
Issue 865337


Issue metadata

Status: Duplicate
Owner:
Closed: Jul 30
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows, Mac
Pri: 1
Type: Bug-Regression
Team-Security-UX




Regression: Browser crash is observed after Chrome is relaunched

Reported by vineetha...@etouch.net, Jul 19

Issue description

Chrome Version: 69.0.3496.0 (Official Build) Revision 4225deb99f054d45a757dbecf0de9421c5e4d05e-refs/branch-heads/3496@{#1} (32/64 bit)
OS: Windows (7, 8, 8.1, 10)

What steps will reproduce the problem?
(1) Fresh launch Chrome, navigate to chrome://settings.
(2) Click on 'Show home button', click on the second radio button and type any URL in the textbox, e.g. 'https://permission.site/' or https://www.youtube.com/.
(3) Now open NTP and click on the home icon present on the LHS of the omnibox; observe that the user gets navigated to the mentioned URL.
(4) Now click on the Secure chip icon present beside the URL in the omnibox and click 'Site Settings'.
(5) Now open another NTP and navigate to chrome:/flags, now enable any flag, then relaunch the browser and observe.

Actual Result: Browser crash is observed after browser is relaunched.
Expected Result: Browser should not crash after it is relaunched.

Uploaded Crash Report ID 93d41b07ec964beb (Local Crash ID: afc07d22-35e6-4f61-b740-d432ecd371ff)

This is a regression issue broken in 'M-69'; will soon update other info.
Good build: 69.0.3488.0 (Revision: 574035)
Bad build: 69.0.3489.0 (Revision: 574445)
 
Attachment: ActualVideo.mp4 (2.2 MB)
Attachment: ExpectedVideo.mp4 (1.6 MB)
Labels: -Type-Bug -Pri-2 RegressedIn-69 hasbisect OS-Mac Pri-1 Type-Bug-Regression
Owner: thomasanderson@chromium.org
Status: Assigned (was: Unconfirmed)
Providing the bisect using per-revision bisect; tried bisecting multiple times on Win and Mac OS and am getting the following CL every time:

You are probably looking for a change made after 574403 (known good), but no later than 574404 (first known bad).

CHANGE-LOG URL:

The script might not always return single CL as suspect as some perf builds might get missing due to failure.

https://chromium.googlesource.com/chromium/src/+log/a4247ad3b2fda13e8f4d57b68b639bea7d78df02..382c1d7689514b2bb3449f2ca14209ad5e75c472

Suspect: https://chromium.googlesource.com/native_client/src/native_client.git/+/e6ce828ef60c4c1438867b535efbbb5d9a177c0e

@thomasanderson: Could you please check whether this is caused by your change; if not, kindly help us assign it to the right owner.

Note:
(1) The above issue is also seen on Mac (10.12.6, 10.13.1, 10.13.6, 10.14) OS after enabling 'Use Views browser windows instead of Cocoa' under chrome://flags.
(2) The issue is not seen on Linux OS.

Thank You!
Stack trace for the crash id:
-----------------------------
Thread 2 (id: 0x20d4) CRASHED [EXCEPTION_BREAKPOINT @ 0x00007ffc668f5049 ] MAGIC SIGNATURE THREAD
Stack Quality: 100%
0x00007ffc668f5049	(chrome.dll -template_expressions.cc:97 )	ui::ReplaceTemplateExpressions(base::BasicStringPiece<std::basic_string<char,std::char_traits<char>,std::allocator<char> > >,std::map<std::basic_string<char,std::char_traits<char>,std::allocator<char> > const ,std::basic_string<char,std::char_traits<char>,std::allocator<char> >,std::less<std::basic_string<char,std::char_traits<char>,std::allocator<char> > const >,std::allocator<std::pair<std::basic_string<char,std::char_traits<char>,std::allocator<char> > const ,std::basic_string<char,std::char_traits<char>,std::allocator<char> > > > > const &)
0x00007ffc668f53fc	(chrome.dll -i18n_source_stream.cc:63 )	ui::I18nSourceStream::FilterData(net::IOBuffer *,int,net::IOBuffer *,int,int *,bool)
0x00007ffc65b7af86	(chrome.dll -filter_source_stream.cc:157 )	net::FilterSourceStream::DoFilterData()
0x00007ffc65b77ccf	(chrome.dll -filter_source_stream.cc:113 )	net::FilterSourceStream::DoLoop(int)
0x00007ffc65b77bc6	(chrome.dll -filter_source_stream.cc:63 )	net::FilterSourceStream::Read(net::IOBuffer *,int,base::OnceCallback<void >)
0x00007ffc65a21f15	(chrome.dll -url_request_job.cc:136 )	net::URLRequestJob::Read(net::IOBuffer *,int)
0x00007ffc65a21dea	(chrome.dll -url_request.cc:766 )	net::URLRequest::Read(net::IOBuffer *,int)
0x00007ffc65a21bf6	(chrome.dll -resource_loader.cc:763 )	content::ResourceLoader::ReadMore(bool)
0x00007ffc65a1f770	(chrome.dll -resource_loader.cc:748 )	content::ResourceLoader::PrepareToReadMore(bool)
0x00007ffc65932062	(chrome.dll -resource_loader.cc:223 )	content::ResourceLoader::ScopedDeferral::~ScopedDeferral()
0x00007ffc65a24a5a	(chrome.dll -resource_loader.cc:814 )	content::ResourceLoader::CompleteRead(int)
0x00007ffc65a248b2	(chrome.dll -resource_loader.cc:491 )	content::ResourceLoader::OnReadCompleted(net::URLRequest *,int)
0x00007ffc65b7ae56	(chrome.dll -filter_source_stream.cc:195 )	net::FilterSourceStream::OnIOComplete(int)
0x00007ffc65b7ae56	(chrome.dll -filter_source_stream.cc:195 )	net::FilterSourceStream::OnIOComplete(int)
0x00007ffc65a24372	(chrome.dll -url_request_job.cc:516 )	net::URLRequestJob::ReadRawDataComplete(int)
0x00007ffc66c4e99a	(chrome.dll -post_task_and_reply_impl.cc:97 )	base::`anonymous namespace'::PostTaskAndReplyRelay::RunReply
0x00007ffc66c4ea53	(chrome.dll -bind_internal.h:649 )	base::internal::Invoker<base::internal::BindState<void (*)(base::(anonymous namespace)::PostTaskAndReplyRelay),base::(anonymous namespace)::PostTaskAndReplyRelay>,void ()>::RunOnce
0x00007ffc655c4cab	(chrome.dll -task_annotator.cc:101 )	base::debug::TaskAnnotator::RunTask(char const *,base::PendingTask *)
0x00007ffc655c4686	(chrome.dll -message_loop.cc:453 )	base::MessageLoop::RunTask(base::PendingTask *)
0x00007ffc655bd3a1	(chrome.dll -message_loop.cc:522 )	base::MessageLoop::DoWork()
0x00007ffc655bd149	(chrome.dll -message_pump_win.cc:482 )	base::MessagePumpForIO::DoRunLoop()
0x00007ffc655bcfdd	(chrome.dll -message_pump_win.cc:52 )	base::MessagePumpWin::Run(base::MessagePump::Delegate *)
0x00007ffc655bcd40	(chrome.dll -run_loop.cc:102 )	base::RunLoop::Run()
0x00007ffc655bccd5	(chrome.dll -browser_process_sub_thread.cc:178 )	content::BrowserProcessSubThread::IOThreadRun(base::RunLoop *)
0x00007ffc655ba7af	(chrome.dll -thread.cc:337 )	base::Thread::ThreadMain()
0x00007ffc6678fac3	(chrome.dll -platform_thread_win.cc:91 )	base::`anonymous namespace'::ThreadFunc
0x00007ffc9d2913d1	(KERNEL32.dll + 0x000013d1 )	BaseThreadInitThunk
0x00007ffc9f0b54f3	(ntdll.dll + 0x000154f3 )	RtlUserThreadStart

Stack trace similar to issue 863318.

Thank you!
Owner: ----
Status: Available (was: Assigned)
That CL only made a change to whitespace.txt to trigger a buildbot cycle, so it's unlikely to be the cause of this issue.
Owner: chrisha@chromium.org
Status: Assigned (was: Available)
Update:

Tried bisecting multiple times on Win and Mac OS and was unable to narrow down the range using per-revision and narrow bisect, hence providing a manual bisect.

Suspecting: r574398?

@chrisha: Could you please check whether this is caused by your change; if not, kindly help to reassign it to the right owner.

Note: The issue is still reproducible on the latest Canary build #70.0.3500.0.
Mergedinto: 863318
Status: Duplicate (was: Assigned)
This is a duplicate of bug 863318. The change in r574398 doesn't make this crash occur, it just makes it more likely than it previously was. The real issue is a lifetime management issue in the underlying Web UI code.
I finally found time to make progress on this bug. CL on the way. Should get 2 days on canary before needing a merge to M69.
vineetha:

I'm unable to reproduce on today's canary M70 (70.0.3507.0). Can you confirm this is still happening for you?
Update w.r.t. comment #7:

Rechecked the above issue on Windows OS using the latest canary build #70.0.3508.0 and am able to reproduce the issue. Kindly refer to the attached screencast.

Thank you!
Attachment: CanaryBehaviour.mp4 (1.8 MB)
This should be fixed on tomorrow's canary, if you can confirm then.
