LibJS: Fix UB downcast during GlobalObject construction

When constructing a GlobalObject, it has to pass itself as the global
object to its own Shape. Since this is done in the Object constructor,
and Object is a base class of GlobalObject, it's not yet valid to cast
"this" to a GlobalObject*.

Fix this by having Shape store the global object as an Object& and move
Shape::global_object() to GlobalObject.h where we can at least perform a
valid static_cast in the getter.

Found by oss-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29267

Libraries/LibJS/Runtime/GlobalObject.h

@@ -125,4 +125,9 @@ inline void GlobalObject::add_constructor(const FlyString& property_name, Constr
     define_property(property_name, constructor, Attribute::Writable | Attribute::Configurable);
 }
 
+inline GlobalObject* Shape::global_object() const
+{
+    return static_cast<GlobalObject*>(m_global_object);
+}
+
 }