[vm] Fix truncation of slot offsets during heap snapshots.

Truncation caused sorting to place the field at offset 2^16 before the field at offset 8, etc.

TEST=iso-stress
Bug: #60717
Change-Id: Ie75c9fa74b830bc08b386533b16e8b01127b0f26
Reviewed-on: https://dart-review.googlesource.com/c/sdk/+/428565
Commit-Queue: Alexander Aprelev <[email protected]>
Reviewed-by: Alexander Aprelev <[email protected]>

Author: rmacnak-google

runtime/vm/object_graph.cc

@@ -32,10 +32,10 @@ static bool IsUserClass(intptr_t cid) {
 // This may be a regulard dart field, a unboxed dart field or
 // a slot of any type in a predefined layout.
 struct ObjectSlot {
-  uint16_t offset;
+  uint32_t offset;
   bool is_compressed_pointer;
   const char* name;
-  ObjectSlot(uint16_t offset, bool is_compressed_pointer, const char* name)
+  ObjectSlot(uint32_t offset, bool is_compressed_pointer, const char* name)
       : offset(offset),
         is_compressed_pointer(is_compressed_pointer),
         name(name) {}
@@ -113,7 +113,9 @@ class ObjectSlots {
 
       // We sort the slots, so we'll visit the slots in memory order.
       slots->Sort([](const ObjectSlot* a, const ObjectSlot* b) {
-        return a->offset - b->offset;
+        if (a->offset < b->offset) return -1;
+        if (a->offset > b->offset) return 1;
+        return 0;
       });
 
       // As optimization as well as to support variable-length data, we remember