[wasm] Fix missing GC visit of instance elements

The elements of a {WasmInstanceObject} were not visited during GC,
leading to crashes when using them later.
This CL fixes this by visiting the whole {JSObject} header, consisting
of properties and elements.

R=titzer@chromium.org

Bug: chromium:839919, chromium:946350
Change-Id: I070fb3e6a7fd87a7288fc68b284100a2f9c72e9a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1541237
Auto-Submit: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60488}

src/objects-body-descriptors-inl.h

@@ -677,7 +677,7 @@ class WasmInstanceObject::BodyDescriptor final : public BodyDescriptorBase {
   template <typename ObjectVisitor>
   static inline void IterateBody(Map map, HeapObject obj, int object_size,
                                  ObjectVisitor* v) {
-    IteratePointer(obj, kPropertiesOrHashOffset, v);
+    IteratePointers(obj, kPropertiesOrHashOffset, JSObject::kHeaderSize, v);
     for (uint16_t offset : kTaggedFieldOffsets) {
       IteratePointer(obj, offset, v);
     }

test/mjsunit/regress/wasm/regress-946350.js

+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --expose-gc
+
+load('test/mjsunit/wasm/wasm-module-builder.js');
+
+var builder = new WasmModuleBuilder();
+var instance = builder.instantiate();
+instance[1] = undefined;
+gc();
+Object.getOwnPropertyNames(instance);