checkedc/checkedc-clang

Eliminate null checks if the OS is known to trap failures safely

Opened this issue · 0 comments

The compiler could skip inserting null checks on pointer dereferences if it knows that use of a null pointer would be trapped safely by the OS rather than causing undefined behavior. This is probably true for a dereference at a sufficiently small constant offset from a pointer (e.g., accessing a struct field), but a dereference at an offset not known to be small or any pointer arithmetic operation that could be repeated to build up a large offset may still require a null check. This feature could be controlled by its own Checked-C-specific flag, or it might make sense to tie it into target-specific information already available in LLVM/Clang, such as -fdelete-null-pointer-checks; this may be related to #168.

Potential benefits:

  1. Avoid the performance impact of the null checks.
  2. If a user turns on warnings for runtime check insertion (#1188) in order to get a guarantee of spatial memory safety on a plain C compiler, getting a large number of warnings about null checks and having to add them explicitly to the source code would be extremely annoying. Having the compiler eliminate most of the null checks would make this use scenario more feasible. An alternative way to address the problem would be to add a nullability analysis to Checked C, but I imagine that might be a lot of work and might become a distraction from the main goal of spatial memory safety.
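The elision rule the issue sketches, as an added example that is not code from the checkedc-clang project and is not how the Checked C compiler actually inserts or removes dynamic checks. It models the compiler's view of a pointer as a symbolic byte offset from its base and skips the explicit null check only when a null base would put the whole access inside a region the OS is assumed to trap. `ASSUMED_GUARD_BYTES` (4096) is a hypothetical target parameter, not a value the issue gives; real operating systems differ, and a target-specific source such as the one behind `-fdelete-null-pointer-checks` would be the place to get it. The `fold_offset` operation kinds and the `check_needed_*` cases are likewise constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed size of the unmapped region at address 0 on the target, so that a
 * null-based access landing inside it faults instead of touching memory.
 * Hypothetical target parameter for this example; the real value is OS- and
 * configuration-specific (Linux exposes a lower bound as vm.mmap_min_addr). */
#define ASSUMED_GUARD_BYTES ((size_t)4096)

/* Byte offset of a derived pointer from its base: a constant, or unknown once
 * a non-constant amount (or an unbounded repetition) has been folded in. */
struct offset { bool known; size_t bytes; };

enum op_kind { OP_ADD_CONST, OP_ADD_UNKNOWN, OP_LOOP_ADD_CONST };

struct op {
    enum op_kind kind;
    size_t amount;      /* bytes added per step (OP_ADD_CONST, OP_LOOP_ADD_CONST) */
    bool count_known;   /* OP_LOOP_ADD_CONST: is the trip count a constant? */
    size_t count;       /* OP_LOOP_ADD_CONST: the trip count, if known */
};

/* Add a constant to a known offset, giving up (unknown) on overflow. */
static void add_const(struct offset *o, size_t add) {
    if (!o->known) return;
    if (add > SIZE_MAX - o->bytes) o->known = false;
    else o->bytes += add;
}

/* Fold a sequence of pointer-arithmetic operations into a symbolic offset. */
struct offset fold_offset(const struct op *ops, size_t n) {
    struct offset o = { true, 0 };
    for (size_t i = 0; i < n; i++) {
        switch (ops[i].kind) {
        case OP_ADD_CONST:
            add_const(&o, ops[i].amount);
            break;
        case OP_ADD_UNKNOWN:
            o.known = false;
            break;
        case OP_LOOP_ADD_CONST:
            /* A small step repeated an unknown number of times can build an
             * arbitrarily large offset, so only a constant trip count keeps
             * the total offset known. */
            if (!ops[i].count_known ||
                (ops[i].count != 0 && ops[i].amount > SIZE_MAX / ops[i].count))
                o.known = false;
            else
                add_const(&o, ops[i].amount * ops[i].count);
            break;
        }
    }
    return o;
}

/* The elision rule: skip the explicit null check only if a null base would
 * put every byte of the access inside the assumed trapping region. */
bool needs_null_check(struct offset o, size_t width) {
    if (!o.known || width == 0 || o.bytes >= ASSUMED_GUARD_BYTES) return true;
    return width > ASSUMED_GUARD_BYTES - o.bytes;
}

struct point { int32_t x; int32_t y; double tag; };   /* 16 bytes */

/* p->y : one small constant field offset. */
bool check_needed_field_access(void) {
    struct op ops[] = { { OP_ADD_CONST, offsetof(struct point, y), false, 0 } };
    return needs_null_check(fold_offset(ops, 1), sizeof(int32_t));
}

/* p[i] with i only known at run time. */
bool check_needed_unknown_index(void) {
    struct op ops[] = { { OP_ADD_UNKNOWN, 0, false, 0 } };
    return needs_null_check(fold_offset(ops, 1), sizeof(struct point));
}

/* p[1000] : constant, but beyond the assumed guard region. */
bool check_needed_large_constant(void) {
    struct op ops[] = { { OP_ADD_CONST, 1000 * sizeof(struct point), false, 0 } };
    return needs_null_check(fold_offset(ops, 1), sizeof(struct point));
}

/* q = p; for (k = 0; k < 8; k++) q++; *q  : small step, constant trip count. */
bool check_needed_bounded_loop(void) {
    struct op ops[] = { { OP_LOOP_ADD_CONST, sizeof(struct point), true, 8 } };
    return needs_null_check(fold_offset(ops, 1), sizeof(struct point));
}

/* Same loop, but the bound is a run-time value. */
bool check_needed_unbounded_loop(void) {
    struct op ops[] = { { OP_LOOP_ADD_CONST, sizeof(struct point), false, 0 } };
    return needs_null_check(fold_offset(ops, 1), sizeof(struct point));
}

int main(void) {
    printf("field access   : %s\n", check_needed_field_access()   ? "check" : "elide");
    printf("unknown index  : %s\n", check_needed_unknown_index()  ? "check" : "elide");
    printf("large constant : %s\n", check_needed_large_constant() ? "check" : "elide");
    printf("bounded loop   : %s\n", check_needed_bounded_loop()   ? "check" : "elide");
    printf("unbounded loop : %s\n", check_needed_unbounded_loop() ? "check" : "elide");
    return 0;
}
```

The rule is deliberately conservative: the access width counts, not just the start offset, so an access straddling the end of the assumed guard region still gets a check, and any loss of precision in the offset (a run-time index, an unbounded loop, arithmetic overflow) falls back to emitting the check. If the target's trapping region is smaller than assumed, elision becomes unsound, which is why the issue suggests tying the parameter to target information the compiler already has rather than hard-coding it.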