[change-array-by-copy] Use fixed args for with

Array#with and TypedArray#with adapt their arguments because they have a
fixed arity of 2. Builtins that adapt arguments shouldn't use
...arguments in Torque, which results in a "don't adapt" sentinel to be
generated, resulting in incorrect frame size computation.

Bug: v8:12764, chromium:1367133
Change-Id: I81c1ef2cdef25d049fa0b8effcb2a953c2a9846b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3915939
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Auto-Submit: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83405}

src/builtins/array-with.tq

@@ -55,10 +55,8 @@ transitioning builtin GenericArrayWith(
 
 // https://tc39.es/proposal-change-array-by-copy/#sec-array.prototype.with
 transitioning javascript builtin ArrayPrototypeWith(
-    js-implicit context: NativeContext, receiver: JSAny)(...arguments): JSAny {
-  const index = arguments[0];
-  const value = arguments[1];
-
+    js-implicit context: NativeContext, receiver: JSAny)(
+    index: JSAny, value: JSAny): JSAny {
   // 1. Let O be ? ToObject(this value).
   const object: JSReceiver = ToObject_Inline(context, receiver);
 

src/builtins/typed-array-with.tq

@@ -7,10 +7,8 @@ const kBuiltinNameWith: constexpr string = '%TypedArray%.prototype.with';
 
 // https://tc39.es/proposal-change-array-by-copy/#sec-%typedarray%.prototype.with
 transitioning javascript builtin TypedArrayPrototypeWith(
-    js-implicit context: NativeContext, receiver: JSAny)(...arguments): JSAny {
-  const index = arguments[0];
-  let value: JSAny = arguments[1];
-
+    js-implicit context: NativeContext, receiver: JSAny)(
+    index: JSAny, valueArg: JSAny): JSAny {
   try {
     // 1. Let O be the this value.
     // 2. Perform ? ValidateTypedArray(O).
@@ -21,12 +19,13 @@ transitioning javascript builtin TypedArrayPrototypeWith(
         otherwise IsDetachedOrOutOfBounds;
     const originalLength = attachedArrayAndLength.length;
 
+    let value: JSAny;
     if (IsBigInt64ElementsKind(array.elements_kind)) {
       // 4. If O.[[ContentType]] is BigInt, set value to ? ToBigInt(value).
-      value = ToBigInt(context, value);
+      value = ToBigInt(context, valueArg);
     } else {
       // 5. Else, set value to ? ToNumber(value).
-      value = ToNumber_Inline(value);
+      value = ToNumber_Inline(valueArg);
     }
 
     // 6. Let relativeIndex be ? ToIntegerOrInfinity(index).

test/mjsunit/harmony/regress/regress-crbug-1367133.js

+// Copyright 2022 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --harmony-change-array-by-copy
+// Flags: --allow-natives-syntax --stress-concurrent-inlining
+
+(function TestArray() {
+  function doCall(a, method, ...args) { a[method](); }
+  function callOnArray(a) { doCall(a, 'with'); a.keys(); }
+
+  %PrepareFunctionForOptimization(callOnArray);
+  callOnArray([1]);
+  doCall({}, 'valueOf', "foo");
+  %OptimizeFunctionOnNextCall(callOnArray);
+  callOnArray([{},]);
+})();
+
+(function TestTypedArray() {
+  function doCall(a, method, ...args) { a[method](); }
+  function callOnArray(a) { doCall(a, 'with'); a.keys(); }
+
+  %PrepareFunctionForOptimization(callOnArray);
+  callOnArray(new Uint8Array(32));
+  doCall({}, 'valueOf', "foo");
+  %OptimizeFunctionOnNextCall(callOnArray);
+  callOnArray(new Float64Array(8));
+})();