[RootScroller] Don't assume frame owner is an iframe

We can't assume a FrameOwner's content view is a local frame view here
since we might be removing a root scroller because it's no longer
valid; it could be that it once was a LocalFrameView but has since
been replaced by another type of view.

No test since this came from the fuzzer and only causes an issue when
run under UBSan.

Bug: 961597
Change-Id: Ia24c000ac53a795d0325c2aa8825e901344f3ec8
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1618203Reviewed-by: Chris Harrelson <chrishtr@chromium.org>
Commit-Queue: David Bokan <bokan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#662182}

third_party/blink/renderer/core/page/scrolling/root_scroller_controller.cc

@@ -338,7 +338,7 @@ void RootScrollerController::ApplyRootScrollerProperties(Node& node) {
 
   if (IsA<LocalFrame>(frame_owner->ContentFrame())) {
     LocalFrameView* frame_view =
-        To<LocalFrameView>(frame_owner->OwnedEmbeddedContentView());
+        DynamicTo<LocalFrameView>(frame_owner->OwnedEmbeddedContentView());
 
     bool is_root_scroller = &EffectiveRootScroller() == &node;