Draft: memory safe cpp subset

[qqiangwu]

A static analyzer can find bugs in c++ code, but it cannot analyze arbitrary c++ code. For code which cannot be proven right, the analyzer can either:

• ignore it to avoid false positives
• reject it to avoid true negatives

According to BS's opinion, the second way is preferred to make c++ really safe.

We need to define a formal memory safe cpp subset.

See the WIP Draft. Contributions are welcomed.

[qqiangwu]

struct Pair {
    int x;
    Owner<int> y;
};

const Owner<int>& get(const Owner<Pair>& p)
{
    return p.get().y;
};