The numerical value returned by oracle might physically match the address of the stack slot for 'x', assuming that it exists, but it doesn't mean that, from a language point of view, it is a valid pointer.
If forging pointers had defined behaviour, it would be impossible to use the language sanely or perform any kind of optimization.
Note that rand() returns 32-bit value so you have to call it twice and merge the results to obtain a 64-bit pointer.