    [heap] Fix forwarding pointer race between sweeper threads and pointer updating threads. · 13488842
    hpayer authored
    The race can happen if:
    1) Fixed array A is right before object B in new space
    2) A slot in object C located in old space points to object B (old to new remembered set entry is created)
    3) Object C, which held the only reference to object B, becomes unreachable, so object B also becomes unreachable
    4) Fixed array A gets right trimmed
    5) The sweeper will sweep the last word of object A and object B. It will write the free space map into the last word of object A and a size field in the first word of object B.
    6) Pointer updating may observe the size field now because the recorded slot points to the start of object B and will confuse it with a forwarding pointer.
    
    Note a similar race may happen with left trimming. Array A points to its backing store, the backing store gets left trimmed by 1 element, and array A dies.
    BUG=
    
    Review-Url: https://codereview.chromium.org/2416563002
    Cr-Commit-Position: refs/heads/master@{#40218}
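The interleaving described in the commit message, as an added example that is not part of the commit or of V8's code. The model below is constructed: a tiny word-addressed heap, a hypothetical tagging scheme in which Smis have low bit 0 and heap pointers have low bit 1, and the assumption that a forwarding address is stored untagged in an object's first word, so that a free-space size (a Smi) and a forwarding address are indistinguishable by tag alone. The names `sweep`, `right_trim_a`, `updater_thinks_forwarded` and `updated_slot_after_race` are invented for the example.

```c
/* Constructed model of the sweeper / pointer-updater race: not V8's heap
 * layout, tagging or code. Steps 4..6 are run sequentially in either order so
 * the outcome is deterministic. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uintptr_t word_t;

/* Hypothetical tagging: Smi -> low bit 0, heap pointer -> low bit 1.
 * A forwarding address is modelled as the raw (untagged) target index,
 * so by tag alone it looks exactly like a Smi. */
#define SMI_TAG(v)     ((word_t)(v) << 1)
#define SMI_VALUE(w)   ((size_t)((w) >> 1))
#define PTR_TAG(i)     (((word_t)(i) << 1) | 1)
#define PTR_INDEX(w)   ((size_t)((w) >> 1))
#define HAS_SMI_TAG(w) (((w) & 1) == 0)

/* Constructed map identities, stored as tagged pointers. */
enum { MAP_FIXED_ARRAY = 1, MAP_OBJECT = 2, MAP_FREE_SPACE = 3 };

/* Constructed layout, in words:
 *   new space: A (fixed array) at 0: [map, length, e0, e1, e2]
 *              B (object)      at 5: [map, field]     (new space ends at 8)
 *   old space: C at 8: [map, slot]; C.slot points to B and is in the
 *              old-to-new remembered set. */
#define HEAP_WORDS 10
enum { A_START = 0, A_LENGTH = 1, A_LAST_WORD = 4, B_START = 5,
       NEW_SPACE_END = 8, C_START = 8, C_SLOT = 9 };

typedef struct { word_t w[HEAP_WORDS]; } heap_t;

static void setup_heap(heap_t *h) {
    h->w[A_START] = PTR_TAG(MAP_FIXED_ARRAY);
    h->w[A_LENGTH] = SMI_TAG(3);
    h->w[2] = SMI_TAG(0); h->w[3] = SMI_TAG(0); h->w[4] = SMI_TAG(0);
    h->w[B_START] = PTR_TAG(MAP_OBJECT);
    h->w[6] = SMI_TAG(0);
    h->w[7] = SMI_TAG(0);                 /* unused word after B */
    h->w[C_START] = PTR_TAG(MAP_OBJECT);
    h->w[C_SLOT] = PTR_TAG(B_START);      /* recorded old-to-new slot */
}

/* Step 4: right trim A by one element; its last word is no longer part of A. */
static void right_trim_a(heap_t *h) { h->w[A_LENGTH] = SMI_TAG(2); }

/* Step 5: the sweeper turns A's trimmed tail plus dead B into one free-space
 * object: the free-space map goes into A's old last word and the size, a Smi,
 * into what used to be B's first word. */
static void sweep(heap_t *h) {
    size_t free_words = NEW_SPACE_END - A_LAST_WORD;   /* words 4..7 */
    h->w[A_LAST_WORD] = PTR_TAG(MAP_FREE_SPACE);
    h->w[B_START] = SMI_TAG(free_words);
}

/* Step 6: the pointer updater visits the recorded slot and decides whether the
 * target was forwarded by looking only at the tag of the target's first word. */
static bool updater_thinks_forwarded(const heap_t *h) {
    word_t target_word = h->w[PTR_INDEX(h->w[C_SLOT])];
    return HAS_SMI_TAG(target_word);
}

/* Runs steps 4..6 in the given order; true if the updater would misread the
 * free-space size as a forwarding address. */
static bool race_corrupts_slot(bool sweeper_runs_first) {
    heap_t h; setup_heap(&h);
    right_trim_a(&h);
    if (sweeper_runs_first) sweep(&h);
    bool forwarded = updater_thinks_forwarded(&h);
    if (!sweeper_runs_first) sweep(&h);
    return forwarded;
}

/* Same interleaving, returning the value the updater leaves in C's slot. When
 * the sweeper wins, the "forwarding address" is the size field (4), so the slot
 * is rewritten to point at word 4, the free-space map, not an object start. */
static word_t updated_slot_after_race(bool sweeper_runs_first) {
    heap_t h; setup_heap(&h);
    right_trim_a(&h);
    if (sweeper_runs_first) sweep(&h);
    if (updater_thinks_forwarded(&h)) {
        word_t target_word = h.w[PTR_INDEX(h.w[C_SLOT])];
        h.w[C_SLOT] = PTR_TAG(SMI_VALUE(target_word));   /* bogus forward */
    }
    if (!sweeper_runs_first) sweep(&h);
    return h.w[C_SLOT];
}

int main(void) {
    printf("sweeper first: corrupt=%d slot->word %zu\n",
           race_corrupts_slot(true), PTR_INDEX(updated_slot_after_race(true)));
    printf("updater first: corrupt=%d slot->word %zu\n",
           race_corrupts_slot(false), PTR_INDEX(updated_slot_after_race(false)));
    return 0;
}
```

The point the model makes is that the check in step 6 is not wrong in isolation; it becomes wrong once another thread can write a Smi-shaped word at an address that a still-recorded slot points to, which is exactly what the sweeper does when the trimmed tail of A and dead B are coalesced into one free-space object.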
mark-compact.cc 140 KB