    Fix of argument materialization of captured heap numbers. · 713aa33f
    jarin@chromium.org authored
    The escape analysis calculates the number of slots in an object as
    no-of-slots = object-size / pointer-size.  This gives 3 slots for
    heap numbers on 32-bit architectures (one slot for the map, two for
    the double value); however, my argument materialization code assumed
    just two slots (map + value). Since Hydrogen allocates heap numbers
    quite rarely, it is hard to produce a more meaningful repro than the
    one provided by Clusterfuzz. Any suggestions are welcome.
    
    The fix is simple - we just read out all extra slots (beyond the map
    and the double) for heap numbers.
    
    R=mstarzinger@chromium.org
    BUG=351315
    LOG=N
    
    Review URL: https://codereview.chromium.org/196283004
    
    git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19874 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
regress-351315.js 1.91 KB
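
The slot-count mismatch described in the commit message, as an added C model that is not V8 code and not part of the original commit. The flat slot stream, the tag values and all function names are assumptions made for illustration; a heap number is modelled as one map slot plus an 8-byte double.

```c
#include <stdio.h>
#include <stddef.h>

/* Simplified model, not V8 code: captured objects are flattened into a
   stream of slots; the tag values below are constructed. */
enum { MAP_HEAP_NUMBER = 0x100, MAP_OTHER = 0x200, PAYLOAD = 0x777 };

/* Producer-side rule quoted in the commit message. */
static size_t slots_for(size_t object_size, size_t pointer_size) {
    return object_size / pointer_size;
}

/* Consume one heap number at stream position pos; return the new cursor. */
static size_t consume_heap_number(size_t pos, size_t slots, int fixed) {
    pos += 2;                 /* map, then the double read as one value */
    if (fixed && slots > 2)
        pos += slots - 2;     /* read out the extra slots */
    return pos;
}

/* Write a heap number followed by a second object, consume the heap
   number, and return what the consumer would take as the next map. */
static int next_map_seen(size_t pointer_size, int fixed) {
    size_t slots = slots_for(pointer_size + 8, pointer_size); /* map + double */
    int stream[8] = {0};
    size_t w = 0;
    stream[w++] = MAP_HEAP_NUMBER;
    for (size_t i = 1; i < slots; i++)
        stream[w++] = PAYLOAD;
    stream[w++] = MAP_OTHER;
    return stream[consume_heap_number(0, slots, fixed)];
}

int main(void) {
    printf("32-bit, 2-slot assumption: 0x%x\n", next_map_seen(4, 0));
    printf("32-bit, extra slots read:  0x%x\n", next_map_seen(4, 1));
    printf("64-bit, 2-slot assumption: 0x%x\n", next_map_seen(8, 0));
    return 0;
}
```

With 4-byte pointers the two-slot consumer stops one slot short and treats leftover double payload as the next object's map; with 8-byte pointers the two counts agree, so the mismatch only shows on 32-bit targets.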