LibJS: Add some basic freelist validation for the GC heap

When using the freelist, we now validate that the entries are actual
cell pointers within the current HeapBlock.

Userland/Libraries/LibJS/Heap/HeapBlock.cpp

@@ -75,6 +75,8 @@ HeapBlock::HeapBlock(Heap& heap, size_t cell_size)
 
 void HeapBlock::deallocate(Cell* cell)
 {
+    ASSERT(is_valid_cell_pointer(cell));
+    ASSERT(!m_freelist || is_valid_cell_pointer(m_freelist));
     ASSERT(cell->is_live());
     ASSERT(!cell->is_marked());
     cell->~Cell();

Userland/Libraries/LibJS/Heap/HeapBlock.h

@@ -51,6 +51,7 @@ public:
     {
         if (!m_freelist)
             return nullptr;
+        ASSERT(is_valid_cell_pointer(m_freelist));
         return exchange(m_freelist, m_freelist->next);
     }
 
@@ -80,6 +81,11 @@ public:
         return cell(cell_index);
     }
 
+    bool is_valid_cell_pointer(const Cell* cell)
+    {
+        return cell_from_possible_pointer((FlatPtr)cell);
+    }
+
     IntrusiveListNode m_list_node;
 
 private: