diff --git a/Source/JavaScriptCore/jit/PolymorphicCallStubRoutine.cpp b/Source/JavaScriptCore/jit/PolymorphicCallStubRoutine.cpp
index 4115ba25ced16..e8d714635371f 100644
--- a/Source/JavaScriptCore/jit/PolymorphicCallStubRoutine.cpp
+++ b/Source/JavaScriptCore/jit/PolymorphicCallStubRoutine.cpp
@@ -45,13 +45,16 @@ PolymorphicCallNode::~PolymorphicCallNode()
 void PolymorphicCallNode::unlink(VM& vm)
 {
+    // We first remove itself from the linked-list before unlinking m_callLinkInfo.
+    // The reason is that m_callLinkInfo can potentially link PolymorphicCallNode's stub itself, and it may destroy |this| (the other CallLinkInfo
+    // does not do it since it is not chained in PolymorphicCallStubRoutine).
+    if (isOnList())
+        remove();
+
     if (m_callLinkInfo) {
         dataLogLnIf(Options::dumpDisassembly(), "Unlinking polymorphic call at ", m_callLinkInfo->doneLocation(), ", bc#", m_callLinkInfo->codeOrigin().bytecodeIndex());
         m_callLinkInfo->unlink(vm);
     }
-
-    if (isOnList())
-        remove();
 }
 
 void PolymorphicCallNode::clearCallLinkInfo()
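Review bot: The new comment establishes that `m_callLinkInfo->unlink(vm)` can destroy |this|, but that invariant is stated only above the `remove()` call, so nothing in the body warns a later edit against touching a member after the unlink — the classic way this kind of reordering fix regresses into a use-after-free. I'd put a marker directly after the call, e.g. `// |this| may have been destroyed by the call above; do not touch any member past this point.`, so the constraint sits where it is violated. It is also worth confirming that the CallLinkInfo being unlinked outlives the call when |this| is destroyed mid-call: if `m_callLinkInfo` is an owning reference, destroying |this| would release it while `CallLinkInfo::unlink` is still running; from this hunk alone I cannot tell how it is held. Minor wording in the added comment: `We first remove itself` reads better as `We first remove |this|`.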