Shu-yu Guo authored
The fast path of Array#toSpliced currently does not correctly initialize the elements range in the copy's FixedArray elements that will hold the inserted items. A GC can occur between the initial allocation of the elements before the inserted items are copied into it, which will fail heap verification.

This CL also refactors CSA's FillFixedArrayWithSmiZero method to support only zeroing a portion of a FixedArray instead of the entire thing.

Bug: v8:13035
Change-Id: I1bdb77d3b27f682620b45caa5a9c10ea0072a6ad
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3750321
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81665}
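The window the commit message describes, as an added C model (not V8 code and not this CL's diff; every name, the tagging scheme and the mock collector are assumptions made for the illustration): a copy buffer is allocated for a toSpliced-style operation, the prefix and suffix are copied, and a collector that verifies every tagged slot runs before the inserted items are written. With the insertion gap left uninitialized the verifier sees garbage that looks like dangling heap pointers; with the gap zero-filled to Smi 0 over just that range, the partial fill the CL adds to FillFixedArrayWithSmiZero, it sees nothing wrong.

```c
/*
 * Added model, not V8 code: a FixedArray copy with an insertion gap, as a
 * toSpliced-style fast path builds it, plus a mock collector that verifies
 * every tagged slot. Shows why the gap must hold Smi 0 before any point
 * where the GC may run. Every name below is an assumption for this example.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Tagged word: low bit 0 = Smi (value << 1), low bit 1 = heap pointer. */
typedef uintptr_t Tagged;
#define SMI(v) ((Tagged)(v) << 1)

/* Mock heap space: a tagged pointer is valid only if it refers into here. */
Tagged heap_objects[4];
Tagged heap_ref(size_t i) { return (Tagged)(uintptr_t)&heap_objects[i] | 1u; }

int slot_is_valid(Tagged t) {
    if ((t & 1u) == 0) return 1;                   /* any Smi is fine */
    uintptr_t p = t & ~(uintptr_t)1;
    uintptr_t lo = (uintptr_t)&heap_objects[0];
    uintptr_t hi = (uintptr_t)&heap_objects[4];
    return p >= lo && p < hi && (p - lo) % sizeof(Tagged) == 0;
}

/* The collector's verifier: number of slots that are neither a Smi nor a
 * pointer into the mock heap. Real heap verification would abort here. */
size_t gc_verify_heap(const Tagged *slots, size_t n) {
    size_t bad = 0;
    for (size_t i = 0; i < n; i++) bad += !slot_is_valid(slots[i]);
    return bad;
}

/* Zero only [from, from + count): the partial fill the CL describes. */
void fill_fixed_array_with_smi_zero(Tagged *arr, size_t from, size_t count) {
    for (size_t i = from; i < from + count; i++) arr[i] = SMI(0);
}

/* Fresh allocation filled with a constructed garbage pattern (0xAB.. has
 * the low bit set, so it reads as a dangling heap pointer), standing in for
 * whatever an uninitialized elements backing store happens to contain. */
Tagged *allocate_elements(size_t n) {
    Tagged *p = malloc(n * sizeof(Tagged));
    if (!p) abort();
    memset(p, 0xAB, n * sizeof(Tagged));
    return p;
}

/* Copy src with `del` elements at `start` replaced by ins[0..ins_n).
 * The GC (here: the verifier) runs after the prefix and suffix are copied
 * but before the inserted items land, the window the commit message names.
 * `zero_gap` selects the fixed behaviour; *gc_errors receives what the
 * verifier saw at that point. */
Tagged *to_spliced_copy(const Tagged *src, size_t len, size_t start, size_t del,
                        const Tagged *ins, size_t ins_n, int zero_gap,
                        size_t *out_len, size_t *gc_errors) {
    size_t new_len = len - del + ins_n;
    Tagged *dst = allocate_elements(new_len);
    memcpy(dst, src, start * sizeof(Tagged));                        /* prefix */
    memcpy(dst + start + ins_n, src + start + del,
           (len - start - del) * sizeof(Tagged));                    /* suffix */
    if (zero_gap) fill_fixed_array_with_smi_zero(dst, start, ins_n); /* the fix */
    *gc_errors = gc_verify_heap(dst, new_len);                       /* GC point */
    memcpy(dst + start, ins, ins_n * sizeof(Tagged));                /* inserts */
    *out_len = new_len;
    return dst;
}

int main(void) {
    Tagged src[3] = { SMI(1), SMI(2), SMI(3) };
    Tagged ins[2] = { heap_ref(0), SMI(9) };
    size_t n, errs;
    Tagged *r = to_spliced_copy(src, 3, 1, 1, ins, 2, 0, &n, &errs);
    printf("uninitialized gap: %zu bad slot(s) seen by GC\n", errs);
    free(r);
    r = to_spliced_copy(src, 3, 1, 1, ins, 2, 1, &n, &errs);
    printf("zero-filled gap:   %zu bad slot(s) seen by GC\n", errs);
    free(r);
    return 0;
}
```

Both paths end with the same final contents; the difference is only visible at the GC point, which is why a bug like this shows up under heap verification rather than as a wrong result.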
902759b8