selftests/bpf: Check pruning across subprog calls

Add two tests for stack liveness and state pruning when subprogs
modify or read the caller's stack through pointer arguments.

subprog_stack_zero_to_misc_unsound:
A subprog variant of stack_zero_to_misc_unsound_array_lookup.
The callee maybe_clobber_key() receives a pointer to the caller's
4-byte key and, on one path, overwrites key[0] with a scalar.
After the call, a bpf_map_lookup_elem on an array map is
value-sensitive: a const-zero key yields PTR_TO_MAP_VALUE, but a
non-const key yields PTR_TO_MAP_VALUE_OR_NULL. If the state cleaner
collapses STACK_ZERO to STACK_MISC for the live key slot, the
explored (safe) path's cached state subsumes the unexplored (unsafe)
path, pruning the null-deref. Verify the verifier rejects the
program.

spill_reload_inflates_stack_liveness:
Demonstrates an arg-tracking limitation: when a subprog spills and
reloads the arg pointer across a helper call, compute_subprog_arg_access()
cannot connect the reload back to the original arg, so it marks
all slots as used (conservative). This inflates caller stack
liveness, pulling dead slots into live_stack_before and preventing
state pruning at the modifier's return point. Verify the verifier
still prunes ("6: safe") when dead slots are properly cleaned.

Signed-off-by: Alexei Starovoitov <ast@kernel.org>
1 file changed
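The two effects the commit message describes, as an added illustration that is not part of this patch or of the kernel selftests. It is a small userspace model, not verifier code: it keeps only the stack slot types (STACK_INVALID, STACK_MISC, STACK_ZERO) and the per-slot subsumption rule of the verifier's stacksafe() check (an old STACK_MISC slot accepts a current STACK_ZERO slot, otherwise types must match, and old STACK_INVALID constrains nothing). Everything else, including the layout of eight byte slots, the clean_state() cleaner with a deliberately buggy mode, and the function names, is this example's own assumption. The first scenario shows that collapsing a live STACK_ZERO key slot to STACK_MISC lets the explored all-zero-key state prune the path where the callee wrote a scalar into key[0], even though that path's lookup may return NULL. The second shows that marking dead scratch slots live (the liveness inflation caused by the spill/reload limitation) blocks a prune that a correctly cleaned state would allow.

```c
/* Added example: userspace model of verifier stack-slot subsumption.
 * Not kernel code; the stacksafe() rule is reproduced in simplified form,
 * all other names and the slot layout are this example's assumptions. */
#include <stdbool.h>
#include <stdio.h>

enum slot_type { STACK_INVALID, STACK_MISC, STACK_ZERO };

#define NSLOTS   8   /* assumed frame: 8 byte slots */
#define KEY_LEN  4   /* slots 0..3 hold the caller's 4-byte key */
#define SCRATCH  4   /* slots 4..7 are scratch, dead after the call */

struct stack_state {
    enum slot_type slot[NSLOTS];
    bool live[NSLOTS];   /* slot is read later on this path */
};

/* Per-slot rule as in stacksafe(): old INVALID accepts anything, old MISC
 * accepts a more precise cur ZERO, anything else needs an exact match. */
static bool slot_safe(enum slot_type old, enum slot_type cur)
{
    if (old == STACK_INVALID)
        return true;
    if (old == STACK_MISC && cur == STACK_ZERO)
        return true;
    return old == cur;
}

/* Can the cached state `old` prune the current state `cur`? */
bool state_safe(const struct stack_state *old, const struct stack_state *cur)
{
    for (int i = 0; i < NSLOTS; i++)
        if (!slot_safe(old->slot[i], cur->slot[i]))
            return false;
    return true;
}

/* Model of the state cleaner: dead slots become INVALID so they no longer
 * constrain pruning. The buggy mode additionally collapses ZERO to MISC on
 * live slots, which is the unsound behaviour the first test targets. */
void clean_state(struct stack_state *st, bool buggy_collapse_live_zero)
{
    for (int i = 0; i < NSLOTS; i++) {
        if (!st->live[i])
            st->slot[i] = STACK_INVALID;
        else if (buggy_collapse_live_zero && st->slot[i] == STACK_ZERO)
            st->slot[i] = STACK_MISC;
    }
}

/* Array-map lookup is value sensitive: an all-ZERO key gives a non-null
 * PTR_TO_MAP_VALUE, any non-constant byte gives PTR_TO_MAP_VALUE_OR_NULL. */
bool lookup_may_return_null(const struct stack_state *st)
{
    for (int i = 0; i < KEY_LEN; i++)
        if (st->slot[i] != STACK_ZERO)
            return true;
    return false;
}

/* Scenario 1: explored path has an all-zero key and was verified without a
 * NULL check. Returns true if it (unsoundly) prunes the path on which
 * maybe_clobber_key() stored a scalar into key[0]. */
bool unsound_prune_happens(bool buggy_cleaner)
{
    struct stack_state explored = {0}, unexplored = {0};
    for (int i = 0; i < KEY_LEN; i++) {
        explored.slot[i] = unexplored.slot[i] = STACK_ZERO;
        explored.live[i] = unexplored.live[i] = true;
    }
    unexplored.slot[0] = STACK_MISC;   /* key[0] clobbered by the callee */
    clean_state(&explored, buggy_cleaner);
    return state_safe(&explored, &unexplored) &&
           lookup_may_return_null(&unexplored);
}

/* Scenario 2: key slots agree on both paths, scratch slots differ but are
 * dead. Returns true if inflated liveness of the scratch slots blocks the
 * prune that a correctly cleaned state allows. */
bool inflated_liveness_blocks_prune(bool inflate_liveness)
{
    struct stack_state old = {0}, cur = {0};
    for (int i = 0; i < NSLOTS; i++) {
        bool key = i < KEY_LEN;
        old.slot[i] = STACK_ZERO;
        cur.slot[i] = key ? STACK_ZERO : STACK_MISC;
        old.live[i] = key || inflate_liveness;
    }
    clean_state(&old, false);
    return !state_safe(&old, &cur);
}

int main(void)
{
    printf("buggy cleaner prunes unsafe path: %d\n", unsound_prune_happens(true));
    printf("correct cleaner prunes unsafe path: %d\n", unsound_prune_happens(false));
    printf("inflated liveness blocks prune: %d\n", inflated_liveness_blocks_prune(true));
    printf("clean dead slots block prune: %d\n", inflated_liveness_blocks_prune(false));
    return 0;
}
```

The asymmetry in slot_safe() is the whole point: STACK_MISC in the cached state is weaker than STACK_ZERO, so a cleaner may only widen ZERO to MISC on slots nothing later reads. Widening a live key slot makes the cached state accept a non-constant key that the original verification never considered.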