Create more instances for object graph walk

[RByers]

To find [NoInterfaceObject] interfaces and properties that occur on instances instead of prototypes (eg. CSSStyleDeclaration), we must discover some instances. For now we do some sort of limited walk from window, but IIRC it's not a full recursive walk. Even if it was, there are still interesting instances we couldn't find without invoking some methods.

As foolip mentions in https://github.com/GoogleChrome/confluence/issues/163#issuecomment-331441582, I suggest we add a list of expressions as a heuristic to ensure we discover specific instances of value (eg. document.body.style). Then we can augment this list manually whenever we find something that's missing (while still aiming to discover most things automatically).

[RByers]

Let's start tracking here the expressions we want:

• document.body.style (just to make absolutely sure CSSStyleDeclaration shows up, though it's probably redundant)
• new DOMException() - to work around Safari's bug of having properties on the instance instead of the prototype. But this is fixed in trunk, see https://github.com/GoogleChrome/confluence/issues/163#issuecomment-332231159
• new ArrayBuffer() - to work around byteLength being on the instance in Safari before 11.

@foolip suggests that we have the tool just try invoking every constructor we can find (without any arguments) - that seems worth doing to me.

[foolip]

Renamed this issue since it's a matter of creating instances more than finding them. Two recent issues are DOMRectList and Error.

Adding the roadmap label since this has come up a fair number of times now, and just the mechanism itself without actually creating a lot of instances should be pretty straightforward. @mdittmer, could it be a matter of just adding another root from which to start walking?