LibJS: Never give back virtual memory once it belongs to a cell type

Instead of returning HeapBlock memory to the kernel (or a non-type
specific shared cache), we now keep a BlockAllocator per CellAllocator
and implement "deallocation" by basically informing the kernel that we
don't need the physical memory right now.

This is done with MADV_FREE or MADV_DONTNEED if available, but for other
platforms (including SerenityOS) we munmap and then re-mmap the memory
to achieve the same effect. It's definitely clunky, so I've added a
FIXME about implementing the madvise options on SerenityOS too.

The important outcome of this change is that GC types that use a
type-specific allocator become immune to use-after-free type confusion
attacks, since their virtual addresses will only ever be re-used for
the same exact type again and again.

Fixes #22274

Userland/Libraries/LibJS/Heap/Heap.h

@@ -15,7 +15,6 @@
 #include <AK/Vector.h>
 #include <LibCore/Forward.h>
 #include <LibJS/Forward.h>
-#include <LibJS/Heap/BlockAllocator.h>
 #include <LibJS/Heap/Cell.h>
 #include <LibJS/Heap/CellAllocator.h>
 #include <LibJS/Heap/Handle.h>
@@ -83,8 +82,6 @@ public:
 
     void register_cell_allocator(Badge<CellAllocator>, CellAllocator&);
 
-    BlockAllocator& block_allocator() { return m_block_allocator; }
-
     void uproot_cell(Cell* cell);
 
 private:
@@ -154,8 +151,6 @@ private:
 
     Vector<GCPtr<Cell>> m_uprooted_cells;
 
-    BlockAllocator m_block_allocator;
-
     size_t m_gc_deferrals { 0 };
     bool m_should_gc_when_deferral_ends { false };