From 5bda985cb96a166573824f175b00deea2b8008da Mon Sep 17 00:00:00 2001
From: Jarred Sumner
Date: Thu, 1 Aug 2024 21:29:48 -0700
Subject: [PATCH] Fix crash
---
 .../runtime/DeferredWorkTimer.cpp | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)
diff --git a/Source/JavaScriptCore/runtime/DeferredWorkTimer.cpp b/Source/JavaScriptCore/runtime/DeferredWorkTimer.cpp
index c8cef6bce3537..1f494a961675d 100644
--- a/Source/JavaScriptCore/runtime/DeferredWorkTimer.cpp
+++ b/Source/JavaScriptCore/runtime/DeferredWorkTimer.cpp
@@ -224,20 +224,27 @@ void DeferredWorkTimer::scheduleWorkSoon(Ticket ticket, Task&& task)
 // https://bugs.webkit.org/show_bug.cgi?id=276538
 bool DeferredWorkTimer::cancelPendingWork(Ticket ticket)
 {
- ASSERT(m_pendingTickets.contains(ticket));
+#if ASSERT_ENABLED
+ if (!onCancelPendingWork) {
+ ASSERT(m_pendingTickets.contains(ticket));
+ }
+#endif
+
 ASSERT(ticket->isCancelled() || ticket->vm().currentThreadIsHoldingAPILock() || (Thread::mayBeGCThread() && ticket->vm().heap.worldIsStopped()));
 bool result = false;
 if (!ticket->isCancelled()) {
+ // Script execution context is cleared in ->cancel().
+ // So we have to call onCancelPendingWork before canceling the ticket.
+ if (onCancelPendingWork) {
+ onCancelPendingWork(ticket);
+ }
+
 dataLogLnIf(DeferredWorkTimerInternal::verbose, "Canceling ticket: ", RawPointer(ticket));
 ticket->cancel();
 result = true;
 }
- if (onCancelPendingWork) {
- onCancelPendingWork(ticket);
- }
-
 return result;
 }
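Review bot: The new `onCancelPendingWork(ticket)` call inside `if (!ticket->isCancelled())` silently changes the hook's contract: the removed lines fired it on every call, including for a ticket that was already cancelled, whereas now a repeated cancel never notifies the embedder at all. If the hook is what lets the embedder drop its per-ticket state, that difference should be stated next to the new comment, e.g. `// Only notified once per ticket: already-cancelled tickets never reach the embedder hook.`, or confirmed as intended in the commit message, which currently only says "Fix crash". The `#if ASSERT_ENABLED` block likewise weakens the `m_pendingTickets.contains(ticket)` invariant whenever a hook is installed without saying why a ticket may legitimately be absent in that configuration; a one-line comment on the `if (!onCancelPendingWork)` branch (presumably because embedders can cancel tickets they removed themselves, to be confirmed) would keep the next maintainer from re-adding the unconditional assert. Note that the hook now runs while `isCancelled()` is still false, so a hook that re-enters `cancelPendingWork` on the same ticket would re-run this branch and invoke `ticket->cancel()` twice, which is worth a comment if re-entrancy is not already ruled out by the API lock assertion above.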