Revert of Move FrameHost::m_subframeCount to Page

third_party/WebKit/Source/core/frame/FrameHost.h

Index: third_party/WebKit/Source/core/frame/FrameHost.h
diff --git a/third_party/WebKit/Source/core/frame/FrameHost.h b/third_party/WebKit/Source/core/frame/FrameHost.h
index 5850da1ad5807955eac2c440c30c837dba034f43..2bf525c5279654e6d27f74d55a019c1a2742d94c 100644
--- a/third_party/WebKit/Source/core/frame/FrameHost.h
+++ b/third_party/WebKit/Source/core/frame/FrameHost.h
@@ -84,8 +84,16 @@
 
   DECLARE_TRACE();
 
-  void incrementSubframeCount();
-  void decrementSubframeCount();
+  // Don't allow more than a certain number of frames in a page.
+  // This seems like a reasonable upper bound, and otherwise mutually
+  // recursive frameset pages can quickly bring the program to its knees
+  // with exponential growth in the number of frames.
+  static const int maxNumberOfFrames = 1000;
+  void incrementSubframeCount() { ++m_subframeCount; }
+  void decrementSubframeCount() {
+    ASSERT(m_subframeCount);
+    --m_subframeCount;
+  }
   int subframeCount() const;
 
  private:
@@ -97,6 +105,8 @@
   const Member<ConsoleMessageStorage> m_consoleMessageStorage;
   const Member<TopDocumentRootScrollerController>
       m_globalRootScrollerController;
+
+  int m_subframeCount;
 };
 
 }  // namespace blink