The Vulnerability History Project

Fix use-after-free of m_currentSpeechUtterance.

SpeechSynthesis.cpp incorrectly assumed that calling
m_platformSpeechSynthesizer->cancel() would immediately call
didFinishSpeaking or speakingErrorOccurred, which would null out
m_currentSpeechUtterance. This assumption was true in WebKit/Mac, but
Chromium's platform implementation is asynchronous, so that call may
come later.

Fix the issue and simplify the logic by getting rid of the raw pointer
to the current utterance altogether. Now the RefPtr at the front of the
utterance queue is the current utterance, and the platform implementation
is allowed to fire events on utterances that are no longer in the queue.

BUG=344881
R=abarth@chromium.org

Committed: https://src.chromium.org/viewvc/blink?view=rev&revision=168092

Review URL: https://codereview.chromium.org/180553004

git-svn-id: svn://svn.chromium.org/blink/trunk@168169 bbb929c8-8fbe-4397-9dbb-9b2b20218538
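As an added illustration that is not code from this page or from Blink, the following hypothetical C++ model shows the ownership scheme the commit message describes: no raw pointer to the current utterance, the reference-counted pointer at the front of the queue is the current one, and a completion event arriving asynchronously after cancel() for an utterance no longer in the queue is tolerated rather than dereferencing freed memory. Class and function names (AsyncPlatformSynthesizer, flushPlatform, lateEventAfterCancelIsHandled) are assumptions for the example, and std::shared_ptr stands in for WebKit's RefPtr.

```cpp
#include <deque>
#include <functional>
#include <memory>
// Hypothetical model of the fixed design: there is no raw "current" pointer;
// the shared_ptr (RefPtr stand-in) at the front of the queue is the current utterance.
struct Utterance { bool finished = false; };
// Stand-in for Chromium's asynchronous platform synthesizer: it holds its own
// reference and reports completion later, from flush(), even after a cancel.
class AsyncPlatformSynthesizer {
public:
    std::function<void(std::shared_ptr<Utterance>)> onFinished;
    void speak(std::shared_ptr<Utterance> u) { pending_.push_back(std::move(u)); }
    void flush() {
        auto pending = std::move(pending_);
        pending_.clear();
        for (auto& u : pending) onFinished(u);
    }
private:
    std::deque<std::shared_ptr<Utterance>> pending_;
};
class SpeechSynthesis {
public:
    SpeechSynthesis() { platform_.onFinished = [this](std::shared_ptr<Utterance> u) { didFinishSpeaking(u); }; }
    void speak(std::shared_ptr<Utterance> u) {
        queue_.push_back(std::move(u));
        if (queue_.size() == 1) platform_.speak(queue_.front());
    }
    // Drop our references only; the platform cancel is asynchronous, so its
    // completion callback for the dropped utterance may still arrive later.
    void cancel() { queue_.clear(); }
    std::shared_ptr<Utterance> current() const { return queue_.empty() ? nullptr : queue_.front(); }
    void flushPlatform() { platform_.flush(); }
private:
    void didFinishSpeaking(const std::shared_ptr<Utterance>& u) {
        u->finished = true;  // safe: the platform's shared_ptr kept the object alive
        // An event for an utterance no longer in the queue is tolerated and ignored.
        if (queue_.empty() || queue_.front() != u) return;
        queue_.pop_front();
        if (!queue_.empty()) platform_.speak(queue_.front());
    }
    AsyncPlatformSynthesizer platform_;
    std::deque<std::shared_ptr<Utterance>> queue_;
};
// Scenario from the commit: cancel() first, the platform completion arrives later.
bool lateEventAfterCancelIsHandled() {
    SpeechSynthesis s; auto u = std::make_shared<Utterance>();
    s.speak(u); s.cancel();
    s.flushPlatform(); // late didFinishSpeaking for an utterance no longer queued
    return u->finished && s.current() == nullptr;
}
```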
    
commit 6e38ff9785bc22824627f78a630bdec05defb802