More strictly check bounds in FACT trampolines

This commit is a hardening of the various in-bounds checks and such of
the FACT compiler, in particular as related to strings. The previous
implementation would check bounds in a few places but this was a bit
ad-hoc and not uniformly done. There's no known issue with the prior
checks, but given the sensitive nature of these checks I feel it's best
to make this a bit more rigorous.

Specifically the `malloc` helpers, and a newly added `realloc` helper,
will internally verify not only alignment but additionally the size of
the allocation itself. All manual invocations of `realloc` are switched
over to this helper. Additionally all conversion of a guest pointer to a
more structured value now additionally goes through helpers which
performs these same checks to ensure that everything is in-bounds.

The net result is that this should have no behavior change from before.
A suite of tests are added for behavior around large strings,
specifically exercising the maximum allowable size of strings. This
uncovered a few minor issues in transcoding where spec-wise Wasmtime
previously transcoded too many bytes before performing a
growing `realloc`.

Finally a few refactorings were done in FACT to handle some helpers
going away, notably around translating the `map<K, V>` type, which
cleans up the internals as well.

Author: alexcrichton

crates/cranelift/src/compiler/component.rs

@@ -1860,6 +1860,8 @@ impl TrampolineCompiler<'_> {
                 args.push(self.len_param(1, from64));
                 args.push(self.ptr_param(2, to64, to_base));
                 args.push(self.len_param(3, to64));
+                let first_pass = self.builder.func.dfg.block_params(self.block0)[6];
+                args.push(first_pass);
             }
 
             Transcode::Utf8ToCompactUtf16 | Transcode::Utf16ToCompactUtf16 => {

crates/environ/src/component.rs

@@ -211,8 +211,8 @@ macro_rules! foreach_builtin_component_function {
             latin1_to_latin1(vmctx: vmctx, src: ptr_u8, len: size, dst: ptr_u8) -> bool;
             latin1_to_utf16(vmctx: vmctx, src: ptr_u8, len: size, dst: ptr_u16) -> bool;
             utf8_to_utf16(vmctx: vmctx, src: ptr_u8, len: size, dst: ptr_u16) -> size;
-            utf16_to_utf8(vmctx: vmctx, src: ptr_u16, src_len: size, dst: ptr_u8, dst_len: size, ret2: ptr_size) -> size;
-            latin1_to_utf8(vmctx: vmctx, src: ptr_u8, src_len: size, dst: ptr_u8, dst_len: size, ret2: ptr_size) -> size;
+            utf16_to_utf8(vmctx: vmctx, src: ptr_u16, src_len: size, dst: ptr_u8, dst_len: size, first_pass: u32, ret2: ptr_size) -> size;
+            latin1_to_utf8(vmctx: vmctx, src: ptr_u8, src_len: size, dst: ptr_u8, dst_len: size, first_pass: u32, ret2: ptr_size) -> size;
             utf16_to_compact_probably_utf16(vmctx: vmctx, src: ptr_u16, len: size, dst: ptr_u16) -> size;
             utf8_to_latin1(vmctx: vmctx, src: ptr_u8, len: size, dst: ptr_u8, ret2: ptr_size) -> size;
             utf16_to_latin1(vmctx: vmctx, src: ptr_u16, len: size, dst: ptr_u8, ret2: ptr_size) -> size;