=== Mali-G925 SIGSEGV — variant 2 — vkWaitSemaphores (timeline) ===

Device : Samsung Galaxy Tab S11 (SM-X736B)
Build : samsung/gts11eea/gts11:16/BP4A.251205.006/X736BXXU5AZBC_OXM5AZBC:userdebug
GPU : Mali-G925-Immortalis MC12
Driver : 49.1.0
Vulkan : 1.3.278
App : com.samsung.aifredo.debug
Source : vulkan_swapchain.cpp:1058 after VkFence -> VkTimelineSemaphore migration
         (per-CPU-slot timeline semaphore with explicit signal value tracking;
         pfn_WaitSemaphores resolved via vkGetDeviceProcAddr).

=== logcat -b crash excerpt ===

F libc : Fatal signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0000720600007214 in tid (async inference worker)
F DEBUG : Cmdline: com.samsung.aifredo.debug
F DEBUG : esr: 0000000092000006 (Data Abort Exception 0x24)

=== register dump (key) ===

x0 000072060000720c <- target pointer being deref'd
x1 0000000000000001
x2 00000079443545a0
sp 00000079443541a0
pc 0000007c06861804 <- inside libvulkan.so QueueWaitIdle dispatch
lr 00000078ac224c20

=== backtrace ===

#00 pc 0x995098 /vendor/lib64/egl/mt6991/libGLES_mali.so BuildId: 8ffcdf0fe7b476c1
#01 pc 0x3b0698 /data/app/.../librvmncnn.so aifredo_swapchain_present_real_frame+936
    (corresponds to vulkan_swapchain.cpp:1058 = pfn_WaitSemaphores call)
#02 pc 0x369484 /data/app/.../librvmncnn.so NdkCameraWindow::on_image+3364
#03 pc 0x36add8 /data/app/.../librvmncnn.so NdkCameraWindow::rtsp_thread_func+1984
#04 pc 0x8aadc /apex/com.android.runtime/lib64/bionic/libc.so __pthread_start+236

=== analysis ===

Timeline-semaphore migration (Vulkan 1.2 vkWaitSemaphores) was supposed to
avoid the vkWaitForFences crash. Mali driver's Vulkan 1.2 timeline-semaphore
path also crashes, deeper inside the same ICD region.

Crash point at libGLES_mali.so + 0x995098 — same general function area as
variant 1's libvulkan delegation target.

Fault addr 0x720600007214 is a tagged-pointer-looking value; suggests the
ICD's sync subsystem is computing a bad index off a corrupt internal table
and using the result as a pointer.

Confirms: ARM/Mali sync-object subsystem is broken for ANY caller-facing
wait API. The 5-pass golden self-test cascade had also exposed a related
fp16_storage miscompile on this driver (mae=0.434 vs 0.05 gate), but the
WSI sync crash is independent of fp16 path.
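
=== added example: decoding the esr and fault offset ===

A triage helper added here (not part of the original report or the app's code) that decodes the esr value from the crash excerpt and measures how far the fault address sits from x0. The field layout follows the Arm ESR_ELx encoding for data aborts; CRASH is a constructed sample holding only the lines copied from the report above.

```python
import re

# Constructed sample: crash lines and the x0 value copied from the report.
CRASH = """\
F libc : Fatal signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0000720600007214 in tid (async inference worker)
F DEBUG : esr: 0000000092000006 (Data Abort Exception 0x24)
x0 000072060000720c
"""

# Exception classes (ESR_ELx.EC) whose ISS uses the data-abort layout.
EC_NAMES = {0x24: "data abort, lower EL", 0x25: "data abort, same EL"}
# DFSC[5:2] selects the fault family; DFSC[1:0] is the translation-table level.
DFSC_KINDS = {0b0000: "address size", 0b0001: "translation",
              0b0010: "access flag", 0b0011: "permission"}


def decode_esr(esr):
    """Split an AArch64 ESR_ELx value into the fields relevant to a data abort."""
    ec = (esr >> 26) & 0x3F          # EC  = bits [31:26]
    iss = esr & 0x1FFFFFF            # ISS = bits [24:0]
    out = {"ec": ec, "ec_name": EC_NAMES.get(ec, "other"), "il": (esr >> 25) & 1}
    if ec in EC_NAMES:
        dfsc = iss & 0x3F            # DFSC = ISS[5:0]
        kind = DFSC_KINDS.get(dfsc >> 2)
        out["dfsc"] = dfsc
        out["access"] = "write" if (iss >> 6) & 1 else "read"   # WnR = ISS[6]
        out["fault"] = (f"{kind} fault, level {dfsc & 3}" if kind
                        else f"DFSC {dfsc:#x}")
    return out


def triage(text):
    """Pull fault addr, esr and x0 out of crash text and relate them."""
    fault = int(re.search(r"fault addr (0x[0-9a-fA-F]+)", text).group(1), 16)
    esr = int(re.search(r"esr: ([0-9a-fA-F]+)", text).group(1), 16)
    x0 = int(re.search(r"^x0\s+([0-9a-fA-F]+)", text, re.M).group(1), 16)
    info = decode_esr(esr)
    info["si_code"] = re.search(r"\((SEGV_\w+)\)", text).group(1)
    # A small positive offset means the fault is a field access through x0.
    info["fault_minus_x0"] = fault - x0
    return info


if __name__ == "__main__":
    for key, value in triage(CRASH).items():
        print(f"{key:15}: {value}")
```

For this crash the helper reports a read access, a level 2 translation fault, and a fault address 8 bytes past x0.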