We see the same problem on vexpress with TC2 tile with an ICS 4.0.1 build. It can be triggered by running BBench 2.0 in the webkit browser. We traced down this issue to the point that it happens when the browser sends one of multiple GET_MEMORY_INFO_TRANSACTION messages to the system_server. signal 11 (SIGSEGV), code 1 (SEGV_MAPERR) happens in DVM interpreter in one of system_server's Binder threads. The same problem can be seen by using a simple test application sending this message constantly. log files are: system_server_16072012.txt, logcat_16072012.txt, tombstone_00_16072012.txt (see attachements) Callstack of '56 tid: 1544 Binder Thread #5 native #00 pc 00022c1c /system/lib/libdvm.so <-- signal 11 (SIGSEGV), code 1 (SEGV_MAPERR)' #00 pc 00022c1c /system/lib/libdvm.so #01 pc 000342b4 /system/lib/libdvm.so (_Z12dvmInterpretP6ThreadPK6MethodP6JValue) #02 pc 0006c7d8 /system/lib/libdvm.so (Z14dvmCallMethodVP6ThreadPK6MethodP6ObjectbP6JValueSt9_va_list) #03 pc 0005818c /system/lib/libdvm.so #04 pc 0004c450 /system/lib/libdvm.so #05 pc 000434f6 /system/lib/libandroid_runtime.so #06 pc 0005dbd6 /system/lib/libandroid_runtime.so #07 pc 00017ec0 /system/lib/libbinder.so (_ZN7android7BBinder8transactEjRKNS_6ParcelEPS1_j) #08 pc 0001b202 /system/lib/libbinder.so (_ZN7android14IPCThreadState14executeCommandEi) #09 pc 0001b3de /system/lib/libbinder.so (_ZN7android14IPCThreadState14joinThreadPoolEb) #10 pc 000206bc /system/lib/libbinder.so #11 pc 00020cd6 /system/lib/libutils.so (_ZN7android6Thread11_threadLoopEPv) #12 pc 00040ac4 /system/lib/libandroid_runtime.so (_ZN7android14AndroidRuntime15javaThreadShellEPv) #13 pc 0002131c /system/lib/libutils.so #14 pc 00012bf4 /system/lib/libc.so (__thread_entry) #15 pc 00012748 /system/lib/libc.so (pthread_create) #00 dalvik_inst /home/dieegg01/work/repo/aosp/dalvik/vm/mterp/out/InterpAsm-armv7-a-neon.S:7484 #01 dvmInterpret(Thread*, Method const*, JValue*) /home/dieegg01/work/repo/aosp/dalvik/vm/interp/Interp.cpp:1965 #02 dvmCallMethodV(Thread*, Method const*, Object*, bool, JValue*, std::__va_list) /home/dieegg01/work/repo/aosp/dalvik/vm/interp/Stack.cpp:523 #03 CallBooleanMethodV /home/dieegg01/work/repo/aosp/dalvik/vm/Jni.cpp:2018 #04 Check_CallBooleanMethodV /home/dieegg01/work/repo/aosp/dalvik/vm/CheckJni.cpp:1666 #05 _JNIEnv::CallBooleanMethod(_jobject*, _jmethodID*, ...) /home/dieegg01/work/repo/aosp/dalvik/libnativehelper/include/nativehelper/jni.h:633 #06 JavaBBinder::onTransact(unsigned int, android::Parcel const&, android::Parcel*, unsigned int) /home/dieegg01/work/repo/aosp/frameworks/base/core/jni/android_util_Binder.cpp:290 #07 android::BBinder::transact(unsigned int, android::Parcel const&, android::Parcel*, unsigned int) /home/dieegg01/work/repo/aosp/frameworks/base/libs/binder/Binder.cpp:107 #08 android::IPCThreadState::executeCommand(int) /home/dieegg01/work/repo/aosp/frameworks/base/libs/binder/IPCThreadState.cpp:1027 #09 android::IPCThreadState::joinThreadPool(bool) /home/dieegg01/work/repo/aosp/frameworks/base/libs/binder/IPCThreadState.cpp:468 #10 android::PoolThread::threadLoop() /home/dieegg01/work/repo/aosp/frameworks/base/libs/binder/ProcessState.cpp:67 #11 android::Thread::_threadLoop(void*) /home/dieegg01/work/repo/aosp/frameworks/base/libs/utils/Threads.cpp:834 #12 android::AndroidRuntime::javaThreadShell(void*) /home/dieegg01/work/repo/aosp/frameworks/base/core/jni/AndroidRuntime.cpp:985 #13 thread_data_t::trampoline(thread_data_t const*) /home/dieegg01/work/repo/aosp/frameworks/base/libs/utils/Threads.cpp:127 #14 __thread_entry /home/dieegg01/work/repo/aosp/bionic/libc/bionic/pthread.c:217 #15 pthread_create /home/dieegg01/work/repo/aosp/bionic/libc/bionic/pthread.c:357