While this use case is unlikely, the crash is concerning and probably something we should look into.

I'm not seeing the crash on ToT.  Did hit a repro on Canary:

07-14 13:55:58.566 25521 25521 W google-breakpad: Chrome build fingerprint:
07-14 13:55:58.566 25521 25521 W google-breakpad: 61.0.3155.0
07-14 13:55:58.566 25521 25521 W google-breakpad: 315500052
07-14 13:55:58.566 25521 25521 W google-breakpad: ### ### ### ### ### ### ### ### ### ### ### ### ###
07-14 13:55:58.567 25521 25521 E AndroidRuntime: FATAL EXCEPTION: main
07-14 13:55:58.567 25521 25521 E AndroidRuntime: Process: com.chrome.canary, PID: 25521
07-14 13:55:58.567 25521 25521 E AndroidRuntime: java.lang.NullPointerException: Attempt to read from field 'org.chromium.chrome.browser.widget.selection.SelectableListLayout org.chromium.chrome.browser.history.HistoryManager.mSelectableListLayout' on a null object reference
07-14 13:55:58.567 25521 25521 E AndroidRuntime: 	at org.chromium.chrome.browser.history.HistoryPage.getView(HistoryPage.java:12)
07-14 13:55:58.567 25521 25521 E AndroidRuntime: 	at org.chromium.chrome.browser.vr_shell.VrShellImpl$8.onPreDraw(VrShellImpl.java:12)
07-14 13:55:58.567 25521 25521 E AndroidRuntime: 	at android.view.ViewTreeObserver.dispatchOnPreDraw(ViewTreeObserver.java:944)
07-14 13:55:58.567 25521 25521 E AndroidRuntime: 	at android.view.ViewRootImpl.performTraversals(ViewRootImpl.java:2205)
07-14 13:55:58.567 25521 25521 E AndroidRuntime: 	at android.view.ViewRootImpl.doTraversal(ViewRootImpl.java:1254)
07-14 13:55:58.567 25521 25521 E AndroidRuntime: 	at android.view.ViewRootImpl$TraversalRunnable.run(ViewRootImpl.java:6337)
07-14 13:55:58.567 25521 25521 E AndroidRuntime: 	at android.view.Choreographer$CallbackRecord.run(Choreographer.java:874)
07-14 13:55:58.567 25521 25521 E AndroidRuntime: 	at android.view.Choreographer.doCallbacks(Choreographer.java:686)
07-14 13:55:58.567 25521 25521 E AndroidRuntime: 	at android.view.Choreographer.doFrame(Choreographer.java:621)
07-14 13:55:58.567 25521 25521 E AndroidRuntime: 	at android.view.Choreographer$FrameDisplayEventReceiver.run(Choreographer.java:860)
07-14 13:55:58.567 25521 25521 E AndroidRuntime: 	at android.os.Handler.handleCallback(Handler.java:751)
07-14 13:55:58.567 25521 25521 E AndroidRuntime: 	at android.os.Handler.dispatchMessage(Handler.java:95)
07-14 13:55:58.567 25521 25521 E AndroidRuntime: 	at android.os.Looper.loop(Looper.java:154)
07-14 13:55:58.567 25521 25521 E AndroidRuntime: 	at android.app.ActivityThread.main(ActivityThread.java:6119)
07-14 13:55:58.567 25521 25521 E AndroidRuntime: 	at java.lang.reflect.Method.invoke(Native Method)
07-14 13:55:58.567 25521 25521 E AndroidRuntime: 	at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:886)
07-14 13:55:58.567 25521 25521 E AndroidRuntime: 	at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:776)
07-14 13:55:58.575  1079  4292 W ActivityManager:   Force finishing activity com.chrome.canary/org.chromium.chrome.browser.ChromeTabbedActivity
07-14 13:55:58.592  1079  1131 W ActivityManager: Failed setting process group of 25521 to 1
07-14 13:55:58.592  1079  1131 W System.err: java.lang.IllegalArgumentException: Given thread 25944 does not exist
07-14 13:55:58.592  1079  1131 W System.err: 	at android.os.Process.setThreadScheduler(Native Method)
07-14 13:55:58.592  1079  1131 W System.err: 	at com.android.server.am.ActivityManagerService.applyOomAdjLocked(ActivityManagerService.java:20499)
07-14 13:55:58.592  1079  1131 W System.err: 	at com.android.server.am.ActivityManagerService.updateOomAdjLocked(ActivityManagerService.java:21013)
07-14 13:55:58.592  1079  1131 W System.err: 	at com.android.server.am.BroadcastQueue.processCurBroadcastLocked(BroadcastQueue.java:272)
07-14 13:55:58.593  1079  1131 W System.err: 	at com.android.server.am.BroadcastQueue.processNextBroadcast(BroadcastQueue.java:1222)
07-14 13:55:58.593  1079  1131 W System.err: 	at com.android.server.am.BroadcastQueue$BroadcastHandler.handleMessage(BroadcastQueue.java:172)
07-14 13:55:58.593  1079  1131 W System.err: 	at android.os.Handler.dispatchMessage(Handler.java:102)
07-14 13:55:58.593  1079  1131 W System.err: 	at android.os.Looper.loop(Looper.java:154)
07-14 13:55:58.593  1079  1131 W System.err: 	at android.os.HandlerThread.run(HandlerThread.java:61)
07-14 13:55:58.593  1079  1131 W System.err: 	at com.android.server.ServiceThread.run(ServiceThread.java:46)

My guess for what is happening:
VrShellImpl gets called back for onPreDraw, and tries to get the view of the mNativePage but mNativePage may have already been destroyed.

This would mean that EmptyTabObserver#onContentChanged and NativePage destruction aren't synchronized.

Looking at the code however, Tab@showRenderedPage will notifyContentChanged before destroying the native page.  There are other codepaths that will destroy a native page, but none that look relevant in this scenario.

maybe Tab#swapWebContents?

I've gotten it to repro a few times on ToT now, so not Canary-specific.

We appear to have an old VrShellImpl that is trying to rendeer a native page that has already been destroyed.  The older VrShellImpl seems to miss some notifications.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/f94c331233eed93fc37b045523eeb87322ee6337

commit f94c331233eed93fc37b045523eeb87322ee6337
Author: Bill Orr <billorr@chromium.org>
Date: Fri Jul 21 00:13:55 2017

Clean up native page onPreDrawListener when exiting VrShell

Currently the onPreDrawListener for native pages is called even after
VrShell exits. A fix is to unregister our onPreDrawListener during
VrShell shutdown.

VrShell destruction is ordered to remove VrShell from the view hierarchy,
then notify VrShell to do clean up.  Unfortunately removing VrShell
from the view hierarchy prevents cleaning up our onPreDrawListener, so
we need a new notification to clean up while still in the view
hierarchy.

The fix is to remove our OnPreDrawlistener in response to a new cleanup
method called while we are still hosted in the view.

BUG= 743119 

Change-Id: Ieacdfb6a08799d4347ea2b268070fd6543f6a2c7
Reviewed-on: https://chromium-review.googlesource.com/580107
Commit-Queue: Bill Orr <billorr@chromium.org>
Reviewed-by: Michael Thiessen <mthiesse@chromium.org>
Cr-Commit-Position: refs/heads/master@{#488507}
[modify] https://crrev.com/f94c331233eed93fc37b045523eeb87322ee6337/chrome/android/java/src/org/chromium/chrome/browser/vr_shell/VrShell.java
[modify] https://crrev.com/f94c331233eed93fc37b045523eeb87322ee6337/chrome/android/java/src/org/chromium/chrome/browser/vr_shell/VrShellDelegate.java
[modify] https://crrev.com/f94c331233eed93fc37b045523eeb87322ee6337/chrome/android/java/src/org/chromium/chrome/browser/vr_shell/VrShellImpl.java

verified with 61.0.3163.13. Will also add a new manual test case for this scenario.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/38de4436abc07e86391ee0b1abc4bb1723b89a76

commit 38de4436abc07e86391ee0b1abc4bb1723b89a76
Author: bsheedy <bsheedy@chromium.org>
Date: Wed Sep 27 17:34:26 2017

Add VR regression test for 743119

Adds a test to catch regressions of  crbug.com/743119 , which caused
Chrome to crash when a a history item was selected while in VR.

Bug:  743119 
Change-Id: Ib447a919269d64a702bb2a6e2a6e9434dad1a28e
Reviewed-on: https://chromium-review.googlesource.com/686047
Reviewed-by: Theresa <twellington@chromium.org>
Reviewed-by: Michael Thiessen <mthiesse@chromium.org>
Commit-Queue: Brian Sheedy <bsheedy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#504720}
[modify] https://crrev.com/38de4436abc07e86391ee0b1abc4bb1723b89a76/chrome/android/java/src/org/chromium/chrome/browser/history/HistoryItemView.java
[modify] https://crrev.com/38de4436abc07e86391ee0b1abc4bb1723b89a76/chrome/android/javatests/src/org/chromium/chrome/browser/vr_shell/VrShellNavigationTest.java