Fix object initialization when slack tracking for it's map is still enabled.

src/objects-inl.h

Index: src/objects-inl.h
diff --git a/src/objects-inl.h b/src/objects-inl.h
index a174a319c5b89962603b4998bc56317bb6251926..4a8e975705e725d22bc91f63507969df1a519a80 100644
--- a/src/objects-inl.h
+++ b/src/objects-inl.h
@@ -2286,7 +2286,53 @@ Object* JSObject::InObjectPropertyAtPut(int index,
 }
 
 
-
+//
+// The layout of JSObject created from initial map:
+//
+// ----------------------
+//   map                 \   \
+//   properties           |   | - JSObject header.
+//   elements             |  /
+//                        |
+//   header field 1       | - Extended header (see for example JSDate).
+//   ...                  |
+//   header field K      /
+// ----------------------
+//   internal field 1    \
+//   ...                  | - internal fields
+//   internal field M    /
+// ----------------------
+//   in-object property  \                            \
+//     field 1            |                            |
+//   ...                  | - pre-allocated            |
+//   in-object property   |                            |
+//     field P           /                             | - in-object properties
+//   in-object property  \                             |
+//     field P + 1        |                            |
+//   ...                  | - unused property fields   |
+//   in-object property   |                            |
+//     field P + U       /                            /
+// ----------------------
+//
+// where
+//   K - number of extra header fields
+//   M - number of internal fields
+//   P - number of pre-allocated fields
+//   U - number of unused fields
+//
+// The following values are stored in the Map:
+//   |inobject_properties|, |instance_size|, U := |unused_property_fields| and
+//   |extended_header_size| (computable via |instance_type|).
+//
+// The other values are calculated as follows:
+//   P := |inobject_properties| - |unused_property_fields|
+//   M := (|instance_size| - |extended_header_size|) / kPointerSize -
+//            |inobject_properties|
+//   K := (|extended_header_size| - JSObject::kHeaderSize) / kPointerSize
+//
+// When in-object slack tracking is enabled for the map, the unused fields
+// are initialized with one-word fillers.
+//
 void JSObject::InitializeBody(Map* map,
                               Object* pre_allocated_value,
                               Object* filler_value) {
@@ -2297,10 +2343,10 @@ void JSObject::InitializeBody(Map* map,
   int size = map->instance_size();
   int offset = kHeaderSize;
   if (filler_value != pre_allocated_value) {
-    int pre_allocated =
-        map->GetInObjectProperties() - map->unused_property_fields();
-    DCHECK(pre_allocated * kPointerSize + kHeaderSize <= size);
-    for (int i = 0; i < pre_allocated; i++) {
+    int end_of_pre_allocated_offset =
+        size - (map->unused_property_fields() << kPointerSizeLog2);

[Toon Verwaest, 2015/11/20 10:55:55]

What about just * kPointerSize? :)

[Igor Sheludko, 2015/11/20 11:26:14]

Done.

+    DCHECK_LE(kHeaderSize, end_of_pre_allocated_offset);
+    while (offset < end_of_pre_allocated_offset) {
       WRITE_FIELD(this, offset, pre_allocated_value);
       offset += kPointerSize;
     }