canvas2d: Fix UAF due to undefined destruction order for TLS.

CanvasResourceSharedImage::OnBitmapImageDestroyed can be triggered when
the shared context stored in thread local storage is desroyed. The
function uses Thread::Current() for checking which thread it is invoked
on. Since Thread is also stored in TLS and there is no clear order in
which TLS objects are destroyed, this can result in UAF if Thread is
destroyed before the context.

Avoid the above by using PlatformThreadId which uses low level platform
APIs to get a unique thread id.

R=kbr@chromium.org

Bug: 984788
Change-Id: Ifb73fdf5fa07d9de8afbbf0aea876d3b30cbcea3
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1709891
Commit-Queue: Khushal <khushalsagar@chromium.org>
Commit-Queue: Kenneth Russell <kbr@chromium.org>
Auto-Submit: Khushal <khushalsagar@chromium.org>
Reviewed-by: Kenneth Russell <kbr@chromium.org>
Cr-Commit-Position: refs/heads/master@{#678960}

third_party/blink/renderer/platform/graphics/canvas_resource.cc

@@ -693,7 +693,7 @@ CanvasResourceSharedImage::CanvasResourceSharedImage(
                     context_provider_wrapper_->ContextProvider()
                         ->GetCapabilities())
               : GL_TEXTURE_2D),
-      owning_thread_id_(Thread::Current()->ThreadId()),
+      owning_thread_id_(base::PlatformThread::CurrentId()),
       owning_thread_task_runner_(Thread::Current()->GetTaskRunner()) {
   if (!context_provider_wrapper_)
     return;

third_party/blink/renderer/platform/graphics/canvas_resource.h

@@ -364,7 +364,7 @@ class PLATFORM_EXPORT CanvasResourceSharedImage final : public CanvasResource {
   }
   void WillDraw();
   bool is_cross_thread() const {
-    return Thread::Current()->ThreadId() != owning_thread_id_;
+    return base::PlatformThread::CurrentId() != owning_thread_id_;
   }
   bool has_read_access() const {
     return owning_thread_data().bitmap_image_read_refs > 0u;
@@ -413,11 +413,11 @@ class PLATFORM_EXPORT CanvasResourceSharedImage final : public CanvasResource {
   void SetGLFilterIfNeeded();
 
   OwningThreadData& owning_thread_data() {
-    DCHECK_EQ(Thread::Current()->ThreadId(), owning_thread_id_);
+    DCHECK_EQ(base::PlatformThread::CurrentId(), owning_thread_id_);
     return owning_thread_data_;
   }
   const OwningThreadData& owning_thread_data() const {
-    DCHECK_EQ(Thread::Current()->ThreadId(), owning_thread_id_);
+    DCHECK_EQ(base::PlatformThread::CurrentId(), owning_thread_id_);
     return owning_thread_data_;
   }
 
@@ -445,7 +445,7 @@ class PLATFORM_EXPORT CanvasResourceSharedImage final : public CanvasResource {
   const IntSize size_;
   const bool is_origin_top_left_;
   const GLenum texture_target_;
-  const PlatformThreadId owning_thread_id_;
+  const base::PlatformThreadId owning_thread_id_;
   const scoped_refptr<base::SingleThreadTaskRunner> owning_thread_task_runner_;
 
   OwningThreadData owning_thread_data_;