[Builtins] Array.reduceRight deopt point fix

When running with --deopt-every-n-times, it's possible to hit the
deopt point in reduceRight where we fail to find an initial element.
There was a bug in this code: the deopt point failed to begin walking
the array at {length - 1} in search of the first non-holey element.
With the flag, incorrect results would be produced. Without the flag,
it's not possible to get an incorrect result because normally the
deopt point fires only when the array (of whatever length) contains
only holes.

Bug: v8:9984
Change-Id: I654c702fca67c0f9a982f5bb8a5d9569e907ccf4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1934328Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65167}

src/builtins/array-reduce-right.tq

@@ -17,12 +17,13 @@ namespace array {
     const jsreceiver = Cast<JSReceiver>(receiver) otherwise unreachable;
     const callbackfn = Cast<Callable>(callback) otherwise unreachable;
     const numberLength = Cast<Number>(length) otherwise unreachable;
+    const initialK = numberLength - 1;
 
-    // Simulate starting the loop at 0, but ensuring that the accumulator is
-    // the hole. The continuation stub will search for the initial non-hole
-    // element, rightly throwing an exception if not found.
+    // Simulate starting the loop at {length - 1}, but ensuring that the
+    // accumulator is the hole. The continuation stub will search for the
+    // last non-hole element, rightly throwing an exception if not found.
     return ArrayReduceRightLoopContinuation(
-        jsreceiver, callbackfn, TheHole, jsreceiver, 0, numberLength);
+        jsreceiver, callbackfn, TheHole, jsreceiver, initialK, numberLength);
   }
 
   transitioning javascript builtin