RotateRight32 needs a "number of bits" operand in the range 0..31.
Thankfully that's how x86 shift instructions behave anyway, and
how the bitwise shift operators in JavaScript are spec'ed, so this
fix is unobservable in non-UBSan builds.

RemoveArrayHolesGeneric can be used for length values anywhere in
the uint32_t range, so it must not implicitly cast those to int.
That actually caused an observable bug where a proxy's traps would
not get called at all, but only for huge "length" properties, where
the entire operation would also be painfully slow.

Bug: chromium:935133, chromium:937652
Change-Id: I13f74ca27eae6b2b089d58217842b699b2574509
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1510272
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60112}