[runtime] Fix Object.create(null) initialization order

src/runtime/runtime-object.cc

Index: src/runtime/runtime-object.cc
diff --git a/src/runtime/runtime-object.cc b/src/runtime/runtime-object.cc
index 7be70bf51bcf6728714f7130cae595c13f03b4c1..b3f72d5f9c817a510dd42e08c2e766b5f1619299 100644
--- a/src/runtime/runtime-object.cc
+++ b/src/runtime/runtime-object.cc
@@ -247,13 +247,18 @@ RUNTIME_FUNCTION(Runtime_ObjectCreate) {
     }
   }
 
+  bool is_dictionary_map = map->is_dictionary_map();
+  Handle<FixedArray> object_properties;
+  if (is_dictionary_map) {
+    // Allocate the actual properties dictionay up front to avoid invalid object
+    // state.
+    object_properties =
+        NameDictionary::New(isolate, NameDictionary::kInitialCapacity);
+  }
   // Actually allocate the object.
   Handle<JSObject> object = isolate->factory()->NewJSObjectFromMap(map);
-
-  if (map->is_dictionary_map()) {
-    Handle<NameDictionary> properties =
-        NameDictionary::New(isolate, NameDictionary::kInitialCapacity);
-    object->set_properties(*properties);
+  if (is_dictionary_map) {
+    object->set_properties(*object_properties);
   }
 
   // Define the properties if properties was specified and is not undefined.