https://bugs.webkit.org/show_bug.cgi?id=83096

Reviewed by Filip Pizlo.

The bug here is that we add empty JSValues to the sparse map, and then set them
- but a GC may occur before doing so (due to a call to reportExtraMemory cost).
We may want to consider making it safe to mark empty JSValues, but the simple &
contained fix to this specific bug is to just initialize these values to
something other than JSValue().

* runtime/JSArray.cpp:
(JSC::SparseArrayValueMap::add):
    - Initialize sparse map entries.



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@113112 268f45cc-cd09-0410-ab3c-d52691b4dbfc