Currently the JITed code may contain embedded pointers to GC things like JSObject or JSString. This is not sound since the JITed code is not flushed during the GC. Thus it could be possible that the embedded GC thing would be collected and a new GC thing allocated with the same address, defeating the JITed code's assumption about the unique identity of GC things.
Do you have a testcase for this bug? During GC, TraceTraceMonitor sets TraceMonitor.needFlush, which will flush the trace cache as soon as possible. The reason we don't flush immediately is that native code might still be on the stack and needs to unwind. We do not touch any of the embedded GC things during unwinding.
Right, this is what I have missed: the trace cannot be entered without calling js_CheckGlobalObjectShape, which will return false after the GC, forcing js_FlushJITCache.