1 files changed, 12 insertions, 0 deletions

diff --git a/Source/JavaScriptCore/heap/HandleSet.h b/Source/JavaScriptCore/heap/HandleSet.h
index f9737882e..58251f66a 100644
--- a/Source/JavaScriptCore/heap/HandleSet.h
+++ b/Source/JavaScriptCore/heap/HandleSet.h
@@ -35,10 +35,12 @@
 
 namespace JSC {
 
+class HandleBlock;
 class HandleSet;
 class HeapRootVisitor;
 class VM;
 class JSValue;
+class SlotVisitor;
 
 class HandleNode {
 public:
@@ -98,6 +100,7 @@ private:
     SentinelLinkedList<Node> m_strongList;
     SentinelLinkedList<Node> m_immediateList;
     SinglyLinkedList<Node> m_freeList;
+    Node* m_nextToFinalize;
 };
 
 inline HandleSet* HandleSet::heapFor(HandleSlot handle)
@@ -122,6 +125,10 @@ inline HandleSet::Node* HandleSet::toNode(HandleSlot handle)
 
 inline HandleSlot HandleSet::allocate()
 {
+    // Forbid assignment to handles during the finalization phase, since it would violate many GC invariants.
+    // File a bug with stack trace if you hit this.
+    RELEASE_ASSERT(!m_nextToFinalize);
+
     if (m_freeList.isEmpty())
         grow();
 
@@ -134,6 +141,11 @@ inline HandleSlot HandleSet::allocate()
 inline void HandleSet::deallocate(HandleSlot handle)
 {
     HandleSet::Node* node = toNode(handle);
+    if (node == m_nextToFinalize) {
+        ASSERT(m_nextToFinalize->next());
+        m_nextToFinalize = m_nextToFinalize->next();
+    }
+
     SentinelLinkedList<HandleSet::Node>::remove(node);
     m_freeList.push(node);
 }