Issue 742554

Starred by 4 users

Issue metadata

Status: Verified
Owner:
Closed: Jul 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: iOS
Pri: 2
Type: Bug




1Password extension causes Chrome crash.

Project Member Reported by pkl@chromium.org, Jul 13 2017

Issue description

App Version (from "Chrome Settings > About Chrome"): 60.0.3112.66
iOS Version: 11.0
Device: iPhone9,4

Steps to reproduce: 
Not provided by user

Observed behavior: 
Not provided by user

Expected behavior: 

Frequency: 
<number of times you were able to reproduce> 

Additional comments: 
Reported by external TestFlight users.

Needs verification.
 

Comment 1 by pkl@chromium.org, Jul 13 2017

Labels: Hotlist-iOS11

Comment 2 by pkl@chromium.org, Jul 13 2017

Cc: justincohen@chromium.org
Cc: srikanthg@chromium.org
Status: Available (was: Unconfirmed)
Verified on 60.0.3112.66, app crashes when using the 1password extension in iOS 11 only

Device: iPhone 6 Plus
Version: 11.0

Pre-requisite:
1. 1Password app should be installed in device
2. login credentials of yahoo should be saved in 1Password

Steps to reproduce:
1. Launch chrome 
2. Navigate to login.yahoo.com
3. Tap on tools>> Share>> Select 1Password
4. Enter Master password
5. Tap on the account

Link to video/image:

https://drive.google.com/a/google.com/file/d/0B8Cek8RsDbF8YTYzUmRtWVpYNkE/view?usp=sharing

Link to Crash URL: 
https://crash.corp.google.com/browse?stbtiq=520ffaf088000000#0

Stack Trace: 

Thread 1 (id: 8963) CRASHED [EXC_BREAKPOINT / EXC_ARM_BREAKPOINT @ 0x0000000191082be0 ] MAGIC SIGNATURE THREAD
0x0000000191082be0	(WebKit + 0x000ecbe0 )	WebKit::CallbackMap::put(WTF::Ref<WebKit::CallbackBase>&&)
0x0000000191082b88	(WebKit + 0x000ecb88 )	WebKit::CallbackMap::put(WTF::Ref<WebKit::CallbackBase>&&)
0x000000019116db48	(WebKit + 0x001d7b48 )	unsigned long long WebKit::CallbackMap::put<API::SerializedScriptValue*, bool, WebCore::ExceptionDetails const&, WebKit::CallbackBase::Error>(WTF::Function<void (API::SerializedScriptValue*, bool, WebCore::ExceptionDetails const&, WebKit::CallbackBase::Error)>&&, WTF::RefPtr<WTF::RefCounter<WebKit::ProcessThrottler::BackgroundActivityCounterType>::Count> const&)
0x000000019116da68	(WebKit + 0x001d7a68 )	WebKit::WebPageProxy::runJavaScriptInMainFrame(WTF::String const&, WTF::Function<void (API::SerializedScriptValue*, bool, WebCore::ExceptionDetails const&, WebKit::CallbackBase::Error)>&&)
0x0000000191285700	(WebKit + 0x002ef700 )	-[WKWebView evaluateJavaScript:completionHandler:]
0x0000000102ac19c0	(Chrome -crw_js_injection_receiver.mm:45 )	-[CRWJSInjectionReceiver executeJavaScript:completionHandler:]
0x0000000102ac165c	(Chrome -crw_js_injection_manager.mm:64 )	-[CRWJSInjectionManager executeJavaScript:completionHandler:]
0x0000000102b357bc	(Chrome -js_password_manager.mm:98 )	-[JsPasswordManager evaluateExtraScript:completionHandler:]
0x0000000102b36484	(Chrome -password_controller.mm:438 )	-[PasswordController findPasswordFormsWithCompletionHandler:]
0x0000000102b35d6c	(Chrome -password_controller.mm:347 )	-[PasswordController findAndFillPasswordForms:password:completionHandler:]
0x0000000102d6d4c0	(Chrome -browser_view_controller.mm:5051 )	-[BrowserViewController passwordAppExDidFinish:username:password:completionMessage:]
0x0000000102d84164	(Chrome -activity_service_controller.mm:279 )	__75-[ActivityServiceController processItemsReturnedFromActivity:status:items:]_block_invoke
0x0000000182691b08	(Foundation + 0x00119b08 )	__95-[NSItemProvider _loadItemOfClass:forTypeIdentifier:options:coerceForCoding:completionHandler:]_block_invoke.389
0x0000000181625e00	(libdispatch.dylib + 0x00001e00 )	_dispatch_call_block_and_release
0x0000000181625dc0	(libdispatch.dylib + 0x00001dc0 )	_dispatch_client_callout
0x000000018162fef0	(libdispatch.dylib + 0x0000bef0 )	_dispatch_queue_serial_drain$VARIANT$mp
0x0000000181630940	(libdispatch.dylib + 0x0000c940 )	_dispatch_queue_invoke$VARIANT$mp
0x000000018163150c	(libdispatch.dylib + 0x0000d50c )	_dispatch_root_queue_drain_deferred_wlh$VARIANT$mp
0x000000018163a0a4	(libdispatch.dylib + 0x000160a4 )	_dispatch_workloop_worker_thread$VARIANT$mp
0x00000001818d31e4	(libsystem_pthread.dylib + 0x000011e4 )	_pthread_wqthread
0x00000001818d2e3c	(libsystem_pthread.dylib + 0x00000e3c )	start_wqthread

Comment 5 by vabr@chromium.org, Jul 14 2017

Issue 742171 has been merged into this issue.

Comment 6 by vabr@chromium.org, Jul 14 2017

Labels: Hotlist-Polish
Note: Issue is not reproducible in iOS 11 Safari and Firefox browsers 
Cc: eugene...@chromium.org
eugenebut@ Can you please check if the bug is ok to be non-RVG since we posted chrome stack-trace in comment#4.

Comment 9 by pkl@chromium.org, Jul 14 2017

Labels: ReleaseBlock-Stable M-61
Owner: pkl@chromium.org
Status: Assigned (was: Available)
Setting RBS because it is a crash.

Comment 10 by pkl@chromium.org, Jul 14 2017

Error message:
Main Thread Checker: UI API called on a background thread: -[WKWebView evaluateJavaScript:completionHandler:]
PID: 44004, TID: 3244734, Thread name: (none), Queue name: com.apple.Foundation.NSItemProvider-callback-queue, QoS: 0

This is new in iOS 11. There are several references to this type of crash if you google for the error message above.

Comment 11 by pkl@chromium.org, Jul 15 2017

The callback from the extension runs on a non-main thread in iOS 11. This caused the crash.

Comment 12 by sheriffbot@chromium.org, Jul 15 2017

Labels: Fracas FoundIn-M-60
Users experienced this crash on the following builds:

Ios Beta 60.0.3112.66 -  193.59 CPM, 3 reports, 2 clients (signature WebKit::CallbackMap::put)

If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates.

- Go/Fracas

Comment 13 by pkl@chromium.org, Jul 17 2017

Status: Started (was: Assigned)

Comment 14 by bugdroid1@chromium.org, Jul 17 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/265a292b9397dd2c91db8a10335fa4ea25973301

commit 265a292b9397dd2c91db8a10335fa4ea25973301
Author: Peter K. Lee <pkl@chromium.org>
Date: Mon Jul 17 19:10:49 2017

Redispatch JavaScript to main thread if it is not

Password filling uses JavaScript injection, so it must be run on main
thread. iOS 11 runs the Extension callback on a non-main thread
and results in a crash. This CL fixes this by detecting that the crucial
piece of code is not on main thread and re-dispatches it.

Bug:  742554 
Change-Id: I7a337e424800052069dfd207903d17da8df04458
Reviewed-on: https://chromium-review.googlesource.com/572701
Reviewed-by: Eugene But <eugenebut@chromium.org>
Reviewed-by: Mike Dougherty <michaeldo@chromium.org>
Commit-Queue: Peter Lee <pkl@chromium.org>
Cr-Commit-Position: refs/heads/master@{#487185}
[modify] https://crrev.com/265a292b9397dd2c91db8a10335fa4ea25973301/ios/chrome/browser/ui/activity_services/activity_service_controller.mm
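The pattern the commit message describes, as an added Objective-C example that is not the code from the Chromium CL: an `NSItemProvider` completion handler that re-dispatches to the main queue before calling `-[WKWebView evaluateJavaScript:completionHandler:]`. The helper names `RunOnMainThread` and `FillFromExtensionItem`, and the `typeIdentifier` and `fillScript` parameters, are hypothetical.

```objc
#import <Foundation/Foundation.h>
#import <WebKit/WebKit.h>

// Hypothetical helper (not Chromium code): runs `block` on the main thread,
// immediately if already there, otherwise by re-dispatching asynchronously.
static void RunOnMainThread(dispatch_block_t block) {
  if ([NSThread isMainThread]) {
    block();
  } else {
    dispatch_async(dispatch_get_main_queue(), block);
  }
}

// Hypothetical consumer of an app-extension result. On iOS 11 the
// NSItemProvider completion handler is invoked on
// com.apple.Foundation.NSItemProvider-callback-queue, not the main queue.
static void FillFromExtensionItem(NSItemProvider *provider,
                                  NSString *typeIdentifier,
                                  WKWebView *webView,
                                  NSString *fillScript) {
  [provider loadItemForTypeIdentifier:typeIdentifier
                              options:nil
                    completionHandler:^(id<NSSecureCoding> item,
                                        NSError *error) {
    if (error || !item) {
      return;  // Nothing to fill; the web view is never touched.
    }
    RunOnMainThread(^{
      // WKWebView is a UI API: this call must happen on the main thread.
      [webView evaluateJavaScript:fillScript
                completionHandler:^(id result, NSError *jsError) {
        if (jsError) {
          // Log only the error, never the script, which may embed credentials.
          NSLog(@"Fill script failed: %@", jsError.localizedDescription);
        }
      }];
    });
  }];
}
```

Running the block synchronously when already on the main thread keeps the pre-iOS 11 behaviour unchanged; only the background-queue case is deferred.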

Comment 15 by pkl@chromium.org, Jul 18 2017

Status: Fixed (was: Started)
Status: Verified (was: Fixed)
Verified in 61.0.3163.20 beta, iPhone 7 iOS 11

Followed steps on Comment #4.
Looks good

Comment 17 by pkl@chromium.org, Aug 14 2017

Cc: linds...@chromium.org shbarezer@chromium.org
Issue 753931 has been merged into this issue.
Issue 753388 has been merged into this issue.
Issue 771225 has been merged into this issue.
