script: Avoid double borrow crash on iframe focus (#35742)

Signed-off-by: Seán de Búrca <leftmostcat@gmail.com>

components/script/script_thread.rs

@@ -2498,10 +2498,18 @@ impl ScriptThread {
             .find_document(parent_pipeline_id)
             .unwrap();
 
-        let iframes = document.iframes();
-        if let Some(iframe) = iframes.get(browsing_context_id) {
-            document.request_focus(Some(iframe.element.upcast()), FocusType::Parent, can_gc);
-        }
+        let Some(iframe_element_root) = ({
+            // Enclose `iframes()` call and create a new root to avoid retaining
+            // borrow.
+            let iframes = document.iframes();
+            iframes
+                .get(browsing_context_id)
+                .map(|iframe| DomRoot::from_ref(iframe.element.upcast()))
+        }) else {
+            return;
+        };
+
+        document.request_focus(Some(&iframe_element_root), FocusType::Parent, can_gc);
     }
 
     fn handle_post_message_msg(

tests/wpt/mozilla/meta/MANIFEST.json

@@ -16,6 +16,13 @@
       {}
      ]
     ],
+    "iframe_focus-crash.html": [
+     "f991b1a563f3cc44870640ab194708fa239ad89d",
+     [
+      null,
+      {}
+     ]
+    ],
     "test-wait-crash.html": [
      "2419da6af0c278a17b9ff974d4418f9e386ef3e0",
      [

tests/wpt/mozilla/tests/mozilla/iframe_focus-crash.html

@@ -0,0 +1,9 @@
+<!DOCTYPE html>
+<html>
+<meta charset="utf-8">
+<meta name="assert" content="focusing an iframe with onfocus event shouldn't crash">
+
+<iframe id="f" srcdoc="<iframe></iframe><script>document.querySelector('iframe').focus();</script>"></iframe>
+<script>
+    document.querySelector('iframe').onfocus = () => f;
+</script>