This creates a circular lifetime dependency that is not enforced, thus allowing read-after-write / use-after-free data races, especially during process termination. For example, running the shutdownTask on a shard server will result in rolling back stashed transactions – this may cause using opCtx pointers stored on instances of RecoveryUnit, while the actual opCtx might have been deleted already.

My recommendation is to avoid storing opCtx pointers in RecoveryUnit. Instead, we should have its public APIs expect a pointer to opCtx if needed, or store pointers to objects that will always outlive any instance of RecoveryUnit.