I'm getting a bit confused.

In the first place why do we not simply wrapper-trace the following path?

  holder wrapper -> ScriptPromiseProperty -> Promise and Resolver

assuming that the intention is to keep returning the same promise and resolver while the holder wrapper is alive?

I hope somebody else can chime in here. I'd like to get this sorted out but don't know the details of the initial design.

yhirano@: Any thoughts on this?

I'm confused: Is this different from issue 916022?

Issue 916022 was about a specific crash that happened because of recursive GC calls triggered from V8 API usage in the destructor. That crasher is fixed.

The mitigation I landed is very careful in the usage of V8's API so that no GC is triggered (as far as I know). This works now but is very fragile and may break at any time without anybody realizing :/

The more general issue seems that we should not call into V8 from destructors to avoid this problem on that level.

Hm, the destructor has never been trivial; See https://codereview.chromium.org/361863003.

- I think making the destructor trivial is safe. Some references will be left but I don't think they're super harmful. 
- Haraken's solution also sounds good. But we need EnsureWrapper as the wrapper may not be instantiated. We also need to ensure that TraceWrapperMember is used instead of Member.
- Or can we wait for the unified GC if it comes soon?

> Or can we wait for the unified GC if it comes soon?

Unified GC does not solve the problem of calling into V8 from destructors that may have arbitrary side effects. For this particular issue it solves the need for using TraceWrapperMember at some point. Until we fully launch we need it though.