=== Mali-G925 SIGSEGV — variant 1 — vkWaitForFences ===

Device   : Samsung Galaxy Tab S11 (SM-X736B)
Build    : samsung/gts11eea/gts11:16/BP4A.251205.006/X736BXXU5AZBC_OXM5AZBC:userdebug
Kernel   : 6.6.102-android15-8-abogkiX736BXXU5AZBC-4k
GPU      : Mali-G925-Immortalis MC12
Driver   : 49.1.0
Vulkan   : 1.3.278
App      : com.samsung.aifredo.debug
Source   : vulkan_swapchain.cpp using VkFence per-CPU-slot recycle pattern
Build ID : varies per APK rebuild

=== logcat -b crash excerpt ===

F libc  : Fatal signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x306e69be in tid (camera thread)
F DEBUG : Cmdline: com.samsung.aifredo.debug
F DEBUG : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x00000000306e69be (read)
F DEBUG : esr: 0000000092000006 (Data Abort Exception 0x24)
F DEBUG : tagged_addr_ctrl: 0000000000000001 (PR_TAGGED_ADDR_ENABLE)

=== backtrace ===

#00 pc 0x21804   /system/lib64/libvulkan.so
        vulkan::api::(anonymous namespace)::WaitForFences(
            VkDevice_T*, unsigned int, VkFence_T* const*, unsigned int, unsigned long)+4
#01 pc 0x3b0c1c  /data/app/.../librvmncnn.so
        aifredo_swapchain_present_real_frame+856
#02 pc 0x369484  /data/app/.../librvmncnn.so
        NdkCameraWindow::on_image(unsigned char const*, int, int) const+3364
#03 pc 0x367fa8  /data/app/.../librvmncnn.so
        (unwound to AImageReader callback)
#04 pc 0x39b60   /system/lib64/libmediandk.so
        AImageReader::CallbackHandler::onMessageReceived(...)+416
#05 pc 0x1c818   /system/lib64/libstagefright_foundation.so
        android::AHandler::deliverMessage(...)+184
#06 pc 0x23bbc   /system/lib64/libstagefright_foundation.so
        android::AMessage::deliver()+172
#07 pc 0x1de58   /system/lib64/libstagefright_foundation.so
        android::ALooper::loop()+536
#08 pc 0x18120   /system/lib64/libutils.so
        android::Thread::_threadLoop(void*)+528
#09 pc 0x1590fc  /system/lib64/libandroid_runtime.so
        android::AndroidRuntime::javaThreadShell(void*)+140

=== analysis ===

vkWaitForFences delegates from libvulkan loader to Mali ICD.
Fault fires at offset +4 of libvulkan's WaitForFences wrapper (entry on ICD call).

Fault address 0x306e69be is a 4-byte-aligned small value, not a heap pointer —
consistent with ICD dereferencing a corrupt internal struct field index after
compute submit corrupted its sync-object table.

Time to crash   : 0-6 frames after first vkQueueSubmit on the swapchain command buffer.
Reproducibility : 100% with default swapchain pattern (FIFO, 4-5 images,
                  per-frame fence recycle across kFramesInFlight=2).