3 files changed, 26 insertions, 0 deletions
diff --git a/third_party/WebKit/LayoutTests/fast/layout/subtree-layout-with-javascript-navigate-crash-expected.txt b/third_party/WebKit/LayoutTests/fast/layout/subtree-layout-with-javascript-navigate-crash-expected.txt
new file mode 100644
index 0000000..ff15046
--- /dev/null
+++ b/third_party/WebKit/LayoutTests/fast/layout/subtree-layout-with-javascript-navigate-crash-expected.txt
@@ -0,0 +1 @@
+Test passes if no crash with ASAN.
diff --git a/third_party/WebKit/LayoutTests/fast/layout/subtree-layout-with-javascript-navigate-crash.html b/third_party/WebKit/LayoutTests/fast/layout/subtree-layout-with-javascript-navigate-crash.html
new file mode 100644
index 0000000..ed3cb7a
--- /dev/null
+++ b/third_party/WebKit/LayoutTests/fast/layout/subtree-layout-with-javascript-navigate-crash.html
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<body>
+Test passes if no crash with ASAN.
+<input value="boom">
+<script>
+if (window.testRunner) {
+ testRunner.waitUntilDone();
+ testRunner.dumpAsText();
+}
+
+var input = document.getElementsByTagName('input')[0];
+function explode() {
+ var value = input.value;
+ if (value) {
+ input.value = value.substr(0, value.length - 1);
+ window.setTimeout(explode, 0);
+ } else {
+ window.location.href="javascript:''";
+ if (window.testRunner)
+ testRunner.notifyDone();
+ }
+}
+explode();
+</script>
diff --git a/third_party/WebKit/Source/core/frame/FrameView.cpp b/third_party/WebKit/Source/core/frame/FrameView.cpp
index bd382ae..09c9e647 100644
--- a/third_party/WebKit/Source/core/frame/FrameView.cpp
+++ b/third_party/WebKit/Source/core/frame/FrameView.cpp
@@ -249,6 +249,7 @@ void FrameView::reset()
 m_firstVisuallyNonEmptyLayoutCallbackPending = true;
 m_maintainScrollPositionAnchor = nullptr;
 m_viewportConstrainedObjects.clear();
+ m_layoutSubtreeRoots.clear();
 }
 void FrameView::removeFromAXObjectCache() |
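Review bot: `testRunner.notifyDone()` is called in the same task as `window.location.href="javascript:''"`, so it is not evident from the test that the document replacement and the layout that follows it have happened before the test is reported done. If they have not, the test would pass with or without the FrameView change, so it is worth confirming that it fails under ASAN with that one line reverted. The test also depends on an ASAN build to show the failure, as its expectation text says, so a non-ASAN run gives no signal. A short comment at the top of the script would help later readers, for example `<!-- Shrinks the input one character per timer tick, then navigates to a javascript: URL; regression test for stale subtree layout roots in FrameView. -->` (wording inferred from the test name, to be confirmed by the author).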
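Review bot: The added `m_layoutSubtreeRoots.clear();` in `FrameView::reset()` has no comment saying why the roots must be dropped at this point, although the accompanying test's name and its "no crash with ASAN" expectation suggest this is a lifetime fix, not tidy-up. I would add above it something like `// Subtree layout roots refer to the outgoing document's layout tree; drop them so a later layout cannot touch freed objects.` The container's element type is not visible in this hunk, so the wording needs confirming against the declaration. It may also be worth checking whether any path that tears down the layout tree without going through reset() can leave entries behind. reset() begins outside the hunk.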