
src: fix multiple format string bugs

The THROW_ERR_* functions interpret the first argument as a printf-like format string, which is problematic when it contains unsanitized user input. This typically happens when a printf-like function is used to produce the error message, which is then passed to a THROW_ERR_* function, which again interprets the error message as a format string.

Fix such occurrences by properly formatting error messages using static format strings only, and in a single step.

The added tests do not cover all changes; I only added tests for those occurrences that allow triggering a crash easily.

I am adding the security label because such bugs are frequent causes of vulnerabilities, even though none of the occurrences I found seem to be exploitable realistically.

cc @nodejs/cpp-reviewers @nodejs/security
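
The double-formatting pattern described above, next to the single-step fix, as an added C++ example that is not code from this pull request or from Node.js. `format_error`, `report_two_step` and `report_single_step` are hypothetical names, and the helper returns the message instead of throwing.

```cpp
#include <cstdarg>
#include <cstdio>
#include <string>

// Hypothetical stand-in for a THROW_ERR_*-style helper: it treats its first
// argument as a printf-like format string and returns the formatted message.
// Declaring such a helper with __attribute__((format(printf, 1, 2))) lets
// GCC/Clang -Wformat-security flag calls that pass a non-literal format.
std::string format_error(const char* fmt, ...) {
  char buf[256];
  va_list ap;
  va_start(ap, fmt);
  vsnprintf(buf, sizeof(buf), fmt, ap);
  va_end(ap);
  return std::string(buf);
}

// Two-step pattern: the message is built with snprintf, then handed to the
// helper as its format string, so it is interpreted a second time.
std::string report_two_step(const char* user_input) {
  char msg[256];
  snprintf(msg, sizeof(msg), "Invalid value: %s", user_input);
  return format_error(msg);  // user-controlled text is now the format string
}

// Fixed pattern: one static format string, formatted in a single step.
std::string report_single_step(const char* user_input) {
  return format_error("Invalid value: %s", user_input);
}

int main() {
  // Constructed sample input. "%%" consumes no argument, so the second pass
  // stays well-defined while still showing that the input was reinterpreted.
  // Any other conversion would make the helper read arguments that were
  // never passed, which is undefined behaviour.
  const char* input = "100%% coverage";
  printf("two-step:    %s\n", report_two_step(input).c_str());
  printf("single-step: %s\n", report_single_step(input).c_str());
  return 0;
}
```

The two-step path silently rewrites the input, while the single-step path reports it byte for byte.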
