Defuse Bundles parsed by the system process.

It's easy for apps to throw custom Parcelables into Bundles, but
if the system tries peeking inside one of these Bundles, it triggers
a BadParcelableException.  If that Bundle was passed away from the
Binder thread that delivered it into the system, we end up with a
nasty runtime restart.

This change mitigates this trouble by "defusing" any Bundles parsed by
the system server.  That is, if it encounters BadParcelableException
while unpacking a Bundle, it logs and delivers an empty Bundle as
the result.

Simultaneously, to help catch the system process sticking its
fingers into Bundles that are destined for other processes, a Bundle
now tracks if it's "defusable."  For example, any Intents delivered
through ActivityThread are marked as being defusable, since they've
arrived at their final destination.  Any other Bundles are considered
to be "in transit" and we log if the system tries unparceling them.

Merges several Parcel boolean fields into a flags int.  Add better
docs to several classes.

Bug: 27581063
Change-Id: I28cf3e7439503b5dc9a429bafae5eb48f21f0d93