This can happen:

NonClientView::UpdateFrame() calls
View::DoRemoveChildView() calls
TooltipManagerAura::UpdateTooltip() calls
View::GetTooltipHandlerForPoint()

which hit-tests through the View hierarchy. In particular, this can call into:

Tab::GetHitTestMask() calls
TabStrip::GetStrokeThickness() calls
TabStrip::ShouldDrawStrokes() calls
BrowserNonClientFrameView::GetFrameColor() calls
NonClientFrameView::ShouldPaintAsActive() which segfaults because the NonClientFrameView is currently being removed from the NonClientView.

This is easy to reproduce when running the InfoBarsTest.TestInfoBarsCloseOnNewTheme browser_test, but it can also happen organically depending on the mouse position before running that test (!!):

1) Run the test once, note where the second tab it creates appears
2) Position the mouse over that point on the screen
3) Run the test again

If this repros properly, you should see a tooltip appear for that tab, and then the test will crash like so:

BrowserTestBase received signal: Segmentation fault. Backtrace:
#0 0x000006255e6c base::debug::StackTrace::StackTrace()
#1 0x000006856545 content::(anonymous namespace)::DumpStackTraceSignalHandler()
#2 0x7f3e2f440030 <unknown>
#3 0x0000091f39fb BrowserNonClientFrameView::GetTabBackgroundColor()
#4 0x000009277a8d TabStrip::GetStrokeThickness()
#5 0x000009267665 Tab::GetHitTestMask()
#6 0x000009267fcd Tab::GetHitTestMask()
#7 0x0000092668ea views::MaskedTargeterDelegate::DoesIntersectRect()
#8 0x000006f2fd4d views::View::GetTooltipHandlerForPoint()
#9 0x000006f2fe5d views::View::GetTooltipHandlerForPoint()
#10 0x000009278f0a TabStrip::GetTooltipHandlerForPoint()
#11 0x000006f2fe5d views::View::GetTooltipHandlerForPoint()
#12 0x000006f2fe5d views::View::GetTooltipHandlerForPoint()
#13 0x000006f2fe5d views::View::GetTooltipHandlerForPoint()
#14 0x000006f4c2b9 views::NonClientView::GetTooltipHandlerForPoint()
#15 0x000006f2fe5d views::View::GetTooltipHandlerForPoint()
#16 0x000006f5c90f views::TooltipManagerAura::UpdateTooltip()
#17 0x000006f2ac3a views::View::DoRemoveChildView()
#18 0x000006f4be50 views::NonClientView::UpdateFrame()
#19 0x0000025af0b8 _ZN4base8internal7InvokerINS0_9BindStateIMN12_GLOBAL__N_116SimpleHttpServerEFviEJNS_7WeakPtrIS4_EEiEEEFvvEE7RunOnceEPNS0_13BindStateBaseE
#20 0x0000061aee5d base::debug::TaskAnnotator::RunTask()
#21 0x0000061addd6 base::MessageLoop::RunTask()
#22 0x0000061ae2e2 base::MessageLoop::DoWork()
#23 0x0000061b19df base::(anonymous namespace)::WorkSourceDispatch()
#24 0x7f3e34c5cfc7 g_main_context_dispatch
#25 0x7f3e34c5d200 <unknown>
#26 0x7f3e34c5d28c g_main_context_iteration
#27 0x0000061b170c base::MessagePumpGlib::Run()
#28 0x0000061ad7a1 base::MessageLoop::Run()
#29 0x0000061d9d36 base::RunLoop::Run()
#30 0x000006880685 content::RunAllPendingInMessageLoop()
#31 0x0000062a22c1 InProcessBrowserTest::PostRunTestOnMainThread()
#32 0x000006855c61 content::BrowserTestBase::ProxyRunTestOnMainThreadLoop()
#33 0x00000630dc62 ChromeBrowserMainParts::PreMainMessageLoopRunImpl()
#34 0x00000630c97a ChromeBrowserMainParts::PreMainMessageLoopRun()
#35 0x000004704b31 content::BrowserMainLoop::PreMainMessageLoopRun()
#36 0x000004be1025 content::StartupTaskRunner::RunAllTasksNow()
#37 0x0000047030f9 content::BrowserMainLoop::CreateStartupTasks()
#38 0x0000047079c3 content::BrowserMainRunnerImpl::Initialize()
#39 0x0000047009f2 content::BrowserMain()
#40 0x0000060f7ea8 content::ContentMainRunnerImpl::Run()
#41 0x000008238d89 service_manager::Main()
#42 0x0000060f60b1 content::ContentMain()
#43 0x0000068555de content::BrowserTestBase::SetUp()
#44 0x0000062a0982 InProcessBrowserTest::SetUp()
#45 0x00000391f37d testing::Test::Run()
#46 0x00000391ffe0 testing::TestInfo::Run()
#47 0x0000039204f7 testing::TestCase::Run()
#48 0x00000392bda7 testing::internal::UnitTestImpl::RunAllTests()

Assigning to noms@ since 73f4c306d69d51e5cd580b74d8cbf5820c4e3c67 looks very related.