Bring back Module::deserialize (#2858)

* Bring back `Module::deserialize`

I thought I was being clever suggesting that `Module::deserialize` was
removed from #2791 by funneling all module constructors into
`Module::new`. As our studious fuzzers have found, though, this means
that `Module::new` is not safe currently to pass arbitrary user-defined
input into. Now one might pretty reasonable expect to be able to do
that, however, being a WebAssembly engine and all. This PR as a result
separates the `deserialize` part of `Module::new` back into
`Module::deserialize`.

This means that binary blobs created with `Module::serialize` and
`Engine::precompile_module` will need to be passed to
`Module::deserialize` to "rehydrate" them back into a `Module`. This
restores the property that it should be safe to pass arbitrary input to
`Module::new` since it's always expected to be a wasm module. This also
means that fuzzing will no longer attempt to fuzz `Module::deserialize`
which isn't something we want to do anyway.

* Fix an example

* Mark `Module::deserialize` as `unsafe`

crates/c-api/src/module.rs

@@ -185,10 +185,13 @@ pub extern "C" fn wasmtime_module_deserialize(
     binary: &wasm_byte_vec_t,
     ret: &mut *mut wasm_module_t,
 ) -> Option<Box<wasmtime_error_t>> {
-    handle_result(Module::new(&engine.engine, binary.as_slice()), |module| {
-        let module = Box::new(wasm_module_t::new(module));
-        *ret = Box::into_raw(module);
-    })
+    handle_result(
+        unsafe { Module::deserialize(&engine.engine, binary.as_slice()) },
+        |module| {
+            let module = Box::new(wasm_module_t::new(module));
+            *ret = Box::into_raw(module);
+        },
+    )
 }
 
 #[no_mangle]