Fix crash in AXTreeSerializer after reparenting.

This bug could be reproduced just by visiting https://www.lasestrellas.tv/
with accessibility enabled on any platform. The issue was that reparenting
caused AXTreeSerializer to call Reset, which deleted the whole client
tree and forced re-serializing everything again. However, because some nodes
in the tree were not attached to the root at the time Reset was called,
|client_id_map_| still had some entries pointing to nodes that were no
longer valid.

The solution is for Reset() to explicitly clear out |client_id_map_|.

Bug: 704045
Change-Id: I0f1d7b24b547953970965fd49ec1a15fbade281e
Reviewed-on: https://chromium-review.googlesource.com/1006073
Commit-Queue: Dominic Mazzoni <dmazzoni@chromium.org>
Reviewed-by: David Tseng <dtseng@chromium.org>
Cr-Commit-Position: refs/heads/master@{#550122}

ui/accessibility/ax_tree_serializer.h

@@ -200,12 +200,14 @@ AXTreeSerializer<AXSourceNode, AXNodeData, AXTreeData>::~AXTreeSerializer() {
 template <typename AXSourceNode, typename AXNodeData, typename AXTreeData>
 void AXTreeSerializer<AXSourceNode, AXNodeData, AXTreeData>::Reset() {
   client_tree_data_ = AXTreeData();
-  if (!client_root_)
-    return;
 
-  DeleteClientSubtree(client_root_);
-  client_id_map_.erase(client_root_->id);
-  delete client_root_;
+  // Normally we use DeleteClientSubtree to remove nodes from the tree,
+  // but Reset() needs to work even if the tree is in a broken state.
+  // Instead, iterate over |client_id_map_| to ensure we clear all nodes and
+  // start from scratch.
+  for (auto&& item : client_id_map_)
+    delete item.second;
+  client_id_map_.clear();
   client_root_ = nullptr;
 }