Make TextIterator to stop when it falls to handle shadow tree

The issue 521655 causes bad case in |toShadowRoot()| with a test script in
|TextIterator::advance()|. However, I could not get a HTML fragment causing
this situation since the test script generates HTML fragment and I could not
reproduce on my machines.

This patch changes |TextIterator| to stop when it fails to handle shadow tree
to avoid bad cast for preventing attacker to use this.

We'll add a test case for this once we have HTML fragment to cause this
bad cast.

BUG=521655
TEST=n/a; It is hard to create a test case for this issue

Review URL: https://codereview.chromium.org/1293703006

git-svn-id: svn://svn.chromium.org/blink/trunk@200958 bbb929c8-8fbe-4397-9dbb-9b2b20218538

third_party/WebKit/Source/core/editing/iterators/TextIterator.cpp

@@ -368,6 +368,11 @@ void TextIteratorAlgorithm<Strategy>::advance()
                 if (!next && !parentNode && m_shadowDepth > 0) {
                     // 4. Reached the top of a shadow root. If it's created by author, then try to visit the next
                     // sibling shadow root, if any.
+                    if (!m_node->isShadowRoot()) {
+                        ASSERT_NOT_REACHED();
+                        m_shouldStop = true;
+                        return;
+                    }
                     ShadowRoot* shadowRoot = toShadowRoot(m_node);
                     if (shadowRoot->type() == ShadowRootType::OpenByDefault || shadowRoot->type() == ShadowRootType::Open) {
                         ShadowRoot* nextShadowRoot = shadowRoot->olderShadowRoot();