local could possibly be mutated through a pointer at a given point in the program. However, this analysis overlooked the fact that a shared reference to a Freeze field of a struct could be converted to a shared reference to a !Freeze field of that same struct by offsetting a pointer.

This does not currently cause any unsoundness in the language, since this analysis is only used in const contexts, where the required operations are forbidden. However, we need to fix this before it becomes possible to take a mutable reference or mutate an UnsafeCell or other !Freeze type in a const context.

#64980 added a test that demonstrates the incorrect behavior.

[ecstatic-morse]

Using ptr::offset to convert a reference to one field into a pointer to another is UB according to the current model of stacked borrows (see rust-lang/unsafe-code-guidelines#134). As a result, the behavior of the test is undefined, and this does not (currently) represent any unsoundness in IndirectlyMutableLocals.