It's been discovered in Issue 644575 and discussed in https://codereview.chromium.org/2341043002/ that there are some subtle invariants around taking raw pointers to Oilpan objects, even if the Oilpan object uses GarbageCollectedFinalized, and those raw pointers would be cleaned up in the destructor.
Basically, it's necessary to use a pre-finalizer for this task, at least in ASAN builds. As soon as the object becomes unreachable, its memory is poisoned, and it's only briefly unpoisoned when the object's destructor is run. This implies that the finalizer must be run before the object is poisoned -- the definition of a pre-finalizer.
This needs to be documented in src/third_party/WebKit/Source/platform/heap/BlinkGCAPIReference.md. The example of using a garbage-collected object as the "this" pointer for a posted task can be used as an example, and CancellableTaskFactory documented as a special case.
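An added example (not Blink's code and not from BlinkGCAPIReference.md) that models the timeline described above: a posted task holding a raw pointer that is cancelled from the destructor still fires on poisoned memory, whereas one cancelled from a pre-finalizer does not. `Cell`, `Task`, `Collect` and the `cancelled` flag are simplified stand-ins for an Oilpan object, a posted task, one GC cycle and CancellableTaskFactory's cancel state.

```cpp
#include <functional>
#include <vector>

// Toy model of the lifecycle: unreachable -> pre-finalizers run -> memory
// poisoned -> posted tasks may fire -> briefly unpoisoned for the destructor.
struct Cell {
  bool poisoned = false;
  std::function<void()> pre_finalizer;  // runs before poisoning
  std::function<void()> destructor;     // runs while briefly unpoisoned
};

struct Task {
  Cell* target;     // raw "this" pointer captured by the posted task
  bool* cancelled;  // stands in for CancellableTaskFactory's cancel state
};

// Runs pending tasks; returns how many dereferenced poisoned memory (what ASAN would report).
int RunTasks(std::vector<Task>& tasks) {
  int bad = 0;
  for (const Task& t : tasks)
    if (!*t.cancelled && t.target->poisoned) ++bad;
  tasks.clear();
  return bad;
}

// One GC cycle in which `obj` is unreachable; tasks fire after poisoning, before the lazy sweep.
int Collect(Cell& obj, std::vector<Task>& tasks) {
  if (obj.pre_finalizer) obj.pre_finalizer();  // object memory still valid here
  obj.poisoned = true;
  int bad = RunTasks(tasks);
  obj.poisoned = false;                        // unpoisoned only for the dtor
  if (obj.destructor) obj.destructor();
  obj.poisoned = true;
  return bad;
}

// Cancelling from the destructor is too late: the task already ran on poisoned memory.
int CancelInDestructor() {
  Cell obj; std::vector<Task> tasks; bool cancelled = false;
  tasks.push_back({&obj, &cancelled});
  obj.destructor = [&] { cancelled = true; };
  return Collect(obj, tasks);  // 1 bad access
}

// Cancelling from a pre-finalizer happens before poisoning: no bad access.
int CancelInPreFinalizer() {
  Cell obj; std::vector<Task> tasks; bool cancelled = false;
  tasks.push_back({&obj, &cancelled});
  obj.pre_finalizer = [&] { cancelled = true; };
  return Collect(obj, tasks);  // 0 bad accesses
}
```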
Comment 1 by mlippautz@chromium.org, May 21 2018
Owner: mlippautz@chromium.org
Status: Assigned (was: Untriaged)