Get rid of raw pointer in WebContentsAccessibilityAndroid

This is a speculative fix. If WebContentsAccessibilityAndroid ever
had a bad pointer to its root BrowserAccessibilityManager, that
could definitely cause the sorts of crashes we've been seeing.
Rather than keeping a copy of a raw pointer, just have
WebContentsAccessibilityAndroid retrieve the root
BrowserAccessibilityManager when needed.

Also ensures that if GetRootBrowserAccessibilityManager is null, any
function called from Java returns an error immediately, as that could
also potentially be a source of bugs.

Bug: 1126657
Change-Id: I52040a71c21ba4a8f5f30b316082c8b1e7efbb66
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2415928Reviewed-by: Mark Schillaci <mschillaci@google.com>
Reviewed-by: Bo <boliu@chromium.org>
Commit-Queue: Dominic Mazzoni <dmazzoni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#808115}

content/browser/accessibility/browser_accessibility_manager_android.cc

@@ -33,15 +33,11 @@ BrowserAccessibilityManagerAndroid::BrowserAccessibilityManagerAndroid(
   // The Java layer handles the root scroll offset.
   use_root_scroll_offsets_when_computing_bounds_ = false;
 
-  if (web_contents_accessibility_)
-    web_contents_accessibility_->set_root_manager(this);
   Initialize(initial_tree);
 }
 
-BrowserAccessibilityManagerAndroid::~BrowserAccessibilityManagerAndroid() {
-  if (web_contents_accessibility_)
-    web_contents_accessibility_->set_root_manager(nullptr);
-}
+BrowserAccessibilityManagerAndroid::~BrowserAccessibilityManagerAndroid() =
+    default;
 
 // static
 ui::AXTreeUpdate BrowserAccessibilityManagerAndroid::GetEmptyDocument() {

content/browser/accessibility/web_contents_accessibility_android.h

@@ -24,7 +24,7 @@ class WebContentsImpl;
 
 // Bridges BrowserAccessibilityManagerAndroid and Java WebContentsAccessibility.
 // A RenderWidgetHostConnector runs behind to manage the connection. Referenced
-// by BrowserAccessibilityManagerAndroid for main frame (root manager) only.
+// by BrowserAccessibilityManagerAndroid for main frame only.
 // The others for subframes should acquire this instance through the root
 // manager to access Java layer.
 //
@@ -244,10 +244,6 @@ class CONTENT_EXPORT WebContentsAccessibilityAndroid
 
   void UpdateFrameInfo(float page_scale);
 
-  void set_root_manager(BrowserAccessibilityManagerAndroid* manager) {
-    root_manager_ = manager;
-  }
-
   // --------------------------------------------------------------------------
   // Methods called from the BrowserAccessibilityManager
   // --------------------------------------------------------------------------
@@ -274,6 +270,8 @@ class CONTENT_EXPORT WebContentsAccessibilityAndroid
   base::WeakPtr<WebContentsAccessibilityAndroid> GetWeakPtr();
 
  private:
+  BrowserAccessibilityManagerAndroid* GetRootBrowserAccessibilityManager();
+
   BrowserAccessibilityAndroid* GetAXFromUniqueID(int32_t unique_id);
 
   void CollectStats();
@@ -295,8 +293,6 @@ class CONTENT_EXPORT WebContentsAccessibilityAndroid
 
   bool use_zoom_for_dsf_enabled_;
 
-  BrowserAccessibilityManagerAndroid* root_manager_;
-
   // Manages the connection between web contents and the RenderFrameHost that
   // receives accessibility events.
   // Owns itself, and destroyed upon WebContentsObserver::WebContentsDestroyed.