script: Avoid double borrow crash in DataTransferItem (#35699)

* avoid double borrow inside GetAsString

Signed-off-by: Gae24 <96017547+Gae24@users.noreply.github.com>

* added crashtest

Signed-off-by: Gae24 <96017547+Gae24@users.noreply.github.com>

---------

Signed-off-by: Gae24 <96017547+Gae24@users.noreply.github.com>

components/script/dom/datatransferitem.rs

@@ -123,7 +123,8 @@ impl DataTransferItemMethods<crate::DomTypeHolder> for DataTransferItem {
                 .task_manager()
                 .dom_manipulation_task_source()
                 .queue(task!(invoke_callback: move || {
-                    if let Some(index) = this.root().pending_callbacks.borrow().iter().position(|val| val.id == id) {
+                    let maybe_index = this.root().pending_callbacks.borrow().iter().position(|val| val.id == id);
+                    if let Some(index) = maybe_index {
                         let callback = this.root().pending_callbacks.borrow_mut().swap_remove(index).callback;
                         let _ = callback.Call__(DOMString::from(string), ExceptionHandling::Report);
                     }

tests/wpt/mozilla/meta/MANIFEST.json

@@ -9,6 +9,13 @@
       {}
      ]
     ],
+    "datatransferitem-crash.html": [
+     "d11355ab38c1e99e0ba3e10d7dfed18bf26af60b",
+     [
+      null,
+      {}
+     ]
+    ],
     "test-wait-crash.html": [
      "2419da6af0c278a17b9ff974d4418f9e386ef3e0",
      [

tests/wpt/mozilla/tests/mozilla/datatransferitem-crash.html

@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<meta charset="utf-8">
+<meta name="assert" content="GetAsString shouldn't crash.">
+
+<script>
+  const dt = new DataTransfer();
+
+  dt.items.add("data", "text/plain");
+  let item = dt.items[0];
+
+  item.getAsString(str => {
+    console.log(`Calling getAsString on a item shouldn't crash`);
+  });
+</script>