This doesn't happen consistently, but is not too hard to reproduce:
1. Make sure --enable-slim-navigation-manager is set
2. In a new tab, type chrome://flags in the URL bar. This usually works
3. Navigate to a few other websites
4. Type chrome://flags in the URL bar again. This crashes the app.
The problem is probably in CRWWebController |-loadHTML:forAppSpecificURL|. When it creates the finish code block, URL is captured as reference instead of a copy.
thread #1, name = 'CrWebMain', queue = 'com.apple.main-thread'
frame #0: 0x00000001144a6527 libc++.1.dylib`std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >::basic_string(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) + 27
* frame #1: 0x000000010455f734 Chromium`GURL::GURL(this=0x00006240000fc700, other=0x3f80000000000000) at gurl.cc:73
frame #2: 0x000000010455faad Chromium`GURL::GURL(this=0x00006240000fc700, other=0x3f80000000000000) at gurl.cc:75
frame #3: 0x000000010455f885 Chromium`GURL::GURL(this=0x0000624000142e20, other=0x000061c000133308) at gurl.cc:77
frame #4: 0x000000010455faad Chromium`GURL::GURL(this=0x0000624000142e20, other=0x000061c000133308) at gurl.cc:75
frame #5: 0x0000000101a7cbbc Chromium`web::NavigationContextImpl::NavigationContextImpl(this=0x0000624000142e10, web_state=0x00007f7fc9f4b590, url=0x000061c000133308, page_transition=PAGE_TRANSITION_TYPED, is_renderer_initiated=false) at navigation_context_impl.mm:106
frame #6: 0x0000000101a7c56c Chromium`web::NavigationContextImpl::NavigationContextImpl(this=0x0000624000142e10, web_state=0x00007f7fc9f4b590, url=0x000061c000133308, page_transition=PAGE_TRANSITION_TYPED, is_renderer_initiated=false) at navigation_context_impl.mm:111
frame #7: 0x0000000101a7c391 Chromium`web::NavigationContextImpl::CreateNavigationContext(web_state=0x00007f7fc9f4b590, url=0x000061c000133308, page_transition=PAGE_TRANSITION_TYPED, is_renderer_initiated=false) at navigation_context_impl.mm:25
frame #8: 0x0000000101aae4da Chromium`::-[CRWWebController loadHTML:forURL:](self=0x00007f7fc9f08a30, _cmd="loadHTML:forURL:", HTML="<!doctype html>\n<html dir=\"ltr\" lang=\"en\">\n<head>\n<meta charset=\"utf-8\">\n<meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\">\n<style>/* Copyright 2015 The Chromium Authors. All rights reserved.\n * Use of this source code is governed by a BSD-style license that can be\n * found in the LICENSE file. */\n\n\n@font-face {\n font-family: 'Roboto';\n font-style: normal;\n font-weight: 400;\n src: local('Roboto'), local('Roboto-Regular'),\n url(chrome://resources/roboto/roboto-regular.woff2) format('woff2');\n}\n\n@font-face {\n font-family: 'Roboto';\n font-style: normal;\n font-weight: 500;\n src: local('Roboto Medium'), local('Roboto-Medium'),\n url(chrome://resources/roboto/roboto-medium.woff2) format('woff2');\n}\n\n@font-face {\n font-family: 'Roboto';\n font-style: normal;\n font-weight: 700;\n src: local('Roboto Bold'), local('Roboto-Bold'),\n url(chrome://resources/roboto/roboto-bold.woff2) format('woff2');\n}\n\n</style><style>/* Copyright 2015 The Chromium Authors. All rights reserved.\n *"..., URL=0x000061c000133308) at crw_web_controller.mm:4018
frame #9: 0x0000000101aaf5ae Chromium`::__47-[CRWWebController loadHTML:forAppSpecificURL:]_block_invoke(.block_descriptor=<unavailable>) at crw_web_controller.mm:4033
frame #10: 0x00000001019f8be5 Chromium`::-[CRWPlaceholderNavigationInfo runCompletionHandler](self=0x00006140002000f0, _cmd="runCompletionHandler") at crw_placeholder_navigation_info.mm:58
frame #11: 0x0000000101ab603a Chromium`::-[CRWWebController webView:didFinishNavigation:](self=0x00007f7fc9f08a30, _cmd="webView:didFinishNavigation:", webView=0x00007f7fcb07ac00, navigation=0x00007f7fc2520900) at crw_web_controller.mm:4631
frame #12: 0x00000001134aa609 WebKit`WebKit::NavigationState::NavigationClient::didFinishNavigation(WebKit::WebPageProxy&, API::Navigation*, API::Object*) + 91
Comment 1 by danyao@chromium.org
, Jan 29 2018