Add C++ test for Scheduler delegate UAF after JS-throw teardown (#56800)

Summary:
Pull Request resolved: #56800

Reproduces, in a standalone gtest, the use-after-free race between Scheduler
teardown and pending rendering-update lambdas previously enqueued via
runtimeScheduler->scheduleRenderingUpdate inside
Scheduler::uiManagerDidFinishTransaction.

The lambda captures the SchedulerDelegate by raw pointer; when the delegate
is destroyed (as part of an instance teardown triggered by an uncaught fatal
error) before the lambda runs, the dereference is a use-after-free unless
the invalidation-token guard in Scheduler::setDelegate
(enableSchedulerDelegateInvalidation) is enabled at queue time.

The test:
- Drives the *real* Scheduler::uiManagerDidFinishTransaction so the lambda
  is enqueued via the regular code path into a real RuntimeScheduler's
  pending-rendering-updates queue.
- Initiates teardown via an uncaught JSI host-function throw routed through
  RuntimeScheduler's onTaskError callback (the test's analog of a host-side
  fatal handler), which drops the delegate.
- Triggers the next event loop tick to drain the queue.

Three test cases:
1. Sanity_LambdaRunsOnNextTickWhenDelegateAlive -- baseline: lambda runs and
   reaches the delegate when no teardown happens.
2. GuardEnabled_JSThrowInitiatedTeardownIsSafe -- with the guard ON, the
   pending lambda observes the invalidation token after teardown and returns
   without touching the freed delegate. Safe.
3. GuardDisabled_JSThrowInitiatedTeardownIsUAF -- with the guard OFF, the
   lambda dereferences the destroyed delegate. Caught by EXPECT_DEATH via a
   magic-sentinel ASSERT_EQ in the recording delegate, or by AddressSanitizer
   on the vptr load.

Fantom is intentionally not used here: it shares the global runtime VM across
tests, which would interfere with this test's contract that no further JS
executes after a fatal-driven instance teardown.

Changelog: [Internal]

Reviewed By: javache

Differential Revision: D104777850

fbshipit-source-id: 7ecacaf21a4a9b121575fcc66c2fcbb6bfd4adc7

Author: fkgozali

packages/react-native/Package.swift

@@ -473,6 +473,7 @@ let reactFabric = RNTarget(
     "components/unimplementedview",
     "components/virtualview",
     "components/root/tests",
+    "scheduler/tests",
   ],
   dependencies: [.reactNativeDependencies, .reactJsiExecutor, .rctTypesafety, .reactTurboModuleCore, .jsi, .logger, .reactDebug, .reactFeatureFlags, .reactUtils, .reactRuntimeScheduler, .reactCxxReact, .reactRendererDebug, .reactGraphics, .yoga, .reactJsInspectorTracing],
   sources: ["animated", "animationbackend", "animations", "attributedstring", "core", "componentregistry", "componentregistry/native", "components/root", "components/view", "components/view/platform/cxx", "components/scrollview", "components/scrollview/platform/cxx", "components/scrollview/platform/ios", "components/legacyviewmanagerinterop", "components/legacyviewmanagerinterop/platform/ios", "dom", "scheduler", "mounting", "observers/events", "observers/intersection", "observers/mutation", "telemetry", "consistency", "leakchecker", "uimanager", "uimanager/consistency", "viewtransition"]

packages/react-native/ReactCommon/React-Fabric.podspec

@@ -159,6 +159,7 @@ Pod::Spec.new do |s|
 
   s.subspec "scheduler" do |ss|
     ss.source_files         = podspec_sources("react/renderer/scheduler/**/*.{m,mm,cpp,h}", "react/renderer/scheduler/**/*.h")
+    ss.exclude_files        = "react/renderer/scheduler/tests"
     ss.header_dir           = "react/renderer/scheduler"
 
     ss.dependency             "React-Fabric/animationbackend"