Fix object initialization when slack tracking for it's map is still enabled.

src/ia32/builtins-ia32.cc

Index: src/ia32/builtins-ia32.cc
diff --git a/src/ia32/builtins-ia32.cc b/src/ia32/builtins-ia32.cc
index 05bf9b1b7582429f83feb295ddfdad51499b99ad..25da2a4eea23d3c81785e83b2a821cf5a02da9c1 100644
--- a/src/ia32/builtins-ia32.cc
+++ b/src/ia32/builtins-ia32.cc
@@ -241,18 +241,12 @@ static void Generate_JSConstructStubHelper(MacroAssembler* masm,
           __ j(less, &no_inobject_slack_tracking);
 
           // Allocate object with a slack.
-          __ movzx_b(
-              esi,
-              FieldOperand(
-                  eax,
-                  Map::kInObjectPropertiesOrConstructorFunctionIndexOffset));
-          __ movzx_b(eax, FieldOperand(eax, Map::kUnusedPropertyFieldsOffset));
-          __ sub(esi, eax);
-          __ lea(esi,
-                 Operand(ebx, esi, times_pointer_size, JSObject::kHeaderSize));
+          __ movzx_b(esi, FieldOperand(eax, Map::kUnusedPropertyFieldsOffset));
+          __ neg(esi);
+          __ lea(esi, Operand(edi, esi, times_pointer_size, 0));
           // esi: offset of first field after pre-allocated fields
           if (FLAG_debug_code) {
-            __ cmp(esi, edi);
+            __ cmp(ecx, esi);
             __ Assert(less_equal,
                       kUnexpectedNumberOfPreAllocatedPropertyFields);
           }