Fix object initialization when slack tracking for it's map is still enabled.

src/objects-inl.h

Index: src/objects-inl.h
diff --git a/src/objects-inl.h b/src/objects-inl.h
index a174a319c5b89962603b4998bc56317bb6251926..e5cd74dc2c088b72bbf5872ea48013a9b9658d30 100644
--- a/src/objects-inl.h
+++ b/src/objects-inl.h
@@ -2286,7 +2286,6 @@ Object* JSObject::InObjectPropertyAtPut(int index,
 }
 
 
-
 void JSObject::InitializeBody(Map* map,
                               Object* pre_allocated_value,
                               Object* filler_value) {
@@ -2297,10 +2296,10 @@ void JSObject::InitializeBody(Map* map,
   int size = map->instance_size();
   int offset = kHeaderSize;
   if (filler_value != pre_allocated_value) {
-    int pre_allocated =
-        map->GetInObjectProperties() - map->unused_property_fields();
-    DCHECK(pre_allocated * kPointerSize + kHeaderSize <= size);
-    for (int i = 0; i < pre_allocated; i++) {
+    int end_of_pre_allocated_offset =
+        size - (map->unused_property_fields() * kPointerSize);
+    DCHECK_LE(kHeaderSize, end_of_pre_allocated_offset);
+    while (offset < end_of_pre_allocated_offset) {
       WRITE_FIELD(this, offset, pre_allocated_value);
       offset += kPointerSize;
     }