Issue 651303

Issue metadata

Status: Verified
Owner:
Closed: Jan 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux, Windows, Chrome, Mac
Pri: 3
Type: Bug



[people] keeps segfaulting when signin or sync policies change

Project Member Reported by dbeam@chromium.org, Sep 29 2016

Issue description

bugs: repro steps (I did X and expected Y but Z happened!)

0) open chrome://md-settings
1) change "SigninAllowed" or "SyncDisabled" policies (while md-settings is running)

what do you expect?
stuff not to explode

what happens instead?
segfault with sync_driver::SyncServiceObserver::OnStateChange() on the stack
 

Comment 1 by zea@chromium.org, Sep 29 2016

Do you have the full stack available? Would be good to know what call is happening that triggers the segfault.

Comment 2 by dbeam@chromium.org, Sep 30 2016

[5722:5722:0929/203614:FATAL:signin_tracker.cc(47)] Check failed: false.
#0 0x7fe873e06cde base::debug::StackTrace::StackTrace()
#1 0x7fe873e74b3f logging::LogMessage::~LogMessage()
#2 0x7fe8798382b9 SigninTracker::OnRefreshTokenRevoked()
#3 0x7fe874cf6d44 OAuth2TokenServiceDelegate::FireRefreshTokenRevoked()
#4 0x7fe87625f837 MutableProfileOAuth2TokenServiceDelegate::RevokeCredentials()
#5 0x7fe87625f2ae MutableProfileOAuth2TokenServiceDelegate::RevokeAllCredentials()
#6 0x7fe874ce2193 OAuth2TokenService::RevokeAllCredentials()
#7 0x7fe876e36b73 SigninManager::SignOut()
#8 0x7fe876e371b6 SigninManager::OnSigninAllowedPrefChanged()
#9 0x7fe874cea3e9 _ZN4base8internal13FunctorTraitsIMN18OAuth2TokenService7FetcherEFvvEvE6InvokeIPS3_JEEEvS5_OT_DpOT0_
#10 0x7fe874cea311 _ZN4base8internal12InvokeHelperILb0EvE8MakeItSoIRKMN18OAuth2TokenService7FetcherEFvvEJPS5_EEEvOT_DpOT0_
#11 0x7fe876e3b427 _ZN4base8internal7InvokerINS0_9BindStateIM13SigninManagerFvvEJNS0_17UnretainedWrapperIS3_EEEEEFvvEE7RunImplIRKS5_RKSt5tupleIJS7_EEJLm0EEEEvOT_OT0_NS_13IndexSequenceIJXspT1_EEEE
#12 0x7fe876e3b36c _ZN4base8internal7InvokerINS0_9BindStateIM13SigninManagerFvvEJNS0_17UnretainedWrapperIS3_EEEEEFvvEE3RunEPNS0_13BindStateBaseE
#13 0x7fe8712dba6b base::internal::RunMixin<>::Run()
#14 0x7fe8712ec15c subtle::PrefMemberBase::InvokeUnnamedCallback()
#15 0x7fe8750c696f _ZN4base8internal13FunctorTraitsIPFvRKNS_8CallbackIFvN10extensions18BluetoothApiSocket11ErrorReasonERKSsELNS0_8CopyModeE1ELNS0_10RepeatModeE1EEES7_EvE6InvokeIJSD_S7_EEEvSF_DpOT_
#16 0x7fe8750c691d _ZN4base8internal12InvokeHelperILb0EvE8MakeItSoIRKPFvRKNS_8CallbackIFvN10extensions18BluetoothApiSocket11ErrorReasonERKSsELNS0_8CopyModeE1ELNS0_10RepeatModeE1EEES9_EJSF_S9_EEEvOT_DpOT0_
#17 0x7fe875f9afe7 _ZN4base8internal7InvokerINS0_9BindStateIPFvRKNS_8CallbackIFvvELNS0_8CopyModeE1ELNS0_10RepeatModeE1EEERKSsEJS7_EEEFvSB_EE7RunImplIRKSD_RKSt5tupleIJS7_EEJLm0EEEEvOT_OT0_NS_13IndexSequenceIJXspT1_EEEESB_
#18 0x7fe875f9af1c _ZN4base8internal7InvokerINS0_9BindStateIPFvRKNS_8CallbackIFvvELNS0_8CopyModeE1ELNS0_10RepeatModeE1EEERKSsEJS7_EEEFvSB_EE3RunEPNS0_13BindStateBaseESB_
#19 0x7fe8712e92d6 base::internal::RunMixin<>::Run()
#20 0x7fe8712ed9f5 _ZN4base8internal13FunctorTraitsINS_8CallbackIFvRKSsELNS0_8CopyModeE1ELNS0_10RepeatModeE1EEEvE6InvokeIRKS8_JS4_EEEvOT_DpOT0_
#21 0x7fe8712ed882 _ZN4base8internal12InvokeHelperILb0EvE8MakeItSoIRKNS_8CallbackIFvRKSsELNS0_8CopyModeE1ELNS0_10RepeatModeE1EEEJS6_EEEvOT_DpOT0_
#22 0x7fe8712ed842 _ZN4base8internal7InvokerINS0_9BindStateINS_8CallbackIFvRKSsELNS0_8CopyModeE1ELNS0_10RepeatModeE1EEEJSsEEEFvvEE7RunImplIRKS9_RKSt5tupleIJSsEEJLm0EEEEvOT_OT0_NS_13IndexSequenceIJXspT1_EEEE
#23 0x7fe8712ed78c _ZN4base8internal7InvokerINS0_9BindStateINS_8CallbackIFvRKSsELNS0_8CopyModeE1ELNS0_10RepeatModeE1EEEJSsEEEFvvEE3RunEPNS0_13BindStateBaseE
#24 0x7fe873dd712b base::internal::RunMixin<>::Run()
#25 0x7fe873de0b13 base::ScopedClosureRunner::~ScopedClosureRunner()
#26 0x7fe8712ec0a4 subtle::PrefMemberBase::Internal::UpdateValue()
#27 0x7fe8712ebbfa subtle::PrefMemberBase::UpdateValueFromPref()
#28 0x7fe8712ebced subtle::PrefMemberBase::OnPreferenceChanged()
#29 0x7fe8712f0ecd PrefNotifierImpl::FireObservers()
#30 0x7fe8712f0a6f PrefNotifierImpl::OnPreferenceChanged()
#31 0x7fe8713107a2 PrefValueStore::NotifyPrefChanged()
#32 0x7fe87130fc43 PrefValueStore::OnPrefValueChanged()
#33 0x7fe87130fc14 PrefValueStore::PrefStoreKeeper::OnPrefValueChanged()
#34 0x7fe86a652514 policy::ConfigurationPolicyPrefStore::Refresh()
#35 0x7fe86a652345 policy::ConfigurationPolicyPrefStore::OnPolicyUpdated()
#36 0x7fe86a70cdaa policy::PolicyServiceImpl::NotifyNamespaceUpdated()
#37 0x7fe86a70b752 policy::PolicyServiceImpl::MergeAndTriggerUpdates()
#38 0x7fe86a63ea2e _ZN4base8internal13FunctorTraitsIMN6policy19URLBlacklistManagerEFvvEvE6InvokeIRKNS_7WeakPtrIS3_EEJEEEvS5_OT_DpOT0_
#39 0x7fe86a7187ca _ZN4base8internal12InvokeHelperILb1EvE8MakeItSoIRKMN6policy17PolicyServiceImplEFvvERKNS_7WeakPtrIS5_EEJEEEvOT_OT0_DpOT1_
#40 0x7fe86a718752 _ZN4base8internal7InvokerINS0_9BindStateIMN6policy17PolicyServiceImplEFvvEJNS_7WeakPtrIS4_EEEEEFvvEE7RunImplIRKS6_RKSt5tupleIJS8_EEJLm0EEEEvOT_OT0_NS_13IndexSequenceIJXspT1_EEEE
#41 0x7fe86a71869c _ZN4base8internal7InvokerINS0_9BindStateIMN6policy17PolicyServiceImplEFvvEJNS_7WeakPtrIS4_EEEEEFvvEE3RunEPNS0_13BindStateBaseE
#42 0x7fe873dd712b base::internal::RunMixin<>::Run()
#43 0x7fe873e0c641 base::debug::TaskAnnotator::RunTask()
#44 0x7fe873e9c69f base::MessageLoop::RunTask()
#45 0x7fe873e9c8e4 base::MessageLoop::DeferOrRunPendingTask()
#46 0x7fe873e9cbae base::MessageLoop::DoWork()
#47 0x7fe873eb44c6 base::MessagePumpGlib::Run()
#48 0x7fe873e9c256 base::MessageLoop::RunHandler()
#49 0x7fe873f41354 base::RunLoop::Run()
#50 0x7fe8764d409f ChromeBrowserMainParts::MainMessageLoopRun()
#51 0x7fe86dd873a9 content::BrowserMainLoop::RunMainMessageLoopParts()
#52 0x7fe86dd92065 content::BrowserMainRunnerImpl::Run()
#53 0x7fe86dd80f18 content::BrowserMain()
#54 0x7fe86fb67ae6 content::RunNamedProcessTypeMain()
#55 0x7fe86fb69f72 content::ContentMainRunnerImpl::Run()
#56 0x7fe86fb66b82 content::ContentMain()
#57 0x7fe874c7f46b ChromeMain
#58 0x7fe874c7f402 main
#59 0x7fe861f2cf45 __libc_start_main
#60 0x7fe874c7f305 <unknown>

Aborted (core dumped)

Comment 3 by dbeam@chromium.org, Sep 30 2016

btw, the debug build seems to be hitting a NOTREACHED() ^ far earlier (than the segfault I was seeing that's settings-specific), so the stack is different, but it may be related

Comment 4 by zea@chromium.org, Sep 30 2016

Components: Services>SignIn
+Signin folks. Looks like the SigninTracker doesn't expect the refresh token to be revoked?
In those repro steps, when are you signing in? IIRC the SigninTracker is a temporary object that only exists during sign in, which is why it doesn't expect the token being revoked (there's no token when it's created and its job is partly to figure out when the token is obtained).

The fact that there's a SigninTracker seems to indicate that either:

1. You've just signed in and the flow isn't completed yet, so SigninTracker still exists when the token is revoked.
2. SigninTracker wrongfully lives after it's done doing its work.

In any case, I think that NOTREACHED() is valid. We shouldn't be getting TokenRevoked while SigninTracker is alive but it should also probably not crash release. I'd be interested to know what the segfault dbeam mentions in #3 is about, although I doubt it's related to SigninTracker NOTREACHED()'ing. Maybe try removing that NOTREACH and repro'ing to get the later stack trace?
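
A C++ model of the lifetime concern discussed in the comment above, added here as an illustration; it is not Chromium code and not the change that landed for this bug. TokenService, TokenObserver and SigninFlowTracker are hypothetical names: the tracker unregisters itself on destruction and records a revocation during a pending sign-in as a failure.

```cpp
#include <algorithm>
#include <string>
#include <vector>

// Hypothetical stand-ins for a token service and its observers (not Chromium's classes).
struct TokenObserver {
  virtual ~TokenObserver() = default;
  virtual void OnRefreshTokenAvailable(const std::string& account) = 0;
  virtual void OnRefreshTokenRevoked(const std::string& account) = 0;
};
class TokenService {
 public:
  void AddObserver(TokenObserver* o) { observers_.push_back(o); }
  void RemoveObserver(TokenObserver* o) {
    observers_.erase(std::remove(observers_.begin(), observers_.end(), o), observers_.end());
  }
  void RevokeAllCredentials(const std::string& a) { for (auto* o : observers_) o->OnRefreshTokenRevoked(a); }
  std::size_t observer_count() const { return observers_.size(); }
 private:
  std::vector<TokenObserver*> observers_;
};
enum class SigninState { kPending, kSucceeded, kFailed };
// Short-lived tracker: registers for one sign-in flow, unregisters on destruction.
class SigninFlowTracker : public TokenObserver {
 public:
  explicit SigninFlowTracker(TokenService* s) : service_(s) { service_->AddObserver(this); }
  ~SigninFlowTracker() override { service_->RemoveObserver(this); }
  void OnRefreshTokenAvailable(const std::string&) override { state_ = SigninState::kSucceeded; }
  void OnRefreshTokenRevoked(const std::string&) override {
    // Policy can sign the user out mid-flow: record a failure, do not assert.
    if (state_ == SigninState::kPending) state_ = SigninState::kFailed;
  }
  SigninState state() const { return state_; }
 private:
  TokenService* service_;
  SigninState state_ = SigninState::kPending;
};
// Constructed scenario 1: credentials are revoked while sign-in is still pending.
SigninState RevokeDuringSignin() {
  TokenService service;
  SigninFlowTracker tracker(&service);
  service.RevokeAllCredentials("user@example.com");
  return tracker.state();
}
// Constructed scenario 2: the tracker is destroyed, so no observer remains registered.
std::size_t ObserversAfterFlowEnds() {
  TokenService service;
  { SigninFlowTracker tracker(&service); }
  return service.observer_count();
}
```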

Comment 6 by dbeam@chromium.org, Sep 30 2016

anthonyvd@: sign in then disable sync by policy (which can happen at any time) fairly soon after

Comment 7 by bugdroid1@chromium.org, Dec 22 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/7c176719b12185d6ddbf531d825884dfb457e755

commit 7c176719b12185d6ddbf531d825884dfb457e755
Author: tommycli <tommycli@chromium.org>
Date: Thu Dec 22 22:50:47 2016

MD Settings: Fix policy-related ProfileSyncService crashes.

General repro steps:
 1) Sign in with MD Settings.
 2) Set SyncDisabled to true and wait for it to take effect.
 3) MD Settings will crash shortly.

BUG= 651303 

Review-Url: https://codereview.chromium.org/2598073002
Cr-Commit-Position: refs/heads/master@{#440531}

[modify] https://crrev.com/7c176719b12185d6ddbf531d825884dfb457e755/chrome/browser/ui/webui/settings/people_handler.cc

Comment 8 by dbeam@chromium.org, Jan 7 2017

Labels: Hotlist-MD-Settings-People
Status: Started (was: Assigned)
tommycli@: still a problem?

Comment 9 by dbeam@chromium.org, Jan 7 2017

Labels: -Pri-2 Pri-3
Status: Fixed (was: Started)
https://codereview.chromium.org/2603453002 also landed for this bug.

I fixed the two crashes I found. I'll close this for now, and re-open if we discover any more Policy related crashes.
Status: Verified (was: Fixed)
Chrome OS 9532.0.0, 60.0.3092.0