when black allocation is on.

The scenario:
1) Incremental marking is off.
2) Partial deserialization starts and calls Heap::ReserveSpace.
2) ReserveSpace creates (white) reservations in old space.
3) ReserveSpace allocates map placeholders. One of these allocations
starts incremental marking, which starts black allocation (currently
when concurrent marking is on). Subsequent maps are black allocated.
4) ReserveSpace succeeds without triggering a GC.
5) Deserialization continues. Some maps are black. Note that
deserialization emits only old->new write barriers and skips
marking write barriers.
6) Deserialization finishes and re-visits the black allocated
reservations and large object. This misses black allocated maps.
7) There is black->white descriptor array pointer in one of these map.

BUG=chromium:723600

Change-Id: Ifffe46f22a7d7dbc5cff2e882190234fcc722ccb
Reviewed-on: https://chromium-review.googlesource.com/581187
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46816}