LibJS: Never give back virtual memory once it belongs to a cell type

Instead of returning HeapBlock memory to the kernel (or a non-type
specific shared cache), we now keep a BlockAllocator per CellAllocator
and implement "deallocation" by basically informing the kernel that we
don't need the physical memory right now.

This is done with MADV_FREE or MADV_DONTNEED if available, but for other
platforms (including SerenityOS) we munmap and then re-mmap the memory
to achieve the same effect. It's definitely clunky, so I've added a
FIXME about implementing the madvise options on SerenityOS too.

The important outcome of this change is that GC types that use a
type-specific allocator become immune to use-after-free type confusion
attacks, since their virtual addresses will only ever be re-used for
the same exact type again and again.

Fixes #22274

Userland/Libraries/LibJS/Heap/CellAllocator.cpp

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020, Andreas Kling <kling@serenityos.org>
+ * Copyright (c) 2020-2023, Andreas Kling <kling@serenityos.org>
  *
  * SPDX-License-Identifier: BSD-2-Clause
  */
@@ -37,11 +37,10 @@ Cell* CellAllocator::allocate_cell(Heap& heap)
 
 void CellAllocator::block_did_become_empty(Badge<Heap>, HeapBlock& block)
 {
-    auto& heap = block.heap();
     block.m_list_node.remove();
     // NOTE: HeapBlocks are managed by the BlockAllocator, so we don't want to `delete` the block here.
     block.~HeapBlock();
-    heap.block_allocator().deallocate_block(&block);
+    m_block_allocator.deallocate_block(&block);
 }
 
 void CellAllocator::block_did_become_usable(Badge<Heap>, HeapBlock& block)