Fix Array#replace on shifted arrays

[HertzDevil]

Array#replace is broken because it never accounts for the space available between an Array's root and real buffers, if #shift has been called on that Array. Here are two examples:

class Array(T)
  def dump
    String.build do |io|
      io << "["
      @capacity.times do |i|
        io << ", " if i > 0
        if 0 <= i - @offset_to_buffer < @size
          @buffer[i - @offset_to_buffer].inspect(io)
        else
          io << '_'
        end
      end
      io << ']'
    end
  end
end

x = [0, 1, 2, 3, 4]
x.shift
x.dump # => [_, 1, 2, 3, 4]

# element lost after reallocation
x.replace([0, 1, 2, 3, 4, 5, 6, 7])
x.dump # => [_, 0, 1, 2, 3, 4, 5, 6]
10000.times { x << 1 } # segfault

# element lost without reallocation
x = [0, 1, 2, 3, 4]
x.shift
x.replace([5, 6, 7, 8, 9])
x.dump # => [_, 5, 6, 7, 8]
10000.times { x << 1 } # segfault

Both #replace calls write into memory outside the array buffer. This PR ensures the above doesn't happen:

x = [0, 1, 2, 3, 4]
x.shift
x.replace([0, 1, 2, 3, 4, 5, 6, 7])
x.dump # => [0, 1, 2, 3, 4, 5, 6, 7, _, _]
10000.times { x << 1 } # okay

x = [0, 1, 2, 3, 4]
x.shift
x.replace([5, 6, 7, 8, 9])
x.dump # => [5, 6, 7, 8, 9]
10000.times { x << 1 } # okay

Additionally, it clears the unused region if the new array is smaller. This is important for arrays of reference types because previously the trailing elements would still be reachable after such a call to #replace and therefore cannot be garbage-collected.