I can consistently crash the system by opening the browser, clicking on the 'News' tab on the Google home page, then selecting either of the menus to change region or appearance. On my board, they are shown as 'U.K. Edition' and 'Compact'.
I observed this on a Versatile Express A9 board, build https://android-build.linaro.org/builds/~linaro-android/vexpress-ics-gcc46-armlt-stable-open-12.04-release/#build=3
Here's an example of a crash dump, and attached is the full logcat with repeated crashes and reboots.
I/DEBUG ( 1718): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
I/DEBUG ( 1718): Build fingerprint: 'vexpress/vexpress/vexpress:4.0.4/IMM76D/3:eng/test-keys'
I/DEBUG ( 1718): pid: 1835, tid: 1846 >>> system_server <<<
I/DEBUG ( 1718): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 00000020
I/DEBUG ( 1718): r0 02080f40 r1 00000000 r2 00000000 r3 986e2dd7
I/DEBUG ( 1718): r4 9ee63122 r5 9b9b2c88 r6 01fa41a0 r7 000000f0
I/DEBUG ( 1718): r8 b661d980 r9 a007e7e0 10 9b9b2c3c fp 9bab2ca0
I/DEBUG ( 1718): ip 000000f0 sp 9bab2ba8 lr 986e2de9 pc b6621594 cpsr 20000010
I/DEBUG ( 1718): d0 000000100000004c d1 00002725000009ac
I/DEBUG ( 1718): d2 0000000000000044 d3 9bab30f09bab30ac
I/DEBUG ( 1718): d4 006c0061006e0072 d5 006500690076002e
I/DEBUG ( 1718): d6 00490049002e0077 d7 007400750070006e
I/DEBUG ( 1718): d8 0000000000000000 d9 0000000000000000
I/DEBUG ( 1718): d10 0000000000000000 d11 0000000000000000
I/DEBUG ( 1718): d12 0000000000000000 d13 0000000000000000
I/DEBUG ( 1718): d14 0000000000000000 d15 0000000000000000
I/DEBUG ( 1718): d16 000000002329a000 d17 00000000094ec000
I/DEBUG ( 1718): d18 0000000000000000 d19 0000000000000000
I/DEBUG ( 1718): d20 00000028fad93a01 d21 bfb1be5a93a83e1d
I/DEBUG ( 1718): d22 3f4de16b9c24a98f d23 be206435816bc5ca
I/DEBUG ( 1718): d24 3fede16b9c24a98f d25 3f733c3b597385d3
I/DEBUG ( 1718): d26 bf66c0c55ca9076a d27 3f1155e54e7e8408
I/DEBUG ( 1718): d28 bebbbc6c1a570a20 d29 3e66376972bea4d0
I/DEBUG ( 1718): d30 0000022200000222 d31 000000620000006c
I/DEBUG ( 1718): scr 60000012
I/DEBUG ( 1718):
I/DEBUG ( 1718): #00 pc 00022594 /system/lib/libdvm.so
I/DEBUG ( 1718): #01 pc 00034eb4 /system/lib/libdvm.so (_Z12dvmInterpretP6ThreadPK6MethodP6JValue)
I/DEBUG ( 1718): #02 pc 0007c12c /system/lib/libdvm.so (_Z14dvmCallMethodVP6ThreadPK6MethodP6ObjectbP6JValueSt9__va_list)
I/DEBUG ( 1718): #03 pc 0006163e /system/lib/libdvm.so
I/DEBUG ( 1718): #04 pc 0005106e /system/lib/libdvm.so
I/DEBUG ( 1718): #05 pc 00043d84 /system/lib/libandroid_runtime.so
I/DEBUG ( 1718): #06 pc 00063c16 /system/lib/libandroid_runtime.so
I/DEBUG ( 1718): #07 pc 000170fe /system/lib/libbinder.so (_ZN7android7BBinder8transactEjRKNS_6ParcelEPS1_j)
I/DEBUG ( 1718): #08 pc 0001aca0 /system/lib/libbinder.so (_ZN7android14IPCThreadState14executeCommandEi)
I/DEBUG ( 1718): #09 pc 0001b13e /system/lib/libbinder.so (_ZN7android14IPCThreadState14joinThreadPoolEb)
I/DEBUG ( 1718): #10 pc 00020698 /system/lib/libbinder.so
I/DEBUG ( 1718): #11 pc 0002432a /system/lib/libutils.so (_ZN7android6Thread11_threadLoopEPv)
I/DEBUG ( 1718): #12 pc 00040728 /system/lib/libandroid_runtime.so (_ZN7android14AndroidRuntime15javaThreadShellEPv)
I/DEBUG ( 1718): #13 pc 00023eda /system/lib/libutils.so
I/DEBUG ( 1718): #14 pc 000120b8 /system/lib/libc.so (__thread_entry)
I/DEBUG ( 1718): #15 pc 00011bd4 /system/lib/libc.so (pthread_create)
I/DEBUG ( 1718):
I/DEBUG ( 1718): code around pc:
I/DEBUG ( 1718): b6621574 e1f470b6 e207c0ff e088f30c e1d410b4 .p..............
I/DEBUG ( 1718): b6621584 e7950101 e3500000 0a0038ce e5901000 ......P..8......
I/DEBUG ( 1718): b6621594 e5912020 e3120102 1a001470 e1d612b8 ......p.......
I/DEBUG ( 1718): b66215a4 e2111008 1a001473 e1f470b6 e207c0ff ....s....p......
I/DEBUG ( 1718): b66215b4 e088f30c e320f000 e320f000 f57ff05e ...... ... .^...
I/DEBUG ( 1718):
I/DEBUG ( 1718): code around lr:
I/DEBUG ( 1718): 986e2dc8 9eb5f636 b6ecbe6c 020fb8e8 f85f0020 6...l....... ._.
I/DEBUG ( 1718): 986e2dd8 68010008 60013101 0028f8df 47886ef1 ...h.1.`..(..n.G
I/DEBUG ( 1718): 986e2de8 4300e000 47806e70 9ee63128 00000001 ...Cpn.G(1......
I/DEBUG ( 1718): 986e2df8 b6690000 9f8d21d8 ffff0101 00000001 ..i..!..........
I/DEBUG ( 1718): 986e2e08 00000000 9ee63122 020fb8ec f85f005c ...."1......\._.
I can reproduce this on Snowball build https://android-build.linaro.org/builds/~linaro-android/snowball-ics-gcc46-igloo-stable-blob-12.04-release/#build=2
It seems that to trigger it, you don't need to actually click on anything on the Google News page; moving the mouse around or even just going to the page seems to be enough.