In engine_v8.h, the following (global?) variables are used to track objects referenced by v8:
ObjTracker<BSONHolder> bsonHolderTracker;
ObjTracker<DBClientWithCommands> dbClientWithCommandsTracker;
ObjTracker<DBClientBase> dbClientBaseTracker;
ObjTracker<DBClientCursor> dbClientCursorTracker;

Objects tracked by these are deleted by v8 with the callback deleteOnCollect.

The problem is that the dbClientCursorTracker may have references to DBClientCursors that reference an instance of a DBClientBase that is also tracked by v8. If v8 decides to delete the DBClientBase before an associated DBClientCursor, then the DBClientCursor will have a pointer to a DBClientBase that has already been deleted. The destructor will then crash on the following code:
_client->sayPiggyBack( m );

So, suppose we have a DBClientBase* foo, and DBClientCursor* bar, both of which are tracked by v8, and that bar->_client == foo. If v8 destroys foo before bar, then the client may crash when destroying bar, due to bar's now bad reference to foo.