Leak/crash with <option> removed from shadow tree

Bug: 848617
Change-Id: I42b5b23a8497912128462ce83dacfd8009ef8797
Reviewed-on: https://chromium-review.googlesource.com/1105069
Commit-Queue: Aaron Leventhal <aleventhal@chromium.org>
Reviewed-by: Dominic Mazzoni <dmazzoni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#568673}

third_party/WebKit/LayoutTests/accessibility/option-removed-from-shadow-dom-crash.html

+<!DOCTYPE HTML>
+<script src="../resources/testharness.js"></script>
+<script src="../resources/testharnessreport.js"></script>
+
+<script>
+/* doc > span */
+const spanElem = document.createElement('span');
+document.documentElement.appendChild(spanElem);
+
+// span > #shadowRoot
+const shadowRoot = spanElem.createShadowRoot();
+shadowRoot.appendChild(document.createElement('content'));
+
+// "Hello"
+const textNode1 = document.createTextNode('Hello');
+spanElem.appendChild(textNode1);
+
+// div > select > option
+const divElem = document.createElement('div');
+divElem.innerHTML = "<select><option></select>";
+spanElem.appendChild(divElem);
+
+// Perform a layout.
+divElem.offsetWidth;
+
+// "World"
+const textNode2 = document.createTextNode('World');
+spanElem.appendChild(textNode2);
+
+// Now we have:
+/* doc 
+ *   span
+ *     #shadowRoot
+ *       "Hello"  <-- REMOVE FIRST
+ *       div > select > option   <-- REMOVE OPTION NEXT
+ *       "World"
+ */
+textNode1.remove();
+
+test(function(t) {
+  document.querySelector("option").remove();
+}, "Removing an option inside a shadow dom shouldn't crash");
+
+</script>
\ No newline at end of file

third_party/blink/renderer/modules/accessibility/ax_object_cache_impl.cc

@@ -411,7 +411,6 @@ AXObject* AXObjectCacheImpl::GetOrCreate(Node* node) {
   node_object_mapping_.Set(node, ax_id);
   new_obj->Init();
   new_obj->SetLastKnownIsIgnoredValue(new_obj->AccessibilityIsIgnored());
-
   MaybeNewRelationTarget(node, new_obj);
 
   return new_obj;
@@ -889,12 +888,13 @@ void AXObjectCacheImpl::MaybeNewRelationTarget(Node* node, AXObject* obj) {
   // If so, fire activedescendantchanged event now.
   // This is only for ARIA active descendants, not in a native control like a
   // listbox, which has its own initial active descendant handling.
-  AXObject* focus = FocusedObject();
-  if (!focus)
-    return;
-
-  if (focus->ActiveDescendant() == obj && obj->CanBeActiveDescendant())
-    focus->HandleActiveDescendantChanged();
+  Node* focused_node = document_->FocusedElement();
+  if (focused_node) {
+    AXObject* focus = Get(focused_node);
+    if (focus && focus->ActiveDescendant() == obj &&
+        obj->CanBeActiveDescendant())
+      focus->HandleActiveDescendantChanged();
+  }
 }
 
 void AXObjectCacheImpl::HandleActiveDescendantChanged(Node* node) {
@@ -1150,7 +1150,7 @@ void AXObjectCacheImpl::HandleValueChanged(Node* node) {
 
 void AXObjectCacheImpl::HandleUpdateActiveMenuOption(LayoutMenuList* menu_list,
                                                      int option_index) {
-  AXObject* obj = GetOrCreate(menu_list);
+  AXObject* obj = Get(menu_list);
   if (!obj || !obj->IsMenuList())
     return;