[csa] Fully initialize elements for large JSArray allocations

This fixes an issue introduced in https://crrev.com/c/1301483.

The JSArray allocation could trigger GC and thus elements must be
fully initialized.

Bug: v8:8429,chromium:890599
Change-Id: I7bfa1728c1dde7fc880063e095413163b13be2d5
Reviewed-on: https://chromium-review.googlesource.com/c/1322955Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#57342}

src/code-stub-assembler.cc

@@ -3920,10 +3920,19 @@ CodeStubAssembler::AllocateUninitializedJSArrayWithElements(
 
     CSA_CHECK(this, IsValidFastJSArrayCapacity(capacity, capacity_mode));
 
-    // Allocate and initialize the elements first.
+    // Allocate and initialize the elements first. Full initialization is needed
+    // because the upcoming JSArray allocation could trigger GC.
     elements =
         AllocateFixedArray(kind, capacity, capacity_mode, allocation_flags);
 
+    if (IsDoubleElementsKind(kind)) {
+      FillFixedDoubleArrayWithZero(CAST(elements.value()),
+                                   ParameterToIntPtr(capacity, capacity_mode));
+    } else {
+      FillFixedArrayWithSmiZero(CAST(elements.value()),
+                                ParameterToIntPtr(capacity, capacity_mode));
+    }
+
     // The JSArray and possibly allocation memento next. Note that
     // allocation_flags are *not* passed on here and the resulting JSArray will
     // always be in new space.