Ok here's the new version. The first patch is a no-op, but preparation for the GC able to traverse the `scope_chain_t`. It's pretty simple, it just utilizes the jsdisp vtbl.
The second patch is the updated GC, which is now simplified and proper with `InterpretedFunction_gc_traverse`. The tests are already modified (note how `a` is set to `function() {}`, this would have leaked without traversing scopes properly).
The `gc_run` is also simplified. Now it all restores it after the second logical pass, for both normal and error paths. There are no `goto`s anymore, no need to keep a mental state of the states during failure.
I still use the chunk approach and modifying object refcounts in-place since I can't find an alternative that allows random-access to the refs (from object links) without adding another field to the `jsdisp_t`, which IMO is not ideal just for this.
The only complexity with chunks comes from first filling the chunks (which is pretty basic), and then restoring from the chunks, linearly. That's it. I think it's reasonable now, considering the alternative…