Arbitrary IR fuzzing

[kvark]

This change adds arbitrary feature and implements fuzzing of IR based on it, with cargo-fuzz.
We aren't enabling it on CI yet because it catches a ton of low-hanging fruits - let's fix those first.

[jimblandy]

In addition to fixing CI, I think we need to change the errors being used here.

[jimblandy]

I think it's good to get these changes in, but I definitely think there are two loose ends we should tie up.

• We should have a single error type for bad handles, used everywhere. See my comments in the patch for some ideas. Another idea would be to have this error type defined in arena.rs, returned directly by some function that resembles get but returns a Result, and then have #[transparent] variants in the error types of functions that use those arena methods. But, it's important for us to establish a clear practice for this, because otherwise everyone who contributes patches to the validator or processors is going to improvise.
• It's not spelled out in any way where it's okay to unwrap size, and where one should pass an error. I know that the rationale right now is, "If validation should already have caught it, then unwrap," but I don't think people are going to pick up on this on their own. There should at least be comments. But it might? be better to have separate functions, designated for use only on validated modules, that panic on bad handles. I'm not sure it's much better - but either way, there needs to be a comment we can point people at that explains the policy.

[kvark]

Thank you for the well-thought review!
I believe everything is addressed now. I'm going to merge it without squashing, since the commits are individual, and the only failures here are related to MSRV of arbitrary and the formatting stuff - we can live with that when bisecting.

[kvark]

I had an abrupt connection loss and my last commit wasn't pushed here before merging. So following up with #1669