Security: Browser crash is seen in "Translate bubble"
Reported by chromium...@gmail.com, Jan 5 2018
Issue description

VERSION
Chrome Version: Version 65.0.3311.0 (Official Build) canary (64-bit)
Operating System: Mac
# Enable chrome://flags/#enable-translate-new-ux

REPRODUCTION CASE
1. Open any page
2. Right-click, Translate to...
3. Click on "Option", mouse click somewhere else on the page.
Jan 5 2018
This is a different repro.
Jan 5 2018
Could you please check under an ASan Mac build? This seems like a UaF crash.
Jan 5 2018
ooh - nice. I've had my eye on this crash stack in the reporter for a while, but didn't know a repro. Thanks for filing! I can repro the crash -- http://go/crash/1fa66bb4a0c6c5e1

0x000000010bb215eb (Google Chrome Framework -cocoa_mouse_capture.mm:78 ) ___ZN5views17CocoaMouseCapture14ActiveEventTap4InitEv_block_invoke
0x00007fffd09e37f9 (AppKit + 0x001c77f9 ) _NSSendEventToObservers
0x00007fffd0fdc23e (AppKit + 0x007c023e ) -[NSApplication(NSEvent) sendEvent:]
0x0000000109e609f9 (Google Chrome Framework -chrome_browser_application_mac.mm:267 ) __34-[BrowserCrApplication sendEvent:]_block_invoke
0x000000010a21a8d9 (Google Chrome Framework + 0x01e708d9 ) base::mac::CallWithEHFrame(void () block_pointer)
0x0000000109e607d5 (Google Chrome Framework -chrome_browser_application_mac.mm:251 ) -[BrowserCrApplication sendEvent:]
0x00007fffd0857426 (AppKit + 0x0003b426 ) -[NSApplication run]

chrome://flags/#enable-translate-new-ux isn't shipping soon. Bumping milestone.

There are two problems:
- the popup isn't using a native NSMenu for its button
- Closing the parent window while it's hosting a non-native menu is triggering some lifetime issue.

Both should be fixed before shipping the translate bubble on Mac. But the crashes are annoying, and should be fixed regardless. I'm taking a look.
Asan stack looks like

==91339==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000d848d0 at pc 0x000164c3bcc3 bp 0x7fff52dfb450 sp 0x7fff52dfb448
READ of size 8 at 0x603000d848d0 thread T0
    #0 0x164c3bcc2 in ___ZN5views17CocoaMouseCapture14ActiveEventTap4InitEv_block_invoke cocoa_mouse_capture.mm:78
    #1 0x7fffd09e37f9 in _NSSendEventToObservers (AppKit:x86_64+0x1c77f9)
    #2 0x7fffd0fdc23e in -[NSApplication(NSEvent) sendEvent:] (AppKit:x86_64+0x7c023e)
    #3 0x11b7b0c04 in __34-[BrowserCrApplication sendEvent:]_block_invoke chrome_browser_application_mac.mm:267
    #4 0x1146be539 in base::mac::CallWithEHFrame(void () block_pointer) (libbase.dylib:x86_64+0x27a539)
    #5 0x11b7b018e in -[BrowserCrApplication sendEvent:] chrome_browser_application_mac.mm:251
    #6 0x7fffd0857426 in -[NSApplication run] (AppKit:x86_64+0x3b426)
    #7 0x1147a434e in base::MessagePumpNSApplication::DoRun(base::MessagePump::Delegate*) message_pump_mac.mm:806
    #8 0x11479b701 in base::MessagePumpCFRunLoopBase::Run(base::MessagePump::Delegate*) message_pump_mac.mm:180
    #9 0x1147759be in base::MessageLoop::Run(bool) message_loop.cc:345
    #10 0x1149ff524 in base::RunLoop::Run() run_loop.cc:130
    #11 0x11b7d2dac in ChromeBrowserMainParts::MainMessageLoopRun(int*) chrome_browser_main.cc:1957
    #12 0x14527bd62 in content::BrowserMainLoop::RunMainMessageLoopParts() browser_main_loop.cc:1194
    #13 0x145294ad7 in content::BrowserMainRunnerImpl::Run() browser_main_runner.cc:140
    #14 0x14525b46c in content::BrowserMain(content::MainFunctionParams const&) browser_main.cc:46
    #15 0x14bd2ed16 in content::RunNamedProcessTypeMain(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, content::MainFunctionParams const&, content::ContentMainDelegate*) content_main_runner.cc:427
    #16 0x14bd32716 in content::ContentMainRunnerImpl::Run() content_main_runner.cc:723
    #17 0x14bd1b5cc in content::ContentServiceManagerMainDelegate::RunEmbedderProcess() content_service_manager_main_delegate.cc:51
    #18 0x113d1900e in service_manager::Main(service_manager::MainParams const&) main.cc:456
    #19 0x14bd2e731 in content::ContentMain(content::ContentMainParams const&) content_main.cc:19
    #20 0x115eb8a16 in ChromeMain chrome_main.cc:128
    #21 0x10ce01cf4 in main chrome_exe_main_mac.cc:165
    #22 0x7fffe8ab5234 in start (libdyld.dylib:x86_64+0x5234)

0x603000d848d0 is located 0 bytes inside of 24-byte region [0x603000d848d0,0x603000d848e8)
freed by thread T0 here:
    #0 0x10ce6c8c2 (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x618c2)
    #1 0x164c3c5d8 in views::CocoaMouseCapture::~CocoaMouseCapture() cocoa_mouse_capture.mm:97
    #2 0x164c3c604 in views::CocoaMouseCapture::~CocoaMouseCapture() cocoa_mouse_capture.mm:96
    #3 0x164c08000 in views::BridgedNativeWidget::ReleaseCapture() bridged_native_widget.mm:721
    #4 0x164c0db8d in views::BridgedNativeWidget::OnVisibilityChanged() bridged_native_widget.mm:924
    #5 0x164c4c1b7 in -[ViewsNSWindowDelegate onWindowOrderChanged:] views_nswindow_delegate.mm:41
    #6 0x164c48c1d in -[NativeWidgetMacNSWindow orderWindow:relativeTo:] native_widget_mac_nswindow.mm:167
    #7 0x164c0ef29 in views::BridgedNativeWidget::NotifyVisibilityChangeDown() bridged_native_widget.mm:1343
    #8 0x164c0e056 in views::BridgedNativeWidget::OnVisibilityChanged() bridged_native_widget.mm:950
    #9 0x164c4c1b7 in -[ViewsNSWindowDelegate onWindowOrderChanged:] views_nswindow_delegate.mm:41
    #10 0x164c48c1d in -[NativeWidgetMacNSWindow orderWindow:relativeTo:] native_widget_mac_nswindow.mm:167
    #11 0x16501370f in views::NativeWidgetMac::Close() native_widget_mac.mm:380
    #12 0x165047b9c in views::Widget::Close() widget.cc:601
    #13 0x164ba87e0 in views::BubbleDialogDelegateView::OnDeactivate() bubble_dialog_delegate.cc:336
    #14 0x164bace96 in void base::internal::FunctorTraits<void (views::BubbleDialogDelegateView::*)(), void>::Invoke<views::BubbleDialogDelegateView*>(void (views::BubbleDialogDelegateView::*)(), views::BubbleDialogDelegateView*&&) bind_internal.h:211
    #15 0x164bacb7c in void base::internal::InvokeHelper<false, void>::MakeItSo<void (views::BubbleDialogDelegateView::* const&)(), views::BubbleDialogDelegateView*>(void (views::BubbleDialogDelegateView::* const&&&)(), views::BubbleDialogDelegateView*&&) bind_internal.h:294
    #16 0x164bac905 in void base::internal::Invoker<base::internal::BindState<void (views::BubbleDialogDelegateView::*)(), base::internal::UnretainedWrapper<views::BubbleDialogDelegateView> >, void ()>::RunImpl<void (views::BubbleDialogDelegateView::* const&)(), std::__1::tuple<base::internal::UnretainedWrapper<views::BubbleDialogDelegateView> > const&, 0ul>(void (views::BubbleDialogDelegateView::* const&&&)(), std::__1::tuple<base::internal::UnretainedWrapper<views::BubbleDialogDelegateView> > const&&&, std::__1::integer_sequence<unsigned long, 0ul>) bind_internal.h:368
    #17 0x164bac72b in base::internal::Invoker<base::internal::BindState<void (views::BubbleDialogDelegateView::*)(), base::internal::UnretainedWrapper<views::BubbleDialogDelegateView> >, void ()>::Run(base::internal::BindStateBase*) bind_internal.h:350
    #18 0x1155a30cc in base::RepeatingCallback<void ()>::Run() const & callback.h:94
    #19 0x115767b58 in ui::BubbleCloser::OnClickOutside() bubble_closer.mm:50
    #20 0x115767b28 in ___ZN2ui12BubbleCloserC2EP8NSWindowN4base17RepeatingCallbackIFvvEEE_block_invoke bubble_closer.mm:36
    #21 0x7fffd09e37f9 in _NSSendEventToObservers (AppKit:x86_64+0x1c77f9)
    #22 0x7fffd0fdc23e in -[NSApplication(NSEvent) sendEvent:] (AppKit:x86_64+0x7c023e)
    #23 0x11b7b0c04 in __34-[BrowserCrApplication sendEvent:]_block_invoke chrome_browser_application_mac.mm:267
    #24 0x1146be539 in base::mac::CallWithEHFrame(void () block_pointer) (libbase.dylib:x86_64+0x27a539)
    #25 0x11b7b018e in -[BrowserCrApplication sendEvent:] chrome_browser_application_mac.mm:251
    #26 0x7fffd0857426 in -[NSApplication run] (AppKit:x86_64+0x3b426)
    #27 0x1147a434e in base::MessagePumpNSApplication::DoRun(base::MessagePump::Delegate*) message_pump_mac.mm:806
    #28 0x11479b701 in base::MessagePumpCFRunLoopBase::Run(base::MessagePump::Delegate*) message_pump_mac.mm:180
    #29 0x1147759be in base::MessageLoop::Run(bool) message_loop.cc:345

previously allocated by thread T0 here:
    #0 0x10ce6c2e2 (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x612e2)
    #1 0x164c3c01f in views::CocoaMouseCapture::CocoaMouseCapture(views::CocoaMouseCaptureDelegate*) cocoa_mouse_capture.mm:92
    #2 0x164c3c48c in views::CocoaMouseCapture::CocoaMouseCapture(views::CocoaMouseCaptureDelegate*) cocoa_mouse_capture.mm:92
    #3 0x164c07ab8 in views::BridgedNativeWidget::AcquireCapture() bridged_native_widget.mm:709
    #4 0x16500f83e in views::NativeWidgetMac::SetCapture() native_widget_mac.mm:234
    #5 0x164d28348 in views::MenuHost::ShowMenuHost(bool) menu_host.cc:176
    #6 0x164d27598 in views::MenuHost::InitMenuHost(views::Widget*, gfx::Rect const&, views::View*, bool) menu_host.cc:148
    #7 0x164d72f5d in views::SubmenuView::ShowAt(views::Widget*, gfx::Rect const&, bool) submenu_view.cc:388
    #8 0x164d09fb7 in views::MenuController::OpenMenuImpl(views::MenuItemView*, bool) menu_controller.cc:1830
    #9 0x164d09293 in views::MenuController::OpenMenu(views::MenuItemView*) menu_controller.cc:1801
    #10 0x164d039f5 in views::MenuController::CommitPendingSelection() menu_controller.cc:1766
    #11 0x164ceccc5 in views::MenuController::SetSelection(views::MenuItemView*, int) menu_controller.cc:1195
    #12 0x164ce973e in views::MenuController::Run(views::Widget*, views::MenuButton*, views::MenuItemView*, gfx::Rect const&, views::MenuAnchorPosition, bool, bool) menu_controller.cc:476
    #13 0x164d57bce in views::internal::MenuRunnerImpl::RunMenuAt(views::Widget*, views::MenuButton*, gfx::Rect const&, views::MenuAnchorPosition, int) menu_runner_impl.cc:136
    #14 0x164d5e0d6 in views::internal::MenuRunnerImplAdapter::RunMenuAt(views::Widget*, views::MenuButton*, gfx::Rect const&, views::MenuAnchorPosition, int) menu_runner_impl_adapter.cc:34
    #15 0x164d55edb in views::MenuRunner::RunMenuAt(views::Widget*, views::MenuButton*, gfx::Rect const&, views::MenuAnchorPosition, ui::MenuSourceType) menu_runner.cc:72
    #16 0x129b1bfce in TranslateBubbleView::ShowOptionsMenu(views::Button*) translate_bubble_view.cc:406
    #17 0x129b1a05f in TranslateBubbleView::ButtonPressed(views::Button*, ui::Event const&) translate_bubble_view.cc:288
    #18 0x164c6d3ea in views::Button::NotifyClick(ui::Event const&) button.cc:498
    #19 0x164c69c0d in views::Button::OnMouseReleased(ui::MouseEvent const&) button.cc:234
    #20 0x164fbe9ed in views::View::ProcessMouseReleased(ui::MouseEvent const&) view.cc:2580
    #21 0x164fbd1d6 in views::View::OnMouseEvent(ui::MouseEvent*) view.cc:1105
    #22 0x164b4252e in views::InkDropHostView::OnMouseEvent(ui::MouseEvent*) ink_drop_host_view.cc:263
    #23 0x15f42ec63 in ui::EventHandler::OnEvent(ui::Event*) event_handler.cc:27
    #24 0x15f4515f6 in ui::ScopedTargetHandler::OnEvent(ui::Event*) scoped_target_handler.cc:32
    #25 0x15f42a23f in ui::EventDispatcher::DispatchEvent(ui::EventHandler*, ui::Event*) event_dispatcher.cc:191
    #26 0x15f425299 in ui::EventDispatcher::ProcessEvent(ui::EventTarget*, ui::Event*) event_dispatcher.cc:139
    #27 0x15f424021 in ui::EventDispatcherDelegate::DispatchEventToTarget(ui::EventTarget*, ui::Event*) event_dispatcher.cc:86
    #28 0x15f4237f0 in ui::EventDispatcherDelegate::DispatchEvent(ui::EventTarget*, ui::Event*) event_dispatcher.cc:58
    #29 0x16502a079 in views::internal::RootView::OnMouseReleased(ui::MouseEvent const&) root_view.cc:442
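The lifetime problem behind the two ASan stacks above, as an added example that is not Chromium's code: the "freed by" stack shows the bubble's click-outside monitor closing the bubble and deleting the CocoaMouseCapture from inside _NSSendEventToObservers, and the READ stack shows the capture's own event-tap block running afterwards in the same dispatch and touching the freed object. The model below assumes that ordering (an observer loop that snapshots its monitor list, a closer monitor registered before the capture's tap) and shows the defensive pattern of having the tap hold a weak handle that it checks before use, so a destroyed capture is skipped rather than dereferenced. All names (EventDispatcher, MouseCapture, TapStats, SimulateClick) are hypothetical.

```cpp
// Added example, not Chromium code: a simplified model of the lifetime bug the
// two ASan stacks describe, with a weak-handle guard in the tap callback.
// All class and function names here are hypothetical.
#include <cstdio>
#include <functional>
#include <memory>
#include <utility>
#include <vector>

// Stands in for AppKit's observer loop (_NSSendEventToObservers in the stacks):
// the monitor list is snapshotted before dispatch, so a monitor that an earlier
// callback removed during the same event is still invoked afterwards.
class EventDispatcher {
 public:
  using Monitor = std::function<void()>;

  int AddMonitor(Monitor fn) {
    monitors_.emplace_back(next_id_, std::move(fn));
    return next_id_++;
  }

  void RemoveMonitor(int id) {
    for (auto it = monitors_.begin(); it != monitors_.end(); ++it) {
      if (it->first == id) {
        monitors_.erase(it);
        return;
      }
    }
  }

  void SendEvent() {
    std::vector<std::pair<int, Monitor>> snapshot = monitors_;  // the snapshot
    for (auto& entry : snapshot)
      entry.second();
  }

 private:
  std::vector<std::pair<int, Monitor>> monitors_;
  int next_id_ = 0;
};

// Counters owned by the scenario, not by the capture object, so they survive it.
struct TapStats {
  int handled = 0;             // tap ran against a live capture object
  int skipped_after_free = 0;  // tap ran after the object had been destroyed
  bool capture_alive = false;  // capture object still exists after the event
};

// Stands in for views::CocoaMouseCapture. In the crashing code the tap block
// reached the capture object through a raw pointer, so a callback that ran after
// the destructor read freed memory. Here the block holds a std::weak_ptr to a
// liveness token owned by the object and locks it before touching the object.
class MouseCapture {
 public:
  MouseCapture(EventDispatcher& dispatcher, TapStats& stats)
      : dispatcher_(dispatcher), alive_(std::make_shared<bool>(true)) {
    std::weak_ptr<bool> weak = alive_;
    MouseCapture* self = this;
    tap_id_ = dispatcher_.AddMonitor([weak, self, &stats] {
      std::shared_ptr<bool> token = weak.lock();
      if (!token) {
        ++stats.skipped_after_free;  // destroyed earlier in this dispatch
        return;
      }
      self->OnMouseEvent();
      ++stats.handled;
    });
  }

  // Removing the monitor here is correct but not sufficient on its own: a
  // dispatch already iterating its snapshot will still call the block.
  ~MouseCapture() { dispatcher_.RemoveMonitor(tap_id_); }

 private:
  void OnMouseEvent() { ++events_seen_; }

  EventDispatcher& dispatcher_;
  std::shared_ptr<bool> alive_;
  int tap_id_ = -1;
  int events_seen_ = 0;
};

// Replays the report's sequence: the bubble's click-outside monitor exists
// first, the options menu then takes mouse capture, and one click is delivered.
// A click outside closes the bubble, which drops the capture while the same
// event is still being dispatched, as in the "freed by" stack.
TapStats SimulateClick(bool click_outside) {
  EventDispatcher dispatcher;
  TapStats stats;
  std::unique_ptr<MouseCapture> capture;

  dispatcher.AddMonitor([&] {
    if (click_outside)
      capture.reset();  // Widget::Close() -> ReleaseCapture() -> destructor
  });
  capture = std::make_unique<MouseCapture>(dispatcher, stats);  // SetCapture()

  dispatcher.SendEvent();
  stats.capture_alive = (capture != nullptr);
  return stats;
}

int main() {
  TapStats outside = SimulateClick(true);
  TapStats inside = SimulateClick(false);
  std::printf("click outside: handled=%d skipped=%d alive=%d\n",
              outside.handled, outside.skipped_after_free, outside.capture_alive);
  std::printf("click inside:  handled=%d skipped=%d alive=%d\n",
              inside.handled, inside.skipped_after_free, inside.capture_alive);
  return 0;
}
```

With a click outside the bubble the closer runs first, the capture is destroyed, and the tap's weak handle fails to lock, so the callback returns without touching the object; with a click inside, the capture survives and the tap is handled normally. Chromium's own fix may differ; the point is that unregistering in the destructor does not protect a callback that the observer loop has already snapshotted.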
Jan 5 2018
Cool, thanks for that! Shouldn't this be marked as a security one, since this is a UaF vulnerability?
Comment 1 by metzman@chromium.org, Jan 5 2018
Merged into: 795725
Status: Duplicate (was: Unconfirmed)