We were using CmpInstanceType instead of CmpObjectType in some places,
which meant that we were reading the value at the instance type field
offset within objects directly, rather than first loading their map and
reading the instance type there.

Bug: chromium:1180434
Change-Id: I4771b4f8f9a32bdc35944c6e6cd30c54e4ac8b6c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2716292
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73003}