Extend Xr0 to reject uninitialised memory and use-after-free bugs.

[claude-betz]

The high level functionality involved in getting this to work involves:

1. “pass by pointer” functionality for the arguments to functions.
2. Verification that “setup preconditions” defined in a particular function’s abstract are met by the state of the caller when said function is invoked.
3. Encoding well defined memory access semantics which
   • Rejects cases of uninitialised memory accesses
   • Rejects cases of invalid pointer dereferences.
4. Reworking our branching model to reconcile with the evaluation of “setup preconditions”.