M8+M9+M10+M11+M12: LOW-tier milestones — funcptr-arrays, EH flag, TLS, lr-trace

Five LOW-priority milestones bundled. Total ~700 LOC across 11 files.

## M9 — has_eh derived from pdata.flags exception bit
- New `functions.has_eh BOOLEAN NOT NULL` column. Derived from M1's
  already-parsed `pdata.flags` (bit 31 of the packed word — the
  exception-handler-present flag, distinct from bit 30 which is the
  always-1 32-bit-code flag). Index idx_functions_has_eh.
- Sylpheed: 2,975 of 23,073 pdata-validated functions have EH (12.9%).

## M10 — .tls section / IMAGE_TLS_DIRECTORY32 parser
- New `xenia_xex::tls::parse_tls` parses the directory + zero-terminated
  callback array. Returns None when the binary has no .tls section.
- New `tls_info` (singleton row) + `tls_callbacks(slot, address)` tables.
- New `DbWriter::write_tls()` no-ops on None.
- Sylpheed has no .tls section → 0 rows; infra ready for binaries with
  __declspec(thread).

## M8 + M11 — function_pointer_arrays (dispatch tables + static initialisers)
- New `xenia_analysis::funcptr_arrays::analyze` widens M3's vtable scan:
  detects runs of ≥2 function pointers in .rdata and classifies each as
  `vtable` (M3 re-emit), `dispatch_table` (M8), or `static_init` (M11)
  via a constructor-prologue heuristic (mfspr + small stwu).
- New tables `function_pointer_arrays(address PK, length, kind)` and
  `function_pointer_array_entries(array_address, slot, function_address)`.
- Sylpheed: 722 vtables + 388 dispatch_tables = 1,110 arrays / 6,347 slots.
  0 static_init detected (Sylpheed's ctors don't all match the
  conservative heuristic; M11.5 future work can chain via the entry-
  point's static-init driver).

## M12 — --lr-trace runtime canary-diff harness
- New CLI `exec --lr-trace=PC[,PC,...]` and `--lr-trace-out=PATH` flags.
  Symbolic resolution (Class::method, Class::*) via M4 lookup. Env vars
  XENIA_LR_TRACE / XENIA_LR_TRACE_OUT also work.
- New `KernelState::lr_trace_pcs` + `lr_trace_writer` + helper
  `fire_lr_trace_if_match(hw_id)` invoked from the per-instr probe slot.
- JSONL output: pc/tid/hw/cycle/r3/r4/r5/r6/lr — superset of what
  xenia-canary's --log_lr_on_pc patch emits, with a cycle counter for
  cross-run reproducibility. Diff-friendly via `jq`.
- Lockstep digest unaffected: smoke test on entry-point PC fires once
  with cycle=0/lr=BCBCBCBC/all-GPR-zero (correct initial state).

Tests 636→640 (+2 TLS tests, +2 funcptr_arrays tests). Schema golden
updated for new tables + has_eh column. Lockstep determinism preserved
(instructions=2000005 ×2 reruns identical).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

crates/xenia-analysis/src/func.rs

@@ -39,6 +39,10 @@ pub struct FuncInfo {
     /// Function size in bytes per `.pdata`'s `function_length` field, if known.
     /// Absent (None) when this row is prologue-only.
     pub pdata_length: Option<u32>,
+    /// True when `.pdata`'s exception-flag bit is set on this entry — the
+    /// function has a registered C++ EH (or SEH) frame handler. Always false
+    /// for entries without `.pdata` coverage. (M9)
+    pub has_eh: bool,
 }
 
 /// Result of the function analysis pass.
@@ -296,6 +300,8 @@ pub fn analyze_with_pdata(
             if let Some(p) = pdata_entry {
                 fi.pdata_validated = true;
                 fi.pdata_length = Some(p.function_length);
+                // bit 0 of the packed flags = exception-handler-present
+                fi.has_eh = (p.flags & 0x2) != 0;
                 // If the prologue walk ended too early, trust pdata's length.
                 let pdata_end = p.begin_address.wrapping_add(p.function_length);
                 if pdata_end > fi.end {
@@ -317,6 +323,7 @@ pub fn analyze_with_pdata(
                     is_saverestore: false,
                     pdata_validated: true,
                     pdata_length: Some(p.function_length),
+                    has_eh: (p.flags & 0x2) != 0,
                 },
             );
         }
@@ -326,6 +333,7 @@ pub fn analyze_with_pdata(
     if let Some(sb) = save_base {
         // The save block is one cascade: entry at each rN, falls through to blr
         // Treat as a single function with the first entry point
+        let pe_sb = pdata_by_begin.get(&sb).copied();
         functions.insert(sb, FuncInfo {
             start: sb,
             end: sb + 20 * 4, // 18 std + stw r12 + blr
@@ -333,11 +341,13 @@ pub fn analyze_with_pdata(
             saved_gprs: 18,
             is_leaf: true,
             is_saverestore: true,
-            pdata_validated: pdata_by_begin.contains_key(&sb),
-            pdata_length: pdata_by_begin.get(&sb).map(|p| p.function_length),
+            pdata_validated: pe_sb.is_some(),
+            pdata_length: pe_sb.map(|p| p.function_length),
+            has_eh: pe_sb.map(|p| (p.flags & 0x2) != 0).unwrap_or(false),
         });
     }
     if let Some(rb) = restore_base {
+        let pe_rb = pdata_by_begin.get(&rb).copied();
         functions.insert(rb, FuncInfo {
             start: rb,
             end: rb + 21 * 4, // 18 ld + lwz r12 + mtspr LR + blr
@@ -345,8 +355,9 @@ pub fn analyze_with_pdata(
             saved_gprs: 18,
             is_leaf: true,
             is_saverestore: true,
-            pdata_validated: pdata_by_begin.contains_key(&rb),
-            pdata_length: pdata_by_begin.get(&rb).map(|p| p.function_length),
+            pdata_validated: pe_rb.is_some(),
+            pdata_length: pe_rb.map(|p| p.function_length),
+            has_eh: pe_rb.map(|p| (p.flags & 0x2) != 0).unwrap_or(false),
         });
     }
 
@@ -498,6 +509,7 @@ fn analyze_function(
         is_saverestore: false,
         pdata_validated: false,
         pdata_length: None,
+        has_eh: false,
     })
 }