fix: restrict actor exit codes to non-system codes #3653

Closed
wants to merge 1 commit into from

alanshaw (Member) commented Sep 8, 2020

This PR restricts actor methods from exiting with a system exit code. If an actor aborts with a system exit code, it is caught and changed to a `SysErrorIllegalActor`.

This conveniently also guards against actors using negative exit codes.

In #3199 @anorth suggested changing `Runtime.Abortf` to do this check, but this function is used by the runtime itself to abort with system exit codes and would not guard against an actor calling `panic(aerrors.New(exitcode.SysErrInsufficientFunds, "actor made a system error"))` directly.

refs filecoin-project/test-vectors#15

Kubuxu (Contributor) commented Sep 8, 2020

These panics are also going through this recover.
In essence we need to split out the `Abortf` into an actor runtime one and an internal one; the internal one would have no such check.

alanshaw (Member, Author) commented Sep 8, 2020

Ah right, gotcha, because an actor can also call `Send` on the runtime for example and a legitimate system error there would then be `SysErrorIllegalActor`.

Hmm, if we split `Abortf` we'd still need to somehow deal with guarding against an actor calling `panic(aerrors.New(exitcode.SysErrInsufficientFunds, "actor made a system error"))` directly.

alanshaw closed this Sep 8, 2020
alanshaw deleted the fix/restrict-actor-exit-codes branch September 8, 2020 10:00
Kubuxu (Contributor) commented Sep 8, 2020

Actors don't have access to the `aerrors` package,
but we can add a sentinel function to the `aerrors.ActorError` interface,
in the form of:

```go
type guard struct{}
type ActorError interface {
	error
	IsFatal() bool
	RetCode() exitcode.ExitCode
	guard() guard
}
```

Then nothing outside the `aerrors` package can implement the `ActorError` interface.
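The two ideas from this thread combined (a checked actor-facing abort beside an unchecked internal one, plus the sealed interface), as an added single-file sketch that is not code from this PR or from Lotus. The names `ActorAbort`, `InternalAbort`, `Invoke` and `Forged`, the numeric exit-code values, and the choice to map a non-`ActorError` panic to `SysErrorIllegalActor` are assumptions; the seal only has force when `ActorError` lives in its own package, which `Forged` stands in for here.

```go
package main

// ExitCode stands in for exitcode.ExitCode; the numeric values below are assumptions.
type ExitCode int64
const SysErrInsufficientFunds, SysErrorIllegalActor, FirstActorCode ExitCode = 6, 9, 16
type guard struct{}

// ActorError is sealed: guard() is unexported, so no other package can implement it.
type ActorError interface {
	error
	RetCode() ExitCode
	guard() guard
}

type actorError struct{ code ExitCode; msg string }
func (e *actorError) Error() string     { return e.msg }
func (e *actorError) RetCode() ExitCode { return e.code }
func (e *actorError) guard() guard      { return guard{} }

// InternalAbort is the runtime's own abort: any exit code, no check.
func InternalAbort(code ExitCode, msg string) { panic(&actorError{code, msg}) }

// ActorAbort is the actor-facing abort: system (and negative) codes are rewritten.
func ActorAbort(code ExitCode, msg string) {
	if code < FirstActorCode {
		code = SysErrorIllegalActor
	}
	panic(&actorError{code, msg})
}

// Forged models an error type from another package, which cannot declare guard().
type Forged struct{ Code ExitCode }
func (f Forged) Error() string     { return "forged" }
func (f Forged) RetCode() ExitCode { return f.Code }

// Invoke runs an actor method and maps its panic value to an exit code.
func Invoke(method func()) (code ExitCode) {
	defer func() {
		if r := recover(); r != nil {
			code = SysErrorIllegalActor // default for values the abort paths did not create
			if ae, ok := r.(ActorError); ok {
				code = ae.RetCode()
			}
		}
	}()
	method()
	return 0
}

func main() { println(Invoke(func() { panic(Forged{SysErrInsufficientFunds}) })) }
```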
