Add pre-finalizer to SpeechSynthesis.

Avoids a UAF by disconnecting the mojo::Receiver and mojo::Remote from
the pre-finalizer.

Bug: 1016574
Change-Id: Icdbba0e7798a93318df9931b4f1fe9004b6b8501
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1952085Reviewed-by: Kentaro Hara <haraken@chromium.org>
Commit-Queue: Darin Fisher <darin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#722542}

third_party/blink/renderer/modules/speech/speech_synthesis.cc

@@ -192,6 +192,11 @@ void SpeechSynthesis::SentenceBoundaryEventOccurred(
             sentence_boundary_string);
 }
 
+void SpeechSynthesis::Dispose() {
+  receiver_.reset();
+  mojom_synthesis_.reset();
+}
+
 void SpeechSynthesis::VoicesDidChange() {
   if (GetExecutionContext())
     DispatchEvent(*Event::Create(event_type_names::kVoiceschanged));

third_party/blink/renderer/modules/speech/speech_synthesis.h

@@ -43,6 +43,7 @@ class MODULES_EXPORT SpeechSynthesis final
       public ContextClient,
       public mojom::blink::SpeechSynthesisVoiceListObserver {
   DEFINE_WRAPPERTYPEINFO();
+  USING_PRE_FINALIZER(SpeechSynthesis, Dispose);
   USING_GARBAGE_COLLECTED_MIXIN(SpeechSynthesis);
 
  public:
@@ -70,6 +71,7 @@ class MODULES_EXPORT SpeechSynthesis final
     return ContextClient::GetExecutionContext();
   }
 
+  // GarbageCollected
   void Trace(blink::Visitor*) override;
 
   // mojom::blink::SpeechSynthesisVoiceListObserver
@@ -94,6 +96,10 @@ class MODULES_EXPORT SpeechSynthesis final
   }
 
  private:
+  // USING_PRE_FINALIZER interface.
+  // Called before the object gets garbage collected.
+  void Dispose();
+
   void VoicesDidChange();
   void StartSpeakingImmediately();
   void HandleSpeakingCompleted(SpeechSynthesisUtterance*, bool error_occurred);