
Create a static analysis to detect mutable borrow GC hazards #33140

@jdm


#33133 contains examples of borrow hazards discovered when a GC occurs while a DOM object's field has a mutable borrow outstanding. It should be possible to detect these automatically at compilation time if we can accurately answer the question "can this function call perform a GC?"

We could build up to this iteratively:

  1. create a struct CanGc(()); which can be copied freely
  2. any code in Servo that calls a method from mozjs/rust-mozjs must have a CanGc argument passed into it, indicating that it calls a method which can perform a GC operation
  3. the compiler now forces all code that calls these methods to pass a CanGc argument, so each caller must also receive a new CanGc argument
  4. step 3 repeats all the way up the stack to code that is automatically called by generated bindings or the main script event loop

Once this data is available, it should be possible to write an analysis pass as a new linter (similar to crown) which uses a dataflow analysis to find any function calls containing a CanGc argument that occur within the lifetime of a borrow_mut() return value. Even without this static analysis, though, the presence of the arguments will make it easier to visually determine if there are hazards present.
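As an added illustration (not Servo's code), the CanGc token from step 1 and the hazard pattern the proposed lint would flag. `Node` and `call_into_js` are hypothetical stand-ins: a RefCell field plays the DOM field, and a `try_borrow` inside the simulated GC plays the tracer that fails when a `borrow_mut()` guard is still alive across the call.

```rust
use std::cell::RefCell;

// Zero-sized, freely copyable token marking call sites that may trigger
// a garbage collection (step 1 of the proposal).
#[derive(Clone, Copy)]
pub struct CanGc(());

impl CanGc {
    // Only entry points (generated bindings, the event loop) should mint one.
    pub fn note() -> CanGc {
        CanGc(())
    }
}

// Hypothetical stand-in for a DOM object with an interior-mutable field.
pub struct Node {
    children: RefCell<Vec<u32>>,
}

// Stand-in for a mozjs call that can collect; it requires a CanGc (step 2).
// A real GC would trace `node`; here the trace reads the field, which fails
// if a mutable borrow is outstanding.
pub fn call_into_js(node: &Node, _can_gc: CanGc) -> Result<usize, &'static str> {
    match node.children.try_borrow() {
        Ok(children) => Ok(children.len()),
        Err(_) => Err("GC traced a field while borrow_mut() was live"),
    }
}

// Hazard: the CanGc call happens within the lifetime of the borrow_mut() guard.
pub fn append_hazard(node: &Node, can_gc: CanGc) -> Result<usize, &'static str> {
    let mut children = node.children.borrow_mut();
    children.push(1);
    call_into_js(node, can_gc) // `children` guard is still held here
}

// Fixed: the guard is dropped before the CanGc call.
pub fn append_fixed(node: &Node, can_gc: CanGc) -> Result<usize, &'static str> {
    {
        let mut children = node.children.borrow_mut();
        children.push(1);
    }
    call_into_js(node, can_gc)
}

fn main() {
    let node = Node { children: RefCell::new(Vec::new()) };
    let can_gc = CanGc::note();
    println!("hazard: {:?}", append_hazard(&node, can_gc));
    println!("fixed:  {:?}", append_fixed(&node, can_gc));
}
```

The dataflow lint described above would flag `append_hazard` statically: a call taking a CanGc argument while a `borrow_mut()` result is live.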

Labels: A-content/bindings (The DOM bindings), B-interesting-project (Represents work that is expected to be interesting in some fashion), I-safety (Some piece of code violates memory safety guarantees).