Rewrite for recursive safety

This commit rewrites the runtime crate to provide safety in the face
of recursive calls to the guest. The basic principle is that
`GuestMemory` is now a trait which dynamically returns the
pointer/length pair. This also has an implicit contract (hence the
`unsafe` trait) that the pointer/length pair point to a valid list of
bytes in host memory "until something is reentrant".

After this changes the various suite of `Guest*` types were rewritten.
`GuestRef` and `GuestRefMut` were both removed since they cannot safely
exist. The `GuestPtrMut` type was removed for simplicity, and the final
`GuestPtr` type subsumes `GuestString` and `GuestArray`. This means
that there's only one guest pointer type, `GuestPtr<'a, T>`, where `'a`
is the borrow into host memory, basically borrowing the `GuestMemory`
trait object itself.

Some core utilities are exposed on `GuestPtr`, but they're all 100%
safe. Unsafety is now entirely contained within a few small locations:

* Implementations of the `GuestType` for primitive types (e.g. `i8`,
  `u8`, etc) use `unsafe` to read/write memory. The `unsafe` trait of
  `GuestMemory` though should prove that they're safe.

* `GuestPtr<'_, str>` has a method which validates utf-8 contents, and
  this requires `unsafe` internally to read all the bytes. This is
  guaranteed to be safe however given the contract of `GuestMemory`.

And that's it! Everything else is a bunch of safe combinators all built
up on the various utilities provided by `GuestPtr`. The general idioms
are roughly the same as before, with various tweaks here and there. A
summary of expected idioms are:

* For small values you'd `.read()` or `.write()` very quickly. You'd
  pass around the type itself.

* For strings, you'd pass `GuestPtr<'_, str>` down to the point where
  it's actually consumed. At that moment you'd either decide to copy it
  out (a safe operation) or you'd get a raw view to the string (an
  unsafe operation) and assert that you won't call back into wasm while
  you're holding that pointer.

* Arrays are similar to strings, passing around `GuestPtr<'_, [T]>`.
  Arrays also have a `iter()` method which yields an iterator of
  `GuestPtr<'_, T>` for convenience.

Overall there's still a lot of missing documentation on the runtime
crate specifically around the safety of the `GuestMemory` trait as well
as how the utilities/methods are expected to be used. Additionally
there's utilities which aren't currently implemented which would be easy
to implement. For example there's no method to copy out a string or a
slice, although that would be pretty easy to add.

In any case I'm curious to get feedback on this approach and see what
y'all think!

tests/strings.rs

@@ -1,5 +1,5 @@
 use proptest::prelude::*;
-use wiggle_runtime::{GuestError, GuestPtrMut, GuestString};
+use wiggle_runtime::{GuestError, GuestMemory, GuestPtr};
 use wiggle_test::{impl_errno, HostMemory, MemArea, WasiCtx};
 
 wiggle::from_witx!({
@@ -10,11 +10,12 @@ wiggle::from_witx!({
 impl_errno!(types::Errno);
 
 impl strings::Strings for WasiCtx {
-    fn hello_string(&self, a_string: &GuestString<'_>) -> Result<u32, types::Errno> {
-        let as_ref = a_string.as_ref().expect("deref ptr should succeed");
-        let as_str = as_ref.as_str().expect("valid UTF-8 string");
-        println!("a_string='{}'", as_str);
-        Ok(as_str.len() as u32)
+    fn hello_string(&self, a_string: &GuestPtr<str>) -> Result<u32, types::Errno> {
+        let s = a_string.as_raw().expect("should be valid string");
+        unsafe {
+            println!("a_string='{}'", &*s);
+            Ok((*s).len() as u32)
+        }
     }
 }
 
@@ -26,7 +27,6 @@ fn test_string_strategy() -> impl Strategy<Value = String> {
 struct HelloStringExercise {
     test_word: String,
     string_ptr_loc: MemArea,
-    string_len_loc: MemArea,
     return_ptr_loc: MemArea,
 }
 
@@ -38,63 +38,43 @@ impl HelloStringExercise {
                     Just(test_word.clone()),
                     HostMemory::mem_area_strat(test_word.len() as u32),
                     HostMemory::mem_area_strat(4),
-                    HostMemory::mem_area_strat(4),
                 )
             })
-            .prop_map(
-                |(test_word, string_ptr_loc, string_len_loc, return_ptr_loc)| Self {
-                    test_word,
-                    string_ptr_loc,
-                    string_len_loc,
-                    return_ptr_loc,
-                },
-            )
+            .prop_map(|(test_word, string_ptr_loc, return_ptr_loc)| Self {
+                test_word,
+                string_ptr_loc,
+                return_ptr_loc,
+            })
             .prop_filter("non-overlapping pointers", |e| {
-                MemArea::non_overlapping_set(&[
-                    &e.string_ptr_loc,
-                    &e.string_len_loc,
-                    &e.return_ptr_loc,
-                ])
+                MemArea::non_overlapping_set(&[&e.string_ptr_loc, &e.return_ptr_loc])
             })
             .boxed()
     }
 
     pub fn test(&self) {
-        let mut ctx = WasiCtx::new();
-        let mut host_memory = HostMemory::new();
-        let mut guest_memory = host_memory.guest_memory();
-
-        // Populate string length
-        *guest_memory
-            .ptr_mut(self.string_len_loc.ptr)
-            .expect("ptr mut to string len")
-            .as_ref_mut()
-            .expect("deref ptr mut to string len") = self.test_word.len() as u32;
+        let ctx = WasiCtx::new();
+        let host_memory = HostMemory::new();
 
         // Populate string in guest's memory
-        {
-            let mut next: GuestPtrMut<'_, u8> = guest_memory
-                .ptr_mut(self.string_ptr_loc.ptr)
-                .expect("ptr mut to the first byte of string");
-            for byte in self.test_word.as_bytes() {
-                *next.as_ref_mut().expect("deref mut") = *byte;
-                next = next.elem(1).expect("increment ptr by 1");
-            }
+        let ptr = host_memory.ptr::<str>((self.string_ptr_loc.ptr, self.test_word.len() as u32));
+        for (slot, byte) in ptr.as_bytes().iter().zip(self.test_word.bytes()) {
+            slot.expect("should be valid pointer")
+                .write(byte)
+                .expect("failed to write");
         }
 
         let res = strings::hello_string(
-            &mut ctx,
-            &mut guest_memory,
+            &ctx,
+            &host_memory,
             self.string_ptr_loc.ptr as i32,
-            self.string_len_loc.ptr as i32,
+            self.test_word.len() as i32,
             self.return_ptr_loc.ptr as i32,
         );
         assert_eq!(res, types::Errno::Ok.into(), "hello string errno");
 
-        let given = *guest_memory
+        let given = host_memory
             .ptr::<u32>(self.return_ptr_loc.ptr)
-            .expect("ptr to return value")
-            .as_ref()
+            .read()
             .expect("deref ptr to return value");
         assert_eq!(self.test_word.len() as u32, given);
     }