Bug 308414

`InbandDataTextTrack::removeCue()` crashes when `TextTrack.removeCue()` is called from JavaScript with a non-DataCue on an inband metadata text track. Steps to reproduce: 1. Load HLS media with inband metadata track (creates InbandDataTextTrack) 2. JavaScript: `track.addCue(new VTTCue(0, 1, "test"))` (succeeds) 3. JavaScript: `track.removeCue(vttCue)` (crashes) Crash stack: ``` 0 WebCore WTFCrashWithInfo(int, char const*, char const*, int) [inlined] WebCore WTF::downcast<DataCue, TextTrackCue>(TextTrackCue&) [inlined] WebCore InbandDataTextTrack::removeCue(TextTrackCue&) 1 WebCore jsTextTrackPrototypeFunction_removeCueBody(...) [inlined] WebCore jsTextTrackPrototypeFunction_removeCue(...) 2 JIT (JavaScript execution) [...] ``` Root cause: The function unconditionally performs `downcast<DataCue>(cue)` which triggers `RELEASE_ASSERT(is<DataCue>(cue))`. However, `TextTrack::addCue()` is non-virtual and allows any TextTrackCue subtype to be added to an `InbandDataTextTrack`, creating this mismatch. Regression: This bug has been latent since the original DataCue implementation in April 2014 (commit 150050@main, Bug 131799). <rdar://122375096>