From b1c76bc93efb875e78805723625b71937a87c789 Mon Sep 17 00:00:00 2001
From: Jarred Sumner <jarred@jarredsumner.com>
Date: Fri, 2 Aug 2024 02:42:12 -0700
Subject: [PATCH] Update JSCTaskScheduler.cpp

---
 src/bun.js/bindings/JSCTaskScheduler.cpp | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/bun.js/bindings/JSCTaskScheduler.cpp b/src/bun.js/bindings/JSCTaskScheduler.cpp
index d70740eb0cbd39..616b3ed693ba6b 100644
--- a/src/bun.js/bindings/JSCTaskScheduler.cpp
+++ b/src/bun.js/bindings/JSCTaskScheduler.cpp
@@ -60,17 +60,20 @@ void JSCTaskScheduler::onScheduleWorkSoon(Ticket ticket, Task&& task)
 
 void JSCTaskScheduler::onCancelPendingWork(Ticket ticket)
 {
-    auto& scheduler = WebCore::clientData(getVM(ticket))->deferredWorkTimer;
+    JSC::VM& vm = getVM(ticket);
+    auto* clientData = WebCore::clientData(vm);
+    auto* bunVM = clientData->bunVM;
+    auto& scheduler = clientData->deferredWorkTimer;
 
     Locker<Lock> holder { scheduler.m_lock };
     bool isKeepingEventLoopAlive = scheduler.m_pendingTicketsKeepingEventLoopAlive.removeIf([ticket](auto pendingTicket) {
         return pendingTicket.ptr() == ticket;
     });
+    // -- At this point, ticket may be an invalid pointer.
 
     if (isKeepingEventLoopAlive) {
         holder.unlockEarly();
-        JSC::VM& vm = getVM(ticket);
-        Bun__eventLoop__incrementRefConcurrently(WebCore::clientData(vm)->bunVM, -1);
+        Bun__eventLoop__incrementRefConcurrently(bunVM, -1);
     } else {
         scheduler.m_pendingTicketsOther.removeIf([ticket](auto pendingTicket) {
             return pendingTicket.ptr() == ticket;