Jaroslav Sevcik authored
For the JS object allocation case, we materialize children_count - 1 objects. However, we already materialized the map and property array, so this could materialize one object beyond the JS object. If there is no such object, we would go out-of-bounds.

Bug: chromium:792330
Change-Id: I5ed5e4ddde9de9789bb2531a48a0d87c80bd156c
Reviewed-on: https://chromium-review.googlesource.com/817315
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49986}
a6b8251b