panics in the host via mistaken comparison and conversion dispatch

[graydon]

There's a fairly serious (and old!) bug in the way EnvVal<WeakHost,RawVal>::cmp calls WeakHost::obj_cmp which calls through to impl Env for CheckedEnv and treats it as infallibe. This is causing panics because it's not actually infallibe (specifically: comparing values can exceed budget and thereby return a HostError), and the latter impl escalates HostError to panic (which is appropriate for local-testing mode but inapprorpiate for production hosts).

This is happening because we (really just I) overlooked the fact that all the very-early plumbing (in April) that put in place originally to make im work (EnvVal and WeakHost and such) got made-useless by the slightly-later transition (in May) to infallible host functions and CheckedEnv. It all compiles and runs, but it's essentially incoherent: any error that happens inside an im call to Ord::cmp winds up escalating to a panic.

This is really quite bad. My best guess at a solution here is .. quite invasive and horrible:

• DONE (Remove EnvVal #608) Get rid of EnvVal and WeakHost entirely (eliminating the Ord impl along the way)
• DONE (Delete im #585) Get rid of im, and actually we can't really use anyone's containers because they all have this characteristic -- we have to write our own maps and vecs that have fallible lookup routines
• Carefully audit and/or possibly feature-gate code paths in the production host that might accidentally call through to the impl Env for CheckedEnv -- it should really only be seen/called by contracts running tests. Possibly move it to the SDK to avoid the possibility of calling it in the host's own codebase.
• DONE (Reform TryFromVal to reduce number of impls. #628) Refactor all the TryFromVal paths to enable systematic reform of errors
• PENDING (Env error cleanup #633) Remove impl Env for CheckedEnv entirely and make all Env methods fallible with a configurable Error provided by the Env type.

[graydon]

Update: we .. actually have another copy of the same bug re-occurring in the conversion paths triggered server-side from the builtin contract. For example in impl<E:Env> TryFrom<E, RawVal> for u64 we make infallible calls to e.obj_to_u64() assuming we're being called in a native-testing contract (non-production, local-to-the-user's-workstation) context, where it's fine to panic; but these calls also happen in the inject/extract paths of the builtin contract (production, in-the-server) context, where it's very much not fine to panic. But these calls compile because theyare served by the impl Env for CheckedEnv, that escalates errors to panic.

We need to get that impl out of soroban-env-common or host or guest, move it explicitly to the user-code SDK (and possibly also have a compile-time check (feature? colliding panic handler? some other hack?) that differentiates "code that is in a context where it's allowed to panic" from "not", and ensure the latter. This is way too dangerous to have kicking around in the host.

cc @leighmcculloch

[graydon]

This is now complete. Long live the new infallible-errors boilerplate!