Fix box2d physics use-after-free crashes

[zero-meta]

Fix physics use-after-free crashes

Summary

Fix multiple use-after-free vulnerabilities in the Box2D physics binding that cause SIGSEGV crashes in production (Our Google Play App).

• StopWorld 3-phase cleanup: Replace per-body DestroyBody loop with bulk cleanup to eliminate double-free when gear joints have m_bodyA == m_bodyB (both edges in same body's joint list)
• StepWorld offscreen fix: Remove GetParent() guard in ~DisplayObjectExtensions so offscreen display objects (snapshot.group, canvas texture cache) unconditionally clear body->SetUserData(NULL), preventing dangling pointer dereference on next frame. The same as this PR: (removed) #894
• Finalizer ownership check: Add bidirectional joint->GetUserData() == wrapper guard before writing to b2Joint userdata in Lua GC finalizer
• Pre-invalidate joint wrappers: Invalidate all attached joint UserdataWrappers immediately in ~DisplayObjectExtensions, closing the GC timing window between removeSelf and StepWorld's deferred DestroyBody

Crash signatures (from production)

[libcorona.so] b2Fixture::Destroy(b2BlockAllocator*) SIGSEGV
[libcorona.so] PhysicsJoint::Finalizer                SIGSEGV
[Corona Simulator] b2Joint::Destroy + 32               SIGSEGV at 0x0

Prior fix context

This PR #858 (commit c8c3bd1e) ("Core: fix box2d joint use after free when world deleted") added DestroyBody(body) to the StopWorld loop. This fixed the original bug where delete fWorld bulk-freed all joint memory without calling SayGoodbye, leaving joint wrappers dangling for the GC Finalizer to crash on. With DestroyBody, each joint gets SayGoodbye → wrapper->Invalidate() before being freed, making the Finalizer safe for all normal joints.

However, DestroyBody introduced a new deterministic crash for gear joints: b2GearJoint has m_bodyA == m_bodyB == ground, so both joint edges are in the same body's list, and DestroyBody(ground) double-frees the gear joint.

This PR's 3-phase StopWorld solves both problems simultaneously: no DestroyBody (avoids gear joint double-free), but manually iterates the joint list to wrapper->Invalidate() (replaces SayGoodbye's role).

Gear joint deterministic crash — test code

The gear joint crash is 100% reproducible. b2GearJoint overrides m_bodyA/m_bodyB to the sub-joints' other bodies, causing both joint edges to register in the same body's list (ground). When DestroyBody(ground) iterates this list, it frees the gear joint via edgeB, then follows the prefetched next pointer to edgeA — which is now freed memory.

Paste into main.lua and run — crashes immediately on physics.stop():

local physics = require("physics")
physics.start()
physics.setGravity(0, 9.8)

-- Bodies
local ground = display.newRect(160, 450, 320, 20)
physics.addBody(ground, "static")

local wheelA = display.newCircle(100, 300, 30)
physics.addBody(wheelA, "dynamic", { radius = 30, density = 1.0 })

local wheelB = display.newCircle(220, 300, 30)
physics.addBody(wheelB, "dynamic", { radius = 30, density = 1.0 })

-- Two pivot joints anchored to ground
local pivotA = physics.newJoint("pivot", wheelA, ground, 100, 300)
local pivotB = physics.newJoint("pivot", wheelB, ground, 220, 300)

-- Gear joint links the two pivots — internally sets m_bodyA = m_bodyB = ground
local gearJoint = physics.newJoint("gear", wheelA, wheelB, pivotA, pivotB, 1.5)

-- Stop physics after a short delay → StopWorld → DestroyBody(ground) → SIGSEGV
timer.performWithDelay(500, function()
    physics.stop()  -- deterministic crash: b2Joint::Destroy + 32, SIGSEGV at 0x0
end)