After some feedback from :mccr8, this was able to browse around techcrunch, cnn, and passed octane. I'd like to push this to try, but bug 994028.

This turned up a security issue. See bug 1005119.

I know we have assertions on insertion into the GraphBuilder that the nodes we're adding are not in the nursery, so I think that this is not actually a problem in practice. That said, I have no idea *why* that assertion passes. We can certainly GC after building the graph during Unlink (we run JS there), but I guess the graph is already gone by then? I'm not sure how we keep compacting from ruining our world in that case. Either way we need more assertions around this interaction. I think the patch attached here is a good starting place, but I'd also like assertion on Heap<T>::get that we are not in one of these regions -- e.g. that we do not try to ExposeToActiveJS in the middle of deleting stuff from the CC.

Rebased. We renamed the method and stuff moved around a bit in the CC.

https://hg.mozilla.org/integration/mozilla-inbound/rev/b1df9ae6cce2e3766c7d9c7521a32b5e6bfb7161 Bug 1004276 - Assert that we do not GC in the wrong parts of the CC; r=mccr8