[C++ BoundsSafety] Fix false positives when pointer argument is a function call

[ziqingluo-90]

This PR attempts to fix false positives in such an example:

void cb(int *__counted_by(count) p, size_t count);
int *__counted_by(n) f(size_t n);

void test(size_t len) {
  cb(f(len), len); // false positive
}

The analysis needs to compare the size of f(len), which is specified by __counted_by(n), with the expected count of the first argument of cb, which is specified by __counted_by(count). The comparison interprets the two comparands at two "call contexts" respectively: the count n needs to be interpreted at the call f(len) with a mapping {n -> len} and the count count needs to be interpreted at the call cb(f(len), len) with a mapping {p -> f(len), count -> len}.

The existing compare algorithm is extended from assuming only one comparand needs a substitution map to assuming both comparands need substitution maps.

rdar://155952016

[ziqingluo-90]

@patrykstefanski This is my attempt to extend the existing CompatibleCountExprVisitor to take two substitution maps, though I think we've reached the limit of this Visitor-based comparison approach. It traverses only one of the comparands so it does not know when to apply substitution for the other comparand. The result is that I have to trySubstitute at each of the overloaded methods.
I'd like to refactor this comparison code later.