The crash is due to the CHECK(_webUsageEnabled) in -ensureWebViewCreatedWithConfiguration:. Normally web views should not be created when _webUsageEnabled is false. But perhaps webview creation for placeholder URL should be allowed because these are meant to back native views.

All of the crashes have -loadPlaceholderInWebViewForURL in the stacktrace. There seem to be a few different scenarios that trigger this:
1. Opening a tab from tab switcher (http://crash/e0d96aa7b07f39d6). This is the most prevalent.
2. Disable web usage triggers clear transient view, which triggers reload of NTP  (http://crash/1c500735f336675e)
3. Resuming session [AppState resumeSessionWithTabOpener:tabSwitcher:] (http://3062ce5a98c53234)

I can reproduce #2 with the following steps:

1) Open a new tab
2) Load http://expired.badssl.com
3) While SSL interstitial is visible, go to Menu -> Settings -> Privacy -> Clear Browsing Data -> (select all) -> Clear Browsing Data

This crashes the browser. My crash report: https://crash.corp.google.com/browse?q=reportid=%275dd77d0b2e9d4ca5%27

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/038bf28ab1cdb1eb13bf99568a10fc4511c5a2d9

commit 038bf28ab1cdb1eb13bf99568a10fc4511c5a2d9
Author: Danyao Wang <danyao@chromium.org>
Date: Mon Jul 23 15:35:26 2018

[Nav Experiment] Defer loading URL if web usage is not enabled.

The SlimNav experiment is hitting the CHECK(_webUsageEnabled) in
-ensureWebViewCreatedWithConfiguration when loading placeholder
URL while web usage is disabled. One cause for this situation is when
clearing website data while an interstitial is presented over a native
view. WebInterstitialImpl::DontProceed() is called after web usage is
disabled and it triggers the reload of the native view, which in turn
triggers the placeholder load. Deferring the load fixes the problem,
because the web view is recreated immediately after.

Other causes for placeholder load when web usage is disabled exist, but
the causes are not fully understood. This CL fixes the crashes in these
cases as well. This should uncover behavior changes, that hopefully give
us more details to fix the root cause later.

A downstream egtest for the interstitial case is added in
http://chrome-internal-review.googlesource.com/c/chrome/ios_internal/+/654301

Bug:  865985 
Cq-Include-Trybots: luci.chromium.try:ios-simulator-full-configs;master.tryserver.chromium.mac:ios-simulator-cronet
Change-Id: I03d928ce82d128c2f67f36e204731576e479d497
Reviewed-on: https://chromium-review.googlesource.com/1145725
Reviewed-by: Kurt Horimoto <kkhorimoto@chromium.org>
Commit-Queue: Danyao Wang <danyao@chromium.org>
Cr-Commit-Position: refs/heads/master@{#577174}
[modify] https://crrev.com/038bf28ab1cdb1eb13bf99568a10fc4511c5a2d9/ios/web/web_state/ui/crw_web_controller.mm

The following revision refers to this bug:
  https://chrome-internal.googlesource.com/chrome/ios_internal.git/+/d2a58b5d2e042fb7b9e812c1939ad2313cb6a991

commit d2a58b5d2e042fb7b9e812c1939ad2313cb6a991
Author: Danyao Wang <danyao@chromium.org>
Date: Mon Jul 23 19:53:34 2018

[Auto-generated comment by a script] We noticed that this issue is targeted for M-69; it appears the fix may have landed after branch point, meaning a merge might be required. Please confirm if a merge is required here - if so add Merge-Request-69 label, otherwise remove Merge-TBD label. Thanks.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/e6c09732840487bf76d3b775ce969bc9cdc06c26

commit e6c09732840487bf76d3b775ce969bc9cdc06c26
Author: Danyao Wang <danyao@chromium.org>
Date: Tue Jul 24 16:09:21 2018

[Nav Experiment] Improve comments in |loadCurrentURL|.

I missed this suggestion in http://crrev.com/c/1145725

Bug:  865985 
Cq-Include-Trybots: luci.chromium.try:ios-simulator-full-configs;master.tryserver.chromium.mac:ios-simulator-cronet
Change-Id: Ie656457f7acf0acb5da81cfc267a7962acb62cc3
Reviewed-on: https://chromium-review.googlesource.com/1146902
Reviewed-by: Kurt Horimoto <kkhorimoto@chromium.org>
Commit-Queue: Danyao Wang <danyao@chromium.org>
Cr-Commit-Position: refs/heads/master@{#577567}
[modify] https://crrev.com/e6c09732840487bf76d3b775ce969bc9cdc06c26/ios/web/web_state/ui/crw_web_controller.mm

Your change meets the bar and is auto-approved for M69. Please go ahead and merge the CL to branch 3497 manually. Please contact milestone owner if you have questions.
Owners: amineer@(Android), kariahda@(iOS), cindyb@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/682a1b5003f371ef5fac4dab0a36e4f972a491e3

commit 682a1b5003f371ef5fac4dab0a36e4f972a491e3
Author: Danyao Wang <danyao@chromium.org>
Date: Thu Jul 26 19:21:33 2018

[Nav Experiment] Defer loading URL if web usage is not enabled.

Cherry-pick for M69 (refs/branch-heads/3497).

The SlimNav experiment is hitting the CHECK(_webUsageEnabled) in
-ensureWebViewCreatedWithConfiguration when loading placeholder
URL while web usage is disabled. One cause for this situation is when
clearing website data while an interstitial is presented over a native
view. WebInterstitialImpl::DontProceed() is called after web usage is
disabled and it triggers the reload of the native view, which in turn
triggers the placeholder load. Deferring the load fixes the problem,
because the web view is recreated immediately after.

Other causes for placeholder load when web usage is disabled exist, but
the causes are not fully understood. This CL fixes the crashes in these
cases as well. This should uncover behavior changes, that hopefully give
us more details to fix the root cause later.

A downstream egtest for the interstitial case is added in
http://chrome-internal-review.googlesource.com/c/chrome/ios_internal/+/654301

Bug:  865985 
Cq-Include-Trybots: luci.chromium.try:ios-simulator-full-configs;master.tryserver.chromium.mac:ios-simulator-cronet
Change-Id: I03d928ce82d128c2f67f36e204731576e479d497
Reviewed-on: https://chromium-review.googlesource.com/1145725
Reviewed-by: Kurt Horimoto <kkhorimoto@chromium.org>
Commit-Queue: Danyao Wang <danyao@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#577174}(cherry picked from commit 038bf28ab1cdb1eb13bf99568a10fc4511c5a2d9)
Reviewed-on: https://chromium-review.googlesource.com/1151913
Reviewed-by: Danyao Wang <danyao@chromium.org>
Cr-Commit-Position: refs/branch-heads/3497@{#122}
Cr-Branched-From: 271eaf50594eb818c9295dc78d364aea18c82ea8-refs/heads/master@{#576753}
[modify] https://crrev.com/682a1b5003f371ef5fac4dab0a36e4f972a491e3/ios/web/web_state/ui/crw_web_controller.mm

Verified in 70.0.3508.0 Canary in iPhone X(iOS 11.4.1), iPhone 8plus(iOS 12 beta 5), iPad Air (iOS 11.4.1)

Followed the steps mentioned in comment#1 for the 'Disable web usage triggers clear transient view, which triggers reload of NTP  (http://crash/1c500735f336675e)'. The crash is not happening now looks good

Note: No reproducible steps for #1 and #3 crashes mentioned in comment #1.

Verified in 69.0.3497.22 beta in iPhone 7(iOS 11.4.1), iPad mini(iOS 10.3.3) and iPhone 8plus(iOS 12 beta 5)

Followed the steps mentioned in comment#1 for the 'Disable web usage triggers clear transient view, which triggers reload of NTP  (http://crash/1c500735f336675e)'. The crash is not happening now looks good

Note: No reproducible steps for #1 and #3 crashes mentioned in comment #1.