The bad scenario this fix handles:

We have a slot in a free list, then promote the object pointed-to by
the slot during scavenge. When allocating the space for the promoted
object, we overwrite the slot with the free list entry map if the
object is allocated just before the slot. After the allocation,
ScavengingVisitor::PromoteObject overwrites the slot with the
address of the allocated object, thus corrupting the free list.

Unfortunately, we do not have a way to construct a reliable repro
case because we would need to somehow craft a free list and store
buffer slot to be in the right configuration.

R=hpayer@chromium.org
BUG=

Review URL: https://codereview.chromium.org/695213004

Cr-Commit-Position: refs/heads/master@{#25143}
git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@25143 ce2b1a6d-e550-0410-aec6-3dcde31c8c00