Fix JSFunction's in-object properties initialization.

src/heap/heap.cc

Index: src/heap/heap.cc
diff --git a/src/heap/heap.cc b/src/heap/heap.cc
index f9b07ca3bf65ed361a720b64243e1f50b57785b0..ff9d19a201d570cbf32e39211b16b090a7c6ad5d 100644
--- a/src/heap/heap.cc
+++ b/src/heap/heap.cc
@@ -3432,6 +3432,12 @@ void Heap::InitializeJSObjectFromMap(JSObject* obj, FixedArray* properties,
   // fixed array (e.g. Heap::empty_fixed_array()).  Currently, the object
   // verification code has to cope with (temporarily) invalid objects.  See
   // for example, JSArray::JSArrayVerify).
+  InitializeJSObjectBody(obj, map, JSObject::kHeaderSize);
+}
+
+
+void Heap::InitializeJSObjectBody(JSObject* obj, Map* map, int start_offset) {
+  if (start_offset >= map->instance_size()) return;

[ulan, 2015/11/25 11:11:51]

As discussed offline, please check for == explicitly and DCHECK that offset
doesn't exceed the size.

[Igor Sheludko, 2015/11/25 11:25:40]

Done.

   Object* filler;
   // We cannot always fill with one_pointer_filler_map because objects
   // created from API functions expect their internal fields to be initialized
@@ -3448,7 +3454,7 @@ void Heap::InitializeJSObjectFromMap(JSObject* obj, FixedArray* properties,
   } else {
     filler = Heap::undefined_value();
   }
-  obj->InitializeBody(map, Heap::undefined_value(), filler);
+  obj->InitializeBody(map, start_offset, Heap::undefined_value(), filler);
 }