[cfi-icall] Refactor GL g_driver_* to be CFI-safe
Control Flow Integrity [1] indirect call (cfi-icall) checking cannot verify
that dynamically resolved function pointers call their intended function. To
account for this, we place the function pointers in the various g_driver_*
structs in ProtectedMemory, a wrapper for keeping variables in read-only
memory except for when they are initialized. Once they are set they cannot be
tampered with since the memory is set back to read-only.

The generated bindings in gl_bindings_autogen_*.cc are not aware of the fact
that their implementation is held in protected memory, so instead of using
base::UnsanitizedCfiCall() we mark the individual function stubs with
__attribute__((no_sanitize("cfi-icall"))) to disable icall checks on the
generated bindings since their function pointer calls are routed through
protected memory.

[1] https://www.chromium.org/developers/testing/control-flow-integrity

Bug: 771365
Cq-Include-Trybots: master.tryserver.chromium.android:android_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel
Change-Id: I6bbf1b9a4122e1d00f6d2a365ae3730b4bb95a73
Reviewed-on: https://chromium-review.googlesource.com/770252
Commit-Queue: Peter Collingbourne <pcc@chromium.org>
Reviewed-by: Dan Sanders <sandersd@chromium.org>
Reviewed-by: Dale Curtis <dalecurtis@chromium.org>
Reviewed-by: Peter Collingbourne <pcc@chromium.org>
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Reviewed-by: Kenneth Russell <kbr@chromium.org>
Cr-Commit-Position: refs/heads/master@{#524318}
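The two mechanisms the commit message describes, as an added illustration that is not part of this change or of Chromium's code: a function pointer table that lives on a page mapped read-only except while its initializer runs, and a binding stub that disables cfi-icall for itself because its indirect call goes through that table. The wrapper here backs the object with its own mmap'd page rather than Chromium's dedicated section, and DriverTable, glAddStub, glMulStub, InitDriver, TableIsReadOnly and the NO_CFI_ICALL macro are hypothetical names standing in for g_driver_* and the generated bindings. It assumes a POSIX system with mmap, mprotect and sigaction.

```cpp
// Added example (not Chromium's base::ProtectedMemory): one struct of function
// pointers kept on a page that is PROT_READ except inside Initialize(), plus a
// stub with cfi-icall disabled because it calls through that table.
// Assumes POSIX mmap/mprotect/sigaction. All names are hypothetical stand-ins.
#include <setjmp.h>
#include <signal.h>
#include <sys/mman.h>
#include <unistd.h>
#include <cstdio>
#include <cstdlib>
#include <new>

// Clang implements cfi-icall; on other compilers the attribute is a no-op.
#if defined(__clang__)
#define NO_CFI_ICALL __attribute__((no_sanitize("cfi-icall")))
#else
#define NO_CFI_ICALL
#endif

// Stand-in for a g_driver_* struct: pointers a real driver fills via
// dlsym()/eglGetProcAddress(), whose targets cfi-icall cannot type-check.
struct DriverTable {
  int (*add)(int, int) = nullptr;
  int (*mul)(int, int) = nullptr;
};

// Keeps one T on its own page, mapped PROT_READ except inside Initialize().
template <typename T>
class ProtectedMemory {
 public:
  ProtectedMemory() : page_size_(static_cast<size_t>(sysconf(_SC_PAGESIZE))) {
    void* p = mmap(nullptr, page_size_, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) { perror("mmap"); abort(); }
    value_ = new (p) T();
    Protect(PROT_READ);  // lock immediately; nothing may write until Initialize()
  }
  ~ProtectedMemory() { munmap(value_, page_size_); }

  // The only write window: unlock, run the initializer, lock again.
  template <typename Init>
  void Initialize(Init init) {
    Protect(PROT_READ | PROT_WRITE);
    init(*value_);
    Protect(PROT_READ);
  }

  const T* operator->() const { return value_; }
  const T* address() const { return value_; }

 private:
  void Protect(int prot) {
    if (mprotect(value_, page_size_, prot) != 0) { perror("mprotect"); abort(); }
  }
  size_t page_size_;
  T* value_ = nullptr;
};

ProtectedMemory<DriverTable> g_driver;

// Stand-ins for the dynamically resolved implementations.
static int RealAdd(int a, int b) { return a + b; }
static int RealMul(int a, int b) { return a * b; }

// Fills the table once; the page is read-only again when this returns.
// Returns true when both slots were populated.
bool InitDriver() {
  g_driver.Initialize([](DriverTable& t) {
    t.add = RealAdd;  // a real binding would store the dlsym()/GetProcAddress result
    t.mul = RealMul;
  });
  return g_driver->add != nullptr && g_driver->mul != nullptr;
}

// Stand-ins for generated gl_bindings_autogen_* stubs. The indirect call goes
// through the protected table, so cfi-icall is disabled on the stub itself
// instead of wrapping each call in base::UnsanitizedCfiCall().
NO_CFI_ICALL int glAddStub(int a, int b) { return g_driver->add(a, b); }
NO_CFI_ICALL int glMulStub(int a, int b) { return g_driver->mul(a, b); }

// Tamper probe: rewrites one byte of the table in place and reports whether the
// kernel faulted (SIGSEGV on Linux, SIGBUS on some BSDs/macOS).
static sigjmp_buf g_probe;
static void OnFault(int) { siglongjmp(g_probe, 1); }

bool TableIsReadOnly() {
  struct sigaction sa = {}, old_segv = {}, old_bus = {};
  sa.sa_handler = OnFault;
  sigemptyset(&sa.sa_mask);
  sigaction(SIGSEGV, &sa, &old_segv);
  sigaction(SIGBUS, &sa, &old_bus);
  volatile bool faulted = true;
  volatile char* p = reinterpret_cast<volatile char*>(
      const_cast<DriverTable*>(g_driver.address()));
  if (sigsetjmp(g_probe, 1) == 0) {
    *p = *p;          // same byte written back; faults if the page is read-only
    faulted = false;  // reached only if the write went through
  }
  sigaction(SIGSEGV, &old_segv, nullptr);
  sigaction(SIGBUS, &old_bus, nullptr);
  return faulted;
}

int main() {
  InitDriver();
  printf("add(2,3)=%d mul(4,5)=%d table read-only=%d\n", glAddStub(2, 3),
         glMulStub(4, 5), static_cast<int>(TableIsReadOnly()));
  return 0;
}
```

The probe at the end is what makes the "cannot be tampered with" property observable: after InitDriver() returns, a stray write to the table faults instead of redirecting glAddStub. Note that the attribute is placed on each stub, not on the callers, so cfi-icall stays enabled for every other indirect call in the binary.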