Noticed the following documentation. Figured I would mention it: the
solution they reach for does not seem to be the one capability
discipline would espouse (make insecure usage unrepresentable).
https://developer.arm.com/documentation/102805/1-0/Confused-deputy-scenario
In theory you could, by pushing the check_range checks outside to the
caller and introducing a type for a checked range location. In this
case that might introduce a TOCTOU (if the range check is somewhat
dynamic), but that might already be the case if the operation affects
the range check.
But certainly moving the checks out increases the number of
opportunities for TOCTOU beyond that of the operation. Given the lack
of revocation for raw pointers to invalidate a previously checked
location, this is all a lot easier if the range check is static
though.
I suppose that I should stop here before I get too far off the path...
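As an added illustration of the pattern the post sketches (not code from the ARM documentation or from the poster): check_range is hoisted to the caller and is the only producer of a "checked location" type, so the operation cannot be handed an unchecked offset at all. The dynamic-range TOCTOU the post worries about is handled by stamping the token with a generation counter that the region bumps whenever its bounds change; a stale token is then rejected at use time instead of silently reading past the new bound. Names (region, checked_loc, region_shrink, region_read) and the sample region contents are assumptions constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A region whose accessible length may change at runtime: the "somewhat
 * dynamic" range check case. Constructed for this example. */
struct region {
    uint8_t  buf[64];
    size_t   limit;      /* currently accessible length, may shrink */
    uint32_t generation; /* bumped every time limit changes */
};

/* Proof-of-check token. Only check_range() fills one in, and the
 * operation below accepts nothing else, so "operate on an unchecked
 * offset" is not expressible at the call site. */
struct checked_loc {
    struct region *r;
    size_t   off;
    size_t   len;
    uint32_t generation; /* region generation observed at check time */
};

/* The hoisted range check: rejects any [off, off+len) outside limit,
 * written to avoid overflow in off + len. */
bool check_range(struct region *r, size_t off, size_t len,
                 struct checked_loc *out)
{
    if (off > r->limit || len > r->limit - off)
        return false;
    out->r = r;
    out->off = off;
    out->len = len;
    out->generation = r->generation;
    return true;
}

/* Shrinking the region invalidates every token issued before, because
 * the generation no longer matches. This stands in for the revocation
 * that raw pointers lack. */
void region_shrink(struct region *r, size_t new_limit)
{
    if (new_limit < r->limit) {
        r->limit = new_limit;
        r->generation++;
    }
}

/* The operation takes only a checked location and re-validates the
 * generation, so a check-then-shrink-then-use sequence fails closed. */
int region_read(const struct checked_loc *loc, uint8_t *dst)
{
    if (loc->generation != loc->r->generation)
        return -1; /* stale token: the TOCTOU window was exercised */
    memcpy(dst, loc->r->buf + loc->off, loc->len);
    return 0;
}

/* Walks the scenario and returns how many of the four expected
 * outcomes held (4 means the pattern behaved as described). */
int run_scenario(void)
{
    struct region r;
    struct checked_loc loc;
    uint8_t out[4];
    int passed = 0;

    memset(&r, 0, sizeof r);
    for (size_t i = 0; i < sizeof r.buf; i++)
        r.buf[i] = (uint8_t)i;          /* constructed contents */
    r.limit = 32;

    if (!check_range(&r, 40, 4, &loc))  /* 1: out of range never yields a token */
        passed++;
    if (check_range(&r, 28, 4, &loc) && region_read(&loc, out) == 0 && out[0] == 28)
        passed++;                       /* 2: in-range token reads normally */
    region_shrink(&r, 16);              /* bounds change after the check */
    if (region_read(&loc, out) == -1)   /* 3: old token is now rejected */
        passed++;
    if (!check_range(&r, 28, 4, &loc))  /* 4: re-checking against new limit fails */
        passed++;
    return passed;
}

int main(void)
{
    printf("scenario outcomes held: %d/4\n", run_scenario());
    return 0;
}
```

The generation stamp only helps when every bounds change goes through region_shrink; if the range can move behind the region's back, the token is no worse than a raw pointer but no better, which is the static-versus-dynamic distinction the post draws.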