
Issue 913336


Issue metadata

Status: Fixed
Owner:
Closed: Dec 21
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 1
Type: Bug




MacPWAs: PWAs crash when playing video

Project Member Reported by ccameron@chromium.org, Dec 10

Issue description

Play a video in any PWA (e.g., video in Google Photos), and it will crash almost immediately.
 
Cc: dominickn@chromium.org mgiuca@chromium.org ccameron@chromium.org
Owner: alancutter@chromium.org
Status: Assigned (was: Untriaged)
Assigning to Alan to confirm and triage. (Not sure if you're the right person to work on it.)
Crash stack from Canary 73.0.3639.0 (Official Build) canary (64-bit) Revision e428f176a90386a3ab8dccb657d236eac077209c-refs/branch-heads/3639@{#1}: https://crash.corp.google.com/browse?q=reportid=%273d69bd1c1a650f11%27

0x0000000110d935b1  (Google Chrome Framework -layer_impl.cc:132 ) <name omitted>
0x0000000110dfeee3  (Google Chrome Framework -draw_property_utils.cc:882 )  cc::draw_property_utils::ComputeDrawPropertiesOfVisibleLayers(std::__1::vector<cc::LayerImpl*, std::__1::allocator<cc::LayerImpl*> > const*, cc::PropertyTrees*)
0x0000000110e0f012  (Google Chrome Framework -layer_tree_host_common.cc:596 ) cc::CalculateDrawPropertiesInternal(cc::LayerTreeHostCommon::CalcDrawPropsImplInputs*, cc::PropertyTreeOption)
0x0000000110e2bd53  (Google Chrome Framework -layer_tree_impl.cc:1260 ) cc::LayerTreeImpl::UpdateDrawProperties(bool)
0x0000000110e11b91  (Google Chrome Framework -layer_tree_host_impl.cc:472 ) cc::LayerTreeHostImpl::UpdateSyncTreeAfterCommitOrImplSideInvalidation()
0x0000000110e11a98  (Google Chrome Framework -layer_tree_host_impl.cc:456 ) cc::LayerTreeHostImpl::CommitComplete()
0x0000000110e4e6a6  (Google Chrome Framework -proxy_impl.cc:599 ) cc::ProxyImpl::ScheduledActionCommit()
0x0000000110dc77f1  (Google Chrome Framework -scheduler.cc:801 )  cc::Scheduler::ProcessScheduledActions()
0x0000000110dc7fdf  (Google Chrome Framework -scheduler.cc:163 )  cc::Scheduler::NotifyReadyToCommit()
0x0000000110e4ccbc  (Google Chrome Framework -proxy_impl.cc:279 ) cc::ProxyImpl::NotifyReadyToCommitOnImpl(cc::CompletionEvent*, cc::LayerTreeHost*, base::TimeTicks, bool)
0x000000010fa58cb4  (Google Chrome Framework -callback.h:99 ) base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*)
0x000000010fac125c  (Google Chrome Framework -thread_controller_impl.cc:209 ) base::sequence_manager::internal::ThreadControllerImpl::DoWork(base::sequence_manager::internal::ThreadControllerImpl::WorkType)
0x000000010fa58cb4  (Google Chrome Framework -callback.h:99 ) base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*)
0x000000010fa742be  (Google Chrome Framework -message_loop_impl.cc:374 )  base::MessageLoopImpl::RunTask(base::PendingTask*)
0x000000010fa747d2  (Google Chrome Framework -message_loop_impl.cc:385 )  base::MessageLoopImpl::DoWork()
0x000000010fa75608  (Google Chrome Framework -message_pump_default.cc:39 )  base::MessagePumpDefault::Run(base::MessagePump::Delegate*)
0x000000010fa99674  (Google Chrome Framework -run_loop.cc:102 ) <name omitted>
0x000000010fae0fd5  (Google Chrome Framework -thread.cc:332 ) base::Thread::ThreadMain()
0x000000010fb13456  (Google Chrome Framework -platform_thread_posix.cc:81 ) base::(anonymous namespace)::ThreadFunc(void*)
0x00007fff5c287304  (libsystem_pthread.dylib + 0x00003304 ) _pthread_body
0x00007fff5c28a26e  (libsystem_pthread.dylib + 0x0000626e ) _pthread_start
0x00007fff5c286414  (libsystem_pthread.dylib + 0x00002414 ) thread_start
I don't seem to be able to repro this after the first time. Have tried launching from Applications/ and chrome:apps and after reinstalling.
I've created a minimal PWA site with a <video> element that crashes if you wave the mouse in and out of the running video: https://ruby-clover.glitch.me/
No useful stack trace unfortunately (even when forcing in_signal_handler = 1 in stack_trace_posix.cc).

Browser process:
[36650:775:1214/192152.160207:ERROR:app_shim_host_mac.cc(69)] Channel error custom_reason:0 description: 

App shim process:
Segmentation fault: 11
Found a stack trace for the mouse waving crash (attached to app_mode_launcher with Xcode). It died on GetNativeImageNamed() with EXC_BAD_ACCESS (code=1, address=0x0).

NSCursor* LoadCursor(int resource_id, int hotspot_x, int hotspot_y) {
  const gfx::Image& cursor_image =
      content::GetContentClient()->GetNativeImageNamed(resource_id);
  DCHECK(!cursor_image.IsEmpty());
  return [[[NSCursor alloc] initWithImage:cursor_image.ToNSImage()
                                  hotSpot:NSMakePoint(hotspot_x,
                                                      hotspot_y)] autorelease];
}

#0  (anonymous namespace)::LoadCursor(int, int, int)
#1  content::RenderWidgetHostNSViewBridgeLocal::DisplayCursor(content::WebCursor const&)
#2  content::mojom::RenderWidgetHostNSViewBridgeStubDispatch::Accept(content::mojom::RenderWidgetHostNSViewBridge*, mojo::Message*)
#3  mojo::InterfaceEndpointClient::HandleValidatedMessage(mojo::Message*)
#4  mojo::FilterChain::Accept(mojo::Message*)
#5  mojo::InterfaceEndpointClient::HandleIncomingMessage(mojo::Message*)
#6  mojo::internal::MultiplexRouter::ProcessIncomingMessage(mojo::internal::MultiplexRouter::MessageWrapper*, mojo::internal::MultiplexRouter::ClientCallBehavior, base::SequencedTaskRunner*)
#7  mojo::internal::MultiplexRouter::Accept(mojo::Message*)
#8  mojo::FilterChain::Accept(mojo::Message*)
#9  mojo::Connector::ReadSingleMessage(unsigned int*)
#10 mojo::Connector::ReadAllAvailableMessages()
#11 mojo::Connector::OnHandleReadyInternal(unsigned int)
#12 base::RepeatingCallback<void (unsigned int)>::Run(unsigned int) const & [inlined]
#13 mojo::SimpleWatcher::DiscardReadyState(base::RepeatingCallback<void (unsigned int)> const&, unsigned int, mojo::HandleSignalsState const&)
#14 base::RepeatingCallback<void (unsigned int, mojo::HandleSignalsState const&)>::Run(unsigned int, mojo::HandleSignalsState const&) const [inlined]
#15 mojo::SimpleWatcher::OnHandleReady(int, unsigned int, mojo::HandleSignalsState const&)
#16 void base::internal::FunctorTraits<void (mojo::SimpleWatcher::*)(int, unsigned int, mojo::HandleSignalsState const&), void>::Invoke<void (mojo::SimpleWatcher::*)(int, unsigned int, mojo::HandleSignalsState const&), base::WeakPtr<mojo::SimpleWatcher> const&, int const&, unsigned int const&, mojo::HandleSignalsState const&>(void (mojo::SimpleWatcher::*)(int, unsigned int, mojo::HandleSignalsState const&), base::WeakPtr<mojo::SimpleWatcher> const&&&, int const&&&, unsigned int const&&&, mojo::HandleSignalsState const&&&) [inlined]
#17 void base::internal::InvokeHelper<true, void>::MakeItSo<void (mojo::SimpleWatcher::* const&)(int, unsigned int, mojo::HandleSignalsState const&), base::WeakPtr<mojo::SimpleWatcher> const&, int const&, unsigned int const&, mojo::HandleSignalsState const&>(void (mojo::SimpleWatcher::* const&&&)(int, unsigned int, mojo::HandleSignalsState const&), base::WeakPtr<mojo::SimpleWatcher> const&&&, int const&&&, unsigned int const&&&, mojo::HandleSignalsState const&&&) [inlined]
#18 void base::internal::Invoker<base::internal::BindState<void (mojo::SimpleWatcher::*)(int, unsigned int, mojo::HandleSignalsState const&), base::WeakPtr<mojo::SimpleWatcher>, int, unsigned int, mojo::HandleSignalsState>, void ()>::RunImpl<void (mojo::SimpleWatcher::* const&)(int, unsigned int, mojo::HandleSignalsState const&), std::__1::tuple<base::WeakPtr<mojo::SimpleWatcher>, int, unsigned int, mojo::HandleSignalsState> const&, 0ul, 1ul, 2ul, 3ul>(void (mojo::SimpleWatcher::* const&&&)(int, unsigned int, mojo::HandleSignalsState const&), std::__1::tuple<base::WeakPtr<mojo::SimpleWatcher>, int, unsigned int, mojo::HandleSignalsState> const&&&, std::__1::integer_sequence<unsigned long, 0ul, 1ul, 2ul, 3ul>)
#19 base::OnceCallback<void ()>::Run() &&
#20 base::OnceCallback<void ()>::Run() && [inlined]
#21 base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*)
#22 base::MessageLoopImpl::RunTask(base::PendingTask*)
#23 base::MessageLoopImpl::DeferOrRunPendingTask(base::PendingTask) [inlined]
#24 base::MessageLoopImpl::DoWork()
#25 base::MessagePumpCFRunLoopBase::RunWork()
#26 base::mac::CallWithEHFrame(void () block_pointer)
#27 base::MessagePumpCFRunLoopBase::RunWorkSource(void*)
#28 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ ()
#29 __CFRunLoopDoSource0 ()
#30 __CFRunLoopDoSources0 ()
#31 __CFRunLoopRun ()
#32 CFRunLoopRunSpecific ()
#33 RunCurrentEventLoopInMode ()
#34 ReceiveNextEventCommon ()
#35 _BlockUntilNextEventMatchingListInModeWithFilter ()
#36 _DPSNextEvent ()
#37 -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] ()
#38 -[NSApplication run] ()
#39 base::MessagePumpNSApplication::DoRun(base::MessagePump::Delegate*)
#40 base::MessagePumpCFRunLoopBase::Run(base::MessagePump::Delegate*)
#41 base::MessageLoopImpl::Run(bool)
#42 base::RunLoop::Run()
#43 ::ChromeAppModeStart_v4(const app_mode::ChromeAppModeInfo *)
#44 (anonymous namespace)::LoadFrameworkAndStart(app_mode::ChromeAppModeInfo*) [inlined]
#45 main

I'm learning a bit more about how Chrome works and the existence of ContentClient.

Setting an empty ContentClient fixes the null crash but then we hit the DCHECK(!cursor_image.IsEmpty()). I guess we have to create a mojo pipe to the main process' ContentClient? I wish I knew a bit more about what it's actually trying to do to rationalise an alternative to that.
Looks like a possibly heavyweight fix for this is to actually load the resource bundle resources and expose them via the ChromeContentClient: https://chromium-review.googlesource.com/c/chromium/src/+/1379614
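
Added example, not part of the original thread and not Chromium code: a simplified C++ model of the three states discussed in the comments above (no ContentClient registered in the process, an empty ContentClient, and one backed by loaded resources). Apart from `ContentClient` and `GetNativeImageNamed`, every class and function name here is hypothetical, and the image data is constructed.

```cpp
// Added illustration; a simplified model, not Chromium source.
#include <cstdio>
#include <map>
#include <string>
#include <utility>

struct Image {  // stand-in for gfx::Image
  std::string bytes;
  bool IsEmpty() const { return bytes.empty(); }
};

class ContentClient {  // "empty" client: knows no resources
 public:
  virtual ~ContentClient() = default;
  virtual const Image& GetNativeImageNamed(int /*resource_id*/) const {
    static const Image kEmpty{};
    return kEmpty;
  }
};

class BundleBackedClient : public ContentClient {  // hypothetical name
 public:
  explicit BundleBackedClient(std::map<int, Image> bundle)
      : bundle_(std::move(bundle)) {}
  const Image& GetNativeImageNamed(int resource_id) const override {
    auto it = bundle_.find(resource_id);
    return it == bundle_.end() ? ContentClient::GetNativeImageNamed(resource_id)
                               : it->second;
  }
 private:
  std::map<int, Image> bundle_;
};

enum class CursorResult { kNoClient, kEmptyImage, kOk };

// Reports the state that each step of the unguarded code path would hit.
CursorResult TryLoadCursor(const ContentClient* client, int resource_id) {
  if (!client) return CursorResult::kNoClient;  // unguarded: null dereference
  const Image& image = client->GetNativeImageNamed(resource_id);
  if (image.IsEmpty()) return CursorResult::kEmptyImage;  // unguarded: DCHECK
  return CursorResult::kOk;
}

int main() {
  ContentClient empty;
  std::map<int, Image> bundle;
  bundle[7] = Image{"constructed-cursor-bytes"};  // constructed sample data
  BundleBackedClient full(bundle);
  std::printf("%d %d %d\n", static_cast<int>(TryLoadCursor(nullptr, 7)),
              static_cast<int>(TryLoadCursor(&empty, 7)),
              static_cast<int>(TryLoadCursor(&full, 7)));
}
```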
Project Member

Comment 10 by bugdroid1@chromium.org, Dec 17

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/98955fa086b362047319e361cdab819d24a88931

commit 98955fa086b362047319e361cdab819d24a88931
Author: Alan Cutter <alancutter@chromium.org>
Date: Mon Dec 17 03:45:26 2018

RemoteMacViews: Fix crash when waving mouse over the border of a running video

This CL fixes a crash where RenderWidgetHostNSViewBridge::DisplayCursor() is expected
to be able to acquire a concrete cursor image while the user moves their mouse in/out
of a video element.

Bug:  913336 
Change-Id: I58e6f41186163b759b342c468e9dddb76fe5fcfb
Reviewed-on: https://chromium-review.googlesource.com/c/1379614
Reviewed-by: ccameron <ccameron@chromium.org>
Commit-Queue: Alan Cutter <alancutter@chromium.org>
Cr-Commit-Position: refs/heads/master@{#617042}
[modify] https://crrev.com/98955fa086b362047319e361cdab819d24a88931/chrome/app_shim/chrome_main_app_mode_mac.mm

Cc: vamshi.kommuri@chromium.org
Labels: Needs-Feedback
Tried checking the issue on Chrome version 73.0.3631.0 on Mac 10.14.1 with the below-mentioned steps (as per C#4).
1. Launched Chrome
2. Navigated to https://ruby-clover.glitch.me/
3. Hovered mouse in and out
Didn't observe any crashing of tab.

@Alan Cutter: Please let us know if we have missed anything in the process and help us in verifying the fix.
The repro steps are:
1. Visit ruby-clover.glitch.me
2. App menu > Install Ruby Clover
3. Open Ruby Clover application.
4. Start video.
5. Wave mouse in and out of the video element.
Labels: -Needs-Feedback
Retested kicking the tires of a YouTube PWA window. Haven't found any release crashes so I'm marking this one as fixed.
Status: Fixed (was: Assigned)
