Eliminate unsafety from scheduler operations

[brson]

The new runtime, scheduler, and I/O types are often accessed through unsafe mutable pointers. There are many interrelated runtime features that expect independent access to mutable task-local or thread-local state, and this is difficult to model safely.

Many of the unsafe features that need to be fixed use functions called unsafe_borrow*, like unsafe_borrow, unsafe_borrow_io, unsafe_borrow_local_services.

More things will need to be passed by value or ~. There are probably useful functional idioms that I'm not familiar with that could help.

[emberian]

Triage bump

[toddaaro]

Status bump. The recent scheduler restructuring did a fair bit to eliminate unsafe blocks. In the sched.rs file we are down to unsafe code for the raw context swap, the cleanup job execution, and the "run" operation on the event loop. I think the first two are fundamental and unavoidable, the unsafe fun might be escapable. The unsafe to worry about is now all in the io code.

[catamorphism]

Triage bump -- @brson, is there anything blocking this?

[thestinger]

no longer relevant for the standard libraries due to #17325