Why would an implementation that doesn't give away sensitive information be slow?
It would have to run the pointer through a one-way hash. Or store extra information for each object. Either way, there's a cost to generating and storing the hash code, which seems silly when you're going to stick it right into a normal hash table (which isn't exactly the fastest data structure in existence).
I don't understand why buckets make the code slow, leaky, or difficult to test.
Slow because the JavaScript code needs to do at least one comparison and branch on every lookup. (This is in addition to the native comparison and branch done by the native hash table!)
Leaky because the bucket has to hold onto the object (which is ok in some situations but not in others).
Difficult to test because usually the first item in the bucket will be the one you want, but sometimes it won't.
I also don't understand why a GC would have to keep extra information for an object whose hash code method was called.
A moving garbage collector would need to keep extra information around, because a hash-of-a-pointer changes when the object's location changes.