The bug here is that we add empty JSValues to the sparse map, and then set them - but a GC may occur before doing so (due to a call to reportExtraMemoryCost). We may want to consider making it safe to mark empty JSValues, but the simple & contained fix to this specific bug is to just initialize these values to something other than JSValue().
Created attachment 135457: Fix
Fixed in r113112
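The ordering problem described in the first comment, as an added toy model that is not JavaScriptCore code and not part of the original report. The `Value`, `SparseMap`, `Heap` and `fill` types and functions, the threshold, and the use of an "undefined" placeholder are all assumptions made for illustration.

```cpp
#include <cstddef>
#include <map>

// Toy model, constructed for illustration; none of this is JavaScriptCore code.
enum class Tag { Empty, Undefined, Cell };
struct Value { Tag tag = Tag::Empty; };  // default-constructed is "empty", like JSValue()

struct SparseMap {
    std::map<unsigned, Value> slots;
    // Marking visits every reachable slot. This toy marker cannot handle an
    // empty value, so it counts each one it is asked to mark.
    int mark() const {
        int emptySeen = 0;
        for (const auto& entry : slots)
            if (entry.second.tag == Tag::Empty) ++emptySeen;
        return emptySeen;
    }
};

struct Heap {
    SparseMap* root = nullptr;
    int emptyValuesMarked = 0;
    std::size_t extra = 0;
    std::size_t threshold = 64;  // assumed trigger point
    void collect() { if (root) emptyValuesMarked += root->mark(); }
    // Reporting extra memory can start a collection, as the comment describes.
    void reportExtraMemoryCost(std::size_t bytes) {
        extra += bytes;
        if (extra >= threshold) { extra = 0; collect(); }
    }
};

// Inserts n sparse entries. 'placeholder' is what a fresh slot holds between
// becoming reachable and receiving its real value.
int fill(Tag placeholder, unsigned n) {
    SparseMap map;
    Heap heap;
    heap.root = &map;
    for (unsigned i = 0; i < n; ++i) {
        map.slots[i * 1000].tag = placeholder;  // slot is now visible to the GC
        heap.reportExtraMemoryCost(16);         // a collection may run here
        map.slots[i * 1000].tag = Tag::Cell;    // real value stored afterwards
    }
    return heap.emptyValuesMarked;  // how many empty values the marker saw
}

int main() { return (fill(Tag::Empty, 100) > 0 && fill(Tag::Undefined, 100) == 0) ? 0 : 1; }
```

With an empty placeholder the marker sees one empty slot at every collection; with a non-empty placeholder it never does, which is the contained fix the comment proposes.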