chore: cherry-pick 6bb320d134b1 from chromium

[ppontes]

M96: Storage Foundation: Share FileState ownership with I/O threads.

blink::NativeIOFile methods implementing the Storage Foundation
JavaScript API pass raw pointers to NativeIOFile::FileState instances to
their corresponding blink::NativeIOFile::Do*() methods, which rely on
that CrossThreadPersistent arguments to keep the
underlying NativeIOFile::FileState instances alive.

CrossThreadPersistent can be used across threads to keep a garbage
collected object alive, together with any non-garbage-collected objects
that it owns. However, relying on CrossThreadPersistent existence to
access the owned objects on a different thread is not safe.
cppgc::subtle::CrossThreadPersistent (blink::CrossThreadPersistent is an
alias to that) has comments explaining that the garbage collected heap
can go away while the CrossThreadPersistent instance exists.

This CL fixes the problem by having the ownership of
NativeIOFile::FileState be shared between the corresponding NativeIOFile
instance and any threads doing I/O on the FileState.

(cherry picked from commit 7dc02206707362f3f92cea93f8eb2fa4af0d375f)

Bug: 1240593
Change-Id: I5c9c818bcb23316fe1fd5afa57ed9c3fdb034377
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3269947
Commit-Queue: Victor Costan pwnall@chromium.org
Reviewed-by: Austin Sullivan asully@chromium.org
Reviewed-by: Marijn Kruisselbrink mek@chromium.org
Reviewed-by: enne enne@chromium.org
Cr-Original-Commit-Position: refs/heads/main@{#940130}
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3272672
Bot-Commit: Rubber Stamper rubber-stamper@appspot.gserviceaccount.com
Cr-Commit-Position: refs/branch-heads/4664@{#945}
Cr-Branched-From: 24dc4ee75e01a29d390d43c9c264372a169273a7-refs/heads/main@{#929512}

Notes: Backported fix for CVE-2021-38006.

[release-clerk]

Release Notes Persisted

Backported fix for CVE-2021-38006.