Investigating...
Somehow I reproduced this issue. Attaching a file in gmail failed, but uploading a file in Drive web page succeeded.

Hi nasko@,
could you look into this issue?
When I reverted https://codereview.chromium.org/2102883002/, this issue disappeared.

I only checked this issue on Chrome OS, so I'm not sure if this is reproducible on other OSs.

FWIW, this specific patch was fixing the actual issue of the file dialog not showing up. omahaproxy lists CrOS dev at 53.0.2773.3, so how can one reproduce this, since it is reported on 53.0.2784.1?

fukino@ can you please merge this revert into ToT M53? Once the branch is ready for M53 (its in progress now) we should merge this to branch.

Before we approve merge to M53, Could you please confirm whether this change is baked/verified in Canary OR on ToT and safe to merge?

Has the M53 branch point been announced yet? Assuming you are trying to merge r402683, it could be before the branch point and thus no merging needed.

https://chromium.googlesource.com/chromium/src/+/f6a80acd01b832cbaa4ec5d77d213dcb73ba70e1 THis shows this was committed to master already and has been verified by fukino@ from comment#4 above. Just confirmed with govind@ that this is already picked up by the Chrome branch. So we are good. No need to merge to branch anymore.

removing RBD and merge request.

I managed to repro the issue and have a fix for it - https://codereview.chromium.org/2113353002/. The CL which you are reverting fixes a use-after-free bug, which can cause crashes in the browser process, which are pretty bad on ChromeOS.

Actually, the bug affects more than ChromeOS. It affects gmail even on other platforms.

The fix is in the CQ and should make today's cut for canary if it all goes well on the trybots.

I am out for next week, so putting creis@ on cc, who can help with merging the fix in M53, once it has landed on trunk. Alternatively, I'll be back on 7/11 and can continue  on this.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/5e61b75ffa3c2fe805124b5969e8dff578510b99

commit 5e61b75ffa3c2fe805124b5969e8dff578510b99
Author: nasko <nasko@chromium.org>
Date: Fri Jul 01 22:35:05 2016

Fix file chooser on ChromeOS.

A previous CL - https://codereview.chromium.org/2102883002/, introduced
a bug specific to the ChromeOS version of the file chooser. It fixed a
use-after-free bug by monitoring for RenderFrame deletions. However,
on ChromeOS, the file picker is itself a RenderFrame and the code didn't
account for nullifying the cached object only when they match.
This CL fixes the issue by ensuring that the pointer is cleared only
when the object being deleted matches.

BUG= 624956 

Review-Url: https://codereview.chromium.org/2113353002
Cr-Commit-Position: refs/heads/master@{#403554}

[modify] https://crrev.com/5e61b75ffa3c2fe805124b5969e8dff578510b99/chrome/browser/file_select_helper.cc

nasko@, Could you please merge this to 2785 branch? we are planning a dev release next week from the same branch.

Thank you!

Nasko is now OOO for the long weekend, but I can merge it for him.  Requesting merge approval for M53.

dimu@, please approve the merge to M53 branch 2785 once the change is baked/verified in canary.

Applying OS=All label based on based on comment #13. 

Your change meets the bar and is auto-approved for M53 (branch: 2785)

This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Merging now.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c9bd48036f5e78fdc8aee791d455256532d30c5b

commit c9bd48036f5e78fdc8aee791d455256532d30c5b
Author: Charles Reis <creis@chromium.org>
Date: Wed Jul 06 16:36:52 2016

Fix file chooser on ChromeOS.

A previous CL - https://codereview.chromium.org/2102883002/, introduced
a bug specific to the ChromeOS version of the file chooser. It fixed a
use-after-free bug by monitoring for RenderFrame deletions. However,
on ChromeOS, the file picker is itself a RenderFrame and the code didn't
account for nullifying the cached object only when they match.
This CL fixes the issue by ensuring that the pointer is cleared only
when the object being deleted matches.

BUG= 624956 

Review-Url: https://codereview.chromium.org/2113353002
Cr-Commit-Position: refs/heads/master@{#403554}
(cherry picked from commit 5e61b75ffa3c2fe805124b5969e8dff578510b99)

Review URL: https://codereview.chromium.org/2123093003 .

Cr-Commit-Position: refs/branch-heads/2785@{#30}
Cr-Branched-From: 68623971be0cfc492a2cb0427d7f478e7b214c24-refs/heads/master@{#403382}

[modify] https://crrev.com/c9bd48036f5e78fdc8aee791d455256532d30c5b/chrome/browser/file_select_helper.cc

Seems to be working on Mac 54.0.2789.0, and I've merged it to M53.  I'll mark it as fixed.

Verified the issue on Mac 10.11.5,Win 7 and Ubuntu 14.04 using 53.0.2785.8 and its working fine.Hence added the respective TE-Verified labels for the same.