
Issue 693338 link

Issue metadata

Status: Fixed
Closed: Mar 2017
Cc:
Components:
OS: All
Pri: 1
Type: Bug-Security

Security: Heap-use-after-free in v8_inspector::protocol::Runtime::Frontend::consoleAPICalled

Reported by chromium...@gmail.com, Feb 17 2017

Issue description

Chrome Version: 58.0.3014.0 canary
Operating System: Win7


1. Load the extension file.
2. Observe that example.com is opened with print dialog.
3. Open the Devtools with F12 and cancel the print dialog.
4. Crash.

Crash/cc7a273580000000
Attachments: PoC.rar (669 bytes), Recording.mp4 (301 KB)
WinDbg output:

rax=245c8948ccc3c032 rbx=0000000004b14af0 rcx=000007fee285d0d0
rdx=000000000013d1e8 rsi=000000000013d2c0 rdi=000000000013d2c8
rip=000007fee37356bc rsp=000000000013d1c0 rbp=000000000013d230
 r8=0000000000000000  r9=0000000000000000 r10=000000000451c290
r11=000000000451c3d0 r12=000000000013d2d0 r13=000000000338b7d8
r14=000000000338b7d8 r15=0000000000000002
iopl=0         nv up ei pl zr na po nc
cs=0033  ss=0000  ds=0000  es=0000  fs=0053  gs=002b             efl=00010246
*** WARNING: Unable to verify checksum for chrome_child.dll
chrome_child!v8_inspector::protocol::Runtime::Frontend::consoleAPICalled+0x110:
000007fe`e37356bc ff5010          call    qword ptr [rax+10h] ds:245c8948`ccc3c042=????????????????
0:000> k
  *** Stack trace for last set context - .thread/.cxr resets it
Child-SP          RetAddr           Call Site
00000000`0013d1c0 000007fe`e374103c chrome_child!v8_inspector::protocol::Runtime::Frontend::consoleAPICalled+0x110 [c:\b\build\slave\win64-pgo\build\src\out\release_x64\gen\v8\src\inspector\protocol\runtime.cpp @ 1152]
00000000`0013d270 000007fe`e3755fd7 chrome_child!v8_inspector::V8ConsoleMessage::reportToFrontend+0x358 [c:\b\build\slave\win64-pgo\build\src\v8\src\inspector\v8-console-message.cc @ 324]
00000000`0013d340 000007fe`e3192925 chrome_child!v8_inspector::V8RuntimeAgentImpl::reportMessage+0x23 [c:\b\build\slave\win64-pgo\build\src\v8\src\inspector\v8-runtime-agent-impl.cc @ 735]
00000000`0013d370 000007fe`e289d8bd chrome_child!v8_inspector::V8ConsoleMessageStorage::addMessage+0x8f5041 [c:\b\build\slave\win64-pgo\build\src\v8\src\inspector\v8-console-message.cc @ 470]
00000000`0013d3c0 000007fe`e289d5fb chrome_child!v8_inspector::`anonymous namespace'::ConsoleHelper::reportCall+0xa5 [c:\b\build\slave\win64-pgo\build\src\v8\src\inspector\v8-console.cc @ 104]
00000000`0013d430 000007fe`e289d577 chrome_child!v8_inspector::`anonymous namespace'::ConsoleHelper::reportCall+0x7f [c:\b\build\slave\win64-pgo\build\src\v8\src\inspector\v8-console.cc @ 76]
00000000`0013d480 000007fe`e26d3b70 chrome_child!v8_inspector::V8Console::logCallback+0x1b [c:\b\build\slave\win64-pgo\build\src\v8\src\inspector\v8-console.cc @ 297]
00000000`0013d4e0 000007fe`e26d3906 chrome_child!v8::internal::FunctionCallbackArguments::Call+0xd8 [c:\b\build\slave\win64-pgo\build\src\v8\src\api-arguments.cc @ 26]
00000000`0013d620 000007fe`e26d2d31 chrome_child!v8::internal::`anonymous namespace'::HandleApiCallHelper<0>+0x11e [c:\b\build\slave\win64-pgo\build\src\v8\src\builtins\builtins-api.cc @ 112]
00000000`0013d720 000007fe`e26d2c42 chrome_child!v8::internal::Builtin_Impl_HandleApiCall+0xe1 [c:\b\build\slave\win64-pgo\build\src\v8\src\builtins\builtins-api.cc @ 139]
00000000`0013d7c0 0000007b`9cb843a6 chrome_child!v8::internal::Builtin_HandleApiCall+0x32 [c:\b\build\slave\win64-pgo\build\src\v8\src\builtins\builtins-api.cc @ 127]
00000000`0013d800 00000000`0013d858 0x7b`9cb843a6
00000000`0013d808 0000007b`9cb843a6 0x13d858
00000000`0013d810 000007fe`e27d0647 0x7b`9cb843a6
00000000`0013d818 00000362`cf949b79 chrome_child!v8::internal::Runtime_StoreIC_Miss+0x357
00000000`0013d820 0000002f`98b4b689 0x362`cf949b79
00000000`0013d828 00000362`cf949b79 0x2f`98b4b689
00000000`0013d830 00000000`0013d7f0 0x362`cf949b79
00000000`0013d838 0000007b`9cb842e1 0x13d7f0
00000000`0013d840 00000000`0013d800 0x7b`9cb842e1

Comment 2 by raymes@chromium.org, Feb 18 2017

Components: Blink>JavaScript
Labels: Security_Severity-Low Security_Impact-Head OS-All Pri-2
Owner: machenb...@chromium.org
Status: Assigned (was: Unconfirmed)
machenbach: Can you please help triage (as v8 sheriff)? It's possible the v8 embedder is responsible, but it does seem to be crashing fairly deeply in the v8 code. 

There are several mitigating factors here but it may be possible to tickle this under other circumstances. Setting priority to low for now. 

chromium.khalil@gmail.com can you confirm whether this happens on Chrome Stable/Beta or just on Canary?
Able to repro this on Stable/Beta/Canary. This bug is similar to issue 657568.

Comment 4 Deleted

Cc: hablich@chromium.org
Labels: Clusterfuzz
Owner: ----
Status: Untriaged (was: Assigned)
Adding to triage for clusterfuzz sheriffs.

Comment 6 Deleted

Comment 7 by raymes@chromium.org, Feb 19 2017

Owner: dgozman@chromium.org
dgozman: Could you please help triage? (Your username seemed to come up in a bunch of the git blames associated with the files in the stack trace).

Thanks!

Comment 8 by raymes@chromium.org, Feb 19 2017

Status: Assigned (was: Untriaged)
Cc: yangguo@chromium.org
Yang, is this something on the V8 side? 
Components: Platform>DevTools

Comment 11 Deleted

Cc: dgozman@chromium.org
Owner: kozyatinskiy@chromium.org
Looks like we are trying to access stale V8InspectorSessionImpl (closing the debugger infobar should terminate it). Not sure how the print preview is related.
Aleksey, mind taking a look?

Comment 13 Deleted

I've found a way to reduce the number of user gestures needed for this crash.

1. Open index.html
2. Click "Start" button
3. Open the Devtools (on navigate.html)

Shouldn't this be higher than low severity?

Attachments: index.htm (175 bytes), navigate.htm (158 bytes), Recording.mp4 (188 KB)
Status: Started (was: Assigned)
Fix on the way: https://codereview.chromium.org/2770823003/
Comment 16 by bugdroid1@chromium.org, Mar 24 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/2629f811ea2f784e810ea9a38c1d290097cfa8e3

commit 2629f811ea2f784e810ea9a38c1d290097cfa8e3
Author: kozyatinskiy <kozyatinskiy@chromium.org>
Date: Fri Mar 24 01:33:12 2017

[inspector] Increased chances of successful InjectedScriptSource compilation

- added InspectorTest.setupInjectedScriptEnvironment method which mutates current context,
- clear prototype of InjectedScript function and domAttributesWithObservableSideEffectOnGet.

Second point increases chances that injected-script-source would be successfully compiled.

BUG= chromium:693338 
R=dgozman@chromium.org,luoe@chromium.org

Review-Url: https://codereview.chromium.org/2770823003
Cr-Commit-Position: refs/heads/master@{#44081}

[modify] https://crrev.com/2629f811ea2f784e810ea9a38c1d290097cfa8e3/src/inspector/injected-script-source.js
[modify] https://crrev.com/2629f811ea2f784e810ea9a38c1d290097cfa8e3/src/inspector/injected_script_externs.js
[modify] https://crrev.com/2629f811ea2f784e810ea9a38c1d290097cfa8e3/src/inspector/v8-injected-script-host.cc
[modify] https://crrev.com/2629f811ea2f784e810ea9a38c1d290097cfa8e3/src/inspector/v8-injected-script-host.h
[modify] https://crrev.com/2629f811ea2f784e810ea9a38c1d290097cfa8e3/test/inspector/console/destroy-context-during-log.js
[modify] https://crrev.com/2629f811ea2f784e810ea9a38c1d290097cfa8e3/test/inspector/inspector.isolate
[modify] https://crrev.com/2629f811ea2f784e810ea9a38c1d290097cfa8e3/test/inspector/protocol-test.js
[add] https://crrev.com/2629f811ea2f784e810ea9a38c1d290097cfa8e3/test/inspector/runtime/runtime-evaluate-with-dirty-context-expected.txt
[add] https://crrev.com/2629f811ea2f784e810ea9a38c1d290097cfa8e3/test/inspector/runtime/runtime-evaluate-with-dirty-context.js

Labels: Merge-Request-5.8
Status: Fixed (was: Started)
Labels: -Security_Severity-Low Security_Severity-Medium
Comment 20 by sheriffbot@chromium.org, Mar 25 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: reward-topanel
Labels: -Merge-Request-5.8 merge-approved-5.8
Comment 23 by bugdroid1@chromium.org, Mar 31 2017

Labels: merge-merged-5.8
The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/aaafb4385dfedf20daf5682e4bbfe37269558923

commit aaafb4385dfedf20daf5682e4bbfe37269558923
Author: Alexey Kozyatinskiy <kozyatinskiy@chromium.org>
Date: Fri Mar 31 15:30:23 2017

Merged: [inspector] Increased chances of successful InjectedScriptSource compilation

Revision: 2629f811ea2f784e810ea9a38c1d290097cfa8e3

BUG= chromium:693338 
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true

Change-Id: I93dac5a5d7dc794816e61eb8229f587ce6482bcc
Reviewed-on: https://chromium-review.googlesource.com/465106
Reviewed-by: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Cr-Commit-Position: refs/branch-heads/5.8@{#47}
Cr-Branched-From: eda659cc5e307f20ac1ad542ba12ab32eaf4c7ef-refs/heads/5.8.283@{#1}
Cr-Branched-From: 4310cd02d2160b1457baed81a2f40063eb264a21-refs/heads/master@{#43429}
[modify] https://crrev.com/aaafb4385dfedf20daf5682e4bbfe37269558923/src/inspector/injected-script-source.js
[modify] https://crrev.com/aaafb4385dfedf20daf5682e4bbfe37269558923/src/inspector/injected_script_externs.js
[modify] https://crrev.com/aaafb4385dfedf20daf5682e4bbfe37269558923/src/inspector/v8-injected-script-host.cc
[modify] https://crrev.com/aaafb4385dfedf20daf5682e4bbfe37269558923/src/inspector/v8-injected-script-host.h
[modify] https://crrev.com/aaafb4385dfedf20daf5682e4bbfe37269558923/test/inspector/console/destroy-context-during-log.js

Comment 24 Deleted

Labels: -reward-topanel reward-0
I'm afraid the panel declined to reward for this bug, noting that even if the user performs the interaction required, the use after free would be very difficult to control and exploit.
Comment 26 by sheriffbot@chromium.org, Apr 3 2017

This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: -merge-approved-5.8
Comment 28 by sheriffbot@chromium.org, Jul 1 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 29 by sheriffbot@chromium.org, Jul 28

Labels: -Pri-2 Pri-1