M8+M9+M10+M11+M12: LOW-tier milestones — funcptr-arrays, EH flag, TLS, lr-trace
Five LOW-priority milestones bundled. Total ~700 LOC across 11 files. ## M9 — has_eh derived from pdata.flags exception bit - New `functions.has_eh BOOLEAN NOT NULL` column. Derived from M1's already-parsed `pdata.flags` (bit 31 of the packed word — the exception-handler-present flag, distinct from bit 30 which is the always-1 32-bit-code flag). Index idx_functions_has_eh. - Sylpheed: 2,975 of 23,073 pdata-validated functions have EH (12.9%). ## M10 — .tls section / IMAGE_TLS_DIRECTORY32 parser - New `xenia_xex::tls::parse_tls` parses the directory + zero-terminated callback array. Returns None when the binary has no .tls section. - New `tls_info` (singleton row) + `tls_callbacks(slot, address)` tables. - New `DbWriter::write_tls()` no-ops on None. - Sylpheed has no .tls section → 0 rows; infra ready for binaries with __declspec(thread). ## M8 + M11 — function_pointer_arrays (dispatch tables + static initialisers) - New `xenia_analysis::funcptr_arrays::analyze` widens M3's vtable scan: detects runs of ≥2 function pointers in .rdata and classifies each as `vtable` (M3 re-emit), `dispatch_table` (M8), or `static_init` (M11) via a constructor-prologue heuristic (mfspr + small stwu). - New tables `function_pointer_arrays(address PK, length, kind)` and `function_pointer_array_entries(array_address, slot, function_address)`. - Sylpheed: 722 vtables + 388 dispatch_tables = 1,110 arrays / 6,347 slots. 0 static_init detected (Sylpheed's ctors don't all match the conservative heuristic; M11.5 future work can chain via the entry- point's static-init driver). ## M12 — --lr-trace runtime canary-diff harness - New CLI `exec --lr-trace=PC[,PC,...]` and `--lr-trace-out=PATH` flags. Symbolic resolution (Class::method, Class::*) via M4 lookup. Env vars XENIA_LR_TRACE / XENIA_LR_TRACE_OUT also work. - New `KernelState::lr_trace_pcs` + `lr_trace_writer` + helper `fire_lr_trace_if_match(hw_id)` invoked from the per-instr probe slot. - JSONL output: pc/tid/hw/cycle/r3/r4/r5/r6/lr — superset of what xenia-canary's --log_lr_on_pc patch emits, with a cycle counter for cross-run reproducibility. Diff-friendly via `jq`. - Lockstep digest unaffected: smoke test on entry-point PC fires once with cycle=0/lr=BCBCBCBC/all-GPR-zero (correct initial state). Tests 636→640 (+2 TLS tests, +2 funcptr_arrays tests). Schema golden updated for new tables + has_eh column. Lockstep determinism preserved (instructions=2000005 ×2 reruns identical). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
MechaCat02
@@ -274,10 +274,134 @@ See `crates/xenia-analysis/src/lookup.rs`.
|
||||
- 0 multiword / dcbz / byterev — these instructions exist in the binary
|
||||
but are not in lis+addi-tracked code paths.
|
||||
|
||||
## Forward work (M8–M12, not yet landed)
|
||||
## Layer M8 + M11 — Function-pointer arrays beyond vtables (landed)
|
||||
|
||||
- **M8** — dispatch-table heuristics beyond vtables (e.g. function-pointer arrays in `.data`).
|
||||
- **M9** — `__CxxFrameHandler` exception scope-table parsing.
|
||||
- **M10** — `.tls` section / TLS slot tracking.
|
||||
- **M11** — `__xc_a` / `__xc_z` static-initializer driver detection.
|
||||
- **M12** — comparative-PC-trace mode for canary diff (runtime side, not analyzer).
|
||||
### Schema additions
|
||||
- New table `function_pointer_arrays(address PK, length, kind)` where
|
||||
`kind` is `'vtable'` (M3 re-emit), `'dispatch_table'` (M8), or
|
||||
`'static_init'` (M11).
|
||||
- New table `function_pointer_array_entries(array_address, slot,
|
||||
function_address, PRIMARY KEY (array_address, slot))` — one row per
|
||||
slot of every detected array (vtable + non-vtable).
|
||||
- Indices on `function_pointer_arrays.kind` and
|
||||
`function_pointer_array_entries.function_address`.
|
||||
|
||||
### What this layer does
|
||||
- Walks `.rdata` (only — `.data` produces too many false positives) for
|
||||
runs of ≥ 2 consecutive 4-byte BE values where each value is a known
|
||||
function entry from M1's `functions` table.
|
||||
- Skips runs whose start matches an M3 vtable head — those are re-emitted
|
||||
in this table with `kind='vtable'` for unified queries but not
|
||||
re-classified.
|
||||
- Heuristically classifies non-vtable runs:
|
||||
- `static_init` (M11): every entry's first instruction is `mfspr r12, LR`
|
||||
AND the next is `stwu r1, -N(r1)` with `N ≤ 0x80` (or a save-stub `bl`).
|
||||
Mirrors the typical C++ static-initialiser prologue.
|
||||
- `dispatch_table` (M8): everything else.
|
||||
|
||||
### What this layer does NOT do
|
||||
- Does not parse symbol-table-bracketed regions like `__xc_a` / `__xc_z`
|
||||
/ `__xi_a` / `__xi_z` directly — Sylpheed's symbol table is stripped.
|
||||
- Does not chain multi-segment static-init drivers; future M11.5 could
|
||||
walk the entry-point's static-init driver call chain to surface
|
||||
ground-truth ctor PCs.
|
||||
- 2-slot runs in `.rdata` may be false positives where two struct fields
|
||||
happen to alias function VAs; downstream queries should use a length
|
||||
filter (`WHERE length >= 3`) when high precision matters.
|
||||
|
||||
### Sylpheed yield
|
||||
- 722 vtables (M3 re-emit) + 388 dispatch_tables = 1,110 arrays in
|
||||
`function_pointer_arrays`.
|
||||
- 0 static_init detected — Sylpheed's ctors don't all match the
|
||||
conservative prologue heuristic. Lengths concentrate at 2 slots
|
||||
(typical of switch-case jump tables).
|
||||
|
||||
## Layer M9 — `has_eh` from `.pdata` exception flag (landed)
|
||||
|
||||
### Schema additions
|
||||
- `functions.has_eh BOOLEAN NOT NULL` — true when `.pdata`'s exception-
|
||||
handler-present bit (bit 31 of word 1, the high bit) is set.
|
||||
- Index `idx_functions_has_eh`.
|
||||
|
||||
### What this layer does
|
||||
- Derived directly from M1's already-parsed `pdata.flags` bit field (no
|
||||
new parsing). The bit was always available in `pdata_entries.flags`;
|
||||
this layer surfaces it as a first-class column on `functions`.
|
||||
|
||||
### What this layer does NOT do
|
||||
- Does not parse the actual `__CxxFrameHandler` / `__C_specific_handler`
|
||||
scope-table records that the exception bit gates. Walking those tables
|
||||
would let us name try/catch ranges and per-state cleanup actions, but
|
||||
is out of scope for a derive-only milestone.
|
||||
|
||||
### Sylpheed yield
|
||||
- 2,975 of 23,073 pdata-validated functions have `has_eh=true` (12.9%) —
|
||||
plausible MSVC C++ EH coverage rate. Largest EH function: 26,328 bytes
|
||||
(`sub_823518F0`).
|
||||
|
||||
## Layer M10 — `.tls` section / TLS directory (landed)
|
||||
|
||||
### Schema additions
|
||||
- New table `tls_info(raw_data_start, raw_data_end, index_address,
|
||||
callback_array, zero_fill_size, characteristics)` — at most one row
|
||||
(the IMAGE_TLS_DIRECTORY32).
|
||||
- New table `tls_callbacks(slot PK, address)` — one row per resolved TLS
|
||||
callback function.
|
||||
|
||||
### What this layer does
|
||||
- Reads the first 24 bytes of the `.tls` section as an
|
||||
`IMAGE_TLS_DIRECTORY32` and walks the zero-terminated callback array.
|
||||
- All addresses stored as absolute VAs.
|
||||
|
||||
### What this layer does NOT do
|
||||
- Does not parse the raw TLS template content (the variable initialiser
|
||||
block); just records its start/end VAs.
|
||||
|
||||
### Sylpheed yield
|
||||
- 0 rows — Sylpheed has no `.tls` section. Infrastructure ready for any
|
||||
binary that uses `__declspec(thread)` storage.
|
||||
|
||||
## Layer M12 — `--lr-trace` runtime canary-diff harness (landed)
|
||||
|
||||
### Runtime additions (no DB)
|
||||
- New CLI flag `--lr-trace=PC[,PC,...]` on `exec` — comma-separated PCs
|
||||
to capture as JSONL records on every fire. Symbolic tokens (`Class::method`)
|
||||
resolve via M4's lookup against `--probe-db`. Settable via
|
||||
`XENIA_LR_TRACE`.
|
||||
- New CLI flag `--lr-trace-out=PATH` — writes JSONL to a file (one
|
||||
record per line). Stdout when omitted. Settable via `XENIA_LR_TRACE_OUT`.
|
||||
- New kernel state fields `lr_trace_pcs: HashSet<u32>` +
|
||||
`lr_trace_writer: Option<Mutex<File>>` and helper
|
||||
`KernelState::fire_lr_trace_if_match(hw_id)` invoked from the
|
||||
per-instruction probe slot.
|
||||
|
||||
### JSONL record fields
|
||||
`pc, tid, hw, cycle, r3, r4, r5, r6, lr` — superset of what
|
||||
xenia-canary's `--log_lr_on_pc` patch emits, with a cycle counter added
|
||||
for cross-run reproducibility.
|
||||
|
||||
### What this layer does NOT do
|
||||
- Does not capture VMX / FP register state (only GPRs r3..r6).
|
||||
- Does not buffer / batch records — one `write_all` per fire. For
|
||||
high-frequency probes (e.g. tight loops at >1M fires/sec), redirect
|
||||
to a file and use a SSD.
|
||||
|
||||
### Determinism
|
||||
Lockstep digest unaffected: probe firing happens after the per-instr
|
||||
hooks for ctor/branch probes and only emits side-channel output. Verified
|
||||
end-of-session: `check sylpheed.iso --stable-digest -n 2M` ×2 produced
|
||||
byte-identical digests (`instructions=2000005`).
|
||||
|
||||
---
|
||||
|
||||
## Forward work (not yet landed)
|
||||
|
||||
- **M5.5** — `this`-flow extension to M5. Resolve vtable dispatches via
|
||||
`lwz vt, off(this)` patterns by tracing constructor-side vptr writes.
|
||||
Highest-value future work for the audit-009 cluster renderer hunt.
|
||||
- **M9.5** — full `__CxxFrameHandler` scope-table parsing (try/catch
|
||||
range names, per-state cleanup actions).
|
||||
- **M11.5** — walk the static-initialiser driver call chain from the
|
||||
entry point to surface ground-truth ctor PCs.
|
||||
- VMX/VMX128 vector-store xref emission (M6 follow-up).
|
||||
- UTF-8 / shift_jis localised-string detection in `.rdata` (M7 follow-up).
|
||||
|
||||
Reference in New Issue
Block a user