Move FrameHost::m_subframeCount to Page

third_party/WebKit/Source/core/page/Page.h

Index: third_party/WebKit/Source/core/page/Page.h
diff --git a/third_party/WebKit/Source/core/page/Page.h b/third_party/WebKit/Source/core/page/Page.h
index 738c031e95a88ebf574aa2d56e51e3c517efac3f..24616cb5c723210962dcc08062faa1e176e25124 100644
--- a/third_party/WebKit/Source/core/page/Page.h
+++ b/third_party/WebKit/Source/core/page/Page.h
@@ -235,6 +235,18 @@ class CORE_EXPORT Page final : public GarbageCollectedFinalized<Page>,
   bool isCursorVisible() const;
   void setIsCursorVisible(bool isVisible) { m_isCursorVisible = isVisible; }
 
+  // Don't allow more than a certain number of frames in a page.
+  // This seems like a reasonable upper bound, and otherwise mutually
+  // recursive frameset pages can quickly bring the program to its knees
+  // with exponential growth in the number of frames.
+  static const int maxNumberOfFrames = 1000;
+  void incrementSubframeCount() { ++m_subframeCount; }
+  void decrementSubframeCount() {
+    DCHECK_GT(m_subframeCount, 0);
+    --m_subframeCount;
+  }
+  int subframeCount() const;
+
   void setDefaultPageScaleLimits(float minScale, float maxScale);
   void setUserAgentPageScaleConstraints(
       const PageScaleConstraints& newConstraints);
@@ -326,6 +338,8 @@ class CORE_EXPORT Page final : public GarbageCollectedFinalized<Page>,
   bool m_isPainting = false;
 #endif
 
+  int m_subframeCount;
+
   // A pointer to all the interfaces provided to in-process Frames for this
   // Page.
   // FIXME: Most of the members of Page should move onto FrameHost.