We should consider introducing an early pass to validation that checks all handles are valid, allowing the rest of validation to assume that arena indexing is infallible.

We recently improved the validator's robustness when presented with modules with invalid Handles. This was necessary, but it had an unpleasant impact on the validator code and some interfaces. Some operations became fallible (e.g. try_size, and various error types acquired bad-handle variants (e.g. TypeLayoutError::BadHandle), and bits and pieces of error-mapping code needed to be introduced.

Specifically:

• It's not always obvious where the checks are needed. We found most of the current set by fuzzing.
• Back ends are permitted to assume validation has succeeded, so they either need to unwrap (setting an uncomfortable precedent) or call alternate functions that panic on bad handles (boilerplate, and unclear when to use which alternative)
• The checks are a distraction from the code's primary purpose.
• There's a lot of redundancy in the error types.

An alternative would be to have one pass that runs at the beginning of validation that walks all functions, statement trees, expressions, types, and constants, and checks all handles. Then subsequent validation code can assume handles are valid. It can use the Index implementations on arenas, simplify function return types and error enums, and omit error remapping code.

The handle validation pass need not return very detailed error information; handle validation errors are only of interest to front end developers, not WebGPU or wgpu users. Capturing a backtrace would be the most important thing.