LibJS: Fix UB downcast during GlobalObject construction

When constructing a GlobalObject, it has to pass itself as the global
object to its own Shape. Since this is done in the Object constructor,
and Object is a base class of GlobalObject, it's not yet valid to cast
"this" to a GlobalObject*.

Fix this by having Shape store the global object as an Object& and move
Shape::global_object() to GlobalObject.h where we can at least perform a
valid static_cast in the getter.

Found by oss-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29267

Libraries/LibJS/Runtime/Shape.cpp

@@ -72,7 +72,7 @@ Shape::Shape(ShapeWithoutGlobalObjectTag)
 {
 }
 
-Shape::Shape(GlobalObject& global_object)
+Shape::Shape(Object& global_object)
     : m_global_object(&global_object)
 {
 }