The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/1cc20e72617821bec929076a4c37f06d22486f0b

commit 1cc20e72617821bec929076a4c37f06d22486f0b
Author: mrefaat <mrefaat@chromium.org>
Date: Wed Sep 19 00:21:52 2018

Fix WKHTTPSystemCookieStore crash caused by object being deleted.

WKHTTPSystemCookieStore object can be deleted while there are some
pending callbacks, these callbacks needs to check if the object is alive
or not and based on that either early return or continue running.

We only need to keep a valid pointer to the WKHTTPCookieStore, the problem
that happens when the WKHTTPSystemCookieStore object is deleted is the pointer
it self become invalid, so the solution is to copy the weak pointer of
WKHTTPCookieStore inside the WKHTTPSystemCookieStore methods, so it remains
valid inside the blocks.

Bug:  883909 
Cq-Include-Trybots: luci.chromium.try:ios-simulator-cronet;luci.chromium.try:ios-simulator-full-configs
Change-Id: Ie499c368859ec4b604ea1cd97c971b7597bc5b57
Reviewed-on: https://chromium-review.googlesource.com/1225750
Reviewed-by: Eugene But <eugenebut@chromium.org>
Commit-Queue: Mohammad Refaat <mrefaat@chromium.org>
Cr-Commit-Position: refs/heads/master@{#592278}
[modify] https://crrev.com/1cc20e72617821bec929076a4c37f06d22486f0b/ios/net/cookies/system_cookie_store.h
[modify] https://crrev.com/1cc20e72617821bec929076a4c37f06d22486f0b/ios/web/net/cookies/wk_http_system_cookie_store.mm

This bug requires manual review: Less than 23 days to go before AppStore submit on M70
Please contact the milestone owner if you have questions.
Owners: benmason@(Android), kariahda@(iOS), geohsu@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Are unit tests a possibility here? Or more eg tests? Also let's verify this on canary please.

Not sure why more eg tests, the existing eg tests actually caught the problem.
i verified on canary. subhashinik@ please take a look
The crash used to happen when clearing cookies happen while in incognito.

Tested on latest M71 build(71.0.3558.0) and on old version of M71(71.0.3549.0) on iPhone 6plus(iOS 10.3.3), iPhone 6splus(iOS 12 GM) and iPad Air(iOS 11.4.1)

mrefaat@ , we tried following cases to clear cookies in incognito tabs

1. Close all incognito tabs
2. Clear browsing data
3. Induce browser crash
4. Device reboot
5. App cold start

In all the cases cookies cleared with no crash

Note #1: Tested with main, persistent and session cookies

Could you please let us know if there are any other repo steps for the crash so that we will follow the same to replicate the issue.

The crash is hard to reproduce on the device, i had to do the steps on CookiesTestCase/testSwitchToMain at least 10 times for it to crash (however the eg test was crashing consistently) that's always the case when having a crash that is caused by memory deallocation.

Per comment 7, assuming this is verified?

Approved.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b54aaaab9b787315580cce48ddf716a62264595e

commit b54aaaab9b787315580cce48ddf716a62264595e
Author: mrefaat <mrefaat@chromium.org>
Date: Thu Sep 27 03:12:18 2018

[Merge to M70] Fix WKHTTPSystemCookieStore crash caused by object being deleted.

WKHTTPSystemCookieStore object can be deleted while there are some
pending callbacks, these callbacks needs to check if the object is alive
or not and based on that either early return or continue running.

We only need to keep a valid pointer to the WKHTTPCookieStore, the problem
that happens when the WKHTTPSystemCookieStore object is deleted is the pointer
it self become invalid, so the solution is to copy the weak pointer of
WKHTTPCookieStore inside the WKHTTPSystemCookieStore methods, so it remains
valid inside the blocks.

(cherry picked from commit 1cc20e72617821bec929076a4c37f06d22486f0b)

Bug:  883909 
Cq-Include-Trybots: luci.chromium.try:ios-simulator-cronet;luci.chromium.try:ios-simulator-full-configs
Change-Id: Ie499c368859ec4b604ea1cd97c971b7597bc5b57
Reviewed-on: https://chromium-review.googlesource.com/1225750
Reviewed-by: Eugene But <eugenebut@chromium.org>
Commit-Queue: Mohammad Refaat <mrefaat@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#592278}
Reviewed-on: https://chromium-review.googlesource.com/1246593
Cr-Commit-Position: refs/branch-heads/3538@{#698}
Cr-Branched-From: 79f7c91a2b2a2932cd447fa6f865cb6662fa8fa6-refs/heads/master@{#587811}
[modify] https://crrev.com/b54aaaab9b787315580cce48ddf716a62264595e/ios/net/cookies/system_cookie_store.h
[modify] https://crrev.com/b54aaaab9b787315580cce48ddf716a62264595e/ios/web/net/cookies/wk_http_system_cookie_store.mm

The following revision refers to this bug: 
https://chromium.googlesource.com/chromium/src.git/+/b54aaaab9b787315580cce48ddf716a62264595e

Commit: b54aaaab9b787315580cce48ddf716a62264595e
Author: mrefaat@chromium.org
Commiter: mrefaat@chromium.org
Date: 2018-09-27 03:12:18 +0000 UTC

[Merge to M70] Fix WKHTTPSystemCookieStore crash caused by object being deleted.

WKHTTPSystemCookieStore object can be deleted while there are some
pending callbacks, these callbacks needs to check if the object is alive
or not and based on that either early return or continue running.

We only need to keep a valid pointer to the WKHTTPCookieStore, the problem
that happens when the WKHTTPSystemCookieStore object is deleted is the pointer
it self become invalid, so the solution is to copy the weak pointer of
WKHTTPCookieStore inside the WKHTTPSystemCookieStore methods, so it remains
valid inside the blocks.

(cherry picked from commit 1cc20e72617821bec929076a4c37f06d22486f0b)

Bug:  883909 
Cq-Include-Trybots: luci.chromium.try:ios-simulator-cronet;luci.chromium.try:ios-simulator-full-configs
Change-Id: Ie499c368859ec4b604ea1cd97c971b7597bc5b57
Reviewed-on: https://chromium-review.googlesource.com/1225750
Reviewed-by: Eugene But <eugenebut@chromium.org>
Commit-Queue: Mohammad Refaat <mrefaat@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#592278}
Reviewed-on: https://chromium-review.googlesource.com/1246593
Cr-Commit-Position: refs/branch-heads/3538@{#698}
Cr-Branched-From: 79f7c91a2b2a2932cd447fa6f865cb6662fa8fa6-refs/heads/master@{#587811}