[PA][macOS] Fix SIGBUS in MallocZoneSize on freed super pages

On macOS, the system (CoreFoundation/AppKit) may call malloc_zone_size()
on any pointer to determine zone ownership. When called on a pointer in
a freed direct-mapped PartitionAlloc super page, GetSizeEstimate()
crashes with SIGBUS because:

1. IsManagedByPartitionAlloc() only checks the GigaCage pool range,
   which remains valid even after the super page is freed via
   UnmapNow().
2. The subsequent metadata access at PartitionPageMetadata::FromAddr()
   hits a decommitted page.

Additionally, in UnmapNow(), the metadata is decommitted before the
ReservationOffsetTable is updated with SetNotAllocatedTag(), creating a
TOCTOU race window where concurrent callers see "allocated" in the
table but the metadata is already gone.

Fix:
- Add ReservationOffsetTable::IsManagedByNormalBucketsOrDirectMap()
  check in GetSizeEstimate() after the GigaCage range check, before
  accessing metadata. Returns 1 if the super page has been freed.
- Reorder UnmapNow() to call SetNotAllocatedTag() before
  DecommitAndZeroSystemPages() to close the race window.

Bug: 510013808
Change-Id: I2c94f766819922f9a76ad1b244d4f12c9a1b0d92
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/7820194
Reviewed-by: Takashi Sakamoto <tasak@google.com>
Reviewed-by: Stephen Nusko <nuskos@chromium.org>
Commit-Queue: Chunyang Huo <chunyanghuo@microsoft.com>
Cr-Commit-Position: refs/heads/main@{#1627503}
NOKEYCHECK=True
GitOrigin-RevId: 58edd49bc53dca2c036d0f2a3b520578b1a9a8cd
3 files changed
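
An added illustration, not part of the commit or of PartitionAlloc: a single-threaded C++ model of the missing table check and of the teardown reordering described in the message above. `Probe`, `SuperPageModel`, `SizeEstimate`, `Unmap` and `Observe` are hypothetical names, and the callback stands in for a concurrent malloc_zone_size() caller.

```cpp
// Added illustration: single-threaded model of the ordering in the commit message.
// Every name below is hypothetical; none of this is PartitionAlloc code.
#include <atomic>
#include <cstdio>
#include <functional>

enum class Probe { kFreedSuperPage, kLiveSize, kWouldFault };

struct SuperPageModel {
  std::atomic<bool> allocated_tag{true};       // reservation-table entry
  std::atomic<bool> metadata_committed{true};  // metadata page state
};

// Lookup path after the pool range check, which still passes for a freed
// super page and is therefore not modelled: optional table check, then metadata.
Probe SizeEstimate(const SuperPageModel& sp, bool table_check) {
  if (table_check && !sp.allocated_tag.load(std::memory_order_acquire))
    return Probe::kFreedSuperPage;
  // Reading decommitted metadata is the SIGBUS in the real process.
  if (!sp.metadata_committed.load(std::memory_order_acquire))
    return Probe::kWouldFault;
  return Probe::kLiveSize;
}

// Runs the two teardown steps in the chosen order; `between` stands in for a
// concurrent caller arriving in the gap between them.
void Unmap(SuperPageModel& sp, bool tag_first, const std::function<void()>& between) {
  std::atomic<bool>& first = tag_first ? sp.allocated_tag : sp.metadata_committed;
  std::atomic<bool>& second = tag_first ? sp.metadata_committed : sp.allocated_tag;
  first.store(false, std::memory_order_release);
  between();
  second.store(false, std::memory_order_release);
}

// What a caller sees: in the gap between the two teardown steps (in_gap), or
// after both steps have run.
Probe Observe(bool tag_first, bool table_check, bool in_gap) {
  SuperPageModel sp;
  Probe seen = Probe::kLiveSize;
  Unmap(sp, tag_first, [&] { if (in_gap) seen = SizeEstimate(sp, table_check); });
  return in_gap ? seen : SizeEstimate(sp, table_check);
}

int main() {
  std::printf("decommit first, gap: %d\n", static_cast<int>(Observe(false, true, true)));
  std::printf("tag first, gap:      %d\n", static_cast<int>(Observe(true, true, true)));
  std::printf("no table check:      %d\n", static_cast<int>(Observe(true, false, false)));
}
```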