cm-async: Cap read/write sizes on streams

The spec mandates that stream operations cannot exceed `2**28` elements,
but Wasmtime previously did not check for this limit. This meant that
the guest could get silently corrupt answers when trying to operate on
this many elements. This commit adds a new `ItemCount` newtype wrapper
which is intended to be proof of an in-bounds count and then that's
plumbed everywhere internally.

Closes bytecodealliance#13023

Author: alexcrichton

crates/c-api/include/wasmtime/trap.h

@@ -136,6 +136,8 @@ enum wasmtime_trap_code_enum {
   WASMTIME_TRAP_CODE_CONCURRENT_FUTURE_STREAM_OP = 45,
   /// A reference count (for e.g. an `error-context`) overflowed.
   WASMTIME_TRAP_CODE_REFERENCE_COUNT_OVERFLOW = 46,
+  /// A read/write on a stream must be <2**28 items.
+  WASMTIME_TRAP_CODE_STREAM_OP_TOO_BIG = 47,
 };
 
 /**

crates/c-api/src/trap.rs

@@ -53,6 +53,7 @@ const _: () = {
     assert!(Trap::CannotResumeThread as u8 == 44);
     assert!(Trap::ConcurrentFutureStreamOp as u8 == 45);
     assert!(Trap::ReferenceCountOverflow as u8 == 46);
+    assert!(Trap::StreamOpTooBig as u8 == 47);
 };
 
 #[repr(C)]

crates/environ/src/trap_encoding.rs

@@ -223,6 +223,9 @@ generate_trap_type! {
         /// A reference count (for e.g. an `error-context`) overflowed.
         ReferenceCountOverflow = "reference count overflow",
 
+        /// A read/write on a stream must be <2**28 items.
+        StreamOpTooBig = "stream read/write count too large",
+
         // if adding a variant here be sure to update `trap.rs` and `trap.h` as
         // mentioned above
     }