All test failure cases look to have same stack trace.

#0 0x7f4cdb2fc03d base::debug::StackTrace::StackTrace()
#1 0x7f4cdaff5bfa base::debug::StackTrace::StackTrace()
#2 0x5618c41d29a2 content::(anonymous namespace)::DumpStackTraceSignalHandler()
#3 0x7f4ca75d8cb0 <unknown>
#4 0x7f4cc9fe615a aura::Window::CleanupGestureState()
#5 0x7f4cc9fe57fe aura::Window::~Window()
#6 0x7f4cc9fe6669 aura::Window::~Window()

Something in aura::Window::CleanupGestureState() is wrong.

I tried to revert the culprit CL (https://chromium-review.googlesource.com/c/chromium/src/+/1368828) but failed.
Assign its owner.

dtseng@
A fix CL https://chromium-review.googlesource.com/c/chromium/src/+/1375113 was landed but it still fails. Please take another look.

https://chromium-review.googlesource.com/c/chromium/src/+/1368828 needs to be reverted.

https://chromium-review.googlesource.com/c/chromium/src/+/1362193 is unfortunately getting in the way for that (conflicts), so need to revert that one as well.

+mukai, in case he has ideas about gesture recognizer cleanup.

 Issue 914811  has been merged into this issue.

This is a use-after-free crash, also captured by MSan/ASan bot. See  issue 914811   #0 for more details.

Looks like revert https://chromium-review.googlesource.com/c/chromium/src/+/1375128 get through though.

I saw similar stack trace the other day. If that's the case, I believe that's because some accessibility-related instance outlives aura::Env.

At that time, I modified AXRootObjectWrapper to clean up the aura::Window. See https://chromium-review.googlesource.com/c/chromium/src/+/1171838/14/chrome/browser/ui/aura/accessibility/ax_root_obj_wrapper.cc