FRAME and FRAMESET should always be in-flow (and non-floating).

Frames and framesets ignore display:none, and will render no matter
what. The style adjuster would check for display != none, before
attempting to adjust, and would therefore just do nothing and accept
whatever.

We only used to override display and position (force to "block" and
"static", respectively). Additionally force "float" to "none", as
framesets are really unsuitable containing blocks, since they inherit
from LayoutBox rather than LayoutBlockFlow. So, putting anything exotic
inside is potentially dangerous. It confused the layout engine in
general, and also managed to trick the multicol machinery into treating
a floated frame child of an absolutely positioned frameset parent as
column content.

Bug: 840986
Change-Id: I08d2e8823c88fb3b690d71d4fac275377d082e64
Reviewed-on: https://chromium-review.googlesource.com/1059618Reviewed-by: Rune Lillesveen <futhark@chromium.org>
Commit-Queue: Morten Stenshorne <mstensho@chromium.org>
Cr-Commit-Position: refs/heads/master@{#558768}

third_party/WebKit/LayoutTests/fast/frames/abspos-display-none-frameset-crash.html

+<!DOCTYPE html>
+<style>
+  frameset { display:none; position:absolute; }
+  frame { float:right; }
+</style>
+<div id="container"></div>
+<script src="../../resources/testharness.js"></script>
+<script src="../../resources/testharnessreport.js"></script>
+<script>
+  var frameset = document.createElement("frameset")
+  var frame = document.createElement("frame");
+  var container = document.getElementById("container");
+  frameset.appendChild(frame);
+  container.appendChild(frameset);
+  test(() => { }, "No crash or DCHECK failure.");
+</script>

third_party/WebKit/LayoutTests/fast/multicol/abspos-display-none-frameset-crash.html

+<!DOCTYPE html>
+<style>
+  frameset { display:none; position:absolute; }
+  frame { float:right; }
+</style>
+<div id="multicol" style="columns:1;">
+  <div></div>
+</div>
+<script src="../../resources/testharness.js"></script>
+<script src="../../resources/testharnessreport.js"></script>
+<script>
+  var frameset = document.createElement("frameset")
+  var frame = document.createElement("frame");
+  frameset.appendChild(frame);
+  multicol.appendChild(frameset);
+  document.body.offsetTop;
+  multicol.style.display = "none";
+  test(() => { }, "No crash or DCHECK failure.");
+</script>

third_party/blink/renderer/core/css/resolver/style_adjuster.cc

@@ -236,9 +236,10 @@ static void AdjustStyleForHTMLElement(ComputedStyle& style,
   if (IsHTMLFrameElement(element) || IsHTMLFrameSetElement(element)) {
     // Frames and framesets never honor position:relative or position:absolute.
     // This is necessary to fix a crash where a site tries to position these
-    // objects. They also never honor display.
+    // objects. They also never honor display nor floating.
     style.SetPosition(EPosition::kStatic);
     style.SetDisplay(EDisplay::kBlock);
+    style.SetFloating(EFloat::kNone);
     return;
   }
 
@@ -531,7 +532,9 @@ void StyleAdjuster::AdjustComputedStyle(StyleResolverState& state,
   const ComputedStyle& parent_style = *state.ParentStyle();
   const ComputedStyle& layout_parent_style = *state.LayoutParentStyle();
 
-  if (style.Display() != EDisplay::kNone && element &&
+  if (element &&
+      (style.Display() != EDisplay::kNone ||
+       element->LayoutObjectIsNeeded(style)) &&
       element->IsHTMLElement()) {
     AdjustStyleForHTMLElement(style, ToHTMLElement(*element));
   }