Don't assume HTMLFrameOwnerElement::GetLayoutObject is LayoutEmbeddedContent

The comment above HTMLFrameOwnerElement::GetLayoutEmbeddedContent()
says:
  // Most subclasses use LayoutEmbeddedContent (either LayoutEmbeddedObject or
  // LayoutIFrame) except for HTMLObjectElement and HTMLEmbedElement which may
  // return any LayoutObject when using fallback content.
  LayoutEmbeddedContent* GetLayoutEmbeddedContent() const;

No new test because I couldn't reproduce the bug locally, but I believe this
will fix the clusterfuzz bug.

Bug: 981459
Change-Id: I3ecf8022111dc25a2e862c0311ffa56467d18c2e
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1689336Reviewed-by: Philip Rogers <pdr@chromium.org>
Commit-Queue: Xianzhu Wang <wangxianzhu@chromium.org>
Cr-Commit-Position: refs/heads/master@{#675712}

third_party/blink/renderer/core/html/html_frame_owner_element.cc

@@ -362,8 +362,7 @@ void HTMLFrameOwnerElement::SetEmbeddedContentView(
 
   GetDocument().GetRootScrollerController().DidUpdateIFrameFrameView(*this);
 
-  LayoutEmbeddedContent* layout_embedded_content =
-      ToLayoutEmbeddedContent(GetLayoutObject());
+  LayoutEmbeddedContent* layout_embedded_content = GetLayoutEmbeddedContent();
   if (!layout_embedded_content)
     return;
 
@@ -391,8 +390,7 @@ EmbeddedContentView* HTMLFrameOwnerElement::ReleaseEmbeddedContentView() {
     return nullptr;
   if (embedded_content_view_->IsAttached())
     embedded_content_view_->DetachFromLayout();
-  LayoutEmbeddedContent* layout_embedded_content =
-      ToLayoutEmbeddedContent(GetLayoutObject());
+  LayoutEmbeddedContent* layout_embedded_content = GetLayoutEmbeddedContent();
   if (layout_embedded_content) {
     if (AXObjectCache* cache = GetDocument().ExistingAXObjectCache())
       cache->ChildrenChanged(layout_embedded_content);