My best guess is that this happens when:

1) Request is made
2) Profile is destroyed, which destroys ResourceContext
3) WebRequestAPI, which is a BrowserContextKeyedAPI, gets destroyed because of that
4) WebRequestAPI posts a task to destroy proxies: https://cs.chromium.org/chromium/src/extensions/browser/api/web_request/web_request_api.cc?l=519&rcl=da3d369acf18c339183b77840d42a4c96cb00d72
5) Request client is destroyed, causing the WebRequestProxyingURLLoaderFactory::InProgressRequest::OnRequestError handler to run which uses ResourceContext which has already be destroyed

Since the proxies have to wait for the task to be destroyed, some of the BrowserContext scoped data held by them can be invalid.

Issue 878574 has been merged into this issue.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/a475e1abdde98c7315fd567687935576ac47ca4a

commit a475e1abdde98c7315fd567687935576ac47ca4a
Author: Clark DuVall <cduvall@chromium.org>
Date: Thu Aug 30 20:44:06 2018

Fix crash in web request proxies connection error handler

When WebRequestAPI is destroyed, it posts a task to the IO thread to
shutdown the proxies. This crash can happen when the WebRequestAPI is
destroyed, and a connection error happens on one of the proxies (which
accesses data destroyed by the profile) before the ProxySet can be fully
shutdown on the IO thread. This change adds an atomic flag to check to
make sure the WebRequestAPI has not been destroyed before running error
handlers.

Bug:  878366 
Change-Id: I2f7b98c1d6df7c53a5917444ac996e9b5ef4e794
Reviewed-on: https://chromium-review.googlesource.com/1196031
Reviewed-by: Ken Rockot <rockot@chromium.org>
Commit-Queue: Clark DuVall <cduvall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#587749}
[modify] https://crrev.com/a475e1abdde98c7315fd567687935576ac47ca4a/chrome/browser/extensions/api/web_request/web_request_apitest.cc
[modify] https://crrev.com/a475e1abdde98c7315fd567687935576ac47ca4a/extensions/browser/api/web_request/web_request_api.cc
[modify] https://crrev.com/a475e1abdde98c7315fd567687935576ac47ca4a/extensions/browser/api/web_request/web_request_api.h
[modify] https://crrev.com/a475e1abdde98c7315fd567687935576ac47ca4a/extensions/browser/api/web_request/web_request_proxying_url_loader_factory.cc
[modify] https://crrev.com/a475e1abdde98c7315fd567687935576ac47ca4a/extensions/browser/api/web_request/web_request_proxying_websocket.cc

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/63affad9eb485822ced25a7333acc20e36aefdd3

commit 63affad9eb485822ced25a7333acc20e36aefdd3
Author: Clark DuVall <cduvall@chromium.org>
Date: Fri Aug 31 01:37:29 2018

Revert "Fix crash in web request proxies connection error handler"

This reverts commit a475e1abdde98c7315fd567687935576ac47ca4a.

Reason for revert: Test failing on Win debug and msan.

Original change's description:
> Fix crash in web request proxies connection error handler
> 
> When WebRequestAPI is destroyed, it posts a task to the IO thread to
> shutdown the proxies. This crash can happen when the WebRequestAPI is
> destroyed, and a connection error happens on one of the proxies (which
> accesses data destroyed by the profile) before the ProxySet can be fully
> shutdown on the IO thread. This change adds an atomic flag to check to
> make sure the WebRequestAPI has not been destroyed before running error
> handlers.
> 
> Bug:  878366 
> Change-Id: I2f7b98c1d6df7c53a5917444ac996e9b5ef4e794
> Reviewed-on: https://chromium-review.googlesource.com/1196031
> Reviewed-by: Ken Rockot <rockot@chromium.org>
> Commit-Queue: Clark DuVall <cduvall@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#587749}

TBR=rockot@chromium.org,cduvall@chromium.org

Change-Id: I5825fdb5449001062095bd56ed39eb8b76e055e3
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug:  878366 
Reviewed-on: https://chromium-review.googlesource.com/1198488
Reviewed-by: Clark DuVall <cduvall@chromium.org>
Commit-Queue: Clark DuVall <cduvall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#587902}
[modify] https://crrev.com/63affad9eb485822ced25a7333acc20e36aefdd3/chrome/browser/extensions/api/web_request/web_request_apitest.cc
[modify] https://crrev.com/63affad9eb485822ced25a7333acc20e36aefdd3/extensions/browser/api/web_request/web_request_api.cc
[modify] https://crrev.com/63affad9eb485822ced25a7333acc20e36aefdd3/extensions/browser/api/web_request/web_request_api.h
[modify] https://crrev.com/63affad9eb485822ced25a7333acc20e36aefdd3/extensions/browser/api/web_request/web_request_proxying_url_loader_factory.cc
[modify] https://crrev.com/63affad9eb485822ced25a7333acc20e36aefdd3/extensions/browser/api/web_request/web_request_proxying_websocket.cc

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/eb70882071cfaea93b0126a724cf0c135076f1c6

commit eb70882071cfaea93b0126a724cf0c135076f1c6
Author: Clark DuVall <cduvall@chromium.org>
Date: Fri Aug 31 03:09:02 2018

Reland "Fix crash in web request proxies connection error handler"

This is a reland of a475e1abdde98c7315fd567687935576ac47ca4a

Test needed to call Shutdown() so WebRequestAPI is cleaned up properly.

Original change's description:
> Fix crash in web request proxies connection error handler
>
> When WebRequestAPI is destroyed, it posts a task to the IO thread to
> shutdown the proxies. This crash can happen when the WebRequestAPI is
> destroyed, and a connection error happens on one of the proxies (which
> accesses data destroyed by the profile) before the ProxySet can be fully
> shutdown on the IO thread. This change adds an atomic flag to check to
> make sure the WebRequestAPI has not been destroyed before running error
> handlers.
>
> Bug:  878366 
> Change-Id: I2f7b98c1d6df7c53a5917444ac996e9b5ef4e794
> Reviewed-on: https://chromium-review.googlesource.com/1196031
> Reviewed-by: Ken Rockot <rockot@chromium.org>
> Commit-Queue: Clark DuVall <cduvall@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#587749}

TBR=rockot@chromium.org

Bug:  878366 
Change-Id: I97ab12e12fe4955af94138ec5bb64c1391d27598
Reviewed-on: https://chromium-review.googlesource.com/1198567
Reviewed-by: Clark DuVall <cduvall@chromium.org>
Commit-Queue: Clark DuVall <cduvall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#587927}
[modify] https://crrev.com/eb70882071cfaea93b0126a724cf0c135076f1c6/chrome/browser/extensions/api/web_request/web_request_apitest.cc
[modify] https://crrev.com/eb70882071cfaea93b0126a724cf0c135076f1c6/extensions/browser/api/web_request/web_request_api.cc
[modify] https://crrev.com/eb70882071cfaea93b0126a724cf0c135076f1c6/extensions/browser/api/web_request/web_request_api.h
[modify] https://crrev.com/eb70882071cfaea93b0126a724cf0c135076f1c6/extensions/browser/api/web_request/web_request_proxying_url_loader_factory.cc
[modify] https://crrev.com/eb70882071cfaea93b0126a724cf0c135076f1c6/extensions/browser/api/web_request/web_request_proxying_websocket.cc

Re-opening this for further investigation as there are still crashes seen on 71.0.3541.0.

Magic signature extensions::WebRequestProxyingWebSocket::OnError

Link to the crashes:
===================
https://crash.corp.google.com/browse?q=expanded_custom_data.ChromeCrashProto.magic_signature_1.name%3D%27extensions%3A%3AWebRequestProxyingWebSocket%3A%3AOnError%27+AND+expanded_custom_data.ChromeCrashProto.ptype%3D%27browser%27#-property-selector,-samplereports,+productname,+productversion:1000,+directory,-clientid,+operatingsystem,+url,+simplifiedurl,+extensions

Magic signature InstantIOContext::IsInstantProcess duped here in C#4(Issue 878574)

Link to the crashes:
=====================
https://crash.corp.google.com/browse?q=expanded_custom_data.ChromeCrashProto.magic_signature_1.name%3D%27InstantIOContext%3A%3AIsInstantProcess%27+AND+expanded_custom_data.ChromeCrashProto.ptype%3D%27browser%27#-propertyselector,productname:1000,productversion:100,-magicsignature:50,-magicsignature2:50,-stablesignature:50,-magicsignaturesorted:50

Fix for this bug is in review at http://crrev.com/c/1205470

 Issue 880114  has been merged into this issue.

if you're interested, I have a reliable repro for this in  issue 880114 . I can verify after lands, if you want.

Thanks for the repro, it looks like the WebRequestProxyingWebSocket crash is actually different than the WebRequestProxyingURLLoader crash. I'm going to reopen the original bug on that crash (issue 878574), and put up a fix for that one too.

Looks like the WebRequestProxyingURLLoaderFactory crash is no longer showing up in 71.0.3543.0 canary, I'm going to close this. The WebRequestProxyingWebSocket crash is tracked in issue 878574.

clark, let's get this into M70 branch.

This bug requires manual review: Reverts referenced in bugdroid comments after merge request.
Please contact the milestone owner if you have questions.
Owners: benmason@(Android), kariahda@(iOS), geohsu@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Looks like bugdroid hasn't posted a comment yet, but this merge request is for http://crrev.com/c/1205470.

approved branch:3538

This was merged into M70 in http://crrev.com/c/1207354 if bugdroid doesn't comment again.

Here's a summary of the rules that were executed: 
 - OnlyMergeApprovedChange: Rule Failed -- Revision 61a92ca6b14054280304985768ff4032a304f33c was merged to refs/branch-heads/3538 branch with no merge approval from a TPM! 
Please explain why this change was merged to the branch!

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/86bc694455e1e754512434f1d44a4f3fc84a7821

commit 86bc694455e1e754512434f1d44a4f3fc84a7821
Author: Clark DuVall <cduvall@chromium.org>
Date: Tue Sep 04 23:47:28 2018

Fix web request proxy crash by moving ownership to ResourceContext

The web request proxies will now be owned completely on the IO thread by
ResourceContext. This should prevent any handlers from being run after
the ResourceContext is destroyed.

Bug:  878366 
Change-Id: I629d81597ee3ab3835a63ebe47cb97fa4497b36a
Reviewed-on: https://chromium-review.googlesource.com/1205470
Reviewed-by: Ken Rockot <rockot@chromium.org>
Reviewed-by: Reilly Grant <reillyg@chromium.org>
Commit-Queue: Clark DuVall <cduvall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#588692}
[modify] https://crrev.com/86bc694455e1e754512434f1d44a4f3fc84a7821/extensions/browser/api/web_request/web_request_api.cc
[modify] https://crrev.com/86bc694455e1e754512434f1d44a4f3fc84a7821/extensions/browser/api/web_request/web_request_api.h
[modify] https://crrev.com/86bc694455e1e754512434f1d44a4f3fc84a7821/extensions/browser/api/web_request/web_request_proxying_url_loader_factory.cc
[modify] https://crrev.com/86bc694455e1e754512434f1d44a4f3fc84a7821/extensions/browser/api/web_request/web_request_proxying_url_loader_factory.h
[modify] https://crrev.com/86bc694455e1e754512434f1d44a4f3fc84a7821/extensions/browser/api/web_request/web_request_proxying_websocket.cc
[modify] https://crrev.com/86bc694455e1e754512434f1d44a4f3fc84a7821/extensions/browser/api/web_request/web_request_proxying_websocket.h

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/61a92ca6b14054280304985768ff4032a304f33c

commit 61a92ca6b14054280304985768ff4032a304f33c
Author: Clark DuVall <cduvall@chromium.org>
Date: Wed Sep 05 16:43:31 2018

Fix web request proxy crash by moving ownership to ResourceContext

The web request proxies will now be owned completely on the IO thread by
ResourceContext. This should prevent any handlers from being run after
the ResourceContext is destroyed.

Bug:  878366 
Change-Id: I629d81597ee3ab3835a63ebe47cb97fa4497b36a
Reviewed-on: https://chromium-review.googlesource.com/1205470
Reviewed-by: Ken Rockot <rockot@chromium.org>
Reviewed-by: Reilly Grant <reillyg@chromium.org>
Commit-Queue: Clark DuVall <cduvall@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#588692}(cherry picked from commit 86bc694455e1e754512434f1d44a4f3fc84a7821)
Reviewed-on: https://chromium-review.googlesource.com/1207354
Reviewed-by: Clark DuVall <cduvall@chromium.org>
Cr-Commit-Position: refs/branch-heads/3538@{#50}
Cr-Branched-From: 79f7c91a2b2a2932cd447fa6f865cb6662fa8fa6-refs/heads/master@{#587811}
[modify] https://crrev.com/61a92ca6b14054280304985768ff4032a304f33c/extensions/browser/api/web_request/web_request_api.cc
[modify] https://crrev.com/61a92ca6b14054280304985768ff4032a304f33c/extensions/browser/api/web_request/web_request_api.h
[modify] https://crrev.com/61a92ca6b14054280304985768ff4032a304f33c/extensions/browser/api/web_request/web_request_proxying_url_loader_factory.cc
[modify] https://crrev.com/61a92ca6b14054280304985768ff4032a304f33c/extensions/browser/api/web_request/web_request_proxying_url_loader_factory.h
[modify] https://crrev.com/61a92ca6b14054280304985768ff4032a304f33c/extensions/browser/api/web_request/web_request_proxying_websocket.cc
[modify] https://crrev.com/61a92ca6b14054280304985768ff4032a304f33c/extensions/browser/api/web_request/web_request_proxying_websocket.h