Document subtlety of safety conditions for vm::Instance::sibling_vmctx_mut (#11318)

I initially thought that the documentation was missing a safety invariant that
callers must uphold, and then realized that it was a little subtler than I
originally thought, so I updated the documentation to clarify this for future
readers.

Author: fitzgen

crates/wasmtime/src/runtime/vm/instance.rs

@@ -354,6 +354,14 @@ impl Instance {
     ///
     /// This function requires that the `vmctx` pointer is indeed valid and
     /// from the store that `self` belongs to.
+    ///
+    /// (Note that it is *NOT* required that `vmctx` be distinct from this
+    /// instance's `vmctx`, or that usage of the resulting instance is limited
+    /// to its defined items! The returned borrow has the same lifetime as
+    /// `self`, which means that this instance cannot be used while the
+    /// resulting instance is in use, and we therefore do not need to worry
+    /// about mutable aliasing between this instance and the resulting
+    /// instance.)
     #[inline]
     unsafe fn sibling_vmctx_mut<'a>(
         self: Pin<&'a mut Self>,