I'll probably fix this at the same time as fixing #520, but just in case creating an issue for it.

Traceable takes an &self and eventually calls into spidermonkey's tracing functions. Spidermonkey may then mutate the thing being traced to point to a new location where it moved the object. Per this comment.

Traceable is defined as

pub unsafe trait Traceable {
    /// Trace `self`.
    unsafe fn trace(&self, trc: *mut JSTracer);
}

It takes self as a immutable reference, despite mutating it. Short of interior mutability, this is unsound. It is implemented for Value and ValueArray, which do not (and IMHO should not) have interior mutability. So the type signature of trace needs to change to either &mut self, self: &UnsafeCell<Self>.