Issue 757215

Issue metadata

Status: Verified
Closed: Aug 2017
OS: Mac
Pri: 1
Type: Bug




Null-dereference READ in blink::LocalFrame::GetDocument

Project Member Reported by ClusterFuzz, Aug 20 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5833693213229056

Fuzzer: attekett_dom_fuzzer
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: Null-dereference READ
Crash Address: 0x000000000030
Crash State:
  blink::LocalFrame::GetDocument
  blink::DocumentLoader::ReplaceDocumentWhileExecutingJavaScriptURL
  blink::FrameLoader::ReplaceDocumentWhileExecutingJavaScriptURL
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=494482:494528

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5833693213229056

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 

Comment 1 by tkent@chromium.org, Aug 20 2017

Components: Blink>Loader
Cc: msrchandra@chromium.org
Labels: Test-Predator-Wrong-CLs M-62
Owner: reillyg@chromium.org
Status: Assigned (was: Untriaged)
Predator and CL could not provide any possible suspects.
Using Code Search for the file "LocalFrame.cpp", assigning to the concerned owner.

Suspecting Commit#
https://chromium.googlesource.com/chromium/src/+/f791eeeca58c648ee7b55e439e0368129a7db990

@reillyg -- Could you please look into the issue, kindly re-assign if this is not related to your changes.
Thank You.

I'm also hitting this on Windows while trying to access this webpage: http://www.lapresse.ca/xtra/votre-prochain-vehicule/201707/17/01-5116926-la-technologie-dans-les-vehicules-3-incontournables.php (on 62.0.3192.0 and 62.0.3189.0)

More detailed stack trace:

Thread 1 "content_shell" received signal SIGSEGV, Segmentation fault.
(anonymous namespace)::CheckOpResult::message (this=0x48) at ../../third_party/WebKit/Source/platform/wtf/RefPtr.h:85
85	  ALWAYS_INLINE T* operator->() const { return ptr_; }
(gdb) bt
#0  0x00007fdc09dfd95c in (anonymous namespace)::CheckOpResult::message() (this=0x48) at ../../third_party/WebKit/Source/platform/wtf/RefPtr.h:85
#1  0x00007fdc0a892969 in (anonymous namespace)::LocalFrame::DomWindow() const (this=0x0) at ../../third_party/WebKit/Source/core/frame/LocalFrame.cpp:410
#2  0x00007fdc0a891179 in (anonymous namespace)::LocalFrame::GetDocument() const (this=0x0) at ../../third_party/WebKit/Source/core/frame/LocalFrame.cpp:423
#3  0x00007fdc0b19c222 in (anonymous namespace)::DocumentLoader::ReplaceDocumentWhileExecutingJavaScriptURL((anonymous namespace)::KURL const&, (anonymous namespace)::Document*, bool, (anonymous namespace)::String const&) (this=0x2e571467008, url=..., owner_document=0x36b2d4d68ef0, should_reuse_default_view=false, source=...) at ../../third_party/WebKit/Source/core/loader/DocumentLoader.cpp:1163
#4  0x00007fdc0b1bd3e0 in (anonymous namespace)::FrameLoader::ReplaceDocumentWhileExecutingJavaScriptURL((anonymous namespace)::String const&, (anonymous namespace)::Document*) (this=0x2e571463aa8, source=..., owner_document=0x36b2d4d68ef0)
    at ../../third_party/WebKit/Source/core/loader/FrameLoader.cpp:431
#5  0x00007fdc09e6011e in (anonymous namespace)::ScriptController::ExecuteScriptIfJavaScriptURL((anonymous namespace)::KURL const&, (anonymous namespace)::Element*) (this=0x10f429d75000, url=..., element=0x36b2d4d638b0)
    at ../../third_party/WebKit/Source/bindings/core/v8/ScriptController.cpp:269
#6  0x00007fdc0aa078a1 in (anonymous namespace)::HTMLFrameElementBase::OpenURL(bool) (this=0x36b2d4d638b0, replace_current_item=true) at ../../third_party/WebKit/Source/core/html/HTMLFrameElementBase.cpp:121
#7  0x00007fdc0aa08274 in (anonymous namespace)::HTMLFrameElementBase::SetNameAndOpenURL() (this=0x36b2d4d638b0) at ../../third_party/WebKit/Source/core/html/HTMLFrameElementBase.cpp:185
#8  0x00007fdc0aa0842e in (anonymous namespace)::HTMLFrameElementBase::DidNotifySubtreeInsertionsToDocument() (this=0x36b2d4d638b0) at ../../third_party/WebKit/Source/core/html/HTMLFrameElementBase.cpp:207
#9  0x00007fdc0a3d36c0 in (anonymous namespace)::ContainerNode::DidInsertNodeVector((anonymous namespace)::NodeVector const&, (anonymous namespace)::Node*, (anonymous namespace)::NodeVector const&) (this=0x36b2d4d67128, targets=..., next=0x0, post_insertion_notification_targets=...) at ../../third_party/WebKit/Source/core/dom/ContainerNode.cpp:330
#10 0x00007fdc0a3d5a6d in (anonymous namespace)::ContainerNode::ReplaceChild((anonymous namespace)::Node*, (anonymous namespace)::Node*, (anonymous namespace)::ExceptionState&) (this=0x36b2d4d67128, new_child=0x36b2d4d638b0, old_child=0x36b2d4d67e10, exception_state=...)
    at ../../third_party/WebKit/Source/core/dom/ContainerNode.cpp:579
#11 0x00007fdc0a5088b2 in (anonymous namespace)::Node::replaceChild((anonymous namespace)::Node*, (anonymous namespace)::Node*, (anonymous namespace)::ExceptionState&) (this=0x36b2d4d67128, new_child=0x36b2d4d638b0, old_child=0x36b2d4d67e10, exception_state=...)
    at ../../third_party/WebKit/Source/core/dom/Node.cpp:451
#12 0x00007fdc0b82e4eb in (anonymous namespace)::(anonymous namespace)::replaceChildMethodForMainWorld((anonymous namespace)::FunctionCallbackInfo<v8::Value> const&) (info=...) at gen/blink/bindings/core/v8/V8Node.cpp:663
#13 0x00007fdc0b82dfa7 in (anonymous namespace)::V8Node::replaceChildMethodCallbackForMainWorld((anonymous namespace)::FunctionCallbackInfo<v8::Value> const&) (info=...) at gen/blink/bindings/core/v8/V8Node.cpp:963
#14 0x00007fdc0cba7fd2 in (anonymous namespace)::(anonymous namespace)::FunctionCallbackArguments::Call((anonymous namespace)::FunctionCallback) (this=0x7ffe1531f6d8, f=0x7fdc0b82df70 <(anonymous namespace)::V8Node::replaceChildMethodCallbackForMainWorld((anonymous namespace)::FunctionCallbackInfo<v8::Value> const&)>) at ../../v8/src/api-arguments.cc:25
#15 0x00007fdc0cc87912 in (anonymous namespace)::(anonymous namespace)::(anonymous namespace)::HandleApiCallHelper<false>((anonymous namespace)::(anonymous namespace)::Isolate*, (anonymous namespace)::(anonymous namespace)::Handle<v8::internal::HeapObject>, (anonymous namespace)::(anonymous namespace)::Handle<v8::internal::HeapObject>, (anonymous namespace)::(anonymous namespace)::Handle<v8::internal::FunctionTemplateInfo>, (anonymous namespace)::(anonymous namespace)::Handle<v8::internal::Object>, (anonymous namespace)::(anonymous namespace)::BuiltinArguments) (isolate=0x1d7fe9e53020, function=..., new_target=..., fun_data=..., receiver=..., args=...) at ../../v8/src/builtins/builtins-api.cc:112
#16 0x00007fdc0cc86190 in (anonymous namespace)::(anonymous namespace)::Builtin_Impl_HandleApiCall((anonymous namespace)::(anonymous namespace)::BuiltinArguments, (anonymous namespace)::(anonymous namespace)::Isolate*) (args=..., isolate=0x1d7fe9e53020)
    at ../../v8/src/builtins/builtins-api.cc:142

Comment 5 by japhet@chromium.org, Aug 21 2017

Cc: reillyg@chromium.org
Owner: japhet@chromium.org
This is almost certainly due to https://chromium.googlesource.com/chromium/src/+/e7511b6ade9192af8139739153b236188647bbb7, so I'll take it over.

Thanks, I confirmed that reverting your change fixes the crash and was about to CC you.

Labels: ReleaseBlock-Beta
Adding the beta blocker tag as this is making it impossible to use one of the most popular news articles in Quebec (Canada); most of the articles on lapresse.ca end up in a renderer crash, e.g. http://www.lapresse.ca/xtra/votre-prochain-vehicule/201707/17/01-5116926-la-technologie-dans-les-vehicules-3-incontournables.php

Any update on this? I'm hitting this several times per day, this makes using Canary really painful.

Comment 9 by japhet@chromium.org, Aug 24 2017

Status: Started (was: Assigned)
Yep, fix out for review: https://chromium-review.googlesource.com/c/chromium/src/+/624558
Comment 10 by bugdroid1@chromium.org (Project Member), Aug 26 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/9a070d9c2d2bda6f5b041a7e0f6a62bd543630be

commit 9a070d9c2d2bda6f5b041a7e0f6a62bd543630be
Author: Nate Chapin <japhet@chromium.org>
Date: Sat Aug 26 05:42:26 2017

Stash DocumentParser on DocumentLoader for the initial parse of a Document

The navigation might be finished/cancelled and replaced with a parser
from document.open(), and the two shouldn't be mixed.

Prior to https://chromium.googlesource.com/chromium/src/+/e7511b6ade9192af8139739153b236188647bbb7,
DocumentWriter was doing this under the hood. That behavior is apparently
still needed.

Bug: 757215, 757276
Test: fast/loader/detach-iframe-while-loading-javascript-url.html
Change-Id: I63b4e3a7a933b2a073fe03ee39ebc20ba82af2b8
Reviewed-on: https://chromium-review.googlesource.com/624558
Commit-Queue: Kouhei Ueno <kouhei@chromium.org>
Reviewed-by: Kouhei Ueno <kouhei@chromium.org>
Cr-Commit-Position: refs/heads/master@{#497657}
[add] https://crrev.com/9a070d9c2d2bda6f5b041a7e0f6a62bd543630be/third_party/WebKit/LayoutTests/fast/loader/detach-iframe-while-loading-javascript-url-expected.txt
[add] https://crrev.com/9a070d9c2d2bda6f5b041a7e0f6a62bd543630be/third_party/WebKit/LayoutTests/fast/loader/detach-iframe-while-loading-javascript-url.html
[modify] https://crrev.com/9a070d9c2d2bda6f5b041a7e0f6a62bd543630be/third_party/WebKit/Source/core/dom/Document.cpp
[modify] https://crrev.com/9a070d9c2d2bda6f5b041a7e0f6a62bd543630be/third_party/WebKit/Source/core/dom/Document.h
[modify] https://crrev.com/9a070d9c2d2bda6f5b041a7e0f6a62bd543630be/third_party/WebKit/Source/core/loader/DocumentLoader.cpp
[modify] https://crrev.com/9a070d9c2d2bda6f5b041a7e0f6a62bd543630be/third_party/WebKit/Source/core/loader/DocumentLoader.h

Comment 11 by ClusterFuzz (Project Member), Aug 27 2017

ClusterFuzz has detected this issue as fixed in range 497656:497657.

Detailed report: https://clusterfuzz.com/testcase?key=5833693213229056

Fuzzer: attekett_dom_fuzzer
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: Null-dereference READ
Crash Address: 0x000000000030
Crash State:
  blink::LocalFrame::GetDocument
  blink::DocumentLoader::ReplaceDocumentWhileExecutingJavaScriptURL
  blink::FrameLoader::ReplaceDocumentWhileExecutingJavaScriptURL
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=494482:494528
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=497656:497657

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5833693213229056

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 12 by ClusterFuzz (Project Member), Aug 27 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Started)
ClusterFuzz testcase 5833693213229056 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Issue 760097 has been merged into this issue.
