Fix nullptr dereference in WebAXObject

A WebAXObject holds  An AXObject as a WebPrivatePtr which holds a AXObjectCacheImpl Member.

In order to persist the AXObjectCacheImpl, we need to directly hold a Persistent<AXObjectCacheImpl> in ScopedActionAnnotator so that in our destructor, we can be guaranteed the AXObjectCacheImpl is still around.

Bug: 966935
Change-Id: I5c0c1322af58d5ee388e3ef448c0ccf767e50b34
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1629184
Commit-Queue: David Tseng <dtseng@chromium.org>
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Cr-Commit-Position: refs/heads/master@{#664588}

third_party/blink/renderer/modules/exported/web_ax_object.cc

@@ -103,16 +103,15 @@ class WebAXSparseAttributeClientAdapter : public AXSparseAttributeClient {
 // AXObjCache handles programmatic actions.
 class ScopedActionAnnotator {
  public:
-  explicit ScopedActionAnnotator(AXObject* obj) : obj_(obj) {
-    obj_->AXObjectCache().set_is_handling_action(true);
+  explicit ScopedActionAnnotator(AXObject* obj)
+      : cache_(&(obj->AXObjectCache())) {
+    cache_->set_is_handling_action(true);
   }
 
-  ~ScopedActionAnnotator() {
-    obj_->AXObjectCache().set_is_handling_action(false);
-  }
+  ~ScopedActionAnnotator() { cache_->set_is_handling_action(false); }
 
  private:
-  Persistent<AXObject> obj_;
+  Persistent<AXObjectCacheImpl> cache_;
 };
 
 static bool IsLayoutClean(Document* document) {