This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Can you take a look at this or send it to someone who can? Thank you.

Assigning to abodenha for triage. I don't see anything that would have caused this in the revision range.

After a bit of poking, it looks like StartPageTilesContainer::Update() deletes tile views which are selected so if less tile views are recreated, then changing the selection index results in GetTileItemView() retrieving a stale pointer.

I think resetting the selection inside Update() in this case might fix things, but I'm not sure. Assigning to xdai@ who wrote the new grid code.

https://codereview.chromium.org/2605463003/

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/49ff293042830e095777651dc4058772af41fdda

commit 49ff293042830e095777651dc4058772af41fdda
Author: xdai <xdai@chromium.org>
Date: Wed Jan 04 01:17:32 2017

Fix the Crash in the launcher's start page on Chrome OS.

In Chrome OS launcher's start page, we recreate the app tile views
if we need to display different numbers of apps compared with the
previous time (e.g., install a new app or uninstall an existing app).
We need to make sure the number of the displayed apps is properly
updated. Otherwise, it might cause browser crash because of retrieving
a stale pointer in StartPageView::StartPageTilesContainer::GetTileItemView().

This simple CL is a temporary fix that meant to merge back to M56. It
will be reverted later on Tot and a better but more complicated fix
will be landed.

BUG= 675150 

Review-Url: https://codereview.chromium.org/2605463003
Cr-Commit-Position: refs/heads/master@{#441275}

[modify] https://crrev.com/49ff293042830e095777651dc4058772af41fdda/ui/app_list/views/search_result_container_view.h
[modify] https://crrev.com/49ff293042830e095777651dc4058772af41fdda/ui/app_list/views/start_page_view.cc

It also happens on M56. Request merge for M56.

Please mark security bugs as fixed as soon as the fix lands, and before requesting merges. This update is based on the merge- labels applied to this issue. Please reopen if this update was incorrect.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Your change meets the bar and is auto-approved for M56. Please go ahead and merge the CL manually. Please contact milestone owner if you have questions.
Owners: amineer@(clank), cmasso@(bling), gkihumba@(cros), bustamante@(desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/049fb2e3267a44e8b57f1a178924a4077ad8a66f

commit 049fb2e3267a44e8b57f1a178924a4077ad8a66f
Author: xdai <xdai@chromium.org>
Date: Thu Jan 05 17:56:17 2017

[Merge to M56] Fix the Crash in the launcher's start page on Chrome OS.

In Chrome OS launcher's start page, we recreate the app tile views
if we need to display different numbers of apps compared with the
previous time (e.g., install a new app or uninstall an existing app).
We need to make sure the number of the displayed apps is properly
updated. Otherwise, it might cause browser crash because of retrieving
a stale pointer in StartPageView::StartPageTilesContainer::GetTileItemView().

This simple CL is a temporary fix that meant to merge back to M56. It
will be reverted later on Tot and a better but more complicated fix
will be landed.

BUG= 675150 
TBR=xiyuan@chromium.org

Review-Url: https://codereview.chromium.org/2605463003
Cr-Commit-Position: refs/heads/master@{#441275}
(cherry picked from commit 49ff293042830e095777651dc4058772af41fdda)

Review-Url: https://codereview.chromium.org/2618793002 .
Cr-Commit-Position: refs/branch-heads/2924@{#680}
Cr-Branched-From: 3a87aecc31cd1ffe751dd72c04e5a96a1fc8108a-refs/heads/master@{#433059}

[modify] https://crrev.com/049fb2e3267a44e8b57f1a178924a4077ad8a66f/ui/app_list/views/search_result_container_view.h
[modify] https://crrev.com/049fb2e3267a44e8b57f1a178924a4077ad8a66f/ui/app_list/views/start_page_view.cc

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/826b507a7c29ed99f7389256ec19bfc5354acb77

commit 826b507a7c29ed99f7389256ec19bfc5354acb77
Author: xdai <xdai@chromium.org>
Date: Thu Jan 05 18:50:29 2017

Revert "Fix the Crash in the launcher's start page on Chrome OS."

This reverts commit 49ff293042830e095777651dc4058772af41fdda.

This CL (https://codereview.chromium.org/2605463003/) has been merged
to M56, so revert it on Tot. A better fix will be landed later.

BUG= 675150 
TBR=xiyuan@chromium.org

Review-Url: https://codereview.chromium.org/2613993002
Cr-Commit-Position: refs/heads/master@{#441715}

[modify] https://crrev.com/826b507a7c29ed99f7389256ec19bfc5354acb77/ui/app_list/views/search_result_container_view.h
[modify] https://crrev.com/826b507a7c29ed99f7389256ec19bfc5354acb77/ui/app_list/views/start_page_view.cc

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/a1260e2951edbb3f8c0645827a3bb42a0ec7b926

commit a1260e2951edbb3f8c0645827a3bb42a0ec7b926
Author: xdai <xdai@chromium.org>
Date: Thu Jan 05 19:37:03 2017

Fix the Crash in the launcher's start page (a better approach).

In Chrome OS launcher's start page, we recreate the app tile views
if we need to display different numbers of apps compared with the
previous time (e.g., install a new app or uninstall an existing app).
We need to make sure the number of the displayed apps is properly
updated. Otherwise, it might cause browser crash because of retrieving
a stale pointer in StartPageView::StartPageTilesContainer::GetTileItemView().
Also refactor related functions.

This is a better approach of https://codereview.chromium.org/2605463003/.

BUG= 675150 

Review-Url: https://codereview.chromium.org/2609843004
Cr-Commit-Position: refs/heads/master@{#441733}

[modify] https://crrev.com/a1260e2951edbb3f8c0645827a3bb42a0ec7b926/ui/app_list/views/search_result_container_view.cc
[modify] https://crrev.com/a1260e2951edbb3f8c0645827a3bb42a0ec7b926/ui/app_list/views/search_result_container_view.h
[modify] https://crrev.com/a1260e2951edbb3f8c0645827a3bb42a0ec7b926/ui/app_list/views/search_result_list_view.cc
[modify] https://crrev.com/a1260e2951edbb3f8c0645827a3bb42a0ec7b926/ui/app_list/views/search_result_list_view.h
[modify] https://crrev.com/a1260e2951edbb3f8c0645827a3bb42a0ec7b926/ui/app_list/views/search_result_tile_item_list_view.cc
[modify] https://crrev.com/a1260e2951edbb3f8c0645827a3bb42a0ec7b926/ui/app_list/views/search_result_tile_item_list_view.h
[modify] https://crrev.com/a1260e2951edbb3f8c0645827a3bb42a0ec7b926/ui/app_list/views/start_page_view.cc

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot